Pandemic Planning for Business Continuity
Business Continuity Planning (BCP)
Disaster Recovery Planning (DRP)
Binomial International
The Binomial Bookstore
Rothstein Associates Inc.
NEW RELEASES AND SPECIAL OFFERS!
BUSINESS CONTINUITY MANAGEMENT:
AUDIO CD PROGRAM by Ms. Michael C. Redmond

Learn the vital information you need to develop or improve your organization’s business recovery plan. This two-volume CD set outlines the components of an effective emergency management and business continuity program, including hazard identification, risk assessment and impact analysis. You will learn to identify the management structure and process necessary to develop a new program or advance an existing program, starting with the integration of hazard identification, vulnerability assessment and business impact analysis in prioritizing risks and allocating resources.

Business Continuity Management has been defined by the Disaster Recovery Institute International (DRII) as a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. It includes the management of recovery or continuity in the event of a disaster as well as the management of the overall program through training, rehearsals, and reviews, to ensure the plan stays current and up to date.

Business Continuity Programs are defined by the US National Preparedness Standard on Disaster / Emergency Management & Business Continuity Programs (NFPA 1600) as an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.

The objectives of business continuity, as defined by the Federal Financial Institutions Examination Council (FFIEC), are to minimize loss to the entity; continue to serve customers and financial market participants; and mitigate the negative effects disruptions can have on an institution's strategic plans, reputation, operations, liquidity, credit quality, market position, and ability to remain in compliance with applicable laws and regulations.

= = = = = = = = = =

VOLUME 1

DISK 1: PROJECT INITIATION AND MANAGEMENT

Organizing and managing resources in such a way that these resources deliver all the work required to complete a full business continuity program within defined scope, time, and cost constraints. Setting the vision, mission, goals, and objectives of the program as it relates to the policies of the entity. Establishing and defining responsibilities for the program finance authority, including its reporting relationships to the program coordinator. Designing the processes for a Business Continuity Management (BCM) program; this would include obtaining management support and organizing and managing the process. This phase is discussed in relation to the key elements of disaster/emergency management project initiation and management. Business Continuity Program is an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.

- - - - - - - - -

DISK 2: RISK EVALUATION AND CONTROL

Risk is the possibility of loss, damage, or any other undesirable event, and its evaluation and control lend themselves to a systematic and comprehensive methodology to evaluate risks.
A comprehensive risk assessment identifies the range of possible hazards, threats, or perils that have or might impact the entity, surrounding area, or critical infrastructure supporting the entity. Events that can affect the entity and controls that can be utilized to mitigate the effects of potential loss. How to identify hazards, the likelihood of their occurrence, and the vulnerability of people, property, the environment, and the entity itself to those hazards.

- - - - - - - - -

DISK 3: BUSINESS IMPACT ANALYSIS

Identifying the critical and time-sensitive applications, vital records, processes, and functions that shall be maintained, as well as the personnel and procedures necessary to do so, their recovery priorities, and inter-dependencies so that recovery time objectives can be set. Techniques for analysis based on both the quantifiable and qualifiable impacts. Determining which hazards are most likely to occur; what entity facilities, functions, or services are affected based on their vulnerability to that hazard; what actions will most effectively protect them; and the potential impact on the entity. Documenting impacts to the entity in terms of time, money, people, materials, energy, space, provisions, communication, quality, etc. Considering the impact external to its area of influence that can affect the entity’s ability to cope with a disaster/emergency.

- - - - - - - - -

DISK 4: DEVELOPING BUSINESS CONTINUITY MANAGEMENT STRATEGIES

Developing and implementing a strategy to eliminate hazards or mitigate the effects of hazards that cannot be eliminated. Selecting business operating strategies for continuation of business within the recovery point objective and recovery time objective that will allow for maintaining the organization’s critical functions. Basing it on the results of hazard identification and risk assessment, impact analysis, program assessment, operational experience, and cost-benefit analysis.
Considering the resource capability shortfalls and the steps necessary to overcome any shortfalls. Determining roles and responsibilities for functions. Establishing interim and long-term actions to reduce the risks from hazards such as protective systems or equipment that can reduce the probability of occurrence or the severity of consequences.

- - - - - - - - -

DISK 5: EMERGENCY RESPONSE AND OPERATIONS

Assigning responsibilities to entity and individuals for carrying out specific actions at projected times and places in an emergency or disaster. Procedures for response and stabilizing the situation, including an Emergency Operations Center. Directing, controlling, and coordinating response operation. Developing procedures including life safety, incident stabilization, and property conservation.

- - - - - - - - -

BONUS DISK 1: WORKBOOK

- - - - - - - - -

VOLUME 2

DISK 6: DEVELOPING AND IMPLEMENTING BUSINESS CONTINUITY AND CRISIS MANAGEMENT PLANS

Written plans using strategies based on the short-term and long-term priorities, processes, vital resources, and acceptable time frames for restoration of services, facilities, programs, and infrastructure, that provide continuity within the recovery time and recovery point objectives. Including the critical and time-sensitive applications, vital records, processes, and functions that shall be maintained, as well as the personnel and procedures necessary to do so, while the entity is being recovered. Developing procedures and policies for coordinating response, continuity, and recovery activities. Directing, controlling, and coordinating response operations.

- - - - - - - - -

DISK 7: AWARENESS AND TRAINING PROGRAMS

Developing and implementing a training/educational curriculum to support the program and increase the entity's awareness of the program. Supporting the Business Continuity Management Program through supporting activities.

- - - - - - - - -

DISK 8. MAINTAINING AND EXERCISING PLANS

Pre-planned exercises which are evaluated and documented to exercise such areas as the logistical capability and procedures to locate, acquire, store, distribute, and account for services, personnel, resources, materials, and facilities procured or donated to support the program. Evaluating the program plans, procedures, and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises. Establishing procedures to ensure that corrective action is taken on any deficiency identified in the evaluation process and to revise the plan. Developing processes to maintain the currency of continuity capabilities and the plan document in accordance with the entity's vision and mission. Reporting results in a way that they are usable to management in improving the program.

- - - - - - - - -

DISK 9. CRISIS COMMUNICATIONS

Addressing communication needs and capabilities to execute all components of the response and recovery plans, and the inter-operability of multiple responding organizations and personnel. Designing, utilizing and implementing an incident management system that can be used for communicating and coordinating with resources identified within the plan and others. Designing procedures for response to requests for pre-disaster, disaster, and post-disaster information. Developing, coordinating, evaluating, and exercising plans to communicate with employees, management, families, vendors, suppliers, the media and others.

- - - - - - - - -

DISK 10. COORDINATION WITH EXTERNAL AGENCIES

Establishing procedures for coordinating continuity and restoration activities with external agencies while making sure the actions are in compliance with applicable statutes or regulations.

- - - - - - - - -

BONUS DISK 2: QUESTIONS AND ANSWERS

Actual questions from students of Redmond Worldwide, Inc. Teleseminars on the areas of Business Continuity, with responses from Ms. Michael C. Redmond.

- - - - - - - - -

BONUS DISK SET

DISK 11: RISK ASSESSMENT GENERAL BACKGROUND

Delves into the risk categories including reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, outsourcing, people, technology and knowledge. Conducting an economic and financial impact analysis to arrive at a general loss expectancy that demonstrates what is at risk and to guide measures to mitigate the effects of a disaster/emergency. Failure mode and effects analysis (FMEA): Each element in a system is examined individually and collectively to determine the effect when one or more elements fail. Fault-tree analysis (FTA): This is a top-down approach where an undesirable event is identified and the range of potential causes that could lead to the undesirable event is identified.

- - - - - - - - -

DISK 12: GAP ANALYSIS

Overview of a Business Continuity Program Gap Analysis starting with the development of a Gap Analysis Checklist. This is a list of recommended requirements from sources such as NFPA 1600, Disaster Recovery Institute, FFIEC, HIPAA, etc. documented in a “report card.” Gap assessment is a preparedness evaluation to know where the program is now versus what is preferred practice for planning activities. Tips for Quality: Assessments as a mechanism to keep your program up to date and ready. Scope, administration, management issues, program evaluation. Key components of a Gap Analysis such as report considerations and communicating assessment results as well as control of assessment information and legal issues that must be considered.

- - - - - - - - -

DISK 13: RESTORATION PLANNING

When a catastrophe of any kind occurs, whether it is fire, smoke, water, wind, oil/chemical spill, biological hazard, explosion or radiological release, the best approach is a rapid, safe and thorough remediation.
Restoration is the process of planning for and/or implementing procedures for the repair of hardware, relocation of the primary site and its contents, and returning to normal operations at the permanent operational location. Three questions: What's damaged, who's fixing it and who's paying for it. Performing a coordinated assessment to determine the appropriate actions to be performed on impacted assets. The assessment can be coordinated with insurance adjusters, facilities personnel, or other involved parties. Appropriate actions may include: disposal, replacement, reclamation, refurbishment, recovery or receiving compensation for unrecoverable organizational assets.

= = = = = = = = =

The CDs presented in this collection are based on Business Continuity/Disaster Recovery Professional Practices, Standards, Guidelines and Regulations. To develop a full program or fully assess an existing program, the references which were used to create this CD series should be combined with your industry-specific best practices as well as your own entity's experiences and insights.

BUSINESS CONTINUITY/DISASTER RECOVERY REFERENCES

NFPA 1600, The US National Preparedness Standard on Disaster / Emergency Management & Business Continuity Programs (NFPA 1600)

BS 25999, The BS 25999 series includes two standards. The first, BS 25999-1:2006 Code of Practices for BCM, establishes practices, principles, and terminology. The second, BS 25999-2-2006, a specification for BCM, specifies the requirements for implementation of business continuity controls.

PAS 77, IT Services Continuity Management, a framework for IT Continuity and Availability Management

COOP and COG, Continuity of Operations/Continuity of Government

DRII, Disaster Recovery Institute International and BCI, Business Continuity Institute. DRII sets standards that provide the minimum acceptable level of measurable knowledge, thus providing a baseline for levels of knowledge and capabilities.
Accordingly, in 1997, DRII, together with BCI, published the Professional Practices for Business Continuity Planners as the industry’s international standard.

FFIEC, The Federal Financial Institutions Examination Council is an interagency body set out to dictate policies, standards, and report forms for the scrutiny of financial institutions by the Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance Corporation, National Credit Union Administration, the Office of the Comptroller of Currency, and the Office of Thrift Supervision.

HIPAA, The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule 164.308(a)(7)(i) identifies Contingency Plan as a standard under Administrative Safeguards. Contingency plans address the “availability” security principle. The availability principle addresses threats related to business disruption, so that authorized individuals have access to vital systems and information when required.

Sarbanes Oxley, 404 – The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or SarbOx; July 30, 2002). Section 404 of the Act mandates that adequate “internal controls” exist to ensure compliance. SOX clearly states a harsh set of fines and other punishments for failure to comply with the law; however, it doesn’t offer any leeway when it comes to being unable to meet your requirements due to a disaster or other data-loss event. Entities must be able to file reports and have the data to back them up, no matter what else may be going on in the organization or its data center. SOX details what must be reported from a financial view of the corporation, and when those reports must be made.
It also details guidelines for internal compliance operations to ensure that these reports can be created on time and accurately. The SOX requirements have serious implications for DR planning.

COSO, National Commission on Fraudulent Financial Reporting that was created in 1985. This is also known as the Treadway Commission. They made a number of recommendations that directly addressed internal controls.

FMECA, Failure Mode, Effects, and Criticality Analysis, dates back to a U.S. military report from 1949. Since then, FMECA (also known as simply FMEA) has spread from just pre-disaster maintenance and evolved today to become an important part of restoration risk analysis and restoration management.

- - - - - - - - -

In addition, when developing these CDs, thought was given to regulatory considerations such as:
.. Australian Standard BCP Guidelines
.. Check 21
.. Gramm-Leach-Bliley Act
.. FIPS 199 Federal Information Processing Standards Publication
.. PATRIOT ACT
.. Monetary Authority Singapore BCP Guidelines
.. NAIC (National Assoc Insurance Commissioner)
.. NASD
.. Nat’l Future Assoc Compliance
.. New Basel Accord II
.. NYSE
.. UK Turnbull Report (Financial Services)
.. US Financial Services Authority (FSA-handbook systems and control)

= = = = = = = = =

DRII CONTINUING EDUCATION CREDITS

Disaster Recovery Institute International (DRII) is granting 16 continuing education credits for completion of this educational CD series.

= = = = = = = = =

ABOUT THE SPEAKER

Ms. MICHAEL C. REDMOND is CEO of Redmond Worldwide, Inc., an International Consulting Company. Prior consulting experience included both consulting and compliance auditing with such firms as Chubb, Deloitte and Touché and KPMG. She served 4 years on Active Duty with US Military and completed an additional 16 years with the National Guard and Reserve. She served, on a special project, as the US Attaché to Chile for Disaster Recovery at the request of the President of Chile.
She was invited to the US White House for a luncheon honoring women who were outstanding in their fields. She was selected by the UN to write the Prolog on Risk for the Millennium Book on Disaster Recovery, which was presented to the Heads of State for every nation. She is a Certified Business Recovery Planner; Certified Emergency Manager; and holds two Master Level Certifications in Business Continuity. Ms. Redmond is currently a PhD Candidate in Psycho-neurology and holds an MBA. She is also a graduate of Command & General Staff College out of Fort Leavenworth, where she studied strategic planning; control and command; and control in an emergency. Furthermore, she has completed the Civil Affairs courses in the School for Special Warfare, which encompasses planning in various political and cultural environments. She served as an Adjunct Professor for Emergency Management and Business Continuity Management at New York University and the Masters program at John Jay College. She serves on the Executive Board of the New York Chapter for Association of Contingency Planners. She is on the editorial review panel for the Business Continuity Journal. Ms. Redmond is an author and an International Speaker. She has written for many contingency magazines and recorded many CDs on Business Continuity and Emergency Management and has a book coming out in November, 2007.

= = = = = = = = = =

2007, 15 Audio CD set. Order #DR824. Special Order item.

= = = = = = = = = =

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008