Emergency Planning and Crisis Management initiatives rolled up into a viable Business Continuity and Enterprise Risk Management Program. Or: How I Learned to Stop Worrying and Love the ERM!

Is this You?

Why Should We Be Concerned and What Are the Trends?

U.S. school and university incidents as tracked by NC4, the source cited on the slides. Category counts and totals are reproduced as given (for the second and third periods the listed categories do not add up to the reported total); "-" means the category was not listed for that period. Incidents per month is the reported total divided by the months in the period.

Category                         Apr 2008-   Apr 2009-    Feb 2011-   Jan 2012-
                                 Apr 2009    27 Jan 2011  Jan 2012    4 Feb 2013
Months in period                 12          21           11          13
Bombs and bomb threats           13          113          96          128
Shootings                        17          72           48          50
Guns on campus                   -           59           36          32
Adjacent police activity         11          -            -           -
Chemical release                 2           -            -           -
Evacuations (fire, chem, etc.)   -           63           45          28
Hostage situations               -           6            3           0
Found bodies                     2           -            -           -
Stabbings                        2           14           13          5
White powder                     -           6            40          5
Flooding                         1           -            -           -
Misc (police/suicides/bodies)    -           55           15          45
TOTAL (as reported by NC4)       48          382          320         293
Incidents per month              4           18           29          23

KENNESAW STATE INDIVIDUAL UNIT RESPONSIBILITIES (organization chart)

- Enterprise Risk Coordinator
- SSS/ERM Advisory Group
- Working Group
- Risk categories tracked: strategic risks, operational risks, financial risks, compliance and regulatory risks, reputation and media risks
- Enterprise Risk Management Directive, which ties together Emergency Management, Business Continuity, Disaster Recovery and Crisis Management
- Facility or institution strategic plans

EMERGENCY MANAGEMENT: notification channels

- Early warnings: sirens, Big Voice
- Early notifications: SMS texts, voice to cell phones, e-mail
- Desktop computer override (PC and Mac)
- Digital signage (static or scrolling)
- Main facility web page override
- Fire panel (live voice or recorded message)
- Cameras (IP and analog)

CRISIS MANAGEMENT: questions to answer before the event

- What are you trying to accomplish?
- Who is your customer?
- What are your resources?
- What time frame do you expect?
- Most shooter events are over in less than 3 minutes. Can you wait for the police to arrive?

DISASTER RECOVERY has two meanings:

- IT: data recovery, hot/cold sites, offsite storage, internal procedures
- Physical facility: a predetermined company under contract for restoration. What is its response time?

BUSINESS CONTINUITY

The term started as CONOPS, which has been expanded variously as Concept of Operations, Contingency Operations, Continuity of Operations, Control Operations, Continuous Operations and Conduct of Operations; it then became Business Continuity and is now moving to Business Resilience.

Building the program:
- Send individual forms to all departments asking what they do and with whom.
- Review the returned forms and provide input.
- Identify the highest-priority processes that must survive; rank the others.
- Determine who else supports operations: vendors, outside stakeholders, funding sources.
- Obtain software, if possible, to correlate the results and interface with other departments.
- Planning premise: what if 75% of your department did not show up for work?

This identifies the processes and procedures each unit depends on, since Business Continuity refers to those activities performed daily to maintain service, consistency and recoverability.

Risk Assessment as part of Business Continuity, Emergency Management/Crisis Management Planning and Disaster Recovery. Now that your baseline Preparedness, Mitigation, Response and Recovery plans and procedures are in place, many of the questions the ERM process needs have already been answered. The next step is determining the risk through analysis of its frequency, type and severity.

Three levels of risk management maturity

Transactional Risk Management (where most organizations are in their risk management efforts)
- Purchase insurance
- Safety and emergency preparations handled separately
- Claims management handled separately
- Risks are all perceived as negative

Advanced (Integrated) Risk Management
- Use of alternative financing techniques
- More proactive prevention and reduction of risks
- Integrates safety, emergency management and claims management
- More collaboration and fewer silos

(Strategic) Enterprise Risk Management (includes all of the above)
- Top-down approach that aligns ERM with strategy and mission
- Covers strategic, operational, financial, compliance and reputational risk
- Evaluates the opportunities that risk-taking offers
- Risks are owned and mitigated at the department level
- Many software tools are available to assist

How does ERM work? The process

Step 1 - Establish ERM Framework
- Identify Project Champion
- Identify Project Owner
- Establish Steering Committee

Step 2 - Identify Key Objectives
- List key objectives
- Prioritize objectives
- Select objectives for assessment

Step 3 - Identify Key Risks
- Brainstorm and assess risks
- Assign risks scoring 4 or higher to a risk owner

Step 4 - Manage Risks
- Identify current controls and mitigation requirements
- Develop mitigation plan for key risks
- Conduct quarterly meetings to review status
- Initiate steps 2-4 for additional objectives

How does ERM work? Step 1 - Establish ERM Framework

- Identify Project Champion
- Identify Project Owner
- Establish Steering Committee
- Establish Working Group

A. Identify Project Champion: an executive-level official (President, Chief X Officer) who will provide support and direction to the process.
B. Identify Project Owner: a senior-level official who will provide ongoing management and oversight of the ERM implementation.
C. Establish Steering Committee: executive/senior-level officials representing key organizational areas. Working Groups will be established by department to assess key risks.

How does ERM work? Step 2 - Identify Key Objectives

- List key objectives
- Prioritize objectives
- Select objectives for assessment

A. List key objectives: the Working Group identifies institutional and strategic objectives.
B. Prioritize objectives: the Steering Committee uses a ranking or other system to select the top objectives (no more than 3-5 objectives per division head).
C. Select the main institution-wide risks for assessment: the Steering Committee selects the 4-6 top risks for the Working Group's initial risk assessment, concentrating on institution-wide risks that no individual department could relieve on its own.

How does ERM work? Step 3 - Identify Key Risks

- Brainstorm and assess risks
- Assign key risks to a risk owner

A. Brainstorm and assess risks: the Working Group conducts the initial risk assessment by rating impact and likelihood without considering current controls or mitigation plans.
   1. The Working Group must understand the key components and processes associated with the selected objectives.
   2. The Working Group performs the risk ranking with guidance from the Project Owner.
   3. The Steering Committee validates the risk ranking with the Project Champion.
B. The Steering Committee, with the Project Owner, selects the key risks and assigns each to a specific risk owner.

How does ERM work? Identify key risks: the scoring scales

Risks are sorted by adjusted risk score.

Likelihood of occurring:
1 - low
2 - medium
3 - high
4 - critical

Potential impact:
1 - low: unlikely to have a permanent or significant effect on the institution's reputation or on achievement of its strategic objectives.
2 - medium: will have a significant impact on the institution, but can be managed without major impact.
3 - high: will have a significant effect on the institution and requires a major effort to manage and resolve the occurrence as well as its ramifications.
4 - critical: will threaten the existence of the institution if not resolved.

How does ERM work? Step 4 - Manage Risks

- Identify current controls and mitigation requirements
- Develop mitigation plan for key risks
- Conduct quarterly meetings to review status
- Initiate steps 2-4 for additional objectives

A. Identify current controls and mitigation requirements: risk owners identify the current controls, mitigation steps or other actions the institution has already taken to reduce the risk. The risk is then assessed again for likelihood and impact.
B. Develop mitigation plans for key risks: risk owners develop mitigation plans for risks still ranked 3 or higher after that reassessment.
C. Conduct meetings to review status: the Steering Committee holds an initial meeting to approve the risk owners' mitigation plans and then reviews their status. The Steering Committee may adjust risk scores to reflect the risk after the mitigation plan is implemented.
D. Continue the process: the Project Owner feeds new risks into the ERM process (steps 2-4) as current risks are mitigated by their owners.
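Steps 3 and 4 above are a small, repeatable computation: rate each risk on the two 1-4 scales, hand risks at or above the threshold to an owner, re-rate after current controls, and flag what still needs a mitigation plan. The following Python is an added example written for this page, not a tool from the slides or from Kennesaw State. The slides do not say how likelihood and impact are combined into the "adjusted risk score", so the product (likelihood x impact, range 1-16) is an assumption here; the thresholds (4 for assigning an owner, 3 for requiring a mitigation plan) are the ones stated on the slides. The sample register reuses scenarios the slides list as examples, with constructed, illustrative ratings.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 1-4 scales from the "Identify KEY Risks" slide
LIKELIHOOD = {1: "low", 2: "medium", 3: "high", 4: "critical"}
IMPACT = {1: "low", 2: "medium", 3: "high", 4: "critical"}

KEY_RISK_THRESHOLD = 4      # Step 3: risks scoring 4 or higher are assigned to a risk owner
MITIGATION_THRESHOLD = 3    # Step 4: residual risks still 3 or higher need a mitigation plan


@dataclass
class Risk:
    name: str
    category: str                     # strategic / operational / financial / compliance / reputational
    likelihood: int                   # rated by the Working Group WITHOUT considering current controls
    impact: int
    owner: Optional[str] = None
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # owner's re-rating after reviewing current controls
    residual_impact: Optional[int] = None
    mitigation_plan: Optional[str] = None


def score(likelihood: int, impact: int) -> int:
    """ASSUMPTION: the slides give no formula; likelihood x impact (1..16) is used here."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"ratings must be 1-4, got likelihood={likelihood} impact={impact}")
    return likelihood * impact


def inherent_score(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Adjusted score after current controls; unchanged if the owner has not re-rated yet."""
    lk = risk.likelihood if risk.residual_likelihood is None else risk.residual_likelihood
    im = risk.impact if risk.residual_impact is None else risk.residual_impact
    return score(lk, im)


def assign_key_risks(register: List[Risk], owners: Dict[str, str]) -> List[str]:
    """Step 3B: every risk at or above KEY_RISK_THRESHOLD must get a named owner.
    `owners` maps risk name -> owner; a key risk left unowned is an error, not a warning."""
    key_risks = []
    for risk in register:
        if inherent_score(risk) >= KEY_RISK_THRESHOLD:
            if risk.name not in owners:
                raise ValueError(f"key risk {risk.name!r} (score {inherent_score(risk)}) has no owner")
            risk.owner = owners[risk.name]
            key_risks.append(risk.name)
    return key_risks


def needs_mitigation_plan(register: List[Risk]) -> List[str]:
    """Step 4B: owned risks whose residual score is still >= MITIGATION_THRESHOLD and have no plan."""
    return [r.name for r in register
            if r.owner is not None
            and residual_score(r) >= MITIGATION_THRESHOLD
            and r.mitigation_plan is None]


def ranked(register: List[Risk]) -> List[Tuple[str, int, int, Optional[str]]]:
    """(name, inherent, residual, owner) sorted by adjusted score, highest first."""
    rows = [(r.name, inherent_score(r), residual_score(r), r.owner) for r in register]
    return sorted(rows, key=lambda row: (-row[2], -row[1], row[0]))


def sample_register() -> List[Risk]:
    """Constructed sample: scenarios from the slides' own examples, ratings made up for illustration."""
    return [
        Risk("Main servers down, no redundant backup", "operational", 3, 3,
             controls=["nightly offsite backup", "two trained sysadmins"],
             residual_likelihood=2, residual_impact=2),
        Risk("Pandemic flu, no staffing plan for primary functions", "operational", 2, 3,
             controls=["cross-training rota"], residual_likelihood=2, residual_impact=1),
        Risk("Radioactive materials missing from inventory", "compliance", 1, 4,
             controls=["quarterly inventory reconciliation"], residual_likelihood=1, residual_impact=3),
        Risk("Faculty publications on opinionated topics", "reputational", 2, 1),
    ]


SAMPLE_OWNERS = {
    "Main servers down, no redundant backup": "CIO",
    "Pandemic flu, no staffing plan for primary functions": "HR Director",
    "Radioactive materials missing from inventory": "EHS Director",
}


def run_process(register: List[Risk], owners: Dict[str, str]):
    """Steps 3-4 in order: assign owners, then find what still needs a plan, then rank."""
    key = assign_key_risks(register, owners)
    return key, needs_mitigation_plan(register), ranked(register)


if __name__ == "__main__":
    key, todo, table = run_process(sample_register(), SAMPLE_OWNERS)
    print("key risks:", key)
    print("need mitigation plan:", todo)
    for name, inherent, residual, owner in table:
        print(f"{residual:>2} (was {inherent:>2})  {owner or '-':<12} {name}")
```

Two details matter more than the arithmetic. The inherent rating is taken before controls are considered, exactly as Step 3A says, so a well-controlled risk still shows its true exposure if the control fails; and an unowned key risk raises rather than being skipped, because a risk with no owner is the one nobody revisits at the quarterly review.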

Strategic Risks: those risks to the long-range goals and objectives of any company or institution that, if realized, may affect its entire course and survivability; in essence, the failure to achieve those objectives. Examples:
- The funding formula for allocating budgets has been changed, with the possibility of layoffs and furloughs.
- Technology changes that affect your long-range plans for previously procured computer support.
- The inability to obtain qualified professors or instructors for the disciplines offered.
- The Regents have decided to consolidate colleges and universities to save money, and yours is involved.
- A specific brand of computer has been discontinued because of the vendor's bankruptcy.
- A previously offered academic discipline no longer has enough students registered to support its present faculty or staff.

Operational Risks: those risks usually attributed to human factors, where people either fail to respond or fail to prevent events from affecting the health and welfare of the organization. Examples:
- Power outages at facilities with no backup options.
- Strikes and other labor issues that affect day-to-day operations and require a backup plan.
- A pandemic flu outbreak with no plan to staff primary operational support functions.
- The main server(s) are down, and no redundant backup exists or no trained personnel are available for support.
- Gas prices go sky-high, or fuel is not available for your fleet.
- A third-party supply-chain vendor is going out of business and you have no backup vendor prepared to step in.

Financial Risks: those risks that affect the bottom-line financial stability of the college or institution. Examples:
- The inability to maintain payroll because of budget changes in state or private funding.
- The investment strategy previously embraced by your Foundation's management is no longer embraced by the Board of Directors.
- You have been asked to reduce your budget allocation by 10% for the next fiscal year and face the consequences of program curtailment.
- Your projected enrollment does not come near this fiscal year's current figures.
- Potential loss of tax-exempt status due to any number of risks associated with the school.
- Loss of funding from federal, state or local government agencies.

Compliance Risks: those risks that pertain to the organization's obligations under laws, regulations, contracts, strategies and policies and that, if compromised, could affect the health and welfare of the university or institution. Examples:
- Environmental health and safety issues with OSHA.
- Nuclear Regulatory Commission regulations on handling and transporting radioactive materials.
- Title IX regulations affecting federal funding of universities.
- One of your main researchers has been pouring biospecific samples down the main sink in his lab.
- A significant quantity of radioactive material is missing from the inventory list and the inspectors are due this week.
- A student has reported that she was sexually assaulted and you did nothing about it.

Reputational Risks: those risks that pertain to the institution's character or the quality of service projected by its students, faculty and staff and that, if negative, could adversely affect its long-term survivability. Examples:
- The methods your professors and instructors use when teaching courses.
- The SAT scores needed to enroll at your school.
- Faculty and staff publications in journals and magazines on opinionated topics.
- During a class, a professor removes his clothes to give an example of free speech.
- Discovery that many applicants to the university submitted SAT scores from tests taken by another student to get in.
- A high-ranking job opening on the academic side of your institution was filled without the applicants being properly vetted before the offer was made.

Key Points to Remember
- Risk, in one form or another, is present in virtually all worthwhile endeavors.
- ERM is a management tool: this process can and should be changed to work for YOUR organization.
- ERM ultimately should change the organizational culture; however, change is slow, painful and time-consuming.
- Frustration and confusion are simply part of the process; the long-term result is worth it.

Contact Robert F. (Bob) Lang CSO, CPP, CEM rlang3@kennesaw.edu 770-423-6985