business continuity management for risk managers n.
Skip this Video
Loading SlideShow in 5 Seconds..
Business Continuity Management for Risk Managers PowerPoint Presentation
Download Presentation
Business Continuity Management for Risk Managers

Loading in 2 Seconds...

play fullscreen
1 / 40

Business Continuity Management for Risk Managers - PowerPoint PPT Presentation

  • Uploaded on

Business Continuity Management for Risk Managers. What is BCP?. BCP - Business Continuity Planning –

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Business Continuity Management for Risk Managers' - darin

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
what is bcp
What is BCP?
  • BCP - Business Continuity Planning –

The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected,interruptions of these processes and their supporting resources

where are we going
Where Are We Going?
  • More Integrated Solution
    • Business Continuity
    • Disaster Recovery
    • Emergency Response
    • Crisis Management
    • Risk Management

Under The Banner of Business Continuity Management

business continuum
Business Continuum

Pre-Incident Planning

Incident Occurs

Post Incident

Risk Assessment/Mitigation/


- Physical

- Logical (Technology)

Supply Chain

- Vendor management

- Inventory Control

BCP Creation

- Crisis Management

- Emergency Response

- Disaster Recovery

- Business Recovery


- Life & Safety

Incident/Crisis Management

BCP activation

- Business Recovery

- Relocation

- Processing

- Reprioritize


- Technology Recovery

- Data Recovery

- Processing Recovery


Claims Processing

Increase Production Levels

Lessons Learned

- Mitigation/Prevention


Post-9/11 Surge in Business Continuity Regulations and Standards


Sarbanes-Oxley Act of 2002

HIPAA, Final Security Rule

FFIEC BCM Handbook -2003/ 2008

Fair Credit Reporting Act

NASD Rule 3510

NERC Security Guidelines

FERC Security Standards

NAIC Standard on BCM

NIST Contingency Planning Guide

FRB-OCC-SEC Guidelines for

Strengthening the Resilience of US

Financial System

NYSE Rule 446

California SB 1386

Australia Standards BCM Handbook

GAO Potential Terrorist Attacks


Federal and Legislative BC

Requirements for IRS

Basel Capital Accord

MAS Proposed BCM Guidelines


NFA Compliance Rule 2-38

FSA Handbook (UK)

BCI Standard, PAS 56 (UK)

Civil Contingencies Bill (UK)

FPC 65

NYS Circular Letter 7


State of NY FIRM White Paper on CP

NISCC Good Practices (Telecomm)

Australian Prudential Standard on BCM




SS507 – SS540


CA Z1600

ISO/PAS 22399

PS Prep


Consumer Credit Protection Act

OMB Circular A-130

FEMA Guidance Document

Paperwork Reduction Act

ISO 27002 (Previously ISO17799)

FFIEC BCM Handbook

Computer Security Act

12 CFR Part 18

Presidential Decision Directive 67

FDA Guidance on Computerized Systems

used in Clinical Trials

ANSI/NFPA Standard 1600

Turnbull Report (UK)

ANAO Best Practice Guide (Australia)

SEC Rule 17 a-4




Title IX – 110-53

1991 - 2001

2002 -------------------------------------------------------2010

title ix 110 53
Title IX – 110-53

 a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs.  The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.  b.  The program will be voluntary.c.  Key stakeholders are invited to participate in the development of the program.  Consultation with a variety of organizations and various sectors is required by the legislation.  Program development will likely include involvement by a diversity of private sector advisory groups and others.d.  The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.e.  One or more preparedness standards can be designated.  NFPA 1600 is reference by example.f.  Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.g.  Special consideration will be made for small business.h.  Proprietary and confidential information is to be protected.

dhs decides
DHS Decides

Approved Standards

  • ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition).
  • British Standards Institution 25999 (2007 Edition) - Business Continuity Management.(BS 25999:2006-1 Code of practice for business continuity management and BS 25999: 2007-2 Specification for business continuity management)
  • National Fire Protection Association 1600-Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.
how it works
How It Works


In progress - ANSI


next steps
Next Steps
  • Creation of Accreditation Rules (AR) for Training of “Certification Bodies”
    • Approved by ANSI-ANAB
    • Must comply with ASTM 2659 and be approved by ANSI-CAP or ISO/IEC 17011
    • Potential CB’s Must Take Course and Pass Examination
  • As of this Moment No Organization
    • Has Been Approved to Accredit Certifying Bodies
    • Has been Grandfathered into Compliance with PS-Prep
nfpa dri audit course certification
NFPA/DRI Audit Course Certification
  • DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course. Preliminary application has been approved
  • ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies as well as ASTM E2659 - 09e1 Standard Practice for Certificate Programsand recognized by ANSI-ANAB
  • Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only)
  • This Certificate will Be Required to Seek CBCA/CBCLAs
  • DRI International will maintain recertification through continuing education (RABQSA requirement)

Business Continuity

  • Risk Management
  • Disaster Recovery
  • -
  • Crisis Management
  • Emergency Management

Risk Management

  • -Prevention/Mitigation
  • -Risk Retention
  • -Risk Transfer
risk management has been around for a while

Risk Management has been around for a while

Even the ancients practiced a form of risk management.

Question: who invented the first fire protection system (hint: it was semi-automatic)?


The Egyptians

we all practice risk management

We all practice risk management

Car/Home Insurance


Example of risk transfer:

Example of risk retention:


Crisis Management

  • -Crisis Communication
  • Employees
  • Media
  • Authorities
  • Stakeholders
crisis management is a relatively new discipline

Toyota?? BP??

Crisis Management is a relatively new discipline

New “poster child” of how NOT to do good crisis management is……?

Example of a company that practiced good crisis management, and still prospers to this day…?

The advent of instant worldwide communications mandates good crisis management for business survival

Johnson & Johnson, Tylenol!!


Emergency Management

  • -First Responders
  • -Emergency Services
    • Police
    • Fire/Rescue
  • -Incident Command System

Philadelphia – 1736

Ben Franklin

first responders
First Responders


emergency response
Emergency Response
  • Training: drills…practice, practice, practice!
  • Planning: pre-plans with emergency services
  • Communication: 911, Emergency Notification Systems
  • Coordination of efforts: Incident Command System (ICS)

Disaster Recovery

  • -Data Recovery
  • -Processing Recovery
disaster recovery is a relatively new concept

Disaster Recovery is a relatively new concept

Late 1960’s early 1970’s – introduction of computer mainframes

Question: Who created the first disaster recovery (DR) plan?


The first data center manager who realized the problem if they lost their data and made a copy and took it home each night

disaster recovery is a relatively new concept cont

Disaster Recovery is a relatively new concept cont.

  • Late 1980’s - PCs become prevalent

1990’s – LANS & WANS

2000’s - Web-based computing

Future – Who knows! The Cloud???


Business Continuity



Risk Assessment

Plan Test & Maintenance

  • Had its roots in DR
  • Realization: it takes more than just data and applications to continue the business


Life Cycle

Plan Develop /Execution





  • BC is a process, not a transaction



Business Continuity

  • Risk Management
  • Disaster Recovery
  • -

Enterprise Risk Management

Business Continuity Management

  • Crisis Management
  • Emergency Management
who needs bcm
Who Needs BCM?

Industries / Sectors

who needs bcm1
Who Needs BCM?

By Size

Is business continuity scalable?

example bob s dry cleaning

Example: Bob’s Dry Cleaning

Risk management

Fire prevention program

Automatic sprinklers


Crisis management

Media contacts

Customer lists

Emergency Management

Emergency services pre-plan


example bob s dry cleaning cont

Example: Bob’s Dry Cleaningcont.

Disaster Recovery

Back-up data


Accounts receivable

Accounts payable

Client list

Identify back-up hardware



Web-based computing

example bob s dry cleaning cont1

Example: Bob’s Dry Cleaningcont.

Business Continuity

Location strategy



Processing strategy


Mutual aid

Communication strategy



Social media

challenge for business continuity in the u s going forward

Challenge for Business Continuity in the U.S. going forward:

Business Continuity must be a common business practice throughout all private and public sector organizations, regardless of size.

dri international who are we
DRI International – Who Are We?
  • A Non-Profit Organization Committed to:
    • Promoting a base of common knowledge for the continuity management industry
    • Certifying qualified individuals in the discipline of Business Continuity
    • Promoting the credibility and professionalism of certified individuals
  • Celebrated our Twentieth Anniversary in 2008.
  • The Industry’s Premier Education and Certification Program Body
dri international who are we1
DRI International – Who Are We?
  • DRI International has Certified INDIVIDUALS in over 95 Countries.
  • DRI International conducts training courses in over 45 countries.
  • More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 individuals as of 2009)
  • DRI International certifies individuals and teaches in English, Spanish, French, Japanese, Mandarin, and Russian.
  • Conducts Courses for:
      • Insurance
      • Audit
      • Small and Medium Sized Businesses