Regs Presentation 2006


Regulating Business Continuity
Al Berman
DRI International
Pre-9/11 (1991 - 2001)
• Consumer Credit Protection Act
• OMB Circular A-130
• FEMA Guidance Document
• Paperwork Reduction Act
• ISO 27002 (Previously ISO17799)
• FFIEC BCP Handbook
• Computer Security Act
• 12 CFR Part 18
• Presidential Decision Directive 67
• FDA Guidance on Computerized Systems used in Clinical Trials
• ANSI/NFPA Standard 1600
• Turnbull Report (UK)
• ANAO Best Practice Guide (Australia)
• SEC Rule 17 a-4
• FEMA FPC 65
• CAR

Post-9/11 (2002 - 2008)
• Sarbanes-Oxley Act of 2002
• HIPAA, Final Security Rule
• FFIEC BCP Handbook - 2003 / 2008
• Fair Credit Reporting Act
• NASD Rule 3510
• NERC Security Guidelines
• FERC Security Standards
• NAIC Standard on BCP
• NIST Contingency Planning Guide
• FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
• NYSE Rule 446
• California SB 1386
• Australia Standards BCM Handbook
• GAO Potential Terrorist Attacks Guideline
• Federal and Legislative BC Requirements for IRS
• Basel Capital Accord
• MAS Proposed BCP Guidelines (Singapore)
• NFA Compliance Rule 2-38
• FSA Handbook (UK)
• BCI Standard, PAS 56 (UK)
• Civil Contingencies Bill (UK)
• FPC 65
• NYS Circular Letter 7
• ASIS
• State of NY FIRM White Paper on CP
• NISCC Good Practices (Telecomm)
• Australian Prudential Standard on BCM
• HB221
• HB292
• BS25999
• SS507
• TR19
• CA Z1600
• ISO/PAS 22399
• DRII
• BCI
• Title IX – 110-53
BCP Standards for Financial Institutions

Federal Financial Institutions Examination Council (FFIEC) BCP Handbook
– Business continuity planning is about maintaining, resuming, and
recovering the business, not just the recovery of the technology.
– The planning process should be conducted on an enterprise-wide basis.
– A thorough business impact analysis and risk assessment are the
foundation of an effective BCP.
– The effectiveness of a BCP can only be validated through testing or
practical application.
– The BCP and test results should be subjected to an independent audit
and reviewed by the board of directors.
– A BCP should be periodically updated to reflect and respond to changes
in the financial institution or its service provider(s).
BCP Standards for Financial Institutions

NASD Rule 3510
Rule 3510 will require a business continuity plan that addresses, at a minimum:
– Data back-up and recovery (hard copy and electronic)
– Mission critical systems
– Financial and operational assessments
– Alternate communications between customers and the firm
– Alternate communications between the firm and its employees
– Business constituent, bank and counter-party impact
– Regulatory reporting
– Communications with regulators
BCP Standards for Financial Institutions

NYSE Rule 446
(a) Members and member organizations must develop and maintain a written business continuity and
contingency plan establishing procedures to be followed in the event of an emergency or significant
business disruption. Members and member organizations must make such plan available to the Exchange
upon request.
(b) Members and member organizations must conduct a yearly review of their business continuity and
contingency plan to determine whether any modifications are necessary in light of changes to the
member's or member organization's operations, structure, business or location.

National Association of Insurance Commissioners (NAIC)

National Futures Association Compliance Rule 2-38
(a) Each Member must establish and maintain a written business continuity and disaster recovery
plan that outlines procedures to be followed in the event of an emergency or significant business
disruption. The plan shall be reasonably designed to enable the Member to continue operating, to
reestablish operations, or to transfer its business to another Member with minimal disruption to its
customers, other Members, and the commodity futures markets.
BCP Standards for Financial Institutions



Electronic Funds Transfer Act - held that banks were liable for actual damages caused by failing to transfer funds in a timely fashion. This required the establishment of contingency plans to meet the “reasonable” standard of care (the care that a reasonable man would exercise under the circumstances; the standard for determining legal duty).

Basel Committee’s Capital Accords and Sound Practices for the Management and Supervision of Operational Risk - “Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.” – Seventh Principle in Sound Practices for Management and Supervision of Operational Risk

Reserve Bank of India - Operational Risk Management - Business Continuity Planning - Business Continuity planning is a key prerequisite for minimising the adverse effects of one of the important areas of operational risk – business disruption and system failures.
BCP Standards for Insurance Companies

NYS Circular Letter 7
– Board of Directors support
– Training and education
– Scenario based and operational plans
– Testing and communications plans
– Annual updates and changes submitted to the Department, starting on
June 1, 2005
Not Just IT
• FFIEC – March 2008
“Business continuity planning is about maintaining, resuming, and recovering
the business, not just the recovery of the technology.” “The planning
process should be conducted on an enterprise-wide basis”.
• Australian Prudential Standard – April 2005
“Business continuity management (BCM) describes a whole of business
approach to ensure critical business functions can be maintained, or
restored in a timely fashion”
• Monetary Authority of Singapore – June 2003
“Business Continuity Management (“BCM”) is an over-arching framework that
aims to minimise the impact to businesses due to operational disruptions. It
not only addresses the restoration of information technology (“IT”)
infrastructure, but also focuses on the rapid recovery and resumption of
critical business functions for the fulfillment of business obligations.”
BCP Standards for the
Healthcare/Life Science Industries

Health Insurance Portability and Accountability Act of 1996 (HIPAA),
Final Security Rule
7. Contingency Plan (§ 164.308(a)(7)(i))
We proposed that a contingency plan must be in effect for responding to system emergencies.
The plan would include an applications and data criticality analysis, a data backup plan, a disaster
recovery plan, an emergency mode operation plan, and testing and revision procedures.
In this final rule, we make the implementation specifications for testing and revision procedures
and an applications and data criticality analysis addressable, but otherwise require that the
contingency features proposed be met.
HIPAA BCP REQUIREMENTS
Contingency Plan – 164.308(a)(7)
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedure (A)
– Applications and Data Criticality Analysis (A)
(R) = required implementation specification; (A) = addressable implementation specification
Is it enough ????
HIPAA - Impact of State Laws

State privacy laws are NOT preempted by federal privacy rules, unless
there is a direct conflict

If state law is “more stringent,” or covers an area not covered by federal
rules, state law controls
BCP Standards for the
Healthcare/Life Science Industries

FDA’s GxP: Good Laboratory / Clinical / Manufacturing Practices

FDA Guidance on Computerized Systems in Clinical Trials
IX. SYSTEM CONTROLS
B. Contingency Plans
Written procedures should describe contingency plans for continuing the study by alternate
means in the event of failure of the computerized system.
C. Backup and Recovery of Electronic Records
Backup and recovery procedures should be clearly outlined in the SOPs and be sufficient to
protect against data loss. Records should be backed up regularly in a way that would prevent a
catastrophic loss and ensure the quality and integrity of the data.
BCP Standards for the Energy Industry

Federal Electric Reliability Council’s (FERC) Security Standards for
Electric Market Participants, July 2002 (draft)
Business Continuity:
Every participant operating a critical electric resource shall have contingency plans that define roles,
responsibilities and actions for protecting the rest of the electric grid and market from the failure of its
own critical resources. Those plans should further define the roles, responsibilities and actions needed
to quickly recover or reestablish electric grid and market functions, processes and systems, in the event
that a critical physical or cyber resource fails or suffers harm or attack. Such plans shall be tested or
exercised regularly.

North American Electric Reliability Council’s (NERC) Security Guidelines
for the Electricity Sector, June 2002
Continuity of Business Processes:
Reduces the likelihood of prolonged interruptions and enhances prompt resumption of operations
when interruptions occur. Consider flexible plans that address key areas such as telecommunications,
information technology, customer service centers, facilities security, operations, generation, power
delivery, customer remittance and payroll processes. It is useful to revise and test plans on a regular
basis. It also is advisable to train personnel so they fully understand their roles with respect to the
plans.
Cross-Industry BCP Standards

Sarbanes-Oxley Act of 2002
SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by
section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal
control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control
structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of
the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control
assessment required by subsection (a), each registered public accounting firm that prepares or issues the
audit report for the issuer shall attest to, and report on, the assessment made by the management of the
issuer. An attestation made under this subsection shall be made in accordance with standards for attestation
engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate
engagement.
IS THERE BCP IN SARBANES-OXLEY????
Is There BCP in Sarbanes-Oxley?

PCAOB (Public Company Accounting Oversight Board)
NO
“Furthermore, management's plans that could potentially
affect financial reporting in future periods are not controls.
For example, a company's business continuity or
contingency planning has no effect on the company's current
abilities to initiate, authorize, record, process, or report
financial data.
Therefore, a company's business continuity or
contingency planning is not part of internal control over
financial reporting."
Is There BCP in Sarbanes-Oxley?

Practitioners
YES
Municipal Governments
“Therefore, I have ordered the Department of Homeland Security
to undertake an immediate review, in cooperation with local
counterparts, of emergency plans in every major city in
America.”
President Bush 9/15/05
Municipal Governments

Continuity of Operations (COOP)

Continuity of Government (COG)

FEMA Federal Preparedness Circular (FPC) 65
–Originally Issued – June 1999 – James Lee Witt
–Revised – June 2004 – Michael Brown
Rating COOP Compliance FEMA 65 Crosswalk
A. Plans and Procedures
B. Essential Functions
C. Delegations of Authority
D. Orders of Succession
E. Alternate Operating Facilities
F. Interoperable Communications
G. Vital Files, Records and Databases
H. Human Capital
I. Test, Training and Exercise Program
J. Devolution of Control and Direction
K. Reconstitution Operations
L. Agency Head Responsibilities
Are They A Client?

FFIEC – Appendix E - Interdependencies
-THIRD-PARTY PROVIDERS, KEY SUPPLIERS, AND BUSINESS PARTNERS
-outsourcing information, transaction processing, and settlement
activities
-Institutions should review and understand service providers'
BCPs and ensure critical services can be restored within
acceptable timeframes based upon the needs of the institution
- If possible the institution should consider participating in their
provider’s testing process.
HOW FAR DOES THIS EXTEND?????
Are They A Client?

HIPAA – Business Associate (aka Chain of Trust)
–the business associate must--(1) implement safeguards that
reasonably and appropriately protect the confidentiality,
integrity, and availability of the electronic protected health
information that it creates, receives, maintains, or transmits on
behalf of the covered entity; (2) ensure that any agent, including
a subcontractor, to whom it provides this information agrees to
implement reasonable and appropriate safeguards;
Singapore – The Model for the Future?

Standard for Business Continuity / Disaster Recovery Service Providers
(SS507) - Singapore is the first country in the world to introduce a Standard
and Certification program for BC/DR service providers. Developed by the
Infocomm Development Authority of Singapore and the IT Standards
Committee (ITSC), the Standard specifies the stringent requirements for BC/DR
service providers. These requirements benchmark against the top practices in
the region and stipulate the operating, monitoring and up-keeping of BC/DR
services offered.

TR19 – Technical Reference 19 - aims to help Singapore based enterprises
build competence, capacity, resilience and readiness to respond to and
recover from events that threaten to disrupt normal business operations.

PROPOSED BUSINESS CONTINUITY MANAGEMENT REQUIREMENTS FOR SGX
MEMBERS – May 2008
China & Japan

Chinese Business Continuity Management Committee (CBCM)
– Setting Standards for Chinese
  • Emergency Response
  • Business Continuity
– Still IT Centric (Committee exists under technology directorate)
– Will Greatly Influence its “Business Partners”

Japanese Continuity Management & Planning Organization (CMPO)

Business Continuity Advancement Organization (BCAO)
Standards

Uniform Commercial Code
– Preparing for foreseeable business disruption

National Institute of Standards and Technology (NIST)
– Contingency Planning Guide for Information Technology Systems

IT Governance Institute Standards COBIT
– Control objectives for information and related technology
ISO Standards and Business Continuity

ISO/TS 16949 - Applicable to any supplier to automotive original equipment manufacturer
Section 6.3.2. Contingency Plans
The organization shall prepare contingency plans to satisfy customer requirements in the event of an
emergency such as utility interruptions, labor shortages, key equipment failure, and field returns.

ISO 27002 (Previously Designated ISO17799) - Deals with Information Security
11 BUSINESS CONTINUITY MANAGEMENT
11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
11.1.1 Business continuity management process
11.1.2 Business continuity and impact analysis
11.1.3 Writing and implementing continuity plans
11.1.4 Business continuity planning framework
11.1.5 Testing, maintaining and re-assessing business continuity plans

ISO 9001, Quality Management - Record Retention and Data Availability

ISO 14001, Environmental Mgt - Emergency Preparedness and Response

ISO/PAS 22399 – Societal Security - Guideline for incident preparedness and operational continuity management
Is It BCP?
Business Continuity vs. Vital Records

Foreign Corrupt Practices Act – “Make and keep records and accounts,
which, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets.”

SEC Rule 17a - Record Retention Requirements

IRS Procedure 86-19 - Requires off-site protection, as well as documentation
of computer records maintaining tax information.

European Union Privacy - Data Privacy

Under the Safe Harbor, organizations that have committed to cooperate and
comply with the European Data Protection Authorities (DPAs)

PATRIOT ACT, ACH RULES, G-L-B, AS/NZ 4390, Records Management Standard, et al.
Legal Standards

Liability of Corporations

Liability of Corporate Executives

Liability to Outside Parties

Standard of Negligence
– Standard of Care:

Prudent Man Doctrine

Exercise same care in managing company affairs as in managing own
affairs.

Informed Business Judgment v. Gross Negligence
Case Law – Legal Precedence

Blake v. Woodford Bank & Trust Co. (1977) – Foreseeable
workload – failure to prepare

Sun Cattle Company, Inc. vs. Miners Bank (1974) – Computer
System Failure – Foreseeable Computer Failure

Uniform Commercial Code – Preparing for foreseeable business
disruption
Meeting the Standards
US v. Carroll Towing Co. (1947)
1. Probability of Harm (P): the chance that a damaging event will occur
2. Magnitude of Harm (M): the amount of financial damage that would
occur should a disaster happen
3. Cost of Prevention (C): the price of putting in place a means of
preventing the disaster’s effects
P × M = C
Negligent Failure To Plan/Prepare – Liability
Pandemics

2003 – Canadian Nurses who contracted SARS file suit stating that the
Government was Negligent in not preparing for the second wave of the
disease after the first wave was identified.

Munich Re:

American Bar Association
BS25999

Part 1 is an extension of PAS56
– Guidance
– Prescriptive
– Not Performance Based

Part 2
– Certification Body
– Specification
– Auditable
– Create Ability to Demonstrate Compliance
Stage 1 – Audit – Initial Assessment – Desktop Review
- Successful Completion Required Before Moving To Stage 2
Stage 2 – Conformance Audit – Certification Audit
- Demonstrate Implementation
- Failure Requires Corrective Action Plan Which Must be Agreed Upon

Completion of Stage 1 & 2 Allows for Application to BS 25999 Certification Manager for Certification

Surveillance Audits

(To be fair, British standard BS25999 introduced "Maximum Tolerable Period of
Disruption" (MTPD), another mind-bender destined for the verbal scrap heap, as well.)
PUBLIC LAW 110-53
“IMPLEMENTING RECOMMENDATIONS
OF THE 9/11 COMMISSION ACT OF 2007”
TITLE IX
The Holy Grail or SOX for Business Continuity

The Program Was Called For In Title IX Of "The Implementing The 9/11 Commission
Recommendations Act Of 2007" (Public Law 110-53) Which Addresses A Diversity Of
Other National Security Issues As Well. It Was Signed Into Law By The President On
August 3, 2007.

Intent – To Implement The Findings Of The 9/11 Commission
– NFPA 1600 Was Recommendation Of Commission For Standard
– DRII’s Professional Practices Are The Basis For BCP In NFPA 1600

Will It Become A “Standard”????
– Voluntary
– Non-punitive
– Unsuccessful Attempts By Federal Government To Address Private Sector BCM

Overcome Investments By Private Sector

Strain On Small And Medium Sized Businesses In Supply Chain
Title IX – 110-53
a. Goal of the new program is to provide a method to independently certify the emergency
preparedness of private sector organizations, including their disaster / emergency
management and business continuity programs. The program focuses on certifying the
preparedness of businesses and other private sector entities, and does not involve any
individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the
program. Consultation with a variety of organizations and various sectors is required by the
legislation. Program development will likely include involvement by a diversity of private
sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations with
experience / expertise in managing and implementing voluntary accreditation and certification
programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by
example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or
displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
Defining “The Standard”

Process Used By Sloan Interdisciplinary Team
– Representatives of:

ASIS, DRI International, NFPA, RIMS

Review Existing Regulations
– FFIEC, NYSE, SEC, NASD
– NERC
– HIPAA

Provide “Credit” for Work Already Done

Reduce Start From Scratch Opposition

Create Core Elements for Standard
Core elements are those basic components that, when implemented within an organization’s unique governance and culture,
provide the underlying framework to enable the organization to sustain itself in spite of a disruptive event (i.e., the “common
set of criteria for preparedness, disaster management, emergency management, and business continuity programs...." called
for under the law.)
Core Elements 13 Become 8
1. Policy statement and management commitment - Scope, program roles, responsibilities, and resources
2. Risk identification, assessments and criticality impact analyses, including legal and other requirements
3. Prevention and Mitigation Evaluation and Planning
4. Incident management (procedures and controls before, during and after a disruption, including emergency management of people, business operations and technology) includes communications
5. Recovery Planning - May be considered to include rebuilding, repairing, and / or restoring
6. Awareness and training
7. Exercises and testing
8. Program revision and improvement
Process Mapping
Program Policies & Procedures
– Policy statement
– Management commitment
– Program procedures and resources
– Roles, responsibilities, and authorities
Analysis
– Risk assessment
– Impact analysis
– Criticality analysis
– Resource analysis
– Analysis of legal and other requirements
Planning
– Prioritization
– Objectives and targets
– Strategic and tactical plans for prevention, deterrence, readiness, mitigation, response, continuity, and recovery
Implementation & Operations Controls
– Operational procedures
– Awareness and training
– Communications and warning
– Document and information control
– Resources and finances
– Incident management (procedures and controls for before, during and after a disruption including prevention, mitigation, response and recovery)
Checking and Evaluation
– Exercises and testing
– Nonconformity and problem analysis
– Internal audits (system)
Review, Maintenance, Improvement
– Corrective action process (acting on problems)
– Program revision and improvement
Standards Crosswalk

NFPA 1600:2007 Standard on Disaster/ Emergency Management and
Business Continuity Programs

CSA Z1600 Standard on Emergency Management and Business Continuity
Programs

DRI International Professional Practices for Business Continuity Planners

BS 25999-2: 2007 Business Continuity Management – Part 2: Specification

ASIS International - Organizational Resilience: Preparedness and Continuity
Management - Best Practices Standard (Will Probably Become Part of ISO/PAS 22399)

TR19:2005 Technical Reference for Business Continuity Management (BCM)
includes SS507

ISO/PAS 22399:2007 Societal Security: Guidelines for Incident Preparedness
and Operational Continuity Management
Flexibility Within A Framework

Existing Industry Efforts
– Regulations

FFIEC – NYSE – SEC – HIPAA – NERC
– Standards

ISO, ANSI, BSI
NOT Sarbanes-Oxley
Results
Critical Core Elements | Process | Standards / Best Practices

1. Core elements: Policy statement and management commitment; Scope, program roles, responsibilities, and resources
   Process: Program Policies and Procedures
   Standards / Best Practices: Project scope, policy, principles and management commitment

2. Core elements: Risk identification, assessments and criticality impact analyses, including legal and other requirements
   Process: Analysis
   Standards / Best Practices: Legal, statutory, regulatory and other requirements; Risk assessment and impact analysis

3. Core elements: Prevention and Mitigation Evaluation and Planning
   – Strategic: prioritization, objectives, targets, supply chain and third party dependencies
   – Tactical: plans for avoidance, prevention, deterrence, readiness, mitigation, response, continuity, and recovery
   Process: Planning
   Standards / Best Practices: Setting objectives and priorities to develop risk and incident preparedness management strategies

4. Core elements: Incident management (procedures and controls before, during and after a disruption, including emergency management of people, business operations and technology)
   – Operational procedures and contingency plans
   – Communications and warning
   – Application and business function resiliency
   – Document, information and data control and backup
   – Execution resources, responsibilities and finances
   Process: Implementation and Operation Controls
   Standards / Best Practices:
   – Developing and implementing operational and control plans, procedures and programs for preparedness, including prevention, avoidance, deterrence, readiness, preparedness, mitigation, response, continuity and recovery
   – Communication and warning
   – Document, information and data control and backup
   – Allocation of human, physical and financial resources

5. Core elements: Recovery (may be considered by the reader to include rebuilding, repairing, and / or restoring)
   Process: Implementation and Operation Controls

6. Core elements: Awareness and training
   Process: Implementation and Operation Controls
   Standards / Best Practices: Awareness, competence and training

7. Core elements: Exercises and testing; Post-mortem learning
   Process: Checking and Evaluation
   Standards / Best Practices: Performance assessment and evaluation

8. Core elements: Program revision and improvement; Corrective actions
   Process: Review, Maintenance, Improvement
   Standards / Best Practices: Review, maintenance, and improvement
   Included above under planning and implementation and operations control
Process For Implementation of Title IX
1. DHS will designate one or more organizations to act as the accrediting body,
and oversee the certification process, and to accredit qualified third parties to
carry out the certification program.
2. DHS will separately designate one or more standards for assessing
private sector preparedness.
3. DHS will provide information and promote the business case for
voluntary compliance with preparedness standards.
4. DHS will monitor the effectiveness program on an on-going basis.
Process For Implementation of Title IX

Appointment by DHS of Designated Officer – October 1, 2007
– Ashley Pollack – FEMA
– Marcus Moore – FEMA

Enter into Agreement for Standard – February 28, 2008
DHS Selects ANSI-ASQ National Accreditation Board To Support Voluntary Private Sector Preparedness Certification
Program
Release Date: July 30, 2008
Release Number: HQ-08-148
WASHINGTON, D.C. -- The Department of Homeland Security announced today that
it has signed an agreement with the ANSI-ASQ National Accreditation Board
(ANAB) to establish and oversee the development and implementation of the
accreditation and certification requirements for the Voluntary Private Sector
Preparedness Accreditation and Certification Program. This program is
directed by Public Law 110-53, Implementing the Recommendations of the
9/11 Commission Act of 2007, requiring the department to establish a common
set of criteria for private sector preparedness in disaster management,
emergency management and business continuity.
Under Title IX of the Act, the department is charged with a number of core tasks to establish the voluntary program, to include the
designation of an organization to act as an accrediting body. In this role, ANAB will be responsible for overseeing the certification
process, managing the accreditation, and accrediting qualified third parties to carry out certifications of private sector entities.
ANAB was selected based on its experience and expertise in managing and implementing accreditation programs.
As required by the Act, Homeland Security Secretary Michael Chertoff previously designated an officer within the department to be
responsible for the accreditation and certification program. R. David Paulison, Administrator of the Federal Emergency
Management Agency, serves as the designated officer and will chair an internal Private Sector Preparedness Council comprised of
department leadership from the Science & Technology Directorate, Private Sector Office and the Office of Infrastructure Protection.
The Private Sector Preparedness Council will focus on the remaining requirements of the Act. This includes selecting program
standards, defining and promoting the business case for private sector entities to work toward voluntary certification, overseeing
the program's progress, and providing regular updates to Congress.
Learn more at www.fema.gov/privatesectorpreparedness
Gaining Accreditation
Implications

Certification
– Benefit To Passing Certification
– If You Can’t Pass Don’t Start

Legal
– Litigation Standard
– “Voluntary Negligence”

No Teeth

Non-Punitive
Will it meet customer requirements?
What We Know Right Now

Title IX of PL 110-53 is an unfunded effort, there are no tangible rewards; e.g.,
tax reductions in the form of deductions or tax credits to use as an incentive.
While there are ongoing efforts to provide some insurance relief for business
continuity planning, at this time no such incentives are available – Sloan
Foundation Report

FEMA has been designated to lead the effort

ANSI – will oversee the certification process
- Manage Accreditation
- Accredit third parties to carry out certification
- Collaborate to develop procedures and requirements for
certification and accreditation
Now For The Misinformation
Although voluntary right now, these standards could soon be
federal mandates for all private industry. - Not To Be Named
Consulting Firm in advertising for their webinar
Will share their best practices to meet the new "national
preparedness standard" known as NFPA 1600 – Not To Be Named
Consulting Firm
This voluntary program offers a number of potential benefits to the
certified organization, including:
•Possible insurance premium advantages
•Enhanced credit ratings
•Competitive differentiation - Not To Be Named Consulting Firm
Assessing The Business Continuity Process

DRII Evaluates Planning Process, Implementation and Testing Across The 10
Professional Practices – MAPS TO CORE ELEMENTS
– Includes Subcategories
– Ability To Weight Each Category

Utilizes The Same Scoring As It Does For Certifying Professionals

Questions Require a Yes Or No

Recommendations Are Provided When a “No” Answer Is Provided

May Be Customized For Industry, Country Or Regulatory Considerations

Will Contribute To a Worldwide Database
Q&A
Thank You
Statements concerning legal matters should be understood to be general observations based solely on our experience as risk
consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be
reviewed with your own qualified legal advisors in these areas