Preparing for the Convergence of Risk Management & Business Continuity
Disaster Recovery Journal Webinar Series, September 5, 2012
2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com
Today's Presenter
Frank Perlmutter, CBCP (Fperlmutter@strategicbcp.com)
- Former Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury
- President & Co-Founder of Strategic BCP, creators of ResilienceONE BCM Software
- Managed BC, Risk, and Process Improvement Programs for over 100 organizations
Background
- Strategic BCP established in 2004
- Purpose: elevate the productivity and relevance of business continuity (BC) professionals
- ResilienceONE introduced as a milestone in using technology to streamline the process of creating and maintaining BC plans
Webinar Focus Areas
- Risk Management vs. Business Continuity
- Risk Management Principles
- Enterprise Risk Management: Practical Application
- Operational Risk Management: Practical Application
- Q&A and Wrap-up
Section 1: Risk Management vs. Business Continuity
Preventative Care vs. Reactive Approach
- Analyzing the risk and preventing it: eat well, exercise, and take vitamins
- Reacting to the risk: have a heart attack and get revived
Proactive vs. Reactive
- BC Professionals unfortunately tend to focus too much on the reaction: Response, Recovery, Restoration; plan/document-centric
- BC Professionals are better served by concentrating adequate focus on the proactive: mitigating the risk of outages before they happen; analysis-centric
Why the Convergence of BC and RM?
- The convergence of BC and RM has already occurred and continues to evolve
- Regulations, frameworks, and standards reflect a strong theme of management of risk
- Decision-makers gravitate towards Risk Management for its continuous value, making BC a subset
Preparation for Current Reality
- Many BC Professionals are being left behind by unrequited devotion to outdated methods
- Strong plans do not necessarily equate to a strong ability to actually recover and reduce impact. This reduces the value of the Professional that just focuses on plans
- Risk Management has value to everyday decision-making; Business Continuity Plans do not
What is the Dominant Discipline?
- There is an overlap of concepts between the two disciplines
- The Risk Assessment and Business Impact Analysis are risk-based tools
- How they are implemented, and the value they bring, will designate whether the process is a sound risk-based model or not
- Risk Management as a discipline is generally leading the way
- Business Continuity is a subset of overall Risk Management
Risk Management Practice Areas
- Business Continuity / Incident Management
- Internal Controls
- Enterprise Risk
- Operational Risk
- Financial Risk
- Legal Risk
- Third Party Risk
- BOD/Ethics Risk
- Environmental Risk
- Quality Assurance
- Information Technology Risk
The Convergence/Overlap
NOW:
- Business Continuity (Business Impact Analysis and Risk Assessment)
- Enterprise Risk
FUTURE:
- Internal Controls?
- Legal Risk?
- Operational Risk
- Information Technology Risk
- Financial Risk
- Third Party Risk
Section 2: Risk Management Principles
What's Available?
- A sea of Risk Management regulations, standards, and best practices
- Business Continuity regulations, standards, and best practices are similarly prevalent
- There are similarities and guiding principles throughout all of them
- Focus on the COMMON guiding principles
A Selection of RM Regulations, Standards, Best Practices, Frameworks
- ISO 31000
- COSO Framework
- OCEG GRC Capability Model (Red Book)
- FERMA 2002
- ISO/IEC 31010
- Basel II and Basel III
- BS 25999-2:2007
- ISO 22301:2012
- NFPA 1600: 2007/2010
- COBIT
- Institute of Operational Risk
- ISO 14001
- ISO 27001
- ISO 27005
- NIST 800 Series
- ITIL v.3
- DRII/BCI
- Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
Focus on What Delivers Value: Mandatory vs. Voluntary
- Regulations: mandatory authoritative rules dealing with details or procedures having the force of law, which are issued by an authority of government
- Standards and Best Practices: voluntary criteria, voluntary guidelines and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes
Our Guidance:
- With so many mandatory standards, we have seen that most examiners and executives are paying little attention to voluntary standards
- Standards and best practices in both BC and RM tend to be conceptual, with little guidance on practical implementation
The Mission of Risk Management
- Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts
- Compliance: evidence of properly implemented standards
- Resilience: ability to identify and remediate infrastructure vulnerabilities that may result in unacceptable impacts
Overarching Principles of Risk Management (COSO Enterprise Risk Management: Integrated Framework)
- COSO provides an overall framework and principles for Risk Management
- COSO was originally housed in controls; it has moved to a strategic approach
- Objectives appear at the top of the cube
- The right side of the cube shows that Risk Management must be considered at all levels of an organization
- Risk management activities appear on the front of the cube
Section 3: Enterprise Risk Management, Practical Application
Enterprise Risk vs. Operational Risk
- Enterprise Risk Management focuses on mitigating events that negatively impact an organization's supporting infrastructure: People, Facilities, Information Technology, Assets
  In BC tool terms: Risk Assessment, Risk Analysis, Hazard Vulnerability Analysis
- Operational Risk Management focuses on mitigating vulnerabilities in operational business processes
  In BC tool terms: Business Impact Analysis, Business Impact Assessment, Downtime Impact Analysis
- Both disciplines manage risk by making decisions (strategic, mitigation, operational, etc.) that balance benefits against risk
Establishing an Enterprise Risk Appetite
- Core policy that defines decision-making
  (Probability x Impact) Mitigated Risk = Enterprise Risk
- Organizations can set a risk appetite around the factors or the overall risk
- Remediation budget must align with Risk Appetite
Performing an Enterprise Risk Assessment
An Enterprise Risk Assessment (ERA) identifies potential threats that may impact an organization, and identifies measures to limit the probability or impact of these threats.
1. Determine the threats to be included on your Enterprise Risk Assessment. They revolve around your infrastructure.
2. Research and evaluate each risk by probability and impact of occurrence.
3. Identify threats outside of the Risk Appetite of the organization.
4. Provide a mitigation plan with alternatives that show the costs of the mitigation measures and how much of the risk is reduced.
5. Obtain sign-off of either the acceptance of the risk (i.e. do nothing) or a mitigation alternative.
Sample ERA Report
Once risks are quantified, plot them on a grid as shown below. This will help management decide how to deal with the risks (Transfer, Accept, Reduce or Mitigate). Obtain sign-off!

Grid cells hold Probability x Impact (probability 1-4 across, impact 0-5 down). REDUCE and MITIGATE are shown along the high-impact rows at the top, ACCEPT at the bottom left, TRANSFER at the bottom right.

  IMPACT
    5 |  5  10  15  20
    4 |  4   8  12  16
    3 |  3   6   9  12
    2 |  2   4   6   8
    1 |  1   2   3   4
    0 |  0   0   0   0
      +----------------
         1   2   3   4   PROBABILITY

Treatment options shown on the grid: Management Controls, Process Controls, Physical Controls, Terminate Activity, Eliminate Risk, Alternate Vendors, Insurance, Outsourcing, Strategic Alliances, Updated Contact Lists.
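The ERA steps from the two preceding slides (score each threat as Probability x Impact, compare against the risk appetite, and table the mitigation alternatives with their cost and residual risk for sign-off), worked in code. This is an added example, not the deck's or ResilienceONE's own logic; the 1-4 probability and 0-5 impact scales are the deck's sample grid, while the threat, scores, costs, appetite value and the quadrant rule in grid_action are constructed assumptions.

```python
"""Enterprise Risk Assessment steps worked in code (added example, not the
deck's own tool). Probability 1-4 and impact 0-5 follow the deck's sample
grid; the threat, scores, costs, appetite and quadrant rule are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int   # 1..4, horizontal axis of the grid
    impact: int        # 0..5, vertical axis of the grid


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float        # budget needed to implement the measure
    risk_reduced: int  # grid points removed from Probability x Impact


def inherent_risk(t: Threat) -> int:
    """Cell value on the grid: Probability x Impact."""
    return t.probability * t.impact


def grid_action(t: Threat, appetite: int) -> str:
    """Assumed reading of the slide's quadrants: within appetite -> ACCEPT;
    outside with low impact -> TRANSFER; outside with high impact -> REDUCE/MITIGATE."""
    if inherent_risk(t) <= appetite:
        return "ACCEPT"
    return "TRANSFER" if t.impact <= 2 else "REDUCE/MITIGATE"


def sign_off_options(t: Threat, options: list, appetite: int) -> list:
    """Rows for the sign-off decision: do-nothing first, then each measure
    (cheapest first) with its cost, the residual enterprise risk and whether
    that residual is within appetite."""
    rows = [("Accept risk (do nothing)", 0.0, inherent_risk(t),
             inherent_risk(t) <= appetite)]
    for m in sorted(options, key=lambda m: m.cost):
        residual = max(inherent_risk(t) - m.risk_reduced, 0)
        rows.append((m.name, m.cost, residual, residual <= appetite))
    return rows


# Constructed sample: one infrastructure threat with two mitigation alternatives.
POWER_LOSS = Threat("Facility power loss", probability=3, impact=4)
ALTERNATIVES = [Mitigation("UPS for server room", 25000.0, 3),
                Mitigation("Backup generator", 80000.0, 8)]

if __name__ == "__main__":
    print(POWER_LOSS.name, inherent_risk(POWER_LOSS), grid_action(POWER_LOSS, 6))
    for name, cost, residual, ok in sign_off_options(POWER_LOSS, ALTERNATIVES, 6):
        print(f"{name:26} cost={cost:>9,.0f} residual={residual:2} within appetite={ok}")
```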
Section 4: Operational Risk Management, Practical Application
Operational RM and BC Crossing Paths
Operational Risk Management and BC MAY cross paths in several places (if you perform these activities correctly):
- The Business Impact Analysis
- Mapping Normal Operations
The Business Impact Analysis provides a prioritization of operational processes and linked supporting resources by gauging impact (e.g. RTOs).
Mapping (and understanding) normal operations is essential to developing recovery strategies.
Gathering OBJECTIVE Data is Critical
Your data should be based as much on FACT and as little on OPINION as possible; don't use a subjective method.
The Subjective RTO: the popular "asking" method
- Problem #1: There are numerous impacts used to calculate an RTO; respondents couldn't possibly ANALYZE all scenarios in their heads
- Problem #2: Respondents are not using a consistent scale to determine their RTO; everyone calculates differently in their heads
- Problem #3: Results reflect limited data integrity, making justification to executives and auditors challenging
OBJECTIVE data gathering methods:
- Provide a consistent scale for all respondents
- Do not ask respondents to perform on-the-fly analysis
- Provide better data integrity
Objective Risk-Based Method: Setup
- Start by gathering quantitative and qualitative factors that reflect the impact of taking down your operations
- Weight factors, as some may be more important than others
- Set levels of impact for each factor
Objective Risk-Based Method: Data Gathering
- Establish a timeline with time periods (i.e. your Recovery Timeframe Objectives or RTOs) over which you will measure impact
- Record your scoring of factors (e.g. reputational harm, regulatory fines, etc.) across each function using the scale
Objective Risk-Based Method: Prioritizing Operational Activities
METRIC: By RTO
- Set a prioritization of activities by time period
- Set a points limit for your maximum level of acceptable risk. This is your organizational risk appetite.
- When totals in a time period first exceed that limit, your maximum timeframe is the time period immediately prior
METRIC: By Total Impact
- Add the totals for each time period together
- Provides aggregate risk over the entire time period

Impact points per function and time period (Yellow in the original = exceeds the maximum level of acceptable risk, 6):

  #  RTO          Function                          <1 DAY  1 DAY  2 DAYS  3 DAYS  4 DAYS  5 DAYS  2 WKS  3 WKS  4 WKS  5 WKS
  1  Immediately  Process Deposits                      32     48      48      48      64      64     64     64     64     88
  2  Immediately  Take Orders Via Phone                 20     20      28      28      28      36     36     36     44     44
  3  1 DAY        Reconciliation- Beginning of Day       0      0      32      32      40      40     48     48     56     64
  4  2 DAYS       Reconciliation- End of Day             0      0       0       8       8       8      8      8      8      8
  5  5 WEEKS      Process Payments to Customers          0      0       0       0       0       0      0      0      0      0
Setting a Risk Appetite: Operational Risk Modeling

  Timeframe     Functions (x=6)  Functions (x=12)  Functions (x=18)  Tier
  Immediately                4                 1                 1  Critical
  1 HOUR                     2                 3                 0  Critical
  8 HOURS                    7                 4                 2  Critical
  12 HOURS                   2                 1                 3  Critical
  1 DAY                     17                 7                 2  Critical
  2 DAYS                    24                 4                 3  Critical
  3 DAYS                     9                 4                 2  Necessary
  4 DAYS                    14                 4                 1  Necessary
  1 WEEK                     8                 4                 1  Necessary
  2 WEEKS                    8                32                52  Optional
  > 2 WEEKS                  4                35                31  Optional

a) X = 6 points: 56% are in the one week timeframe (high risk tolerance, strong recovery capability)
b) X = 12 points: 32% are in the one week timeframe (mean risk tolerance)
c) X = 18 points: 17% are in the one week timeframe (low risk tolerance, weak recovery capability)
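The objective risk-based method from the Setup, Data Gathering, Prioritizing and Risk Appetite slides, worked in code: per-function impact points per time period, the RTO derived as the period immediately before the totals first exceed the points limit, the aggregate "By Total Impact" metric, and the share of functions recovered within a cutoff for different values of x. This is an added example, not the deck's or ResilienceONE's own calculation; the scores and the limit of 6 are the deck's sample table, the cutoff period passed to share_within is an assumption.

```python
"""Objective RTO derivation from impact scores (added example, not the
deck's own tool). Scores and the limit of 6 points are the deck's sample."""

PERIODS = ["UNDER 1 DAY", "1 DAY", "2 DAYS", "3 DAYS", "4 DAYS",
           "5 DAYS", "2 WEEKS", "3 WEEKS", "4 WEEKS", "5 WEEKS"]

# Impact points per function across the recovery timeframes (from the slide).
SCORES = {
    "Process Deposits":                 [32, 48, 48, 48, 64, 64, 64, 64, 64, 88],
    "Take Orders Via Phone":            [20, 20, 28, 28, 28, 36, 36, 36, 44, 44],
    "Reconciliation- Beginning of Day": [0, 0, 32, 32, 40, 40, 48, 48, 56, 64],
    "Reconciliation- End of Day":       [0, 0, 0, 8, 8, 8, 8, 8, 8, 8],
    "Process Payments to Customers":    [0] * 10,
}


def rto(scores, limit):
    """METRIC: By RTO. The RTO is the period immediately before the first
    period whose points exceed the limit; exceeding in the first period
    means immediate recovery, never exceeding means the last period."""
    for i, points in enumerate(scores):
        if points > limit:
            return "Immediately" if i == 0 else PERIODS[i - 1]
    return PERIODS[-1]


def rto_table(scores=SCORES, limit=6):
    """RTO label for every function at the given risk appetite."""
    return {name: rto(pts, limit) for name, pts in scores.items()}


def total_impact(scores=SCORES):
    """METRIC: By Total Impact. Aggregate points per time period."""
    return [sum(col) for col in zip(*scores.values())]


def share_within(scores, limit, cutoff_period):
    """Fraction of functions whose RTO falls at or before cutoff_period,
    for comparing appetite values as on the risk-modeling slide."""
    order = ["Immediately"] + PERIODS
    cutoff = order.index(cutoff_period)
    hits = sum(order.index(rto(p, limit)) <= cutoff for p in scores.values())
    return hits / len(scores)


if __name__ == "__main__":
    for name, label in rto_table().items():
        print(f"{label:>12}  {name}")
    print("Total impact per period:", total_impact())
    for x in (6, 12, 18):
        print(f"x={x}: {share_within(SCORES, x, '5 DAYS'):.0%} within one week")
```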
Understanding Operations is Essential
- Many BC Professionals skip right to Recovery Operations, instead of documenting the normal business process first
Reengineering Operations
Are there any inefficiencies or vulnerabilities in the highest value activities?
- Provide a process mapping (i.e. a standard operating procedure) for each of the highest value activities
- Notice manual steps and repeated activities
- Provide a roadmap to investigating automation solutions
- Implement the best solution
People, Technology, Facilities, and Assets Support Your Critical Activities
(Diagram: Operations at the centre, supported by People, Technology, and Facilities & Assets)
Reviewing Supporting Operational Infrastructure
Are there any inefficiencies or vulnerabilities in the highest value operational infrastructure?
- Establish an expertise in one or more areas and spot risks and vulnerabilities
- What are some common risks and vulnerabilities in these areas?
- Offer cost effective/high value mitigation alternatives
- Over/under utilization of resources
- Offer economies of scale with people, IT, and vendor resources
- Offer cost-cutting measures to reduce under-utilized resources
RED FLAGS: Spotting BCM/RM Tools and Methods That Lead Users Down the Wrong Path
Poor Reporting and Analytics
- Focus on paper planning
- Limited custom reporting or extensive reporting setup
- Output very similar to input
Subjective Data Gathering Methods
- Long questionnaires that ASK USERS to calculate risk; the system should provide detailed calculations
- Excessive narrative justification of risk measurements
- Inability to group risks at different organizational levels, e.g. by region, facility, department, supporting asset, etc.
Questions?
Wrap-Up
For more insights:
- Contact Frank Perlmutter, CBCP: Fperlmutter@strategicbcp.com
- Visit www.strategicbcp.com
- Attend Frank's presentation on BC Metrics, Sept. 10 @ DRJ World Conference, San Diego