Business Continuity Management for Risk Managers
Lou Drapeau, Greater Kansas City Chapter, RIMS
March 12, 2013, PERK Program
Page 1

Business Continuity Management for Risk Managers

Lou Drapeau, Greater Kansas City Chapter, RIMS, March 12, 2013, PERK Program

Page 2

What is BCP?

• BCP - Business Continuity Planning – The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources

Page 3

Where Are We Going?

• More Integrated Solution

– Business Continuity

– Disaster Recovery

– Emergency Response

– Crisis Management

Under The Banner of Business Continuity Management

Page 4

Business Continuum

Pre-Incident Planning

• Risk Assessment/Mitigation/Prevention
- Physical
- Logical (Technology)

• Supply Chain
- Vendor management
- Inventory Control

• BCM Creation
- Emergency Response
- Disaster Recovery
- Business Recovery
- Crisis Management

Incident Occurs

• Evacuation
- Life & Safety

• Incident/Crisis Management

• BCM
- Business Recovery
- Relocation
- Processing
- Reprioritize Product/Customer
- Technology Recovery
- Data Recovery
- Processing Recovery

Post Incident

• Repair/Restoration

• Claims Processing

• Increase Production Levels

• Lessons Learned
- Mitigation/Prevention

Page 5

Risk Assessment vs. BCM

Cause vs. Effect

– Risk Assessment
• Identifies Risk
• Recommends Mitigation/Prevention measures
– Probability
– Cost
– Severity

– BCM - Deals with Effects
• What are the Implications of failing to mitigate or prevent
– Preparation
» Structure, planning, resources, testing
– Execution
» Relocation, operating under duress

Risk Assessment: Reducing Causal Implications
BCM: Reducing Effects

Page 6

[Figure: risk/opportunity chart with axes labelled Risk, Opportunity, Compliance and Strategic.
Upside Risk: New Markets - Locations; Expanded Distribution Channels; Research & Develop Products; New Technologies; Economies of Scale; Competitor Activity.
Downside Risk: Operational Failure; Financial Controls; Monitoring/Reporting; Change.]

How Does BCM Address Enterprise Risk Management?

Operational Risk is the risk that a business does not meet its obligations to its stakeholders due to an erosion of value or operational failure.

BCM seeks to mitigate the effects of operational failures.

Page 7

Why BCM?

External Drivers

• Pressure From Audit Committees
• Pressure From Financial Institutions
• Pandemic Concern
• New Threats & Risks Since 9/11
• Demands From Customers
• Cost Of Insurance
• Perceived As Competitive Edge
• Reliance On Third Parties (Supply Chain)
• Increased Regulatory And Self-regulated Requirements

Effects

• Loss Of Customers or Inability to Attract New Customers

• Loss Of Revenue
• Decrease In Stock Value
• Increase Of Insurance Premiums
• Loss Of Assets And Employees
• Regulatory Sanctions

Page 8

[Timeline: 1991 - 2001 (Pre-9/11) and 2002 - 2008 (Post-9/11)]

Pre-9/11:
• Consumer Credit Protection Act
• OMB Circular A-130
• FEMA Guidance Document
• Paperwork Reduction Act
• ISO 27002 (Previously ISO 17799)
• FFIEC BCM Handbook
• Computer Security Act
• 12 CFR Part 18
• Presidential Decision Directive 67
• FDA Guidance on Computerized Systems used in Clinical Trials
• ANSI/NFPA Standard 1600
• Turnbull Report (UK)
• ANAO Best Practice Guide (Australia)
• SEC Rule 17a-4
• FEMA FPC 65
• CAR

Post-9/11:
• Sarbanes-Oxley Act of 2002
• HIPAA, Final Security Rule
• FFIEC BCM Handbook - 2003/2008
• Fair Credit Reporting Act
• NASD Rule 3510
• NERC Security Guidelines
• FERC Security Standards
• NAIC Standard on BCM
• NIST Contingency Planning Guide
• FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
• NYSE Rule 446
• California SB 1386
• Australia Standards BCM Handbook
• GAO Potential Terrorist Attacks Guideline
• Federal and Legislative BC Requirements for IRS
• Basel Capital Accord
• MAS Proposed BCM Guidelines (Singapore)
• NFA Compliance Rule 2-38
• FSA Handbook (UK)
• BCI Standard, PAS 56 (UK)
• Civil Contingencies Bill (UK)

Also shown along the timeline:
• FPC 65
• NYS Circular Letter 7
• ASIS
• State of NY FIRM White Paper on CP
• NISCC Good Practices (Telecomm)
• Australian Prudential Standard on BCM
• HB221
• HB292
• BS25999
• SS507 – SS540
• TR19
• CA Z1600
• ISO/PAS 22399
• DRII (SDO)
• Title IX – 110-53

Post-9/11 Surge in Business Continuity Regulations and Standards

Page 9

Not Just IT

“Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology.” “The planning process should be conducted on an enterprise-wide basis”.

“Business continuity management (BCM) describes a whole of business approach to ensure critical business functions can be maintained, or restored in a timely fashion”

“Business Continuity Management (“BCM”) is an over-arching framework that aims to minimize the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology (“IT”) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations.”

Page 10

Title IX – 110-53

a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.

Page 11

Approved Standards

• ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition).

• British Standards Institution 25999 (2007 Edition) - Business Continuity Management. (BS 25999-1:2006 Code of practice for business continuity management and BS 25999-2:2007 Specification for business continuity management)

• National Fire Protection Association 1600-Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.

DHS Decides

Page 12

How It Works

[Diagram: DHS; ANSI-ANAB; In progress - ANSI]

Page 13

Next Steps

• Creation of Accreditation Rules (AR) for Training of “Certification Bodies”
– Approved by ANSI-ANAB
– Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
– Potential CB’s Must Take Course and Pass Examination

• As of this Moment No Organization
– Has Been Approved to Accredit Certifying Bodies
– No Organization has been Grandfathered into Compliance with PS-Prep

Page 14

NFPA/DRI Audit Course Certification

• DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved

• ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies as well as ASTM E2659 - 09e1 Standard Practice for Certificate Programs and recognized by ANSI-ANAB

• Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only)

• This Certificate will Be Required to Seek CBCA/CBCLAs

• DRI International will maintain recertification through continuing education (RABQSA requirement)

Page 15

Who Needs BCM?

Industries / Sectors

Page 16

Who Needs BCM?

By Size

Page 17

BCM Methodology

Ensuring a consistent approach
• Identifying
• Analyzing
• Designing
• Executing
• Testing

BCM Life Cycle:
• Risk Assessment
• Business Impact Analysis
• Strategy Selection
• Plan Develop/Execution
• Plan Test & Maintenance

Page 18

Process Mapping

• Program Policies & Procedures
– Policy statement
– Management commitment
– Program procedures and resources
– Roles, responsibilities, and authorities

• Implementation & Operations
– Controls
– Operational procedures
– Awareness and training
– Communications and warning
– Document and information control
– Resources and finances
– Incident management (procedures and controls for before, during and after a disruption including prevention, mitigation, response and recovery)

• Checking and Evaluation
– Exercises and testing
– Nonconformity and problem analysis
– Internal audits (system)

• Review, Maintenance, Improvement
– Corrective action process (acting on problems)
– Program revision and improvement

• Planning
– Prioritization
– Objectives and targets
– Strategic and tactical plans for prevention, deterrence, readiness, mitigation, response, continuity, and recovery

• Analysis
– Risk assessment
– Impact analysis
– Criticality analysis
– Resource analysis
– Analysis of legal and other requirements

Page 19

DRI International – Who Are We?

• A Non-Profit Organization Committed to:

– Promoting a base of common knowledge for the continuity management industry

– Certifying qualified individuals in the discipline of Business Continuity

– Promoting the credibility and professionalism of certified individuals

• Will Celebrate our Twenty-fifth Anniversary in 2013.

• The Industry’s Premier Education and Certification Program Body

Page 20

DRI International has Certified INDIVIDUALS in over 95 Countries.

DRI International conducts training courses in over 45 countries.

More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 individuals as of 2010)

DRI International certifies individuals in English, Spanish, French, Japanese, Mandarin (expanding to Portuguese and Russian this year, Italian and Korean early next year)

Conducts Courses for: Insurance, Audit, Healthcare, Higher Ed

2nd Annual conference June 4-8, 2013 in Philadelphia

DRI International – Who Are We?

Page 21

Business Continuity Management for Risk Managers

Questions?