ABCs of Operational Resilience Management Protecting and Sustaining Organizational Missions
ABCs of Operational Resilience Management Protecting and Sustaining Organizational Missions Dr. Nader Mehravari, MBCP, MBCI March 15, 2016 DRJ Spring World Orlando, FL
Objectives of the Workshop
Introductory coverage of: Resilience Management, Operational Resilience, Cyber Resilience
Wide, but not too deep, coverage of the landscape
Intended for an audience with diverse backgrounds
Key aspects to be explored:
o Vocabulary and nomenclature
o What is it?
o Why is it important?
o Business and operational drivers
o Who is asking for it?
o Trends
o Standards
o Solution techniques
o Particular tools and frameworks
o Success stories
OUTLINE

Setting the Stage
o Three Stories; Same Conclusion
  o Hacking of Forbes Inc.
  o Sandy's Surprises
  o Nader's Briefcase
  o Conclusion: Expansion of the risk environment
o CHECKLIST: Characterizing one's risk environment

Challenges to Organizational Mission
o Why are we having this discussion?
o Why is this subject important?
o CHECKLIST: Identifying your critical products and services

Operational Stress
o What is operational stress?
o Illustration through examples: key cyber and kinetic disruptive events over the past 36 months
o Scope of operational stress
  o Natural or manmade
  o Accidental or intentional
  o Small or large
  o Information technology or operational technology based
  o Kinetic or cyber
  o Affecting people assets, information assets, technology assets, facility assets, or supply chain assets
o CHECKLIST: What does operational stress mean to your organization?

Yesterday vs. Today
o What has changed over the years that has expanded our risk environment and made it ever more dynamic?
  o Changes in disaster recovery objectives
  o Changes in application complexities
  o Changes in business process complexities
  o Ever-increasing capability and complexity of products and services
  o Disappearance of geographical boundaries
  o Attack sophistication vs. intruder technical knowledge
  o Where was the information stored?
  o Who had control over the information?
  o Who valued our information?
  o Who created the information?
  o Changes in today's business environment
o CHECKLIST: Internal environmental scan (What has changed internally?)
o CHECKLIST: External environmental scan (What has changed externally?)

Resilience, Operational Resilience, Cyber Resilience
o Risk & Resilience
  o Enterprise Risk Management
  o Operational Risk Management
  o Operational risk management is exacerbated by: actions of people; systems and technology failures; failed internal processes; external events
o Why do operational risks matter?
o CHECKLIST: What are your operational risks? Who will be affected if they are realized?
o Concept of Resilience and Operational Resilience
  o Resilience
  o Operational Resilience
  o Operational Resilience Management
  o Cyber Resilience
o What makes an entity operationally resilient?
o Hurdles to effective operational risk management
o CHECKLIST: What hurdles do you face to effective operational resilience management?
Business Drivers
o Who is talking about it? Who is asking for it?
o Indications and business drivers from a variety of fronts
  o Federal Government
  o Other countries
  o Academic institutions
  o Publishing
  o Job market
  o Standards
  o Social media
  o Commercial industry
  o Business continuity community
  o Today's business environment
  o Other external drivers

Policies, Regulations, Standards
o Recent policy, regulation, and standard development affecting the landscape
  o Federal / commercial
  o Public / private
  o National / international

Solution Technique: Cornerstones of Resilience Management
o Risk Management: Operational Risk Management
o Convergence
  o Benefits of convergence and integration
  o Enemies of convergence
  o Integration of key elements: information & cyber security; IT operations; continuity of operations and business continuity; incident and emergency management; workforce continuity
  o CHECKLIST: What operational risk management activities (silos) exist? Are there opportunities for convergence of some sort? Where would you start?
o Organizational Construct for Resilience Activities
  o EXERCISE: Parts 1 and 2
  o Organizational assets relevant to operational resilience: people assets; information assets; technology assets; facility assets; supply chain assets
  o EXERCISE: Part 3
o Protection and sustainment activities
  o CHECKLIST: Draw the resilience context diagram for your organization.
o Resilience Requirements
  o EXERCISE: Parts 4 and 5
  o EXERCISE: Parts 6 and 7
  o Operational risk and resilience
  o EXERCISE: Parts 8 and 9
  o CHECKLIST: What are your resilience requirement categories?
  o CHECKLIST: Repeat the exercise for your organization.
o Lifecycle view of operational resilience
o Institutionalization: institutionalizing a culture of resilience

Resilience Management Model (RMM)
o Background and history
  o What is RMM?
  o How was RMM developed?
  o What drove development of RMM?
  o RMM process areas
o Core principle and focus of RMM
o Foundational elements of RMM
  o Operational Resilience
  o Operational Risk Management
  o Convergence
  o Organizational Construct for Resilience Activities
  o Protection & Sustainment Activities
  o Institutionalization
  o Capability Dimension
  o Lifecycle View
  o Code of Practice Crosswalk
o Organization of the Model
  o Structure and components
o Using the Model
  o Using CERT-RMM for improvement
  o Distinguishing features of RMM
  o Variety of ways that RMM has been used by others
o Success Stories: real-life samples
  o US Department of Homeland Security
  o US Department of Energy
  o US Postal Service
  o Lockheed Martin
  o Other examples
o Challenges
  o Unsolved problems
Summary
o Make a long-term commitment
o Understand the big picture
o Prevention is futile
o Operational and cyber resilience are risk management issues
o Compliance ≠ Security or Resilience
o Continually balance protection and sustainment activities
o Integrate and coordinate all operational risk management activities
o Invest in people and process
o Overcome organizational hurdles
o Create a culture of resilience
o Establish governance (strategy, plan, sponsorship, performance) for operational resilience
o Utilize a proven and structured framework to guide resilience management activities

Step-By-Step / Checklist / Roadmap (developed throughout the workshop)
o Identify your critical products and services (Why do you exist?)
o What does operational stress mean to you?
o Internal environmental scan (What has changed internally?)
o External environmental scan (What has changed externally?)
o Characterize your risk environment.
o What are your operational risks? Who will be affected if they are realized?
o What hurdles do you face to effective operational resilience management?
o What operational risk management activities (silos) exist? Are there opportunities for convergence of some sort?
o Draw the resilience context diagram for your organization.
o What are your resilience requirement categories?
o Repeat the exercise for your organization.
o Select a process improvement cycle. Do you already use one?
o Select a sample problem at your organization and do a model scoping exercise.

Copy of slides available at: https://dl.dropboxusercontent.com/u/33692579/2016031516ABCOpRes.pdf