
© 2012 Strategic BCP®, Inc. All rights reserved. | strategicBCP.com 1

Preparing for the Convergence of Risk Management & Business Continuity

Disaster Recovery Journal Webinar Series

September 5, 2012

Today’s Presenter

Frank Perlmutter, CBCP [email protected]

• Former Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury

• President & Co-Founder of Strategic BCP®, creators of ResilienceONE® BCM Software

• Managed BC, Risk, and Process Improvement Programs for over 100 organizations

Background

• Strategic BCP® established in 2004

– Purpose: elevate the productivity and relevance of business continuity (BC) professionals

– ResilienceONE® introduced as a milestone in using technology to streamline the process of creating and maintaining BC plans

Webinar Focus Areas

• Risk Management vs. Business Continuity

• Risk Management Principles

• Enterprise Risk Management: Practical Application

• Operational Risk Management: Practical Application

• Q&A and Wrap-up

Risk Management vs. Business Continuity

Disaster Recovery Journal Webinar Series

Preventative Care vs. Reactive Approach

• Analyzing the Risk & Preventing It: Eat well, exercise, and take vitamins

• Reacting to the Risk: Have a heart attack and be revived

Proactive vs. Reactive

• BC Professionals unfortunately tend to focus too much on the reaction

– Response, Recovery, Restoration

– Plan/Document-Centric

• BC Professionals are better served by concentrating adequate focus on the proactive

– Focuses on mitigating risk of outages before they happen

– Analysis-centric

Why the Convergence of BC and RM?

• The convergence of BC and RM has already occurred and continues to evolve

• Regulations, frameworks, and standards reflect a strong theme of management of risk

• Decision-makers gravitate towards Risk Management for its continuous value, making BC a subset

Preparation for Current Reality

• Many BC Professionals are being left behind by unrequited devotion to outdated methods

• Strong plans do not necessarily equate to a strong ability to actually recover and reduce impact. This reduces the value of the Professional that just focuses on plans

• Risk Management has value to everyday decision-making; Business Continuity Plans do not

What is the Dominant Discipline?

• There is an overlap of concepts between the two disciplines

– The Risk Assessment and Business Impact Analysis are risk-based tools

– How they are implemented, and the value they bring, determine whether the process is a sound risk-based model or not

• Risk Management as a discipline is generally leading the way

• Business Continuity is a subset of overall Risk Management

Risk Management Practice Areas

• Business Continuity/ Incident Management

• Internal Controls

• Enterprise Risk

• Operational Risk

• Financial Risk

• Information Technology Risk

• Legal Risk

• Third Party Risk

• BOD/Ethics Risk

• Environmental Risk

• Quality Assurance

The Convergence/Overlap

NOW: Business Continuity—Business Impact Analysis and Risk Assessment

• Enterprise Risk

• Operational Risk

• Information Technology Risk

• Financial Risk

• Third Party Risk

FUTURE:

• Internal Controls?

• Legal Risk?

Risk Management Principles

Disaster Recovery Journal Webinar Series

What’s Available?

• A sea of Risk Management regulations, standards, and best practices

• Business Continuity regulations, standards, and best practices are similarly prevalent

• There are similarities and guiding principles throughout all of them

• Focus on the COMMON guiding principles

A Selection of RM Regulations, Standards, Best Practices, Frameworks

• ISO 31000

• COSO Framework

• OCEG GRC Capability Model (Red Book)

• FERMA 2002

• ISO/IEC 31010

• Basel II and Basel III

• BS 25999-2:2007 / ISO 22301:2012

• NFPA 1600:2007/2010

• COBIT

• Institute of Operational Risk

• ISO 14001

• ISO 27001

• ISO 27005

• NIST 800 Series

• ITIL v.3

• DRII/BCI

• Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010

Focus on What Delivers Value

• Regulations

– “Mandatory authoritative rules dealing with details or procedures having the force of law, which are issued by an authority of government”

• Standards and Best Practices

– “Voluntary criteria, voluntary guidelines and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes”

• Mandatory vs. Voluntary

Our Guidance:

• With so many mandatory standards, we have seen that most examiners and executives are paying little attention to voluntary standards

• Standards and best practices in both BC and RM tend to be conceptual, with little guidance on practical implementation

The Mission of Risk Management

• Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts

• Compliance: evidence of properly implemented standards

• Resilience: ability to identify and remediate infrastructure vulnerabilities that may result in unacceptable impacts

Overarching Principles of Risk Management

• COSO provides an overall framework and principles for Risk Management

• COSO was originally rooted in internal controls; it has since moved to a strategic approach

• Objectives appear at the top of the cube

• The right side of cube shows that Risk Management must be considered at all levels of an organization

• Risk management activities appear on the front of the cube

COSO Enterprise Risk Management: Integrated Framework

Enterprise Risk Management: Practical Application

Disaster Recovery Journal Webinar Series

Enterprise Risk vs. Operational Risk

• Enterprise Risk Management focuses on mitigating events that negatively impact an organization’s supporting infrastructure

– People, Facilities, Information Technology, Assets

– In BC Tool Terms: Risk Assessment, Risk Analysis, Hazard Vulnerability Analysis

• Operational Risk Management focuses on mitigating vulnerabilities in operational business processes

– In BC Tool Terms: Business Impact Analysis, Business Impact Assessment, Downtime Impact Analysis

• Both disciplines manage risk through decisions (strategic, mitigation, operational, etc.) that balance benefits against risk

Establishing an Enterprise Risk Appetite

• Core policy that defines decision-making

• (Probability x Impact) – Mitigated Risk = Enterprise Risk

• Organizations can set a risk appetite around the factors or the overall risk

• Remediation budget must align with Risk Appetite

Performing an Enterprise Risk Assessment

An Enterprise Risk Assessment (ERA) identifies potential threats that may impact an organization, and identifies measures to limit the probability or impact of these threats.

• Determine the threats to be included on your Enterprise Risk Assessment. They revolve around your infrastructure.

• Research and evaluate each risk by probability and impact of occurrence

• Identify threats outside of the Risk Appetite of the organization

• Provide a mitigation plan with alternatives that show the costs of the mitigation measures and how much of the risk is reduced

• Obtain sign-off of either the acceptance of the risk (i.e. do nothing) or a mitigation alternative

Sample ERA Report

Once risks are quantified, plot them on a grid as shown below. This will help management decide how to deal with the risks (Transfer, Accept, Reduce or Mitigate).

Obtain sign-off!

Risk treatment options shown on the sample report (Reduce, Mitigate, Accept, Transfer), with example measures: Management Controls, Process Controls, Physical Controls, Terminate Activity, Eliminate Risk, Insurance, Alternate Vendors, Outsourcing, Updated Contact Lists, Strategic Alliances.

Risk grid (each cell = Probability x Impact):

Impact \ Probability    1    2    3    4
5                       5   10   15   20
4                       4    8   12   16
3                       3    6    9   12
2                       2    4    6    8
1                       1    2    3    4
0                       0    0    0    0
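An added example (not from the webinar or Strategic BCP) that scores an Enterprise Risk Assessment the way the slides describe: enterprise risk as (Probability x Impact) - Mitigated Risk on the slide's 1-4 by 0-5 grid, a risk appetite set on the factors and/or the overall score, and the cheapest mitigation alternative that brings a threat back inside appetite. The threats, appetite limits, alternative costs and the dictionary layout are all constructed assumptions.

```python
# Grid scales from the slide: probability 1-4, impact 0-5
PROB_MAX, IMPACT_MAX = 4, 5

def enterprise_risk(probability, impact, mitigated=0):
    """(Probability x Impact) - Mitigated Risk = Enterprise Risk."""
    if not (1 <= probability <= PROB_MAX and 0 <= impact <= IMPACT_MAX):
        raise ValueError("probability must be 1-4 and impact 0-5 on this grid")
    return probability * impact - mitigated

def outside_appetite(threat, appetite, mitigated=0):
    """The slide says appetite can be set around the factors or the overall
    risk; here `appetite` is an assumed dict with optional keys 'probability',
    'impact' and 'overall'. Any exceeded limit puts the threat outside appetite."""
    score = enterprise_risk(threat["probability"], threat["impact"], mitigated)
    return (threat["probability"] > appetite.get("probability", PROB_MAX)
            or threat["impact"] > appetite.get("impact", IMPACT_MAX)
            or score > appetite.get("overall", PROB_MAX * IMPACT_MAX))

def risk_grid(threats):
    """Plot quantified threats on the impact-by-probability grid: maps each
    (impact, probability) cell to the names of the threats that land there."""
    grid = {}
    for t in threats:
        grid.setdefault((t["impact"], t["probability"]), []).append(t["name"])
    return grid

def cheapest_acceptable(threat, alternatives, appetite):
    """Among mitigation alternatives ({'name', 'cost', 'reduces'} dicts, where
    'reduces' is the mitigated-risk points), return the lowest-cost one whose
    residual risk is within appetite, or None when only accepting the risk
    (i.e. do nothing) is left for sign-off."""
    ok = [a for a in alternatives
          if not outside_appetite(threat, appetite, mitigated=a["reduces"])]
    return min(ok, key=lambda a: a["cost"]) if ok else None

def era_report(threats, appetite):
    """Threats outside appetite, highest enterprise risk first, for sign-off."""
    flagged = [t for t in threats if outside_appetite(t, appetite)]
    return sorted(flagged,
                  key=lambda t: -enterprise_risk(t["probability"], t["impact"]))

# Constructed sample ERA input (hypothetical threats and figures)
THREATS = [
    {"name": "Power outage at HQ", "probability": 3, "impact": 4},
    {"name": "Key vendor insolvency", "probability": 2, "impact": 3},
    {"name": "Regional flood", "probability": 1, "impact": 5},
]
APPETITE = {"overall": 8, "impact": 4}   # no single-factor limit on probability
ALTERNATIVES = [
    {"name": "UPS plus generator", "cost": 50_000, "reduces": 8},
    {"name": "Second utility feed", "cost": 120_000, "reduces": 10},
]

if __name__ == "__main__":
    for t in era_report(THREATS, APPETITE):
        best = cheapest_acceptable(t, ALTERNATIVES, APPETITE)
        print(t["name"], enterprise_risk(t["probability"], t["impact"]),
              best["name"] if best else "accept risk (do nothing)")
```

Note that a factor-level limit (impact above 4 here) stays breached no matter how many points a mitigation removes, so such a threat can only be accepted or have its impact itself reduced.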

Operational Risk Management: Practical Application

Disaster Recovery Journal Webinar Series

Operational RM and BC Crossing Paths

• Operational Risk Management and BC MAY cross paths in several places (if you perform these activities correctly)

– The Business Impact Analysis

– Mapping Normal Operations

• The Business Impact Analysis provides a prioritization of operational processes and linked supporting resources by gauging impact (e.g. RTOs)

• Mapping (and understanding) normal operations is essential to developing recovery strategies

Gathering OBJECTIVE Data is Critical

• Your data should be based as much on FACT and as little on OPINION as possible; don’t use a subjective method

• The Subjective “RTO”: Popular “Asking Method” Example

– Problem #1: There are numerous impacts used to calculate an RTO; respondents couldn’t possibly ANALYZE all scenarios in their heads

– Problem #2: Respondents are not using a consistent scale to determine their RTO; everyone calculates differently in their heads

– Problem #3: Results reflect limited data integrity, making justification to executives and auditors challenging

• OBJECTIVE data gathering methods:

– Provide a consistent scale for all respondents

– Do not ask respondents to perform on-the-fly analysis

– Provide better data integrity

Objective Risk-Based Method: Setup

• Start with gathering quantitative and qualitative factors that reflect the impact of taking down your operations

• Weight factors, as some may be more important than others

• Set levels of impact for each factor

Objective Risk-Based Method: Data Gathering

• Establish a timeline with time periods (i.e. your Recovery Timeframe Objectives or RTOs) over which you will measure impact

• Record your scoring of factors (e.g. reputational harm, regulatory fines, etc.) across each function using the scale

Objective Risk-Based Method: Prioritizing Operational Activities

Sample scoring table (impact points per function and time period):

#  RTO          Function                           Under 1 Day  1 Day  2 Days  3 Days  4 Days  5 Days  2 Weeks  3 Weeks  4 Weeks  5 Weeks
1  Immediately  Process Deposits                            32     48      48      48      64      64       64       64       64       88
2  Immediately  Take Orders Via Phone                       20     20      28      28      28      36       36       36       44       44
3  1 Day        Reconciliation - Beginning of Day            0      0      32      32      40      40       48       48       56       64
4  2 Days       Reconciliation - End of Day                  0      0       0       8       8       8        8        8        8        8
5  5 Weeks      Process Payments to Customers                0      0       0       0       0       0        0        0        0        0

Yellow (in the original slide) = Exceeds Maximum Level of Acceptable Risk (6)

• METRIC: By Total Impact

– Add the totals for each time period together

– Provides aggregate risk over the entire time period

• METRIC: By RTO

– Set a prioritization of activities by time period

– Set a points limit for your maximum level of acceptable risk. This is your organizational risk appetite.

– When totals in a time period first exceed that limit, your maximum timeframe is the time period immediately prior
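An added example (not from the webinar or Strategic BCP) that applies both metrics to the sample scoring table above: the "By RTO" rule (the maximum timeframe is the period immediately before the first period whose total exceeds the risk appetite) and the "By Total Impact" aggregate. The scores are transcribed from the slide; the dictionary layout, the "Immediately" handling when the first period already exceeds the limit, and the assumption that a function whose scores never exceed the limit takes the last period of the timeline (which reproduces the slide's 5 Weeks row) are ours. It also goes beyond the slide by showing how the derived RTOs shift as the appetite is raised, as the next slide's x = 6 / 12 / 18 modeling does.

```python
# Time periods of the BIA timeline, in order (the slide's column headings)
PERIODS = ["Under 1 Day", "1 Day", "2 Days", "3 Days", "4 Days", "5 Days",
           "2 Weeks", "3 Weeks", "4 Weeks", "5 Weeks"]

# Impact points per function and period, transcribed from the sample table
SAMPLE_SCORES = {
    "Process Deposits":                  [32, 48, 48, 48, 64, 64, 64, 64, 64, 88],
    "Take Orders Via Phone":             [20, 20, 28, 28, 28, 36, 36, 36, 44, 44],
    "Reconciliation - Beginning of Day": [0, 0, 32, 32, 40, 40, 48, 48, 56, 64],
    "Reconciliation - End of Day":       [0, 0, 0, 8, 8, 8, 8, 8, 8, 8],
    "Process Payments to Customers":     [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
}

def rto_for(scores, risk_appetite, periods=PERIODS):
    """Metric 'By RTO': the maximum timeframe is the period immediately before
    the first period whose total exceeds the appetite. If the very first period
    already exceeds it the RTO is 'Immediately'; if no period exceeds it we
    assume the last period of the timeline (matches the slide's last row)."""
    if len(scores) != len(periods):
        raise ValueError("one score per time period is required")
    for i, total in enumerate(scores):
        if total > risk_appetite:
            return "Immediately" if i == 0 else periods[i - 1]
    return periods[-1]

def total_impact(score_table):
    """Metric 'By Total Impact': sum every function's points in each period,
    giving the aggregate risk carried across the whole timeline."""
    n = len(next(iter(score_table.values())))
    return [sum(row[i] for row in score_table.values()) for i in range(n)]

def prioritize(score_table, risk_appetite, periods=PERIODS):
    """Rank functions by RTO (earliest first); the first-period score breaks
    ties so the most damaging function leads within the same timeframe."""
    order = ["Immediately"] + list(periods)
    rtos = {f: rto_for(s, risk_appetite, periods) for f, s in score_table.items()}
    return sorted(rtos.items(),
                  key=lambda kv: (order.index(kv[1]), -score_table[kv[0]][0]))

def share_within(score_table, risk_appetite, cutoff_period, periods=PERIODS):
    """Fraction of functions whose RTO falls at or before `cutoff_period`,
    the figure the risk-appetite modeling slide reports for each x value."""
    order = ["Immediately"] + list(periods)
    limit = order.index(cutoff_period)
    hits = sum(1 for s in score_table.values()
               if order.index(rto_for(s, risk_appetite, periods)) <= limit)
    return hits / len(score_table)

if __name__ == "__main__":
    for appetite in (6, 18, 48):
        print(f"risk appetite = {appetite} points")
        for function, rto in prioritize(SAMPLE_SCORES, appetite):
            print(f"  {rto:12} {function}")
    print("total impact by period:", total_impact(SAMPLE_SCORES))
```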

Setting a Risk Appetite: Operational Risk Modeling

Timeframe    # of Functions (x=6)  # of Functions (x=12)  # of Functions (x=18)  Tier
Immediately                     4                      1                      1  Critical
1 Hour                          2                      3                      0  Critical
8 Hours                         7                      4                      2  Critical
12 Hours                        2                      1                      3  Critical
1 Day                          17                      7                      2  Critical
2 Days                         24                      4                      3  Critical
3 Days                          9                      4                      2  Necessary
4 Days                         14                      4                      1  Necessary
1 Week                          8                      4                      1  Necessary
2 Weeks                         8                     32                     52  Optional
> 2 Weeks                       4                     35                     31  Optional

a) X = 6 points: 56% are in the one week timeframe (high risk tolerance, strong recovery capability)

b) X = 12 points: 32% are in the one week timeframe (mean risk tolerance)

c) X = 18 points: 17% are in the one week timeframe (low risk tolerance, weak recovery capability)

Understanding Operations is Essential

• Many BC Professionals skip right to Recovery Operations, instead of documenting normal business process first

Reengineering Operations

“Are there any inefficiencies or vulnerabilities in the highest value activities?”

• Provide a process mapping (i.e. a standard operating procedure) for each of the highest value activities

• Notice manual steps and repeated activities

• Provide a roadmap to investigating automation solutions

• Implement the best solution

[Diagram: People, Technology, Facilities & Assets surrounding Operations]

People, Technology, Facilities, and Assets Support Your Critical Activities

Reviewing Supporting Operational Infrastructure

“Are there any inefficiencies or vulnerabilities in the highest value operational infrastructure?”

Establish an expertise in one or more areas and spot risks and vulnerabilities

• What are some common risks and vulnerabilities in these areas?

Offer cost-effective/high-value mitigation alternatives

• Over/under-utilization of resources

• Offer economies of scale with people, IT, and vendor resources

• Offer cost-cutting measures to reduce under-utilized resources

RED FLAGS: Spotting BCM/RM Tools and Methods That Lead Users Down the Wrong Path

• Poor Reporting and Analytics

– Focus on paper planning

– Limited custom reporting or extensive reporting setup

– Output very similar to input

• Subjective Data Gathering Methods

– Long questionnaires that ASK USERS to calculate risk; system should provide detailed calculations

– Excessive narrative justification of risk measurements

– Inability to group risks at different organizational levels, e.g. by region, facility, department, supporting asset, etc.

Questions?

Wrap-Up

For more insights:

• Contact Frank Perlmutter, CBCP [email protected]

• Visit www.strategicBCP.com

• Attend Frank’s presentation on “BC Metrics” Sept. 10 @ DRJ World Conference, San Diego