Applying Enterprise Risk Management to Your Business Continuity Management Efforts

Patrick Potter, GRC Strategist, RSA Archer

October 10, 2013

© Copyright 2012 EMC Corporation. All rights reserved.


Today’s Speaker Patrick is currently a GRC Strategist for the RSA Archer organization, where he helps drive the direction of the Business Continuity and Audit Management solutions. Prior to RSA, Patrick spent over 20 years leading business continuity, internal audit, strategic planning, process improvement and related activities at Fortune 500 companies in both industry and consulting roles.

Patrick has developed a broad perspective working with analysts, partners and customers spanning such industries as financial services, higher education, manufacturing, high-tech, healthcare, and media and hospitality. He has been a speaker for the Institute of Internal Auditors, DRJ, RSA Archer Summit, Financial Executives Networking Group, Association of Continuity Planners and ISACA. Patrick has also contributed various thought leadership articles for Continuity Insights, SC Magazine, Internal Auditor Magazine and Disaster Recovery Journal.


Session Abstract

Business Continuity and Disaster Recovery (BC/DR) management programs typically evaluate business criticality through performing risk assessments and business impact analyses to determine recovery priorities. But, how often do BC/DR programs coordinate their efforts with other internal enterprise risk management groups and functions? How do these groups define and measure risk?


Case Study

A Fortune 100 financial services (FS) company performed over 3,000 BIAs and had as many documented Business Continuity (BC) plans. Their central BC program’s charge was to audit as many of these plans as possible based on a risk profile. The BC group had a rudimentary risk assessment process that would help them determine which BC plans to audit (i.e., go onsite, verify plans were documented and tested) versus having business process/BC plan owners self-audit through a questionnaire that the BC program would review.

The Issue: Their risk approach and criteria were not aligned with any other risk group, such as ERM or Internal Audit.

Were they focusing on the right risks?


What is Risk Management?

• Many authoritative sources define risk: ISO 31000, BASEL, Regulators and Auditors

• Risk management is defined as “identifying and categorizing risks to the organization, evaluating them through online assessments and metrics, and responding with remediation or acceptance”

• Operations Risk =

– Supply Chain Risk

– Human Resources Risk

– Environmental Risk

– Regulatory Risk

– Information Security Risk

– Operational Errors

– Fraud

– Business Continuity

Risk Management Objectives

Risk:

• Identification

• Assessment

• Decision / Treatment

• Monitoring

ISO 22313 Section 8.1.1 Elements of BCM

• Operational Planning and Control

• BIA and Risk Assessment

• BC Strategy

• BC Procedures

• Testing


ISO 22313 Section 8.2.3 - Risk Assessment

The organization should establish a formal risk assessment process that systematically identifies, analyses and evaluates the risk of disrupting the organization’s prioritized activities and the processes, systems, information, people, assets, suppliers and other resources that support them.

Risk Management is Complex

• Business Processes

• Objectives

• Risk Register

• Controls & Risk Transfer

• Incidents & Events

• Policies & Procedures

• People / Org Structure

• Rules & Regulations

• Assets

• Supply Chain

• Products & Services

Organizational Gaps in Risk Management

Disconnected approaches, priorities and thresholds:

• CIO: IT Repositories, Business Asset Catalog

• ERM (CRO): Risk Identification, Risk Assessment, Metrics & Reporting

• BC/DR: Risk Ownership, Plan Ownership, Remediation

• CCO: Risk Assessment, Evaluate Controls, Reporting

• COO: Control Testing, Compliance Checklist, Reporting

Some Common Themes

• The level of maturity of risk programs varies greatly by industry and by company within the same industry

• Agreement on taxonomy, framework, and approach remains a challenge

• Regulated companies are under increasing pressure to demonstrate risk management capabilities

• Interest in ERMS continues to grow

• Best practices continue to evolve


RSA Archer Demonstration


Understand Your Enterprise

Business Units, Processes, Contacts, Applications, Information, Devices, Facilities

• Visibility

• Collaboration

• Accountability

• Criticality

Understand Your Stakeholders

• Board of Directors / Risk & Audit Committee / Executives (All Risks)

• Chief Risk Officer (All Risks)

• Enterprise Risk Manager (All Risks)

• Operations Risk Manager (Ops Risk within scope of how the company defines ORM)

• Chief Financial / Accounting Officer (Financial Reporting Risks)

• Treasurer (Market Risks)

• Director of Internal Audit (All Risks & Audit Management)

• Director of Corporate Compliance (Regulatory Compliance)

• CIO / CISO (Info Security component of Ops Risk)

• Director of Business Continuity and Disaster Recovery (Bus Continuity component)

• Director of Corporate Insurance (All Ops Risks)

• Chief Legal Counsel (Ops Risks focused on customer & 3rd Pty contracts, employment practices liability, regulatory compliance, fraud)

• Director Operations (All operating activities)

• Physical Security Officer (Physical Security component of Ops Risk; Fraud / Investigation Incidents)

• Purchasing Director (Vendors / Service Providers)

Focus Needs to Span the Organization

• Strategic Partnership

• IT Audits

• New systems

• IT Security Risk

• Security Operations

• Regulatory Risk

• Operational Risk

• Corp. Governance

• Audit & Compliance

• 3rd Party Risk

• Policy & Controls

• Organizational Resiliency

• New business challenges

• GRC Management

Management, Board of Directors, Risk, IT, Business, CFO/CRO/CCO, CIO/CISO

Leverage Your GRC Program

• Response to Individual Mandates

• Multiregulatory

• Cross-Enterprise

• Strategic Direction / Competitive Advantage

Compliance, Risk Management, Performance

In Summary

• Get Executive buy-in and sponsorship

• Establish common enterprise taxonomy, framework, risk assessment, and risk management approach

• Bring risk management within the GRC umbrella

• Look at risk where you can in terms of real $$$

• Focus on making more aligned risk decisions across the organization


Questions?

Gartner MQ for BCM Planning Software

Source: Gartner Magic Quadrant for Business Continuity Management Planning Software, Roberta J. Witty, John P. Morency, 26 Aug. 2013

The Magic Quadrant is copyrighted 26 Aug 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.

RSA Archer GRC Roadshows

Coming to a City Near You! (& they’re free)

• New York: Wed., Nov. 6

• Minneapolis: Thurs., Nov. 14

• Boston: Thurs., Nov. 21

• Atlanta: Fri., Nov. 22

• Toronto: Mon., Dec. 2

• Washington, DC: Thurs., Dec. 5

• San Francisco: Fri., Dec. 6

Space is Limited - Register today: https://community.emc.com/docs/DOC-27671

Maintain business operations with Business Continuity Management

Learn More At… www.rsa.com/grc

• Download the Latest Analyst Reports

• Learn more about regulatory compliance and business continuity management

• Learn about RSA Archer Business Continuity Management & Operations

THANK YOU