Citi Institutional Clients Group - Business Continuity Management · 2016-06-14
Citi Institutional Clients Group - Business Continuity Management
Enterprise Risk Management
Establishing a Risk Control-based Continuity Program
Adam S. Levison, CBCP
Senior Vice President, Citi Institutional Clients Group
[email protected] | +1 973.725.1567
Adam S. Levison
Goals
- Distinguish Compliance vs. Risk Control
  - Stakeholder drivers
  - Objectives and outcome
- Provide methods to establish a Program Certification/Attestation Model
- Transform from Business Continuity to an Independent Risk Control Utility
- Provide methods to implement an Independent Utility Risk Control Model
  - Governance
  - Plan review (BIA, plan, crisis management)
  - Testing (validation)
  - Typical risk control findings from a fully compliant program
- Provide tangible "how-to's" to take back and apply to your program
Compliance vs. Risk Control – Stakeholder Drivers
Management
- Program Compliance
  - Ascertain overall program "health" by measuring policy compliance
  - Track business progress towards completing BCM milestones
  - Respond to deficiencies or missing progress
  - Compare standing versus geographic and business peers
- Deficiency Management and Risk Mitigation
  - Ascertain overall program "health" by measuring the level of risk control and compliance issues
  - Track business progress towards resolving program compliance and risk control issues
  - Compare standing versus geographic and business peers

Risk Control (Ops Risk/Audit)
- Program Compliance
  - Determine key issues from a geographical, business and discipline perspective
  - Develop risk trends on issues and non-compliance
  - Track business progress towards completing BCM milestones
- Deficiency Management and Risk Mitigation
  - Analyze deficiency root cause so appropriate corrective action can be taken
  - Develop risk trends on issues and non-compliance
  - Track business progress towards resolving program compliance and risk control issues

Business Recovery Coordinator
- Program Compliance
  - Track business progress against milestones
  - Attest to business completion and compliance
- Deficiency Management and Risk Mitigation
  - Analyze deficiency root cause so appropriate corrective action can be taken
  - Prioritize based on risk exposure and track issue resolution
Foundation and Framework
Foundation – Program source and core
- Publish policy, mandates, standards
- Align to in-country regulations and industry best practice; support firm objectives
- Avoid loopholes that can crack your foundation (aka the program)

Framework – The program structure
- Implementation – How to achieve compliance
- Expectations – Minimum requirements
- Span of control – Areas involved, exceptions
- Inspection – Ensure adherence

Implementation
- Clearly communicate mandates and expectations for all businesses
- Establish a steady pace to update and maintain planning milestones

Ensuring Compliance and Risk Control
- Cyclical checkpoints to affirm compliance
- Business certification
- Independent validation and verification
Distinguishing between Compliance and Risk Control
Business Impact Analysis (BIA)
- Compliance: loss impacts; RTO/RPO; process prioritization
- Risk issues: the business may not be aware of all risks and their impact on its processes in the event of a disaster.

Crisis/Incident Management Plan (CMP)
- Compliance: response and decision protocols; key contacts; escalation
- Risk issues: the plan may not be viable and ready to execute, which can impair the ability to resume and/or sustain business-as-usual processes.

Business Recovery Plan (BRP)
- Compliance: strategy; work area requirements; staffing; impact mitigation
- Risk issues: the plan may be insufficient to minimize financial losses, continue to serve stakeholders, and mitigate the negative effects of the disruption.

Governance
- Compliance: having responsible owners and maintainers of the program
- Risk issues: production and recovery planning may fall out of sync, resulting in a breakdown in the ability to recover.

Testing
- Compliance: execution of plan strategies and protocols to validate mitigation of the impacts noted in the BIA.
- Risk issues: untested strategies leave theories unproven; testing is what discovers gaps and more effective methods of recovery.
Program Compliance Certification
Defined
Provides evidence as to the effectiveness of continuity planning programs, which include risk assessment, business impact analysis, planning, containment and recovery strategies, testing, training and awareness, compliance, independent review and governance.
Business certifies and takes ownership of their program
Forces management action on deficiencies through corrective action plans or risk acceptances
Raises exposure level to the program
Supports regulatory and audit requirements
Benchmarks business standing
Improvement/Deterioration trending
Program Certification Process
Create an attestation-type questionnaire that addresses each policy mandate to certify:
- Yes – business completed to the letter of the policy
- No – business is not in compliance
Supporting evidence:
- Yes – where can the evidence be found (centralized planning system, shared drive, etc.)?
- No – what is the gap? What is the resolution? When will the resolution be implemented?
The Business Manager approves the compliance attestation standing, thus certifying the compliance results and committing to resolve any deficiencies.
Transform from Continuity to Independent Risk Control
Limitations of relying solely on Program Certification
- "Check the box" mentality
- Risk taking / "rounding up"
- Creation of an artificial ceiling on program improvement and maturity

The Continuity Program transforms into a Centralized Independent Risk Control Utility
- Align the program to an audit style backed by continuity subject matter expertise
- Become a service organization by:
  - Validating compliance certifications
  - Identifying gaps and partnering to resolve them
  - Injecting risk control into a policy-compliant program
- Evolve your program to operate horizontally across the firm's organization
Creating and Conducting an Independent Review

Objective
- Evaluate plans to assess the comprehensiveness, usability and quality of the documents
- Establish a benchmark for what to correct prior to an official audit
- Assist the business to identify and correct audit or compliance deficiencies

Implementation
- Identify and prioritize plans to be reviewed by risk/criticality rating
  - High-rated: annually
  - Medium- and Low-rated: in alternating years (each tier reviewed on a two-year cycle)
- Evaluate each plan by...
  - Answering each question with a Compliant, Not Compliant, or Compliant with Risk Issue rating
  - Documenting limitations or issues
  - Providing recommended corrective actions

Tools and Reference Material to assist in the review
- Firm policy and standards
- Regulatory guidelines
- Audit program guidelines and requirements
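As an added illustration of the closed loop between the certification questionnaire (a Yes/No answer per mandate, backed by an evidence location or by a gap and resolution date) and the independent review rating (Compliant, Not Compliant, or Compliant with Risk Issue), the Python below reconciles the two and surfaces the findings an independent utility would raise: "Yes" answers with no locatable evidence or contradicted by the reviewer, "No" answers without a corrective action plan, and overdue remediation. This is example code written for this page, not Citi's tooling; the mandate identifiers, evidence locations, review notes, finding codes and dates are all constructed for illustration.

```python
"""Reconcile business self-certification against an independent risk-control
review.  Added example for this page, not Citi's tooling.  Mandate IDs,
evidence locations, review notes and dates are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Attestation:
    """One questionnaire answer signed off by the business."""
    mandate: str
    compliant: bool                        # Yes/No to the letter of the policy
    evidence: Optional[str] = None         # where the evidence can be found, if Yes
    gap: Optional[str] = None              # what is missing, if No
    resolution_due: Optional[date] = None  # when the gap will be closed, if No


@dataclass
class ReviewResult:
    """Independent reviewer's rating of the same mandate."""
    mandate: str
    rating: str  # "compliant" | "not compliant" | "compliant with risk issue"
    note: str = ""


Finding = Tuple[str, str, str]  # (mandate, finding code, detail)


def reconcile(attestations: List[Attestation], reviews: List[ReviewResult],
              evidence_index: set, today: date) -> List[Finding]:
    """Compare what the business certified with what the reviewer found.

    Finding codes (constructed for this example):
      CHECK_THE_BOX  - certified Yes but evidence cannot be located, or the
                       independent review rated the mandate not compliant
      RISK_ISSUE     - policy-compliant, but the reviewer raised a risk issue
      NOT_VALIDATED  - certified Yes with no independent review on file
      INCOMPLETE_CAP - certified No without a gap description or due date
      OVERDUE        - certified No and the corrective action is past due
    """
    by_mandate: Dict[str, ReviewResult] = {r.mandate: r for r in reviews}
    findings: List[Finding] = []
    for a in attestations:
        review = by_mandate.get(a.mandate)
        if a.compliant:
            if not a.evidence or a.evidence not in evidence_index:
                findings.append((a.mandate, "CHECK_THE_BOX",
                                 "attested Yes but evidence cannot be located"))
            if review is None:
                findings.append((a.mandate, "NOT_VALIDATED",
                                 "no independent review on file"))
            elif review.rating == "not compliant":
                findings.append((a.mandate, "CHECK_THE_BOX",
                                 "independent review contradicts attestation: " + review.note))
            elif review.rating == "compliant with risk issue":
                findings.append((a.mandate, "RISK_ISSUE", review.note))
        else:
            if not a.gap or a.resolution_due is None:
                findings.append((a.mandate, "INCOMPLETE_CAP",
                                 "a No answer must carry a gap description and a resolution date"))
            elif a.resolution_due < today:
                findings.append((a.mandate, "OVERDUE",
                                 "corrective action was due " + a.resolution_due.isoformat()))
    return findings


def program_health(attestations: List[Attestation],
                   reviews: List[ReviewResult]) -> Tuple[float, float]:
    """Self-reported compliance rate versus the independently validated rate
    (share of mandates the reviewer rated plain 'compliant')."""
    total = len(attestations)
    self_reported = sum(a.compliant for a in attestations) / total
    validated = sum(r.rating == "compliant" for r in reviews) / total
    return round(self_reported, 2), round(validated, 2)


# Constructed sample: five mandates certified by one business unit.
SAMPLE_ATTESTATIONS = [
    Attestation("GOV-1", True, evidence="planning-system://GOV-1/roles"),
    Attestation("BIA-1", True, evidence="shared-drive://bia/2016-q1.xlsx"),
    Attestation("CMP-1", True),  # Yes, but nobody said where the evidence is
    Attestation("BRP-1", False, gap="no manual workarounds documented",
                resolution_due=date(2016, 3, 31)),
    Attestation("TST-1", False),  # No, with no gap or date at all
]
SAMPLE_REVIEWS = [
    ReviewResult("GOV-1", "compliant"),
    ReviewResult("BIA-1", "compliant with risk issue",
                 "4-hour RTO is not supported by the quantified loss impacts"),
    ReviewResult("CMP-1", "not compliant", "crisis team roster lists no backups"),
    ReviewResult("BRP-1", "not compliant"),
    ReviewResult("TST-1", "not compliant"),
]
# Constructed: the evidence locations the reviewer could actually open.
SAMPLE_EVIDENCE_INDEX = {"planning-system://GOV-1/roles",
                         "shared-drive://bia/2016-q1.xlsx"}


def run_example(today: date = date(2016, 6, 14)):
    findings = reconcile(SAMPLE_ATTESTATIONS, SAMPLE_REVIEWS,
                         SAMPLE_EVIDENCE_INDEX, today)
    return findings, program_health(SAMPLE_ATTESTATIONS, SAMPLE_REVIEWS)


if __name__ == "__main__":
    found, (self_rate, validated_rate) = run_example()
    for mandate, code, detail in found:
        print(f"{mandate:6} {code:14} {detail}")
    print(f"self-reported compliance {self_rate:.0%}, validated {validated_rate:.0%}")
```

The two health figures are the point: the business reports itself 60% compliant, the independent review validates 20%, and every unit of the difference is a named finding with an owner, which is what "exposes check-the-box certifications" means in practice.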
Establish Independent Risk Control Test
Create a checklist that focuses on core program remits:
- Governance (roles and responsibilities)
- Assessment (identification and prioritization of processes, BIA)
- Crisis Management (escalation; staffing; notification)
- Business Continuity Plan Requirements (protocols, procedures, vital records, work area requirements)
- Validation (call tree, business continuity, training exercises)
- Compliance (audits, certifications, disclosures)
Validating Governance
Objective: To validate that a business has...
- An owner (e.g. Business Unit Head) who is accountable for the continuity of the business in scope.
- An implementer (e.g. Business Recovery Coordinator) who is responsible for developing and maintaining recovery plan components and requirements.

Risk Control
- Establish the necessary framework, roles, responsibilities and backup positions for the effective administration of the CoB program
- Ensure adequate management, ownership and accountability of the business' continuity program.

Evaluation Findings
- Challenge the understanding and training of the members who occupy the roles.
- Are the Business Heads truly accountable for the day-to-day business?
- Does proper succession planning exist?
Validating Business Assessment
Objective
- Identify, evaluate and prioritize the functions necessary to continue operations during a contingency.
- Determine whether the prioritization, RTO, RPO and criticality ratings of business processes adequately reflect the current business environment.
- Set proper direction on recovery strategy development and implementation.

Risk Control
- Business processes are captured at the appropriate level
- Assigned RTOs are justified by the quantitative and qualitative impacts

Evaluation Findings
Policy typically requires processes to have an RTO. Independent reviews challenge and validate the RTO and impacts so that appropriate strategies are formulated.
Validating Recovery Plan
Objective
To validate the plan's adequacy, effectiveness and quality by ensuring all BIA objectives and requirements are addressed in the plan strategy.

Risk Control by determining whether the plan...
- Addresses the recovery of key processes and sub-processes according to their criticality ratings.
- Has a strategy that sustains the minimum RTO identified in the BIA and includes the protocols necessary to recover functions that support business interdependencies.
- Considers dependencies on processes external to the business, whether they are internal to the company or provided by vendors or other third parties.
- Provides manual workarounds to be used as appropriate when systems and technology backups are not available.

Evaluation Findings
Policy typically requires a strategy and the basic requirements to support it. Risk control fine-tunes the plan to focus on cost-effective solutions, closing loopholes in the supply chain, and establishing SLAs where handshake agreements may expose the business during a crisis.
Validating Crisis/Incident Response Plan
Objective
Determine whether protocols and roles are appropriate and effective for the business to respond, react and mitigate.

Risk Control
- An ineffective response to a crisis event can delay invocation and put critical RTOs in jeopardy.
- Clear protocols and decision-making checklists facilitate a quicker response during an incident.

Evaluation Findings
- Ensure crisis teams are not only staffed, but staffed with the right people and backups.
- Apply what is on paper to local risk.
- Findings can be vetted during tabletop exercises.
Validating Recovery Exercise Process
Objective
Validate the adequacy and effectiveness of how businesses test their recovery capabilities, and ensure those capabilities are sufficient to mitigate risk.

Risk Control verifies that...
- The plan is tested to ensure the business process is functional in all aspects.
- Test results indicate whether testing objectives and success criteria have been met.
- Application testing at an alternate location includes network connectivity and other critical data feed mechanisms (e.g. connections and interfaces).
- Tests are performed using actual production data.
- The status of corrective action plan(s) developed to address problems encountered during tests is tracked.
- The plan properly supports and reflects the goals, SLAs and priorities of the business unit.

Evaluation Findings
- Structure of call trees (linear or cascade)
- Recovery tests rigged for success that do not challenge realistic scenarios
- Testing capacity
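The call tree finding is easy to quantify, which is worth doing before a tabletop exercise. The Python below, added for this page and not part of the original presentation, builds a linear and a cascade (fan-out) call tree over a constructed roster of 16 people and simulates notification rounds with one contact unreachable, with and without the common escalation rule that a caller who cannot reach someone takes over that person's calls. The roster names, the fan-out of two and the choice of unreachable contact are assumptions for illustration.

```python
"""Call tree structure simulation: linear chain versus cascade (fan-out).
Added example for this page, not part of the original presentation.  The
roster, fan-out and the unreachable contact are constructed for illustration."""
from typing import Dict, List, Set, Tuple

CallTree = Dict[str, List[str]]  # caller -> people that caller must notify


def linear_tree(people: List[str]) -> CallTree:
    """Each person calls only the next person on the list."""
    tree = {p: [q] for p, q in zip(people, people[1:])}
    tree[people[-1]] = []
    return tree


def cascade_tree(people: List[str], fan_out: int) -> CallTree:
    """Level-order tree: the person at index i calls the fan_out people at
    indexes fan_out*i+1 .. fan_out*i+fan_out (a heap-style layout)."""
    return {p: people[fan_out * i + 1: fan_out * i + fan_out + 1]
            for i, p in enumerate(people)}


def simulate(tree: CallTree, root: str, unreachable: Set[str],
             escalate_on_failure: bool) -> Tuple[int, int]:
    """Propagate the notification round by round.

    Every reached person places all of their calls in the same round.  A call
    to someone in `unreachable` fails; with escalate_on_failure the caller
    takes over that person's calls in the next round, otherwise that branch is
    silently lost.  Returns (people reached, rounds of calling).
    """
    reached = {root}
    pending = [(root, callee) for callee in tree[root]]
    rounds = 0
    while pending:
        rounds += 1
        next_pending = []
        for caller, callee in pending:
            if callee in unreachable:
                if escalate_on_failure:  # caller inherits the failed node's list
                    next_pending.extend((caller, c) for c in tree[callee])
                continue
            reached.add(callee)
            next_pending.extend((callee, c) for c in tree[callee])
        pending = next_pending
    return len(reached), rounds


def compare_structures(people: List[str], fan_out: int,
                       unreachable: Set[str]) -> Dict[str, Tuple[int, int]]:
    """Run both structures with and without escalation for the same outage."""
    root = people[0]
    trees = {"linear": linear_tree(people), "cascade": cascade_tree(people, fan_out)}
    results = {}
    for name, tree in trees.items():
        results[f"{name}/no outage"] = simulate(tree, root, set(), False)
        results[f"{name}/outage, no escalation"] = simulate(tree, root, unreachable, False)
        results[f"{name}/outage, escalation"] = simulate(tree, root, unreachable, True)
    return results


# Constructed roster of 16 people; P03 (third call in the chain) cannot be reached.
ROSTER = [f"P{i:02d}" for i in range(16)]
UNREACHABLE = {"P03"}

if __name__ == "__main__":
    for scenario, (reached, rounds) in compare_structures(ROSTER, 2, UNREACHABLE).items():
        print(f"{scenario:32} reached {reached:2}/{len(ROSTER)} in {rounds:2} rounds")
```

The numbers make the finding concrete: a linear chain stalls at the first unreachable contact and, even when everyone answers, needs one round per person, whereas a fan-out tree of the same size loses only one branch and finishes in a few rounds. The escalation rule is what recovers the lost branch in either structure, so a review should check not only the shape of the tree but whether the plan tells callers what to do when a call fails.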
Typical findings from a Compliant Program

General Findings
- Plans are not reader-friendly and lack logical flow. Most plans are too long to be of value.
- Key items such as assembly points, the location of the recovery site and directions to it are difficult to find.

Assessment
- Limited documentation of a threat and vulnerability assessment having been conducted.
- Plan criticality is inconsistent between the process requirement and the impacts.

Strategy
- Critical information such as evacuation procedures is not documented.
- Holes in recovery requirements.

Plan Requirements
- Many of the notification and communication procedures are missing vital information.
- Limited logistical protocols (e.g. directions to the recovery site; expense management, etc.)
- Most strategies do not contain procedures for resumption to BAU.
- Lack of documentation around disclosures.

Testing
- Call tree implementation structure
Recap and Considerations
- Establish a baseline for policy, mandates and standards
- Force businesses to certify their program compliance standing
- Transform the Continuity Program into an Independent Risk Control Utility
- Validate certification
  - Partner with the business to address risk control issues.
  - Separate black-and-white policy compliance from program quality, effectiveness and adequacy.
  - Expose and remediate Audit's typical touch points on the business' behalf.
- Create a closed-loop Compliance and Risk Control system
  - Risk control validation exposes "check the box" compliance certifications.
- Reap the benefits
  - Achieve true business compliance
  - Address key risks through corrective actions or management acceptance
  - Have Audit place reliance on your program to centralize continuity reviews
  - Raise the program maturity level
  - Achieve effective, executable and validated recovery plans and strategies
  - Go beyond "check the box"