BC & RISK MANAGEMENT: CONVERGENCE IS REAL

David Halford – Forsythe Solutions Group
Frank Perlmutter – Strategic BCP

WHY THE CONVERGENCE OF BUSINESS CONTINUITY & RISK MANAGEMENT?

• The convergence of BC and RM has already occurred and continues to evolve
• Regulations, frameworks, and standards reflect a strong theme of management of risk
• Decision-makers gravitate towards Risk Management for its continuous value


RISK MANAGEMENT VS. BUSINESS CONTINUITY

Diagram with two columns, Risk Management and Business Continuity, showing the activities of each:
• Perform Risk Assessment
• Map Business Operations
• Perform Business Impact Analysis
• Develop IT Disaster Recovery Plans
• Develop Business Recovery Plans
• Develop Crisis Management Plans

WHAT IS THE DOMINANT DISCIPLINE?

• There is an overlap of concepts between the two disciplines
  o The Risk Assessment and the Business Impact Analysis are both risk-based tools
  o How they are implemented, and the value they bring, determine whether the process is a sound risk-based model or not
• Risk Management as a discipline is generally leading the way
• Business Continuity is a subset of overall Risk Management


TAKING RISK

There's a fine line between taking a calculated risk and doing something dumb.

Image source: http://blog.hedgebookpro.com/tag/reporting/

AREAS TO EXAMINE

• Risk Management Principles
• Facilitating Program Improvement


RISK MANAGEMENT PRINCIPLES

THE MISSION OF RISK MANAGEMENT

• Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts
• Compliance: evidence of properly implemented standards
• Resilience: ability to identify and remediate infrastructure vulnerabilities that may result in unacceptable impacts


RISK MANAGEMENT PRACTICE AREAS

• Enterprise Risk
• Legal Risks
• BOD/Ethics Risk
• Financial Risk
• Environmental Risk
• Operational Risk
• Business Continuity
• Information Technology Risk
• Third Party Vendor Risk
• Internal Controls

ENTERPRISE RISK VS. OPERATIONAL RISK

• Enterprise Risk Management focuses on mitigating events that negatively impact an organization's supporting infrastructure
  o People, Facilities, Information Technology, Assets
  o Tools: Risk Assessment, Hazard Vulnerability Analysis
• Operational Risk Management focuses on mitigating vulnerabilities in operational business processes
  o Tools: Business Impact Analysis, Downtime Impact Analysis
• Both disciplines manage risk by making decisions (strategic, mitigation, operational, etc.) that balance benefits against risk


ENTERPRISE RM AND BC CROSSING PATHS

Diagram of the domains where Enterprise Risk Management and Business Continuity cross paths:
• Operations
• People
• Technology
• Facilities & Assets
• Governance & Reporting

OPERATIONAL RM AND BC CROSSING PATHS

• Operational Risk Management and BC Planning may cross paths in several places (if you perform these activities correctly)
  o The Business Impact Analysis
  o Mapping Normal Operations
• The Business Impact Analysis provides a prioritization of operational processes and linked supporting resources by gauging impact (e.g. RTOs)
• Mapping (and understanding) normal operations is essential to developing recovery strategies


WHAT INFORMATION IS AVAILABLE?

Risk Management Principles

• A sea of Risk Management regulations, standards, and best practices
• Business Continuity regulations, standards, and best practices are similarly prevalent
• There are similarities and guiding principles throughout all of them
• Focus on the common guiding principles

A SELECTION OF RM REGULATIONS, STANDARDS, & FRAMEWORKS

• ISO 31000
• COSO Framework
• OCEG GRC Capability Model (Red Book)
• FERMA 2002
• ISO/IEC 31010
• COBIT
• NIST SP 800 series (several)
• FFIEC BCP Work Program
• ISO 22301 / 22313
• ISO 27001
• ISO 27005
• ITIL v3


OVERARCHING PRINCIPLES OF RISK MANAGEMENT

• COSO provides an overall framework and principles for Risk Management
• COSO was originally grounded in internal controls; it has since moved to a strategic approach
• Objectives appear on the top of the cube
• The right side of the cube shows that Risk Management must be considered at all levels of an organization
• Risk management activities (the framework's components) appear on the front of the cube

Figure: COSO Enterprise Risk Management – Integrated Framework (the COSO cube)

BUSINESS CONTINUITY & RISK MANAGEMENT: FACILITATING IMPROVEMENT


ESTABLISH AN ENTERPRISE RISK APPETITE

• Align the Program with a Risk view rather than a Response- or Recovery-only view
• Establish risk appetite around the individual risk factors or the overall risk
• Establish a balance between Resiliency & Recovery
• Include a core policy that defines decision-making in the Program Guidance
• Align the remediation budget with the Risk Appetite

OPERATIONAL RESILIENCY VS. TRADITIONAL BC/DR

Traditional BC/DR model:
  Target: minimum acceptable level of performance at time of crisis
  Approach: invoke alternate procedures to recover and resume operations following a significant disruptive event

Operational Resiliency model:
  Target: optimum level of performance, continuously
  Approach: architecture and processes for continuous availability of business operations and IT environments


OPERATIONAL RESILIENCY

Figure: Production vs. Business Continuity, showing a balanced approach focused on returning to the Optimal Performance Level.
  OPL (Optimal Performance Level): optimal production performance capacity
  APL (Acceptable Performance Level): minimal acceptable level for business functions

OPERATIONAL RESILIENCY BALANCE

Figure: the factors that must be balanced:
• Performance (SLA, user experience)
• Growth (organic, M&A)
• Risk (availability, threats)
• IT Disaster Recovery (capability & requirements)
• Governance & Program Framework (requirements)

Cartoon: Copyright © Alex Alexeev: http://www.projectdecisions.org/index-cartoon-riskanalysis1.html


ORGANIZATIONAL TRENDS

Org chart labels: Executive Leadership; Global Business Continuity; Compliance / Audit / Risk Management.

Responsibilities of the Global Business Continuity function:
• Enterprise BC Program Framework / Policy / Governance
• BC Strategy & Planning (business units / sites)
• BC/DR capability & validation governance
• BC/DR compliance & reporting
• Crisis / Incident Management program leadership
• Active member of the Risk Management committee

ORGANIZATIONAL TRENDS

Org chart labels: Executive Leadership; Business Continuity and IT Disaster Recovery as separate functions; stakeholders IT / CTO / CIO and CISO / HR / CIO / Business Units; Compliance / Audit / Risk Management alongside each function.

Business Continuity:
• Enterprise BC Strategy & Planning
• BC Program Governance & Reporting
• BIA & Requirements for DR

IT Disaster Recovery:
• DR Strategy & DR Planning
• DR Program Governance
• Recovery Capability Validation
• DR Compliance & Reporting


ADDING VALUE IN THE NEW CONVERGED WORLD

• Focus on reducing Risk and improving performance
• Establish a functional connection with Business, IT, and Risk Management
• Incorporate the Risk view up front, in Solution Planning and Strategic Initiatives

Diagram: Business drives, empowers, and invests in IT; IT enables business and innovation; both balance Risk.

CALL TO ACTION

• Adopt a holistic Risk Management approach
  o Forget about "BC & DR" as independent disciplines
• Ensure Risk Management & Resiliency is part of corporate strategy
  o Embed risk management in all decision making
• Participate in a structured process to manage all business risks
  o Document and publish processes and standards


QUESTIONS?

Frank Perlmutter – [email protected]
President & Co-Founder, Strategic BCP

David Halford – [email protected]
Practice Manager, BC Services / IT Risk Management
Forsythe Solutions Group