Adam S. Levison, CBCP - PowerPoint PPT Presentation

Provided by: adamsl. Slides: 20.

Transcript and Presenter's Notes

1
Citi Institutional Clients Group - Business Continuity Management
Enterprise Risk Management: Establishing a Risk Control-based Continuity Program
  • Adam S. Levison, CBCP
  • Senior Vice President, Citi Institutional Clients Group
  • Adam.Levison_at_citi.com | 1 973.725.1567

2
Goals
  • Distinguish Compliance vs. Risk Control
      • Stakeholder Drivers
      • Objectives and Outcome
  • Provide methods to establish a Program Certification/Attestation Model
  • Transform from Business Continuity to Independent Risk Control Utility
  • Provide methods to implement an Independent Utility Risk Control Model
      • Governance
      • Plan Review (BIA, Plan, Crisis Management)
      • Testing (Validation)
  • Typical risk control findings from a Fully Compliant program
  • Provide tangible how-tos to take back and apply to your program

3
Compliance vs. Risk Control: Stakeholder Drivers
(Drivers for each stakeholder, under Program Compliance and under Deficiency Management and Risk Mitigation)

Business Recovery Coordinator
  • Program Compliance: Track business progress against milestones. Attest to business completion and compliance.
  • Deficiency Management and Risk Mitigation: Analyze deficiency root cause so appropriate corrective action can be taken. Prioritize based on risk exposure and track issue resolution.
Risk Control (Ops Risk/Audit)
  • Program Compliance: Determine key issues from geographical, business and discipline perspective. Develop risk trends on issues and non-compliance. Track business progress towards completing BCM milestones.
  • Deficiency Management and Risk Mitigation: Analyze deficiency root cause so appropriate corrective action can be taken. Develop risk trends on issues and non-compliance. Track business progress towards resolving program compliance and risk control issues.
Management
  • Program Compliance: Ascertain overall program health by measuring policy compliance. Track business progress towards completing BCM milestones. Respond to deficiencies or missing progress. Compare standing versus geographic and business peers.
  • Deficiency Management and Risk Mitigation: Ascertain overall program health by measuring level of risk control and compliance issues. Track business progress towards resolving program compliance and risk control issues. Compare standing versus geographic and business peers.
4
Foundation and Framework
  • Foundation: program source and core
      • Publish policy, mandates, standards
      • Align to in-country regulations and industry best practice; support firm objectives
      • Avoid loopholes that can crack your foundation (aka program)
  • Framework: the program structure
      • Implementation: how to achieve compliance
      • Expectations: minimum requirements
      • Span of control: areas involved, exceptions
      • Inspection: ensure adherence
  • Implementation
      • Clearly communicate mandates and expectations for all businesses
      • Establish a steady pace to update and maintain planning milestones
  • Ensuring Compliance and Risk Control
      • Cyclical checkpoints to affirm compliance
      • Business certification
      • Independent validation and verification

5
Distinguishing between Compliance and Risk Control
  • Business Impact Analysis (BIA)
      • Compliance: loss impacts, RTO/RPO, process prioritization
      • Risk issues: the business may not be aware of all risks and the corresponding impact on their processes in the event of a disaster.
  • Crisis/Incident Management Plan (CMP)
      • Compliance: response and decision protocols, key contacts, escalation
      • Risk issues: the plan may not be viable and ready to be executed, which may impact the ability to resume and/or sustain business-as-usual processes.
  • Business Recovery Plan (BRP)
      • Compliance: strategy, workarea requirements, staffing, impact mitigation
      • Risk issues: the plan may be insufficient to minimize financial losses, continue to serve stakeholders, and mitigate the negative effects of the disruption.
  • Governance
      • Compliance: having responsible owners and maintainers of the program
      • Risk issues: production and recovery planning may fall out of sync, resulting in a breakdown in the ability to recover.
  • Testing
      • Compliance: execution of plan strategies and protocols to validate mitigation of impacts noted in the BIA.
      • Risk issues: untested strategies leave theories unproven and forgo the discovery of gaps and of more effective methods to recover.

6
Program Compliance Certification
  • Defined
      • Provides evidence as to the effectiveness of continuity planning programs, which include risk assessment, business impact analysis, planning, containment and recovery strategies, testing, training and awareness, compliance, independent review and governance.
  • Business certifies and takes ownership of their program
  • Forces management action on deficiencies through corrective action plans or risk acceptances
  • Raises the exposure level of the program
  • Supports regulatory and audit requirements
  • Benchmarks business standing
  • Improvement/deterioration trending

7
Program Certification Process
  • Create an attestation-type questionnaire that addresses each policy mandate to certify
      • Yes: business completed to the letter of the policy
      • No: business is not in compliance
  • Supporting evidence
      • Yes: where can the evidence be found (centralized planning system, shared drive, etc.)?
      • No: what is the gap? What is the resolution? When will the resolution be implemented?
  • Business Manager approves the compliance attestation standing, thus certifying the compliance results and committing to resolve any deficiencies

8
Transform from Continuity to Independent Risk Control
  • Limitations of relying solely on Program Certification
      • Check-the-box mentality
      • Risk taking / rounding up
      • Creation of an artificial ceiling on program improvement and maturity
  • Continuity Program transforms into a Centralized Independent Risk Control Utility
      • Align the program to an audit style with continuity subject matter expertise
      • Become a service organization by
          • Validating compliance certification
          • Identifying gaps and partnering to resolve
          • Injecting risk control into a policy-compliant program
      • Evolve your program to operate horizontally across the firm organization

9
Creating and Conducting an Independent Review
  • Objective
      • Evaluate plans to assess the comprehensiveness, usability and quality of the documents
      • Establish a benchmark for what to correct prior to an official audit
      • Assist the business to identify and correct audit or compliance deficiencies
  • Implementation
      • Identify and prioritize plans to be reviewed by risk/criticality rating
          • High-rated: annually
          • Medium/Low-rated: alternating on a bi-annual cycle
      • Evaluate each plan by
          • Answering each question with a rating of compliant, not compliant, or compliant with risk issue
          • Documenting limitations or issues
          • Providing recommended corrective actions
  • Tools and reference material to assist in the review
      • Firm policy and standards
      • Regulatory guidelines
      • Audit program guidelines and requirements

10
Establish Independent Risk Control Test
  • Create a checklist that focuses on core program remits
      • Governance (roles and responsibilities)
      • Assessment (identification and prioritization of processes, BIA)
      • Crisis Management (escalation, staffing, notification)
      • Business Continuity Plan Requirements (protocols, procedures, vital records, workarea requirements)
      • Validation (call tree, business continuity, training exercises)
      • Compliance (audits, certifications, disclosures)

11
Validating Governance
  • Objective: to validate that a business has
      • An owner (e.g. Business Unit Head) who is accountable for the continuity of the business in scope.
      • An implementer (e.g. Business Recovery Coordinator) who is responsible for developing and maintaining recovery plan components and requirements.
  • Risk Control
      • Establish the necessary framework, roles, responsibilities and backup positions for the effective administration of the CoB program
      • Ensure adequate management, ownership and accountability of the business' continuity program.
  • Evaluation Findings
      • Challenge the understanding and training of the members who occupy roles.
      • Are the Business Heads truly accountable for the day-to-day business?
      • Does proper succession planning exist?

12
Validating Business Assessment
  • Objective
      • To identify, evaluate and prioritize functions necessary to continue operations during a contingency.
      • Determine if the prioritization, RTO, RPO, and criticality ratings of business processes adequately reflect the current business environment.
      • Set proper direction on recovery strategy development and implementation
  • Risk Control
      • Business processes are captured at the appropriate level
      • Assigned RTOs are justified by the quantitative and qualitative impacts
  • Evaluation Findings
      • Policy typically requires processes to have an RTO. Independent reviews challenge and validate the RTO and impacts so appropriate strategies are formulated.

13
Validating Recovery Plan
  • Objective
      • To validate the plan's adequacy, effectiveness, and quality by ensuring all BIA objectives and requirements are addressed in the plan strategy
  • Risk Control: determine whether the plan
      • Addresses the recovery of key processes and sub-processes according to their criticality ratings.
      • Sustains, through its strategy, the minimum RTO identified in the BIA and includes the protocols necessary to recover functions that support business interdependencies.
      • Considers dependencies on processes that are external to the business, whether they are internal to the company or provided by vendors or other third parties.
      • Provides manual workarounds to be used as appropriate when systems and technology backups are not available.
  • Evaluation Findings
      • Policy typically requires a strategy and basic requirements to support the strategy.
      • Risk control fine-tunes the plan to focus on cost-effective solutions, closing loopholes in the supply chain, and establishing SLAs where handshake agreements may expose the business during a crisis.

14
Validating Crisis/Incident Response Plan
  • Objective
      • Identify whether the protocols and roles are appropriate and effective to allow a business to respond, react, and mitigate.
  • Risk Control
      • Ineffective response to a crisis event can delay invocation and jeopardize critical RTOs.
      • Clear protocols and decision-making checklists facilitate quicker response during an incident.
  • Evaluation Findings
      • Ensure crisis teams are not only filled, but filled with the right staff and backups.
      • Apply what's on paper to local risk.
      • Findings can be vetted during tabletop exercises.

15
Validating Recovery Exercise Process
  • Objective
      • Validate the adequacy and effectiveness of how the businesses test their recovery capabilities, and ensure recovery capabilities are sufficient to mitigate risk.
  • Risk Control verifies that the
      • Plan is tested to ensure the business process is functional in all aspects
      • Test results indicate whether testing objectives and success criteria have been met.
      • Application testing at an alternative location includes network connectivity and other critical data feed mechanisms (e.g., connections and interfaces).
      • Test is performed using the actual production data.
      • Status of corrective action plan(s) developed to address problems encountered during the tests is tracked.
      • Plan properly supports and reflects the goals, SLAs and priorities contained in the business unit.
  • Evaluation Findings
      • Structure of call trees (linear or cascade)
      • Recovery tests rigged for success that do not challenge realistic situations
      • Testing capacity

16
Typical findings from a Compliant Program
  • General Findings
      • Plans are not reader-friendly and lack logical flow. Most plans are too long to be of value.
      • Key items such as assembly points, location of the recovery site and directions to the recovery site are difficult to find.
  • Assessment
      • Limited documentation of a threat and vulnerability assessment being conducted.
      • Plan criticality is inconsistent in both the process requirement and impacts.
  • Strategy
      • Critical information such as evacuation procedures is not documented.
      • Holes in recovery requirements.
  • Plan Requirements
      • Many of the notification and communication procedures are missing vital information.
      • Limited logistical protocols (e.g. directions to the recovery site, expense management, etc.)
      • Most strategies did not contain resumption-to-BAU procedures.
      • Lack of documentation around disclosures.
  • Testing

17
Recap and Considerations
  • Establish a baseline for policy, mandates, standards
  • Force businesses to certify their program compliance standing
  • Transform the continuity program into an Independent Risk Control Utility
      • Validate certification
      • Partner with the business to address risk control issues.
      • Separate black/white policy compliance from program quality, effectiveness, and adequacy.
      • Expose and remediate Audit's typical touch points on the business's behalf
  • Create a closed-loop Compliance and Risk Control system
      • Risk control validation exposes check-the-box compliance certifications.
  • Reap the benefits
      • Achieve true business compliance
      • Address key risks through corrective actions or management acceptance
      • Have Audit place reliance on your program to centralize continuity reviews
      • Raise program maturity level
      • Achieve effective, executable and validated recovery plans and strategies
      • Go beyond check the box

18
In Closing
Questions? Items to revisit. Discussion on local
experiences.
19
Citi Institutional Clients Group - Business Continuity Management
Enterprise Risk Management: Establishing a Risk Control-based Continuity Program
  • Adam S. Levison, CBCP
  • Senior Vice President, Citi Institutional Clients Group
  • Adam.Levison_at_citi.com | 1 973.725.1567