
Contingency Planning - Critical element of an ERM program

Robert Serena
May 5, 2018
Executive Summary
Contingency Planning (CP) is critical to an organization’s ability to recover from a business disruption event in a
timely and cost-effective fashion. A robust and well-developed CP program is an integral component of a broader
Enterprise Risk Management (ERM) program, and can oftentimes be the critical element in determining whether
that organization survives as a going-concern or ceases operations. The CP program provides answers to the 3
simple questions that would be posed by the employees of an organization:

• What actions do I need to take?
• When do I need to take these actions?
• Where do I need to go?

CP is composed of the following core activities:

• Business Resumption or Business Continuity – This term refers to a comprehensive plan/strategy (aka Business
Continuity Plan - BCP) that is codified in the form of a written document that outlines, in detail, the
organizational context, frameworks, policies and procedures, critical activities (both revenue generating and
functional) with economic values attached, key assets (human, technological, and physical) with economic
values attached, and vendor relationships and regulatory drivers that underpin that organization’s strategy to
resume business operations in the event of a business disruption event. Two of the critical activities that
underpin the BCP are the Business Impact Assessment (BIA) and Risk Management Assessment (RMA) – both
are described in more detail below.
• Disaster Recovery (DRP) – This term refers to a comprehensive plan/strategy that, much like the BCP, is codified
in the form of a written document that outlines the firm’s critical technology assets - IT systems, applications,
telecommunications equipment, data, etc. - and a detailed plan to restore each asset to a defined level of
operational availability based on the relative criticality of that asset.
• Crisis Management – This term refers to the overarching strategy that governs how an organization responds
to and manages crisis situations – providing status updates on business resumption activities to employees,
providing support to employees and their families during the event, general communications with external
business partners and regulators, communications with employees and contractors, communications with the
press, etc.

There are a wide range of business disruption events that could adversely impact an organization’s business
activities, including but not limited to:

• Natural disasters
    • Earthquake
    • Tsunami
    • Flood
    • Fire
    • Wind
    • Pandemic
• Man-made events
    • Terrorist attacks
    • Cyber attacks
    • Biological agent attack

Business Impact Assessment (BIA)/Risk Management Assessment (RMA)


Business Impact Assessments and Risk Management Assessments are tightly linked via the critical business activities
that a firm is required to execute daily to continue as a going-concern. These activities take two forms – (1)
Commercial or revenue-generating activities and (2) Corporate overhead or shared services activities that support
commercial activities (e.g. payroll, human resources, financial reporting, supply chain, facilities maintenance, legal,
risk management, etc.). The initial step in performing both a BIA and RMA is to identify and inventory all such
activities, and then map each activity to the supporting assets and infrastructure (e.g. people, processes, technology
assets, facilities, balance sheet capacity, etc.) that enable that activity.

A BIA is a structured methodology that is used to rank these activities from “MOST CRITICAL” to “LEAST CRITICAL”
along one or more measurement dimensions – economic, reputational, regulatory, etc. This ranking process helps
the organization’s executive team to prioritize and time-sequence the firm’s restoration of these critical activities.
Exhibit 1 below illustrates the dependency relationship between a given business activity (the delivery of a
service for revenue, the production of a product for revenue, or the execution of a support activity) and the
people, processes, and technology that support it.

EXHIBIT 1 - Relationship between business activities and supporting assets

[Diagram: a Business Activity box at the top, supported by three boxes beneath it: People, Processes, Technology]


While performing a BIA with the relevant business stakeholders, the risk practitioner will identify values for three
key metrics related to CP:

• Recovery Point Objective (RPO) – RPO is defined with reference to individual business activities and their
supporting assets and processes, and is the maximum amount of data related to that activity that can be lost
without an unacceptable business impact. It is expressed as a time measured backwards from the disruption
event: the age of the most recent usable backup (or replica) at the moment the event occurs, and therefore the
amount of new data generated since that backup. In practice the backup or replication interval must be no
longer than the RPO, because the worst-case data loss equals the full interval, not the average.
• Recovery Time Objective (RTO) – Much like the RPO, the RTO is defined with reference to individual business
activities and their supporting assets and processes, and is the time window after the event within which the
activity must be restored to a defined level of availability. The RTO estimate includes the time required to
reinstall the relevant asset, restore data from the most recently completed backup, and properly secure the
asset so that normal operations can resume.
• Maximum Tolerable Downtime (MTD) – The MTD is also defined with reference to individual business activities
and their supporting assets and processes, and represents the maximum time that the business activity can be
out of commission before the outage presents a material threat to the firm's survival. The RTO for an activity
must therefore be set at or below its MTD; an RTO that exceeds the MTD means the plan tolerates an outage
the business cannot.
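The three recovery parameters above lend themselves to a mechanical consistency check before a plan is signed off. The Python below is an added example and is not part of the original article: it holds a constructed BIA register (hypothetical activity names and hour values), flags any activity whose RTO exceeds its MTD or whose backup interval exceeds its RPO, derives the time-sequenced recovery order, and computes the data actually lost for a disruption at a given time against a constructed backup schedule, showing that the worst-case loss is the full backup interval rather than the average.

```python
"""Consistency checks on BIA recovery parameters (RPO, RTO, MTD).

Added example. REGISTER and the backup timestamps below are constructed,
hypothetical data, not figures from any real assessment.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RecoveryObjective:
    activity: str
    rpo_hours: float              # max tolerable age of the last usable backup at event time
    rto_hours: float              # time allowed to restore to the defined availability level
    mtd_hours: float              # outage length beyond which the firm's survival is threatened
    backup_interval_hours: float  # how often backups actually complete today
    criticality: int              # BIA rank, 1 = most critical


def check_objective(obj: RecoveryObjective) -> List[str]:
    """Return findings for one activity; an empty list means it is consistent.

    RTO <= MTD: otherwise the plan accepts an outage the business cannot survive.
    backup interval <= RPO: otherwise worst-case data loss exceeds the RPO.
    """
    findings = []
    if obj.rto_hours > obj.mtd_hours:
        findings.append(f"{obj.activity}: RTO {obj.rto_hours}h exceeds MTD {obj.mtd_hours}h")
    if obj.backup_interval_hours > obj.rpo_hours:
        findings.append(f"{obj.activity}: backup interval {obj.backup_interval_hours}h "
                        f"exceeds RPO {obj.rpo_hours}h")
    return findings


def validate_plan(objs: List[RecoveryObjective]) -> List[str]:
    """Run check_objective across the whole register."""
    return [f for obj in objs for f in check_objective(obj)]


def recovery_sequence(objs: List[RecoveryObjective]) -> List[str]:
    """Time-sequence restoration: shortest MTD first, BIA rank breaks ties."""
    return [o.activity for o in sorted(objs, key=lambda o: (o.mtd_hours, o.criticality))]


def data_loss_hours(disruption: datetime, backups: List[datetime]) -> Optional[float]:
    """Hours of data lost if the disruption hits at `disruption`.

    Only backups completed at or before the disruption are usable; None means
    no usable backup exists at all.
    """
    usable = [b for b in backups if b <= disruption]
    if not usable:
        return None
    return (disruption - max(usable)).total_seconds() / 3600


def worst_case_loss_hours(backups: List[datetime]) -> float:
    """Worst-case data loss is the longest gap between consecutive backups: a
    disruption just before a backup completes loses the whole interval. That
    value, not the average loss, is what the RPO must cover."""
    times = sorted(backups)
    return max(((b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])), default=0.0)


# Constructed sample register (hypothetical values).
REGISTER = [
    RecoveryObjective("Payment processing", rpo_hours=1, rto_hours=4, mtd_hours=8,
                      backup_interval_hours=0.25, criticality=1),
    RecoveryObjective("Customer portal", rpo_hours=4, rto_hours=24, mtd_hours=12,
                      backup_interval_hours=6, criticality=2),
    RecoveryObjective("Payroll", rpo_hours=24, rto_hours=48, mtd_hours=72,
                      backup_interval_hours=24, criticality=3),
]


def sample_rpo_check() -> Dict[str, object]:
    """Constructed scenario: 6-hourly backups at 00:00, 06:00, 12:00 and 18:00
    on 2018-05-05, a disruption at 17:30, measured against the Customer portal
    RPO of 4 hours."""
    backups = [datetime(2018, 5, 5, h) for h in (0, 6, 12, 18)]
    hit = datetime(2018, 5, 5, 17, 30)
    loss = data_loss_hours(hit, backups)
    return {
        "loss_at_1730": loss,
        "worst_case": worst_case_loss_hours(backups),
        "rpo_met": loss is not None and loss <= 4,
    }


if __name__ == "__main__":
    for finding in validate_plan(REGISTER):
        print("FINDING:", finding)
    print("Recovery order:", recovery_sequence(REGISTER))
    print("RPO check:", sample_rpo_check())
```

Running the script flags only the constructed "Customer portal" entry (its RTO of 24 hours exceeds its MTD of 12 hours, and its 6-hourly backups cannot meet a 4-hour RPO), orders recovery by MTD, and shows a 5.5-hour loss for the 17:30 disruption with a 6-hour worst case; the average loss over a day would be half that, which is why the RPO must be checked against the interval.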

An RMA is a component of the BIA and is used to inform the prioritization of the resumption of business activities
that are vulnerable to a business disruption event. RMAs are also conducted at the individual business activity level
and follow these steps:

• Step 1 – Identify the individual risk factors and vulnerabilities associated with each business activity, and
develop realistic and practical risk scenarios that combine one or more of those risk factors and could adversely
impact the activity.
• Step 2 – Quantify the likelihood and impact of each risk scenario identified in Step 1, assess the current-state
(residual) risk of each business activity given the controls currently aligned against each risk factor, and
compare that residual risk with the firm's stated risk appetite and risk tolerance for the activity.
• Step 3 – Develop risk treatment strategies for each critical activity whose risk profile is outside the firm's risk
appetite. Risk treatment strategies take one of four forms: (1) Risk Acceptance/Retention, (2) Risk Avoidance,
(3) Risk Mitigation, and (4) Risk Transfer.
• Step 4 – Once the treatment decisions from Step 3 are fully implemented, the Risk Management program enters
the monitoring phase, in which the performance of the newly implemented controls is monitored and
incremental refinements are made as required.

Exhibit 2 below illustrates the discrete steps in the Risk Management lifecycle.

EXHIBIT 2 - Steps in the Risk Management lifecycle

[Diagram: a four-step cycle: IT Risk Identification → IT Risk Assessment → Risk Response and Mitigation → Risk and Control Monitoring and Reporting → back to IT Risk Identification]
Exhibit 3 below illustrates the discrete steps in the development of a Contingency Plan, and the table in Appendix
1 provides detailed descriptions of each step.
EXHIBIT 3 – Contingency Planning program development

[Diagram: nine sequential steps, left to right: Establish Context → Procure Executive Support → Establish cross-functional team → Execute Assessments → Strategy Development → Document Development → Periodic plan testing → Awareness Training → Monitoring & Reporting]

Regulatory Impacts
Given the critical importance of having a robust CP program for organizations (both public-sector and private-
sector), it’s not surprising that there are a wide variety of laws, regulations, and US and international best practice
standards that prescribe detailed requirements for CP programs.

A comprehensive list of all laws/regulations, impacted private-sector industries and government agencies, and US
and international best practice standards is quite extensive and beyond the scope of this article, but following are
the key industries and laws in the US:

• Industries/government sectors
    • Banks and other financial institutions
    • Energy – electric utilities and oil & gas
    • Health care – insurance and delivery
    • All US federal government agencies
• Regulations/bodies of law/regulatory agencies
    • Sarbanes-Oxley Act (SOX) – liability of corporate officers for the implementation of effective BCM programs
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Federal Energy Regulatory Commission (FERC) – security standards
    • North American Electric Reliability Corporation (NERC) – security guidelines
    • Federal Financial Institutions Examination Council (FFIEC) – Business Continuity Planning Handbook (2003)
    • Federal Information Security Management Act of 2002 (FISMA)
• Best practice US and international standards
    • International Organization for Standardization (ISO)
        • ISO 9001 – Quality Management
        • ISO 22301 – Business Continuity Management
        • ISO 31000 – Risk Management (risk assessment techniques are covered in the companion standard IEC 31010)
    • National Institute of Standards and Technology (NIST) – Contingency Planning Guide (SP 800-34)
    • Control Objectives for Information and Related Technology (COBIT)
    • Committee of Sponsoring Organizations of the Treadway Commission (COSO) – Enterprise Risk Management Framework

Page 5 of 6
APPENDIX 1 – Description of each phase of the CP process

Establish Context
    Monitor the external environment (competitive, strategic, and regulatory) for emerging catastrophic or
    systemic risks that could potentially impact the organization; this monitoring informs the design of the CP
    program.

Procure Executive Support
    Develop a robust business case that clearly articulates the economic and reputational benefits of a CP
    program, in order to secure executive management support and funding. This step is arguably the most
    critical in the entire process chain: if management does not support the establishment of a formal CP
    program, the likelihood of success is severely diminished.

Establish cross-functional team
    When building an ERM program, achieving buy-in from a large cross-section of stakeholders is critical. Start
    the process early: identify the appropriate subject-matter experts from each impacted functional group and
    invite them to participate in the design of the program.

Execute Assessments
    Develop an engagement model with individuals across the firm and execute the Business Impact
    Assessments and Risk Management Assessments.

Strategy Development
    Use the results of the two assessments to develop a detailed, time-sequenced strategy that lays out which
    business activities, and which supporting assets and processes, will be prioritized for recovery, along with
    the recovery parameters (RPO, RTO, and MTD) that will be adhered to. Part of strategy development is
    identifying alternative assets/resources that can be tapped quickly if the primary assets are unavailable
    (e.g. different suppliers, back-up sites, contractors for temporary staff augmentation, outsourcing of
    functions that are normally performed internally, etc.).

Document Development
    Draft a formal plan document that captures all policies and procedures related to the execution of the
    Contingency Plan: the BCP and the DRP. These are "living, breathing" documents, so it is critical that they be
    thorough and all-encompassing and that they are updated regularly as the business environment and
    internal processes change.

Periodic Plan Testing
    To ensure that the response plans (BCP, DRP) perform as expected when a business disruption event
    occurs, each plan must be subjected to rigorous, periodic testing ahead of any actual event, and the gaps
    found in testing must be fed back into the plan documents.

Awareness Training
    As with any element of an ERM program, a CP program has many stakeholders. When the program is rolled
    out, the Risk Management team should develop practical, focused awareness training tailored to the
    perspective of each stakeholder group.

Monitoring and Reporting
    Once the CP program has been operationalized, the Risk Management team should deploy metrics and
    monitoring tools that track the "operational health" of the CP program and inform incremental adjustments
    to the initial program design as business conditions and internal firm dynamics change.