Building Organizational Resilience Presentation - ISSA Special Interest Group in Security Education...

Building organizational resilience amidst global uncertainty: An overview of business continuity and crisis management for today’s global leaders Bryan Strawser, MBCP, MBCI, CISSP, CEM Principal Consultant & CEO


Page 1: Building Organizational Resilience Presentation - ISSA Special Interest Group in Security Education and Awareness - March 18, 2015 - Bryan Strawser

Building organizational resilience amidst global uncertainty: An overview of business continuity and crisis management for today’s global leaders

Bryan Strawser, MBCP, MBCI, CISSP, CEM
Principal Consultant & CEO

Page 2
Page 3
Page 4
Page 5
Page 6
Page 7: Data Breaches - The Last 24 Months

Company                    Impacted People
Sony Pictures                        6,000
Sally Beauty                        25,000
Neiman Marcus                    1,100,000
Michaels Stores                  3,000,000
Community Health Systems         4,500,000
PF Chang’s                       7,000,000
Home Depot                      56,000,000
Target                          70,000,000
JP Morgan                       76,000,000
Anthem                          80,000,000 (still being evaluated)
eBay                           145,000,000

Copyright © 2015 by Bryghtpath LLC | bryghtpath.com | +1-612-235-6435 | [email protected]

Page 8: Global Standards - Business Continuity and Emergency Management

Business Continuity
• ISO 22301 (formerly BS 25999)
• NFPA 1600
• ASIS Business Continuity Management Standard
• ASIS SPC.1: Organizational Resilience

US Government
• Federal Continuity Directives (FCD 1 / FCD 2)
• Continuity Guidance Circulars (CGC 1 / CGC 2)

Page 9: ISO 22301:2012 - Societal Security – Business Continuity Management Systems

• Formerly BS 25999
• Adopted globally in 2012
• Intersects with other ISO standards
  – Ex: ISO 27001
• Establish and maintain a Business Continuity Management System
• Accreditation
• Certification
  – Implementer / Lead
  – Auditor / Lead

Page 10: Professional Certifications - Business Continuity and Emergency Management

Business Continuity
• Disaster Recovery Institute International
  – Associate Business Continuity Professional (ABCP)
  – Certified Business Continuity Professional (CBCP)
  – Master Business Continuity Professional (MBCP)
• Business Continuity Institute
  – Member, Business Continuity Institute (MBCI)
  – Fellow, Business Continuity Institute (FBCI)

Emergency Management
• International Association of Emergency Managers
  – Associate Emergency Manager (AEM)
  – Certified Emergency Manager (CEM)

Page 11: Business Continuity Regulations - We’re from the government, we’re here to help…

United States
• Federal Financial Institutions Examination Council (FFIEC)
• Securities and Exchange Commission (SEC)
• Financial Industry Regulatory Authority (FINRA)
• Payment Card Industry Standard (PCI)

Page 12: Business Continuity Lifecycle - ISO 22301 Business Continuity Management Lifecycle

• Business Impact Analysis & Risk Assessment
• Develop BC Strategies
• Establish & Implement BC Procedures
• Exercise, Testing, & Maturing

Page 13: Business Impact Analysis & Risk Assessment - Identifying critical business functions & their risks

Business Impact Analysis
• What are the critical business functions at my company?
• How long can they be disrupted?
• How quickly can they be recovered today?
• What is the impact from that disruption to my business?
• BIA Methods

Risk Assessment
• What are the risks to these functions?
• What are our top enterprise risks?
• Risk Assessment Methods

Page 14: Develop BC Strategies - How can I recover my critical functions in the time period needed?

Specific actions to manage your risks and address your opportunities
• Prepare your business for disruption
• Develop Business Continuity Plans
• Implement Business Continuity Solutions

Page 15: Develop BC Strategies - Business Continuity Plans

Core Components of a BC Plan
• Roles & Responsibilities
• Activation process
• Managing the immediate consequences
• Communication plan
• Recover prioritized activities
• Media response
• Process for standing down

Page 16: Establish & Implement BC Procedures - What processes will I follow in a disruption?

Specific defined processes for Business Continuity

Examples:
• Emergency preparedness
• Governance
• Activation

Page 17: Exercise, Testing, & Maturing - How will I exercise and test my plans? Based on those results, how will I improve?

• All plans should be exercised at least annually:
  – Notification
  – Table Top
  – Recovery
  – Fully integrated
• Disaster Recovery
  – Testing DR plans and strategies
• Defined process for capturing lessons learned and applying them to plans and strategies

Page 18: Awareness - Connecting to Security Education and Awareness

Executive Leaders & Board Members
• An understanding of risk across the organization
• Broad, strategic overview of the program
• Clear understanding of decision making rights and their roles
• Metrics & program maturity

Typical Employee
• Emergency procedures
• High-level understanding of business continuity

Critical Function Leaders
• Understanding of how the function connects to the broader business strategically
• Can describe dependencies on technologies and other functions
• Takes ownership of the planning process for the critical function
• Fully understands business continuity & disaster recovery plans for the function

Page 19: Crisis Management - A Component of Business Continuity Management

The active management of a disruption or escalating situation

Items to consider:
• Clear roles and responsibilities
• Decision making rights pre-defined
• Single source of truth for executive & board communication
• Communication products / messages
• Cross-functional coordination

Page 20: Crisis Management - A Simple Framework Example

• Green Team
• Yellow Team
• Red Team

Page 21: Disaster Recovery - Business Continuity for IT Systems

• “Disaster Recovery” generally pertains to the recoverability of IT systems
  – Applications
  – Infrastructure
• Must be closely linked to business continuity capability
• Should heavily utilize the BIA findings to influence a tiered recovery strategy
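The BIA questions on page 13 ("How long can they be disrupted?", "How quickly can they be recovered today?") and the advice here that DR tiers should be driven by BIA findings are two halves of one procedure. The following is an added worked example, not code from the slides or from Bryghtpath: it maps the two BIA questions onto the ISO 22301 terms maximum tolerable period of disruption (MTPD) and recovery time objective (RTO), derives an RTO under the MTPD, assigns each function to a DR tier, flags functions whose current recovery capability would miss the RTO, and lets each IT dependency inherit the most aggressive tier of the business functions that rely on it. The function names, hours, the 75% RTO margin and the tier boundaries are all constructed sample data; the deck does not give any of these.

```python
"""Added example (not from the slides): turn BIA answers into a tiered DR
recovery strategy and flag recovery gaps.

The deck's BIA questions map to two ISO 22301 quantities (the slides do not
name them; this mapping is an assumption of the example):
  "How long can they be disrupted?"          -> maximum tolerable period of
                                                disruption (MTPD), in hours
  "How quickly can they be recovered today?" -> current achievable recovery
                                                time, in hours
The recovery time objective (RTO) the BC strategy must meet is set below
the MTPD so that recovery finishes before the impact becomes intolerable.
All function names, hours and tier boundaries are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BiaRecord:
    function: str
    mtpd_hours: float              # how long the function can be disrupted
    current_recovery_hours: float  # how quickly it can be recovered today
    it_dependencies: List[str]     # applications / infrastructure it relies on


# Constructed tier boundaries: a function lands in the first tier whose
# RTO ceiling (hours) is >= its RTO. Tier 0 is the most aggressive.
TIER_CEILINGS_HOURS = [(0, 4), (1, 24), (2, 72), (3, float("inf"))]


def rto_from_mtpd(mtpd_hours: float, margin: float = 0.75) -> float:
    """Derive an RTO with headroom below the MTPD (assumption: 75% of MTPD,
    a planning convention chosen for this example, not a figure from the deck)."""
    if mtpd_hours <= 0:
        raise ValueError("MTPD must be positive")
    return mtpd_hours * margin


def assign_tier(rto_hours: float) -> int:
    """Return the DR tier whose ceiling accommodates this RTO."""
    for tier, ceiling in TIER_CEILINGS_HOURS:
        if rto_hours <= ceiling:
            return tier
    raise AssertionError("unreachable: last ceiling is infinite")


def analyze(records: List[BiaRecord]) -> List[Dict]:
    """For each function: derive RTO, assign a DR tier, and flag a gap when
    today's recovery capability would not meet the RTO. Most urgent first."""
    results = []
    for r in records:
        rto = rto_from_mtpd(r.mtpd_hours)
        gap = r.current_recovery_hours - rto
        results.append({
            "function": r.function,
            "rto_hours": rto,
            "tier": assign_tier(rto),
            "gap_hours": max(0.0, gap),  # 0 means capability already meets RTO
            "meets_rto": gap <= 0,
            "it_dependencies": r.it_dependencies,
        })
    results.sort(key=lambda x: (x["tier"], -x["gap_hours"]))
    return results


def dependency_tiers(results: List[Dict]) -> Dict[str, int]:
    """Each IT system inherits the most aggressive tier of any business
    function that depends on it; this is how the BIA drives the DR strategy."""
    tiers: Dict[str, int] = {}
    for res in results:
        for dep in res["it_dependencies"]:
            tiers[dep] = min(tiers.get(dep, 99), res["tier"])
    return tiers


# Constructed sample BIA answers (hours).
SAMPLE_BIA = [
    BiaRecord("Payment processing", 4, 12, ["Payments gateway", "Core DB"]),
    BiaRecord("Customer support", 48, 24, ["Ticketing", "Telephony"]),
    BiaRecord("Payroll", 120, 72, ["HR system", "Core DB"]),
    BiaRecord("Marketing analytics", 336, 48, ["Data warehouse"]),
]

if __name__ == "__main__":
    report = analyze(SAMPLE_BIA)
    for row in report:
        status = "OK " if row["meets_rto"] else "GAP"
        print(f"{status} tier {row['tier']} {row['function']:<22} "
              f"RTO {row['rto_hours']:>6.1f}h  gap {row['gap_hours']:>5.1f}h")
    for system, tier in sorted(dependency_tiers(report).items()):
        print(f"  {system:<18} -> DR tier {tier}")
```

With the sample data, "Payment processing" lands in tier 0 with a 9-hour gap (it can be disrupted for 4 hours but takes 12 to recover today), and "Core DB" inherits tier 0 even though payroll, its other consumer, is tier 3. That inheritance step is the point of tying DR to the BIA: a shared system is recovered at the pace of its most time-sensitive dependent function, not its average one.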

Page 22: Case Study - When a drip becomes a flood…

• 2013 Target Corporation HQ Flood
• Primarily impacted non-critical teams
• Flexibility in planning and crisis management framework enabled response despite lack of function-specific plans
• Lessons Learned

Page 23: Advice on Building a BC Program - Practical tips for success

• Keep things simple
• Establish clear governance up-front
• Pick a standard to guide your implementation
• Select the leader of the program carefully
  – Professional certifications / subject matter expertise
  – Presence / Communication skills
• Understand local, regional, country level risk
• Bring in experts where needed to augment
• This is not rocket science!

Page 24: Contact Information - Bryghtpath LLC

Contact Bryan:
Bryan Strawser
Principal Consultant & CEO
Phone: +1-612-235-6435
E-Mail: [email protected]
Twitter: @bryanstrawser

Learn more about our services and how we can help you:
Website: www.bryghtpath.com
Twitter: @bryghtpath
Facebook: facebook.com/bryghtpathllc

Our Consulting Services Include:
• Business Continuity
• Crisis / Emergency Management
• Enterprise Risk Management
• Exercise Design & Facilitation
• Global Intelligence & Security
• ISO Training & Certification
• Travel Risk & Security

Page 25

Building organizational resilience amidst global uncertainty: An overview of business continuity and crisis management for today’s global leaders

Bryan Strawser, MBCP, MBCI, CISSP, CEM
Principal Consultant & CEO