Transcript PowerPoint - Flagg Management Inc

Regulations, Best Practices and
Standards
An Overview and Case Study for
Putting it to Work in Your Organization
Flagg Management Conference
March 17, 2009 – 3:10 P.M.
Tom Martin
[email protected]
Tim Mathews
[email protected]
Karen Hughes
[email protected]
Level Setting Definitions
Regulations (Source: Georgetown Law School)
A type of "delegated legislation" promulgated by a state, federal or local administrative
agency given authority to do so by the appropriate legislature. Regulations generally
are very specific in nature, they are also referred to as "rules" or simply "administrative
law."
Best Practices (Source: Business Dictionary. COM)
Methods and techniques that have consistently shown results superior than those
achieved with other means, and which are used as benchmarks to strive for.
There is, however, no practice that is best for everyone or in every situation, and
no best practice remains best for very long as people keep on finding better ways
of doing things.
Standards (Source: International Standards Organization - ISO)
Documented agreements containing technical specifications or other precise criteria
to be used consistently as rules, guidelines or definitions of characteristics, to ensure
that materials, products, processes and services are fit for their purpose.
2
5/19/08
Regulations, Best Practices & Standards
• Regulatory (US)
 FFIEC - Federal Financial Institutions Examination Council
 OCC - Office of the Controller of the Currency





FINRA - The Financial Industry Regulatory Authority
SEC - Securities and Exchange Commission
HIPAA - Health Insurance Portability and Accountability Act
SOX - Sarbanes-Oxley
+ Others
• Regulatory (International)
 FSA - Financial Services Authority (UK)
 MAS - Monetary Authority of Singapore
 Basel II – G10 Countries (Basel, Switzerland – June 2004)
3
5/19/08
Regulations, Best Practices & Standards
• Best Practices
 ASIS International - Preparedness & Continuity Management Best
Practice Standard
 DRII/BCI - Professional Practices for Business Continuity Planners
 BCI - The BCI Good Practice Guidelines 2007 (United Kingdom)
 DRJ/DRII - Generally Accepted Practices (GAP)
 Basel Committee on Banking Supervision - High Level Principles for
Business Continuity (2006)
4
5/19/08
Regulations, Best Practices & Standards
• Standards
 NFPA1600 - Standard on Disaster/Emergency Management and Business
Continuity Programs (ANSI/US)
 BS 25999 - Business Continuity Management (BSI/UK)
-1 Code of Practice
-2 Specification
 ISO/PAS 22399 - Incident Preparedness & Continuity Management
(ISO/International)
 Title IX – PL 110-53 - Voluntary Certification against yet to be Announced
Standards (US)
 ISO 24762 – Guide for Information and Communications Technology for Disaster
Recovery (ISO/International)
 HB 292:2006 - A Practitioners Guide to Business Continuity Management
(Australia)
 CSA Z1600 - Standard on Emergency Management and Business Continuity
Programs (Canada)
 TR19:2004 - BCM Framework & Technical Reference (Singapore)
 SI 24001:2007 - Security & Continuity Management Systems (Israel)
5
5/19/08
Recent Events
• July 2008
– Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified
in BS 25999
– BSI Certification Status
• 22 firms certified worldwide
• 160 active applications
– S&P announced they will enhance their ratings process for nonfinancial
companies through an enterprise risk management review (creating a more
systematic framework for an inherently subjective topic)
• August 2008
– BS 25777 introduced – Code of Practice for Information and
Communications Technology Continuity
• Similar to ISO 24762 – Guide for ICT and DR
– DHS signed agreement with ANSI-ASQ National Accreditation Board
(ANAB) – to establish and oversee the implementation and accreditation of
Title IX
6
5/19/08
Recent Events (cont’d)
• August 2008 (cont’d)
– ASIS announces plans for a new US Business Continuity
and Risk standard
• Solicits the support of ANSI organization
– ASIS is an ANSI accredited Standards Development Organization (SDO)
• DRII protests and rallies others to do the same
– Carnegie Mellon – Cert Resiliency Framework Code of
Practice Standards Crosswalk (11 standards) published
• October 2008
– ANSI Homeland Security Standards Panel discussion
• Subject was Public law 110-53 Title XI voluntary standards
– ASIS hosted stakeholder deliberation meeting and then reaffirms its direction in developing a new ANSI standard
7
5/19/08
Recent Events (cont’d)
• October 2008 (cont’d)
– Singapore (SPRING) launches new certifiable standard SS540 which
replaces TR 19:2004
• January 2009
– NFPA issues 2010 version of NFPA1600 for public comment
– ASIS International holds joint working group meeting to outline new US
standard based largely on BS 25999
– 1st public feedback session on Title IX sponsored by the DHS
– The Business Continuity Institute announced the release of an updated
version of its business continuity Good Practice Guidelines -- designated
as GPG2008-2
• February 2009
– 2nd public feedback session on Title IX sponsored by the DHS
Work Continues
8
5/19/08
BS25999: A Case Study
Tuesday, March 17, 2009
Tim Mathews
Director, Enterprise Resiliency
Educational Testing Service
Educational Testing Service
• Our Mission: To advance quality and equity in education by
providing fair and valid assessments, research and related services. Our
products and services measure knowledge and skills, promote learning
and educational performance, and support education and professional
development for all people worldwide.
• Our Vision: To be recognized as the global leader in providing fair
and valid assessments, research and related products and services to
help individuals, parents, teachers, educational institutions, businesses,
governments, countries, states and school districts, as well as
measurement specialists and researchers.
• Our Values: Social responsibility, equity, opportunity, and quality.
We practice these values by listening to educators, parents and critics.
We learn what students and the institutions they attend need.
We lead in the development of products and services to help
teachers teach, students learn and parents measure the
intellectual progress of their children.
Today’s agenda:
• Why pursue a standard?
• Why BS 25999?
• What is the process?
• What have we learned?
Why pursue a standard?
Support the Corporate Strategy
• Establish and maintain trust – enhance and preserve the Brand
• Supply chain risk management
– Critical vendors and suppliers may experience a disaster
– What do we know about their resiliency?
• Competitive advantage – may increase or maintain margin vis-àvis competition
– Certified BCMS is a differentiator (RFI,RFP and Contract)
– May reduce the burdens of internal and external audits from
your key customers.
• SLA and scope “expectation” management
– Key customers are vague
– As DHS voluntary compliance percolates through the
business community, there will be a “Wal-Mart” effect
• Training and knowledge transfer
Why pursue a standard?
Effective Risk Management
• Debt valuation and risk ratings
– S&P (and Moody’s)
• Enterprise Risk Management (ERM) will be added as an
element of all corporate ratings
• Requires that a firm address all its risks
• Operational risk is a critical element … encompassing
security, resilience, etc
“..the extent to which companies are adopting standards, …
would bolster the view that management has a proactive
culture and attitude towards risk. However it’s too early ….
to know what weight we’d place on that evidence.”
– Firms must show they are addressing risks in a systematic
manner
• Tort Negligence: Industry standards inform prudent practice and
“affirmative defense.” – ’93 WTC bombing decision
– Port Authority held more liable than terrorists ($100M)
Why pursue a standard?
Compliance and Governance
• DHS voluntary mandate - Title IX
• Various compliance requirements
– Regulatory
– Periodic external financial control audits
– Insurability audits
– Independent client audits
• Common framework for communication of capabilities
– Business development
– Supply chain
– Inter-company (parent and subs)
• Integrated recovery planning and exercises (with subs, key
suppliers and clients)
• Leverage plan development and maintenance activities
Why BS 25999?
• Accepted Standard that establishes the process, principles and
terminology of business continuity management (BCM)
• BS 25999-1 Code of Practice – provides guidance and
recommendations
• BS 25999-2 Detailed Specification – appears to meet or exceed
the published DHS criteria
• Provides a non-prescriptive, generic model to follow in creating
and maintaining preparedness processes and activities
• ETS Enterprise Resiliency program aligned well to the standard
• Gaps were straight forward to implement
BS25999-2 Certification Process
Standard (Criteria)
Research
+
Assessment (Evidence)
Demonstrate compliance
with specification
Self-assessment
Peer discussion
Stage 1 audit
Address any nonconformities
Demonstrate on-going
compliance with
specification
Stage 2 audit
Online self assessment
Review Policy and SOP
Part 1: Code of practice
Risk Assessments and
Internal Audit
Part 2: Specification
Certification
Refresh program
Pre-assessment
Industry practices
=
Review BIA, BCP, TDRPs
and ERP
Remediation
Surveillance
BS25999-2 Certification Timeline
Standard (Criteria)
Research
+
Assessment (Evidence)
=
Certification
7 months
2 months
9/08 – 4/09
annual recurring
Self-assessment
Pre-assessment
3 months
Stage 1 audit
Stage 2 audit
1 month
Remediation
2 days
2 days
4 months
4/08 – 8/08
10 days
6 weeks
Surveillance
2 days
Lessons Learned
• A really good and effective BC program does not necessarily
meet the standard.
• Learn standards “speak”
– “shall = will”
– Do what you say you do – write it down!
• BC/DR planning software may introduce a document
management gap
• Internal Audit is not an Internal Audit
• You cannot dance around the Maximum Tolerable Period of
Disruption (MTOTB)
• Risk Assessment – must be part of your program
• Who needs a CAPA?
• Light on the Technology aspects of recovery planning
• Dot the i’s and cross the t’s – the devil is in the details!
Flagg Management Conference
Presented by
Karen Hughes
Director of Homeland Security Standards
March 17, 2009
19
Agenda




ANSI-HSSP Overview
Title IX Program
Trajectory of ISO/PAS 22399
Business Case for Certification
Flagg Management Conference
March 17, 2009
Slide 20
ANSI-Homeland Security Standards Panel
Mission:




Identify and facilitate the development and enhancement of
homeland security standards
Serve as private/public sector partnership for standards
issues that cut cross-sector
Provide a forum for information sharing on homeland
security standards issue, as well as the overall standards
development and conformity assessment processes
Facilitate dialogue and networking on key issues for
homeland security stakeholders
Flagg Management Conference
March 17, 2009
Slide 21
Voluntary Private Sector Preparedness
Accreditation & Certification Program

Goal
Improve private sector preparedness in disaster
management, emergency management, and business
continuity to enhance nationwide resilience in an all hazards
environment

Background
Mandated by the Implementing Recommendations of the
9/11 Commission Act of 2007 to establish a common set of
criteria for private sector preparedness
Flagg Management Conference
March 17, 2009
Slide 22
Voluntary Private Sector Preparedness
Accreditation & Certification Program
Key Guiding Principles
 Participation is voluntary
 Provide method to independently certify preparedness of private
sector entities
 Administered by non-government entity (ANAB)
 DHS designation of one or more standards to be used in
assessing private sector preparedness
 Incorporate existing regulatory requirements and existing efforts
 Certification of private sector entities will be performed by nongovernment certifying bodies
Flagg Management Conference
March 17, 2009
Slide 23
Voluntary Private Sector Preparedness
Accreditation & Certification Program
Possible Standards
 International
 ISO 22399
 ISO 22301
 National
 NFPA 1600 (USA)
 BS 25999 (UK)
 CSA Z1600 (Canada)
Flagg Management Conference
March 17, 2009
Slide 24
ISO/PAS 22399:2007
ISO/TC 223 – Societal Security
 Scope
International standardization in the area of societal security, aimed at
increasing crisis management and business continuity capabilities,
amongst all interested parties.
 Structure
WG 1 – Framework standard on societal security management
WG 2 – Terminology
WG 3 – Command and control, coordination and cooperation
WG 4 – Preparedness and continuity
 Membership
Participating countries: 37
Observing countries: 17
Flagg Management Conference
March 17, 2009
Slide 25
ISO/PAS 22399:2007
ISO/TC 223 Work Program
 ISO/PAS 22399:2007
Societal security - Guideline for incident preparedness and
operational continuity management

Next Steps:
 Development of ISO 22301 – Management system
standard focused on preparedness and continuity
management
 Conversion of ISO 22399 from PAS to Draft International
Standard as a guide to ISO 22301
Flagg Management Conference
March 17, 2009
Slide 26
InterCEP



International Center for Enterprise Preparedness
Catalyst focused on Private Sector Preparedness &
Corporate Resilience
Working Groups





Supply Chain Management
Legal Liability Mitigation
Insurance Acknowledgement
Rating Agency Acknowledgement
Online Clearinghouse of information
Flagg Management Conference
March 17, 2009
Slide 27
Business Case for Certification
According to the Institute for Business & Home Safety, an
estimated 25% of businesses do not reopen following a
major disaster.
Compliance with preparedness standards can…
 Minimize impact of business disruptions
 Reduce overall costs
 Enhance corporate reputation
 Employee protection
 Link between good practice/standards (what to do) and
benefits (why to do it)
Flagg Management Conference
March 17, 2009
Slide 28
Further Information

For additional information about:

ANSI: www.ansi.org/hssp

ANAB: www.anab.org

InterCEP: www.nyu.edu/intercep

PS-Prep: www.fema.gov/business/certification/index.htm

ISO: www.iso.org

HSSD: www.hssd.us/

Questions can be directed to:

Karen Hughes
Program Director, Homeland Security Standards
([email protected]; 212-642-4992)
Flagg Management Conference
March 17, 2009
Slide 29