BCP/DR Reporting Metrics

Size: px

Start display at page:

Download "BCP/DR Reporting Metrics"

Nicholas Mitchell
8 years ago
Views:

1 Session Agenda I. Introductions Telling Management the WHOLE Story Session D15 Joe Flach / Safe Harbor Consulting II. Reporting Requirements III. IV. V. The Adjusted Recovery Confidence Factor VI. Back Pocket Readiness VII. Questions and Answers Introductions Reporting Requirements Hello! General Requirements Foreign Corrupt Practices Act, 1977 Sarbanes-Oxley Act of 2002 The Occupational Safety and Health Act (OSHA) SEC Regulations NYSE Rule 446 NASD Rules 3510 & 3520

Questions and Answers Introductions Reporting Requirements Hello!

2 Industry Specific Requirements Reporting Requirements Industry Regulation Healthcare HIPPA of 1996 FDA Code of Federal Regulations Title XXI, 1999 Government FISMA 2002, Title III of the E Gov. Act COOP and COG Federal Prep Circular 69, 1999 NIST Self Publication , 2002 NIST , 2005 Finance FFIEC Handbook, Chapter 10, Basel II, 2002 Interagency Paper on Sound Practices, 2003 EFA Act, 1989 Utilities GASB Statement Number 34, 1999 NERC 1200 (1216.1), 2003 FERC RM Appendix G, 2003 RUS 7 CFR Part 1730, 2005 Typical duties of boards of directors include: governing the organization by establishing broad policies and objectives; selecting, appointing, supporting and reviewing the performance of the chief executive; ensuring the availability of adequate financial resources; approving annual budgets; accounting to the stakeholders for the organization's performance; setting the salaries and compensation of company management. From: Wikipedia: just one of many items on a full agenda limited to 15 minutes or less speaking to a room of people in which no one has a background in this field speaking to a room of people who have a limited interest in your topic speaking to people who are strategic planners not tactical thinkers standing in the way of a more interesting topic, lunch or liquid refreshments Board of Directors is responsible for ensuring the company has an adequate Business Continuity Program in place to protect the best interests of all corporate stakeholders. Business Continuity Planner is responsible for educating and informing Sr. Management on the business continuity posture, risks/threats and potential impacts from interruptions. The Business Continuity Planner is responsible for positioning the BOD to make informed and educated decisions regarding the Business Continuity Program. The worst thing that can happen to a Business Continuity Planner is to have Sr.

2003 EFA Act, 1989 Utilities GASB Statement Number 34, 1999 NERC 1200 (1216.

3 Do Not Report on Activity. Do Report on Recovery Posture. ARE WE RECOVERABLE? Are we recoverable? The Adjusted Recovery Confidence Factor ARCF = CBUTested/CBUTotal (CA) (DA) CBUTested = Number of Critical Business Units SUCCESSFULLY Tested CBUTotal = Number of Total Critical Business Units CA = Confidence Adjuster - % Confidence we have identified the right CBUs DA = Documentation Adjuster - % of our program that is adequately documented

Business Units SUCCESSFULLY Tested CBUTotal = Number of Total Critical Business Units CA = Confidence Adjuster

4 CBUTested Emphasis on the word successfully. A critical business unit is successfully tested when it is validated that the business processes can be recovered within the established RTO. You will be unsuccessful The Confidence Adjuster Is a subjective measurement for how confident you are that your program has identified the right Critical Business Units. Supports the need for a Business Impact Analysis (BIA) to validate the CBUs. The Documentation Adjuster Measures what percentage of the program is supported by documented plans. Back Pocket Readiness The individual components of the ARCF allows you to tell the whole story and focus on those parts of the program that demand attention. Be prepared to answer these other questions: Are we compliant? How do we compare to our peers? What could possibly cause an interruption to our operations? And: What can/should we do to improve our ARCF?

Supports the need for a Business Impact Analysis (BIA) to validate the CBUs. The Documentation Adjuster Measures what percentage of the program is supported by documented plans.

5 Thank You

Continuity of operations for critical infrastructure. Disclosure of critical information to the government.

Continuity of operations for critical infrastructure. Disclosure of critical information to the government. Regulatory compliance is a significant factor influencing the development of your business resilience strategy. Moreover, while Business Continuity or Disaster Recovery regulations may not apply in every