ABCs of Operational Resilience Management: Protecting and Sustaining Organizational Missions

Dr. Nader Mehravari, MBCP, MBCI
March 15, 2016
DRJ Spring World, Orlando, FL

Objectives of the Workshop

- Introductory coverage of: Resilience Management, Operational Resilience, Cyber Resilience
- Wide, but not too deep, coverage of the landscape
- Intended for an audience with diverse backgrounds
- Key aspects to be explored
  - Vocabulary and nomenclature
  - What is it?
  - Why is it important?
  - Business and operational drivers
  - Who is asking for it?
  - Trends
  - Standards
  - Solution techniques
  - Particular tools and frameworks
  - Success stories

OUTLINE

- Setting the Stage
  - Three Stories; Same Conclusion
    - Hacking of Forbes Inc.
    - Sandy's Surprises
    - Nader's Briefcase
    - Conclusion: Expansion of the risk environment
  - CHECKLIST: Characterizing one's risk environment
- Challenges to Organizational Mission
  - Why are we having this discussion?
  - Why is this subject important?
  - CHECKLIST: Identifying your critical products and services
- Operational Stress
  - What is operational stress?
  - Illustration through examples: key cyber and kinetic disruptive events over the past 36 months
  - Scope of operational stress

    - Natural or manmade
    - Accidental or intentional
    - Small or large
    - Information technology or operational technology based
    - Kinetic or cyber
    - Affecting
      - People assets
      - Information assets
      - Technology assets
      - Facility assets
      - Supply chain assets
  - CHECKLIST: What does operational stress mean to your organization?
- Yesterday vs. Today
  - What has changed over the years that has expanded our risk environment and made it ever more dynamic?
    - Changes in disaster recovery objectives
    - Changes in application complexities
    - Changes in business process complexities
    - Ever-increasing capability and complexity of products and services
    - Disappearance of geographical boundaries
    - Attack sophistication vs. intruder technical knowledge
    - Where was the information stored?
    - Who had control over the information?
    - Who valued our information?
    - Who created the information?
    - Changes in today's business environment
  - CHECKLIST: Internal environmental scan (What has changed internally?)
  - CHECKLIST: External environmental scan (What has changed externally?)
- Resilience, Operational Resilience, Cyber Resilience
  - Risk & Resilience
    - Enterprise Risk Management
    - Operational Risk Management
    - Operational risk management exacerbated by
      - actions of people
      - systems and technology failures
      - failed internal processes
      - external events
    - Why do operational risks matter?
    - CHECKLIST: What are your operational risks? Who will be affected if they are realized?
  - Concept of Resilience and Operational Resilience
    - Resilience
    - Operational Resilience
    - Operational Resilience Management
    - Cyber Resilience
    - What makes an entity operationally resilient?


    - Hurdles to effective operational risk management
    - CHECKLIST: What hurdles do you face to effective operational resilience management?

- Business Drivers
  - Who is talking about it? Who is asking for it?
  - Indications and Business Drivers from a Variety of Fronts
    - Federal Government
    - Other Countries
    - Academic Institutions
    - Publishing
    - Job Market
    - Standards
    - Social Media
    - Commercial Industry
    - Business Continuity Community
    - Today's Business Environment
    - Other External Drivers
- Policies, Regulations, Standards
  - Recent policy, regulation, and standard development affecting the landscape
    - Federal / Commercial
    - Public / Private
    - National / International
- Solution Technique – Cornerstones of Resilience Management
  - Risk Management – Operational Risk Management
  - Convergence
    - Benefits of Convergence and Integration
    - Enemies of convergence
    - Integration of key elements
      - Information & cyber security
      - IT Operations
      - Continuity of operations and business continuity
      - Incident and emergency management
      - Workforce continuity
    - CHECKLIST: What operational risk management activities (silos) exist? Are there opportunities for convergence of some sort? Where would you start?
  - Organizational Construct for Resilience Activities
    - EXERCISE – Parts 1 and 2
    - Organizational assets relevant to operational resilience
      - People assets
      - Information assets
      - Technology assets
      - Facility assets
      - Supply chain assets
    - EXERCISE – Part 3


  - Protection and sustainment activities
    - CHECKLIST: Draw the resilience context diagram for your organization.
  - Resilience Requirements
    - EXERCISE – Parts 4 and 5
    - EXERCISE – Parts 6 and 7
  - Operational risk and resilience
    - EXERCISE – Parts 8 and 9
    - CHECKLIST: What are your resilience requirement categories?
    - CHECKLIST: Repeat the exercise for your organization.
  - Lifecycle view of operational resilience
  - Institutionalization
    - Institutionalizing a culture of resilience

- Resilience Management Model (RMM)
  - Background and history
    - What is RMM?
    - How was RMM developed?
    - What drove development of RMM?
    - RMM process areas
  - Core Principle and Focus of RMM
  - Foundational Elements of RMM
    - Operational Resilience
    - Operational Risk Management
    - Convergence
    - Organizational Construct for Resilience Activities
    - Protection & Sustainment Activities
    - Institutionalization
  - Institutionalization
  - Capability Dimension
  - Lifecycle View
  - Code of Practice Crosswalk
  - Organization of the Model
    - Structure and components
  - Using the Model
    - Using CERT-RMM for Improvement
  - Distinguishing Features of RMM
  - Variety of ways that RMM has been used by others
  - Success Stories – Real Life Samples
    - US Department of Homeland Security
    - US Department of Energy
    - US Postal Service
    - Lockheed Martin
    - Other examples
  - Challenges
    - Unsolved problems

- Summary
  - Make a long-term commitment
  - Understand the big picture
  - Prevention is futile
  - Operational and Cyber Resilience are risk management issues
  - Compliance ≠ Security or Resilience
  - Continually balance protection and sustainment activities
  - Integrate and coordinate all operational risk management activities
  - Invest in people and process
  - Overcome organizational hurdles
  - Create a culture of resilience
  - Establish governance (strategy, plan, sponsorship, performance) for operational resilience.
  - Utilize a proven and structured framework to guide resilience management activities
- Step-By-Step / Checklist / Roadmap (developed throughout the workshop)
  - Identify your critical products and services (Why do you exist?)
  - What does operational stress mean to you?
  - Internal environmental scan (What has changed internally?)
  - External environmental scan (What has changed externally?)
  - Characterize your risk environment.
  - What are your operational risks? Who will be affected if they are realized?
  - What hurdles do you face to effective operational resilience management?
  - What operational risk management activities (silos) exist? Are there opportunities for convergence of some sort?
  - Draw the resilience context diagram for your organization.
  - What are your resilience requirement categories?
  - Repeat the exercise for your organization.
  - Select a process improvement cycle. Do you already use one?
  - Select a sample problem at your organization and do a model scoping exercise.

Copy of slides available at: https://dl.dropboxusercontent.com/u/33692579/2016031516ABCOpRes.pdf