March 2013 DRI Presentation
Management for Risk Managers
Where Are We Going?
• More Integrated Solution
– Business Continuity
– Disaster Recovery
– Emergency Response
– Crisis Management
Business Continuum
Pre-Incident Planning
– Risk Assessment/Mitigation/Prevention
» Physical
» Logical (Technology)
– Supply Chain
» Mitigation/Prevention
» Vendor management
Incident Occurs
– Evacuation
» Life & Safety
– Incident/Crisis Management
– BCM
» Business Recovery
» Relocation
Post Incident
– Repair/Restoration
– Claims Processing
– Increase Production Levels
– Lessons Learned
Reducing Effects
– BCM - Deals with Effects
• What are the Implications of failing to mitigate or prevent?
– Preparation
» Structure, planning, resources, testing
– Execution
» Relocation, operating under duress
How Does BCM Address Enterprise Risk Management?
Upside Risk (Opportunity)
– New Markets - Locations
– Expanded Distribution Channels
– Research & Develop Products
– New Technologies
– Economies of Scale
– Competitor Activity
Downside Risk (Operational Failure)
– Financial Controls
– Monitoring/Reporting
– Change
Operational Risk is the risk that a business does not meet its obligations to its stakeholders due to an erosion of value or operational failure.
Why BCM?
(Diagram: External Drivers and their Effects)
Post-9/11 Surge in Business Continuity Regulations and Standards
(The slide groups these as Pre-9/11 and Post-9/11; the column layout did not survive extraction, so the items are listed in the order they appear.)
• Sarbanes-Oxley Act of 2002
• HIPAA, Final Security Rule
• FFIEC BCM Handbook - 2003/2008
• FPC 65
• Fair Credit Reporting Act
• NYS Circular Letter 7
• NASD Rule 3510
• ASIS
• NERC Security Guidelines
• State of NY FIRM White Paper on CP
• FERC Security Standards
• NISCC Good Practices (Telecomm)
• Australian Prudential Standard on BCM
• NAIC Standard on BCM
• HB221
• NIST Contingency Planning Guide
• HB292
• FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
• BS25999
• Consumer Credit Protection Act
• SS507 – SS540
• OMB Circular A-130
• TR19
• FEMA Guidance Document
• CA Z1600
• Paperwork Reduction Act
• NYSE Rule 446
• ISO/PAS 22399
• ISO 27002 (Previously ISO17799)
• California SB 1386
• FFIEC BCM Handbook
• Australia Standards BCM Handbook
• Computer Security Act
• GAO Potential Terrorist Attacks Guideline
• 12 CFR Part 18
• Presidential Decision Directive 67
• DRII (SDO)
• Federal and Legislative BC Requirements for IRS
• FDA Guidance on Computerized Systems used in Clinical Trials
• Basel Capital Accord
• ANSI/NFPA Standard 1600
• MAS Proposed BCM Guidelines (Singapore)
• Turnbull Report (UK)
• ANAO Best Practice Guide (Australia)
• NFA Compliance Rule 2-38
• SEC Rule 17 a-4
• Title IX – 110-53
• FSA Handbook (UK)
• FEMA FPC 65
• BCI Standard, PAS 56 (UK)
• CAR
• Civil Contingencies Bill (UK)
Title IX – 110-53
a. Goal of the new program is to provide a method to independently certify
the emergency preparedness of private sector organizations, including their
disaster / emergency management and business continuity programs. The
program focuses on certifying the preparedness of businesses and other
private sector entities, and does not involve any individual professional
certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the
program. Consultation with a variety of organizations and various sectors is
required by the legislation. Program development will likely include
involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party
organizations with experience / expertise in managing and implementing
voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is
referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not
be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
DHS Decides
Approved Standards
• ASIS International SPC.1-2009 Organizational Resilience:
Security Preparedness, and Continuity Management System –
Requirements with Guidance for use (2009 Edition).
• British Standards Institution 25999 (2007 Edition) - Business
Continuity Management (BS 25999-1:2006 Code of practice
for business continuity management and BS 25999-2:2007
Specification for business continuity management).
• National Fire Protection Association 1600-Standard on
Disaster / Emergency Management and Business Continuity
Programs, 2007 and 2010 editions.
How It Works
(Diagram: DHS; ANSI-ANAB; in progress - ANSI)
Next Steps
– Approved by ANSI-ANAB
– Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
– Potential CB’s Must Take Course and Pass Examination
Who Needs BCM?
(Charts: by Industries / Sectors and by Size)
BCM Methodology
Ensuring a consistent approach
• Identifying
• Analyzing
• Designing
• Executing
• Testing
BCM Plan Life Cycle
– Risk Assessment
– Business Impact Analysis
– Strategy Selection
– Plan Develop / Execution
– Plan Test & Maintenance
Process Mapping
Program Policies & Procedures
– Policy statement
– Management commitment
– Program procedures and resources
– Roles, responsibilities, and authorities
Analysis
– Risk assessment
– Impact analysis
– Criticality analysis
– Resource analysis
– Analysis of legal and other requirements
Planning
– Prioritization
– Objectives and targets
– Strategic and tactical plans for prevention, deterrence, readiness, mitigation, response, continuity, and recovery
Checking and Evaluation
– Exercises and testing
– Nonconformity and problem analysis
– Internal audits (system)
Review, Maintenance, Improvement
– Corrective action process (acting on problems)
– Program revision and improvement
Questions?