BUSINESS CONTINUITY MANAGEMENT:
AUDIO CD PROGRAM
by Ms. Michael C. Redmond

Learn the vital information you need to develop or improve your organization’s
business
recovery plan. This two-volume CD set outlines the components of an effective
emergency
management and business continuity program, including hazard identification, risk
assessment and impact analysis. You will learn to identify the management
structure and
process necessary to develop a new program or advance an existing program,
starting with
the integration of hazard identification, vulnerability assessment and business
impact
analysis in prioritizing risks and allocating resources.

Business Continuity Management has been defined by the Disaster Recovery
Institute
International (DRII) as a holistic management process that identifies potential
impacts that
threaten an organization and provides a framework for building resilience with the
capability
for an effective response that safeguards the interests of its key stakeholders,
reputation,
brand and value creating activities. It includes the management of recovery or
continuity in the
event of a disaster as well as the management of the overall program through
training,
rehearsals, and reviews, to ensure the plan stays current and up to date.

Business Continuity Programs are defined by the US National Preparedness
Standard on
Disaster / Emergency Management & Business Continuity Programs (NFPA 1600)
as an
ongoing process supported by senior management and funded to ensure that the
necessary
steps are taken to identify the impact of potential losses, maintain viable recovery
strategies
and recovery plans, and ensure continuity of services through personnel training,
plan testing,
and maintenance.

The objectives of business continuity, as defined by the Federal Financial
Institutions
Examination Council (FFIEC), are to minimize loss to the entity; continue to serve
customers
and financial market participants; and mitigate the negative effects disruptions can
have on an
institution's strategic plans, reputation, operations, liquidity, credit quality, market
position,
and ability to remain in compliance with applicable laws and regulations.

= = = = = = = = =
=

VOLUME 1

DISK 1: PROJECT INITIATION AND MANAGEMENT
Organizing and managing resources in such a way that these resources deliver all
the work
required to complete a full business continuity program within defined scope, time,
and cost
constraints. Setting the vision, mission, goals, and objectives of the program as it
relates to
the policies of the entity. Establishing and defining responsibilities for the program
finance
authority, including its reporting relationships to the program coordinator.
Designing the
processes for a Business Continuity Management (BCM) program, this would
include
obtaining management support and organizing and managing the process. This
phase is
discussed in relation to the key elements of disaster/emergency management
project
initiation and management. Business Continuity Program is an ongoing process
supported by
senior management and funded to ensure that the necessary steps are taken to
identify the
impact of potential losses, maintain viable recovery strategies and recovery plans,
and ensure
continuity of services through personnel training, plan testing, and maintenance.

- - - - - - - - -

DISK 2: RISK EVALUATION AND CONTROL
Risk is the possibility of loss, damage, or any other undesirable event and the
evaluation and
control lend themselves to a systematic and comprehensive methodology to
evaluate risks. A
comprehensive risk assessment identifies the range of possible hazards, threats,
or perils
that have or might impact the entity, surrounding area, or critical infrastructure
supporting the
entity. Events that can affect the entity and controls that can be utilized to mitigate
the
effects of potential loss. How to identify hazards, the likelihood of their occurrence,
and the
vulnerability of people, property, the environment, and the entity itself to those
hazards.

- - - - - - - - -

DISK 3: BUSINESS IMPACT ANALYSIS
Identifying the critical and time-sensitive applications, vital records, processes, and
functions
that shall be maintained, as well as the personnel and procedures necessary to do
so, their
recovery priorities, and inter-dependencies so that recovery time objectives can be
set.
Techniques for analysis based on both the quantifiable and qualifiable impacts,
Determining
which hazards are most likely to occur; what entity facilities, functions, or services
are
affected based on their vulnerability to that hazard; what actions will most
effectively protect
them; and the potential impact on the entity, Documenting impacts to the entity in
terms of
time, money, people, materials, energy, space, provisions, communication,
quality, etc
Considering the impact external to its area of influence that can affect the entity’s
ability to
cope with a disaster/emergency.

- - - - - - - - -

DISK 4: DEVELOPING BUSINESS CONTINUITY MANAGEMENT STRATEGIES
Developing and implement a strategy to eliminate hazards or mitigate the effects of
hazards
that cannot be eliminated. Selecting business operating strategies for continuation
of
business within the recovery point objective and recovery time objective that will
allow for
maintaining the organization’s critical functions. Basing it on the results of hazard
identification and risk assessment, impact analysis, program assessment,
operational
experience, and cost-benefit analysis. Considering the resource capability
shortfalls and the
steps necessary to overcome any shortfalls. Determining roles and responsibilities
for
functions. Establishing interim and long-term actions to reduce the risks from
hazards such
as protective systems or equipment that can reduce the probability of occurrence
or the
severity of consequences.

- - - - - - - - -

DISK 5: EMERGENCY RESPONSE AND OPERATIONS
Assigning responsibilities to entity and individuals for carrying out specific actions
at
projected times and places in an emergency or disaster. Procedures for response
and
stabilizing the situation, including an Emergency Operations Center. Directing,
controlling,
and coordinating response operation. Developing procedures including life safety,
incident
stabilization, and property conservation.

- - - - - - - - -

BONUS DISK 1: WORKBOOK

- - - - - - - - -


VOLUME 2

DISK 6: DEVELOPING AND IMPLEMENTING BUSINESS CONTINUITY AND
CRISIS
MANAGEMENT PLANS
Written plans using strategies based on the short-term and long-term priorities,
processes,
vital resources, and acceptable time frames for restoration of services, facilities,
programs,
and infrastructure, that provide continuity within the recovery time and recovery
point
objectives. Including the critical and time-sensitive applications, vital records,
processes, and
functions that shall be maintained, as well as the personnel and procedures
necessary to do
so, while the entity is being recovered. Developing procedures and policies for
coordinating
response, continuity, and recovery activities. Directing, controlling, and
coordinating response
operations

- - - - - - - - -

DISK 7: AWARENESS AND TRAINING PROGRAMS
Developing and implementing a training/educational curriculum to support the
program and
increase the entities awareness of the program. Supporting the Business
Continuity
Management Program through supporting activities.

- - - - - - - - -

DISK 8. MAINTAINING AND EXERCISING PLANS
Pre-planned exercises which are evaluated and documented to exercise such
areas as the
logistical capability and procedures to locate, acquire, store, distribute, and
account for
services, personnel, resources, materials, and facilities procured or donated to
support the
program. Evaluating the program plans, procedures, and capabilities through
periodic reviews,
testing, post-incident reports, lessons learned performance evaluations, and
exercises.
Establishing procedures to ensure that corrective action is taken on any deficiency
identified
in the evaluation process and to revising the plan. Developing processes to
maintain the
currency of continuity capabilities and the plan document in accordance with the
Entities
vision and mission. Reporting results in a way that they are usable to management
in
improving the program.

- - - - - - - - -

DISK 9. CRISIS COMMUNICATIONS
Addressing communication needs and capabilities to execute all components of
the
response and recovery plans, and the inter-operability of multiple responding
organizations
and personnel. Designing, utilizing and implementing an incident management
system that
can be used for communicating and coordination with resources identified within
the plan and
others. Designing procedures for response to requests for pre-disaster, disaster,
and
post-disaster information. Developing, coordinating, evaluating, and exercising
plans to
communicate with employees, management, families. vendors, suppliers, the
media and
others.

- - - - - - - - -

DISK 10. COORDINATION WITH EXTERNAL AGENCIES
Establishing procedures for coordinating continuity and restoration activities with
external
agencies while making sure the actions are in compliance with applicable statutes
or
regulations.

- - - - - - - - -

BONUS DISK 2: QUESTIONS AND ANSWERS
Actual questions from students of a Redmond Worldwide, Inc. Teleseminars on the
areas of
Business Continuity with responses from Ms. Michael C. Redmond.

- - - - - - - - -

BONUS DISK SET

DISK 11: RISK ASSESSMENT GENERAL BACKGROUND
Delves into the Risk categories including reputation, strategy, financial,
investments,
operational infrastructure, business, regulatory compliance, Outsourcing, people,
technology
and knowledge. Conducting an economic and financial impact analysis to arrive at
a general
loss expectancy that demonstrates what is at risk and to guide measures to
mitigate the
effects of a disaster/emergency. Failure mode and effects analysis (FMEA): Each
element in
a system is examined individually and collectively to determine the effect when one
or more
elements fail. Fault-tree analysis (FTA): This is a topdown approach where an
undesirable
event is identified and the range of potential causes that could lead to the
undesirable event is
identified.

- - - - - - - - -

DISK 12: GAP ANALYSIS
Overview of a Business Continuity Program Gap Analysis starting with the
development of a
Gap Analysis Checklist. This is a list of recommended requirements from sources
such as
NFPA 1600, Disaster Recovery Institute, FFIEC, HIPPA, etc. documented in a
“report card.”
Gap assessment is a preparedness evaluation to know where the program is now
versus
what is preferred practice for planning activities. Tips for Quality: Assessments as
a
mechanism to keep your program up to date and ready. Scope, administration,
management
issues, program evaluation. Key components of a Gap Analysis such as report
considerations and communicating assessment results as well as control of
assessment
information and legal issues that must be considered.

- - - - - - - - -

DISK 13: RESTORATION PLANNING
When a catastrophe of any kind occurs, whether it is fire, smoke, water, wind,
oil/chemical
spill, biological hazard, explosion or radiological release the best approach is a
rapid, safe
and thorough remediation. Restoration is the process of planning for and/or
implementing
procedures for the repair of hardware, relocation of the primary site and its
contents, and
returning to normal operations at the permanent operational location. Three
questions: What's
damaged, who's fixing it and who's paying for it. Performing a coordinated
assessment to
determine the appropriate actions to be performed on impacted assets. The
assessment can
be coordinated with Insurance adjusters, facilities personnel, or other involved
parties.
Appropriate actions may include: disposal, replacement, reclamation,
refurbishment, recovery
or receiving compensation for unrecoverable organizational assets.

= = = = = = = = =

The CD’s presented in this collection are based on Business Continuity/Disaster
Recovery
Professional Practices, Standards Guidelines and Regulations. To develop a full
program or
fully assess an existing program, the references which were used to create this
CD series
should be combines with your industry specific best practices as well as your own
entities’
experiences and insights.

BUSINESS CONTINUITY/DISASTER RECOVERY REFERENCES

NFPA 1600, The US National Preparedness Standard on Disaster / Emergency
Management
& Business Continuity Programs (NFPA 1600)

BS 25999, The BS 25999 series includes two standards. The first BS
25999-1:2006 Code of
Practices for BCM, establishes practices, principles, and terminology. The
second, BS
25999-2-2006 a specification for BCM specifies the requirements for
implementation of
business continuity controls.

PAS 77, IT Services Continuity Management, a framework for IT Continuity an
Availability
Management

COOP and COG, Continuity of Operations/Continuity of Government

DRII, Disaster Recovery Institute International and BCI, Business Continuity
Institute. DRII
sets standards that provide the minimum acceptable level of measurable
knowledge, thus
providing a baseline for levels of knowledge and capabilities. Accordingly, in 1997,
DRII,
together with BCI, published the Professional Practices for Business Continuity
Planners as
the industry’s international standard.

FFIEC, The Federal Financial Institutions Examination Council is an interagency
set out to
dictate policies, standards, and report forms for the scrutiny of financial institutions
by the
Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance
Corporation,
National Credit Union Administration, the Office of the Comptroller of Currency, and
the Office
of Thrift Supervision).

HIPPA, The Health Insurance Portability and Accountability Act (HIPAA) was
enacted by the
U.S. Congress in 1996. The Health Insurance Portability and Accountability Act
(HIPAA)
Security Rule 164.308(a)(7)(i) identifies Contingency Plan as a standard under
Administrative
Safeguards. Contingency plans address the “availability” security principle. The
availability
principle addresses threats related to business disruption –so that authorized
individuals have
access to vital systems and information when required.

Sarbanes Oxley, 404 – The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116
Stat. 745,
also known as the Public Company Accounting Reform and Investor Protection Act
of 2002
and commonly called SOX or SarbOx; July 30, 2002) . Section 404 of the Act
mandates that
adequate “internal controls” exist to ensure compliance. SOX clearly states a
harsh set of
fines and other punishments for failure to comply with the law; however, it doesn’t
offer any
leeway when it comes to being unable to meet your requirements due to a disaster
or other
data-loss event. Entities must be able to file reports and have the data to back
them up, no
matter what else may be going on in the organization or its data center. SOX
details what
must be reported from a financial view of the corporation, and when those reports
must be
made. It also details guidelines for internal compliance operations to ensure that
these
reports can be created on time and accurately. The SOX requirements have
serious
implications for DR planning.

COSO, National Commission on Fraudulent Financial Reporting that was created
in 1985.
This is also known as the Treadway Commission. They made a number of
recommendations
that directly addressed internal controls.

FMECA, Failure Mode, Effects, and Criticality Analysis, dates back to a U.S.
military report
from 1949. Since then, FMECA (also known as simply FMEA) has spread from
just pre
Disaster Maintenance and evolved today to become an important part of restoration
risk
analysis and restoration management.

- - - - - - - - -

In addition, when developing these CD’s thought was given to regulatory
considerations
such as:
.. Australian Standard BCP Guidelines
.. Check 21
.. Gramm-Leach-Bliley Act
.. FIPS 199 Federal Information Processing Standards Publication
.. PATRIOT ACT
.. Monetary Authority Singapore BCP Guidelines
.. NAIC (National Assoc Insurance Commissioner)
.. NASD
.. Nat’l Future Assoc Compliance
.. New Basal Accord II
.. NYSE
.. UK Trumbull Report (Financial Services)
.. US Financial Services Authority (FSA-handbook systems and control)

= = = = = = = = =

DRII CONTINUING EDUCATION CREDITS

Disaster Recovery Institute International (DRII) is granting 16 continuing education
credits for
completion of this educational CD series.

= = = = = = = = =

ABOUT THE SPEAKER

Ms. MICHAEL C. REDMOND is CEO of Redmond Worldwide, Inc. an International
Consulting
Company. Prior consulting experience included both consulting and compliance
auditing
which such firms as Chubb, Deloitte and Touché and KPMG. She served 4 years
on Active
Duty with US Military and completed an additional 16 years with the National
Guard and
Reserve.

She served, on a special project, as the US Attaché to Chile for Disaster Recovery
at the
request of the President of Chile. She was invited to the US White House for a
luncheon
honoring woman who were outstanding in their fields. She was selected by the UN
to write
the Prolog on Risk for the Millennium Book on Disaster Recovery which was
presented to the
Heads of State for every nation.

She is a Certified Business Recovery Planner; Certified Emergency Manager; and
holds two
Master Level Certifications in Business Continuity.

Ms. Redmond is currently a PhD Candidate in Psycho-neurology and holds an
MBA. She is
also a graduate of Command & General Staff College out of Fort Leavenworth,
where she
studied strategic planning; control and command; and control in an emergency.
Furthermore,
she has completed the Civil Affairs courses in the School for Special Warfare,
which
encompasses planning in various political and cultural environments.

She served as an Adjunct Professor for Emergency Management and Business
Continuity
Management at New York University and the Masters program at John Jay
College. She
serves on the Executive Board of the New York Chapter for Association of
Contingency
Planners.

She is on the editorial review panel for the Business Continuity Journal. Ms.
Redmond is an
author and an International Speaker. She has written for many contingency
magazines and
recorded many CD's on Business Continuity and Emergency Management and
has a book
coming out in November, 2007.

= = = = = = = = =
=
2007, 15 Audio CD set.
Order #DR824. Special Order item.
= = = = = = = = =
=

4 Arapaho Rd.

Brookfield, CT 06804-3104 USA

1-888-ROTHSTEin; (888.768.4783)

Telephone: 203.740.7444; 888.768.4783

Fax: 203.740.7401

"Keep Me Posted" Business Survival Newsletter