Auditing Enterprise Business Continuity Management (BCM) Jeffrey M. Dato, MBCP Senior Manager Risk Advisory Services KPMG, LLP

Transcription

1 Auditing Enterprise Business Continuity Management (BCM) Jeffrey M. Dato, MBCP Senior Manager Risk Advisory Services KPMG, LLP

2 Agenda Rules of Engagement Definitions and Presentation Premises Business Continuity 101 Historical Perspective The Changing Landscape Corporate and Technology Trends Compliance and Reputational Risk Link to Enterprise Risk Management Audit Framework for BCM Standards and Professional Practices Guideline for Auditing BCM 2

3 Rules of Engagement

4 Definitions & Presentation Premises Business Continuity Management Crisis Management ( Respond People-focus) Disaster Recovery ( Recover Technology-focus) Business Resumption ( Resume Process-focus) Presentation Premises It s a business issue. It s about managing risks across the enterprise. It s a culture thing. It s not your grandfather s DRP anymore. It s about managing expectations. 4

5 Business Continuity 101 5

6 Business Continuity 101 6

7 Business Continuity 101 Program Management Office KEY BUSINESS PROCESS (KBP) POTENTIAL UNKNOWN EVENTS Technology Resources Non-Technology Resources Human Capital SLA S Regulatory Issues BUSINESS IMPACTS Quantitative & Qualitative Estimated Severity & Likelihood of Occurrence Validate Assets Quantitative & Qualitative Threats Vulnerabilities -Natural Disasters -Cyber-Terrorism -Terrorist Events -Supply Chain -Privacy Issues -Availability People Process Technology Prioritization of KBP s for Continuity and Recovery Current Control Environment Gap Analysis Optimum Control Environment Identification and Selection of Strategic Alternatives for Availability, Continuity & Recovery Mitigate, Insure, Accept Planning Planning Response Resumption Recovery Monitoring Tools Exercise Change Management Training Awareness Governance 7

8 Historical Perspective Events (1970 s & 1980 s) Utilities Failures: NYC Brownouts / Hinsdale Building Fires: Penn Mutual / First Interstate Natural Events: Loma Prieta / Hurricane Hugo Planning Focus: RECOVERY Technology (Mainframe / Mid-Range) Regulations: FCPA / Bank Circular 177 Back to the Future Johnson & Johnson ( Tylenol ) Exxon ( Valdez ) 8

9 Historical Perspective Events (1990 s) Hurricanes: Andrew / Georges / Floyd Domestic Terrorism: WTC (NYC) / Murrah Building (OKC) Natural Events: Earthquakes / Flooding / Tornados Planning Focus: CONTINUITY Technology (PC s / LAN / WAN / GWAN) People (Relocation / Manual Operations) Regulations: FFIEC Handbook / GLBA / HIPAA Back to the Future UPS ( Strike ) Bridgestone/Firestone ( Tire Failure ) 9

10 Historical Perspective Events (Y2K) Significance Boardroom Attention Public/Private Interaction Infrastructure Improvement Results Non-event : Too good of a job? False sense of preparedness Let down Efforts abandoned and/or scrapped Costly 10

11 Historical Perspective Events (2000 s) Denial of Service (DoS) Attacks Dot.Com Collapse / Corporate Scandals September 11, Hurricanes / Tsunami Planning Focus: RESILIENCY Technology (Mainframe / Mid-Range) Regulations Whitepaper / OCC / NASD 3520 / NYSE 446 NERC/FERC CyberSecurity 1300 / California SB 1386 Turnbull Report (UK) / Florida Statutes / Puerto Rico 11

12 The Changing Landscape

13 Corporate and Technology Trends Corporate Mergers & Acquisitions / Globalization Process Sourcing Supply Chain Dependency Regulatory Pressures Resource Constraints Increased Service Demands Availability Requirements Online Transactions / EDI Self-Service Tools: ATMs / Kiosks Customer Relationship Management (CRM) 13

14 Corporate and Technology Trends Technology Availability vs. Recoverability Recovery Time Objective (RTO) Recovery Point Objective (RPO) Maximum Tolerable Outage (MTO) Service Delivery Objective (SDO) IT Sourcing Data Center Availability Data & Records Management (Mileage Limitations) Mobility (PDAs / Auto Call Notification) 14

15 Compliance & Reputational Risk Compliance BCM-Specific Financial Services Healthcare Energy Public Sector Cross-Industry BCM-Implied Basil II California SB 1386 Gramm-Leach-Bliley Act ( 501) Homeland Security Act Sarbanes-Oxley ( 302, 404, 409) 15

16 Compliance & Reputational Risk Reputational Need to manage expectations Internally Board of Directors Executive Management Employees Externally Business Partners / Supply Chain Shareholders Analysts Customers / Clients Regulators 16

17 Link to Enterprise Risk Management At the highest level, there are four things that can be done with Risk: Mitigate Insure Plan Accept Compliance Contractual Types of Risk to be Considered: Financial Lost/Deferred Revenue Operational Strategic Technical People Market Share Cybercrime Regulatory Opportunity Production Partnerships E-Business Service Level Agreements Shareholder Equity Supply Chain Reputational Infrastructure Failure 17

18 Link to Enterprise Risk Management Committee of Sponsoring Organizations (COSO) Old New 18

19 Audit Framework for BCM

20 Standards and Professional Practices Standards US Disaster Recovery Journal Generally-Accepted Practices NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs International Publicly Available Specification (PAS) 56 (UK) Tripartite Standing Committee for Financial Stability (UK) AS/NZ 4360 / 4390 / 4444 (Australia/New Zealand) MAS Business Continuity Guidelines (Singapore) Other BCM-specific standards exist in China, Hong Kong, Japan, Malaysia, Philippines, South Africa and India Non-BCM Specific: COBIT, ISO 17799/BS

21 Standards and Professional Practices Professional Practices DRI International ( and the Business Continuity Institute ( Project Initiation and Management Risk Evaluation and Control Business Impact Analysis Developing Business Continuity Strategies Emergency Response and Operations Developing and Implementing Business Continuity Plans Awareness and Training Programs Maintaining and Exercising Business Continuity Programs Crisis Communications Coordination with External Agencies 21

22 Guideline for Auditing BCM Program Management Program Governance Critical & Sensitive Data Risk Assessment Business Impact Analysis Strategy Evaluation and Implementation Plan Development Change Management Event & Crisis Management Plan Exercises Training Awareness Quality Assurance Program Integration & Coordination Evolving Practices 22

23 Guideline for Auditing BCM Risk Assessment People Process Technology Physical Geographic Plan to Mitigate Insure Plan Accept Business Impact Analysis Business vs. Technology-driven Process Workflow Analysis Interdependencies Impacts (Quantified/Qualified) Financial Operational Legal/Contractual/Regulatory Brand/Reputational Market Share Resource Requirements Executive Accountability 23

24 Guideline for Auditing BCM Strategy Evaluation & Implementation Linkage to findings from Risk Assessments and Business Impact Analyses Partnership between Business and Technology Cost Benefit Analysis Vendor Agnostic Proof of Concept Process Chosen prior to plans being developed Change Management Process 24

25 Guideline for Auditing BCM Plan Development General Format Task-driven vs. Narrative Crisis Management / Emergency Response Pre-incident awareness and escalation processes Formalized Chain of Command / Succession Planning Incident Command Structure (ICS) Dedicated alternate site(s) for Command Centers Linkage to Crisis Communications plans and enterprise Business Continuity process Structured declaration process Ongoing Incident Management / ATOD Logistics 25

26 Guideline for Auditing BCM Plan Development Business Resumption Linkage to Crisis Management / Emergency Response Call Notification process Pre-identification of alternate workspace and/or redirection of process activities to other offices Resource requirements (i.e. workspace, voice/data, supplies, vital records, mail/courier/print) Recovery Operations Procedures Status Reporting / Event Audit Log Place-holder for multiple moves (i.e. interim and home) 26

27 Guideline for Auditing BCM Plan Development Disaster Recovery Linkage to Crisis Management / Emergency Response and Business Resumption Call Notification process Hot site / Tape Host / Sourcing declaration procedure Logistics (i.e. transportation, tape transfer, data push) Hardware / Software / Voice & Data scripts & restoration priority Status Reporting / Event Audit Log Multi-site move plan pre-identified (interim and home) 27

28 Guideline for Auditing BCM Exercise and Change Management Exercise schedule, involvement and frequency Exercise type do they build upon each other? Involvement of business partners and supply chain Existence of external observer for monitoring and line of business management for accountability Post-mortem reviews and ties to future exercises/plan maintenance (incorporation of lessons learned ) Change management schedule and frequency Automated or manual maintenance process and LOB sign-off 28

29 Guideline for Auditing BCM Program Governance Policies/Procedures Program Charter and Mission Statement Roles and Responsibilities Chapters for Governance of BIA, RA, Strategy, Plans, Exercises, Change Management, Awareness & Training Quality Assurance Functional vs. Process-driven Survey-only vs. Facilitated LOB Management involvement, review and sign-off Vendor Readiness External validation and benchmarking 29

30 Guideline for Auditing BCM Program Governance Awareness Existence, execution and frequency Cross-enterprise involvement Incorporation of lessons learned Training Existence, execution and frequency Types offered (i.e. position, BCM 101, software) Linkage to other training programs 30

31 Guideline for Auditing BCM Crisis Communications Formal policy exists and lead by Public Relations Communication of policy to employees War Room Executive involvement Exercise schedule or actual event experience Coordination with External Agencies (First Responders) Communication with local authorities First Responder involvement with exercises, as appropriate Discussion with authorities about identification cards for entrance to secured area 31

32 Guideline for Auditing BCM Program Integration & Coordination Linkage of BCM to the following Crisis Management and Disaster Recovery Compliance / Regulatory Enterprise Risk Management Legal / Contractual Supply Chain / Sourcing Strategic Initiatives Technology 32

33 Contact Information Jeff Dato, MBCP Senior Manager Risk Advisory Services KPMG, LLP Office: (404) Cell: (404)