Business Resiliency
Gene Weber, Director Business Resiliency
February, 2016
2
Express Scripts Business Resiliency Program Feb 18 - Agenda
1. Business Resiliency Program Overview
2. Operational Risk Management
3. Q&A
3
Risks we manage…
• Employees
• Supplier Outages
• Drug Inventory
• Civil Unrest
• Site & Utility Impacts
• Weather
• IT Outages
• Data Breach
4
Express Scripts’ Business Resiliency – Key Components
Business Continuity
• Recovery Strategies & Plans
• Exercises
• Daily Monitoring Weather/Events
Disaster Recovery
• DR Readiness
• DR Planning & Exercises
• DR Gap Mitigation
OPS Risk Management
• Risk Discovery
• Risk Management
• Risk Mitigation
Crisis Management
• Crisis Team Activation
• Crisis Management
• Crisis Communications
Proactively protect our patients & clients from any major outage!
Proactive Planning ENABLES Effective Crisis Management
5
Business Resiliency Governance
Board of Directors’ Audit Committee
Business Resiliency Steering Committee
IT Leadership
• Operational VPs
• Bus Res Program Review
• OPS Risk Mitigation
• Status Updates
• Health of DR Program
• Exercise Results
• Readiness Metrics
• Risks/Gaps
• Sr. Executives & Board Members
• Bi-Annual Program Review with Audit Committee
Well Established Governance & Oversight
6
Senior Team Focus… All about RISK!
• Executives Focus = Critical Risks/Gaps
• Need to speak their language…
• What are my critical risks/gaps?
• How will this impact my business?
• What is your risk mitigation strategy?
• What will it cost to mitigate?
• What else keeps you up at night?
7
Executive Perspectives on Operational Risk…
What keeps you up at night?
“I’m not worried about a disaster; but I do worry about what I don’t know…”
Secretary of Defense Donald Rumsfeld --- February 12, 2002
8
Business Resiliency Risk Framework
Collaboration: Workshops Leadership Reviews Exercises
Data: Leader Metrics Crisis Events
Risk Assessment Heat Maps Vet Results Manage Risk Acceptance
Scope, Funding Project Team, Plan & Schedule Monitor Risks Risk Register, Heat Maps
Risk Register Heat Maps
Risk Register Acceptance
Risk Register Acceptance Funding BR Steering Comm IT Leadership
Execute Project Plans Status Reports Lessons Learned Validate Results Communicate Results
Action Plans Presentations Spreadsheets
[Framework diagram labels: Identify Risks, Assess Risks, Mitigate Risks, Manage Risks; layers: Governance, Process, Tools]
Process Based on ISACA Risk IT Framework
Business Resiliency Steering Committee IT Leadership Updates
9
Risk Discovery Methods
Reactive:
• Crisis Events – Post Mortem/Lessons Learned
Proactive Engagement (360 View):
• Board of Directors
• Steering Committee Reviews
• Portfolio Reviews with VPs
• Quarterly 1:1 with ERM VP
• Risk Workshops – Focused Brainstorming sessions
• Business Resiliency Workshops
• Joint Planning Sessions with Facilities
• Nathan Assessment Reports
• BIAs, Data & Trends (System Reliability / DR)
• Exercises
10
Business Resiliency Workshops
Workshop Agenda…
1. Business Resiliency Awareness
2. Validate Recovery Strategies
3. Risk Validation & Discovery
4. Crisis Management Tabletop
Cross Functional Attendees
Identify, Assess, Manage & Mitigate
Drives Operational Readiness
11
Operational Risk Management Deliverables
Operational Risk Register
• Critical Risks, Threats, Gaps that could harm Operations
• Emerging (New) & Recurring
Operational Risk Heat Map
• Shows Visual of priorities
• Based on Impact & Probability
Risk Mitigation Projects
• When normal BC Plan would not mitigate the Gap
• Requires Project Leadership, Cross Functional Teams & Leadership visibility to close Gaps
Site | Area | Risk Title | Risk Detailed Description | Contact Person(s) | Risk Probability | Risk Consequence | Heat Map Rating
Vegas | BE | Work stoppage | NV site had work stoppage in 2006. 8 week outage. Non-RPH, 600 FTE impacted. RPH contract up on 9/1/13, non-RPH on 9/1/14. | Dennis Urban, Diana Castillo | 40 | 41 |
Tempe | BE | Loss of McKesson | Development of DR Plan. ESI cannot talk to McKesson directly. Needs to be presented to PMO (Tom N) and TMA/DoD before we can go to McKesson. (Roll into one Wholesaler Risk Item in Risk Map?) | Carolyn Lawyer | 45 | 45 |
Willingboro | BE | Drug Contamination Risk | Risk of damaging drug inventory from some sort of contaminant. | Nick St. George / John Ford | 10 | 80 |
St Louis | BE | Loss of shipping vendor | Ongoing 2013 risk | | | |
Whitestown | BE | Pandemic Planning, POD | Need to update Pandemic plans. Ensure pandemic sections of BC Plans are updated for Whitestown. Investigate local POD. | Rhonda Yates | | |
Tempe | CC | Generator | No generator cover for first floor air conditioner | Tyrone Christy | 41 | 21 |
Dublin | CC | Union campaign | Risk across the non-union PCC sites | Matt Sprosty | | |
N. Versailles | FE | Emp Safety | Emp job stress higher w/new processes. Are we trained disgruntled emp? Do we have documented plan? Background checks for vendors / contractors. Emp bags not checked. Piggyback of badges. | Rick A. | 20 | 25 |
Ft Worth | FE | PHI/IHI/Privacy Incident | Ongoing risk of IHI Breach (Individual HI). Risk of L-ESI staff going thru learning curve on F14. | Tom V/Melinda | 90 | 90 |
Bensalem, Harrisburg, Troy | FE | PHI/IHI/Privacy Incident | Risk of employees taking pictures of PHI/IHI/PII with cell phone camera. Can we restrict cell phone and not allow them on floor like back end does? Back end has lockers that employees must leave cameras in. | Steve Knecht | | |
Mason, Fairfield | FE | Work Place Violence | Emp safety a concern. How well trained are contract security guards? | Ed Christman, Jim Zirpoli | 10 | 85 |
Mason, Fairfield | FE | e-Prescribing | SureScripts outage. If system goes down, volume thru phone / fax would be bottleneck. Vendor is in RBSM program. Scripts would take 2X as long or more to enter. | Andy Wilhelm | | |
MEM | SP | Seating Capacity | There is not room within the footprint to move individuals internally (i.e. swing space is at minimum and not backed up by UPS / Generator in some instances) | Lynette Jeff | 75 | 75 |
Risk Register
Project Name | Project Owner | Status | Target Completion Date | Revised Date
Network Project | | Green | |

# | Task Description | Task Owner | Target Due Date | Comments | Status (Open/Closed)
Level Set & SCOPE
 | Complete initial planning for Network Project (Project Scope, Key Action Items…) | Project Team | 03/25/13 | | Closed
 | Develop draft Project Schedule | Project Team | 03/25/13 | | Closed
 | Review Project Scope, Schedule & Project Team Members | Project Team | 03/25/13 | | Closed
KICK-OFF & SCOPE
 | Conduct Project Kick-off Meeting | Project Team | 07/16/13 | | Closed
 | Finalize Project Scope | Project Team | 08/30/13 | | Closed
Project Tasks
 | Create Joint Version of Readiness Dashboard from Network & BCM Templates | Project Team | 09/15/13 | | Closed
 | Determine if Data & Voice will use the same Readiness Dashboard | Project Team | 09/15/13 | | Closed
 | Provide Sample Network Diagram | Project Team | 09/15/13 | | Closed
 | Determine if Utilization Info will be included in the Readiness Dashboard | Project Team | 09/30/13 | | Closed
 | Determine Process to Track the Readiness Dashboard & Utilization Info | Project Team | 09/30/13 | | Closed
 | Draft Readiness Dashboard & Capacity Report Process | Project Team | 10/30/13 | | Open
 | Populate Readiness Dashboard with Tier 1 sites | Project Team | 10/25/13 | | Open
 | Conduct Initial Review of a Populated Readiness Dashboard - begin with Tier 1 sites | Project Team | 10/30/13 | | Open
 | Establish completion date to Populate Readiness Dashboard for all sites | Project Team | 10/30/13 | | Open
 | Provide Network Diagram for Key ESI Sites | Project Team | 10/30/13 | | Open
 | Finalize Readiness Dashboard & Capacity Report Process | Project Team | 11/30/13 | | Open
 | Track Readiness Dashboard | Project Team | Ongoing | | Open
Driving Risk Mitigation & Site Readiness
12
Operational Risk Management Recommendations…
Establish…
• Proactive Process to discover, capture, measure & manage risks
• Steering Committee of Operational VPs
• Tools (Heat Maps, Risk Registers, Workshops, etc)
• Recurring Operational Leadership Status Updates
13
QUESTIONS?
Gene Weber, Director Business Resiliency