Business Continuity Management for Risk Managers.
What is BCP?
• BCP - Business Continuity Planning – The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources.
Where Are We Going?
• More Integrated Solution
– Business Continuity
– Disaster Recovery
– Emergency Response
– Crisis Management
– Risk Management
Under the banner of Business Continuity Management
Business Continuum
Pre-Incident Planning
• Risk Assessment/Mitigation/Prevention
– Physical
– Logical (Technology)
• Supply Chain
– Vendor management
– Inventory Control
• BCP Creation
– Crisis Management
– Emergency Response
– Disaster Recovery
– Business Recovery
Incident Occurs
• Evacuation
– Life & Safety
• Incident/Crisis Management
• BCP activation
– Business Recovery: Relocation, Processing, Reprioritize Product/Customer
– Technology Recovery: Data Recovery, Processing Recovery
Post Incident
• Repair/Restoration
• Claims Processing
• Increase Production Levels
• Lessons Learned
– Mitigation/Prevention
Legislative Landscape
Post-9/11 Surge in Business Continuity Regulations and Standards
Pre-9/11 (1991 - 2001):
• Consumer Credit Protection Act
• OMB Circular A-130
• FEMA Guidance Document
• Paperwork Reduction Act
• ISO 27002 (Previously ISO 17799)
• FFIEC BCM Handbook
• Computer Security Act
• 12 CFR Part 18
• Presidential Decision Directive 67
• FDA Guidance on Computerized Systems used in Clinical Trials
• ANSI/NFPA Standard 1600
• Turnbull Report (UK)
• ANAO Best Practice Guide (Australia)
• SEC Rule 17a-4
• FEMA FPC 65
• CAR
Post-9/11 (2002 - 2010):
• Sarbanes-Oxley Act of 2002
• HIPAA, Final Security Rule
• FFIEC BCM Handbook - 2003/2008
• Fair Credit Reporting Act
• NASD Rule 3510
• NERC Security Guidelines
• FERC Security Standards
• NAIC Standard on BCM
• NIST Contingency Planning Guide
• FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
• NYSE Rule 446
• California SB 1386
• Australia Standards BCM Handbook
• GAO Potential Terrorist Attacks Guideline
• Federal and Legislative BC Requirements for IRS
• Basel Capital Accord
• MAS Proposed BCM Guidelines (Singapore)
• NFA Compliance Rule 2-38
• FSA Handbook (UK)
• BCI Standard, PAS 56 (UK)
• Civil Contingencies Bill (UK)
Also on the timeline:
• FPC 65
• NYS Circular Letter 7
• ASIS
• State of NY
• FIRM White Paper on CP
• NISCC Good Practices (Telecomm)
• Australian Prudential Standard on BCM
• HB221
• HB292
• BS25999
• SS507 – SS540
• TR19
• CA Z1600
• ISO/PAS 22399
• DRII (SDO)
• Title IX – 110-53
• PS Prep
Title IX – 110-53
a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster/emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations with experience/expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
Approved Standards (DHS Decides)
• ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition).
• British Standards Institution 25999 (2007 Edition) - Business Continuity Management (BS 25999:2006-1 Code of practice for business continuity management and BS 25999:2007-2 Specification for business continuity management).
• National Fire Protection Association 1600 - Standard on Disaster/Emergency Management and Business Continuity Programs, 2007 and 2010 editions.
How It Works
(Diagram of the program structure; labels on the slide: DHS, ANSI-ANAB, In progress - ANSI)
Next Steps
• Creation of Accreditation Rules (AR) for Training of “Certification Bodies”
– Approved by ANSI-ANAB
– Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
– Potential CB’s Must Take Course and Pass Examination
• As of this Moment No Organization
– Has Been Approved to Accredit Certifying Bodies
– Has been Grandfathered into Compliance with PS-Prep
NFPA/DRI Audit Course Certification
• DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved.
• ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies as well as ASTM E2659 - 09e1 Standard Practice for Certificate Programs and recognized by ANSI-ANAB
• Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only)
• This Certificate will Be Required to Seek CBCA/CBCLAs
• DRI International will maintain recertification through continuing education (RABQSA requirement)
Public/Private Sector Landscape
(Diagram of the five disciplines that make up the landscape: Business Continuity, Risk Management, Crisis Management, Emergency Management, Disaster Recovery)
Risk Management
– Prevention/Mitigation
– Risk Retention
– Risk Transfer
Risk Management has been around for a while
Even the ancients practiced a form of risk management.
Question: who invented the first fire protection system (hint: it was semi-automatic)?
Answer: The Egyptians
We all practice risk management
Example of risk transfer: Car/Home Insurance
Example of risk retention: Deductible
Crisis Management
– Crisis Communication
• Employees
• Media
• Authorities
• Stakeholders
Crisis Management is a relatively new discipline
• New “poster child” of how NOT to do good crisis management is……? Toyota?? BP??
• Example of a company that practiced good crisis management, and still prospers to this day…? Johnson & Johnson, Tylenol!!
• The advent of instant worldwide communications mandates good crisis management for business survival
Emergency Management
– First Responders
– Emergency Services
• Police
• Fire/Rescue
– Incident Command System
Emergency Management has distant roots as well
First U. S. fire department?
Answer: Philadelphia – 1736, Ben Franklin
First Responders
Effective????
Emergency Response
• Training: drills…practice, practice, practice!
• Planning: pre-plans with emergency services
• Communication: 911, Emergency Notification Systems
• Coordination of efforts: Incident Command System (ICS)
Disaster Recovery
– Data Recovery
– Processing Recovery
Disaster Recovery is a relatively new concept
• Late 1960’s early 1970’s – introduction of computer mainframes
• Question: Who created the first disaster recovery (DR) plan?
Answer: The first data center manager who realized the problem if they lost their data, and made a copy and took it home each night.
Disaster Recovery is a relatively new concept cont.
• Late 1980’s - PCs become prevalent
• 1990’s – LANs & WANs
• 2000’s - Web-based computing
• Future – Who knows! The Cloud???
Business Continuity
• Had its roots in DR
• Realization: it takes more than just data and applications to continue the business
• BC is a process, not a transaction
BCM Life Cycle (diagram): Risk Assessment, Business Impact Analysis, Strategy Selection, Plan Develop/Execution, Plan Test & Maintenance
Business Continuity Management / Enterprise Risk Management
(Diagram of the five disciplines under the BCM/ERM umbrella: Business Continuity, Risk Management, Crisis Management, Emergency Management, Disaster Recovery)
Who Needs BCM?
Industries / Sectors
Who Needs BCM?
By Size
Is business continuity scalable?
Example: Bob’s Dry Cleaning
• Risk management
– Fire prevention program
– Automatic sprinklers
– Insurance
• Crisis management
– Media contacts
– Customer lists
• Emergency Management
– Emergency services pre-plan
– 911
Example: Bob’s Dry Cleaning cont.
• Disaster Recovery
– Back-up data: Inventory, Accounts receivable, Accounts payable, Client list
– Identify back-up hardware: Server, PC, Web-based computing
Example: Bob’s Dry Cleaning cont.
• Business Continuity
– Location strategy: Purchase, Lease/rent
– Processing strategy: Outsourcing, Mutual aid
– Communication strategy: Media, E-mail, Social media
Challenge for Business Continuity in the U.S. going forward:
Business Continuity must be a common business practice throughout all private and public sector organizations, regardless of size.
DRI International – Who Are We?
• A Non-Profit Organization Committed to:
– Promoting a base of common knowledge for the continuity management industry
– Certifying qualified individuals in the discipline of Business Continuity
– Promoting the credibility and professionalism of certified individuals
• Celebrated our Twentieth Anniversary in 2008.
• The Industry’s Premier Education and Certification Program Body
DRI International – Who Are We?
• DRI International has Certified INDIVIDUALS in over 95 Countries.
• DRI International conducts training courses in over 45 countries.
• More individuals choose to maintain their certification through us than all other organizations in our industry combined (over 7,500 individuals as of 2009).
• DRI International certifies individuals and teaches in English, Spanish, French, Japanese, Mandarin, and Russian.
• Conducts courses for: Insurance, Audit, Small and Medium Sized Businesses.
Questions?