Post on 26-May-2020
David Halford – Forsythe Solutions Group
Frank Perlmutter – Strategic BCP
BC & RISK MANAGEMENT: CONVERGENCE IS REAL
WHY THE CONVERGENCE OF BUSINESS CONTINUITY & RISK MANAGEMENT?
• The convergence of BC and RM has already occurred and continues to evolve
• Regulations, frameworks, and standards reflect a strong theme of management of risk
• Decision-makers gravitate towards Risk Management for its continuous value
RISK MANAGEMENT VS. BUSINESS CONTINUITY
Risk Management / Business Continuity
Perform Risk Assessment
Map Business Operations
Perform Business Impact Analysis
Develop IT Disaster Recovery Plans
Develop Business Recovery Plans
Develop Crisis Management Plans
WHAT IS THE DOMINANT DISCIPLINE?
• There is an overlap of concepts between the two disciplines
o The Risk Assessment and Business Impact Analysis are risk-based tools
o How they are implemented and the value they bring will designate whether the process is a sound risk-based model or not
• Risk Management as a discipline is generally leading the way
• Business Continuity is a subset of overall Risk Management
http://blog.hedgebookpro.com/tag/reporting/
TAKING RISK
There’s a fine line between taking a calculated risk and doing something dumb.
AREAS TO EXAMINE
Risk Management Principles
Facilitating Program Improvement
RISK MANAGEMENT PRINCIPLES
THE MISSION OF RISK MANAGEMENT
• Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts
• Compliance: evidence of properly implemented standards
• Resilience: ability to identify and remediate infrastructure vulnerabilities that may result in unacceptable impacts
RISK MANAGEMENT PRACTICE AREAS
Enterprise Risk
Legal Risks
BOD/Ethics Risk
Financial Risk
Environmental Risk
Operational Risk
Business Continuity
Information Technology Risk
Third Party Vendor Risk
Internal Controls
ENTERPRISE RISK VS. OPERATIONAL RISK
• Enterprise Risk Management focuses on mitigating events that negatively impact an organization’s supporting infrastructure
o People, Facilities, Information Technology, Assets
o Risk Assessment, Hazard Vulnerability Analysis
• Operational Risk Management focuses on mitigating vulnerabilities in operational business processes
o Business Impact Analysis, Downtime Impact Analysis
• Both disciplines focus on managing risk by making decisions (strategic, mitigation, operational, etc.) by balancing benefits with risk
ENTERPRISE RM AND BC CROSSING PATHS
OPERATIONS
PEOPLE
TECHNOLOGY FACILITIES & ASSETS
GOVERNANCE & REPORTING
OPERATIONAL RM AND BC CROSSING PATHS
• Operational Risk Management and BC Planning may cross paths in several places (if you perform these activities correctly)
o The Business Impact Analysis
o Mapping Normal Operations
• The Business Impact Analysis provides a prioritization of operational processes and linked supporting resources by gauging impact (e.g. RTOs)
• Mapping (and understanding) normal operations is essential to developing recovery strategies
WHAT INFORMATION IS AVAILABLE?
Risk Management Principles
• A sea of Risk Management regulations, standards, and best practices
• Business Continuity regulations, standards, and best practices are similarly prevalent
• There are similarities and guiding principles throughout all of them
• Focus on the common guiding principles
A SELECTION OF: RM regulations, standards, & frameworks
• ISO 31000
• COSO Framework
• OCEG GRC Capability Model (Red Book)
• FERMA 2002
• ISO/IEC 31010
• COBIT
• NIST 800 Series (several)
• FFIEC BCP Work Program
• ISO 22301 / 22313
• ISO 27001
• ISO 27005
• ITIL v.3
OVERARCHING PRINCIPLES OF RISK MANAGEMENT
• COSO provides an overall framework and principles for Risk Management
• COSO was originally housed in controls; has moved to a strategic approach
• Objectives appear at the top of the cube
• The right side of cube shows that Risk Management must be considered at all levels of an organization
• Risk management activities appear on the front of the cube
COSO Enterprise Risk Management: Integrated Framework
BUSINESS CONTINUITY & RISK MANAGEMENT
FACILITATING IMPROVEMENT
ESTABLISH AN ENTERPRISE RISK APPETITE
• Align Program with a Risk view versus Response or Recovery only
• Establish risk appetite around the factors or the overall risk
• Establish Balance between Resiliency & Recovery
• Include Core policy that defines decision-making in Program Guidance
• Align remediation budget with Risk Appetite
Operational Resiliency vs. Traditional BC/DR
TRADITIONAL BC/DR MODEL
• Minimum acceptable level of performance at time of crisis
• Invoke alternate procedures to recover & resume operations following a significant disruptive event
OPERATIONAL RESILIENCY MODEL
• Optimum level of performance continuously
• Architecture and processes for continuous availability of business operations and IT environments
Operational Resiliency Balance
[Figure: Production, Business Continuity and Operational Resiliency shown as a balanced approach focused on returning to the Optimal Performance Level]
OPL (Optimal Performance Level): optimal production performance capacity
APL (Acceptable Performance Level): minimal acceptable level for business functions
Balancing factors:
• Performance (SLA, User Experience)
• Growth (Organic, M&A)
• Risk (Availability, Threats)
• IT Disaster Recovery (capability & requirements)
• Governance & Program Framework (requirements)
Copyright © Alex Alexeev: http://www.projectdecisions.org/index-cartoon-riskanalysis1.html
ORGANIZATIONAL TRENDS
[Org chart: Executive Leadership; Global Business Continuity; Compliance / Audit / Risk Management]
Global Business Continuity
• Enterprise BC Program Framework/Policy/Governance
• BC Strategy & Planning (business units / sites)
• BC/DR capability & validation Governance
• BC/DR Compliance & reporting
• Crisis / Incident Management Program Leadership
• Active member of Risk Management committee
ORGANIZATIONAL TRENDS
[Org chart: Executive Leadership; Business Continuity; IT Disaster Recovery; IT / CTO / CIO; CISO / HR / CIO / Business Units; Compliance / Audit / Risk Management]
• Enterprise BC Strategy & Planning
• BC Program Governance & Reporting
• BIA & Requirements for DR
• DR Strategy & DR Planning
• DR Program Governance
• Recovery Capability Validation
• DR Compliance & Reporting
ADDING VALUE IN THE NEW CONVERGED WORLD
• Focus on reducing Risk and improving performance
• Establish functional connection with Business, IT, Risk Management
• Incorporate Risk view up front – Solution Planning and Strategic Initiatives
[Diagram: Business drives, empowers, & invests in IT; IT enables business and innovation; Balance Risk]
CALL TO ACTION
• Adapt to a holistic Risk Management approach
o Forget about “BC & DR” independently
• Ensure Risk Management & Resiliency is part of corporate strategy
o Embed risk management in all decision making
• Participate in a structured process to manage all business risks
o Document and publish processes and standards
Frank Perlmutter
FPerlmutter@StrategicBCP.com
President & Co-Founder
David Halford
DHalford@Forsythe.com
Practice Manager, BC Services
IT Risk Management
Forsythe Solutions Group
QUESTIONS?