BCM s Role in Effective Risk Management: A Risk Manager s Point of View

Similar documents
Business continuity management and cyber resiliency

TSC Business Continuity & Disaster Recovery Session

Using International Standards to Implement a Business Continuity Management System (BCMS)

Emergency Management Response and Recovery. Mark Merritt, President September 2011

Business Continuity Management

HENRY EE, FBCI, CBCP

How ISO helps organisation to achieve operational readiness Ong Liong Chuan 26 Apr 2016

Risk Management. Continuity Management

Business Continuity Policy

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Rejuvenating BCM - Infrastructure. Business Continuity Awareness Week March 2009

Implementing a Global Business

Session 5: Business Continuity, with Business Impact Analysis

Business Continuity Planning

Introduction to Business Continuity Management

Building a BC/DR Control Library and Regulatory Response Program

Facilities Management and Business Continuity. 10 May 2017

Explore Resilience and Risk Management Around the World

BCP At Bangkok Bank, Thailand

Business Continuity and Disaster Recovery

INTELLIGENCE DRIVEN GRC FOR SECURITY

Disaster Recovery and Business Continuity Planning (Mile2)

WHITE PAPER OCTOBER 2017 VMWARE ENTERPRISE RESILIENCY. Integrating Resiliency into Our Culture and DNA

B13: The Case for Integration Converting the BCM Silo into an Enterprise Risk Foundation

Integration of Business Continuity, Emergency Preparedness, and Emergency Response

Symantec Business Continuity Solutions for Operational Risk Management

Business Continuity: How to Keep City Departments in Business after a Disaster

Driving Global Resilience

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Prepare your Emergency respons, continuity plan, recovery plan

Rethinking Information Security Risk Management CRM002

Deciphering Overlapping Standards and Requirements, Using the BCP Genome

SOLUTION BRIEF RSA ARCHER BUSINESS RESILIENCY

What Does the Future Look Like for Business Continuity Professionals?

Promoting the Art and Science of Business Continuity Management Worldwide. Partner of the DRJ

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

BUSINESS CONTINUITY MANAGEMENT. A short guide 2017

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Policy Title; Business Continuity Management Policy. Date Published/Reviewed; February 2018

Introduction to Business continuity Planning

Preparing your C-Suite for a Cyber Crisis

STRATEGIC PLAN. USF Emergency Management

November 14, Emergency Management and Hurricane Irma. Florida Human Resources People and Strategy (FLHRPS)

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

FINNISH APPROACH TO CRITICAL INFRASTRUCTURE PROTECTION

Business Continuity Management Program Overview

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Business Continuity Risk Management IT Service Continuity

Quadrennial Homeland Security Review (QHSR) Ensuring Resilience to Disasters

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Principles for BCM requirements for the Dutch financial sector and its providers.

Business Continuity - An Inside Perspective

Table of Contents. Sample

Keeping it Simple Driving BCM Program Adoption Through Simplification

BUSINESS CONTINUITY MANAGEMENT (BCM) INITIATIVES OF THE BANGKO SENTRAL NG PILIPINAS

Risk Advisory Academy Training Brochure

Global Statement of Business Continuity

CCISO Blueprint v1. EC-Council

Continuity of Operations During Disasters: Electronic Systems and Medical Records

Crisis Management at Disneyland Paris Eric Cosset (Disneyland Paris) 27/09/2017

THE LINK BETWEEN ENTERPRISE RISK MANAGEMENT AND DISASTER MANAGEMENT

Earthquake Preparedness

Area Business Continuity Management Scalable Cross Sector Coordination Framework of Disaster Management for Business Continuity

Addressing Vulnerabilities By Integrating Your Incident Response Plans. Brian Coates Enaxis Consulting

Manager, Infrastructure Services. Position Number Community Division/Region Yellowknife Technology Service Centre

HOTEL RESILIENT Plan ahead stay ahead. With support from the German Government through

BCP evolution at the Colombian Central Bank

Policy. Business Resilience MB2010.P.119

ISO 22301: An Overview of BCM Implementation Process. Presenter: Dejan Kosutic

Shared Responsibility: Roles and Responsibilities in Emergency Management Geoff Hay

Education & Training. B. 3. Education & Training. Stefan Heuer / Managing Director TÜV Rheinland Thailand.

An Update on Security and Emergency Preparedness Standards for Utilities

Meeting the Challenges of Enhancing Power Sector Resilience

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity

Enterprise resilience and the role of Standards

COSO ERM. To improve organizational performance & Governance COSO ERM. COSO Internal Control. COSO ERM_prepared by Nattapan T. 2

Sample Exam Privacy & Data Protection Foundation

INTERNAL AUDIT DIVISION REPORT 2017/138

Frontiers of Risk. Don t Be Afraid: Business Continuity Plan Development Only Hurts A Little!

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Verso ilnuovostandard ISO (BS25999) sullabusiness Continuity Scenari e opportunità

Cyber Resilience. Think18. Felicity March IBM Corporation

Ervia Risk Management. Elaine O Donoghue IPA Governance Forum Briefing 10 th November 2017

EQUINIX BUSINESS CONTINUITY ADVANCED SERVICES KEEP YOUR BUSINESS UP AND RUNNING

Taking a Business Risk Portfolio (BRP) Approach to Information Security

Continuity of Business

TURNING STRATEGIES INTO ACTION DISASTER MANAGEMENT BUREAU STRATEGIC PLAN

ISO 22301: An Overview of BCM Implementation Process. Presenter: Dejan Kosutic

The Office of Infrastructure Protection

Overview of the Federal Interagency Operational Plans

Emergency Management BC Update

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

Member of the County or municipal emergency management organization

ISO Business Continuity Management System

Making YOUR Organization More Efficient and Effective Through Business Continuity / Continuity of Operations Planning

Introduction to ISO/IEC 27001:2005

Transcription:

BCM s Role in Effective Risk Management: A Risk Manager s Point of View Date: March 24, 2015 Presenter: Randall Davis, MBA, IBD, CPCU, ERM, ARM, ARM E, ABCP Agenda for this session Explore the case for integration of Business Continuity Management (BCM) & Risk Management (RM). Competition between RM & BCM functions Comparing the RM & BCM Frameworks Convergence of RM & BCM Practical tips for successful integration

Where to Start What got me thinking? From BCP 501: Course Topic 1. Project Initiation and Management Establish the need for a Business Continuity Management (BCM) Process or Function, including resilience strategies, recovery objectives, business continuity and crisis management plans and including obtaining management support and organizing and managing the formulation of the function or process either in collaboration with, or as a key component of, an integrated risk management initiative. Threats & Crises BCM or RM issues? Terrorism Fire Explosion Disease Earthquake War Labor strike Hurricanes Environmental pollution Lawsuits Cyber risk Polar Vortex!

The RM & BCM Explosion! A constant stream of crises over the past 15 years has created a strong drive for Risk and Continuity evolution. Failures in managing risks effectively have triggered efforts by: o Regulators o Stock exchanges o Rating agencies o Activist investors o NGOs o Governance bodies They insist that organizational management proactively manage risks and critical disruption on an enterprise wide basis. Conflicts between RM & BCM BCM ERM VS RM Separate and often competitive functions Overlapping responsibilities Different objectives and methodologies

Origins of RM & BCM IT departments, with the IT Disaster Recovery Program Insurance Buying or Hazard Risk Management BCM Converging RM Both RM & BCM have significantly expanded in scope and methodology Expanding the scope of RM Scope Increase Finance Losses Protect Operations Create Lasting and Intentional Stakeholder Value Financial & Hazard Operational Strategic Risk management has expanded from value protection to value creation

Expanding the scope of BCM Scope Increase IT Recovery Recover Operations Reduce (and prevent) losses to stakeholder value IT DR Facilities/Supply Enterprise Control Business continuity is expanding from IT recovery to enterprise loss control (prevention and reduction) RM & BCM Best Practices & Standards BCM Standards ISO 22301:2012 Societal security Business continuity management systems (International) BS 25999:2007 Business Continuity Management (BSI/UK) NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US) RM Standards ISO 31000:2009 Risk Management Guideline (International) Rating Agencies Frameworks S&P, Moody's AS/NZS 4360:2004 Risk Management Standard (Australia/NZ) COSO:2004 Integrated ERM Framework (US)

Some definitions Risk: effect of uncertainty on objectives o An effect is a deviation from the expected positive and/or negative. o Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization wide, project, product and process). o Risk is often characterized by reference to potential events and consequences, or a combination of these. o Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. o Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood. Risk Management: coordinated activities to direct and control an organization with regard to risk Source: ISO 31000 Some definitions Business Continuity: capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident Business Continuity Management: holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and valuecreating activities Source: ISO 22301

K.I.S.S.my simplification Risk: deviation from expectation (+ or ) Risk Management: you better be deliberate about risk taking Business Continuity: resilience to losses ( only) Business Continuity Management: you better prepare for losses RM vs BCM Risk can have either Negative or Positive impacts LOSSES GAINS + Catastrophic Threats (black swans) Unexpected Threats Expected Threats Expected Unexpected Transformational Opportunities Opportunities Opportunities (out of the blue swans)

RM vs BCM Area of Focus & Objectives BCM Ensure Business Continuity and Resilience RM Ensure Sustainable Stakeholder Value LOSSES GAINS Expected Performance + Catastrophic Threats (black swans) Unexpected Threats Expected Threats Expected Unexpected Transformational Opportunities Opportunities Opportunities (out of the blue swans) RM process ISO 31000 Context: Corporate Objectives & Risk Appetite 1 Identify Risks 2 Evaluate Likelihood x Impact Low Priority 3 Treat Risks 4 Review & Monitor Throw Away

BCM Process - ISO 22301 Context: Operational Planning and Control 1 Business Impact Analysis/Risk Assessment 1a Screen Based On Criticality Not critical? 2 Identify & Evaluate BC Strategies 3 Establish & Implement BC Procedures Throw Away 4 Exercise and Test RM process Intersect with BCM In from BCM Context: Corporate Objectives & Risk Appetite 1 Identify Risks 2 Evaluate Likelihood x Impact Out to BCM 3 Treat Risks 4 Review & Monitor

BCM Process - Intersect with RM Context: Operational Planning and Control In from RM 1 Business Impact Analysis/Risk Assessment 1a Screen Based On Criticality Out to RM 2 Identify & Evaluate BC Strategies 3 Establish & Implement BC Procedures 4 Exercise and Test In Summary: BCM vs. RM Primary Focus: Protected Areas: Tactical Objective: Time Horizon: Critical Dimension: Categories of Focus: Strategic Objective: BCM Key functions and processes Balance sheet and P&L Increase preparedness Medium to long term Impact High impact losses Ensure Enterprise Resiliency RM Organizational objectives and risk appetite Stakeholder value Risk communication/cost of risk Short to long term Likelihood and impact Medium to high impact events with medium to low frequency Ensure Achievement of Objectives

Negative consequences of the lack of integration of RM & BCM Duplicate activities/efforts to manage the same risk issues Waste and inefficient operations Increased expense, budget constraints Unhealthy competition for management attention Increased likelihood of missed opportunities/threats RM & BCM each add value BCM provides RM: A better understanding of critical activities with the BIA A stronger focus on exercising and testing Technical expertise that is missing in risk control Support from the IT organization RM provides BCM: A broader view of risk A better value proposition aligned with the priorities of management and the board Systematic approach of consistently and continuously monitoring and managing risk A better view of emerging threats An much larger annual budget with ability to allocate costs to operations

Practical Tip of the Session Risk Management Departments typically manage a large annual budget that cannot be allocated elsewhere (insurance has to be purchased every single year) As such, BCM programs can be supported and funded easily as part of the internal RM allocation process Also, RM inherently has C level support and the ear of the board of directors capitalize on our relationships! It s more than time for a change! There are at least 3 ways RM & BCM are to be handled: STATUS QUO keep separate silos for both (different teams, methods, reporting, etc.) COORDINATION use a common management unit that coordinates BCM and RM INTEGRATION fully integrate BCM into the RM framework

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback