How to Implement a Risk Management Program When You Are a Business Continuity Manager - PowerPoint PPT Presentation

1
How to Implement a Risk Management Program When
You Are a Business Continuity Manager
  • Randall P Burdette
  • Director
  • Karen Cole, CBCP, SBCI
  • CEO
2
Agenda
  • The Challenge
  • Goal and Vision of ERM Program
  • Getting Help
  • Project Focus Areas
  • Wrap Up

3
Challenge
  • Our team was working hard, but
  • We were one person deep in many areas
  • We had no documented processes
  • Occasional allegations from our customers of slow
    service
  • We had no way of tracking performance
  • We needed a system to ensure we were providing a
    needed service that:
  • Customer Focused
  • Performance Oriented
  • Documented our Processes
  • Provided accurate data for decisions and risk
    mitigation

4
  • And maintained Virginia state agency compliance
    with:
  • Continuity of Operations Planning Guidelines
    (Department of Emergency Management)
  • Emergency Response Planning Requirements
    (Department of Human Resources Management)
  • Financial Controls Requirements (Department
    of Accounts)
  • IT Disaster Recovery Planning (Virginia
    Information Technologies Agency)
  • Flight Operations Risk Assessment (IS-BAO)
  • Vital Records Recovery Planning (Virginia
    Library)

5
Overall Goal
  • Implement an integrated risk management program
    with a common governance structure that meets
    multiple state requirements while significantly
    reducing duplication and the time and effort
    needed to manage risk.

6
Vision of ERM
Ensure Overall Safety
7
We Needed Help
  • Enter the Cavalry
  • Assura, Inc.
  • Karen Cole, CBCP, SBCI
  • Integrate with other efforts
  • Process mapping and efficiency study
  • IS-BAO certification
  • ISO 9000
  • Mission critical system upgrade (integrated
    database system)
  • Comprehensive Records Management System

8
Assura Inc
  • Great reputation in COOP
  • Later discovered they were also well-versed in IT
    Security
  • New Challenge
  • A fully integrated risk management program was
    not being accomplished by any other agency
  • Needed additional staff for Financial Risk
  • Needed research for Flight Operations
  • Willingness to take on a new integration
    challenge
  • Positive Attitude
  • Quickly designed a programmatic approach

9
DOAV Extended Team
  • VCU
  • Facilitation
  • Integration
  • Program Oversight
  • ISO - 9000
  • Assura
  • COOP
  • Finance
  • IT Security
  • Physical Security
  • Flight Risk Integration
  • GCR
  • Aircraft License
  • Taxation
  • Airport IQ
  • Enterprise Database
  • DHRM
  • Training Program
  • Cross Training
  • Personnel Compensation
  • VITA
  • Computer Refresh
  • Data Pipeline
  • Records Management
  • ARG/US
  • Safety Assessment
  • Flight Manual
  • Safety Management System
  • IS-BAO Certification

10
Project Challenges
  • Policy Makers Buy-In
  • Research the Standards
  • Picking the Right Standard and Developing the
    Framework
  • Ensure Compliance
  • Ensure Demonstrated Value (Over Deliver)

11
Policy Makers Buy-In
  • Things we did well
  • Immediately demonstrated cost savings and value
  • Saved effort for the next agency
  • Make the win/win for agency and policy makers
  • Lessons Learned
  • Not enough offline conversations before
    official request (relationship building)

12
Research the Standards
  • Get the strategic view of the organization
  • Research the standards and models
  • Committee of Sponsoring Organizations of the
    Treadway Commission (COSO)
  • Australian/New Zealand Standard (AS/NZS
    4360:2004)
  • International Standard for Business Aircraft
    Operations (IS-BAO)
  • Quality Management ISO-9000
  • Risk and Insurance Management Society (RIMS) Risk
    Maturity Model (RMM) for Enterprise Risk
    Management
  • Future ISO/FDIS 31000 (Under development)

13
Research the Standards (Continued)
  • Things we did well
  • Understood that one size does not fit all and
    started small
  • Did not try to recreate the wheel
  • Sensitive to other regulatory requirements that
    drove changes in the program structure
  • Take advantage of existing material (process
    mappings)
  • Lessons Learned
  • Do not try to overthink the solution!
  • Maintain a high level of flexibility to
    accommodate the customer's schedule

14
Picking The Right Standard
15
Develop the Framework
  • Develop the Risk Philosophy
  • Determine the Risk Appetite (tolerance)
  • Program Structure
  • Risk Management Program Requirements
  • Policy with Respect to Risk Strategy and Tolerance

16
Framework (diagram): Integrated Tools, Risk
Classification Model, Risk Mgmt. Policy, BIA, Gap
Analysis, Risk Assessment
17
Picking the Right Standard / Developing the
Framework (Continued)
  • Things we did well
  • Thoroughly researched all available standards
  • Used a proven model as a foundation and then
    borrowed from other models as needed
  • Agency leaders were actively involved in the
    process (but sensitive to leaders' time)
  • Develop a trust relationship
  • Lessons Learned
  • Prepare to integrate with existing/ongoing
    processes

18
Ensure Compliance
  • Things we did well
  • Identified as the best managed program in
    Virginia state government
  • Improved relationship with auditors, who now
    understand the long-term goals
  • No findings
  • Lessons Learned
  • More time for helping other extended team members

19
Over Deliver
  • Went from out of compliance in COOP to best
    managed program in a Virginia state agency!
  • Achieved compliance with new requirements with
    minimal effort
  • Developed the Personal Safety Handbook for
    employees that provides information on how to
    respond, prevent, and report any incident (out of
    scope but needed to ensure program success)

20
Project Firsts
  • Only ERM for a state agency in Virginia (First
    found in the country!)
  • First developed Confidentiality Memorandum of
    Understanding (MOU) between state organizations
  • Only the second agency in Virginia to evaluate
    the recovery capabilities of the Virginia
    Information Technologies Agency/Northrop Grumman
    Partnership

21
2009-2010 Focus
  • Fine-tuning of the ERM Program, improving the
    culture of continuity
  • Management of positive as well as negative risks
  • Providing the model to other agencies
    experiencing the same issues
  • Statewide Aviation Response Program

22
Questions?
Randall P Burdette, Director, Virginia Department
of Aviation, (804) 236-3624,
Randall.burdette_at_doav.virginia.gov
Karen Cole, CEO, Assura, Inc., (866) 672-8714,
Karen.cole_at_assura.us