1 / 40

Business Continuity Management for Risk Managers

Business Continuity Management for Risk Managers. What is BCP?. BCP - Business Continuity Planning –

drucilla
Télécharger la présentation

Business Continuity Management for Risk Managers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Business ContinuityManagementforRisk Managers

  2. What is BCP? • BCP - Business Continuity Planning – The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected,interruptions of these processes and their supporting resources

  3. Where Are We Going? • More Integrated Solution • Business Continuity • Disaster Recovery • Emergency Response • Crisis Management • Risk Management Under The Banner of Business Continuity Management

  4. Business Continuum Pre-Incident Planning Incident Occurs Post Incident Risk Assessment/Mitigation/ Prevention - Physical - Logical (Technology) Supply Chain - Vendor management - Inventory Control BCP Creation - Crisis Management - Emergency Response - Disaster Recovery - Business Recovery Evacuation - Life & Safety Incident/Crisis Management BCP activation - Business Recovery - Relocation - Processing - Reprioritize Product/Customer - Technology Recovery - Data Recovery - Processing Recovery Repair/Restoration Claims Processing Increase Production Levels Lessons Learned - Mitigation/Prevention

  5. Legislative Landscape

  6. Post-9/11 Surge in Business Continuity Regulations and Standards Post-9/11 Sarbanes-Oxley Act of 2002 HIPAA, Final Security Rule FFIEC BCM Handbook -2003/ 2008 Fair Credit Reporting Act NASD Rule 3510 NERC Security Guidelines FERC Security Standards NAIC Standard on BCM NIST Contingency Planning Guide FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System NYSE Rule 446 California SB 1386 Australia Standards BCM Handbook GAO Potential Terrorist Attacks Guideline Federal and Legislative BC Requirements for IRS Basel Capital Accord MAS Proposed BCM Guidelines (Singapore) NFA Compliance Rule 2-38 FSA Handbook (UK) BCI Standard, PAS 56 (UK) Civil Contingencies Bill (UK) FPC 65 NYS Circular Letter 7 ASIS State of NY FIRM White Paper on CP NISCC Good Practices (Telecomm) Australian Prudential Standard on BCM HB221 HB292 BS25999 SS507 – SS540 TR19 CA Z1600 ISO/PAS 22399 PS Prep Pre-9/11 Consumer Credit Protection Act OMB Circular A-130 FEMA Guidance Document Paperwork Reduction Act ISO 27002 (Previously ISO17799) FFIEC BCM Handbook Computer Security Act 12 CFR Part 18 Presidential Decision Directive 67 FDA Guidance on Computerized Systems used in Clinical Trials ANSI/NFPA Standard 1600 Turnbull Report (UK) ANAO Best Practice Guide (Australia) SEC Rule 17 a-4 FEMA FPC 65 CAR DRII (SDO) Title IX – 110-53 1991 - 2001 2002 -------------------------------------------------------2010

  7. Title IX – 110-53  a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs.  The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.  b.  The program will be voluntary.c.  Key stakeholders are invited to participate in the development of the program.  Consultation with a variety of organizations and various sectors is required by the legislation.  Program development will likely include involvement by a diversity of private sector advisory groups and others.d.  The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.e.  One or more preparedness standards can be designated.  NFPA 1600 is reference by example.f.  Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.g.  Special consideration will be made for small business.h.  Proprietary and confidential information is to be protected.

  8. DHS Decides Approved Standards • ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition). • British Standards Institution 25999 (2007 Edition) - Business Continuity Management.(BS 25999:2006-1 Code of practice for business continuity management and BS 25999: 2007-2 Specification for business continuity management) • National Fire Protection Association 1600-Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.

  9. How It Works ANSI-ANAB In progress - ANSI DHS

  10. Next Steps • Creation of Accreditation Rules (AR) for Training of “Certification Bodies” • Approved by ANSI-ANAB • Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011 • Potential CB’s Must Take Course and Pass Examination • As of this Moment No Organization • Has Been Approved to Accredit Certifying Bodies • Has been Grandfathered into Compliance with PS-Prep

  11. NFPA/DRI Audit Course Certification • DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved • ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies as well as ASTM E2659 - 09e1 Standard Practice for Certificate Programsand recognized by ANSI-ANAB • Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only) • This Certificate will Be Required to Seek CBCA/CBCLAs • DRI International will maintain recertification through continuing education (RABQSA requirement)

  12. Public/Private Sector Landscape

  13. Business Continuity • Risk Management • Disaster Recovery • - • Crisis Management • Emergency Management

  14. Risk Management • -Prevention/Mitigation • -Risk Retention • -Risk Transfer

  15. Risk Management has been around for a while Even the ancients practiced a form of risk management. Question: who invented the first fire protection system (hint: it was semi-automatic)?

  16. Answer: The Egyptians

  17. We all practice risk management Car/Home Insurance Deductible Example of risk transfer: Example of risk retention:

  18. Crisis Management • -Crisis Communication • Employees • Media • Authorities • Stakeholders

  19. Toyota?? BP?? Crisis Management is a relatively new discipline New “poster child” of how NOT to do good crisis management is……? Example of a company that practiced good crisis management, and still prospers to this day…? The advent of instant worldwide communications mandates good crisis management for business survival Johnson & Johnson, Tylenol!!

  20. Emergency Management • -First Responders • -Emergency Services • Police • Fire/Rescue • -Incident Command System

  21. Emergency Management has distant roots as well First U. S. fire department?

  22. Answer: Philadelphia – 1736 Ben Franklin

  23. First Responders Effective????

  24. Emergency Response • Training: drills…practice, practice, practice! • Planning: pre-plans with emergency services • Communication: 911, Emergency Notification Systems • Coordination of efforts: Incident Command System (ICS)

  25. Disaster Recovery • -Data Recovery • -Processing Recovery

  26. Disaster Recovery is a relatively new concept Late 1960’s early 1970’s – introduction of computer mainframes Question: Who created the first disaster recovery (DR) plan?

  27. Answer: The first data center manager who realized the problem if they lost their data and made a copy and took it home each night

  28. Disaster Recovery is a relatively new concept cont. • Late 1980’s - PCs become prevalent 1990’s – LANS & WANS 2000’s - Web-based computing Future – Who knows! The Cloud???

  29. Business Continuity Measure Identify Risk Assessment Plan Test & Maintenance • Had its roots in DR • Realization: it takes more than just data and applications to continue the business BCM Life Cycle Plan Develop /Execution BusinessImpactAnalysis Execute Analyze StrategySelection • BC is a process, not a transaction Design

  30. Business Continuity • Risk Management • Disaster Recovery • - Enterprise Risk Management Business Continuity Management • Crisis Management • Emergency Management

  31. Who Needs BCM? Industries / Sectors

  32. Who Needs BCM? By Size Is business continuity scalable?

  33. Example: Bob’s Dry Cleaning Risk management Fire prevention program Automatic sprinklers Insurance Crisis management Media contacts Customer lists Emergency Management Emergency services pre-plan 911

  34. Example: Bob’s Dry Cleaningcont. Disaster Recovery Back-up data Inventory Accounts receivable Accounts payable Client list Identify back-up hardware Server PC Web-based computing

  35. Example: Bob’s Dry Cleaningcont. Business Continuity Location strategy Purchase Lease/rent Processing strategy Outsourcing Mutual aid Communication strategy Media E-mail Social media

  36. Challenge for Business Continuity in the U.S. going forward: Business Continuity must be a common business practice throughout all private and public sector organizations, regardless of size.

  37. DRI International – Who Are We? • A Non-Profit Organization Committed to: • Promoting a base of common knowledge for the continuity management industry • Certifying qualified individuals in the discipline of Business Continuity • Promoting the credibility and professionalism of certified individuals • Celebrated our Twentieth Anniversary in 2008. • The Industry’s Premier Education and Certification Program Body

  38. DRI International – Who Are We? • DRI International has Certified INDIVIDUALS in over 95 Countries. • DRI International conducts training courses in over 45 countries. • More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 individuals as of 2009) • DRI International certifies individuals and teaches in English, Spanish, French, Japanese, Mandarin, and Russian. • Conducts Courses for: • Insurance • Audit • Small and Medium Sized Businesses

  39. Questions?

More Related