Ms. Michael C. Redmond, MBCP, FBCI, CEM, PhDc


1 Ms. Michael C. Redmond, MBCP, FBCI, CEM, PhDc

2 BP31: Developing Enterprise Risk Management (300 L)
Michael C. Redmond, Redmond Worldwide

To proactively approach enterprise risk management (ERM), executives need to think outside the traditional Risk Assessment and Business Impact Analysis (BIA). While the concept of ERM stretches back to the early 90s, it is only recently that firms treat the concept of their recovery and security from a 360-degree perspective. A good ERM program allows for: less downtime and increased productivity, adherence to regulatory standards, and greater flexibility. The common thread in ERM will be covered in a "how to" approach. Assessing risks and impacts, architecting solutions, implementing mitigation, and implementing recovery solutions will be covered. ERM scope has grown so large in the last few years that each area will be discussed, along with a process for incorporating all the areas with limited staff and budget.

You Will Learn:
The components of a successful Enterprise Risk Management program
About the technical and business ERM risks
How to develop and document an ERM plan with limited resources

3 Aligning risk appetite and strategy: Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
Enhancing risk response decisions: Enterprise risk management provides the rigor to identify and select among alternative risk responses (risk avoidance, reduction, sharing, and acceptance).
Reducing operational surprises and losses: Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
Identifying and managing multiple and cross-enterprise risks: Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
Seizing opportunities: By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
Improving deployment of capital: Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

4 Less downtime and increased productivity
Adherence to regulatory standards
Greater flexibility

5 Business Continuity
Disaster Recovery
Emergency Management
Information Security
Continuity of Operations (COOP)
Continuity of Government (COG)
Physical Security
Compliance/Audits
And More

6 Assessing risks and impacts
Architecting solutions
Implementing mitigation
Implementing recovery solutions

7 Application Management
Business Continuity Management
Business Process Reorganization
Construction and Building Risk Management
Crisis Management
Emergency Management
High Availability
Information Security
ISO Service Offerings
Management Processing
Physical Security
Risk Analysis & Controls
Service Level Agreements
Systems & Engineering Solutions
Table Top Tests
Technology Implementation
Technology Sizing
Training

8 Assessing risks and impacts
Architecting solutions, implementing mitigation
Implementing recovery solutions

9 Enterprise risks and impacts span such threats as: people, buildings, equipment, processes, and reputation and financial concerns.
When proposing cost-effective controls to upper management, it is better to base these on the enterprise Risk Evaluation and Control and enterprise impacts.

10
* Architect Solution: Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objective, while maintaining the organization's critical functions.
* Public Relations and Crisis Coordination: Develop, coordinate, evaluate, and exercise plans to handle media during crisis situations.
* Implement Solution: Design, develop, and implement the Business Continuity Plan that provides recovery within the recovery time objective.
* Monitor and Test: Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results.

11 Within the context of an entity's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity's objectives, set forth in four categories:
Strategic: high-level goals, aligned with and supporting its mission
Operations: effective and efficient use of its resources
Reporting: reliability of reporting
Compliance: compliance with applicable laws and regulations


13 EMERGENCY RESPONSE
RESTORATION
RESUMPTION
MAINTENANCE


17 Identify alternative continuity strategies
(1) Do nothing
(2) Defer action
(3) Manual procedures
(4) Reciprocal agreements
(5) Alternative site or business facility
(6) Alternate source of product
(7) Third-party service providers/outsourcers
(8) Distributed processing
(9) Alternative communications
(10) Mitigation
(11) Preplanning

18 How will data be accessed?
What is the standby recovery service level agreement (SLA)?
How is service moved back to the primary location?
Are the resources dedicated to the site resilience solution?

19 With the increased practice of outsourcing to save money and assets come new problems of recovery.
To succeed, globalization requires the movement of resources, capital, and people; but, in the information age, much of that movement is virtual.

20 Building the computer in as part of the emergency management team ensures:
People continue to do the things they do well
They are supported by the technology, not driven by it
Today there is an emergent interoperability approach to addressing unanticipated contingencies during an emergency.

21 Communication challenges in emergency response
Public warning in this networked age
The use of open source software for managing situations is causing many entities to run to their planning table to catch up.

22 What level of service is required after the primary location fails?
What services, applications, hardware, and processes are needed?
How rapidly is data required?
How many users must be supported?

23 Ms. Michael C. Redmond, MBA, FBCI, MBCP, CEM
Redmond Worldwide, Inc.
Phone:
THANK YOU!