Business Continuity Management for Risk Managers Lou Drapeau March 12, 2013 Greater Kansas City Chapter, RIMS PERK Program
What is BCP? • BCP - Business Continuity Planning – The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources 2
Where Are We Going? • More Integrated Solution – Business Continuity – Disaster Recovery – Emergency Response – Crisis Management Under The Banner of Business Continuity Management 3
Business Continuum Pre-Incident Planning Risk Assessment/Mitigation/ Prevention Incident Occurs Evacuation Repair/Restoration - Life & Safety - Physical Incident/Crisis Management - Logical (Technology) BCM Supply Chain - Business Recovery - Vendor management - Relocation - Inventory Control - Processing BCM Creation - Emergency Response - Disaster Recovery - Business Recovery 4 - Crisis Management Post Incident - Reprioritize Product/Customer - Technology Recovery - Data Recovery - Processing Recovery Claims Processing Increase Production Levels Lessons Learned - Mitigation/Prevention
Risk Assessment vs. BCM Cause vs. Effect – Risk Assessment Reducing Causal Implications • Identifies Risk • Recommends Mitigation/Prevention measures – Probability – Cost – Severity – BCM - Deals with Effects Reducing Effects • What are the Implications of failing to mitigate or prevent – Preparation » Structure, planning, resources, testing – Execution » Relocation, operating under duress 5
n Upside Risk · · · New Markets - Locations Expanded Distribution Channels Research & Develop Products New Technologies Economies of Scale Competitor Activity BCM seeks to mitigate the effects of operational failures. Risk n Operational Risk is the risk that a business does not meet its obligations to its stakeholders due to an erosion of value or operational failure. Opportunity How Does BCM Address Enterprise Risk Management? Compliance Downside Risk 6 Strategic · · Operational Failure Financial Controls Monitoring/Reporting Change
Why BCM? External Drivers • • • 7 Pressure From Audit Committees Pressure From Financial Institutions Pandemic Concern New Threats & Risks Since 9/11 Demands From Customers Cost Of Insurance Perceived As Competitive Edge Reliance On Third Parties (Supply Chain) Increased Regulatory And Self-regulated Requirements Effects • • • Loss Of Customers or Inability to Attract New Customers Loss Of Revenue Decrease In Stock Value Increase Of Insurance Premiums Loss Of Assets And Employees Regulatory Sanctions
Post-9/11 Surge in Business Continuity Regulations and Standards Post-9/11 Pre-9/11 8 Consumer Credit Protection Act OMB Circular A-130 FEMA Guidance Document Paperwork Reduction Act ISO 27002 (Previously ISO 17799) FFIEC BCM Handbook Computer Security Act 12 CFR Part 18 Presidential Decision Directive 67 FDA Guidance on Computerized Systems used in Clinical Trials ANSI/NFPA Standard 1600 Turnbull Report (UK) ANAO Best Practice Guide (Australia) SEC Rule 17 a-4 FEMA FPC 65 CAR 1991 - 2001 Sarbanes-Oxley Act of 2002 HIPAA, Final Security Rule FFIEC BCM Handbook -2003/ FPC 65 NYS Circular Letter 7 2008 ASIS Fair Credit Reporting Act State of NY FIRM White Paper NASD Rule 3510 on CP NERC Security Guidelines NISCC Good Practices FERC Security Standards (Telecomm) NAIC Standard on BCM Australian Prudential Standard on NIST Contingency Planning BCM Guide HB 221 HB 292 FRB-OCC-SEC Guidelines for BS 25999 Strengthening the SS 507 – SS 540 Resilience of US TR 19 Financial System CA Z 1600 NYSE Rule 446 ISO/PAS 22399 California SB 1386 Australia Standards BCM DRII (SDO) Handbook GAO Potential Terrorist Attacks Guideline Federal and Legislative BC Requirements for IRS Title IX – 110 -53 Basel Capital Accord MAS Proposed BCM Guidelines (Singapore) NFA Compliance Rule 2 -38 2002 ----------------------------2008 FSA Handbook (UK)
Not Just IT “Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology. ” “The planning process should be conducted on an enterprise-wide basis”. “Business continuity management (BCM) describes a whole of business approach to ensure critical business functions can be maintained, or restored in a timely fashion” “Business Continuity Management (“BCM”) is an over-arching framework that aims to minimize the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology (“IT”) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations. ” 9
Title IX – 110 -53 a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification. b. The program will be voluntary. c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others. d. The program will be administered outside of government by 3 rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs. e. One or more preparedness standards can be designated. NFPA 1600 is reference by example. f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated. g. Special consideration will be made for small business. 10 h. Proprietary and confidential information is to be protected.
DHS Decides Approved Standards • ASIS International SPC. 1 -2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition). • British Standards Institution 25999 (2007 Edition) - Business Continuity Management. (BS 25999: 2006 -1 Code of practice for business continuity management and BS 25999: 2007 -2 Specification for business continuity management) • National Fire Protection Association 1600 -Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions. 11
How It Works ANSI-ANAB In progress - ANSI DHS 12
Next Steps • Creation of Accreditation Rules (AR) for Training of “Certification Bodies” – Approved by ANSI-ANAB – Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011 – Potential CB’s Must Take Course and Pass Examination • As of this Moment No Organization – Has Been Approved to Accredit Certifying Bodies – No Organization has been Grandfathered into Compliance with PS-Prep
NFPA/DRI Audit Course Certification • DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved • ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies as well as ASTM E 2659 - 09 e 1 Standard Practice for Certificate Programs and recognized by ANSI-ANAB • Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only) • This Certificate will Be Required to Seek CBCA/CBCLAs • DRI International will maintain recertification through continuing education (RABQSA requirement)
Who Needs BCM? Industries / Sectors
Who Needs BCM? By Size
BCM Methodology Ensuring a consistent approach • Identifying • Analyzing • Designing • Executing • Testing Risk Plan Test & Maintenance Assessment Plan Develop / Execution BCM Life Cycle Strategy Selection Business Impact Analysis
Process Mapping 18
DRI International – Who Are We? • A Non-Profit Organization Committed to: – Promoting a base of common knowledge for the continuity management industry – Certifying qualified individuals in the discipline of Business Continuity – Promoting the credibility and professionalism of certified individuals • Will Celebrate our Twenty-fifth Anniversary in 2013. • The Industry’s Premier Education and Certification Program Body
DRI International – Who Are We? § DRI International has Certified INDIVIDUALS in over 95 Countries. § DRI International conducts training courses in over 45 countries. § More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7, 500 individuals as of 2010) § DRI International certifies individuals in English, Spanish, French, Japanese, Mandarin (expanding to Portuguese and Russian this year, Italian and Korean early next year) § Conducts Courses for: Insurance , Audit, Healthcare, Higher Ed § 2 nd Annual conference June 4 -8, 2013 in Philadelphia
Business Continuity Management for Risk Managers Questions?
Скачать презентацию Business Continuity Management for Risk Managers Lou Drapeau
7c7853b7c41fd4371763164fc4d2c31e.ppt