Business Continuity Management

Business Continuity Management for Risk Managers
Lou Drapeau
March 12, 2013
Greater Kansas City Chapter, RIMS
PERK Program
What is BCP?
• BCP - Business Continuity Planning – The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources
Where Are We Going?
• More Integrated Solution
– Business Continuity
– Disaster Recovery
– Emergency Response
– Crisis Management
Under The Banner of Business Continuity Management
Business Continuum
[Figure: Business Continuum, spanning Pre-Incident Planning, Incident Occurs, and Post Incident. Elements shown: Risk Assessment/Mitigation/Prevention; BCM Creation; Supply Chain; Vendor Management; Evacuation (Life & Safety); Emergency Response; Incident/Crisis Management; Crisis Management; Disaster Recovery - Logical (Technology): Technology Recovery, Data Recovery, Processing Recovery; Business Recovery: Relocation, Inventory Control, Processing, Reprioritize Product/Customer; Repair/Restoration - Physical; Claims Processing; Increase Production Levels; Lessons Learned; Mitigation/Prevention.]
Risk Assessment vs. BCM
Cause vs. Effect
– Risk Assessment – Reducing Causal Implications
• Identifies Risk
• Recommends Mitigation/Prevention measures
– Probability
– Cost
– Severity
– BCM - Deals with Effects – Reducing Effects
• What are the Implications of failing to mitigate or prevent
– Preparation
» Structure, planning, resources, testing
– Execution
» Relocation, operating under duress
How Does BCM Address Enterprise Risk Management?
Operational Risk is the risk that a business does not meet its obligations to its stakeholders due to an erosion of value or operational failure.

BCM seeks to mitigate the effects of operational failures.
[Figure: risk spectrum from Upside Risk (Opportunity) to Downside Risk. Items shown, in order: New Markets - Locations, Expanded Distribution Channels, Research & Develop Products, New Technologies, Economies of Scale, Competitor Activity, Compliance, Strategic, Operational Failure, Financial Controls, Monitoring/Reporting, Change.]
Why BCM?
External Drivers
• Pressure From Audit Committees
• Pressure From Financial Institutions
• Pandemic Concern
• New Threats & Risks Since 9/11
• Demands From Customers
• Cost Of Insurance
• Perceived As Competitive Edge
• Reliance On Third Parties (Supply Chain)
• Increased Regulatory And Self-regulated Requirements
Effects
• Loss Of Customers or Inability to Attract New Customers
• Loss Of Revenue
• Decrease In Stock Value
• Increase Of Insurance Premiums
• Loss Of Assets And Employees
• Regulatory Sanctions
Post-9/11 Surge in Business Continuity Regulations and Standards
Pre-9/11 (1991 - 2001)
• Consumer Credit Protection Act
• OMB Circular A-130
• FEMA Guidance Document
• Paperwork Reduction Act
• ISO 27002 (Previously ISO17799)
• FFIEC BCM Handbook
• Computer Security Act
• 12 CFR Part 18
• Presidential Decision Directive 67
• FDA Guidance on Computerized Systems used in Clinical Trials
• ANSI/NFPA Standard 1600
• Turnbull Report (UK)
• ANAO Best Practice Guide (Australia)
• SEC Rule 17 a-4
• FEMA FPC 65
• CAR
Post-9/11 (2002 - 2008)
• Sarbanes-Oxley Act of 2002
• HIPAA, Final Security Rule
• FFIEC BCM Handbook - 2003 / 2008
• Fair Credit Reporting Act
• NASD Rule 3510
• NERC Security Guidelines
• FERC Security Standards
• NAIC Standard on BCM
• NIST Contingency Planning Guide
• FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
• NYSE Rule 446
• California SB 1386
• Australia Standards BCM Handbook
• GAO Potential Terrorist Attacks Guideline
• Federal and Legislative BC Requirements for IRS
• Basel Capital Accord
• MAS Proposed BCM Guidelines (Singapore)
• NFA Compliance Rule 2-38
• FSA Handbook (UK)
• BCI Standard, PAS 56 (UK)
• Civil Contingencies Bill (UK)
• FPC 65
• NYS Circular Letter 7
• ASIS
• State of NY FIRM White Paper on CP
• NISCC Good Practices (Telecomm)
• Australian Prudential Standard on BCM
• HB221
• HB292
• BS25999
• SS507 – SS540
• TR19
• CA Z1600
• ISO/PAS 22399
• DRII (SDO)
• Title IX – 110-53
Not Just IT
“Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology.”
“The planning process should be conducted on an enterprise-wide basis”.
“Business continuity management (BCM) describes a whole of business approach to ensure critical business functions can be maintained, or restored in a timely fashion”
“Business Continuity Management (“BCM”) is an over-arching framework that aims to minimize the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology (“IT”) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations.”
Title IX – 110-53
a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
DHS Decides
Approved Standards
• ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition).
• British Standards Institution 25999 (2007 Edition) - Business Continuity Management (BS 25999-1:2006 Code of practice for business continuity management and BS 25999-2:2007 Specification for business continuity management)
• National Fire Protection Association 1600 - Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.
How It Works
[Figure: How It Works – DHS, ANSI-ANAB, ANSI (in progress).]
Next Steps
• Creation of Accreditation Rules (AR) for Training of “Certification Bodies”
– Approved by ANSI-ANAB
– Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
– Potential CBs Must Take Course and Pass Examination
• As of this Moment No Organization
– Has Been Approved to Accredit Certifying Bodies
– Has Been Grandfathered into Compliance with PS-Prep
NFPA/DRI Audit Course Certification
• DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved
• ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, as well as ASTM E2659 - 09e1 Standard Practice for Certificate Programs, and is recognized by ANSI-ANAB
• Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only)
• This Certificate will Be Required to Seek CBCA/CBCLAs
• DRI International will maintain recertification through continuing education (RABQSA requirement)
Who Needs BCM? Industries / Sectors
Who Needs BCM? By Size
BCM Methodology
Ensuring a consistent approach
• Identifying
• Analyzing
• Designing
• Executing
• Testing
[Figure: BCM Life Cycle – Risk Assessment, Business Impact Analysis, Strategy Selection, Plan Develop / Execution, Plan Test & Maintenance.]
Process Mapping
Program Policies & Procedures
• Policy statement
• Management commitment
• Program procedures and resources
• Roles, responsibilities, and authorities
Analysis
• Risk assessment
• Impact analysis
• Criticality analysis
• Resource analysis
• Analysis of legal and other requirements
Planning
• Prioritization
• Objectives and targets
• Strategic and tactical plans for prevention, deterrence, readiness, mitigation, response, continuity, and recovery
Implementation & Operations Controls
• Operational procedures
• Awareness and training
• Communications and warning
• Document and information control
• Resources and finances
• Incident management (procedures and controls for before, during and after a disruption including prevention, mitigation, response and recovery)
Checking and Evaluation
• Exercises and testing
• Nonconformity and problem analysis
• Internal audits (system)
Review, Maintenance, Improvement
• Corrective action process (acting on problems)
• Program revision and improvement
DRI International – Who Are We?
• A Non-Profit Organization Committed to:
– Promoting a base of common knowledge for the continuity management industry
– Certifying qualified individuals in the discipline of Business Continuity
– Promoting the credibility and professionalism of certified individuals
• Will Celebrate our Twenty-fifth Anniversary in 2013.
• The Industry’s Premier Education and Certification Program Body
• DRI International has Certified INDIVIDUALS in over 95 Countries.
• DRI International conducts training courses in over 45 countries.
• More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 individuals as of 2010)
• DRI International certifies individuals in English, Spanish, French, Japanese, Mandarin (expanding to Portuguese and Russian this year, Italian and Korean early next year)
• Conducts Courses for: Insurance, Audit, Healthcare, Higher Ed
• 2nd Annual conference June 4-8, 2013 in Philadelphia
Questions?