1
University of Maryland Robert H. Smith School of Business
Presenter: Al Berman, DRI International April 10, 2015
2
Business Continuity and Supply Vulnerabilities
DRI International Collegiate Conference Series
3
The leading nonprofit that helps organizations around the world prepare for and recover from disasters. We provide education, accreditation, and thought leadership in business continuity and related fields. train. prepare. recover.
4
DRI has Certified Professionals in over 100 Countries
Truly International
- DRI conducts training courses in over 50 countries
- Since 2009, DRI has taught more students outside the United States than within
- DRI has over 13,000 active certified professionals (more than all other organizations in our industry combined)
- Since 1988, more than 26,000 individuals have held a DRI certification
- DRI International conducts training and certifies individuals in 10 languages
5
International Government Collaboration
- Europe: Presented at the Interparliamentary Center for Parliamentary Studies (Belgium) and the IDRC (Davos, Switzerland)
- Canada: DRI Canada is a member of the Technical Committee for the CSA Z1600 Standard
- APEC: Only officially recognized business continuity certification
- Japan: Joint Declaration on overcoming future crises with municipal governments
- UAE: Member of the Standards Committee Advisory Team
- United States: Chair, Alfred P. Sloan Committee to draft the Framework for Preparedness that is the foundation for the Title IX implementation; Member, U.S. Chamber of Commerce Homeland Security Task Force; Member, Council of Experts for ANSI-ANAB; Member, FEMA National Advisory Council Private Sector Subcommittee; Member, Advisory Committee for the Congressionally funded Project for National Security Reform; Advisor, Special Assistant to the President for Homeland Security Standards Policy
- Nigeria: Participate in regular embassy drills
- Mexico: National standards advisor
- Malaysia: Annual DRI conference with the Ministry of Science, Technology and Innovation
- Singapore: Exclusive training partner for the Singapore Business Federation
6
United Nations Collaboration
- DRI represents the private sector on the Disaster Management Terminology Committee of the United Nations Office for Disaster Risk Reduction
- Research conducted in partnership with the European Commission
- DRI's International Glossary for Resiliency is a source document
- DRI is hosting a Public Forum in conjunction with the launch of the Hyogo Framework for Action 2, which will launch on the anniversary of the Great East Japan Earthquake and the Fukushima disaster

Several years ago DRI International created the first international glossary for resiliency, which has been translated into English, Spanish, Arabic and Chinese. The definitions were based on existing standards, regulations, laws and recognized guidance from the public and private sectors around the world. On the strength of that achievement DRI was invited to a seat on the terminology committee of the UN Office for Disaster Risk Reduction, in partnership with the European Commission. DRI will be presenting at the World Conference on Disaster Risk Reduction in Japan; we are the only organization of our kind to be a presenter. Bottom line: your voice is being heard by global policymakers.
7
Recognition from the Academic Community
DRI International is the largest, and the only, non-academic institution to receive chapter status. All DRI MBCPs were inducted into the Order of the Sword and Shield National Honor Society at DRI. The slide lists a few of the colleges that currently offer our BCLE 1500 course, which features the Qualifying Exam as the final exam for the semester-long class.
8
MyDRI Resources
The DRI Ten Professional Practices:
1. Project Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response and Operations
6. Plan Implementation and Documentation
7. Awareness and Training Programs
8. Plan Exercise, Audit and Maintenance
9. Crisis Communications
10. Coordination with External Agencies

DRI International is an ANSI-Accredited Standards Development Organization. The MyDRI section of our website contains free informational resources including the DRI Ten Professional Practices, the International Glossary for Resiliency, job listings, and a presentation library. The Ten Professional Practices serve as the heart of our teachings and thought leadership and are available in their entirety.
9
Most Used Standard for BCM
The Most Used Standard in the World (source: BC Management, 2013)
10
Charitable Giving and Volunteerism
As the charitable arm of DRI, the DRI Foundation seeks to provide our certified professionals with an outlet to give back. Together, we can help build resilient communities worldwide.
The DRI Foundation is a 501(c)(3) founded in July 2011: a means to empower business continuity, disaster recovery and emergency management professionals to use their expertise through volunteerism, support and education.
Vision: Resilient communities worldwide
Mission: To promote disaster risk reduction through partnership and education; to aid recovery efforts through fundraising and volunteerism
11
Business Continuity as a Career
12
Reasons for Business Continuity
External Drivers:
- Pressure from audit committees
- Pressure from financial institutions
- Pandemic concern
- New threats & risks since 9/11
- Demands from customers
- Increased regulatory and self-regulated requirements
Impacts:
- Loss of customers or inability to attract new customers
- Loss of revenue
- Decrease in stock value
- Increase of insurance premiums
- Loss of assets and employees
- Regulatory sanctions
13
Reasons for Business Continuity
We Are Making The Investment So That We Will Be There for You and Your Customers
14
Reasons for Business Continuity – Customer Involved
16
Business Continuity Laws, Regulations and Standards
Pre-9/11:
- Consumer Credit Protection Act
- OMB Circular A-130
- FEMA Guidance Document
- Paperwork Reduction Act
- ISO (previously ISO 17799)
- FFIEC BCP Handbook
- Computer Security Act
- 12 CFR Part 18
- Presidential Decision Directive 67
- FDA Guidance on Computerized Systems used in Clinical Trials
- ANSI/NFPA Standard 1600
- Turnbull Report (UK)
- ANAO Best Practice Guide (Australia)
- SEC Rule 17a-4
- FEMA FPC 65
- CAR
- JCAHO
Post-9/11:
- Sarbanes-Oxley Act of 2002
- HIPAA, Final Security Rule
- FFIEC BCP Handbook 2003 / 2008
- Fair Credit Reporting Act
- NASD Rule 3510
- NERC Security Guidelines
- FERC Security Standards
- NAIC Standard on BCP
- NIST Contingency Planning Guide
- FRB-OCC-SEC Guidelines for Strengthening the Resilience of the US Financial System
- NYSE Rule 446
- California SB 1386
- Australian Standards BCM Handbook
- GAO Potential Terrorist Attacks Guideline
- Federal and Legislative BC Requirements for the IRS
- Basel Capital Accord
- MAS Proposed BCP Guidelines (Singapore)
- NFA Compliance Rule 2-38
- FSA Handbook (UK)
- BCI Standard, PAS 56 (UK)
- Civil Contingencies Bill (UK)
- NFPA 1600: 2007
- PS-Prep
- Safety Act
- FCD-1/2
- NYS Circular Letter 7
- ASIS
- State of NY FIRM White Paper on CP
- NISCC Good Practices (Telecomm)
- Australian Prudential Standard on BCM
- HB 221, HB 292
- BS 25999
- SS 507 – SS 540, TR 19
- CSA Z1600
- ISO/PAS 22399
- HITECH Act of 2009
- NZ 5050
- ISO 22301
- FINRA 4370
- UAE SEC – Compliance Programs
- Dodd-Frank Wall Street Reform Act
- NFPA:
17
Industry Demand for Certified Individuals
Monday, October 12, 2009
18
Industry Demand for Certified Individuals
25 Hot Careers That Didn't Exist 10 Years Ago by JoVon Sotak, FindtheRightSchool.com “What did you want to be when you grew up? Astronaut? Movie star? Superhero? Whatever made your list, green marketer probably wasn't on it--but that job may be on the lists of today's youngsters. Here's a list of emerging careers that you (and your inner child) can get excited about. You couldn't have daydreamed about any of these jobs when you were a child--because they didn't exist then. In fact, they're so new that, although they're starting to be recognized, the U.S. Bureau of Labor Statistics doesn't yet have data on them. If you've been looking for a new dream job or haven't decided what you want to be when you "grow up," these are 25 new options”. Business: 1. Business continuity specialists plan and implement recovery solutions to keep businesses functioning during disasters and emergency situations
19
Industry Demand for Certified Individuals
20
Let’s Talk Money
21
Let’s Talk Money
22
A Look at Supply Chain Issues
23
Insurance Risk Transfer
Challenges:
- Supply Chain: From Albuquerque to Sendai & Beyond
- Cyber Threats Extending Supply Chain Scope
- Insurance Risk Transfer
- Real ROI
24
Supply Chain From Albuquerque to Sendai & Beyond
25
Supply Chain
26
Supply Chain - Manufacturing
27
Supply Chain - Order to Cash
- Sales
- Order Processing
- Billing
- Customer Order
- Service Delivery
- Customer Invoice
- Customer Service
- Payment
28
Supply Chain
- Physical Distribution
- Procurement and Strategic Sourcing
- Inventory Planning and Management
- Customer Service and Support
- Transportation Management
29
Nokia vs. Ericsson -- March 17, 2000
Pre-fire market share ranking: Nokia (32%), Motorola (22%), Ericsson (12%)
The event: a 10-minute fire at the Philips microchip plant in Albuquerque
Post-fire shipments:
- Nokia shipments grew by 10.5 percent over the previous year, to 140 million units
- Motorola shipments dropped by 1.7 percent, to 59 million units
- Siemens shipments grew by 10.2 percent, to 30 million units
- Samsung shipments grew by 36.8 percent, to 28 million units
- Ericsson shipments dropped by 35 percent, to 27 million units
On July 20, 2000, Ericsson reported that the fire and component shortages had caused a second-quarter operating loss of $200 million in its mobile phone division. Total loss: $400 million.
30
Why Nokia Gained and Ericsson Lost
Preparation - Nokia:
- Considered solutions before the event occurred
- Understood the need
- Implemented recovery at other Philips plants
- Implemented its plan
Wishful Thinking - Ericsson:
- Believed early reports of little damage and interruption
- Assumed that smart people would find a solution
31
Once Burned: Better BCM Means More Reliable Suppliers
Business Interruption and Recovery Plan clause from a Motorola Corp. 2002 RFP: "Supplier will provide Motorola with a detailed, written business interruption and recovery plan, including business impact and risk assessment, crisis management, information technology disaster recovery, and business continuity. Supplier will update the plan annually. Supplier will notify Motorola in writing within twenty-four (24) hours of any activation of the plan."
Demand for BCP comes from both the private and the public sector. (Marriott catering story)
32
Japanese Impact Upon Supply Chain
- GM shuts down for lack of supplies
- Chrysler and Ford: no red and black pigments
- Apple iPad 2 on backorder
- Chip shortage; chip prices increased
- Case polishing
33
Japan as a Supplier
34
Moving More Production Off Shore
Some 70 per cent of domestic manufacturers expect at least one partner in their supply chains to speed up relocation efforts overseas, a trade ministry poll showed, accelerating a nearly two-decade-long migration of Japanese manufacturing capability overseas.
"Relocating is on the table for many executives. If a key supplier or partner moves, that could trigger a large exodus," said Shuzo Takada, director of the ministry's industrial revitalisation division.
35
Changing Direction: Moving More Production Off Shore
- Renesas Electronics plans to increase offshore production from 8% to 25%
- Fujitsu plans to shift more chip output to a factory in China
- Hoya is planning its first overseas plant in China
Off Shore Back Up
- Mitsui Mining & Smelting, which supplies 90 percent of the ultra-thin copper foil used in smartphones, is building a backup production line in Malaysia
- Japanese firms plan to set up backup production bases in Taiwan: two Japanese firms, one a semiconductor-equipment maker and the other an electronic chemical material supplier, plan to make investments totalling NT$600 million
36
Mapping Risk in Supply Chain
37
Emerging Supply Chain Risks
Risk & Insurance Magazine
38
Cyber Threats Extending Supply Chain Scope
39
The Risks Increase
- Natural Disasters
- Man-Made Incidents
- Technology Failure
40
The Risks Increase
- Pandemics
- Nuclear, Biological, Chemical
- Political
- Economic
- Cyber
41
The Risks Increase (source: valuewalk.com)
42
The Changing Face of Hackers
Hackmageddon.com
43
Cyber Crimes In The News
U.S. notified 3,000 companies in 2013 about cyberattacks
44
The New Attacks – Easy
Source of attacks:
1. Find a trusted source (a third-party vendor), one with less than adequate security; phish or hack it
2. Steal credentials
3. Gain entry to the Target POS environment
4. Test the hack
5. Spread to the rest of the POS system, live
6. Collect credit/debit card information
7. Upload (FTP) the data to innocent servers in Miami and Brazil
8. The data winds up in Russia and Eastern Europe
Supply chain weakness → affected customer → created potential legal liability
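The controls a practitioner would want against steps 2-3 and 7 of that chain are segmentation and egress monitoring of the POS network: a vendor account should never reach POS hosts, and POS hosts should never talk FTP to the internet or push large uploads anywhere but an allowlisted destination. The following is an added example, not code from the presentation or from any retailer; the subnets, the egress allowlist, the 5 MB threshold and the flow records are all constructed assumptions standing in for a real flow export.

```python
"""Flag the lateral-movement and exfiltration steps of the chain above in flow logs.

Added example, not part of the presentation. POS_NET, VENDOR_NET, the egress
allowlist, EXFIL_BYTES and SAMPLE_FLOWS are constructed assumptions; swap in
your own segment definitions and a real flow export.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed segmentation (hypothetical): POS terminals in one /16, vendor VPN
# users in a /24, and the only destinations POS hosts may reach are the
# payment switch and patch servers in 10.10.5.0/24.
POS_NET = ip_network("10.20.0.0/16")
VENDOR_NET = ip_network("10.99.0.0/24")
POS_EGRESS_ALLOWLIST = [ip_network("10.10.5.0/24")]
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
FTP_PORTS = {20, 21}
EXFIL_BYTES = 5_000_000      # any single flow above ~5 MB leaving POS is suspect


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line):
    """Parse one 'ts,src,dst,dport,bytes_out' record (constructed CSV format)."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), int(nbytes))


def is_external(addr):
    """True when the address is outside every internal range defined above."""
    return not any(addr in n for n in INTERNAL_NETS)


def classify(flow):
    """Return the names of the rules a flow trips; an empty list is benign."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    hits = []
    if src in POS_NET:
        if is_external(dst) and flow.dport in FTP_PORTS:
            hits.append("pos-ftp-to-internet")         # step 7: FTP to drop servers
        if not any(dst in n for n in POS_EGRESS_ALLOWLIST):
            hits.append("pos-egress-not-allowlisted")  # POS hosts have no business roaming
        if is_external(dst) and flow.bytes_out >= EXFIL_BYTES:
            hits.append("pos-large-upload")            # card dumps are big
    if src in VENDOR_NET and dst in POS_NET:
        hits.append("vendor-to-pos-lateral")           # steps 2-3: vendor creds reach POS
    return hits


def scan(lines):
    """Run every record through classify(); return [(Flow, hits)] for flows with hits."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        hits = classify(flow)
        if hits:
            findings.append((flow, hits))
    return findings


# Constructed sample export; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for the external drop servers.
SAMPLE_FLOWS = """\
# ts,src,dst,dport,bytes_out
2013-11-27T03:10:00Z,10.20.14.7,10.10.5.20,443,1800
2013-11-27T03:11:20Z,10.99.0.15,10.20.14.7,445,43000
2013-11-27T03:15:00Z,10.20.14.7,198.51.100.23,21,7400000
2013-11-27T03:16:00Z,10.20.14.7,203.0.113.9,80,2100
2013-11-27T04:00:00Z,10.10.5.20,10.20.14.7,443,900
"""

if __name__ == "__main__":
    for flow, hits in scan(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} "
              f"{flow.bytes_out}B  {', '.join(hits)}")
```

Run as-is and three of the five constructed flows are flagged: the vendor host reaching a POS terminal, the 7.4 MB FTP upload to an external address (which trips all three POS rules at once), and a small HTTP request to a non-allowlisted destination. The allowlist rule is deliberately the broadest: a POS segment that can only reach the payment switch cannot complete step 7 no matter which protocol the attacker picks, so the FTP and size rules are there for the case where the allowlist has not yet been enforced at the firewall.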
46
More Pressure to Perform Due Diligence on the Supply Chain: New Regulations to Ensure Vendor Security
- HIPAA: Omnibus Rules – vendor due diligence
- FFIEC: Third-party providers, key suppliers and business partners; Cybersecurity Assessment Pilot Program
- OCC: Third-party relationships
- FINRA: Assessing how firms manage cybersecurity threats
- PCI: Credit card processing (outsourced cloud services provider, hosted call center, IT services firm, disaster recovery location, document storage company)
47
OCC Bulletin on Third-Party Relationships
A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships, and should ensure comprehensive risk management and oversight of third-party relationships involving critical activities. An effective risk management process throughout the life cycle of the relationship includes:
- plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party
- proper due diligence in selecting a third party
- written contracts that outline the rights and responsibilities of all parties
- ongoing monitoring of the third party's activities and performance
- contingency plans for terminating the relationship in an effective manner
- clear roles and responsibilities for overseeing and managing the relationship and risk management process
- documentation and reporting that facilitates oversight, accountability, monitoring, and risk management
- independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks
About the OCC: The OCC charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. The OCC is an independent bureau of the U.S. Department of the Treasury. Its mission is to ensure that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations.
48
HIPAA – Business Associates – Concerned with ePHI
Focus area: Existing agreements with Business Associate Addenda
- Change required: All Covered Entities must review their existing vendor relationships and affiliations to determine whether any relationship meets the new Business Associate criteria. All Business Associates must review their existing subcontractor arrangements for compliance purposes.
- Internal action: Inventory all existing contracts and identify all signed Business Associate Addenda and/or subcontractor agreements. Review contracts signed prior to January 25, 2013 and determine the end date for compliance under the transitional rule.

Focus area: Existing relationships without Business Associate Addenda
- Change required: Identify vendors, affiliates or affiliation relationships which involve access to or disclosure of PHI and which do not have documented BA addenda. RHIO relationships must include a Business Associate Addendum. A parent or affiliate which provides quality assurance or other functions involving access to or review of PHI must have a Business Associate Addendum in place. Vendors who provide PHI to patients must have a Business Associate Addendum in place. Other entities, such as document storage and/or disposal vendors, must have a Business Associate Addendum in place.
- Internal action: Conduct a risk assessment of all vendor relationships to identify those that may fall within the new regulatory definitions. Do not overlook corporate relationships with affiliates which do not involve the exchange of information for treatment purposes. For individuals employed by vendors or affiliates who may nonetheless fall within a Covered Entity's or Business Associate's "workforce", assure proper designation and training.

Focus area: Hybrid Entities
- Change required: Hybrid Entities that perform multiple functions and roles (such as operating a hospital and a university) must now include any Business Associate functions under the health care component of their operations subject to the new rules.
- Internal action: Review internal designations of the health care component for any Hybrid Entity. Assure direct compliance with HIPAA/HITECH as to Business Associate functions carried out by the organization.
49
And One for the US Government
FISMA (Federal Information Security Management Act) requirements from a Federal Highway Administration bid solicitation:
- Security assessment: formal evaluation of the control environment (annual)
- Plan of action: plan to mitigate assessment findings (quarterly)
- System security plan: documentation of all controls (annual)
- Security categorization: impact level of each system (annual)
- System contingency plan: documentation of redundancy (annual)
- Security policy and workforce training records (annual)
- Interconnection agreements from sub-contractors (annual)
50
Government Contract Lost
Oct 10, 2014, 7:01am EDT Dayton Business Journal It seems that being the victim of a data breach could lead to companies losing government contracts, according to a report by the Washington Business Journal. The Office of Personnel Management’s decision not to renew two contracts with US Investigations Services LLC might have set a precedent for how government handles contractor breaches, according to the report. As a reminder, in July 2014, USIS was hit by a cyber attack that reportedly affected 25,000 government employees. USIS suspected it to be "state-sponsored." The government quickly suspended work with USIS and then opted to drop its contracts with the company. Robert Nichols, a lawyer specializing in government contracts at D.C. firm Covington & Burling LLP, says the lost contracts could place higher demands on contractors in securing their work with government data, according to Federal Computer Week. For this reason alone, government contractors must have adequate system protections in place to keep data safe.
51
Insurance – Risk Transfer
Real ROI
52
Risk Transfer - Insurance
BCM process, major steps with actions, documentation and participants:

Business Impact Analysis (integrates with BI & CBI insurance)
- Actions: 1. Develop the BIA questionnaire using Senior Management's recovery objectives 2. Conduct a BIA workshop with Business Representatives 3. Distribute BIAs and receive completed forms from Business Representatives 4. Review BIA questionnaires 5. Conduct follow-up interviews with Business Unit Representatives
- Documentation: 1. BIA Kickoff Presentation 2. BIA Questionnaire
- Participants: BCP Leader, Business Unit Representatives

Strategy Selection (optimizes Extra Expense insurance)
- Actions: 1. Identify and document resource requirements based on the BIAs 2. Conduct a gap analysis to determine gaps between recovery requirements and current capabilities 3. Explore facility options 4. Define strategy options 5. Select a strategy
- Documentation: 1. Summary of BIAs 2. Gap Analysis Report 3. Relocation Strategy
- Participants: Senior Management, BCP Leader, Business Unit Representatives

Plan Preparation
- Actions: 1. Link/update the Plan Model throughout the BCP process with gathered information 2. Develop Relocation Plans 3. Validate the complete plan
- Documentation: 1. Plan Model 2. Relocation Procedures 3. Workaround Procedures 4. Data Restore Procedures 5. IT Procedures
- Participants: Senior Management, BCP Leader, Business Unit Representatives

Testing & Maintenance
- Actions: 1. Develop testing and maintenance requirements 2. Train Associates to create awareness of the BCP Model and individual roles 3. Plan for walk-through testing 4. Conduct tests and document test results 5. Update the BCP Plan to incorporate lessons learned from testing
- Documentation: 1. Test Scenario 2. Pre-Test Checklist 3. Test Monitoring Procedures 4. Test Review Report
- Participants: Senior Management, BCP Leader, Business Unit Representatives, and Third-Party Observers
53
Business interruption insurance
Business Interruption: insurance that provides protection for the loss of profits and continuing fixed expenses resulting from a break in commercial activities due to the occurrence of a peril.
Purpose: to protect the earnings of the insured and do what the insured would do for itself had no loss occurred.
Measure of loss: "Net Profits plus Continuing Expenses", or equivalently "Gross Earnings less Non-Continuing Expenses".
54
Contingent Business Interruption Insurance Supply Chain Protection
Contingent Business Interruption (CBI) reimburses lost profits and extra expenses resulting from an interruption of business at the premises of a customer or supplier. It is used:
- When the insured depends on a single supplier or a few suppliers for materials
- When the insured depends on one or a few manufacturers or suppliers for most of its merchandise
- When the insured depends on one or a few recipient businesses to purchase the bulk of the insured's products
- When the insured counts on a neighboring business to help attract customers (known as a leader property)
55
Extra Expense: pays for the extra expense of maintaining operations after an accident to an insured item until normal operations can be restored, that is, for expenses over and above those that would have been incurred during normal operation of the business. Covered extra expenses include expenses incurred to avoid or minimize the suspension of operations, expense to repair or replace property, and expense paid for overtime work to speed up the restoration of the business.
56
Insurance Implications
- Business Impact Analysis maps to Business Interruption and Contingent Business Interruption insurance: indemnity cover bought to compensate for the losses incurred due to interruption or stoppage of a key supplier's business.
- Strategy Selection maps to Extra Expense and Extraordinary Expense insurance: a policy that pays (up to a specified limit) expenses incurred in restoring a firm to its normal operations after a disaster but not covered under the ordinary business interruption policy.
57
Cyberinsurance
- Data Liability – defense and damages for a data breach
- Media Liability – copyright & IP defense costs
- Regulatory Coverage – civil fines, not criminal; limited
- Remediation Coverage – notification, credit monitoring & help desks
- Information Asset Coverage – restoration of data and systems
- Network Interruption Coverage – denial of service attacks
- Extortion Coverage – ransomware (CryptoLocker)
58
Thank You Questions, Comments