Medtronic’s Practical Approach to Creating a Resilient ... · Approach to Creating a Resilient...
Transcript of Medtronic’s Practical Approach to Creating a Resilient ... · Approach to Creating a Resilient...
1
Medtronic’s Practical Approach to Creating a
Resilient Organization
Discussion Outline
• Company Background – Establish Context
• Medtronic’s Risk Mgmt Strategy & Evolution
• BCM at Medtronic
• Our Methodology, Process and Tools
• What We’ve Gained from BCM
Medtronic: Driven By Our Mission
The world leader in medical
technology
Focus on treating chronic disease
Every 5 seconds, someone in the world benefits from Medtronic technology
2
We’re a High-Tech, High-Growth Company
19%$2.41$0.17EPS*
20%$2.8 Billion$180 MillionNet Earnings
17%$1.2 Billion$120 MillionR&D Expenditures
16%$12.3 Billion$1.2 BillionSales
37,0008,000Employees
CAGR20071992
• Stock split adjusted
Strong financial position allows us to be self – insured.
Our Products Treat Diverse Medical Conditions
Parkinson’s Disease Essential Tremor Dystonia
Spasticity Chronic Pain Cranial Surgery
Irregular Heart Rates Heart Failure Cardiac Surgery
Unexplained Syncope Heart Valve Disease
Coronary Vascular Disease Peripheral Disease
Aortic Disease Spinal Deformities Herniated Disc
Degenerative Disc Disease Acute Tibial Fractures
Diabetes Urinary Incontinence
Gastroparesis Benign Prostatic Hyperplasia
Meniere’s Disease Ear and Sinus Infections
We Have a Strong and Growing Global Presence
37,000 Employees120 Countries270 Locations
44 Manufacturing Sites 25 R&D Centers
23 Training Facilities
3
Operations are Complex & Highly-Regulated
Implications to BCM Strategy
• Must support the Mission
• Must be proactive vs. reactive
• Focus must be on creating:– Agility
– Flexibility
– RESILIENCE!
Discussion Outline
• Company Background – Establish Context
• Medtronic’s Risk Mgmt Strategy & Evolution
• BCM at Medtronic
• Our Methodology, Process and Tools
• What We’ve Gained from BCM
4
Self-fund all losses through fronted insurance
Ensure quick and effective response and recovery to major disruptions to operations through crisis management processes and business continuity plans
Recent
Crisis Mgmt
PREPARE
Ensure continuity of operations at minimum acceptable levels through common risk strategy and standardized business continuity management process
Current
Crisis Management
BCM
PREVENT
Ensure successful achievement of companyobjectives through broader risk management scope
Build strategic risk management into companypractices, culture and strategic planning process
? Year Vision
ERM
Business Continuity Mgmt
Crisis Management
EXPAND
Self-manage key exposures to loss
Self-fund normal operating losses
Insure against catastrophicevents
Manage losses strategically
Historical
Insure
TRANSFER
How we manage BI loss exposure has evolved…..
Risk Management Strategy
BCM is One Part of ERM
Typical Enterprise Risk Management Categories
Developed Market Growth
Global Focus and Reach
Competition
Regulatory
Clinical Evidence
Customer Relationship Disruption
Company-Wide Growth Portfolio
Talent
Quality & Product Reliability
Financial
Intellectual Property
Legal/Compliance
“…the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
BCM Focuses on Operational Risk
OperationsOperations
Operational Risks Span the Value Chain
SupplierOperationalProcesses
Distribution Customer
• Supplier Selection/Development
• Supplier Interruption
• Supplier Mgmt
• Quality Issue
• Outsourcing
• Process Failure
• Facility Damage
• Utility Outage
• Equipment Failure
• IT Failure/Sabotage
• EH&S Compliance
• Record Destruction
• Key Person Loss
• Labor Shortage
• Workplace Violence
• Terrorism
• Health Epidemic
• Customer Service
• Customer BusinessInterruption
• Carrier Interruption
• Transportation Channels Unavailable
• Import/Export Compliance
They are not limited to physical disasters!!
5
Discussion Outline
• Company Background – Establish Context
• Medtronic’s Risk Mgmt Strategy & Evolution
• BCM at Medtronic
• Our Methodology, Process and Tools
• What We’ve Gained from BCM
Business Continuity PlanningStrategies and plans that ensure an organization
can continue to operate to a pre-determined
minimum capability/service level and meet
demand.
Crisis Management & Mobilization
Overall coordination of an
organization's response to a
crisis. Must be effective and
timely; Goal - avoid or minimize
impact to the organization's
employees, reputation, or ability to
operate.
IT Response & RecoveryPlans and actions designed to respond to
network/technology incidents and recover the
applications and infrastructure that support
business continuity.
Emergency ResponsePlans and actions to ensure human
health and safety, protect physical
assets and limit environmental
impact. Includes pre-planning for
localized events and notification and
interaction with local authorities in
emergency situations.
Program Integrates Four Key Disciplines
Based on BCI Definition of BCM
Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.
Source: Business Continuity Institute (BCI)
6
Resiliency Defined
• Ability to recover from or adjust easily to misfortune or change.
• Capability to withstand shock without permanent deformation or rupture.
The ability to meet customer
demand in spite of a crisis event.
How Do We Make Medtronic More Resilient?
• Proactively manage our operational risks– Prevent or lessen the impact of a crisis event
– Mitigate single-points-of-failure
– Develop contingencies
• Develop business continuity plans – Ensure organized and quality response
– Reduce time to recover
• Create a risk management culture
Having a Plan is Not Enough
Business
ContinuityPlan
Addresses Responding to aCrisis Event
Risk Identification
and Mitigation
Strategy + Policy
Resources
Leadership + Governance
People + Organization
Risk identification and impact analysis
Risk mitigation, planning and preparation
Establish culture, exercise and maintainplans
Risk Identification
and Mitigation
Strategy + Policy
Resources
Leadership + Governance
People + Organization
Risk identification and impact analysis
Risk mitigation, planning and preparation
Establish culture, exercise and maintainplans
Business Continuity Management
Program
Focuses on Building Operational Resilience as well as Effective Response
7
Discussion Outline
• Company Background – Establish Context
• Medtronic’s Risk Mgmt Strategy & Evolution
• BCM at Medtronic
• Our Methodology, Process and Tools
• What We’ve Gained from BCM
BCM Best Practice Model
Enterprise View
Operational View
Key BCM process areas
BCM structural enablers
Process of identifying risks to critical processes, assessing the materiality / impact and prioritizing appropriate mitigation responses
Process of mitigating identified risks through
modifications to operational procedures
and practices, implementing alternative
business strategies, and developing
continuity and DR plans
Process of educating and training employees, building BCM into strategic planning
process and annually testing and maintaining
continuity plans
Tangible and intangible resources that support (tools, templates, website, etc)
and enable (funding, training, etc) the BCM processes
Organizational resources aligned to effectively support the BCM process as part of their operational responsibilities and accountabilities
Strategy + Policy
Resources
Leadership + Governance
People + Organization
Risk identification and impact analysis
Risk mitigation, planning and preparation
Establish culture, exercise and maintainplans
Leadership commitment and governance mechanisms that clearly define, monitor and ensure accountability for BCM practices
Overarching strategy that defines risk components, e.g. tolerance levels, and
outlines the approach for ensuring business continuity at an enterprise level
*Model provided by PA Consulting.
BCM Program Office
Site Site Site
Site Mgmt
Key Operations
Key Support
Functions
Site Mgmt
Key Operations
Key SupportFunctions
Site Mgmt
Key Operations
Key SupportFunctions
BCM Organization
And 35+ more
Governance
Audit Committee (Annual Report)Senior Executives (Annual Review)Operating Council – VP of Ops (Quarterly)
Organizational Reporting
Part of Risk Mgmt Organization (Corporate Legal) reporting to General Counsel.
8
• establish BCM scope, focusing
on the areas that are critical to business continuity
• develop common assessment of risks and define what risks are
“intolerable”
• prioritize mitigation efforts and
investments
The Materiality Criteria
provides a strategic
framework that helps the business to:
A Common Risk Strategy –
Materiality CriteriaStrategy + Policy
Resources
Leadership+ Governance
People + Organization
Risk identification and impact analysis
Risk mitigation, planning and preparation
Establish culture, exercise and maintainplans
Strategy + Policy
Resources
Leadership+ Governance
People + Organization
Risk identification and impact analysis
Risk mitigation, planning and preparation
Establish culture, exercise and maintainplans
Losses > x% business unit revenue
Losses between x to x% business unit revenue
Losses < x% business unit revenue
Financial
Impedes time to market by greater than x months
Impedes time to market by up to x months
No impact on time to market
Product Time to Market
Major impact, excluded from producing or marketing a key product in a major market
Minor impact, limitations on producing or marketing a key product in a minor market
No impactLegal and Regulatory
Outage for more than x hours/days/ weeks
Outage of x hours/ days/weeks up to x hours/days/ weeks
Outage up to x hours/days/weeks
Operational Capacity
Unable to serve major external customers or > x% of total customers
Unable to serve small external customers or < x% of total customers
No external customer impact
Customer
HighMediumLowType of impact to business unit or
region
Losses > x% business unit revenue
Losses between x to x% business unit revenue
Losses < x% business unit revenue
Financial
Impedes time to market by greater than x months
Impedes time to market by up to x months
No impact on time to market
Product Time to Market
Major impact, excluded from producing or marketing a key product in a major market
Minor impact, limitations on producing or marketing a key product in a minor market
No impactLegal and Regulatory
Outage for more than x hours/days/ weeks
Outage of x hours/ days/weeks up to x hours/days/ weeks
Outage up to x hours/days/weeks
Operational Capacity
Unable to serve major external customers or > x% of total customers
Unable to serve small external customers or < x% of total customers
No external customer impact
Customer
HighMediumLowType of impact to business unit or
region
Risk Identification
and Mitigation
Strategy + Policy
Resources
Leadership + Governance
People + Organization
Risk identification and impact analysis
Risk mitigation, planning and preparation
Establish culture, exercise and maintainplans
Risk Identification
and Mitigation
Strategy + Policy
Resources
Leadership + Governance
People + Organization
Risk identification and impact analysis
Risk mitigation, planning and preparation
Establish culture, exercise and maintainplans
Implementation Follows a Step by Step Process
Implementation Follows a Step by Step Process
Step 1 – Project Planning
Step 2 – Business Impact &
Risk Assessment
Step 3 – Risk Mitigation
Step 4 – BCP Development
Step 5 – BCP Testing
Step 6 – Maintain & Create BCM
Culture
Implementing the Model
Step 2 – Business Impact & Risk Assessment
Process:
• Self-assessment performed by all departments in scope.
– Not an audit!
– Ownership of risks at the operational level.
– Hands-on learning; risk-management skill development.
Overall Objectives:
• Identify vulnerabilities and single-points-of-failure in key operations.
• Prioritize needed improvements and contingencies.
Assessing Risk is Core to Our BCM Effort.
9
Assessing Operations
Production
Distribution
R&D
Supply chain
Engineering
Quality
Regulatory
Finance
HR
Legal
Supporting Resources
Process
Step 2 – A common analytical framework
• Focuses on identifying exposures in the processes and resources that are critical – not the threats that could result in their loss.
• Creates common framework and vocabulary.
• Aids in critical knowledge capture.
The Business Impact and Risk Analysis (BIRA) Tool
Business Continuity
Employee Related
Records
Physical AssetsData & Information
Humanitarian Response
PeopleEnvironmental
Health & Safety
Disaster RecoveryIT Systems & Infrastructure
SuppliersLogisticsPremises
Modules Capture Key Data and Evaluate
Business Impact & Preparedness Levels
Lists that provide information critical to continuity e.g. key supplier, critical documents etc. These lists will be attached to the BC plan.
PHYSICAL ASSETS MODULE
Section A – Critical Business Continuity Data
Asks the respondent to think about what the business impact would be (according to the materiality criteria) if a risk event occurred.
Section B – Key Risk Events and Business Impacts
Identifies the current ability to mitigate or protect against failure by asking a simple set of related questions.
Section C – Business Resilience and Mitigation
Captures the observations, business continuity risk evaluation and details of actions agreed on to improve resilience and mitigate risks.
Section D – Risk Assessment*
What processes/resources are important?
How bad would it be to lose them?
Are we doing enough to protect them?
How can we make them more resilient?
10
Risk Map Prioritizes Exposures
Manufacturing
-
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
0.90
1.00
-0.100.200.300.400.500.600.700.800.901.00
Preparedness Index (Degree of resilience / mitigation in place)
Bu
sin
ess
Im
pa
ct
Ind
ex (
Ma
teri
ality
Cri
teri
a H
igh
or
Ve
ry H
igh
)
Records Retention
Employee Related
Environmental
Health and Safety
Disaster Recovery
Data and Information
Applications and Infrastructure
Physical Assets
Supply Chain
Distribution Chain
Business Continuity
Premises
Staff Turnover
Humanitarian Response
Low
Medium
High
High Med Low
Department Risk Map
FixMonitor
ReviewOK
Busin
ess I
mp
act
Preparedness Index
<Name of Department / Area>
-
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
0.90
1.00
-0.100.200.300.400.500.600.700.800.901.00
Preparedness Index (Degree of resilience / mit igat ion in place)
Bu
sin
es
s I
mp
ac
t In
de
x (
Ma
teri
ali
ty C
rite
ria
Hig
h o
r V
ery
Hig
h)
Records Retention
Employee Related
Environmental
Health and Safety
Process Related
Disaster Recovery
Data and Information
Infrastructure and Systems
Physical Assets
Supply Chain
Distribution Chain
Business Continuity
Premises
Staff Turnover
Humanitarian Response
Low
Medium
High
Very High
<Department / Area><Department / Area>
0
2
2
4
Preparedness
StatusWhoDue
Date
RecommendationModule StatusWhoDue
Date
RecommendationModule
1
5
2
1
Business Impact
Top 5 recommendations
No of completed recommendations
0 15of
V.H
igh
Hig
hM
ed
Lo
w
Lo
wM
ed
Hig
hV
.Hig
<Name of Department / Area>
-
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
0.90
1.00
-0.100.200.300.400.500.600.700.800.901.00
Preparedness Index (Degree of resilience / mit igat ion in place)
Bu
sin
es
s I
mp
ac
t In
de
x (
Ma
teri
ali
ty C
rite
ria
Hig
h o
r V
ery
Hig
h)
Records Retention
Employee Related
Environmental
Health and Safety
Process Related
Disaster Recovery
Data and Information
Infrastructure and Systems
Physical Assets
Supply Chain
Distribution Chain
Business Continuity
Premises
Staff Turnover
Humanitarian Response
Low
Medium
High
Very High
<Department / Area><Department / Area>
0
2
2
4
Preparedness
StatusWhoDue
Date
RecommendationModule StatusWhoDue
Date
RecommendationModule
1
5
2
1
Business Impact
Top 5 recommendations
No of completed recommendations
0 15of
V.H
igh
Hig
hM
ed
Lo
w
Lo
wM
ed
Hig
hV
.Hig
Risk Reporting: Site Dashboard
<Name of Department / Area>
-
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
0.90
1.00
-0.100.200.300.400.500.600.700.800.901.00
Preparedness Index (Degree of resilience / mit igat ion in place)
Bu
sin
es
s I
mp
ac
t In
de
x (
Ma
teri
ali
ty C
rite
ria
Hig
h o
r V
ery
Hig
h)
Records Retention
Employee Related
Environmental
Health and Safety
Process Related
Disaster Recovery
Data and Information
Infrastructure and Systems
Physical Assets
Supply Chain
Distribution Chain
Business Continuity
Premises
Staff Turnover
Humanitarian Response
Low
Medium
High
Very High
<Department / Area><Department / Area>
0
2
2
4
Preparedness
StatusWhoDue
Date
RecommendationModule StatusWhoDue
Date
RecommendationModule
1
5
2
1
Business Impact
Top 5 recommendations
No of completed recommendations
0 15of
V.H
igh
Hig
hM
ed
Lo
w
Lo
wM
ed
Hig
hV
.Hig
<Name of Department / Area>
-
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
0.90
1.00
-0.100.200.300.400.500.600.700.800.901.00
Preparedness Index (Degree of resilience / mit igat ion in place)
Bu
sin
es
s I
mp
ac
t In
de
x (
Ma
teri
ali
ty C
rite
ria
Hig
h o
r V
ery
Hig
h)
Records Retention
Employee Related
Environmental
Health and Safety
Process Related
Disaster Recovery
Data and Information
Infrastructure and Systems
Physical Assets
Supply Chain
Distribution Chain
Business Continuity
Premises
Staff Turnover
Humanitarian Response
Low
Medium
High
Very High
<Department / Area><Department / Area>
0
2
2
4
Preparedness
StatusWhoDue
Date
RecommendationModule StatusWhoDue
Date
RecommendationModule
1
5
2
1
Business Impact
Top 5 recommendations
No of completed recommendations
0 15of
V.H
igh
Hig
hM
ed
Lo
w
Lo
wM
ed
Hig
hV
.Hig
2
2
3
Preparedness
StatusWhoDue
Date
Recomm endationModule StatusWhoDue
Date
Recomm endationModule
1
4
2
Business Impact
Top 5 recommenda tions
No of complete d
recommendations3 15of
Hig
hM
ed
Lo
w
Lo
wM
ed
Hig
h
Last BIRA Review: <Date>
1
2
8
Preparedness
StatusWhoDue
Date
Recomm endationModule StatusWhoDue
Date
Recomm endationModule
4
6
1
Business Impact
Top 5 recommenda tions
No of complete d
recommendations5 10of
Hig
hM
ed
Lo
w
Lo
wM
ed
Hig
h
Last BIRA Review: <Date>
Manufacturing
-
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
0.90
1.00
-0.100.200.300.400.500.600.700.800.901.00
Preparedness Index (Degree of resilience / mitigat ion in place)
Bu
sin
ess
Im
pa
ct
Ind
ex
(M
ate
ria
lity
Cri
teri
a H
igh
or
Ve
ry H
igh
)
Records Retention
Employee Related
Envir onmental
Health and Safety
Disaster Recovery
Data and Information
Applications and Infras tructur e
Physical Assets
Supply Chain
Distribution Chain
Business Continuity
Premises
Staff Turnover
Humanitarian Response
Low
Medium
High
High Med Low
<Department / Area>
Manufacturing
-
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
0.90
1.00
-0.100.200.300.400.500.600.700.800.901.00
Preparedness Index (Degree of resilience / mitigat ion in place)
Bu
sin
es
s I
mp
act
Ind
ex
(Ma
teri
alit
y C
rite
ria
Hig
h o
r V
ery
Hig
h)
Records Retention
Employee Related
Envir onmental
Health and Safety
Disaster Recovery
Data and Information
Applications and Infras tructur e
Physical Assets
Supply Chain
Distribution Chain
Business Continuity
Premises
Staff Turnover
Humanitarian Response
Low
Medium
High
High Med Low
<Department / Area>
Summarizes:
• Site criticality and business impact
• Key RTO’s vs. RTR’s
• Key operational issues
Step 3 – Risk Mitigation
Goals:
• Mitigate key exposures.
• Ensure RTO’s can be met.
• Create flexible and agile supply chain.
• Improve operational performance and resilience.
11
Risk Mitigation Options
• Do nothing (accept the risk)
• Change or end the process (avoid the risk)
• Eliminate/reduce risk (tangible loss prevention)
• Create redundancies (minimize the impact)
• Develop contingencies (back up alternatives)
Challenge sites to be creative and improve operational performance while eliminating risk.
Monitoring Progress
BCM Program Office
Site Site Site
Site Mgmt
Key Operations
Key Support
Functions
Site Mgmt
Key Operations
Key Support
Functions
Site Mgmt
Key Operations
Key Support
Functions
Current Challenge: Tying it Together
12
Developing Broader BCM Strategies
Key Vendors Sub-Assembly Finished Goods Sterilization Distribution
Mexico MFG
Product A
Product B
Grand Rapids
x d
Brooklyn Park MFG
x d
x d
x d
x d
x d
MV, EOC, TOC
Component A
Component B
x d
x d
MECC MFG
MMC MFG
Santa Rosa MFG
Product A
Product B
Product A
Product B
Product A
Product B
Juncos MFG
SMO MFG
Galway MFG
MV, EOC, TOC
MV, EOC, TOC
Rice Creek
Outside Sterilizers
x d
x dX
X XXX
Step 4 – BCP Development
Our Planning Philosophy
• Keep it simple!
• Plan for the worse-case scenario.
• Focus on:
– Timely notification.
– Clear delineation of responsibilities.
– Action-oriented plans (no unnecessary fluff!).
– Ensuring critical information is accessible.
Legend:
BCP Team Structure
13
Planning Tools
• Medtronic Notification System– Mass notification
– Employee Hotline
• Business Continuity and Incident Management – Externally hosted
– Action-oriented checklists
– Virtual command center
Action-Oriented Plans
Step 5 – BCP Testing
• Every site conducts an all-teamsimulation upon plan completion.
• Full-day exercise.
• “Tests”:
– Team composition and role.
– Intra/Inter-team communication.
– Plan assumptions.
– Plan completeness.
Goal: Create confidence that they will
know what to do when necessary!
14
Step 6 – Establishing a BCM Culture
Risk Risk
Every employee is a risk manager!
Embedding BCM Across the Organization
SupplierOperationalProcesses
Distribution Customer
• Material/Supplier Selection
• Priority Agreements
• Continuity Requirements
• Facility Audits
• Outsourcing Decisions
• Product Design
• Process Location & Design
• Facility Location & Design
• Equipment Selection
• Equipment – Make vs. Buy
• Data Center Design
• Application Selection
• Record Storage
• Cross Training
• Succession Planning
• Agreements• Carrier Selection
• Lead Times
• Import/Export Procedures
• Safety Stock Levels
Program Supported by Website
15
Discussion Outline
• Company Background – Establish Context
• Medtronic’s Risk Mgmt Strategy & Evolution
• BCM at Medtronic
• Our Methodology, Process and Tools
• What We’ve Gained from BCM
Benefits of Our BCM Program
A More Flexible & Resilient Organization!
Questions and Discussion