Business Continuity Management

Business Continuity Management for Risk Managers
What is BCP?
• BCP (Business Continuity Planning): the identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources.
Where Are We Going?
• A more integrated solution, under the banner of Business Continuity Management:
  – Business Continuity
  – Disaster Recovery
  – Emergency Response
  – Crisis Management
  – Risk Management
Business Continuum
(Slide diagram: a timeline running from Pre-Incident Planning, through Incident Occurs, to Post Incident. Labels recovered from the diagram:)
• Pre-Incident Planning
  – Risk Assessment/Mitigation/Prevention
  – BCP Creation: Crisis Management, Emergency Response, Disaster Recovery, Business Recovery
• Incident Occurs
  – Evacuation: Life & Safety
  – Incident/Crisis Management
  – BCP activation: Business Recovery, Vendor management, Relocation, Inventory Control, Processing
  – Reprioritize Product/Customer
  – Technology Recovery, Data Recovery, Processing Recovery
• Post Incident
  – Repair/Restoration: Physical, Logical (Technology)
  – Supply Chain
  – Claims Processing
  – Increase Production Levels
  – Lessons Learned: Mitigation/Prevention
Legislative Landscape
Post-9/11 Surge in Business Continuity Regulations and Standards
• Pre-9/11 (1991 - 2001)
  – Consumer Credit Protection Act
  – OMB Circular A-130
  – FEMA Guidance Document
  – Paperwork Reduction Act
  – ISO 27002 (Previously ISO17799)
  – FFIEC BCM Handbook
  – Computer Security Act
  – 12 CFR Part 18
  – Presidential Decision Directive 67
  – FDA Guidance on Computerized Systems used in Clinical Trials
  – ANSI/NFPA Standard 1600
  – Turnbull Report (UK)
  – ANAO Best Practice Guide (Australia)
  – SEC Rule 17 a-4
  – FEMA FPC 65
  – CAR
• Post-9/11 (2002 - 2010)
  – Sarbanes-Oxley Act of 2002
  – HIPAA, Final Security Rule
  – FFIEC BCM Handbook - 2003/2008
  – Fair Credit Reporting Act
  – NASD Rule 3510
  – NERC Security Guidelines
  – FERC Security Standards
  – NAIC Standard on BCM
  – NIST Contingency Planning Guide
  – FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
  – NYSE Rule 446
  – California SB 1386
  – Australia Standards BCM Handbook
  – GAO Potential Terrorist Attacks Guideline
  – Federal and Legislative BC Requirements for IRS
  – Basel Capital Accord
  – MAS Proposed BCM Guidelines (Singapore)
  – NFA Compliance Rule 2-38
  – FSA Handbook (UK)
  – BCI Standard, PAS 56 (UK)
  – Civil Contingencies Bill (UK)
  – FPC 65
  – NYS Circular Letter 7
  – ASIS
  – State of NY FIRM White Paper on CP
  – NISCC Good Practices (Telecomm)
  – Australian Prudential Standard on BCM
  – HB221
  – HB292
  – BS25999
  – SS507 – SS540
  – TR19
  – CA Z1600
  – ISO/PAS 22399
  – DRII (SDO)
  – Title IX – 110-53
  – PS Prep
Title IX – 110-53
a. The goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
DHS Decides: Approved Standards
• ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for Use (2009 Edition).
• British Standards Institution 25999 (2007 Edition) - Business Continuity Management (BS 25999:2006-1 Code of practice for business continuity management and BS 25999:2007-2 Specification for business continuity management).
• National Fire Protection Association 1600 - Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.
How It Works
(Slide diagram showing the relationship between DHS, ANSI-ANAB and ANSI; the ANSI step is marked "In progress - ANSI".)
Next Steps
• Creation of Accreditation Rules (AR) for Training of “Certification Bodies”
  – Approved by ANSI-ANAB
  – Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
  – Potential CBs Must Take Course and Pass Examination
• As of this Moment No Organization
  – Has Been Approved to Accredit Certifying Bodies
  – Has been Grandfathered into Compliance with PS-Prep
NFPA/DRI Audit Course Certification
• DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved.
• ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, as well as ASTM E2659 - 09e1 Standard Practice for Certificate Programs, and is recognized by ANSI-ANAB
• Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination-only option)
• This Certificate will Be Required to Seek CBCA/CBCLAs
• DRI International will maintain recertification through continuing education (RABQSA requirement)
Public/Private Sector Landscape
(Slide diagram: five overlapping disciplines: Disaster Recovery, Emergency Management, Business Continuity, Risk Management and Crisis Management.)
Risk Management
– Prevention/Mitigation
– Risk Retention
– Risk Transfer
Risk Management has been around for a while
Even the ancients practiced a form of risk management.
Question: who invented the first fire protection system (hint: it was semiautomatic)?
Answer: The Egyptians
We all practice risk management
Example of risk transfer: Car/Home Insurance
Example of risk retention: Deductible
Crisis Management
– Crisis Communication
  • Employees
  • Media
  • Authorities
  • Stakeholders
Crisis Management is a relatively new discipline
• New “poster child” of how NOT to do good crisis management is……? Toyota?? BP??
• Example of a company that practiced good crisis management, and still prospers to this day…? Johnson & Johnson, Tylenol!!
• The advent of instant worldwide communications mandates good crisis management for business survival
Emergency Management
– First Responders
– Emergency Services
  • Police
  • Fire/Rescue
– Incident Command System
Emergency Management has distant roots as well
First U.S. fire department?
Answer: Philadelphia – 1736, Ben Franklin
First Responders: Effective????
Emergency Response
• Training: drills…practice, practice, practice!
• Planning: pre-plans with emergency services
• Communication: 911, Emergency Notification Systems
• Coordination of efforts: Incident Command System (ICS)
Disaster Recovery
– Data Recovery
– Processing Recovery
Disaster Recovery is a relatively new concept
• Late 1960’s early 1970’s – introduction of computer mainframes
• Question: Who created the first disaster recovery (DR) plan?
• Answer: The first data center manager who realized the problem if they lost their data, and made a copy and took it home each night
Disaster Recovery is a relatively new concept (cont.)
• Late 1980’s - PCs become prevalent
• 1990’s – LANs & WANs
• 2000’s - Web-based computing
• Future – Who knows! The Cloud???
Business Continuity
• Had its roots in DR
• Realization: it takes more than just data and applications to continue the business
• BC is a process, not a transaction
(Slide diagram: the BCM Life Cycle as a loop of Risk Assessment, Business Impact Analysis, Strategy Selection, Plan Develop / Execution, and Plan Test & Maintenance.)
(Slide diagram: Disaster Recovery, Business Continuity, Risk Management, Emergency Management and Crisis Management grouped under Enterprise Risk Management and Business Continuity Management.)
Who Needs BCM? Industries / Sectors
Who Needs BCM? By Size
Is business continuity scalable?
Example: Bob’s Dry Cleaning
• Risk management
  – Fire prevention program
  – Automatic sprinklers
  – Insurance
• Crisis management
  – Media contacts
  – Customer lists
• Emergency Management
  – Emergency services pre-plan
  – 911
• Disaster Recovery
  – Back-up data
    • Inventory
    • Accounts receivable
    • Accounts payable
    • Client list
  – Identify back-up hardware
    • Server
    • PC
    • Web-based computing
• Business Continuity
  – Location strategy
    • Purchase
    • Lease/rent
  – Processing strategy
    • Outsourcing
    • Mutual aid
  – Communication strategy
    • Media
    • E-mail
    • Social media
Challenge for Business Continuity in the U.S. going forward:
Business Continuity must be a common business practice throughout all private and public sector organizations, regardless of size.
DRI International – Who Are We?
• A Non-Profit Organization Committed to:
  – Promoting a base of common knowledge for the continuity management industry
  – Certifying qualified individuals in the discipline of Business Continuity
  – Promoting the credibility and professionalism of certified individuals
• Celebrated our Twentieth Anniversary in 2008.
• The Industry’s Premier Education and Certification Program Body
DRI International – Who Are We? (cont.)
• DRI International has Certified INDIVIDUALS in over 95 Countries.
• DRI International conducts training courses in over 45 countries.
• More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 individuals as of 2009)
• DRI International certifies individuals and teaches in English, Spanish, French, Japanese, Mandarin, and Russian.
• Conducts Courses for:
  – Insurance
  – Audit
  – Small and Medium Sized Businesses
Questions?