Keynote Address: Robbie Atabaigi, Manager, Advisory Information Protection, KPMG LLP

www.nicsa.org – Regulatory & Risk Hot Topics: Business Resiliency, June 3, 2015


TRANSCRIPT

www.nicsa.org

Regulatory & Risk Hot Topics

Business Resiliency, June 3, 2015


Agenda

• Opening Remarks and Introduction (5 minutes)
• Industry Overview (15 minutes)
• Emerging Trends (15 minutes)
• Industry Perspectives (15 minutes)
• Closing Remarks (5 minutes)
• Q&A (20 minutes)


Speaker Bio

Robbie Atabaigi – KPMG, Manager, Information Protection & Business Resiliency, Atlanta, GA

• Over 29 years of experience in developing and evaluating many aspects of enterprise risk management, including Emergency Preparedness and Response, Crisis Management, Disaster Recovery, and Business Continuity.
• Robbie is certified as one of only 300 worldwide Master Business Continuity Planners (MBCP). She has breadth and depth of experience across industries, with a focus on assisting organizations in maintaining availability of critical business functions and resources.
• Winner of the 2015 Business Continuity Institute's Continuity and Resilience Consultant of the Year award.


BCM Program Overview

Business Resiliency Management – a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. It covers the management of recovery or continuity in the event of a disaster, as well as the management of the overall program through training, rehearsals and reviews, to ensure the program stays current and up to date.

Components of Business Resiliency Management (slide diagram):

• Emergency Response
• Crisis Management
• IT/Disaster Recovery
• Business Unit Plans


Industry Related Regulations / Standards / Guidelines


North American and Global . . .

• Regulations:
  - FFIEC
  - FINRA
  - FERC / NERC
• Common Standards/Guidelines:
  - NFPA 1600
  - BS 25999 / ISO 22301
  - ASIS BCM.1 / ASIS SPC.1
  - NIST SP 800
  - DRII / BCI
  - COBIT
  - ITIL
• Australia – HB 221:2004 Business Continuity Management
• India – RBI BC Circulars
• Singapore – MAS Business Continuity Management Guidelines
• UK – Financial Services Authority Handbook

Commonalities:

• Oversight Board / Reporting
• Program Structure
• Assessments
• Recovery Plans
• Training
• Exercising
• Maintenance


DRJ – Rules and Regulations

http://www.drj.com/resources/dr-rules-regulations.html


Unique Industry Considerations

• Finance
  - Timing / Business Decisions
  - Stakeholder Confidence
  - Increasing Regulatory Scrutiny
• Food & Beverage
  - Farm to Table
  - Supply Chain
  - Transportation
• Healthcare
  - Data Protection
  - Customer Confidence
• Manufacturing
  - Geographic Dispersion
  - Outsourcing / Off-shoring
  - Resource Constraints
• Retail
  - Brand / Reputation
  - Supply Chain
  - Transportation


Emerging Trends

• Vendor management
• Breaking down the silos
• Cyber is a top threat
• Commitment is a two-way street
• Social media as a viable tool/issue
• Increasing presence of BYOD
• Correct and efficient communication
• Policy has to be actionable and a living process
• Older technology not being replaced
• Assumption that IT will recover everything


BCM Components

Risk Assessment

• Methodology and Approach (Qualitative)
• Analysis of Threats / Vulnerabilities
  - Natural
  - Man-Made
  - Technical
• Existing Controls and BCM Capabilities
• Mitigation Strategies

Business Impact Analysis

• Methodology and Approach (Quantitative and Qualitative)
• Stakeholder Input
• Business vs. Technology Driven
• Interdependencies
• RTOs / RPOs
• Alternate Operating Procedures
• Resource Requirements

Strategy Evaluation & Implementation

• Linkage to Findings From Risk Assessment and BIA
• Partnership Between Business and Technology
• Cost Benefit Analysis
• Chosen Prior to Plans Being Developed

Program Governance

• Oversight
• Regulation / Standard / Guideline / Roadmap
• Actionable Policy
• Framework with Roles and Responsibilities / Accountability
• Frequency of Updates / Reviews
• Plan Distribution and Methods

Plan Structure and Documentation

• Plan Development Schedule
• Consistent Format – Understandable, Task-Driven, Easy to Maintain
• Addresses Both Business and IT Resumption
• Identifies Resources and Timeline
• Return to "Normal / Business as Usual"

Training & Communications

• Existence and Evidence of Execution
• Training Schedule
• Types Offered
• Participants (New and Existing Employees)
• Training Content
• Training Results
• Linkage to Other Training Programs

BCP Testing & Results

• Exercise Schedule, Involvement and Frequency
• Exercise Type
• Involvement of Business Partners and Supply Chain
• Testing Content
• Testing Results
• Incorporation of Lessons Learned

Maintenance

• Change Management
• Maintenance Logs
• Frequency of Updates / Reviews
• Plan Distribution and Methods
• Storage / Security of Plans


Common Weaknesses

• No BCM Policy Statement
• No Standard / Roadmap
• Lack of Integration Between Plans
• Variation in Preparedness Between Business Units / Sites
• BCP Maintenance Roles and Responsibilities Not Clearly Defined
• BCP Not Included in the Enterprise Change Management Process
• Lack of Testing and/or Lack of Incorporation of Lessons Learned
• Lack of Stakeholder Involvement in the BIA


Thank You!

Robbie Atabaigi, MBCP, MBCI, CISA
Manager, Information Protection & Business Resilience
KPMG LLP
Suite 2000, 303 Peachtree Street, Atlanta, GA 30308-3210
Tel 404.222.3257 | Fax 678.827.0630 | Cell 404.375.8754
[email protected]

KPMG LLP is a U.S. limited liability partnership.

Deanna Flores
Principal, Tax
KPMG LLP
Suite 600, 4747 Executive Drive, San Diego, CA 92121-3100
Tel 858.750.7340
[email protected]
