Business Continuity and Supply Vulnerabilities

Page 1:

Business Continuity and Supply Vulnerabilities

Page 2:

The leading nonprofit that helps organizations around the world prepare for and recover from disasters.

We provide education, accreditation, and thought leadership in business continuity and related fields.

Page 3:

Truly International

DRI has Certified Professionals in over 100 countries

DRI conducts training courses in over 50 countries

Since 2009, DRI taught more students outside the United States than within

DRI has over 13,000 active certified professionals (more than all other organizations in our industry combined)

Since 1988, more than 26,000 individuals have held a DRI certification

DRI International conducts training and certifies individuals in 10 languages.

Page 4:

APEC: Only officially recognized business continuity certification

DRI Canada is a member of the Technical Committee for the CSA Z1600 Standard

Japan: Joint Declaration on overcoming future crises with municipal governments

Singapore: Exclusive training partner for Singapore Business Federation

Malaysia: Annual DRI conference with the Ministry of Science, Technology and Innovation

UAE: Member of Standards Committee Advisory Team

Europe: Presented at the Interparliamentary Center for Parliamentary Studies (Belgium) and the IDRC (Davos, Switzerland)

United States: Chair, Alfred P. Sloan Committee to draft the Framework for Preparedness that is the foundation for the Title IX Implementation.

Member, U.S. Chamber of Commerce Homeland Security Task Force

Member, Council of Experts for ANSI-ANAB

Member, FEMA National Advisory Council Private Sector Subcommittee

Member, Advisory Committee for Congressionally funded Project for National Security Reform

Advisor, Special Assistant to The President for Homeland Security Standards Policy

Nigeria: Participate in regular embassy drills

Mexico: National standards advisor

International Government Collaboration

Page 5:

Conferences

DRI2014 - Atlanta, United States

DRI2013 - Philadelphia, United States

DRI2012 - New Orleans, United States

KL2013, KL2014 - Kuala Lumpur, Malaysia

Business Continuity Forum - Istanbul, Turkey

“Knowledge Grows by Sharing” - Hyderabad and Bangalore, India

Urban Security Event - Rome, Italy

Crisis and Emergency Management Conference - Abu Dhabi, United Arab Emirates

Business Continuity Forum - Doha, Qatar

PwC International BCM Conference - San Juan, Costa Rica

Global Risk Forum - Davos, Switzerland

The State of The Art of Business Continuity and Disaster Recovery; ISACA: True Risk Management – The Road to Convergence - Singapore

DRI Day - Sao Paulo, Brazil

Low Carbon Earth Summit - Qingdao, China

Congreso BCM y ERM - Mexico City, Mexico

The Role of the Central Bank and BCM - Manila, Philippines

Congreso ALCONT - Medellin, Colombia

Japan Signatory to Mutual Aid Agreement; Japan BCM Conference: BCM Essentials and BCM Trends - Tokyo, Japan

BCM Conference - Beijing, China

NYU Intercep Global Risk Forum - New York, United States

Mid-Maryland ACP Meeting - Maryland, United States

Leadership for Peace and Prosperity Conference - San Diego, United States

ACP Liberty Valley Meeting - Pennsylvania, United States

Great Lakes Business Recovery Group - Michigan, United States

RIMS PERK Presentation - Kansas City, KS

Page 6:

United Nations Collaboration

DRI is representing the private sector to the Disaster Management Terminology Committee for the United Nations Office of Disaster Risk Reduction

Research conducted in partnership with the European Commission

DRI’s International Glossary for Resiliency is a source document

DRI is hosting a Public Forum in conjunction with the launch of the Hyogo Framework for Action 2

Will launch on the anniversary of the Great Eastern Earthquake and Fukushima disaster

Bottom line: Your voice is being heard by global policymakers

Page 7:

DRI International is only The largest non-academic institution to receive chapter status

Recognition from the Academic Community

Page 8:

MyDRI Resources

Project Initiation and Management

Risk Evaluation and Control

Business Impact Analysis

Developing Business Continuity Strategies

Emergency Response and Operations

Plan Implementation and Documentation

Awareness and Training Programs

Plan Exercise, Audit and Maintenance

Crisis Communications

Coordination with External Agencies

DRI International is an ANSI-Accredited Standards Development Organization

Page 9:

Most Used Standard for BCM

The Most Used Standard in the World

BC Management 2013

Page 10:

Doubled the Number of Certified Professionals Worldwide

Tripled the Number of Certified Professionals Outside the US – Now Accounts for 40%

Page 11:

Introducing DRI International Collegiate Conferences

• One-day conference in conjunction with an Institution of Higher Learning

• Admission - $50 Tax-Deductible donation to the DRI Foundation

• Includes all meals and materials

• A Chance for Everyone to Attend a Conference

• Minimal Cost

• More Venues

• A Chance for Professionals and Academics to Meet

Page 12:

Collegiate Conference Schedule

• April 10, 2015: University of Maryland Smith School of Business, Oak Ridge, Maryland

• July 10, 2015: Dominican College, San Francisco, California

• October 23, 2015: Centennial College, Ontario, Canada

• January 25, 2016: St. John’s University, New York, New York

• Registration is Limited: Register Now at www.drii.org

Page 13:

• To help pay for rising education costs

• $5,000 for a high school senior

• Parent or legal guardian must be a Certified Professional in good standing

• Applications available at www.driif.org

• Available March 9, 2015

• Applications due May 1, 2015

DRI Foundation Scholarship

Page 14:

Helping Nonprofit Professional Organizations

◦ DRI is NOT a Membership Organization

◦ We rely on professional nonprofit organizations for:

◦ Disseminating and sharing information

◦ Networking

◦ Furthering the Profession

◦ Professional Non-Profit Organizations:

◦ Financial Challenges

◦ Membership Building

Page 15:

◦ Double our Financial Commitment

◦ We changed our CEAP formula:

◦ Certified Professionals will receive more CEAPs for:

◦ Professional NPO Events, Meetings, Conferences

◦ Presentations, Articles

◦ Our aim is to help them:

◦ Increase membership and commercial sponsorship

◦ Meeting with Organizations to Tell Us How DRI Can Help

Helping Nonprofit Professional Organizations

Page 16:

Charitable Giving and Volunteerism

Vision

• Resilient communities worldwide

Mission

• To promote disaster risk reduction through partnership and education

• To aid recovery efforts through fundraising and volunteerism

Page 17:

A Look at Supply Chain Issues

Page 18:

Challenges

Supply Chain: From Albuquerque to Sendai & Beyond

Cyber Threats Extending Supply Chain Scope

Insurance Risk Transfer - Real ROI

Page 19:

Supply Chain: From Albuquerque to Sendai & Beyond

Page 20:

Supply Chain

Page 21:

Supply Chain - Manufacturing

Page 22:

Sales Order Processing

Billing

Customer Order

Service Delivery

Customer Invoice

Customer Service

Payment

Supply Chain - Order to Cash

Page 23:

Procurement and Strategic Sourcing

Inventory Planning and Management

Customer Service and Support

Physical Distribution

Transportation Management

Supply Chain

Page 24:

Nokia vs. Ericsson -- March 17, 2000

Pre Fire Ranking

– Nokia (32%)

– Motorola (22%)

– Ericsson (12%)

On July 20, 2000, Ericsson reported that the fire and component shortages had caused a second-quarter operating loss of $200 million in its mobile phone division. Total loss $400 million.

Post Fire Ranking

– Nokia shipments grew by 10.5 percent over the previous year, to 140 million units.

– Motorola shipments dropped by 1.7 percent to 59 million units.

– Siemens shipments grew by 10.2 percent to 30 million units.

– Samsung shipments grew by 36.8 percent to 28 million units.

– Ericsson shipments dropped by 35 percent to 27 million units.

10 Minute Fire in Albuquerque Philips Microchip Plant

Page 25:

Why Nokia Gained and Ericsson Lost

Preparation - Nokia

Considered solutions before event occurred

Understood the need

Implemented recovery at other Philips plants

Wishful Thinking - Ericsson

Believed early reports of little damage and interruption

Smart people will find a solution

Page 26:

Once Burned: Better BCM Means More Reliable Suppliers

Business Interruption and Recovery Plan

Supplier will provide Motorola with a detailed, written business interruption and recovery plan, including business impact and risk assessment, crisis management, information technology disaster recovery, and business continuity. Supplier will update the plan annually. Supplier will notify Motorola in writing within twenty-four (24) hours of any activation of the plan.

Motorola Corp 2002

Page 27:

Japanese Impact Upon Supply Chain

• GM shuts down for lack of supplies

• Chrysler – Ford no Red Black Pigments

• Apple iPad2 Backorder

• Chip shortage

• Chip increased prices

• Case Polishing

Page 28:

Japan as a Supplier

Page 29:

Changing Direction

Moving More Production Off Shore

Some 70 per cent of domestic manufacturers expect at least one partner in their supply chains to speed up relocation efforts overseas, a trade ministry poll showed, accelerating a nearly two decade-long migration of Japanese manufacturing capability overseas.

"Relocating is on the table for many executives. If a key supplier or partner moves, that could trigger a large exodus," said Shuzo Takada, director of the ministry's industrial revitalisation division.

Page 30:

Changing Direction

Moving More Production Off Shore

Renesas Electronics plans to increase offshore production from 8% to 25%

Fujitsu plans to shift more chip output to a factory in China

Hoya is planning its first overseas plant in China

Off Shore Back Up

Mitsui Mining & Smelting, which supplies 90 percent of the ultra-thin copper foil used in smartphones, is building a backup production line in Malaysia.

Japanese Firms Plan to Set Up Backup Production Bases in Taiwan

The two Japanese firms, one a semiconductor-equipment maker and the other an electronic chemical material supplier, plan to make investments totaling NT$600 million in value.

Page 31:

Mapping Risk in Supply Chain

Page 32:

Emerging Supply Chain Risks

Risk & Insurance Magazine

Page 33:

Cyber Threats Extending Supply Chain Scope

Page 34:

• Natural Disasters

• Man-Made Incidents

• Technology Failure

The Risks Increase

Page 35:

The Risks Increase

• Pandemics

• Nuclear, Biological, Chemical

• Political

• Economic

• Cyber

Page 36:

The Risks Increase

valuewalk.com

Page 37:

Hackmageddon.com

The Changing Face of Hackers

Page 38:

Cyber Crimes In The News

U.S. notified 3,000 companies in 2013 about cyberattacks

Page 39:

The New Attacks – Easy

Source of Attacks

◦ Find a trusted source (third party vendor)

◦ One with less than adequate security – phish, hack

◦ Steal credentials

◦ Gain entry to Target POS

◦ Test the hack

◦ Spread to rest of POS system – live Credit/Debit card info

◦ Upload (FTP) data to innocent servers in Miami and Brazil

◦ Data winds up in Russia and Eastern Europe

SUPPLY CHAIN WEAKNESS AFFECTED CUSTOMER

CREATED POTENTIAL LEGAL LIABILITY

Page 40:

Page 41:

More Pressure to Perform Due Diligence on Supply Chain

New Regulations to Ensure Vendor Security

HIPAA

• Omnibus Rules – Vendor Due Diligence

FFIEC

• Third-Party Providers, Key Suppliers, and Business Partners

• Cybersecurity Assessment Pilot Program

OCC

• Third Party Relationships

FINRA

• Assessing how firms manage cybersecurity threats

PCI

• Credit Card Processing (Outsourcing cloud services provider, hosted call-center, IT services firm, disaster recovery location, document storage company)

Page 42:

BULLETIN 2013-29

A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.

A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.

An effective risk management process throughout the life cycle of the relationship includes

◦ plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.

◦ proper due diligence in selecting a third party.

◦ written contracts that outline the rights and responsibilities of all parties.

◦ ongoing monitoring of the third party’s activities and performance.

◦ contingency plans for terminating the relationship in an effective manner.

◦ clear roles and responsibilities for overseeing and managing the relationship and risk management process.

◦ Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.

◦ Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

OCC

The OCC charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. The OCC is an independent bureau of the U.S. Department of the Treasury.

Mission

To ensure that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulation.

Page 43:

HIPAA – Business Associates – Concerned with ePHI

Columns: Focus Area / Change Required / Internal

Focus Area: Existing Agreements With Business Associate Addenda

Change Required:

• All Covered Entities must review their existing vendor relationships and affiliations to determine whether any relationship meets the new Business Associate Criteria.

• All Business Associates must review their existing subcontractor arrangements for compliance purposes.

Internal:

• Inventory all existing contracts and identify all signed Business Associate Addenda and/or subcontractor agreements.

• Review contracts signed prior to January 25, 2013 and determine end date for compliance as per transitional rule.

Focus Area: Existing Relationships without Business Associate Addenda

Change Required:

• Identify Vendors and/or affiliates or affiliation relationships which involve access or disclosure of PHI and which do not have documented BA addenda.

• RHIO relationships must include a Business Associate Addendum.

• A parent or affiliate which provides quality assurance or other functions involving access or review of PHI must have a Business Associate Addendum in place.

• Vendors who provide PHI to patients must have a Business Associate Addendum in place.

• Other entities, such as document storage and/or disposal vendors must have a Business Associate Addendum in place.

Internal:

• Conduct a risk assessment of all vendor relationships to identify those that may fall within the new regulatory definitions.

• Do not overlook corporate relationships with affiliates which do not involve the exchange of information for treatment purposes.

• For individuals employed by vendors or affiliates but who may fall within a covered entity’s or Business Associate’s “work force”, assure proper designation and training.

Focus Area: Hybrid Entities

Change Required:

• Hybrid Entities that perform multiple functions and roles (such as operating a hospital and university) must now include any Business Associate functions under the health care component of its operations subject to the new rules.

Internal:

• Review internal designations of health component for any Hybrid Entity.

• Assure direct compliance with HIPAA/HITECH as to Business Associate functions carried out by organization.

HIPAA

Page 44:

And One for the US Government

FISMA (Federal Information Security Management Act)

Federal Highway Administration bid solicitation

◦ Security assessment: formal evaluation of control environment (annual)

◦ Plan of action: plan to mitigate assessment findings (quarterly)

◦ System security plan: documentation of all controls (annual)

◦ Security categorization: impact level of each system (annual)

◦ System contingency plan: documentation of redundancy (annual)

◦ Security policy and workforce training records (annual)

◦ Interconnection agreements from sub-contractors (annual)

Page 45:

Government Contract Lost

Oct 10, 2014, 7:01am EDT

Dayton Business Journal

It seems that being the victim of a data breach could lead to companies losing government contracts, according to a report by the Washington Business Journal. The Office of Personnel Management’s decision not to renew two contracts with US Investigations Services LLC might have set a precedent for how government handles contractor breaches, according to the report.

As a reminder, in July 2014, USIS was hit by a cyber attack that reportedly affected 25,000 government employees. USIS suspected it to be "state-sponsored." The government quickly suspended work with USIS and then opted to drop its contracts with the company.

Robert Nichols, a lawyer specializing in government contracts at D.C. firm Covington & Burling LLP, says the lost contracts could place higher demands on contractors in securing their work with government data, according to Federal Computer Week.

For this reason alone, government contractors must have adequate system protections in place to keep data safe.

Page 46:

Finally

Page 47:

We Waited 12 Years for This?

Page 48:

Enough Defense – Some Offense

Page 49:

Insurance – Risk Transfer

Real ROI

Page 50:

BCM PROCESS

MAJOR STEPS: BUSINESS IMPACT ANALYSIS, STRATEGY SELECTION, PLAN PREPARATION, TESTING & MAINTENANCE

BUSINESS IMPACT ANALYSIS

ACTIONS

1. Develop BIA questionnaire using Senior Management’s recovery objectives

2. Conduct BIA workshop with Business Representatives

3. Distribute BIAs and receive completed forms from Business Representatives

4. Review BIA Questionnaires

5. Conduct follow-up interviews with Business Unit Representatives

DOCUMENTATION & PARTICIPANTS

1. BIA Kickoff Presentation

2. BIA Questionnaire

BCP Leader, Business Unit Representatives

STRATEGY SELECTION

ACTIONS

1. Identify and document resource requirements based on BIAs

2. Conduct gap analysis to determine gaps between recovery requirements and current capabilities

3. Explore facility options

4. Define strategy options

5. Select strategy

DOCUMENTATION & PARTICIPANTS

1. Summary of BIAs

2. Gap Analysis Report

3. Relocation Strategy

Senior Management, BCP Leader, Business Unit Representatives

PLAN PREPARATION

ACTIONS

1. Link/Update Plan Model throughout BCP Process with gathered information

2. Develop Relocation Plans

3. Validate complete plan

DOCUMENTATION & PARTICIPANTS

1. Plan Model

2. Relocation Procedures

3. Workaround Procedures

4. Data Restore Procedures

5. IT procedures

Senior Management, BCP Leader, Business Unit Representatives

TESTING & MAINTENANCE

ACTIONS

1. Develop testing and maintenance requirements

2. Train Associates to create awareness of the BCP Model & individual roles

3. Plan for walk through testing

4. Conduct tests and document test results

5. Update BCP Plan to incorporate lessons learned from testing

DOCUMENTATION & PARTICIPANTS

1. Test Scenario

2. Pre-Test Checklist

3. Test Monitoring Procedures

4. Test Review Report

Senior Management, BCP Leader, Business Unit Representatives, and Third Party Observers

RISK TRANSFER - INSURANCE

BUSINESS IMPACT ANALYSIS: INTEGRATES WITH BI & CBI INSURANCE

STRATEGY SELECTION: OPTIMIZES EXTRA EXPENSE INSURANCE

Page 51:

• Business Interruption: insurance that provides protection for the loss of profits and continuing fixed expenses resulting from a break in commercial activities due to the occurrence of a peril

BUSINESS INTERRUPTION INSURANCE

• Business Interruption Purpose: To protect the earnings of the insured and do what the insured would do for itself had no loss occurred.

• Business Interruption: “Net Profits Plus Continuing Expenses” or “Gross Earnings less non-continuing expenses”

Page 52:

Contingent Business Interruption Insurance

Supply Chain Protection

• Contingent Business Interruption (CBI) reimburses lost profits and extra expenses resulting from an interruption of business at the premises of a customer or supplier

• Usage:

• When the insured depends on a single supplier or a few suppliers for materials.

• When the insured depends on one or a few manufacturers or suppliers for most of its merchandise.

• When the insured depends on one or a few recipient businesses to purchase the bulk of the insured’s products.

• When the insured counts on a neighboring business to help attract customers, known as a leader property.

Page 53:

Extra expense

Extra Expense: Pays for the extra expense of maintaining operations after an accident to an insured item until normal operations can be restored.

• Pays for expenses over and above those that would have been incurred during normal operation of the business.

• Some of the covered extra expenses are: expenses incurred to avoid or minimize the suspension of operations, expense to repair or replace property, and expense paid for overtime work to speed up the restoration of the business.

Page 54:

Insurance Implications

Business Impact Analysis

Maps to Business Interruption and Contingent Business Interruption

Indemnity cover bought to compensate for the losses incurred due to interruption or stoppage of a key supplier's business.

Strategy Selection

Maps to Business Extra Expense and Extraordinary Expense

Policy that pays (up to a specified limit) expenses incurred in restoring a firm to its normal operations (after a disaster) but not covered under the ordinary business-interruption insurance policy.

Page 55:

Cyberinsurance

• Data Liability – Defense Damages for Data Breach

• Media Liability – Copyright & IP Defense Costs

• Regulatory Coverage – Civil Fines, Not Criminal - Limited

• Remediation Coverage – Notification, Credit Monitoring & Help Desks

• Information Asset Coverage – Restoration of Data and Systems

• Network Interruption Coverage – Denial of Service Attacks

• Extortion Coverage – Ransomware (Crypto Locker)

Page 56:

Thank You

Questions, Comments