Emergency Management & Safety Solutions
Out of Danger Comes Opportunity
Developing a Comprehensive Emergency Management Program and Conducting Your Own Internal Assessment
March 2011
Standards Review and Conducting a Self-Assessment
March 2012 | www.ems-solutionsinc.com
Agenda
• Introduction and Overview
• Reviewing the Major Standards
– ASIS SPC.1
– BS 25999
– FFIEC
– NFPA 1600
• Conducting a Self-Assessment
– Preparation
– Execution
– Closure
Introduction and Overview
• Basic terminology and concepts.
– Audit: “to examine carefully with the intent of verification.”
– “Verification” implies that the subject of the examination is being objectively compared to an existing standard or benchmark; the examination is not subjective.
– The scope of this discussion is limited to business continuity programs, and does not include other disciplines (e.g. information security and general risk management).
Introduction and Overview
• Why would we want to conduct a self-assessment?
– External audit preparation/reaction.
– Internal audit preparation/reaction.
– Board of Directors or executive management “interest.”
– Regulatory or legal compulsion.
– Exploring PS-Prep compliance.
– We just want to make sure that our program will work when we need it!
Introduction and Overview
• Who should conduct the self-assessment?
– The essential factor is to find someone who is qualified, who can be objective during the examination, and who can deliver bad news if necessary.
– The most obvious internal candidate is the business continuity group, with assistance from key business and support groups.
– Internal audit may be able to assist.
– An outside group with requisite knowledge and experience may provide the best results.
Introduction and Overview
• The prerequisite for any assessment, formal or informal, is to establish a benchmark.
• The standard may be dictated, or you may have the discretion to pick your own.
– If the former, the more you know about the standard that will be used, the better prepared you will be for the audit.
– If the latter, you need to know the options and alternatives to make an informed decision.
• Always keep in mind: once you know which “rule book” will be used, you have all the answers!
Introduction and Overview
• Four major standards are used in North America today:
– ASIS SPC.1 (2009)*
– BSI 25999-1 (2006) and -2 (2007)*
– FFIEC BCP (2008)
– NFPA 1600 (2010)*
• We have also reviewed (but do not reference) ASIS/BSI BCM.01-2010.
• It also appears that ISO 22301, now in final review stages, will be published later this year.
* Accepted by Department of Homeland Security for use in the PS-Prep program.
Introduction and Overview
• Before we start the review, a quick word about the “standards” world.
• It’s easy to get lost in the maze of acronyms and buzz words that many people use when talking about business continuity.
– Not surprisingly, some are more directly applicable to our topic than others!
• Let’s put the four “pure” business continuity standards into context with other standards, frameworks, laws and regulations.
Introduction and Overview
The Business Continuity World: ASIS SPC.1, BSI 25999, FFIEC, NFPA 1600
The Information Technology World: COBIT, ITIL
The Business World: COSO, SOX, FCPA, HIPAA
Reviewing the Major Standards
• As noted, four standards dominate North American practices.
• Each was developed from a certain perspective, and each reflects the views, biases, and characteristics of its originating organization.
• However, at their core they all address the same elements and requirements.
Reviewing the Major Standards
| BSI 25999-2 | NFPA 1600 | FFIEC (App A) | ASIS SPC.1 |
|---|---|---|---|
| 1. Scope | 1. Administration | 1. Examination Scope | 1. Scope |
| 2. Definitions | 2. Referenced Publications | 2. Board and Senior Management Oversight | 2. Normative References |
| 3. Planning the BCMS | 3. Definitions | 3. BIA and Risk Assessment | 3. Terms and Definitions |
| 4. Implementing and Operating the BCMS | 4. Program Management | 4. Risk Management | 4. OR System Requirements |
| 5. Monitoring and Reviewing the BCMS | 5. Planning | 5. BCP – General | 4.1 General Requirements |
| 6. Maintaining and Improving the BCMS | 6. Implementation | 6. BCP – HW, Backup, and Recovery Issues | 4.2 Management Policy |
| | 7. Testing and Exercises | 7. Security Issues | 4.3 Planning |
| | 8. Program Improvement | 8. Pandemic Issues | 4.4 Implementation and Operation |
| | | 9. BCP – Outsourced Activities | 4.5 Checking (Evaluation) |
| | | 10. Testing and Exercises | 4.6 Management Review |
| | | 11. Conclusions | |
Reviewing the Major Standards
• If you have a choice, review each standard carefully and choose the one that seems to best fit with your company’s way of doing business.
• Each has strengths:
– Financial Services: FFIEC is the logical (and possibly mandatory) choice.
– North America: NFPA 1600 was seen as the de facto American standard, but the landscape may be changing.
– International: BSI 25999 has the cachet of international acceptance, especially in Europe.
– Strong ties to other ISO standards: ASIS SPC.1 was designed to fit.
Conducting a Self-Assessment
• Whether you conduct a self-assessment in anticipation of a formal audit, or to benchmark your business continuity program, the steps are the same.
• There are three phases to an assessment:
– Preparation
– Execution
– Closure and Report
Conducting a Self-Assessment
• Preparation
– Make sure you have senior management approval and support.
– Identify the parties you’ll need to interview and talk to them before you start; let them know what to expect.
– Review your standard carefully; make sure you understand what each objective requires.
– Develop a scorecard before you start (example on the next slide).
– Determine how results will be reported (and to whom) before the examination begins.
Conducting a Self-Assessment
Red (R): Item falls materially short of an auditable standard.
Yellow (Y): Item is not fully compliant with an auditable standard.
Green (G): Item addresses all material requirements of an auditable standard.
N/A: Item is not applicable to this examination.
| Objective | R | Y | G | N/A |
|---|---|---|---|---|
| Objective 1: Examination Scope | 0 | 0 | 0 | 4 |
| Objective 2: Board and Senior Management Oversight | 0 | 0 | 6 | 0 |
| Objective 3: Business Impact Analysis (BIA) and Risk Assessment | 0 | 0 | 5 | 0 |
| Objective 4: Risk Management | 0 | 3 | 3 | 0 |
| Objective 5: Business Continuity Plan (BCP) - General | 0 | 1 | 0 | 0 |
| Objective 6: BCP - Hardware, Backup, and Recovery Issues | 1 | 1 | 2 | 2 |
| Objective 7: Security Issues | 0 | 0 | 6 | 0 |
| Objective 8: Pandemic Issues | 0 | 0 | 11 | 0 |
| Objective 9: Outsourced Activities | 0 | 0 | 1 | 6 |
| Objective 10: Risk Monitoring and Testing | 0 | 8 | 6 | 0 |
| Totals | 1 | 13 | 40 | 12 |
Percent of Total: Red 2%
Percent of Total: Yellow 24%
Percent of Total: Green 74%
Conducting a Self-Assessment
FFIEC Business Continuity Planning (March 2008)
| Review Code | R | Y | G | N/A |
| | 1 | 5 | 10 | 2 |
Objective 1: Examination Scope
1. Review examination documents and financial institution reports for outstanding issues or problems.
2. Review management's response to audit recommendations noted since the last examination.
3. Interview management and review the business continuity request information to identify:
4. Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process.
Objective 2: Board and Senior Management Oversight
1. Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization.
2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program.
3. Determine whether the board and senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facility management, and audit).
4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations.
Conducting a Self-Assessment
• Execution
– Be objective. Examine the evidence presented and evaluate it from the perspective of an outsider.
– Be brutally honest. The goal is to identify deficiencies, not to gloss over them.
– Ask questions. The respondents may not understand what you’re looking for; help them help you.
– Listen carefully and probe deeply. Things are rarely as bad (or as good) as they seem at first blush.
Conducting a Self-Assessment
• Closure and Reporting
– Avoid making overly broad judgments in your assessment.
– Put subjective statements into full context.
– Be ready to explain your assessment; include documentation where appropriate.
– Don’t pull any punches (if you can avoid it).
– Be prompt. Once the examination has been completed, get the results out as quickly as possible.
– Work with your management team to track deficiencies all the way through resolution.
– Set a date for a follow up/next examination.
Time for a 10 Minute Break!
Developing a Comprehensive Emergency Management Program and Conducting Your Own Internal Assessment
September 2010
Comprehensive Emergency Management Program
Agenda
• What is in a Comprehensive Program?
– Risk Assessment
– Emergency Response
– Business Continuity
– Disaster Recovery
– Crisis Communications
– Incident Management
– Training and Exercises
– Maintenance Process
Before you do anything - assess!
• Before you plan your response you must assess your risks:
– Natural hazards
– Your neighbors
– Human risks
– Environmental risks
– Political/country risks
– Your building: Life safety, security
• Determine risks and develop appropriate prevention and mitigation strategies.
Incident Management
The Four Pillars: Emergency Response, Disaster Recovery, Business Continuity, Crisis Communications
Emergency Response
• What is included in your emergency response program?
– Basic emergency procedures for all staff
– Employee training and/or materials
– Basic first aid supplies
– Floor warden/emergency response teams (ERT)
– Written procedures for ERT
– Training for ERT based on their role
Emergency Response
• What is included in your emergency response program?
– Drills - fire, earthquake, tornado, radio
– More specialized disaster type supplies
– Company emergency responder team
– Detailed emergency procedures for all company responders including building specific information
– Emergency exercise to test teams and procedures
Disaster Recovery
• The complexity of your DR plan has a lot to do with your size.
• It goes without saying that the bare minimum DR plan is nightly back up with tapes stored off site.
– Small firms may simply do back up nightly and a staff person takes the tapes off site.
– Moderate-size firms may have a document storage company take them off site to a warehouse.
– Large firms may have a contract with a “hot-site” restoration vendor.
• What is included in your disaster recovery program?
– Authority to Declare a Disaster
– Clearly identified priorities for recovery of applications and data
– Recovery Tasks & Procedures: infrastructure and data restoration and resynchronization of data
Disaster Recovery
– Complete inventory list of your equipment and applications.
– A schematic map of the server farm (in case you have to configure one from scratch!)
– Temperature monitoring of the server farm with an alarm notification system, check out www.temperatureguard.com
– Pre-designated “hot site” to recover your data or a drop ship arrangement for equipment
– Regular testing of equipment, procedures and staff
– Up-to-date documentation on recovery of systems and applications including procedures and equipment
– Telecommunications recovery strategies for all mission critical numbers
Business Continuity
• What is included in business continuity?
– Business impact analysis
– Clearly identified mission critical functions that are “time-sensitive”
– Individuals assigned to a BCP role in each mission critical department
– Detailed work area recovery plans
Business Continuity
• What is included in business continuity?
– Departmental plans that support the timely recovery of those identified time-sensitive mission critical functions. Plans identify:
  • Staff
  • Equipment
  • Technology and data required
  • Work area recovery strategy
  • Employee communication
  • Vendor communication
  • Critical operating procedures for time sensitive functions
  • Regular exercises of the plan
Crisis Communications
• What is “crisis-communications?”
– Communication strategies that reduce the likelihood of an internal business problem going "public" or minimize the reaction if disclosure of the “crisis” cannot be avoided.
• The Plan should include:
– The crisis communication team
– Positioning
– Designated spokespersons
– Media policies and procedures
– Identified key audiences
– Draft communications including media, employee, investors and other key stakeholders
– Collateral materials
– Contact log
– Guidelines for speakers presentations and handling media interviews.
Communication Tools
• Land lines - avoid your company phone switch
• Centrex
• Ring down lines
• Cell
• Nextel
• Satellite
• Blackberry/iPhone
• Symon (reader-boards)
• Voice over Internet (VOIP)
• Instant Messaging
• Motorola “Walk-Abouts”
• “Net” meetings
• Web site
• Notification systems
• Conference Bridge
• Ham
• Two-way radios
• Pager
• CB Radio
• Email
• Text messaging
• Fax
• Runners
• GETS card (critical infrastructure)
Emergency Response, Disaster Recovery, Business Continuity Planning, Crisis Communications
See a problem?
Incident Management
Emergency Response, Disaster Recovery, Business Continuity Planning, Crisis Communications
What is Incident Management?
• Organized and centralized approach that allows for:
– Command
– Control
– Coordination
– Communication
– Collaboration
– Consistency
• Look for industry best practices.
– Incident Command System (ICS)
Incident Command System History
• The Incident Command System (ICS) was developed in response to a series of fires in Southern California in the early 1970s.
• ICS is widely adopted in the U.S. at all levels of government.
• Also used globally.
Training and Exercises
• Train all employees on the plan
• There are only two ways to know if any of this works
1. Have a disaster
2. Do at least one exercise per year
• We recommend #2, less stressful, more productive!
• Practice! Bi-annual…
– Telephone tree tests
– Tabletop exercise reviews with staff
Lastly…It’s An On-going Effort
• Develop a maintenance schedule; someone needs to be responsible for a bi-annual review.
• Remember…the work is never done!
Developing a Comprehensive Emergency Management Program and Conducting Your Own Internal Assessment
September 2010
Workshop
• For this portion of the session please group yourselves into teams as directed.
• Each team will need to:
– Nominate a spokesperson
– Complete the assignments
– Report out your team’s results at the end of the workshop session
Workshop Assignment
• Please develop team responses to the following situation:
“You have been directed to prepare and execute a self-examination of your organization’s Business Continuity Management Program. Describe the actions you will take in each of the three major steps of the examination: Preparation, Execution, and Closure and Report.”
Preparation
• What standard will/must you use, and why?
• What level of management support will you expect to receive?
• Who will you talk to before the examination begins, and why?
• What type of political pressure will you anticipate receiving and how will you handle it?
Execution
• What type of documentation will you need to collect to support the examination?
• Would you anticipate having to make in-progress reports to your manager? To senior management, if different?
• If the manager of a group or department being examined wants to talk to you about the outcome of the examination before your work is complete, how will you handle it?
• In general, will your organization be receptive to the examination? If not, what will you do to compensate?
Closure and Report
• Who within your organization will be the first reviewer of the examination report, and why?
• Would you anticipate having to make adjustments to the examination report after senior management reviews the results; if so, why?
• How will your organization typically socialize the type of information found in an examination report?
• Does your organization have a mechanism for tracking examination findings and deficiencies until they are resolved? Is it effective?
Thank You!
Regina Phelps RN BSN MPA CEM
Kelly David Williams MBA JD
Emergency Management & Safety Solutions
San Francisco, California
415-643-4300
www.ems-solutionsinc.com