Business Continuity

Business Continuity

Management

for

Risk Managers

Business Continuity

USA

3

What is BCP?

BCP - Business Continuity Planning –

The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected

,

or not so unexpected,

interruptions of these processes and their supporting resources

4

Where Are We Going?

More Integrated SolutionBusiness ContinuityDisaster RecoveryEmergency ResponseCrisis ManagementRisk Management

Under The Banner of

Business Continuity Management

5

Pre-Incident Planning

Risk

Assessment/Mitigation/

Prevention - Physical - Logical (Technology) Supply Chain - Vendor management - Inventory Control BCP Creation - Crisis Management - Emergency Response - Disaster Recovery - Business Recovery

Evacuation - Life & SafetyIncident/Crisis ManagementBCP activation - Business Recovery - Relocation - Processing - Reprioritize Product/Customer - Technology Recovery - Data Recovery - Processing Recovery

Incident Occurs

Post Incident

Repair/Restoration

Claims ProcessingIncrease Production LevelsLessons Learned - Mitigation/Prevention

Business Continuum

Legislative Landscape

7

Consumer Credit Protection Act

OMB Circular A-130

FEMA Guidance DocumentPaperwork Reduction ActISO 27002 (Previously ISO17799)FFIEC BCM HandbookComputer Security Act12 CFR Part 18Presidential Decision Directive 67FDA Guidance on Computerized Systems used in Clinical TrialsANSI/NFPA Standard 1600Turnbull Report (UK)ANAO Best Practice Guide (Australia)SEC Rule 17 a-4FEMA FPC 65CAR

Sarbanes-Oxley Act of 2002

HIPAA, Final Security Rule

FFIEC BCM Handbook -2003/ 2008

Fair Credit Reporting ActNASD Rule 3510NERC Security GuidelinesFERC Security StandardsNAIC Standard on BCMNIST Contingency Planning GuideFRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial SystemNYSE Rule 446California SB 1386Australia Standards BCM HandbookGAO Potential Terrorist Attacks GuidelineFederal and Legislative BC Requirements for IRSBasel Capital AccordMAS Proposed BCM Guidelines (Singapore)NFA Compliance Rule 2-38FSA Handbook (UK)BCI Standard, PAS 56 (UK)Civil Contingencies Bill (UK)

Post-9/11

Pre-9/11

1991 - 2001

2002 -------------------------------------------------------

2010

FPC 65 NYS Circular Letter 7 ASIS State of NY FIRM White Paper on CPNISCC Good Practices (Telecomm)Australian Prudential Standard on BCMHB221HB292BS25999SS507 – SS540TR19CA Z1600ISO/PAS 22399

DRII (SDO)

Title IX – 110-53

Post-9/11 Surge in Business Continuity Regulations and Standards

PS Prep

8

 a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs.  The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.  b.  The program will be voluntary.c.  Key stakeholders are invited to participate in the development of the program.  Consultation with a variety of organizations and various sectors is required by the legislation.  Program development will likely include involvement by a diversity of private sector advisory groups and others.d.  The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.e.  One or more preparedness standards can be designated.  NFPA 1600 is reference by example.f.  Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.g.  Special consideration will be made for small business.h.  Proprietary and confidential information is to be protected.

Title IX – 110-53

Approved StandardsASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition). British Standards Institution 25999 (2007 Edition) - Business Continuity Management.(BS 25999:2006-1 Code of practice for business continuity management and BS 25999: 2007-2 Specification for business continuity management)National Fire Protection Association 1600-Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions. 

DHS Decides

9

How It Works

10

ANSI-ANAB

In progress - ANSI

DHS

Next Steps

Creation of Accreditation Rules (AR) for Training of “Certification Bodies”

Approved by ANSI-ANAB

Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011

Potential CB’s Must Take Course and Pass Examination

As of this Moment No Organization

Has Been Approved to Accredit Certifying Bodies

Has been Grandfathered into Compliance with PS-Prep

NFPA/DRI Audit Course Certification

DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved

ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011,

General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies as well as ASTM E2659 - 09e1 Standard Practice for Certificate Programs

and recognized by ANSI-ANAB

Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only)

This Certificate will Be Required to Seek CBCA/CBCLAs

DRI International will maintain recertification through continuing education (RABQSA requirement)

TITLE IX UPDATE

At ANSI – HSSP (Homeland Security Standards Panel ) - DHS “unveiled” its “Voluntary Private Sector Preparedness Accreditation and Certification Program – Proposed Target Criteria for Preparedness Standard”

Internally developed and will be open for comment when DHS publishes a notice in the Federal Registry

December 24, 2008 DHS files notice for comments in the Federal Register. “We note that the designated officer will consider adoption of the American National Standards Institute (ANSI) National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600)—the standard specifically mentioned in both the statute and the 9/11 Commission’s recommendation—as well as any other private sector preparedness standards submitted for adoption.”

TITLE IX UPDATE

October 15, 2009: Department of Homeland Security (DHS) Secretary Janet Napolitano today announced new proposed standards for a 9/11 Commission-recommended program for the private sector to improve preparedness for disasters and emergencies.

The proposed standards, developed by the National Fire Protection Association, the British Standards Institution and the ASIS International, were selected based on their scalability, balance of interest and relevance to PS-Prep from a group of 25 standards proposed for consideration following the publication of a Federal Register notice in December 2008 announcing the program. Visit: www.fema.gov/privatesectorpreparedness

TITLE IX UPDATE

DHS has published a notice in the Federal Register announcing its intent to adopt the three standards listed below under PS-Prep. The notice also requests public comment on these standards and other programmatic issues:

ASIS International SPC.1-2009 "Organizational Resilience: Security Preparedness, and Continuity Management Systems"

British Standards Institution 25999 "Business Continuity Management"

National Fire Protection Association 1600:2010 "Standard on Disaster / Emergency Management and Business Continuity Programs”

Public/Private Sector Landscape

Business Continuity

Risk Management

Crisis Management

Emergency Management

Disaster Recovery

-

Risk Management

-

Prevention/Mitigation

-Risk Retention

-Risk Transfer

Risk Management has been around for a while

Even the ancients practiced a form of risk management.

Question: who invented the first fire protection system (hint: it was semi-automatic)?

Answer:

The Egyptians

We all practice risk management

Example of risk transfer:Example of risk retention:

Car/Home Insurance

Deductible

Crisis Management

-

Crisis Communication

Employees

Media

Authorities

Stakeholders

Crisis Management is a relatively new discipline

New “poster child” of how NOT to do good crisis management is……?Example of a company that practiced good crisis management, and still prospers to this day…? The advent of instant worldwide communications mandates good crisis management for business survival

Toyota?? BP??

Johnson & Johnson, Tylenol!!

Emergency Management

-First Responders

-

Emergency Services

Police

Fire/Rescue

-Incident Command System

Emergency Management has distant roots as well

First U. S. fire department?

Answer:

Philadelphia – 1736

Ben Franklin

First Responders

Effective????

Emergency Response

Training: drills…practice, practice, practice!

Planning: pre-plans with emergency services

Communication: 911, Emergency Notification Systems

Coordination of efforts: Incident Command System (ICS)

Disaster Recovery

-

Data Recovery

-Processing Recovery

Disaster Recovery is a relatively new concept

Late 1960’s early 1970’s – introduction of computer mainframes

Question: Who created the first disaster recovery (DR) plan?

Answer:

The first data center manager who realized the problem if they lost their data and made a copy and took it home each night

Disaster Recovery is a relatively new concept cont.

1990’s – LANS & WANS2000’s - Web-based computingFuture – Who knows! The Cloud???

Late 1980’s - PCs become prevalent

Business Continuity

Had its roots in DR

Realization: it takes more than just data and applications to continue the business

BC is a process, not a transaction

Risk

Assessment

Identify

Measure

Execute

Analyze

Design

Plan Test &

Maintenance

Plan

Develop /

Execution

Strategy

Selection

Business

Impact

Analysis

BCM

Life Cycle

Business Continuity

Risk Management

Crisis Management

Emergency Management

Disaster Recovery

-

Business Continuity Management

Enterprise Risk Management

Business Continuity

Risk Management

Crisis Management

Emergency Management

Disaster Recovery

-

Business Continuity Management

Enterprise Risk Management

Who Needs BCM?

Industries / Sectors

Who Needs BCM?

By Size

Is business continuity scalable?

Example: Bob’s Dry Cleaning

Risk management

Fire prevention program

Automatic sprinklers

Insurance

Crisis management

Media contacts

Customer lists

Emergency Management

Emergency services pre-plan

911

Example: Bob’s Dry Cleaningcont.

Disaster Recovery

Back-up data

Inventory

Accounts receivable

Accounts payable

Client list

Identify back-up hardware

Server

PC

Web-based computing

Example: Bob’s Dry Cleaningcont.

Business Continuity

Location strategy

Purchase

Lease/rent

Processing strategy

Outsourcing

Mutual aid

Communication strategy

Media

E-mail

Social media

Challenge for Business Continuity in the U.S. going forward:

Business Continuity must be a common business practice throughout all private and public sector organizations, regardless of size.

DRI International – Who Are We?

A

Non-Profit

Organization Committed to:

Promoting a base of common knowledge for the continuity management industry

Certifying qualified individuals in the discipline of Business Continuity

Promoting the credibility and professionalism of certified individuals

Celebrated our Twentieth Anniversary in 2008.

The Industry’s Premier Education and Certification Program Body

DRI International has Certified INDIVIDUALS in over 95 Countries. DRI International conducts training courses in over 45 countries.More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 individuals as of 2009)DRI International certifies individuals and teaches in English, Spanish, French, Japanese, Mandarin, and Russian.Conducts Courses for:Insurance AuditSmall and Medium Sized Businesses

DRI International – Who Are We?

Questions?