Business Continuity Management for Risk Managers


Upload: darin

Post on 25-Feb-2016

DESCRIPTION

Business Continuity Management for Risk Managers. What is BCP? BCP - Business Continuity Planning. PowerPoint presentation.

TRANSCRIPT

Slide 1: Business Continuity Management for Risk Managers

Slide 2: Business Continuity USA

Slide 3: What is BCP?
BCP - Business Continuity Planning: the identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources.

Slide 4: Where Are We Going? More Integrated Solution
Under the banner of Business Continuity Management:
- Business Continuity
- Disaster Recovery
- Emergency Response
- Crisis Management
- Risk Management

Slide 5: Business Continuum
Pre-Incident Planning
- Risk Assessment/Mitigation/Prevention
  - Physical
  - Logical (Technology)
- Supply Chain
  - Vendor management
  - Inventory Control
- BCP Creation
  - Crisis Management
  - Emergency Response
  - Disaster Recovery
  - Business Recovery
Incident Occurs
- Evacuation - Life & Safety
- Incident/Crisis Management
- BCP activation
  - Business Recovery
    - Relocation
    - Processing
    - Reprioritize Product/Customer
  - Technology Recovery
    - Data Recovery
    - Processing Recovery
Post Incident
- Repair/Restoration
- Claims Processing
- Increase Production Levels
- Lessons Learned - Mitigation/Prevention

Slide 6: Legislative Landscape

Slide 7: Post-9/11 Surge in Business Continuity Regulations and Standards
Timeline graphic: Pre-9/11 (1991 - 2001) and Post-9/11 (2002 - 2010). Regulations and standards shown:
- Consumer Credit Protection Act
- OMB Circular A-130
- FEMA Guidance Document
- Paperwork Reduction Act
- ISO 27002 (previously ISO 17799)
- FFIEC BCM Handbook
- Computer Security Act
- 12 CFR Part 18
- Presidential Decision Directive 67
- FDA Guidance on Computerized Systems used in Clinical Trials
- ANSI/NFPA Standard 1600
- Turnbull Report (UK)
- ANAO Best Practice Guide (Australia)
- SEC Rule 17 a-4
- FEMA FPC 65
- CAR
- Sarbanes-Oxley Act of 2002
- HIPAA, Final Security Rule
- FFIEC BCM Handbook - 2003 / 2008
- Fair Credit Reporting Act
- NASD Rule 3510
- NERC Security Guidelines
- FERC Security Standards
- NAIC Standard on BCM
- NIST Contingency Planning Guide
- FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
- NYSE Rule 446
- California SB 1386
- Australia Standards BCM Handbook
- GAO Potential Terrorist Attacks Guideline
- Federal and Legislative BC Requirements for IRS
- Basel Capital Accord
- MAS Proposed BCM Guidelines (Singapore)
- NFA Compliance Rule 2-38
- FSA Handbook (UK)
- BCI Standard, PAS 56 (UK)
- Civil Contingencies Bill (UK)
- FPC 65
- NYS Circular Letter 7
- ASIS
- State of NY FIRM White Paper on CP
- NISCC Good Practices (Telecomm)
- Australian Prudential Standard on BCM
- HB221
- HB292
- BS25999
- SS507
- SS540
- TR19
- CA Z1600
- ISO/PAS 22399
- DRII (SDO)
- Title IX 110-53
- PS-Prep
Speaker notes: Point out the surge in regs and Stds after 9/11. Don't worry about knowing what all these are! PAS = Publicly Available Specification. DRII (SDO) = DRII became an ANSI recognized Standards Development Organization in 2008.

Slide 8: Title IX 110-53 (PS-Prep)
a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.

Slide 9: Approved Standards - DHS Decides
- ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System Requirements with Guidance for Use (2009 Edition).
- British Standards Institution 25999 (2007 Edition) - Business Continuity Management (BS 25999-1:2006 Code of practice for business continuity management and BS 25999-2:2007 Specification for business continuity management).
- National Fire Protection Association 1600 - Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.
Speaker notes: ASIS = American Society for Industrial Security.

Slide 10: How It Works
DHS -> ANSI-ANAB (In progress - ANSI)
Speaker notes: ANSI = American National Standards Institute. ANAB = ASQ National Accreditation Board. ASQ = American Society for Quality.

Slide 11: Next Steps
- Creation of Accreditation Rules (AR) for Training of Certification Bodies
  - Approved by ANSI-ANAB
  - Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
- Potential CBs Must Take Course and Pass Examination
- As of this Moment No Organization
  - Has Been Approved to Accredit Certifying Bodies
  - Has Been Grandfathered into Compliance with PS-Prep
Speaker notes: ISO = International Standards Organization. IEC = International Electrotechnical Commission. ASTM = American Society for Testing and Materials.

Slide 12: NFPA/DRI Audit Course Certification
- DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved.
- ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, as well as ASTM E2659-09e1 Standard Practice for Certificate Programs, and is recognized by ANSI-ANAB.
- Passing the Exam will Provide a Certificate of Completion (because training is a requirement there can be no examination only).
- This Certificate will Be Required to Seek CBCA/CBCLAs.
- DRI International will maintain recertification through continuing education (RABQSA requirement).
Speaker notes: CAP = Certification Accreditation Program. RABQSA = United States based Registrar Accreditation Board (RAB) / Australia based Quality Society of Australasia (QSA).

Slide 13: TITLE IX UPDATE
- At ANSI HSSP (Homeland Security Standards Panel) DHS unveiled its Voluntary Private Sector Preparedness Accreditation and Certification Program Proposed Target Criteria for Preparedness Standard.
- Internally developed and will be open for comment when DHS publishes a notice in the Federal Register.
- December 24, 2008: DHS files notice for comments in the Federal Register. "We note that the designated officer will consider adoption of the American National Standards Institute (ANSI) National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600), the standard specifically mentioned in both the statute and the 9/11 Commission's recommendation, as well as any other private sector preparedness standards submitted for adoption."

Slide 14: TITLE IX UPDATE
October 15, 2009: Department of Homeland Security (DHS) Secretary Janet Napolitano today announced new proposed standards for a 9/11 Commission-recommended program for the private sector to improve preparedness for disasters and emergencies. The proposed standards, developed by the National Fire Protection Association, the British Standards Institution and ASIS International, were selected based on their scalability, balance of interest and relevance to PS-Prep from a group of 25 standards proposed for consideration following the publication of a Federal Register notice in December 2008 announcing the program. Visit: www.fema.gov/privatesectorpreparedness

Slide 15: TITLE IX UPDATE
DHS has published a notice in the Federal Register announcing its intent to adopt the three standards listed below under PS-Prep. The notice also requests public comment on these standards and other programmatic issues:
- ASIS International SPC.1-2009 "Organizational Resilience: Security Preparedness, and Continuity Management Systems"
- British Standards Institution 25999 "Business Continuity Management"
- National Fire Protection Association 1600:2010 "Standard on Disaster / Emergency Management and Business Continuity Programs"

Slide 16: Public/Private Sector Landscape

Slide 17: Business Continuity
Overlapping circles: Business Continuity, Risk Management, Crisis Management, Emergency Management, Disaster Recovery.
Speaker notes: Business Continuity Management does not exist on its own. It is an overlap of these five activities: BC, RM, CM, EM, & DR.

Slide 18: Risk Management
- Prevention/Mitigation
- Risk Retention
- Risk Transfer

Slide 19: Risk Management has been around for a while
Even the ancients practiced a form of risk management.
Question: who invented the first fire protection system (hint: it was semi-automatic)?

Slide 20: Answer: The Egyptians
Speaker notes: Egyptians stored grain in buildings. They had fires which were devastating because they relied on stored grain. They hung clay vats filled with water in the storage buildings. In the event of fire, slaves would run into the building with large sticks to break the vats. Not very effective; not many slaves would run into a burning building! Next they tried the same vats filled with water but with holes drilled into the bottom of the vat and plugged with wax. In the event of fire, the wax would melt and the water would be released. Problem: water only fell in one spot, not necessarily over the fire. The first effective AUTOMATIC system was mass produced by Henry Parmalee in 1874: the first effective automatic sprinklers. Current sprinklers are very similar in function; technology, materials, and tolerances are infinitely better.

Slide 21: We all practice risk management
- Example of risk transfer: Car/Home Insurance
- Example of risk retention: Deductible

Slide 22: Crisis Management
- Crisis Communication
  - Employees
  - Media
  - Authorities
  - Stakeholders

Slide 23: Crisis Management is a relatively new discipline
- New poster child of how NOT to do good crisis management is?
- Example of a company that practiced good crisis management, and still prospers to this day?
- The advent of instant worldwide communications mandates good crisis management for business survival.
Speaker notes: Toyota?? BP?? Johnson & Johnson, Tylenol!!

Slide 24: Emergency Management
- First Responders
- Emergency Services
  - Police
  - Fire/Rescue
- Incident Command System

Slide 25: Emergency Management has distant roots as well
First U.S. fire department?

Slide 26: Answer: Philadelphia, 1736 - Ben Franklin

Slide 27: First Responders
Effective????
Speaker notes: Point out that the responder is doing EXACTLY what the sign says to do, but not being very effective!

Slide 28: Emergency Response
- Training: drills; practice, practice, practice!
- Planning: pre-plans with emergency services
- Communication: 911, Emergency Notification Systems
- Coordination of efforts: Incident Command System (ICS)

Slide 29: Disaster Recovery
- Data Recovery
- Processing Recovery

Slide 30: Disaster Recovery is a relatively new concept
Late 1960s / early 1970s: introduction of computer mainframes.
Question: Who created the first disaster recovery (DR) plan?

Slide 31: Answer
The first data center manager who realized the problem if they lost their data, and made a copy and took it home each night. Back-ups then became standard operating procedure for all Data Centers.

Slide 32: Disaster Recovery is a relatively new concept (cont.)
- Late 1980s - PCs become prevalent
- 1990s - LANs & WANs
- 2000s - Web-based computing
- Future - Who knows! The Cloud???

Slide 33: Business Continuity
- Had its roots in DR
- Realization: it takes more than just data and applications to continue the business
- BC is a process, not a transaction
BCM Life Cycle: Risk Assessment, Business Impact Analysis, Strategy Selection, Plan Development/Execution, Test & Maintenance (Identify, Measure, Analyze, Design, Plan, Execute).

Slide 34: Business Continuity
Overlapping circles: Business Continuity, Risk Management, Crisis Management, Emergency Management, Disaster Recovery. Labels: Business Continuity Management; Enterprise Risk Management.

Slide 35: Business Continuity (hidden)
Same diagram as slide 34: Business Continuity, Risk Management, Crisis Management, Emergency Management, Disaster Recovery; Business Continuity Management; Enterprise Risk Management.
Speaker notes: This slide is hidden as it was used in a presentation to a RIMS/CPCU meeting.

Slide 36: Who Needs BCM? Industries / Sectors
Speaker notes: Audience participation slide.

Slide 37: Who Needs BCM? By Size
Is business continuity scalable?
Speaker notes: Audience participation slide.

Slide 38: Example: Bob's Dry Cleaning
- Risk management
  - Fire prevention program
  - Automatic sprinklers
  - Insurance
- Crisis management
  - Media contacts
  - Customer lists
- Emergency Management
  - Emergency services pre-plan
  - 911
Speaker notes: Under insurance, point out things like All Risk policies, and special coverage such as Earthquake or Flood when applicable.

Slide 39: Example: Bob's Dry Cleaning (cont.)
- Disaster Recovery
  - Back-up data
    - Inventory
    - Accounts receivable
    - Accounts payable
    - Client list
  - Identify back-up hardware
    - Server
    - PC
    - Web-based computing

Slide 40: Example: Bob's Dry Cleaning (cont.)
- Business Continuity
  - Location strategy
    - Purchase
    - Lease/rent
  - Processing strategy
    - Outsourcing
    - Mutual aid
  - Communication strategy
    - Media
    - E-mail
    - Social media

Slide 41: Challenge for Business Continuity in the U.S. going forward
Business Continuity must be a common business practice throughout all private and public sector organizations, regardless of size.

Slide 42: DRI International - Who Are We?
A Non-Profit Organization Committed to:
- Promoting a base of common knowledge for the continuity management industry
- Certifying qualified individuals in the discipline of Business Continuity
- Promoting the credibility and professionalism of certified individuals
Celebrated our Twentieth Anniversary in 2008.
The Industry's Premier Education and Certification Program Body.

Slide 43: DRI International - Who Are We?
- DRI International has Certified INDIVIDUALS in over 95 Countries.
- DRI International conducts training courses in over 45 countries.
- More individuals choose to maintain their certification through us than all other organizations in our industry combined (over 7,500 individuals as of 2009).
- DRI International certifies individuals and teaches in English, Spanish, French, Japanese, Mandarin, and Russian.
- Conducts Courses for:
  - Insurance
  - Audit
  - Small and Medium Sized Businesses
Speaker notes: Move to end of the presentation. Update numbers.

Slide 44: Questions?

Slide 45: Business Continuity Planning for Insurance Professionals
DETROIT AREA OFFERING
DRI Auburn Hills Training Facility
JUNE 10, 2011, 9AM-1:30PM
$795.00
MI CEUs: 4