Slide 1
Business Continuity Management for Risk Managers
Slide 2
Business Continuity USA
Slide 3
What is BCP?
BCP - Business Continuity Planning: the identification and protection of the business processes required to maintain an acceptable level of operations in the event of sudden, unexpected (or not so unexpected) interruptions of those processes and their supporting resources.
Slide 4
Where Are We Going?
A more integrated solution, bringing together
- Business Continuity
- Disaster Recovery
- Emergency Response
- Crisis Management
- Risk Management
under the banner of Business Continuity Management.
Slide 5
Business Continuum
Pre-Incident Planning
- Risk Assessment / Mitigation / Prevention
  - Physical
  - Logical (technology)
- Supply Chain
  - Vendor management
  - Inventory control
- BCP Creation
  - Crisis Management
  - Emergency Response
  - Disaster Recovery
  - Business Recovery
Incident Occurs
- Evacuation - Life & Safety
- Incident / Crisis Management
- BCP activation
  - Business Recovery: relocation, processing, reprioritize product / customer
  - Technology Recovery: data recovery, processing recovery
Post Incident
- Repair / Restoration
- Claims processing
- Increase production levels
- Lessons learned - mitigation / prevention
Slide 6
Legislative Landscape
Slide 7
Post-9/11 Surge in Business Continuity Regulations and Standards
Timeline shown on the slide: Pre-9/11 (1991 - 2001) and Post-9/11 (2002 - 2010).
Regulations, guidance and standards plotted on the timeline:
- Consumer Credit Protection Act
- OMB Circular A-130
- FEMA Guidance Document
- Paperwork Reduction Act
- ISO 27002 (previously ISO 17799)
- FFIEC BCM Handbook
- Computer Security Act
- 12 CFR Part 18
- Presidential Decision Directive 67
- FDA Guidance on Computerized Systems Used in Clinical Trials
- ANSI/NFPA Standard 1600
- Turnbull Report (UK)
- ANAO Best Practice Guide (Australia)
- SEC Rule 17a-4
- FEMA FPC 65
- CAR
- Sarbanes-Oxley Act of 2002
- HIPAA, Final Security Rule
- FFIEC BCM Handbook (2003 / 2008)
- Fair Credit Reporting Act
- NASD Rule 3510
- NERC Security Guidelines
- FERC Security Standards
- NAIC Standard on BCM
- NIST Contingency Planning Guide
- FRB-OCC-SEC Guidelines for Strengthening the Resilience of the US Financial System
- NYSE Rule 446
- California SB 1386
- Australia Standards BCM Handbook
- GAO Potential Terrorist Attacks Guideline
- Federal and Legislative BC Requirements for IRS
- Basel Capital Accord
- MAS Proposed BCM Guidelines (Singapore)
- NFA Compliance Rule 2-38
- FSA Handbook (UK)
- BCI Standard, PAS 56 (UK)
- Civil Contingencies Bill (UK)
- NYS Circular Letter 7
- ASIS
- State of NY FIRM White Paper on CP
- NISCC Good Practices (Telecomm)
- Australian Prudential Standard on BCM
- HB 221
- HB 292
- BS 25999
- SS 507 - SS 540
- TR 19
- CSA Z1600
- ISO/PAS 22399
- DRII (SDO)
- Title IX, Public Law 110-53
- PS-Prep
Slide 8
Title IX - Public Law 110-53
a. The goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by third-party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced as an example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
Slide 9
Approved Standards (DHS decides)
- ASIS International SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use (2009 edition).
- British Standards Institution BS 25999 (2007 edition), Business Continuity Management (BS 25999-1:2006, Code of practice for business continuity management, and BS 25999-2:2007, Specification for business continuity management).
- National Fire Protection Association NFPA 1600, Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.
Slide 10
How It Works
Diagram on the slide: DHS, then ANSI-ANAB, with the ANSI accreditation step marked "in progress".
Slide 11
Next Steps
- Creation of Accreditation Rules (AR) for training of "Certification Bodies", approved by ANSI-ANAB
- Must comply with ASTM E2659 and be approved by ANSI-CAP or under ISO/IEC 17011
- Potential CBs must take the course and pass the examination
- As of this moment, no organization has been approved to accredit certifying bodies, and none has been grandfathered into compliance with PS-Prep
Slide 12
NFPA/DRI Audit Course Certification
- The DRI/NFPA course is proceeding with ANSI-CAP accreditation for the course; the preliminary application has been approved
- ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, as well as ASTM E2659-09e1, Standard Practice for Certificate Programs, and is recognized by ANSI-ANAB
- Passing the exam will provide a Certificate of Completion (because training is a requirement, there can be no examination-only route)
- This certificate will be required to seek the CBCA/CBCLA credentials
- DRI International will maintain recertification through continuing education (RABQSA requirement)
Slide 13
TITLE IX UPDATE
- At ANSI-HSSP (Homeland Security Standards Panel), DHS "unveiled" its "Voluntary Private Sector Preparedness Accreditation and Certification Program - Proposed Target Criteria for Preparedness Standard"
- Internally developed; open for comment once DHS publishes a notice in the Federal Register
- December 24, 2008: DHS files a notice for comments in the Federal Register. "We note that the designated officer will consider adoption of the American National Standards Institute (ANSI) National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600)—the standard specifically mentioned in both the statute and the 9/11 Commission's recommendation—as well as any other private sector preparedness standards submitted for adoption."
Slide 14
TITLE IX UPDATE
October 15, 2009: Department of Homeland Security (DHS) Secretary Janet Napolitano announced new proposed standards for a 9/11 Commission-recommended program for the private sector to improve preparedness for disasters and emergencies.
The proposed standards, developed by the National Fire Protection Association, the British Standards Institution and ASIS International, were selected based on their scalability, balance of interest and relevance to PS-Prep from a group of 25 standards proposed for consideration following the publication of a Federal Register notice in December 2008 announcing the program. Visit: www.fema.gov/privatesectorpreparedness
Slide 15
TITLE IX UPDATE
DHS has published a notice in the Federal Register announcing its intent to adopt the three standards listed below under PS-Prep. The notice also requests public comment on these standards and other programmatic issues:
- ASIS International SPC.1-2009, "Organizational Resilience: Security, Preparedness, and Continuity Management Systems"
- British Standards Institution BS 25999, "Business Continuity Management"
- National Fire Protection Association NFPA 1600:2010, "Standard on Disaster / Emergency Management and Business Continuity Programs"
Slide 16
Public/Private Sector Landscape
Slide 17
- Business Continuity
- Risk Management
- Crisis Management
- Emergency Management
- Disaster Recovery
Slide 18
Risk Management
- Prevention / Mitigation
- Risk Retention
- Risk Transfer
Slide 19
Risk management has been around for a while
Even the ancients practiced a form of risk management.
Question: who invented the first fire protection system (hint: it was semi-automatic)?
Slide 20
Answer: the Egyptians
Slide 21
We all practice risk management
- Example of risk transfer: car / home insurance
- Example of risk retention: the deductible
Slide 22
Crisis Management
- Crisis Communication
  - Employees
  - Media
  - Authorities
  - Stakeholders
Slide 23
Crisis management is a relatively new discipline
- The new "poster child" of how NOT to do crisis management is......? Toyota?? BP??
- Example of a company that practiced good crisis management, and still prospers to this day...? Johnson & Johnson, Tylenol!!
- The advent of instant worldwide communications makes good crisis management mandatory for business survival
Slide 24
Emergency Management
- First Responders
- Emergency Services
  - Police
  - Fire / Rescue
- Incident Command System
Slide 25
Emergency management has distant roots as well
Question: the first U.S. fire department?
Slide 26
Answer: Philadelphia, 1736 (Ben Franklin)
Slide 27
First Responders: effective????
Slide 28
Emergency Response
- Training: drills... practice, practice, practice!
- Planning: pre-plans with emergency services
- Communication: 911, emergency notification systems
- Coordination of efforts: Incident Command System (ICS)
Slide 29
Disaster Recovery
- Data Recovery
- Processing Recovery
Slide 30
Disaster recovery is a relatively new concept
Late 1960s / early 1970s: introduction of computer mainframes
Question: who created the first disaster recovery (DR) plan?
Slide 31
Answer: the first data center manager who realized the problem if they lost their data, and so made a copy and took it home each night
Slide 32
Disaster recovery is a relatively new concept (cont.)
- Late 1980s: PCs become prevalent
- 1990s: LANs & WANs
- 2000s: web-based computing
- Future: who knows! The cloud???
Slide 33
Business Continuity
- Had its roots in DR
- Realization: it takes more than just data and applications to continue the business
- BC is a process, not a transaction
BCM Life Cycle (drawn on the slide as a cycle):
- Risk Assessment
- Business Impact Analysis
- Strategy Selection
- Plan Development / Execution
- Plan Test & Maintenance
Activity labels around the cycle: Identify, Measure, Analyze, Design, Execute.
Slide 34
- Business Continuity
- Risk Management
- Crisis Management
- Emergency Management
- Disaster Recovery
Under the banner of Business Continuity Management, within Enterprise Risk Management.
Slide 36
Who Needs BCM? Industries / Sectors
Slide 37
Who Needs BCM? By size
Is business continuity scalable?
Slide 38
Example: Bob's Dry Cleaning
- Risk management
  - Fire prevention program
  - Automatic sprinklers
  - Insurance
- Crisis management
  - Media contacts
  - Customer lists
- Emergency management
  - Emergency services pre-plan
  - 911
Slide 39
Example: Bob's Dry Cleaning (cont.)
- Disaster recovery
  - Back up data: inventory, accounts receivable, accounts payable, client list
  - Identify back-up hardware: server, PC, web-based computing
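"Back up data" is only half of Bob's disaster recovery: a backup nobody has ever restored is a hope, not a plan, and the drill habit from the Emergency Response slide applies to data as much as to evacuations. The block below is an added example written for this page; it is not code from the original deck or from DRI International. It archives a set of hypothetical shop records (the file names and their contents are constructed sample data), writes a SHA-256 manifest that is kept separate from the archive, then runs a restore drill into an empty directory and reports any file that is missing or altered. Everything lives in temporary directories, so it runs offline.

```python
"""Added example: nightly backup with an integrity manifest and a restore drill.

Illustrative code written for this page, not part of the original deck or of
any DRI International material.  File names (inventory.csv, receivables.csv,
payables.csv, clients.csv) are hypothetical stand-ins for Bob's records.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample records: the data the shop cannot operate without.
SAMPLE_RECORDS: Dict[str, str] = {
    "inventory.csv": "ticket,item,status\n1001,wool coat,ready\n1002,suit,in-process\n",
    "receivables.csv": "client,amount_due\nAcme Hotel,412.50\n",
    "payables.csv": "vendor,amount\nSolvent Supply Co,180.00\n",
    "clients.csv": "name,phone\nJ. Doe,555-0100\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_sample_data(data_dir: Path) -> None:
    for name, body in SAMPLE_RECORDS.items():
        (data_dir / name).write_text(body)


def make_backup(data_dir: Path, backup_dir: Path) -> Tuple[Path, Path]:
    """Archive every file in data_dir and record a SHA-256 manifest.

    The manifest is written outside the archive so that a damaged or tampered
    archive cannot also carry a matching (fake) manifest.
    """
    archive = backup_dir / "nightly.tar.gz"
    manifest = backup_dir / "nightly.manifest.json"
    file_digests: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(data_dir.iterdir()):
            if path.is_file():
                tar.add(path, arcname=path.name)  # arcname keeps members relative
                file_digests[path.name] = sha256_of(path)
    manifest.write_text(json.dumps(
        {"archive_sha256": sha256_of(archive), "files": file_digests}, indent=2))
    return archive, manifest


def restore_drill(archive: Path, manifest: Path, restore_dir: Path) -> List[str]:
    """Restore into an empty directory and check every file against the manifest.

    Returns a list of problems; an empty list means the backup is restorable.
    """
    problems: List[str] = []
    expected = json.loads(manifest.read_text())
    if sha256_of(archive) != expected["archive_sha256"]:
        problems.append("archive digest mismatch (corrupted or altered archive)")
        return problems  # do not extract an archive that fails its own check
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            # Refuse absolute paths and traversal before anything is written.
            if member.name.startswith(("/", "..")) or "/../" in member.name:
                problems.append(f"unsafe member name: {member.name}")
                return problems
        if hasattr(tarfile, "data_filter"):       # Python 3.12+ (and backports)
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    for name, digest in expected["files"].items():
        restored = restore_dir / name
        if not restored.exists():
            problems.append(f"missing after restore: {name}")
        elif sha256_of(restored) != digest:
            problems.append(f"content mismatch after restore: {name}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Run a healthy drill, then the same drill against a deliberately damaged archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data, backup, restore_ok, restore_bad = (
            root / n for n in ("data", "backup", "restore_ok", "restore_bad"))
        for d in (data, backup, restore_ok, restore_bad):
            d.mkdir()
        write_sample_data(data)
        archive, manifest = make_backup(data, backup)
        healthy = restore_drill(archive, manifest, restore_ok)
        # Simulate media damage: flip the last byte of the archive on "disk".
        raw = bytearray(archive.read_bytes())
        raw[-1] ^= 0xFF
        archive.write_bytes(bytes(raw))
        damaged = restore_drill(archive, manifest, restore_bad)
    return healthy, damaged


if __name__ == "__main__":
    ok, bad = demo()
    print("healthy drill problems:", ok)
    print("damaged drill problems:", bad)
```

The drill deliberately restores into a fresh directory rather than over the live data, and it refuses to extract at all when the archive digest does not match the manifest, which is the failure a shop owner would otherwise discover only on the morning the server is gone.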
Slide 40
Example: Bob's Dry Cleaning (cont.)
- Business continuity
  - Location strategy: purchase, lease / rent
  - Processing strategy: outsourcing, mutual aid
  - Communication strategy: media, e-mail, social media
Slide 41
Challenge for business continuity in the U.S. going forward:
Business continuity must be a common business practice throughout all private and public sector organizations, regardless of size.
Slide 42
DRI International - Who Are We?
A non-profit organization committed to:
- Promoting a base of common knowledge for the continuity management industry
- Certifying qualified individuals in the discipline of business continuity
- Promoting the credibility and professionalism of certified individuals
Celebrated our twentieth anniversary in 2008.
The industry's premier education and certification program body.
Slide 43
DRI International - Who Are We?
- DRI International has certified individuals in over 95 countries.
- DRI International conducts training courses in over 45 countries.
- More individuals choose to maintain their certification through us than through all other organizations in our industry combined (over 7,500 individuals as of 2009).
- DRI International certifies individuals and teaches in English, Spanish, French, Japanese, Mandarin, and Russian.
- Conducts courses for: Insurance, Audit, Small and Medium Sized Businesses
Slide 45
Questions?