Aligning BCM into the Firm's Overall Governance Model: from Shared Control Principles to Shared Governance
Kathleen Lucey
[email protected]
tel: 516-676-9234
cell: 516-384-6437
2008 Montague Risk Management II, Inc. All Rights Reserved
Connections
• Information Security (computer security, data security)
• Records Management
• Emergency Management
• Crisis Management
• Business Continuity Management (disaster recovery, contingency planning, resilience)
InfoSec Overview
• Modern usage begins with the growth of information technology
– Traditionally ends at the last point controlled by DP / IT
– Generally reports within IT
– Professional knowledge base and jargon
InfoSec Control Principles
– Transference of Risk
– Prevention, Avoidance, Deterrence (Defensive Depth)
– Detection
– Mitigation & Recovery
– Correction
Records Management Overview
• Exists since the use of paper documents, but particularly since the use of printed documents
– Organizes and stores critical documents for future access
– Regulated
– Third-party industry for short- and long-term archive
– Professional knowledge base and jargon
– Generally reports to an internal administrative department (CFO)
Records Management Control Principles
– Transference of risk
– Loss Prevention, Avoidance, Deterrence (Defensive Depth)
– Detection
– Recovery
– Correction
Emergency Management Overview
• Primarily concerned with the safety of personnel during an infrastructure or other climate-induced or physical failure.
– Involves many third parties
– Regulated
– Professional knowledge base(s) and internal jargon (many)
– Supports controls used by other functions
– Generally reports to Facilities or HR, which reports to either the COO, CFO, or CAO
Emergency Management Control Principles
– Transference of risk and damages
– Prevention of human injury and loss of life
– Prevention, Avoidance, Deterrence of an infrastructure-related failure
– Detection of an emergency condition
– Mitigation & Recovery from an incident
– Correction
Crisis Management Overview
• Shapes and manages the communications to the public, employees, and other parties after a major incident
• Attempts to minimize the follow-on legal, financial and reputation impacts to the organization
– Third party involvement: Public Relations firm and/or a Law firm
– Senior executives are usually involved, but only at the time of incident
– Professional knowledge base(s) and internal jargon (multiple)
– Generally responsible to the CEO or Chairman of the Board
• May not be formally organized
Crisis Management Control Principles
– Transference of risk and damages wherever possible
– Detection: Early identification of potential crisis; pre-planned response
– Implementation of a “Crisis Management Plan”
– Mitigation & Recovery from an incident:
» “Spin” of crisis-related information to minimize negative impacts
» Control of communications channels to press, public, and staff
– Correction
Business Continuity Overview
• Modern usage begins with the growth of information technology, and the perceived dependence of the organization on its IT systems. First called DISASTER RECOVERY. Now may be called RESILIENCE.
– New third party industry: alternate IT sites. Alternate workarea sites.
– STILL often reports within IT; advanced organizations use different structures.
– Concerned with 1) avoiding/deterring an incident that interrupts business operations; 2) mitigating damages if one occurs.
– Often more attuned to operational impacts of IT systems loss: RTO, RPO
Business Continuity Control Principles
– Transference of risk and damages as possible
– Prevention, Avoidance, Deterrence (Defensive Depth) of ANY and ALL conditions that may provoke a business interruption
– Early detection and pre-planned, rehearsed response
– Damage Mitigation & Recovery
– Correction
[Organization chart: business continuity team structure. Boxes recovered from the diagram, grouped by their chart labels; reporting lines are not recoverable from the extracted text.]
• Initial Interruption Management: Interruption Management Team; Media Relations Team; Command Center Support Team; Business Continuity Coordination; Crisis Management Team; Employee Support; Emergency Funding
• Emergency Logistics: EMT; Government Liaison; Transportation, Communications; Physical Security; Admin. Services; HAZMAT; Damage Assessment; Insurance Liaison; Purchasing
• Recovery Management: Business Recovery Coordination (Business Continuity Teams); IT Recovery Coordination (Information Technology Recovery Teams); Site Repair or Relocate (Site Repair and Restoration; Site Relocation and Recreation)
Convergence of Disciplines
RISK MANAGEMENT must be concerned with all control disciplines working to deter and respond to ALL incidents that may result in personnel injury, operational interruptions to the business OR revenue losses.
• ALL of the control disciplines work to minimize the probability and severity of incidents.
• ALL are concerned with controls to reduce incident-related effects: injuries and/or damages.
ALL of these disciplines are often now included in business continuity programs.
Prototype Risk Management Governance Organization
[Organization chart. Boxes recovered from the diagram:]
• Board Risk Committee
• Corporate Risk Management
• Enterprise Audit Department
• Control disciplines: Business Continuity; Emergency Management / Facilities; Crisis Management; Physical Security; Information Security; Safety; Records Management; Insurance
Benefits
• Cross-pollination of control cultures erodes knowledge and jargon barriers.
• Missing or ineffective controls are easier to see when all are grouped together.
• Duplication of efforts can be eliminated.
• Risk Management budgets can be allocated across the company, instead of competing for resources within department- or silo-level organizations.
The Chief Risk Officer
• The CRO needs to understand and speak the languages of multiple control disciplines.
• The CRO will need knowledge, certification, and experience in multiple control disciplines.
• The CRO ranks will be filled by individuals willing to step away from each discipline's jargon, and to lead the emergence of a new management function that embraces all control disciplines.
Questions ??
Kathleen Lucey
Montague Risk Management
[email protected]
516-384-6437