Business Continuity Management a Key Component of Enterprise Risk Management

Author: Maud Sullivan
Continuity Insights Management Conference April 26-28, 2004, New Orleans

Business Continuity Management a Key Component of Enterprise Risk Management

Presented By:

Richard Cooper
Business Protection Systems International (BPSI)
www.businessprotection.com

© 1986 – 2004 Business Protection Systems International. All rights reserved. All registered trademarks and names belong to their respective owners.

What Does Business Continuity Management have to do with Enterprise Risk Management?

Traditional Views of the Purpose of BCM

- Data Preservation
- Disaster Response Preparedness
- Recovery from Business Interruptions
- Recognized as an IT Problem

Our Current Views of the Purpose of BCM

- Enterprise Resiliency
- Preserving Valuable Relationships with Suppliers, Customers, Employees and other Stakeholders
- Controls for Improved Governance and Compliance
- A Tool for Improved Risk Management

The BCI Definition of BCM

“Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.”

BCM Disciplines as seen by the BCI

(Diagram: Business Continuity Management shown alongside the related disciplines listed below.)

- Crisis Communications & PR
- Security
- Emergency Management
- Knowledge Management
- Health & Safety
- Quality Management
- Supply Chain Management
- Facilities Management
- Disaster Recovery
- Risk Management
- Business Continuity Management

Benefits of Enterprise BCM

- Improved Governance and Ethics
- More Resilient Enterprise
- Improved Response to Crises
- Improved Regulatory Compliance
- Enhanced Enterprise Value

What is Enterprise Risk Management?

Enterprise risk management is a comprehensive, systematic approach for helping all organizations, regardless of size or mission, to identify events, and measure, prioritize and respond to the risks challenging the projects and initiatives they undertake. Enterprise risk management enables an organization to determine what level of risk it can— or wants to—accept as it seeks to build shareholder value.

Source: www.erm.coso.org

Why is ERM such a Hot Topic?

Corporate Governance

Regulatory Pressure | Criminal Consequences of Non-Compliance
HIPAA Security Rule | Fines and imprisonment for up to 5 years
Gramm-Leach-Bliley Act Safeguard Rule | Fines to $250,000 and imprisonment for up to 10 years
Sarbanes-Oxley 404 Rules | Fines up to $5 million and prison sentences for up to 20 years for deliberate violations

Objectives of Corporate Governance

- Improved Financial Record-keeping and Reporting
- Accountability of Senior Officers through Certifications
- More Timely and Better Disclosures
- Improved Regulatory Compliance
- Enhanced Enterprise Value

How are Most Organizations Addressing Corporate Governance Needs?

The COSO Framework for Internal Controls

COSO Definition of Internal Control: Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting; and
- Compliance with applicable laws and regulations

COSO: The Committee of Sponsoring Organizations of the Treadway Commission

Principles of Sound Operational Risk Management

(Diagram: the ten principles of sound operational risk management released by Basel, courtesy of Methodware, grouped into four areas.)

Developing an Appropriate Risk Management Environment (principles 1–3)
1. Board sets strategy and framework plus oversight
2. Framework subject to effective and comprehensive internal audit
3. Senior Management responsible for implementing the Framework

Risk Management: Identification, Measurement, Monitoring and Control (principles 4–7)
4. Identify & Assess Risks
5. Monitor Risk Profiles and Losses
6. Policies, Processes and Procedures to mitigate Risks
7. Contingency and Business Continuity Plans

Role of Supervisors (principles 8–9)
8. Ensure effective framework in place
9. Regular evaluation of strategies, Policies, procedures & practices

Disclosure (principle 10)
10. Public disclosure of Risk exposure & Quality of Management

The Ten Certification Standards For Business Continuity Practitioners

1. Project Initiation and Management
2. Risk Evaluation and Control
3. Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining and Exercising Business Continuity
9. Public Relations and Crisis Coordination
10. Coordination with Public Authorities

Principles of Sound Business Continuity Management

(Diagram: the ten certification standards arranged in the same three areas as the Basel operational risk principles.)

Developing an Appropriate Risk Management Environment (principles 1–3)
1. Project Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis

Risk Management and Control (principles 4–8)
4. Developing Business Continuity Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining and Exercising Business Continuity Plans

Communication and Disclosure (principles 9–10)
9. Public Relations and Crisis Coordination
10. Coordination with Public Authorities

An Enterprise BCM Program

- Risk Assessment and Business Impact Analysis
- Control Activities to Mitigate and Contain Risks
- Emergency or Contingency Plans to Operate During and to Recover from Disruptive Incidents
- Communications throughout the Enterprise to Promote an Environment that Encourages Compliance and Ethical Conduct
- Monitoring, Testing and Maintaining the Control Systems to Promote Continued Compliance

Why should a BCM Professional Care about ERM?

By better understanding the issues that concern the Board of Directors, a BCM professional is better positioned to articulate the importance of a strong business continuity management program for the enterprise.

BCM and Other Compliance Measures

- HIPAA Security Rule
- Gramm-Leach-Bliley Act - Safeguard Rule
- California’s SB 1386
- Basel II
- Senator Feinstein’s Bill - NORPDA
- Corporate Governance - Board of Director’s Risk Management Responsibilities
- COBIT
- Turnbull Report
- Sarbanes-Oxley 404 Rules
- ISO 7799

ERM and BCM

- COSO Framework’s Similarity to a Holistic BCM Program
- Applicability of the BCM Process to Internal Controls Compliance
- Jumping off Point for Initiation of Holistic BCM

Contact Us At Business Protection Systems International, Inc.

Richard Cooper, E.V.P., Business Development and Alliances
5041 La Mart Drive, Suite 130
Riverside, CA 92507 USA
main: (909) 341-5050
toll free: (800) 594-3714
fax: (909) 341-5049

[email protected]

www.businessprotection.com