Citi Institutional Clients Group - Business Continuity Management

Enterprise Risk Management: Establishing a Risk Control-based Continuity Program

Adam S. Levison, CBCP, Senior Vice President, Citi Institutional Clients Group

[email protected] | +1 973.725.1567

Transcript, 2016-06-14

Goals

Distinguish Compliance vs. Risk Control
- Stakeholder Drivers
- Objectives and Outcome

Provide methods to establish a Program Certification/Attestation Model

Transform from Business Continuity to Independent Risk Control Utility

Provide methods to implement an Independent Utility Risk Control Model
- Governance
- Plan Review (BIA, Plan, Crisis Management)
- Testing (Validation)
- Typical risk control findings from a Fully Compliant program

Provide tangible “how-to’s” to take back and apply to your program


Compliance vs. Risk Control – Stakeholder Drivers

Management
- Program Compliance: Ascertain overall program “health” by measuring policy compliance; track business progress towards completing BCM milestones; respond to deficiencies or missing progress; compare standing versus geographic and business peers.
- Deficiency Management and Risk Mitigation: Ascertain overall program “health” by measuring the level of risk control and compliance issues; track business progress towards resolving program compliance and risk control issues; compare standing versus geographic and business peers.

Risk Control (Ops Risk/Audit)
- Program Compliance: Determine key issues from geographical, business and discipline perspectives; develop risk trends on issues and non-compliance; track business progress towards completing BCM milestones.
- Deficiency Management and Risk Mitigation: Analyze deficiency root cause so appropriate corrective action can be taken; develop risk trends on issues and non-compliance; track business progress towards resolving program compliance and risk control issues.

Business Recovery Coordinator
- Program Compliance: Track business progress against milestones; attest to business completion and compliance.
- Deficiency Management and Risk Mitigation: Analyze deficiency root cause so appropriate corrective action can be taken; prioritize based on risk exposure and track issue resolution.


Foundation and Framework

Foundation – Program source and core
- Publish policy, mandates and standards
- Align to in-country regulations and industry best practice; support firm objectives
- Avoid loopholes that can crack your foundation (i.e. the program)

Framework – The program structure
- Implementation – How to achieve compliance
- Expectations – Minimum requirements
- Span of control – Areas involved, exceptions
- Inspection – Ensure adherence

Implementation
- Clearly communicate mandates and expectations to all businesses
- Establish a steady pace to update and maintain planning milestones

Ensuring Compliance and Risk Control
- Cyclical checkpoints to affirm compliance
- Business certification
- Independent validation and verification


Distinguishing between Compliance and Risk Control

Business Impact Analysis (BIA)
- Compliance: Loss Impacts; RTO/RPO; Process Prioritization
- Risk Issues: The business may not be aware of all risks and their corresponding impact on its processes in the event of a disaster.

Crisis/Incident Management Plan (CMP)
- Compliance: Response and Decision Protocols; Key Contacts; Escalation
- Risk Issues: The plan may not be viable and ready to execute, which may impair the ability to resume and/or sustain business-as-usual processes.

Business Recovery Plan (BRP)
- Compliance: Strategy; Workarea Requirements; Staffing; Impact Mitigation
- Risk Issues: The plan may be insufficient to minimize financial losses, continue to serve stakeholders, and mitigate the negative effects of the disruption.

Governance
- Compliance: Having responsible owners and maintainers of the program
- Risk Issues: Production and recovery planning may fall out of sync, resulting in a breakdown in the ability to recover.

Testing
- Compliance: Execution of plan strategies and protocols to validate mitigation of the impacts noted in the BIA.
- Risk Issues: Untested strategies leave theories unproven and forgo the discovery of gaps and of more effective methods to recover.


Program Compliance Certification

Defined: Provides evidence of the effectiveness of continuity planning programs, which include risk assessment, business impact analysis, planning, containment and recovery strategies, testing, training and awareness, compliance, independent review and governance.

Business certifies and takes ownership of their program

Forces management action on deficiencies through corrective action plans or risk acceptances

Raises exposure level to the program

Supports regulatory and audit requirements

Benchmarks business standing

Improvement/Deterioration trending


Program Certification Process

Create an attestation-type questionnaire that addresses each policy mandate to certify

- Yes – business completed to the letter of the policy
- No – business is not in compliance

Supporting evidence
- Yes – where can the evidence be found (centralized planning system, shared drive, etc.)?
- No – What is the gap? What is the resolution? When will the resolution be implemented?

The Business Manager approves the compliance attestation standing, thus certifying the compliance results and committing to resolve any deficiencies.


Transform from Continuity to Independent Risk Control

Limitations of relying solely on Program Certification
- “Check the box” mentality
- Risk taking / “rounding up”
- Creation of an artificial ceiling on program improvement and maturity

Continuity Program transforms into a Centralized Independent Risk Control Utility

Align the program to an Audit-style approach with continuity subject matter expertise

Become a service organization by
- Validating compliance certification
- Identifying gaps and partnering to resolve them
- Injecting risk control into a policy-compliant program

Evolve your program to operate horizontally across the firm organization


Creating and Conducting an Independent Review

Objective

- Evaluate plans to assess the comprehensiveness, usability and quality of the documents
- Establish a benchmark for what to correct prior to an official audit
- Assist the business to identify and correct audit or compliance deficiencies

Implementation
- Identify and prioritize plans to be reviewed by risk/criticality rating:
  - High-rated: reviewed annually
  - Medium/Low-rated: reviewed on an alternating bi-annual cycle

- Evaluate each plan by:
  - Answering each question with a rating of compliant, not compliant, or compliant with risk issue
  - Documenting limitations or issues
  - Providing recommended corrective actions

Tools and reference material to assist in the review
- Firm policy and standards
- Regulatory guidelines
- Audit program guidelines and requirements


Establish Independent Risk Control Test

Create a checklist that focuses on core program remits:
- Governance – (Roles and Responsibilities)
- Assessment – (Identification and prioritization of processes, BIA)
- Crisis Management – (Escalation; Staffing; Notification)
- Business Continuity Plan Requirements – (Protocols, Procedures, Vital Records, Workarea Requirements)
- Validation – (Call Tree, Business Continuity, Training exercises)
- Compliance – (Audits, Certifications, Disclosures)


Validating Governance

Objective: To validate that a business has…
- An owner (e.g. Business Unit Head) who is accountable for the continuity of the business in scope.
- An implementer (e.g. Business Recovery Coordinator) who is responsible for developing and maintaining recovery plan components and requirements.

Risk Control
- Establish the necessary framework, roles, responsibilities and backup positions for the effective administration of the CoB program.
- Ensure adequate management, ownership and accountability of the business' continuity program.

Evaluation Findings
- Challenge the understanding and training of the members who occupy roles.
- Are the Business Heads truly accountable for the day-to-day business?
- Does proper succession planning exist?


Validating Business Assessment

Objective
- To identify, evaluate and prioritize the functions necessary to continue operations during a contingency.
- Determine whether the prioritization, RTO, RPO, and criticality ratings of business processes adequately reflect the current business environment.
- Set proper direction on recovery strategy development and implementation.

Risk Control
- Business processes are captured at the appropriate level.
- Assigned RTOs are justified by the quantitative and qualitative impacts.

Evaluation Findings
- Policy typically requires processes to have an RTO. Independent reviews challenge and validate the RTO and impacts so that appropriate strategies are formulated.


Validating Recovery Plan

Objective: To validate the plan's adequacy, effectiveness and quality by ensuring that all BIA objectives and requirements are addressed in the plan strategy.

Risk Control by determining whether the plan…
- Addresses the recovery of key processes and sub-processes according to their criticality ratings.
- Has a strategy that sustains the minimum RTO identified in the BIA and includes the protocols necessary to recover functions that support business interdependencies.
- Considers dependencies on processes external to the business, whether they are internal to the company or provided by vendors or other third parties.
- Provides manual workarounds to be used as appropriate when systems and technology backups are not available.

Evaluation Findings
- Policy typically requires a strategy and the basic requirements to support it.
- Risk control fine-tunes the plan to focus on cost-effective solutions, closing loopholes in the supply chain, and establishing SLAs where handshake agreements may expose the business during a crisis.


Validating Crisis/Incident Response Plan

Objective: Identify whether the protocols and roles are appropriate and effective to allow a business to respond, react, and mitigate.

Risk Control
- An ineffective response to a crisis event can delay invocation and put critical RTOs in jeopardy of not being met.
- Clear protocols and decision-making checklists facilitate a quicker response during an incident.

Evaluation Findings
- Ensure crisis teams are not only filled, but filled with the right staff and backups.
- Apply what is on paper to local risk.
- Findings can be vetted during tabletop exercises.


Validating Recovery Exercise Process

Objective: Validate the adequacy and effectiveness of how businesses test their recovery capabilities, and ensure those capabilities are sufficient to mitigate risk.

Risk Control verifies the…
- Plan is tested to ensure the business process is functional in all aspects.
- Test results indicate whether testing objectives and success criteria have been met.
- Application testing at an alternative location includes network connectivity and other critical data feed mechanisms (e.g., connections and interfaces).
- Tests are performed using the actual production data.
- Status of corrective action plan(s) developed to address problems encountered during the tests.
- Plan properly supports and reflects the goals, SLAs and priorities of the business unit.

Evaluation Findings
- Structure of call trees (linear or cascade)
- Recovery tests rigged for success that do not challenge realistic situations
- Testing capacity


Typical findings from a Compliant Program

General Findings

- Plans are not reader friendly and lack logical flow; most plans are too long to be of value.
- Key items such as assembly points, the location of the recovery site and directions to it are difficult to find.

Assessment
- Limited documentation of a threat and vulnerability assessment being conducted.
- Plan criticality is inconsistent in both the process requirements and the impacts.

Strategy
- Critical information such as evacuation procedures is not documented.
- Holes in recovery requirements.

Plan Requirements
- Many of the notification and communication procedures are missing vital information.
- Limited logistical protocols (e.g. directions to the recovery site, expense management, etc.).
- Most strategies did not contain procedures for resumption to BAU.
- Lack of documentation around disclosures.

Testing
- Call tree implementation structure


Recap and Considerations

- Establish a baseline for policy, mandates and standards
- Force businesses to certify their program compliance standing
- Transform the continuity program into an Independent Risk Control Utility
- Validate certification

- Partner with the business to address risk control issues.
- Separate black/white policy compliance from program quality, effectiveness, and adequacy.
- Expose and remediate Audit’s typical touch points on the business’ behalf.

Create a closed-loop compliance and risk control system
- Risk control validation exposes “check the box” compliance certifications.

Reap the benefits
- Achieve true business compliance
- Address key risks through corrective actions or management acceptance
- Have Audit place reliance on your program to centralize continuity reviews
- Raise the program maturity level
- Achieve effective, executable and validated recovery plans and strategies
- Go beyond “check the box”


In Closing

Adam S. Levison, CBCP, Senior Vice President, Citi Institutional Clients Group

[email protected] | +1 973.725.1567