ZURICH'S BUSINESS RESILIENCE TOOLS
Business resilience management helps provide Zurich with the structure for dealing with risks systematically, holistically, and successfully. Zurich's Business Resilience program is supported by an enterprise risk management framework that identifies particular events or circumstances relevant to its business objectives, assesses them in terms of likelihood and magnitude of impact, and then determines a response strategy. (See Exhibit 14.9.) A resilient enterprise is better able to anticipate surprises, recover more quickly from disruptions, adapt to changing conditions, and leverage emerging opportunities.
Exhibit 14.9 Zurich's Business Resilience Program
The objective of Zurich's Business Resilience program is "Prepared, Informed, and Resilient." This tagline is regularly communicated to staff, especially during Business Resilience Awareness week. Some of Zurich's proprietary Business Resilience tools are listed here.
Business Interruption Modeling gives Zurich the capability to better manage its risks based on an in-depth understanding of the value chain, with a main focus on the business-critical value flow, followed by identification, assessment, and quantification of business interruption exposures and optional mitigations. As for any organization, a business interruption at Zurich could inhibit productivity and have multiple negative impacts on the organization. Some examples of business interruption impacts could include loss of customers, diminished customer service, legal and/or regulatory issues, lower employee morale, and even delays in projects, products, or other strategic growth. Thus, it is essential that organizations try to map and quantify how they serve customers, in order to proactively protect where they generate value.
Key stages of Business Interruption Modeling include:
• Defining scope by identifying the business-critical part(s) of the value chain
• Building an interdependency framework of business-critical value flows
• Identifying relevant business interruption vulnerabilities as loss of resources such as supplier, production, storage, and customer
• Assessing the extent based on interruption scenarios, and modeling the effects quantitatively
• Prioritizing risks based on financial impact of scenarios, with focus on unacceptable risks in order to develop a beneficial mitigation plan
• Assessing the effectiveness of current business continuity plans and identifying improvement actions
Supply Chain Risk Assessment allows Zurich to improve its reliability and minimize the effects of a supply chain disruption on its capital and earnings. Zurich's supplier risk assessment should help address vulnerabilities that could inhibit Zurich's ability to respond to a changing risk landscape. Its supply chain risk evaluation, mapping, and grading are designed to assess and quantify the broad areas of exposures and risk controls in its supply chain. This gives Zurich actionable insights to help facilitate mitigation strategies that can address the characteristics of each supplier individually, including risk transfer options.
The stages of a Supply Chain Risk Assessment include:
• Develop a supply chain/value chain map.
• Gather key supply/supplier details.
• Evaluate risk factor information.
• Define and evaluate potential risk or loss scenarios.
• Develop risk grading for each critical supplier.
• Determine risk strategies.
Business Continuity Management (BCM) includes the mitigation strategies used to minimize the impact after an incident, with the possible scope of risks coming from supply chain risks, strategic risks, operational risks, technological risks, or natural hazards. BCM is very useful in identifying gaps in risk mitigation strategies and improving risk controls to manage those exposures more effectively. As part of Zurich's business resilience process, BCM is important for managing the multitude of risk exposures and potential interruption scenarios and thus strengthening Zurich's business resilience program.
Zurich's Six-Stage Business Continuity Management Life Cycle
1. Modeling key business processes
2. Business impact analysis
3. BCM strategy and processes
4. Business continuity planning
5. Crisis management
6. Training, exercise, maintenance, and assessment
Zurich is able to undertake a regular gap analysis of its business continuity plans against best practices and common BCM-related standards such as International Standards Organization (ISO), National Fire Protection Association (NFPA) and the British Standard. It also routinely tests its crisis response activities. For example, it has planned or completed simulation exercises such as:
• Eurostar trains caught in tunnel
• India: Bomb explosion in hotel where Zurich has employees, impacting the country where the company has operations in Pune, Bangalore, and Chennai
• Fire in Home Office location injuring employees, impacting critical processes, and possibly preventing occupancy in location for up to three to four months
• Los Angeles earthquake
• Kansas tornado
• Political demonstration in New York City
Business Impact Analysis is designed to provide the method to identify the systems that, when absent, would create a danger to the survival of the organization. This analysis can also ensure that these systems receive the correct priority in any subsequent business continuity plan.
Key stages of Zurich's Business Impact Analysis include:
• Prioritize the key business services or processes.
• Identify the internal and external risks to the continuity of these business processes.
• Assess the importance of each risk in terms of both the likelihood and the financial impact of potential outcomes.
• Establish priorities for mitigating the critical risks.
• Develop a management plan of action.
• Assess the business continuity plan and management plan of action.