October 29-30, 2012 • Hotel Pennsylvania

B5 - From Best Practice to Certification: What is stopping you?

Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service

October 29, 2012, 11:30 a.m. – 12:30 a.m.

Page 1

October 29-30, 2012 • Hotel Pennsylvania

B5 - From Best Practice to Certification

What is stopping you?

Tim Mathews, Director, Enterprise Resiliency

Educational Testing Service

October 29, 2012, 11:30 a.m. – 12:30 a.m.

Page 2

Session Overview

The recent announcement from AT&T regarding PS-Prep conformity has created a lot of interest in Business Continuity Management System (BCMS) certification.
– What is it?
– Why should you care?
– What resources and effort are required?

A recent KPMG study shows that many organizations already model their BC programs on one or more PS-Prep adopted standards – so…
– What is holding your organization back from certification?

Page 3

Educational Testing Service

• Our Mission: To advance quality and equity in education by providing fair and valid assessments, research and related services. Our products and services measure knowledge and skills, promote learning and educational performance, and support education and professional development for all people worldwide.

• Our Vision: To be recognized as the global leader in providing fair and valid assessments, research and related products and services to help individuals, parents, teachers, educational institutions, businesses, governments, countries, states and school districts, as well as measurement specialists and researchers.

• Our Values: Social responsibility, equity, opportunity, and quality. We practice these values by listening to educators, parents and critics. We learn what students and the institutions they attend need. We lead in the development of products and services to help teachers teach, students learn and parents measure the intellectual progress of their children.

Page 4

What is PS-Prep?

• Mandated by the “Implementing Recommendations of the 9/11 Commission Act of 2007” (Public Law 110-53)

• Directs DHS to establish a “Voluntary Private Sector Preparedness Accreditation and Certification Program” to improve private sector preparedness.

• DHS adopted standards:
– NFPA 1600, BS 25999-2, ASIS SPC.1-2009

• Key components of PS-Prep:
– Voluntary participation
– Provide a method to independently certify “preparedness” of private sector entities
– Integrate and leverage existing regulatory requirements

• ANAB accredits certifying bodies based on Rule 37
– NQA has been accredited
– Orion is in application
– BSI, Intertek and SRI have indicated intent

• AT&T is the first and only PS-Prep certified PS entity

Page 5

What is BCMS certification?

• Confirmation of certain characteristics of an object, person, or organization. This confirmation is often, but not always, provided by some form of external review, education, assessment, or audit. (source: Wikipedia)

• In the context of Business Continuity Management Systems (BCMS), certification measures program conformity to an adopted industry standard. Examples: NFPA 1600, BS 25999-2, ISO 27001:2005, ASIS BCM.01-2010, COBIT 4.1, NIST SP 800-34, ITIL v3, …

• The CI & KPMG 2011-2012 Global BCM Program benchmarking study noted significant use of standards as the basis of BC programs

Page 6

Why should you care?

Support the Corporate Strategy

• Establish and maintain trust – enhance and preserve the Brand

• Supply chain risk management

– Your critical suppliers or customers may experience a disaster

– What do you know about their resiliency?

• Competitive advantage

– Increase or maintain margin vis-à-vis competition

– Certified BCMS is a differentiator (RFI, RFP and contract)

– Reduces the cost of internal and external audits

• SLA and scope “expectation” management

– Key customer “availability requirements” may be vague

– As PS-Prep voluntary compliance percolates through the business community, there will be a “Wal-Mart” effect

Page 7

Page 8

Why should you care?

Compliance and Governance

• Compliance requirements
– Industry-specific regulatory requirements
– Periodic external financial control audits
– Linkage to additional standards
– Insurability audits
– Independent client audits

• Common framework for communicating capabilities
– Business development and due diligence
– Supply chain
– Inter-company (parent and subs) training and hiring

• Integrated recovery planning and exercises with subs, key suppliers and clients

Page 9

Why should you care?

Effective Risk Management

• Debt valuation and risk ratings
– S&P (and Moody’s)

• Enterprise Risk Management (ERM) added as an element of corporate ratings

• Requires that a firm address all its risks

• Operational risk is a critical element … encompassing security, resilience, etc.
– “...the extent to which companies are adopting standards would bolster the view that management has a proactive culture and attitude towards risk. However, it’s too early to know what weight would be placed on that evidence.”
– Firms must show they are addressing risks in a systematic manner

• Tort negligence: Industry standards inform prudent practice and “affirmative defense.”
– ’93 WTC bombing decision
– Port Authority found more liable than the terrorists ($100M)

Page 10

Supply chain diagram (as laid out on the slide):
– Supplier shall deliver services within 48 hours
– ETS – 3rd party certification
– Reading Services – SDOC
– Hotel A – SDOC
– Hotel B – “trusted partner”
– Scoring Services – “trusted partner”
– Printer – SDOC

“Your supply chain is only as strong as its weakest link”

Page 11

Regulations? Best Practices? Standards?

Page 12

Summary of Resiliency Elements (bar chart, scale 0.00 – 3.00)

Enterprise Resiliency Goals:
– BC/DR Governance & Compliance
– Continuity & Resumption
– IT Redundancy & Recovery
– Facilities Safety, Security & Dependability
– Information Management & Protection
– Reliability Requirements & Strategies
– Organizational Command & Control

Resiliency Quotient = 1.75 (Baseline 2004)

Page 13

Summary of Resiliency Elements (bar chart, scale 0.00 – 3.00)

Enterprise Resiliency Goals:
– BC/DR Governance & Compliance
– Continuity & Resumption
– IT Redundancy & Recovery
– Facilities Safety, Security & Dependability
– Information Management & Protection
– Reliability Requirements & Strategies
– Organizational Command & Control

Resiliency Quotient = 2.07 (Updated 2005/6)

Page 14

Summary of Resiliency Elements (bar chart, scale 0.00 – 3.00)

Enterprise Resiliency Goals:
– BC/DR Governance & Compliance
– Continuity & Resumption
– IT Redundancy & Recovery
– Facilities Safety, Security & Dependability
– Information Management & Protection
– Reliability Requirements & Strategies
– Organizational Command & Control

Resiliency Quotient = 2.41 (Updated 2007)

Page 15

Summary of Resiliency Elements (bar chart, scale 0.00 – 3.00)

Enterprise Resiliency Goals:
– BC/DR Governance & Compliance
– Continuity & Resumption
– IT Redundancy & Recovery
– Facilities Safety, Security & Dependability
– Information Management & Protection
– Reliability Requirements & Strategies
– Organizational Command & Control

Resiliency Quotient = 2.64 (Updated 2008)

Page 16

Resiliency Quotient over time (chart, scale 1.00 – 3.00, less resilient to more resilient)
– Baseline: 1.75
– 2005/6: 2.07
– 2007: 2.41
– 2008: 2.64

Page 17

BS 25999-1 View – Code of Practice (bar chart, scale 0.00 – 3.00)
– BCM Program Management
– Understanding the Organization
– Determining BCM Strategy
– Developing & Implementing the Response
– Exercising, Maintaining & Reviewing
– Embedding BCM in the Culture

Composite Score = 2.54

Page 18

BS 25999-2 View – Measurement Against Specifications (bar chart, scale 0.00 – 3.00)
– Establish & Manage
– Embed in the Culture
– Documentation & Records
– Understand the Organization
– Determine the Strategy
– Develop & Implement
– Exercise & Maintain
– Internal Audit
– Management Review
– Preventive & Corrective Actions
– Continual Improvement

Composite Score = 2.58

Page 19

NFPA 1600 View (bar chart, scale 0.00 – 3.00)
– Program Management
– Laws & Authorities
– Risk Assessment
– Incident Prevention
– Mitigation
– Resource Management & Logistics
– Mutual Aid & Assistance
– Planning
– Incident Management
– Communications & Warning
– Operational Procedures
– Facilities
– Training
– Exercises, Evaluations & Corrective Actions
– Crisis Communication & Public Information
– Finance & Administration

Composite Score = 2.50

Page 20

Why BS25999-2?

• Accepted standard that establishes the process, principles and terminology of business continuity management
• BS 25999-1 Code of Practice – provides guidance and recommendations
• BS 25999-2 Detailed Specification – meets the published DHS criteria
• Provides a scalable, non-prescriptive, generic model to follow in creating and maintaining preparedness processes and activities
• Enterprise Resiliency program aligned well to the standard
• Gaps were straightforward to implement
• 3rd party certification is available

Page 21

BS25999-2 Certification Process: Standard (Criteria) + Assessment (Evidence) = Certification

Steps: Research → Self-assessment → Pre-assessment → Stage 1 audit → Stage 2 audit → Remediation → Surveillance

Activities shown on the slide:
– Industry practices
– Peer discussion
– Online self-assessment
– Part 1: Code of practice
– Part 2: Specification
– Review Policy and SOP
– Risk Assessments and Internal Audit
– Review BIA, BCP, TDRPs and ERP
– Address any non-conformities
– Refresh program
– Demonstrate on-going compliance with specification
– Demonstrate compliance with specification

Page 22

BS25999-2 Certification Timeline: Standard (Criteria) + Assessment (Evidence) = Certification

Steps: Research → Self-assessment → Pre-assessment → Stage 1 audit → Stage 2 audit → Remediation → Surveillance

Durations and dates shown on the slide:
– 3 months
– 1 month
– 4 months (4/08 – 8/08)
– 7 months (9/08 – 4/09)
– 2 days
– 2 days
– 10 days
– 2 months
– annual recurring
– 5 days
– 8 weeks

Re-tooling = ½ FTE additional labor

Page 23

Resources and Effort – Incremental Cost of Certification

Chart: incremental cost ($) against BCMS Maturity
– Registration fees + audit days (based on scope)
– Re-tool or augment current BC program to conform

Page 24

October 29-30, 2012 • Hotel Pennsylvania

What is stopping you from certifying your BCMS?