TRANSCRIPT
© 2012 Strategic BCP®, Inc. All rights reserved. | strategicBCP.com 1
Preparing for the Convergence of Risk Management & Business Continuity
Disaster Recovery Journal Webinar Series
September 5, 2012
Today’s Presenter
Frank Perlmutter, CBCP [email protected]
• Former Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury
• President & Co-Founder of Strategic BCP®, creators of ResilienceONE® BCM Software
• Managed BC, Risk, and Process Improvement Programs for over 100 organizations
Background
• Strategic BCP® established in 2004
– Purpose: elevate the productivity and relevance of business continuity (BC) professionals
– ResilienceONE® introduced as a milestone in using technology to streamline the process of creating and maintaining BC plans
Webinar Focus Areas
• Risk Management vs. Business Continuity
• Risk Management Principles
• Enterprise Risk Management: Practical Application
• Operational Risk Management: Practical Application
• Q&A and Wrap-up
Risk Management vs. Business Continuity
Disaster Recovery Journal Webinar Series
Risk Management vs. Business Continuity
Preventative Care vs. Reactive Approach
• Analyzing the Risk & Preventing It: Eat well, exercise, and take vitamins
• Reacting to the Risk: Have a heart attack and get revived
Proactive vs. Reactive
• BC Professionals unfortunately tend to focus too much on the reaction
– Response, Recovery, Restoration
– Plan/Document-Centric
• BC Professionals are better served by concentrating adequate focus on the proactive
– Focuses on mitigating risk of outages before they happen
– Analysis-centric
Why the Convergence of BC and RM?
• The convergence of BC and RM has already occurred and continues to evolve
• Regulations, frameworks, and standards reflect a strong theme of management of risk
• Decision-makers gravitate towards Risk Management for its continuous value, making BC a subset
Preparation for Current Reality
• Many BC Professionals are being left behind by unrequited devotion to outdated methods
• Strong plans do not necessarily equate to a strong ability to actually recover and reduce impact. This reduces the value of the Professional who focuses only on plans
• Risk Management has value to everyday decision-making; Business Continuity Plans do not
What is the Dominant Discipline?
• There is an overlap of concepts between the two disciplines
– The Risk Assessment and Business Impact Analysis are risk-based tools
– How they are implemented, and the value they bring, determine whether the process is a sound risk-based model or not
• Risk Management as a discipline is generally leading the way
• Business Continuity is a subset of overall Risk Management
Risk Management Practice Areas
• Business Continuity/ Incident Management
• Internal Controls
• Enterprise Risk
• Operational Risk
• Financial Risk
• Information Technology Risk
• Legal Risk
• Third Party Risk
• BOD/Ethics Risk
• Environmental Risk
• Quality Assurance
The Convergence/Overlap
NOW: Business Continuity—Business Impact Analysis and Risk Assessment
• Enterprise Risk
• Operational Risk
• Information Technology Risk
• Financial Risk
• Third Party Risk
FUTURE:
• Internal Controls?
• Legal Risk?
Risk Management Principles
Disaster Recovery Journal Webinar Series
What’s Available?
• A sea of Risk Management regulations, standards, and best practices
• Business Continuity regulations, standards, and best practices are similarly prevalent
• There are similarities and guiding principles throughout all of them
• Focus on the COMMON guiding principles
A Selection of RM Regulations, Standards, Best Practices, Frameworks
• ISO 31000
• COSO Framework
• OCEG GRC Capability Model (Red Book)
• FERMA 2002
• ISO/IEC 31010
• Basel II and Basel III
• BS 25999-2:2007 / ISO 22301:2012
• NFPA 1600: 2007/2010
• COBIT
• Institute of Operational Risk
• ISO 14001
• ISO 27001
• ISO 27005
• NIST 800 Series
• ITIL v3
• DRII/BCI
• Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
Focus on What Delivers Value
• Regulations
– “Mandatory authoritative rules dealing with details or procedures having the force of law, which are issued by the authority of government”
• Standards and Best Practices
– “Voluntary criteria, voluntary guidelines and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes”
• Mandatory vs. Voluntary
Our Guidance:
• With so many mandatory regulations, we have seen that most examiners and executives are paying little attention to voluntary standards
• Standards and best practices in both BC and RM tend to be conceptual, with little guidance on practical implementation
The Mission of Risk Management
• Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts
• Compliance: evidence of properly implemented standards
• Resilience: ability to identify and remediate infrastructure vulnerabilities that may result in unacceptable impacts
Overarching Principles of Risk Management
• COSO provides an overall framework and principles for Risk Management
• COSO was originally rooted in internal controls; it has since moved to a strategic approach
• Objectives appear on the top of the cube
• The right side of the cube shows that Risk Management must be considered at all levels of an organization
• Risk management activities appear on the front of the cube
[Figure: COSO Enterprise Risk Management: Integrated Framework cube]
Enterprise Risk Management: Practical Application
Disaster Recovery Journal Webinar Series
Enterprise Risk vs. Operational Risk
• Enterprise Risk Management focuses on mitigating events that negatively impact an organization’s supporting infrastructure
– People, Facilities, Information Technology, Assets
– In BC Tool Terms: Risk Assessment, Risk Analysis, Hazard Vulnerability Analysis
• Operational Risk Management focuses on mitigating vulnerabilities in operational business processes
– In BC Tool Terms: Business Impact Analysis, Business Impact Assessment, Downtime Impact Analysis
• Both disciplines focus on managing risk by making decisions (strategic, mitigation, operational, etc.) by balancing benefits with risk
Establishing an Enterprise Risk Appetite
• Core policy that defines decision-making
• (Probability x Impact) – Mitigated Risk = Enterprise Risk (the residual risk the organization actually carries)
• Organizations can set a risk appetite around the factors or the overall risk
• Remediation budget must align with Risk Appetite
Performing an Enterprise Risk Assessment
An Enterprise Risk Assessment (ERA) identifies potential threats that may impact an organization, and identifies measures to limit the probability or impact of those threats.
1. Determine the threats to be included in your Enterprise Risk Assessment. They revolve around your infrastructure (people, facilities, IT, assets).
2. Research and evaluate each risk by probability and impact of occurrence
3. Identify threats outside the Risk Appetite of the organization
4. Provide a mitigation plan with alternatives that show the cost of each mitigation measure and how much of the risk it reduces
5. Obtain sign-off on either acceptance of the risk (i.e. do nothing) or a mitigation alternative
Sample ERA Report
Once risks are quantified, plot them on a grid as shown below (score = Impact x Probability). This will help management decide how to deal with the risks (Transfer, Accept, Reduce or Mitigate). Obtain sign-off!

                 PROBABILITY
IMPACT        1     2     3     4
   5          5    10    15    20
   4          4     8    12    16
   3          3     6     9    12
   2          2     4     6     8
   1          1     2     3     4
   0          0     0     0     0

Treatment options shown on the slide:
• REDUCE / MITIGATE: Management Controls, Process Controls, Physical Controls, Terminate Activity, Eliminate Risk
• ACCEPT / TRANSFER: Insurance, Alternate Vendors, Outsourcing, Updated Contact Lists, Strategic Alliances
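As an added worked example (not code from the webinar or from ResilienceONE), the five ERA steps and the sample report above can be run as a small Python model: inherent risk is Probability x Impact on the slide's grid scale (probability 1-4, impact 0-5), threats above the risk appetite are listed worst first, each mitigation alternative is costed per point of risk it removes, and "accept" is only offered for risk already inside appetite. The threat register, scores, costs and the appetite value of 6 are constructed sample data.

```python
"""Enterprise Risk Assessment scoring: added example, not from the webinar.

Model from the slides: inherent risk = probability x impact; the risk
appetite is a threshold on that score; each threat above it gets mitigation
alternatives costed against the risk they remove; sign-off is either
acceptance or one alternative. All threats, scores, costs and the appetite
value below are constructed sample data.
"""
from dataclasses import dataclass, field

PROBABILITY_SCALE = range(1, 5)   # 1 (rare) .. 4 (likely), as on the slide's grid
IMPACT_SCALE = range(0, 6)        # 0 (none) .. 5 (severe)


@dataclass
class Mitigation:
    name: str
    cost: float          # one-time cost, constructed units
    probability: int     # probability after the measure is in place
    impact: int          # impact after the measure is in place

    def residual_risk(self) -> int:
        return self.probability * self.impact


@dataclass
class Threat:
    name: str
    probability: int
    impact: int
    alternatives: list = field(default_factory=list)

    def __post_init__(self):
        if self.probability not in PROBABILITY_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.name}: score outside the grid scale")

    def inherent_risk(self) -> int:
        return self.probability * self.impact


def outside_appetite(threats, appetite):
    """Threats whose inherent score exceeds the appetite, worst first."""
    return sorted((t for t in threats if t.inherent_risk() > appetite),
                  key=lambda t: t.inherent_risk(), reverse=True)


def mitigation_options(threat, appetite):
    """Cost each alternative per point of risk removed, cheapest per point
    first. Alternatives that leave the threat above appetite are flagged so
    management cannot sign them off as a complete treatment."""
    base = threat.inherent_risk()
    rows = []
    for m in threat.alternatives:
        reduction = base - m.residual_risk()
        rows.append({
            "measure": m.name,
            "cost": m.cost,
            "residual": m.residual_risk(),
            "reduction": reduction,
            "cost_per_point": m.cost / reduction if reduction > 0 else float("inf"),
            "within_appetite": m.residual_risk() <= appetite,
        })
    return sorted(rows, key=lambda r: r["cost_per_point"])


def can_accept(threat, appetite) -> bool:
    """'Do nothing' is a valid sign-off only for risk already inside appetite."""
    return threat.inherent_risk() <= appetite


# Constructed sample register (not figures from the webinar).
APPETITE = 6
SAMPLE_THREATS = [
    Threat("Primary data center power loss", probability=2, impact=5, alternatives=[
        Mitigation("Generator contract and second UPS string", 120_000, 1, 5),
        Mitigation("Relocate to colocation site with N+1 power", 400_000, 1, 2),
    ]),
    Threat("Key vendor insolvency", probability=2, impact=4, alternatives=[
        Mitigation("Qualify an alternate vendor", 30_000, 2, 2),
        Mitigation("Source-code escrow and step-in rights", 10_000, 2, 3),
    ]),
    Threat("Regional flooding", probability=1, impact=3),
]


def era_report(threats=SAMPLE_THREATS, appetite=APPETITE):
    """One entry per threat: accept, or the alternatives management must choose from."""
    report = {}
    for t in threats:
        if can_accept(t, appetite):
            report[t.name] = {"decision": "accept", "score": t.inherent_risk()}
        else:
            report[t.name] = {"decision": "choose mitigation", "score": t.inherent_risk(),
                              "options": mitigation_options(t, appetite)}
    return report


if __name__ == "__main__":
    for name, row in era_report().items():
        print(name, row["score"], row["decision"])
        for opt in row.get("options", []):
            print(f"   {opt['measure']}: residual {opt['residual']}, "
                  f"{opt['cost_per_point']:.0f} per point, within appetite: {opt['within_appetite']}")
```

The cheapest option per point is not automatically the right one: the generator contract costs less per point than the colocation move but leaves a residual of 5 against an appetite of 6, so a later increase in impact would push the threat back outside appetite. That is why the report carries residual and within_appetite alongside cost, and why the slide insists on a signed decision rather than a computed one.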
Operational Risk Management: Practical Application
Disaster Recovery Journal Webinar Series
Operational RM and BC Crossing Paths
• Operational Risk Management and BC MAY cross paths in several places (if you perform these activities correctly)
– The Business Impact Analysis
– Mapping Normal Operations
• The Business Impact Analysis provides a prioritization of operational processes and their linked supporting resources by gauging impact over time (e.g. RTOs)
• Mapping (and understanding) normal operations is essential to developing recovery strategies
Gathering OBJECTIVE Data is Critical
• Your data should be based as much on FACT and as little on OPINION as possible; Don’t use a subjective method
• The Subjective “RTO”: Popular “Asking Method” Example
– Problem #1: There are numerous impacts that feed into an RTO; respondents cannot possibly ANALYZE all scenarios in their heads
– Problem #2: Respondents do not use a consistent scale to determine their RTO; everyone calculates differently in their heads
– Problem #3: Results have limited data integrity, making justification to executives and auditors challenging
• OBJECTIVE data gathering methods:
– Provide a consistent scale for all respondents
– Do not ask respondents to perform on-the-fly analysis
– Provide better data integrity
Objective Risk-Based Method: Setup
1. Start by gathering the quantitative and qualitative factors that reflect the impact of taking down your operations
2. Weight the factors, as some may be more important than others
3. Set levels of impact for each factor
Objective Risk-Based Method: Data Gathering
4. Establish a timeline with time periods (i.e. your candidate Recovery Timeframe Objectives, or RTOs) over which you will measure impact
5. Record your scoring of the factors (e.g. reputational harm, regulatory fines, etc.) for each function in each time period, using the scale
Objective Risk Based Method: Prioritizing Operational Activities
#  RTO          Function                            <1 day  1 day  2 days  3 days  4 days  5 days  2 wks  3 wks  4 wks  5 wks
1  Immediately  Process Deposits                        32     48      48      48      64      64     64     64     64     88
2  Immediately  Take Orders Via Phone                   20     20      28      28      28      36     36     36     44     44
3  1 day        Reconciliation - Beginning of Day        0      0      32      32      40      40     48     48     56     64
4  2 days       Reconciliation - End of Day              0      0       0       8       8       8      8      8      8      8
5  5 weeks      Process Payments to Customers            0      0       0       0       0       0      0      0      0      0
Cells highlighted yellow on the slide (every non-zero value here) exceed the maximum level of acceptable risk (6).
• METRIC: By Total Impact
– Add the totals for all time periods together
– Provides the aggregate risk over the entire timeline
• METRIC: By RTO
– Set a prioritization of activities by time period
– Set a points limit for your maximum level of acceptable risk. This is your organizational risk appetite.
– When the total in a time period first exceeds that limit, your maximum timeframe (the RTO) is the time period immediately prior; exceeding the limit in the first period means an RTO of "Immediately"
Setting a Risk Appetite: Operational Risk Modeling
Timeframe     Functions (x=6)   Functions (x=12)   Functions (x=18)   Tier
Immediately          4                 1                  1           Critical
1 hour               2                 3                  0           Critical
8 hours              7                 4                  2           Critical
12 hours             2                 1                  3           Critical
1 day               17                 7                  2           Critical
2 days              24                 4                  3           Critical
3 days               9                 4                  2           Necessary
4 days              14                 4                  1           Necessary
1 week               8                 4                  1           Necessary
2 weeks              8                32                 52           Optional
> 2 weeks            4                35                 31           Optional

x = the points limit for the maximum level of acceptable risk per time period (the risk appetite).
a) x = 6 points: 56% are in the one-week timeframe (high risk tolerance, strong recovery capability)
b) x = 12 points: 32% are in the one-week timeframe (mean risk tolerance)
c) x = 18 points: 17% are in the one-week timeframe (low risk tolerance, weak recovery capability)
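As an added worked example (not code from the webinar or from ResilienceONE), the objective risk-based method from the setup and data-gathering steps, the two prioritization metrics, and the risk-appetite modelling above can be implemented in a few Python functions. The five-function table is transcribed from the prioritization slide; the factor names, weights and level scale behind it are constructed assumptions, because the slide shows only the per-period totals. Changing the appetite and re-running rto_distribution reproduces the kind of tier table shown on the modelling slide.

```python
"""Objective risk-based BIA scoring: added example, not from the webinar.

Implements the method on the preceding slides: weighted impact factors are
scored per time period on a fixed scale, then two metrics are derived from
the per-period totals: total impact (sum over the timeline) and RTO (the
period immediately before the first total that exceeds the risk appetite).
The five-function table is transcribed from the slide; the factor weights
and level scale are constructed assumptions, since the slide shows only
totals.
"""
from collections import Counter

PERIODS = ["Under 1 day", "1 day", "2 days", "3 days", "4 days", "5 days",
           "2 weeks", "3 weeks", "4 weeks", "5 weeks"]

# Constructed factor model: points = weight x level.
FACTOR_WEIGHTS = {"financial": 4, "reputational": 2, "regulatory": 2}
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 4}


def score_period(levels_by_factor):
    """Weighted score for one function in one time period. Respondents pick
    a level per factor on the shared scale; the system does the arithmetic
    (no on-the-fly analysis by the respondent)."""
    unknown = set(levels_by_factor) - set(FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    return sum(FACTOR_WEIGHTS[f] * LEVELS[lvl] for f, lvl in levels_by_factor.items())


# Per-period impact totals transcribed from the slide's prioritization table.
SLIDE_TABLE = {
    "Process Deposits":                  [32, 48, 48, 48, 64, 64, 64, 64, 64, 88],
    "Take Orders Via Phone":             [20, 20, 28, 28, 28, 36, 36, 36, 44, 44],
    "Reconciliation - Beginning of Day": [0, 0, 32, 32, 40, 40, 48, 48, 56, 64],
    "Reconciliation - End of Day":       [0, 0, 0, 8, 8, 8, 8, 8, 8, 8],
    "Process Payments to Customers":     [0] * 10,
}


def total_impact(scores):
    """Metric 1: aggregate risk over the whole timeline."""
    return sum(scores)


def rto(scores, appetite, periods=PERIODS):
    """Metric 2: the period immediately before the first total above appetite.
    Exceeding in the first period means 'Immediately'; never exceeding is
    reported as the last period on the timeline, as the slide does."""
    if len(scores) != len(periods):
        raise ValueError("one score per time period required")
    for i, s in enumerate(scores):
        if s > appetite:
            return "Immediately" if i == 0 else periods[i - 1]
    return periods[-1]


def prioritize(table, appetite, periods=PERIODS):
    """Rank functions by RTO (shortest first), ties broken by total impact."""
    order = {"Immediately": -1, **{p: i for i, p in enumerate(periods)}}
    rows = [{"function": f, "rto": rto(s, appetite, periods), "total": total_impact(s)}
            for f, s in table.items()]
    return sorted(rows, key=lambda r: (order[r["rto"]], -r["total"]))


def rto_distribution(table, appetite, periods=PERIODS):
    """Number of functions landing in each RTO bucket for a given appetite;
    run with several appetite values to model risk tolerance, as on the
    'Setting a Risk Appetite' slide."""
    return Counter(rto(s, appetite, periods) for s in table.values())


if __name__ == "__main__":
    for appetite in (6, 12, 18):
        print(appetite, dict(rto_distribution(SLIDE_TABLE, appetite)))
    for row in prioritize(SLIDE_TABLE, 6):
        print(row)
```

With the appetite at 6 the function reproduces the RTO column of the slide exactly. Raising it to 12 pushes "Reconciliation - End of Day" (whose totals never exceed 8) out to the last period, which is the mechanism behind the shift from the x=6 to the x=18 columns of the tier table: the data does not change, only the threshold against which it is read.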
Understanding Operations is Essential
• Many BC Professionals skip right to Recovery Operations, instead of documenting normal business process first
Reengineering Operations
“Are there any inefficiencies or vulnerabilities in the highest value activities?”
1. Provide a process map (i.e. a standard operating procedure) for each of the highest value activities
2. Note manual steps and repeated activities
3. Provide a roadmap for investigating automation solutions
4. Implement the best solution
[Diagram: People, Technology, and Facilities & Assets arranged around Operations]
People, Technology, Facilities, and Assets Support Your Critical Activities
Reviewing Supporting Operational Infrastructure
“Are there any inefficiencies or vulnerabilities in the highest value operational infrastructure?”
• Establish expertise in one or more areas and spot risks and vulnerabilities
– What are some common risks and vulnerabilities in these areas?
• Offer cost-effective/high-value mitigation alternatives
– Over/under-utilization of resources
– Offer economies of scale with people, IT, and vendor resources
– Offer cost-cutting measures to reduce under-utilized resources
RED FLAGS: Spotting BCM/RM Tools and Methods That Lead Users Down the Wrong Path
• Poor Reporting and Analytics
– Focus on paper planning
– Limited custom reporting or extensive reporting setup
– Output very similar to input
• Subjective Data Gathering Methods
– Long questionnaires that ASK USERS to calculate risk; system should provide detailed calculations
– Excessive narrative justification of risk measurements
– Inability to group risks at different organizational levels, e.g. by region, facility, department, supporting asset, etc.
Questions?
Wrap-Up
For more insights:
• Contact Frank Perlmutter, CBCP [email protected]
• Visit www.strategicBCP.com
• Attend Frank’s presentation on “BC Metrics” Sept. 10 @ DRJ World Conference, San Diego