Title: How to Implement a Risk Management Program When You Are a Business Continuity Manager
How to Implement a Risk Management Program When You Are a Business Continuity Manager
- Randall P. Burdette, Director
- Karen Cole, CBCP, SBCI, CEO
Agenda
- The Challenge
- Goal and Vision of ERM Program
- Getting Help
- Project Focus Areas
- Wrap Up
Challenge
- Our team was working hard, but
  - We were one person deep in many areas
  - We had no documented processes
  - Occasional allegations from our customers of slow service
  - We had no way of tracking performance
- We needed a system to ensure we were providing a needed service that:
  - Customer focused
  - Performance oriented
  - Documented our processes
  - Provided accurate data for decisions and risk mitigation
  - And maintained Virginia state agency compliance with:
    - Continuity of Operations Planning Guidelines (Department of Emergency Management)
    - Emergency Response Planning Requirements (Department of Human Resources Management)
    - Financial Controls Requirements (Department of Accounts)
    - IT Disaster Recovery Planning (Virginia Information Technologies Agency)
    - Flight Operations Risk Assessment (IS-BAO)
    - Vital Records Recovery Planning (Virginia Library)
Overall Goal
- Implement an integrated risk management program with a common governance structure that meets multiple state requirements while significantly reducing duplication and the time and effort needed to manage risk.
Vision of ERM
- Ensure Overall Safety
We Needed Help
- Enter the Cavalry
  - Assura, Inc.
  - Karen Cole, CBCP, SBCI
- Integrate with other efforts
  - Process mapping and efficiency study
  - IS-BAO certification
  - ISO 9000
  - Mission critical system upgrade (integrated database system)
  - Comprehensive Records Management System
Assura Inc
- Great reputation in COOP
- Later discovered they were also well versed in IT Security
- New Challenge
  - A fully integrated risk management program was not being accomplished by any other agency
  - Need additional staff for Financial Risk
  - Needed research for Flight Operations
- Willingness to take on a new integration challenge
- Positive Attitude
- Quickly designed a programmatic approach
DOAV Extended Team
- VCU
  - Facilitation
  - Integration
  - Program Oversight
  - ISO 9000
- Assura
  - COOP
  - Finance
  - IT Security
  - Physical Security
  - Flight Risk Integration
- GCR
  - Aircraft License
  - Taxation
- Airport IQ
  - Enterprise Database
- DHRM
  - Training Program
  - Cross Training
  - Personnel Compensation
- VITA
  - Computer Refresh
  - Data Pipeline
  - Records Management
- ARG/US
  - Safety Assessment
  - Flight Manual
  - Safety Management System
  - IS-BAO Certification
Project Challenges
- Policy Makers Buy-In
- Research the Standards
- Picking the Right Standard and Develop the Framework
- Ensure Compliance
- Ensure Demonstrated Value (Over Deliver)
Policy Makers Buy-In
- Things we did well
  - Immediately demonstrated cost savings and value
  - Saved effort for the next agency
  - Made the win/win for agency and policy makers
- Lessons Learned
  - Not enough offline conversations before the official request (relationship building)
Research the Standards
- Get the strategic view of the organization
- Research the standards and models
  - Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  - Australian/New Zealand Standard (AS/NZS 4360:2004)
  - International Standard for Business Aircraft Operations (IS-BAO)
  - Quality Management ISO 9000
  - Risk and Insurance Management Society (RIMS) Risk Maturity Model (RMM) for Enterprise Risk Management
  - Future ISO/FDIS 31000 (under development)
Research the Standards (Continued)
- Things we did well
  - Understood that one size does not fit all, and started small
  - Did not try to recreate the wheel
  - Sensitive to other regulatory requirements that drove changes in the program structure
  - Took advantage of existing material (process mappings)
- Lessons Learned
  - Do not try to over think the solution!
  - Maintain a high level of flexibility to accommodate the customer's schedule
Picking the Right Standard
Develop the Framework
- Develop the Risk Philosophy
- Determine the Risk Appetite (tolerance)
- Program Structure
- Risk Management Program Requirements
- Policy with Respect to Risk Strategy and Tolerance
Framework
(Framework diagram; components shown:)
- Integrated Tools
- Risk Classification Model
- Risk Mgmt. Policy
- BIA
- Gap Analysis
- Risk Assessment
Picking the Right Standard / Developing the Framework (Continued)
- Things we did well
  - Thoroughly researched all available standards
  - Used a proven model as a foundation and then borrowed from other models as needed
  - Agency leaders were actively involved in the process (but sensitive to leaders' time)
  - Developed a trust relationship
- Lessons Learned
  - Prepare to integrate with existing/ongoing processes
Ensure Compliance
- Things we did well
  - Identified as the best managed program in Virginia state government
  - Improved relationship with auditors, who understand the long-term goals
  - No findings
- Lessons Learned
  - More time for helping other extended team members
Over Deliver
- Went from out of compliance in COOP to best managed program in a Virginia state agency!
- Achieved compliance with new requirements with minimal effort
- Developed the Personal Safety Handbook for employees that provides information on how to respond to, prevent, and report any incident (out of scope, but needed to ensure program success)
Project Firsts
- Only ERM for a state agency in Virginia (first found in the country!)
- First developed Confidentiality Memorandum of Understanding (MOU) between state organizations
- Only the second agency in Virginia to evaluate the recovery capabilities of the Virginia Information Technologies Agency/Northrop Grumman Partnership
2009-2010 Focus
- Fine-tuning of the ERM Program, improving the culture of continuity
- Management of positive as well as negative risks
- Providing the model to other agencies experiencing the same issues
- Statewide Aviation Response Program
Questions?
- Randall P. Burdette, Director, Virginia Department of Aviation, (804) 236-3624, Randall.burdette_at_doav.virginia.gov
- Karen Cole, CEO, Assura, Inc., (866) 672-8714, Karen.cole_at_assura.us