BCM The Road Ahead Chris Alvord, COOP Systems, MBCI, CBCP. April 16 18, 2012 Talking Stick Resort Scottsdale, Arizona

Transcription

1 BCM The Road Ahead Chris Alvord, COOP Systems, MBCI, CBCP April 16 18, 2012 Talking Stick Resort Scottsdale, Arizona

2 BCM The Road Ahead BCM Superman COOP Systems DRJ Webinar 10 May

3 Risk, BCM and ISO Standards Trends starting in 1988 BCM milestone review, trends & ISO standards Re evaluating BCM lifecycle Towards GRC (Governance, Risk, Compliance) Examples of ISO improvement directions ISO :2009 Security ISO 24762:2008 ICT DR Perfecting processes CAR/CAPA & auditing Recommendations considering ISO emergence Substantial costs of not aligning with ISO Getting ready for BCM ISO22301:2012 Summary recommendations 3

4 BCM Milestone Review UK BCI Formed 1988 US DRII Formed Separation from IT DR 1st Gen Web Based software 2003 PAS 56 Published 2006 BS BS ISO22301 Next Gen Web Based software

5 Towards Future BCM ISO Trends Move from Experts to automated systems and standard processes Move toward multi discipline approach Global ISO Standards 5

6 What Will ISO Standards Deliver? Less diversity in plans and approaches Country specific standards will fade away Checklists follow ISO standards Provide detailed guidelines to very specific BCM areas of interest ISO based approach is already causing industry re evaluation of BCM lifecycle Example of Risk vs. BIA ordering in process 6

7 New ISO Standards for Risk * Integrated Management System 7

8 Re Evaluating BCM Lifecycle 8

9 Re Evaluating BCM Lifecycle Importance of Records Management reviews Corrective Actions Training records Audit records Fewer Static Documents Data requires flexibility, constant review Maturity through detailed reviews, history of changes Updates need automation 9

10 Moving Towards GRC/Risk BCM aligned more closely with Risk BCM as separate discipline will decline More need for multi discipline specialists General GRC specialists to emerge Environmental compliance may play role 10

11 Example: ISO 27001:2005 IT Security Rapidly one of biggest selling ISO s in world Deeper integration with BCM/DR/Risk logical Easily done w/bia/dr/risk, sharing controls Consider ISO standard threats/vulnerability matrixes (next slide) Security, BCM, DR share same control data 11

12 ISO Threats & Vulnerability Matrix Category Threat Yes/No Probability Comment Probability Vulnerability Vulnerability Controls Impact Risk Factor Risk Treatment Interference Yes 1 Hardly ever 3 Medium nd Tier Interception Yes Fraud 0 Masquerading of user identity 0 Malicious code 0 Willful damage 0 (1) MALICIOUS DAMAGE/FRAUD Vandalism 0 Malicious code 0 Destroy BCM plan 0 Falsify records 0 Illegal import/export of software 0 Illegal software use 0 Violation of IP rights 0 Contract breaches 0 Regulatory breaches 0 12

13 Example: ISO24762:2008 ICT DR Implementing, operating, monitoring & maintaining ICT DR services and facilities Capabilities & practices outsourced ICT DR service providers should possess Guidance for selection of recovery site Guidance for ICT DR service providers to continuously improve their services 13

14 ISO24762:2008 Recovery Checklist 14

15 ISO24762:2008 Facility Threat View 15

16 Example: CAR/CAPA/Audits Mgt systems require mgt system audits With agreed process, followed up with records Acronyms CAR Corrective Action Records CAPA Corrective Actions & Preventative Actions Perform regular internal audits and identify Non conformities (Minor and Major) Observations that need to be recorded 16

17 Example CAR / CAPA workflows Ref. Event date Jan Jan 10 What occurred? (non conformity) BIA Critical Activities reevaluated specifics BIA Critical Activities reevaluatedspecifics Root cause Removed HR sickness termination and record keeping from critical activity list Practice Groups :Receive client instructions Research Drafting Correspondence Analysis, collating, liaise with bene's / trustees / client 3rd party mtgs Corrective action Determined as non critical due to the MTPOD length being greater than 1 day Determined as non critical due to the MTPOD length being greater than 1 day Event learning point(s) Define critical activities by their MTPOD and RTO's not by expectations for business Define critical activities by their MTPOD and RTO's not by expectations for business Follow up action(s) required At planned frequencies reevaluate all MTPOD's and RTO's to ensure critical activities are being identified At planned frequencies reevaluate all MTPOD's and RTO's to ensure critical activities are being identified Action(s) by whom and when Communication of actions (to whom) Jan 10 BIA Critical Activities reevaluatedspecifics Practice Groups : Recommendations reduced from 2 Days MTPOD 4 hrs RTO to 1 Days MTPOD Reviewed MTPOD for 'recommenda tions' in light of Law Society BCM guidelines MTPOD and RTO's need to be reviewed and challenged regularly. At planned frequencies reevaluate all MTPOD's and RTO's to ensure critical activities are being identified 17

18 Dangers of being non ISO aligned External assessment and submission Non aligned plans harder to assess In house custom methods are less credible General employees understand BCM ISO approach Non standard methods will be challenged 18

19 Getting ISO Ready for BCM? Review alignment of BCM program w/iso22301 Current training records, skills analysis Audit records, methodology Start to understand general ISO management system auditing approach How to raise Corrective Actions, maintain records Review BCM program staff skills 19

20 Summary Review aligning BCM program w/iso22301 Get ahead of curve goal to get certified Look at combining all compliance/resilience issues into Integrated Management System Make sure you choose experts, suppliers, and consultants who are ISO22301 ready 20