Business Continuity Management for Risk Managers


1 Business Continuity Management for Risk Managers
Lou Drapeau Greater Kansas City Chapter, RIMS March 12, PERK Program

2 What is BCP? BCP - Business Continuity Planning –
The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources

3 Where Are We Going? More Integrated Solution
Business Continuity Disaster Recovery Emergency Response Crisis Management Under The Banner of Business Continuity Management

4 Business Continuum
Pre-Incident Planning
- Risk Assessment / Mitigation / Prevention
  - Physical
  - Logical (Technology)
- Supply Chain
  - Vendor management
  - Inventory control
- BCM Creation
  - Emergency Response
  - Disaster Recovery
  - Business Recovery
  - Crisis Management
Incident Occurs
- Evacuation - Life & Safety
- Incident / Crisis Management
- BCM - Business Recovery
  - Relocation
  - Processing
  - Reprioritize product / customer
- Technology Recovery
  - Data Recovery
  - Processing Recovery
Post Incident
- Repair / Restoration
- Claims Processing
- Increase production levels
- Lessons Learned - Mitigation / Prevention

5 Risk Assessment vs. BCM: Cause vs. Effect
Risk Assessment - Deals with Causes
- Identifies risk
- Recommends mitigation / prevention measures
- Probability, cost, severity
- Reducing causal implications
BCM - Deals with Effects
- What are the implications of failing to mitigate or prevent?
- Preparation: structure, planning, resources, testing
- Execution: relocation, operating under duress
- Reducing effects

6 How Does BCM Address Enterprise Risk Management?
Upside Risk (Opportunity, Strategic Risk)
- New markets - locations
- Expanded distribution channels
- Research & develop products
- New technologies
- Economies of scale
- Competitor activity
Downside Risk (Compliance, Operational Failure, Financial Controls, Monitoring / Reporting, Change)
Operational Risk is the risk that a business does not meet its obligations to its stakeholders due to an erosion of value or operational failure. BCM seeks to mitigate the effects of operational failures.

7 Why BCM? Drivers and Effects
External Drivers
- Pressure from audit committees
- Pressure from financial institutions
- Pandemic concern
- New threats & risks since 9/11
- Demands from customers
- Cost of insurance
- Perceived as competitive edge
- Reliance on third parties (supply chain)
- Increased regulatory and self-regulated requirements
Effects
- Loss of customers or inability to attract new customers
- Loss of revenue
- Decrease in stock value
- Increase of insurance premiums
- Loss of assets and employees
- Regulatory sanctions

8 Post-9/11 Surge in Business Continuity Regulations and Standards
Post-9/11
- Sarbanes-Oxley Act of 2002
- HIPAA, Final Security Rule
- FFIEC BCM Handbook - 2003 / 2008
- Fair Credit Reporting Act
- NASD Rule 3510
- NERC Security Guidelines
- FERC Security Standards
- NAIC Standard on BCM
- NIST Contingency Planning Guide
- FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
- NYSE Rule 446
- California SB 1386
- Australia Standards BCM Handbook
- GAO Potential Terrorist Attacks Guideline
- Federal and Legislative BC Requirements for IRS
- Basel Capital Accord
- MAS Proposed BCM Guidelines (Singapore)
- NFA Compliance Rule 2-38
- FSA Handbook (UK)
- BCI Standard, PAS 56 (UK)
- Civil Contingencies Bill (UK)
- FPC 65
- NYS Circular Letter 7
- ASIS
- State of NY FIRM White Paper on CP
- NISCC Good Practices (Telecomm)
- Australian Prudential Standard on BCM
- HB221, HB292
- BS25999
- SS507 – SS540
- TR19
- CA Z1600
- ISO/PAS 22399
Pre-9/11
- Consumer Credit Protection Act
- OMB Circular A-130
- FEMA Guidance Document
- Paperwork Reduction Act
- ISO (previously ISO17799)
- FFIEC BCM Handbook
- Computer Security Act
- 12 CFR Part 18
- Presidential Decision Directive 67
- FDA Guidance on Computerized Systems used in Clinical Trials
- ANSI/NFPA Standard 1600
- Turnbull Report (UK)
- ANAO Best Practice Guide (Australia)
- SEC Rule 17 a-4
- FEMA FPC 65
- CAR
Notes: PAS = Publicly Available Specification; DRII (SDO); Title IX –

9 Not Just IT
“Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology.” “The planning process should be conducted on an enterprise-wide basis.” (FFIEC – March 2008)
“Business continuity management (BCM) describes a whole of business approach to ensure critical business functions can be maintained, or restored in a timely fashion.” (Australian Prudential Standard – April 2005)
“Business Continuity Management (“BCM”) is an over-arching framework that aims to minimize the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology (“IT”) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations.” (Monetary Authority of Singapore – June 2003)

10 Title IX –
a. The goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by third-party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.

11 DHS Decides Approved Standards
- ASIS International SPC Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for Use (2009 Edition)
- British Standards Institution (2007 Edition) - Business Continuity Management (BS 25999: Code of Practice for Business Continuity Management, and BS 25999: Specification for Business Continuity Management)
- National Fire Protection Association 1600 - Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions
ASIS – American Society for Industrial Security

12 How It Works
DHS → ANSI-ANAB (in progress) → ANSI
ANSI – American National Standards Institute
ANAB – ASQ National Accreditation Board
ASQ – American Society for Quality
DHS – Department of Homeland Security

13 Next Steps
- Creation of Accreditation Rules (AR) for training of “Certification Bodies”, approved by ANSI-ANAB
- Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
- Potential CBs must take the course and pass the examination
As of this moment:
- No organization has been approved to accredit Certifying Bodies
- No organization has been grandfathered into compliance with PS-Prep
ISO – International Standards Organization
IEC – International Electrotechnical Commission
ASTM – American Society for Testing and Materials

14 NFPA/DRI Audit Course Certification
- The DRI/NFPA course is proceeding with ANSI-CAP accreditation for the course; the preliminary application has been approved
- ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, as well as ASTM E e1 Standard Practice for Certificate Programs, and is recognized by ANSI-ANAB
- Passing the exam will provide a Certificate of Completion (because training is a requirement, there can be no examination-only route)
- This certificate will be required to seek CBCA/CBCLAs
- DRI International will maintain recertification through continuing education (RABQSA requirement)
CAP – Certification Accreditation Program
RABQSA – United States based Registrar Accreditation Board (RAB) and Australia based Quality Society of Australasia (QSA)

15 Who Needs BCM? Industries / Sectors (audience participation slide)

16 Who Needs BCM? By Size (audience participation slide)

17 BCM Methodology
BCM Life Cycle, ensuring a consistent approach: Identify, Analyze, Design, Execute, Measure (Test)
Stages shown in the life cycle:
- Risk Assessment
- Business Impact Analysis
- BCM Strategy Selection
- Plan Development / Execution
- Plan Test & Maintenance

18 Process Mapping

19 DRI International – Who Are We?
A non-profit organization committed to:
- Promoting a base of common knowledge for the continuity management industry
- Certifying qualified individuals in the discipline of Business Continuity
- Promoting the credibility and professionalism of certified individuals
Will celebrate our twenty-fifth anniversary in 2013.
The industry’s premier education and certification program body.

20 DRI International – Who Are We?
- DRI International has certified individuals in over 95 countries.
- DRI International conducts training courses in over 45 countries.
- More individuals choose to maintain their certification through us than all other organizations in our industry combined (over 7,500 individuals as of 2010).
- DRI International certifies individuals in English, Spanish, French, Japanese, Mandarin (expanding to Portuguese and Russian this year, Italian and Korean early next year).
- Conducts courses for: Insurance, Audit, Healthcare, Higher Ed.
- 2nd Annual Conference, June 4-8, 2013, in Philadelphia.

21 Business Continuity Management for Risk Managers
Questions?

