BRPA event review New Year; new ideas in BC 2018 – Round table discussions
Business continuity professionals of Chicagoland gathered together on February 15, 2018 to discuss new ideas in the industry. Business Resumption Planners Association (BRPA) hosted its first educational event, facilitating engaging roundtable discussions with 60 attendees covering topics such as risk management, third party risk, BC management buy-in, exercises, ITDR exercises, and BCM via ISO 22301.
Attendees were guided to sit at one of six tables, each with its own subject matter expert. After 20 minutes the moderators rotated. These discussions were well thought out and tailored to each table's needs. Below is a direct insight into these roundtable discussions.
Business Continuity Management (BCM) via ISO 22301
Moderator: Jim Nelson
The ISO 22301:2012 framework and the path to certification are popular topics within the business continuity industry. The moderator, Jim Nelson, facilitated a discussion around the table about using the ISO 22301 framework and its clauses as a guide for BC program management, and about what BC professionals practice in reality. All attendees were aware of ISO 22301; however, not everyone had a complete understanding of it or access to it. Most of the BC professionals at the table indicated that they use a hybrid approach to BC program management. They further explained that each industry, and particularly each company culture, requires a unique approach to BCM. Standards such as the BCI GPG, DRII, FFIEC, and ISO were mentioned as guides.
Exercises
Moderator: Eric Thomson
Everyone at the table showed special enthusiasm when it came to the discussion of exercises. Over the last few years there has been a shift from standard, dull approaches to non-standardized methods that are fun, interesting, and engaging. Common approaches include using board games or incorporating humor into training and exercises.
The moderator, Eric Thomson, focused the discussion on how to engage the right people in exercises, new exercise ideas, and what opportunities BC professionals can look for during an exercise. Highlights of the discussion are captured below:
- It is important to get buy-in from management to facilitate a great exercise and achieve the set goals.
- Cyber threat is a trending exercise topic for BC professionals and will continue to grow this year.
- Exercises not only promote practice of the plan but also provide an opportunity to cross-train people and identify appropriate BC/CM team roles.
- Exercises are set up as real-life scenarios and are not based on assumptions. For example, participants may need to prepare a statement to the media within 10-15 minutes that includes the scenario details and the company's response.
IT Disaster Recovery (ITDR) Exercises
Moderator: Jan Guido
ITDR and business continuity programs were referred to as the yin to the yang, as these programs should work in sync. Along with general BC program exercises, ITDR is a specific area of focus for exercises and training programs. The moderator, Jan Guido, stressed the importance of having the appropriate approach and scope when it comes to designing and facilitating ITDR exercises. She also discussed opportunities that are created once appropriate ITDR exercises are executed. These opportunities included:
- Creating awareness within the organization about the ITDR program
- Collaboration with other programs and business units
- Cross-training opportunities
- Building relationships within the organization
Getting Management Buy-in
Moderator: Robert Mucerino
Management buy-in is a main topic at many BC conferences, industry chapter meetings, and knowledge sharing events. Getting management buy-in is an essential step in building a robust business continuity program and is a challenge that nearly every BC professional has encountered.
Robert Mucerino, the table moderator, addressed the challenges and facilitated discussion on how to overcome them. Below are tips to help get management buy-in:
- Discuss with executives the corporate responsibility to employees to continue operations (job security) and how business continuity supports it.
- Discuss the importance of operational resilience and the integration of business continuity with other disciplines to achieve it.
- Shift the primary focus of business continuity from compliance and financial loss to reputation/brand protection and impact to operations.
- Shift the driver from ITDR (e.g. determining application RTOs, RPOs, etc.) to the business units' needs, and build IT capabilities accordingly.
Risk Management
Moderator: Julia Holden
Risk management is an essential element of business continuity, and in one way or another it is integrated into the BC program through risk assessments (site risk, operational risk, process risk, vendor risk, etc.). As risk management (RM) approaches can be implemented either as an integrated part of the BC program or as a stand-alone program, Julia Holden took the opportunity to explore diverse views on risk. She asked all participants at the table to provide their definition of risk for their organization and program.
Below is how different participants around the table defined risk and risk management:
- Risk management is an effort to make sure that, in an event, we can take care of our staff.
- Risk is an all-encompassing framework, including financial risk, operational risk, environmental risk, etc., and those risks that can create disruptions.
- Identifying risks, testing them, and seeing what real impact they have on our organization.
- For one participant, risk was associated with physical risk; for them, it was important to find the right partners to offload the risk.
- Risk is broadly a cycle of improvement.
All the participants at the table agreed that BC and risk management have to be integrated and that sharing and collaboration are key to success.
Third Party Risk
Moderator: Andy DeNovo
Nearly every company uses service providers and supply chain partners. When discussing third party risk within a business continuity context, as with risk in general, various approaches are used. Andy DeNovo, the moderator, went over the elements that should be part of third party risk management:
- Information security questionnaire
- IT questionnaire
- Audit of their BCDR program, including risk assessment procedures
- Contractual/SLA – legal BC language incorporated into the contract/SLA
- Careful examination of the “force majeure” clause
Event quotes from attendees:
“At this event, there were great experts from different areas who offered different individual perspectives and good insights”
Business Continuity Program Manager at Walgreens
"The event was a valuable use of time; topics were relevant and timely for making decisions in my BC program"
About the author
Associate Advisory Consultant, Fusion Risk Management Inc