March 2013 DRI Presentation


Business Continuity Management for Risk Managers

Lou Drapeau, Greater Kansas City Chapter, RIMS

March 12, 2013, PERK Program
What is BCP?
• BCP - Business Continuity Planning – The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources
Where Are We Going?
• More Integrated Solution
 – Business Continuity
 – Disaster Recovery
 – Emergency Response
 – Crisis Management
 Under The Banner of Business Continuity Management
Business Continuum

Pre-Incident Planning
– Risk Assessment / Mitigation / Prevention
 - Physical
 - Logical (Technology)
 - Supply Chain
  - Mitigation/Prevention
  - Vendor management
  - Inventory Control
– BCM Creation
 - Emergency Response
 - Technology Recovery
 - Disaster Recovery
 - Data Recovery
 - Business Recovery
 - Processing Recovery
 - Crisis Management

Incident Occurs
– Evacuation
– Life & Safety
– Incident/Crisis Management
– BCM
 - Business Recovery
  - Relocation
  - Processing
  - Reprioritize Product/Customer

Post Incident
– Repair/Restoration
– Claims Processing
– Increase Production Levels
– Lessons Learned
Risk Assessment vs. BCM
Cause vs. Effect
– Risk Assessment - Deals with Causes (Reducing Causal Implications)
 • Identifies Risk
 • Recommends Mitigation/Prevention measures
  – Probability
  – Cost
  – Severity
– BCM - Deals with Effects (Reducing Effects)
 • What are the Implications of failing to mitigate or prevent
  – Preparation
   » Structure, planning, resources, testing
  – Execution
   » Relocation, operating under duress
How Does BCM Address Enterprise Risk Management?

Upside Risk (Opportunity)
• New Markets - Locations
• Expanded Distribution Channels
• Research & Develop Products
• New Technologies
• Economies of Scale
• Competitor Activity

Downside Risk (diagram labels: Risk, Compliance, Strategic)
• Operational Failure
• Financial Controls
• Monitoring/Reporting
• Change

• Operational Risk is the risk that a business does not meet its obligations to its stakeholders due to an erosion of value or operational failure.
• BCM seeks to mitigate the effects of operational failures.
Why BCM?

External Drivers
• Pressure From Audit Committees
• Pressure From Financial Institutions
• Pandemic Concern
• New Threats & Risks Since 9/11
• Demands From Customers
• Cost Of Insurance
• Perceived As Competitive Edge
• Reliance On Third Parties (Supply Chain)
• Increased Regulatory And Self-regulated Requirements

Effects
• Loss Of Customers or Inability to Attract New Customers
• Loss Of Revenue
• Decrease In Stock Value
• Increase Of Insurance Premiums
• Loss Of Assets And Employees
• Regulatory Sanctions
Post-9/11 Surge in Business Continuity Regulations and Standards

(Timeline graphic: Pre-9/11, 1991 - 2001; Post-9/11, 2002 - 2008. Regulations and standards named on the slide:)
• Sarbanes-Oxley Act of 2002
• HIPAA, Final Security Rule
• FFIEC BCM Handbook - 2003 / 2008
• FPC 65
• Fair Credit Reporting Act
• NYS Circular Letter 7
• NASD Rule 3510
• ASIS
• NERC Security Guidelines
• State of NY FIRM White Paper on CP
• FERC Security Standards
• NISCC Good Practices (Telecomm)
• Australian Prudential Standard on BCM
• NAIC Standard on BCM
• HB221
• NIST Contingency Planning Guide
• HB292
• FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
• BS25999
• Consumer Credit Protection Act
• SS507 – SS540
• OMB Circular A-130
• TR19
• FEMA Guidance Document
• CA Z1600
• Paperwork Reduction Act
• NYSE Rule 446
• ISO/PAS 22399
• ISO 27002 (Previously ISO17799)
• California SB 1386
• FFIEC BCM Handbook
• Australia Standards BCM Handbook
• Computer Security Act
• GAO Potential Terrorist Attacks Guideline
• 12 CFR Part 18
• Presidential Decision Directive 67
• DRII (SDO)
• Federal and Legislative BC Requirements for IRS
• FDA Guidance on Computerized Systems used in Clinical Trials
• Basel Capital Accord
• ANSI/NFPA Standard 1600
• MAS Proposed BCM Guidelines (Singapore)
• Turnbull Report (UK)
• ANAO Best Practice Guide (Australia)
• NFA Compliance Rule 2-38
• SEC Rule 17 a-4
• Title IX – 110-53
• FSA Handbook (UK)
• FEMA FPC 65
• BCI Standard, PAS 56 (UK)
• CAR
• Civil Contingencies Bill (UK)

Not Just IT

“Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology.”

“The planning process should be conducted on an enterprise-wide basis.”

“Business continuity management (BCM) describes a whole of business approach to ensure critical business functions can be maintained, or restored in a timely fashion.”

“Business Continuity Management (“BCM”) is an over-arching framework that aims to minimize the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology (“IT”) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations.”
Title IX – 110-53
a. The goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
DHS Decides
Approved Standards
• ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition).
• British Standards Institution 25999 (2007 Edition) - Business Continuity Management (BS 25999:2006-1 Code of practice for business continuity management and BS 25999:2007-2 Specification for business continuity management).
• National Fire Protection Association 1600 - Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.
How It Works
(Diagram; labels recoverable from the slide: DHS, ANSI-ANAB, “In progress - ANSI”)
Next Steps
• Creation of Accreditation Rules (AR) for Training of “Certification Bodies”
 – Approved by ANSI-ANAB
 – Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
 – Potential CBs Must Take Course and Pass Examination
• As of this Moment No Organization
 – Has Been Approved to Accredit Certifying Bodies
 – Has Been Grandfathered into Compliance with PS-Prep

NFPA/DRI Audit Course Certification
• DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved.
• ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, as well as ASTM E2659 - 09e1 Standard Practice for Certificate Programs, and is recognized by ANSI-ANAB.
• Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination-only option).
• This Certificate will Be Required to Seek CBCA/CBCLAs.
• DRI International will maintain recertification through continuing education (RABQSA requirement).
Who Needs BCM?
(Chart slide: Industries / Sectors)

Who Needs BCM?
(Chart slide: By Size)
BCM Methodology
Ensuring a consistent approach
• Identifying
• Analyzing
• Designing
• Executing
• Testing

BCM Plan Life Cycle (cycle diagram)
 – Risk Assessment
 – Business Impact Analysis
 – Strategy Selection
 – Plan Develop / Execution
 – Plan Test & Maintenance
Process Mapping

Program Policies & Procedures
• Policy statement
• Management commitment
• Program procedures and resources
• Roles, responsibilities, and authorities

Analysis
• Risk assessment
• Impact analysis
• Criticality analysis
• Resource analysis
• Analysis of legal and other requirements

Planning
• Prioritization
• Objectives and targets
• Strategic and tactical plans for prevention, deterrence, readiness, mitigation, response, continuity, and recovery

Implementation & Operations Controls
• Operational procedures
• Awareness and training
• Communications and warning
• Document and information control
• Resources and finances
• Incident management (procedures and controls for before, during and after a disruption including prevention, mitigation, response and recovery)

Checking and Evaluation
• Exercises and testing
• Nonconformity and problem analysis
• Internal audits (system)

Review, Maintenance, Improvement
• Corrective action process (acting on problems)
• Program revision and improvement
DRI International – Who Are We?

• A Non-Profit Organization Committed to:
 – Promoting a base of common knowledge for the continuity management industry
 – Certifying qualified individuals in the discipline of Business Continuity
 – Promoting the credibility and professionalism of certified individuals
• Will Celebrate our Twenty-fifth Anniversary in 2013.
• The Industry’s Premier Education and Certification Program Body

DRI International – Who Are We?
• DRI International has Certified INDIVIDUALS in over 95 Countries.
• DRI International conducts training courses in over 45 countries.
• More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 individuals as of 2010).
• DRI International certifies individuals in English, Spanish, French, Japanese, Mandarin (expanding to Portuguese and Russian this year, Italian and Korean early next year).
• Conducts Courses for: Insurance, Audit, Healthcare, Higher Ed
• 2nd Annual conference June 4-8, 2013 in Philadelphia

Business Continuity Management for Risk Managers

Questions?
