BC & RISK MANAGEMENT: CONVERGENCE IS REAL David Halford Forsythe Solutions Group Frank Perlmutter Strategic BCP


WHY THE CONVERGENCE OF BUSINESS CONTINUITY & RISK MANAGEMENT?
- The convergence of BC and RM has already occurred and continues to evolve
- Regulations, frameworks, and standards reflect a strong theme of management of risk
- Decision-makers gravitate towards Risk Management for its continuous value

RISK MANAGEMENT VS. BUSINESS CONTINUITY
Risk Management:
- Perform Risk Assessment
- Map Business Operations
- Perform Business Impact Analysis
Business Continuity:
- Develop IT Disaster Recovery Plans
- Develop Business Recovery Plans
- Develop Crisis Management Plans

WHAT IS THE DOMINANT DISCIPLINE?
- There is an overlap of concepts between the two disciplines
  o The Risk Assessment and Business Impact Analysis are risk-based tools
  o How they are implemented, and the value they bring, will designate whether the process is a sound risk-based model or not
- Risk Management as a discipline is generally leading the way
- Business Continuity is a subset of overall Risk Management

TAKING RISK
"There's a fine line between taking a calculated risk and doing something dumb."

AREAS TO EXAMINE
- Risk Management Principles
- Facilitating Program Improvement

RISK MANAGEMENT PRINCIPLES

THE MISSION OF RISK MANAGEMENT
- Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts
- Compliance: evidence of properly implemented standards
- Resilience: ability to identify and remediate infrastructure vulnerabilities that may result in unacceptable impacts

RISK MANAGEMENT PRACTICE AREAS
- Enterprise Risk
- Operational Risk
- Legal Risks
- Business Continuity
- BOD/Ethics Risk
- Information Technology Risk
- Financial Risk
- Third Party Vendor Risk
- Environmental Risk
- Internal Controls

ENTERPRISE RISK VS. OPERATIONAL RISK
- Enterprise Risk Management focuses on mitigating events that negatively impact an organization's supporting infrastructure
  o People, Facilities, Information Technology, Assets
  o Risk Assessment, Hazard Vulnerability Analysis
- Operational Risk Management focuses on mitigating vulnerabilities in operational business processes
  o Business Impact Analysis, Downtime Impact Analysis
- Both disciplines focus on managing risk by making decisions (strategic, mitigation, operational, etc.) that balance benefits with risk

ENTERPRISE RM AND BC CROSSING PATHS
- GOVERNANCE & REPORTING
- PEOPLE
- TECHNOLOGY
- FACILITIES & ASSETS
- OPERATIONS

OPERATIONAL RM AND BC CROSSING PATHS
- Operational Risk Management and BC Planning may cross paths in several places (if you perform these activities correctly)
  o The Business Impact Analysis
  o Mapping Normal Operations
- The Business Impact Analysis provides a prioritization of operational processes and linked supporting resources by gauging impact (e.g. RTOs)
- Mapping (and understanding) normal operations is essential to developing recovery strategies

WHAT INFORMATION IS AVAILABLE?
Risk Management Principles
- A sea of Risk Management regulations, standards, and best practices
- Business Continuity regulations, standards, and best practices are similarly prevalent
- There are similarities and guiding principles throughout all of them
- Focus on the common guiding principles

A SELECTION OF RM REGULATIONS, STANDARDS, & FRAMEWORKS
- ISO
- COSO Framework
- OCEG GRC Capability Model (Red Book)
- FERMA 2002
- ISO/IEC
- COBIT
- NIST 800 Series (several)
- FFIEC BCP Work Program
- ISO / ISO
- ISO
- ITIL v.3

OVERARCHING PRINCIPLES OF RISK MANAGEMENT
- COSO provides an overall framework and principles for Risk Management
- COSO was originally housed in controls; it has moved to a strategic approach
- Objectives appear at the top of the cube
- The right side of the cube shows that Risk Management must be considered at all levels of an organization
- Risk management activities appear on the front of the cube
Source: COSO Enterprise Risk Management: Integrated Framework

BUSINESS CONTINUITY & RISK MANAGEMENT: FACILITATING IMPROVEMENT

ESTABLISH AN ENTERPRISE RISK APPETITE
- Align Program with a Risk view versus Response or Recovery only
- Establish risk appetite around the factors or the overall risk
- Establish Balance between Resiliency & Recovery
- Include Core policy that defines decision-making in Program Guidance
- Align remediation budget with Risk Appetite

Operational Resiliency vs. Traditional BC/DR
TRADITIONAL BC/DR MODEL
- Minimum acceptable level of performance at Time of Crisis
- Invoke alternate procedures to recover & resume operations following significant disruptive event
OPERATIONAL RESILIENCY MODEL
- Optimum level of performance continuously
- Architecture and processes for continuous availability of business operations and IT environments

Operational Resiliency Balance (diagram)
- Production / Business Continuity / Operational Resiliency
- Performance (SLA, User Experience)
- Growth (Organic, M&A)
- Risk (Availability, Threats)
- IT Disaster Recovery (capability & Requirements)
- Governance & Program Framework (Requirements)
- OPL (Optimal Performance Level): optimal production performance capacity
- APL (Acceptable Performance Level): minimal acceptable level for business functions
- Balanced approach focused on returning to Optimal Performance Level
Copyright Alex Alexeev

ORGANIZATIONAL TRENDS (org chart)
Executive Leadership / Compliance / Audit / Risk Management
Global Business Continuity:
- Enterprise BC Program Framework/Policy/Governance
- BC Strategy & Planning (business units / sites)
- BC/DR capability & validation Governance
- BC/DR Compliance & reporting
- Crisis / Incident Management
- Program Leadership: Active member of Risk Management committee

ORGANIZATIONAL TRENDS (org chart)
Executive Leadership / Compliance / Audit / Risk Management
CISO / HR / CIO / Business Units: Business Continuity
- Enterprise BC Strategy & Planning
- BC Program Governance & Reporting
- BIA & Requirements for DR
IT / CTO / CIO: IT Disaster Recovery
- DR Strategy & DR Planning
- DR Program Governance
- Recovery Capability Validation
- DR Compliance & Reporting

ADDING VALUE IN THE NEW CONVERGED WORLD
- Focus on reducing Risk and improving performance
- Establish functional connection with Business, IT, Risk Management
- Incorporate Risk view up front: Solution Planning and Strategic Initiatives
- Business drives, empowers, & invests in IT
- Balance Risk
- IT enables business, innovation

CALL TO ACTION
- Adapt to a holistic Risk Management approach
  o Forget about BC & DR independently
- Ensure Risk Management & Resiliency is part of corporate strategy
  o Embed risk management in all decision making
- Participate in structured process to manage all business risks
  o Document and publish processes and standards

QUESTIONS?
Frank Perlmutter, President & Co-Founder, Strategic BCP
David Halford, Practice Manager, BC Services, IT Risk Management, Forsythe Solutions Group