Assignment 2 - Business Continuity Plans Thomas Vaillant (316167)

Question 1: Provide a brief overview of the organization:

Organization chosen: Marsh

a) What are the organization’s critical functions and operations?

Firstly, Marsh's core operation is insurance broking, which involves advising clients on risk
management and helping them obtain insurance coverage that meets their needs. Insurance
broking can involve identifying risks, analyzing insurance policies, negotiating with insurers,
and helping clients manage claims.

In addition to that, Marsh provides risk management and consulting services to help clients
identify, assess, and mitigate risks to their business. This may involve conducting risk
assessments, developing risk management strategies, and providing training and education to
help clients manage their risks more effectively.

Marsh also invests heavily in developing technology solutions to help clients manage their
risks more effectively and adapt to worldwide trends. Data analytics tools, risk modeling
software, and various technology platforms helping clients identify and manage risks more
proactively are all part of those technology solutions provided by the company.

Finally, in the case where a client experiences a loss or other insured event, Marsh's claims
management team helps them navigate the claims process. This involves working with
insurers to ensure that clients receive the coverage and compensation they are entitled to.

Overall, Marsh's critical functions and operations are focused on helping clients navigate the
complex world of risk management and insurance.

b) Describe the physical locations from which the organization operates. For example, is
it run from an office or other type of building? Does it have customer-facing
operations?

Marsh operates primarily out of office buildings, where its employees work to provide
various services to clients. These offices may be located in commercial or business districts,
or in other areas that are easily accessible to clients.

In addition to its office-based operations, Marsh also has customer-facing operations such as
retail insurance brokerage locations and claims centers, where clients can meet with Marsh
representatives and receive assistance with their insurance needs. These customer-facing
operations may be located in shopping centers, office parks, or other locations that are
convenient for clients.

Marsh also operates virtually, providing digital services and support to clients through online
platforms and mobile apps. These virtual operations allow clients to access Marsh's services
and support from anywhere with an internet connection, making it easier for them to manage
their insurance and risk management needs remotely.
Assignment 2 - Business Continuity Plans Thomas Vaillant (316167)

c) Identify if there are any critical suppliers or customers.

Firstly, Marsh works closely with a range of insurance companies to provide insurance
coverage to its clients. These insurers are critical suppliers to Marsh, as they provide the
products and services that Marsh needs to offer insurance coverage and policies to its clients.

IT vendors are also critical suppliers for Marsh, as they provide the technology infrastructure,
software, and support that the company needs to operate effectively and efficiently in today's
digital economy. Without this critical supplier, Marsh would not be able to provide the high
level of service and support that its clients expect.

Finally, Marsh's large corporate clients (such as public companies from different industries)
are critical customers, as they represent a significant source of revenue for the firm. Marsh
works closely with these clients to provide them various risk management and insurance
solutions.

Question 2: Choose TWO risks that could create a major business disruption or
shutdown for the organization (from any of the four risk quadrants). Pick one that has a
higher likelihood of occurring and another that is more unusual and therefore less
probable. For each risk:
a) Describe the risk. Include a description of how likely the risk is to happen.
b) Explain the challenges the risk would cause in maintaining critical functions and
operations. Be sure to connect the two ideas.

First risk: Cyber attack

a) One risk that could create a major business disruption or shutdown for Marsh is a cyber
attack, which falls under the Operational Risk quadrant. A cyber attack is the deliberate
exploitation of computer systems, networks, or devices, typically with the goal of stealing
sensitive information, disrupting operations, or causing other forms of harm.

Cyber attacks are becoming increasingly common and sophisticated, and pose a significant
threat to businesses of all sizes, including Marsh. The likelihood of a cyber attack occurring
is high, as cybercriminals continue to develop new methods and techniques to breach security
systems and steal sensitive information. Marsh is particularly vulnerable to cyber attacks due
to the sensitive nature of the data it handles, including personal and financial information of
clients.

b) A cyber attack on Marsh could cause significant challenges in maintaining critical

functions and operations. For example, a cyber attack could compromise the confidentiality,
integrity, and availability of the company's data and systems, making it difficult or impossible
for employees to provide its insurance brokerage, risk management, and consulting services
to clients, which could result in a loss of business and reputational damage.

Marsh could also experience disruptions to its IT systems and networks, which could impact
its ability to communicate with clients, access critical information, and perform necessary
business functions. This could eventually lead to delays or errors in the delivery of services to
clients,
Assignment 2 - Business Continuity Plans Thomas Vaillant (316167)

Finally, a cyber attack could lead to the theft or loss of sensitive client information, which
could have significant legal and regulatory implications. Marsh is responsible for handling
sensitive client data and an attack that compromises this data could result in legal and
regulatory consequences, such as fines and lawsuits.

Second risk: Natural disaster

a) One risk that could create a major business disruption or shutdown for Marsh is a natural
disaster, which falls under the Hazard Risk quadrant. Natural disasters, such as earthquakes,
hurricanes, and floods, can have severe and unpredictable impacts on businesses and their
operations.

While the likelihood of a natural disaster occurring may be overall relatively low, the
potential impact could be significant. Marsh operates in various regions and countries around
the world, and each location is exposed to different natural disaster risks. For example,
Marsh's offices in coastal areas may be at risk of hurricanes, while offices in
earthquake-prone regions may be vulnerable to seismic activity.

The likelihood of a natural disaster occurring can also vary depending on the region's climate
and other environmental factors. While some areas may experience more frequent natural
disasters, others may be relatively low risk but still susceptible to unexpected events.

b) A natural disaster could create significant challenges in maintaining Marsh's critical

functions and operations. The impact of a natural disaster can be wide-ranging and
unpredictable, and could result in the loss of property, equipment, or data, as well as the
displacement of staff and disruption of communication networks.

For example, damage to buildings and infrastructure could render offices unusable and
disrupt the company's ability to communicate with clients and access critical information,
which could affect the delivery of services to clients.

It could also lead to the loss or destruction of critical data and systems, leading to the loss of
client data, financial records, and other critical information.

Finally, a natural disaster could impact Marsh's workforce and their ability to perform
essential job functions potentially leading to staff displacement. As staff displacement may
occur, services to clients would be significantly impacted.

Question 3: Choose ONE of the risks from question 2. Identify and explain the top
TWO strategies the organization could take to maintain its critical functions and
operations if the risk occurred.

Risk chosen: Natural disaster

In case a natural disaster occurs at a particular location, Marsh could adopt the alternative site
model strategy, which involves identifying and setting up alternative physical locations where
they can function and operate as primary sites. These alternative sites are equipped with the
necessary infrastructure, equipment, and resources to allow for continued business
operations.
Assignment 2 - Business Continuity Plans Thomas Vaillant (316167)

For example, Marsh could set up an alternative site in a location outside of the area affected
by the natural disaster, such as a neighboring city or state. The site would be equipped with
backup systems, data storage, and communication systems to ensure continuity of critical
business operations. This would help to minimize the impact of the disaster on Marsh's
operations, by ensuring that Marsh's operations can continue to function while the affected
location is being restored and prevent prolonged disruptions that could have negative
consequences for the business. This strategy would also enable Marsh to maintain
communication with employees, clients, and suppliers, ensuring that critical information is
shared and important tasks are completed even in the midst of a natural disaster.

In case of a natural disaster, Marsh could also adopt the contingency model strategy, which
involves having a pre-established plan in place to address potential risks and disruptions. The
company could benefit from it by quickly identifying and assessing the impact of the disaster,
activating the necessary resources and procedures, and implementing a coordinated response
to minimize the impact on critical functions and operations. This contingency plan could
include backup power generators and alternative communication systems in case of power
outages and communication disruptions. It could also involve a designated team that is
responsible for assessing the damage and making decisions about relocating employees or
activating alternative work arrangements.

The contingency model strategy would allow Marsh to maintain critical functions and
operations by providing a clear roadmap for responding to the natural disaster. The
pre-established plan would allow Marsh to quickly activate resources and procedures,
minimizing downtime and disruption. By having backup systems and alternative work
arrangements in place, the organization could continue to provide essential services and
maintain operations even in the face of a natural disaster. This would prevent significant
disruptions to critical functions and operations, such as client communication and claims
processing, ultimately reducing the impact on the organization's reputation and financial
performance.

Question 4: How does the organization maintain a BCM/BCP culture? If it doesn’t, how
could it?

Overall, Marsh maintains a relatively strong BCM/BCP culture. Firstly, top-level leadership
supports and promotes a culture of BCM/BCP within the organization. As an example, it
participates in BCM/BCP activities, allocates significant resources for the development of
BCM/BCP and always makes sure to communicate the importance of BCM/BCP to
employees.

Marsh also provides regular training and awareness programs to employees to educate them
on the importance of BCM/BCP and how it can contribute to maintaining critical functions
and operations in the event of a disruption. Training usually includes tabletop exercises,
simulations, and other similar activities, allowing employees to practice their roles and
responsibilities in the event of a disruption.

Furthermore Marsh regularly reviews its BCM/BCP plans to ensure that they are effective
and up-to-date. Risk assessments as well as testing and exercising plans are continuously
updated, while it always makes sure to identify areas for improvement.
Assignment 2 - Business Continuity Plans Thomas Vaillant (316167)

Finally, BCM/BCP are well integrated with the different business functions such as risk
management, IT, and operations, helping to ensure that the organization is well-prepared to
handle disruptions and maintain critical functions and operations.

Question 5: If the organization had a BCM/BCP in place prior to COVID-19, how well
did the plan prepare the organization for the pandemic? If the organization did not
have a BCM/BCP in place, reflect on how this impacted the organization’s response.

Although Marsh has an important BCM/BCP in place to face potential important black swan
events and a strong BCM/BCP culture, it’s hard to confirm that it was well suited to directly
face the effects of the pandemic on its critical functions and operations. However, compared
to different similar organizations, Marsh was able to somehow limit COVID’s negative
impacts on its activities.

Firstly, COVID forced Marsh to make very quick and sometimes uncalculated decisions
about transitioning to remote work, implementing social distancing measures, etc. Such fast
and massive disruptions (i.e. lockdowns) almost never happened in the past, making it hard
for Marsh to have predicted and adapted its BCM/BCP beforehand. As mentioned in the
responses above, cyber attacks and natural disasters are rare events, but companies are
generally more aware of their likelihood and potential occurrence. Therefore, Marsh's
BCM/BCP was better suited for facing known rare events than a pandemic, which negatively
impacted their response. This resulted in delays and temporarily decreased productivity as
employees were trying to adapt to a new working environment they had never been made
aware could happen.

Despite facing challenges with the short-term effects of COVID-19, Marsh was able to
effectively maintain its critical functions and operations due to its overall strong BCM/BCP
culture described above, which positively impacted the company. This was achieved through
clear and effective communication with suppliers, employees, and clients, which helped them
navigate through the uncertainty caused by the pandemic. Although the company was not
able to predict the immediate impacts of the pandemic, its established lines of communication
allowed for a smoother response to the crisis.

In summary, Marsh's BCM/BCP culture was instrumental in enabling the company to

function well during the pandemic, even though the plan was not specifically tailored to
address such an event.