Continuity & Resilience (CORE)
ISO 22301 CERTIFIED CONSULTING FIRM
Presentations by speakers at the 7th India Business & IT Resilience Summit
December 6, 2018 | Hyderabad, India

Our Contact Details:

UAE
Continuity and Resilience
Tel: +971 2 6594006
PO Box: 25722, Abu Dhabi, United Arab Emirates
Website: www.coreconsulting.ae
Email: info@continuityandresilience.com

INDIA
Continuity and Resilience
Level 15, Eros Corporate Tower, Nehru Place, New Delhi-110019
Tel: +91 11 41055534 | Fax: +91 11 41055535
Website: www.continuityandresilience.com
Email: info@continuityandresilience.com
BCM Regulations and Learnings from
across the globe
Dhiraj Lal
Executive Director, CORE
Hyderabad, Dec 6 2018
CONTENTS
1. Background
2. Research Methodology
3. Research Findings
4. Suggestions for India
5. Way Forward (open discussion)
BACKGROUND
• While there has been some recent progress in enhancing visibility of BCM in India, in general it is my concern that BCM in India does not currently get the importance that it deserves
• My sense is that the BCM domain in India could get a huge boost in case regulations or guidelines were formulated/enhanced, as is already the case in many other countries
• This presentation looks at BCM across various countries and sectors globally
• Purpose is, to the extent possible, to find a way to communicate this information to the powers-that-be in India. In case there are any Indian entities which are able to issue regulations/guidelines in BCM, that could hugely enhance the current levels of commitment towards BCM in India
• I would welcome any volunteers who may be willing to help make this happen.
RESEARCH METHODOLOGY
Objective: To give an overview of BCM regulations over the world, classified according to countries and sectors
Overview of sources: Internet based research from papers and publications, discussions/interviews
No. of countries considered: 30
Functions/sectors considered: Energy, Healthcare, Govt/Emergency Services, Financial Services and Capital Markets, and many others
Disclaimer: While every attempt has been made to ensure correctness of this data, it is recommended that it be independently verified before assuming it to be 100% correct. For example, new guidelines may have been issued, some may have been withdrawn/superseded, etc.
TEAM A
Sourish Dutta, IIM Calcutta
Shubhradeep Saha, IIM Calcutta
Rahul Das, IIM Calcutta
TEAM B
PGP-PGDM
IIM Calcutta
IIT Madras
PGP-PGDM
IIM Calcutta
IIT Jodhpur
Sasi Kaushik
PGP-PGDM
IIM Calcutta
JNTU Hyderabad
Bhargavi
Dinakaran
Lakshmi
Meenakshi
RESEARCH FINDINGS
[Charts: Data Availability (Approximation); Interest (Google Trends)]
GOVERNMENT/BCM
Country | Regulation/standard | Expectation from regulation | Issuing authority/body
USA | Continuity of Operations (COOP) and Continuity of Government (COG) - Federal Preparedness | All federal executive branch departments and agencies must develop an integrated/overlapping continuity capability, to support National Essential Functions. BCM should be maintained at high levels of readiness and be operational within 12 hours. BC Plans must be able to sustain operations for 30 days. | Government of USA
USA | OSHA - Occupational Safety and Health Administration Disaster preparedness | OSHA requires that all businesses with more than 10 employees have an Emergency Contingency Plan (ECP). For businesses with 10 or fewer, a plan is not mandated, but recommended. | OSHA (Occupational Safety & Health Administration)
UAE | Business Continuity Management Standard AE/HSC/NCEMA 7000 | All entities in the nation are supposed to implement BCM. | National Crisis and Disasters Management Authority of the UAE (NCEMA)
USA | Federal Financial Institutions Examination Council (FFIEC) Handbook, 2003-2004 (Chapter 10) | Directors and managers are accountable for organization-wide contingency planning and for "timely resumption of operations in the event of a disaster." | Federal Financial Institutions Examination Council (FFIEC)
Australia | Business Continuity Management - Building Resilience in Public Sector Entities | BCM is an essential component of good public sector governance and is part of an entity's overall approach to effective risk management. This guide is designed to be a useful reference document for boards, chief executives and senior management in public sector entities. | Australian National Audit Office (ANAO)
GOVERNMENT/INCIDENT MGT.
Country | BCM Type | Name/Number | Issuing Authority | Key Expectations
Canada | Legislation | Emergency Management & Civil Protection Act | Canadian Government | Every municipality shall formulate an emergency plan governing the provision of necessary services during an emergency and the procedures under and the manner in which employees of the municipality and other persons will respond to the emergency. The council of the municipality adopts the emergency plan.
Australia | Guidelines | AIIMS 2004 - Australian Inter-service Incident Management System | The Australasian Inter-Service Incident Management System (AIIMS) | To put in place a nationally recognised system, organizational principles and structure to manage bushfires and other large emergencies (e.g. floods, storms, cyclones etc.). Directly applicable to the nation's fire and emergency service agencies.
New Zealand | Guidelines | New Zealand Coordinated Incident Management System (CIMS) | Ministry of Civil Defence and Emergency Management, New Zealand | Establishes a framework of consistent principles, structures, functions, processes and terminology that agencies can apply in emergency response.
South Africa | Regulation | Major Hazard Installation Regulations, 1993 | Occupational Health & Safety, South African Government | Describes how incidents and their consequences should be dealt with, with special reference to emergency plans etc.
CAPITAL MARKETS
Country | BCM Type | Name/Number | Issuing Authority | Key Expectations
Kuwait | Regulation | Executive Bylaws - Policies & Procedures of Licensed Persons | Capital Market Authority Kuwait | Listed organizations must be able to at a very minimum fulfill their legal obligations in the event of an unexpected suspension of their business. Policies, plans (and precautions) must be maintained with respect of emergencies and the need to maintain business continuity. Such precautions must be documented and periodically updated and tested to ensure their effectiveness and continued relevance. Records related to precautions pertaining to business continuity must be kept for five years ideally.
Australia | Guidelines | Australian Financial Markets Association | Australia Financial Markets Association | Members should anticipate situations that would cause their operations to be disrupted, define a business continuity strategy, have a supporting business continuity plan (BCP), and test this plan regularly.
Saudi Arabia | Regulation | Rules for broking companies and stock exchange participants | Capital Market Authority Kingdom of Saudi Arabia | Entities transacting on the Saudi stock exchange (Tadawul) cannot have systems downtime of more than 45 minutes.
USA | Regulation | NYSE Rule 4370 (Business Continuity Plans and Emergency Contact Information) | Financial Industry Regulatory Authority (FINRA) | Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. The business continuity plan must be made available promptly upon request to FINRA staff.
HEALTHCARE
Country | BCM Type | BCM Name/Number | Issuing Authority | Key expectations
USA | Guidelines | Joint Commission Accreditation Manual for Hospitals (1997) | Joint Commission on Accreditation of Healthcare Organizations (JCAHO) | Organizations must plan for the continuity of their information management.
Hong Kong | Circular | Business continuity planning against serious communicable diseases | Securities and Futures Commission of Hong Kong | Business continuity plans are to be prepared for cases of unexpected market conditions and failures. This section also directs attention to business continuity plan expectations by other regulators.
USA | Regulation | Health Insurance Portability and Accountability Act | United States Department of Health and Human Services | To ensure that health care service delivery players across the full chain comply with strong security and privacy standards to protect personal health information (CIA). Failure to comply can result in fines as well as criminal penalties (up to $250,000 and up to 10 years in prison).
USA | Regulation | Code of Federal Regulations (CFR) Title XXI, 1999 | Food and Drug Administration (FDA) | Organizations must update their BC measures to ensure the availability of information.
ENERGY
Country | Regulation/standard | Expectation from regulation | Issuing authority/body
USA | Security Guideline for the Electricity Sector | Facilities and functions critical to operations should be identified, to support the operational continuity plans. Intention is to serve customers with a reliable source of electric energy, ensure the reliable operation of the energy grid and interconnection, and avoid losses that would create a significant risk to public health and safety. | The North American Electric Reliability Corporation (NERC)
Oman | SCADA and DCS Cyber-Security Standards | Entities must implement incident response, business continuity and disaster recovery plans, with special reference to SCADA/DCS systems. | Oman Authority for Electricity Regulation
UAE | Business Continuity Management Regulations for Drinking Water, Wastewater and Electricity Services | To ensure entities in the water, wastewater, and electricity sectors in the geography develop a Business Continuity Program and Business Continuity Plans. | The Regulation and Supervision Bureau - UAE
USA | Security Standards for Electric Market Participants | Every participant operating a critical electric resource shall have contingency plans that define roles, responsibilities and actions for protecting the rest of the electric grid and market from the failure of its own critical resources. Such plans shall be tested or exercised regularly. | Federal Electric Reliability Council's (FERC)
| Order No. 650 - Revisions to Oil Pipeline Regulations Pursuant to the Energy Policy Act of 1992 | | FERC
BANKING & INSURANCE
Country | BCM Name/Number | Issuing Authority | Key expectations
USA | White Paper for Strengthening the Resilience of US Financial System | FRB (Federal Reserve Bank), OCC (Office of the Comptroller of the Currency), SEC (Securities & Exchange Commission) | Rapid recovery and timely resumption of critical operations following a wide-scale disruption or loss or inaccessibility of staff in at least one major operating location. High level of confidence, via ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. Applicable also to service providers.
South Africa | Banks Act 2007 revision | South African Reserve Bank | To provide for the regulation and supervision of the business of public companies taking deposits from the public; and to provide for matters connected therewith.
Global | The Joint Forum - High-level principles for business continuity | Bank for International Settlements (Basel Committee on Banking Supervision) | 7 High-level principles of Business Continuity to be adhered to, including Board and senior management responsibility, Cross-border communications and Business Continuity Management reviews by financial authorities.
Switzerland | SBFA EBK RS 06/3 | Swiss Federal Banking Commission (SFBC) | Specifies the determination of capital requirements for operational risk along the three approach options and the related requirements.
Singapore | MCD 5/2003 - BCM Guidelines | Monetary Authority of Singapore (MAS) | Principles to be implemented for Business Continuity Planning in Banks.
Australia | Prudential Standard CPS 232 (Business Continuity Management) | Australian Prudential Regulation Authority (APRA) | Each APRA-regulated institution must implement a whole-of-business approach to BCM. This Prudential Standard applies to all 'APRA-regulated institutions': not only general and life insurance entities, but also all authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs).
TELECOM
Country | Regulation/standard | Key expectations | Issuing authority/body
USA | Telecommunications Act of 1996, Section 256, Coordination for Interconnectivity | Requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by carriers and other providers. | FCC - Federal Communications Commission
| CTIA Telecommunication Industry BCM Standard and certification | Adherence to a basic set of regulation in natural disasters, tech issues. | CTIA (Cellular Telecommunications Industry Association)
Hellenic Countries | Secrecy Assurance Regulations for Telecommunication Services | Regulatory framework for Organizations providing telecom services to retail or corporate clients. | Hellenic Authority for Communication Security and Privacy
USA | Comments to the U.S.-India ICT Working Group on the draft National Telecommunications Policy | Suggestions for the growth and progress of the Indian Telecom industry, including business continuity. | The Telecommunications Industry Association (TIA), the U.S.-India Business Council (USIBC) and the Information Technology Industry Council (ITI)
INFORMATION SECURITY
Country | BCM Type | BCM Name/Number | Issuing Authority | Key expectations
USA | National Standards | ANSI/ARMA 5-2003 | American National Standards Institute | Sets the requirements for establishment of a Vital Records Program. Encompasses the requirements for identifying and protecting vital records, assessing and analyzing their vulnerability, and determining the impact of their loss on the organization.
USA | Legislation | FISMA: Federal Information Security Management Act of 2002 | FTC (Federal Trade Commission) | Details requirements to assess risk, determine levels of security necessary to protect such information, and also periodically test and evaluate information security controls and techniques.
Singapore | Standard | Singapore Standard for business continuity management (SS507:2004) | Standards Council of Singapore | This Standard is applicable to all organisations regardless of their size. This standard emphasises resilience and protection of critical assets, human, environmental, intangible and physical.
Germany | Guidelines | BSI 100-4 (Business Continuity Management) | Federal Office for Information Security, Germany | The goal of this standard is to point out a systematic method for enabling fast reactions to emergencies and crises of all types and origins that could lead to a disruption of business operations. This focuses on the Availability aspect of Information Security.
Italy | Legislation | Law Decree No. 196 | Italian government | Code on Personal Data and Sensitive Information Protection.
SUPPLY CHAIN
Country | Regulation/standard | Expectation from regulation | Issuing authority/body
Japan | Business Continuity Guidelines - Strategies and Responses for Surviving Critical Incidents | Focus on the importance of including risks and consideration of the supply chain, and the necessity of a flexible business continuity strategy for handling risks. | Cabinet Office, Government of Japan
USA | Continuity of Operations/Continuity of Government for State-Level Transportation Organizations | The Homeland Security Presidential Directive 20 (HSPD-20) requires all local, state, tribal and territorial government agencies, and private sector owners of critical infrastructure and key resources (CI/KR) to create a Continuity of Operations Plan (COOP). The Transportation Research Board offers guidance for transportation organizations to comply. | United States Department of Transportation's Research and Innovative Technology Administration
Singapore | MAS Guidelines on Outsourcing | Guidelines on ensuring BC preparedness is not compromised by outsourcing; taking steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated; and assurance on the functionality. | Monetary Authority of Singapore (MAS)
Singapore | Business Continuity Management for Singapore's Logistics Sector | Each organisation must establish a BCM policy that is linked to organizational objectives and other policies (including risk management), and which has been communicated to all employees and relevant stakeholders. | Singapore Business Federation and Singapore Logistics Association
INDIA
Industry | BCM Type | Issuing Authority | Key expectations
Banking | Regulation | RBI | Banks should put in place necessary backup sites for their critical payment systems. Bank Boards/Top Management should provide clear guidance and direction in relation to BCP. The main responsibilities are approving policy on BCP, prioritizing critical business functions, allocating sufficient resources, and reviewing test results.
Aviation | Good Practice | DGCA | Aviation entities should ensure preparedness for technical emergencies like safety and security related issues, and non-technical emergencies like natural disaster, structural disaster, and public health emergencies.
Capital Markets | Regulation | National Stock Exchange of India | Stock exchanges are to have a documented process/framework to ensure the continuation and/or rapid recovery from failure or interruption of business and Information Technology processes and systems.
Insurance | Regulation | IRDA | Apart from the corporate governance guidelines, insurance companies must have a risk management committee to monitor and review updates on Business Continuity. Insurance brokers need to include BCM plans in case they have any. Also, in case of outsourcing, they should ensure that vendors have business continuity.
Capital Markets | Regulation | Securities and Exchange Board of India (SEBI) | Exchanges should have a robust Business Continuity Plan (BCP) and Disaster Recovery (DR), to ensure continuity of operations. The exchanges shall conduct an annual system audit as per the prescribed audit framework. The Systems Audit Report and compliance status should be placed before the governing board of the exchange and communicated to SEBI along with their comments.
THE HELP WE NEED FROM YOU
• Please let us know of any National/Industry specific BCM/IT DR guidelines/standards that are being asked for currently in India, mandatory or non-mandatory
• Please help highlight to Govt/Regulators/Industry bodies (IBA/CII/FICCI etc.) the need for BCM/IT DR to be mandatory
• Please help get BCM/IT DR into critical industries like Power, Energy, Telecom, Aviation, Healthcare, Security Services, Municipalities etc.
• Please help at least get BCM/IT DR made mandatory for all listed companies
• And any other ways you can think of….

PLEASE LET US KNOW HOW YOU CAN HELP ENHANCE BCM COMMITMENT IN INDIA
india@continuityandresilience.com
+91 78383 89017 / 99580 91880

Thank You
Dhiraj Lal (+91 9910110240)
d.lal@continuityandresilience.com
Continuity & Resilience (CORE)
ISO 22301 CERTIFIED CONSULTING FIRM
Presentations by speakers at the
7th India Business & IT Resilience Summit
December 6, 2018 | Hyderabad, India
Our Contact Details:
UAE INDIA
Continuity and Resilience
Tel: +971 2 6594006
PO Box: 25722, Abu Dhabi,
United Arab Emirates
Website: www.coreconsulting.ae
Email: info@continuityandresilience.com
Continuity and Resilience
Level 15,Eros Corporate Tower
Nehru Place ,New Delhi-110019
Tel: +91 11 41055534 | Fax: ++91 11 41055535
Website: www.continuityandresilience.com
Email: info@continuityandresilience.com

More Related Content

BCM Regulations and Learnings from across the globe..

  • 1. Continuity & Resilience (CORE) ISO 22301 CERTIFIED CONSULTING FIRM Presentations by speakers at the 7th India Business & IT Resilience Summit December 6, 2018 | Hyderabad, India Our Contact Details: UAE INDIA Continuity and Resilience Tel: +971 2 6594006 PO Box: 25722, Abu Dhabi, United Arab Emirates Website: www.coreconsulting.ae Email: info@continuityandresilience.com Continuity and Resilience Level 15,Eros Corporate Tower Nehru Place ,New Delhi-110019 Tel: +91 11 41055534 | Fax: ++91 11 41055535 Website: www.continuityandresilience.com Email: info@continuityandresilience.com
  • 2. BCM Regulations and Learnings from across the globe Dhiraj Lal Executive Director, CORE Hyderabad, Dec 6 2018
  • 3. CONTENTS  Background 1  Research Methodology 2  Research Findings 3  Suggestions for India 4  Way Forward (open discussion) 5 SECTION
  • 4. BACKGROUND • While there has been some recent progress in enhancing visibility of BCM in India, in general it is my concern that BCM in India does not currently get the importance that it deserves • My sense is that the BCM domain in India could get a huge boost in case regulations or guidelines were formulated/enhanced – as is already the case in many other countries • This presentation looks at BCM across various countries and sectors globally • Purpose is, to the extent possible, to find a way to communicate this information to the powers-that-be in India. In case there are any Indian entities which are able to issue regulations/guidelines in BCM, that could hugely enhance the current levels of commitment towards BCM in India • I would welcome any volunteers who may be willing to help make this happen.
  • 5. RESEARCH METHODOLOGY Objective To give an overview of BCM regulations over the world, classified according to countries and sectors Overview of Sources Internet based research from papers and Publications, Discussions/Interviews No of countries considered 30 Functions/sector s considered Energy, Healthcare, Govt/Emergency Services, Financial Services and Capital Markets - and many others Disclaimer While every attempt has been made to ensure correctness of this data, it is recommended that it be independently verified before assuming it to be 100% correct. For example, new guidelines may have been issued, some may have been withdrawn/superseded etc.
  • 6. TEAM A Sourish Dutta, IIM Calcutta Shubhradeep Saha, IIM Calcutta Rahul Das, IIM Calcutta
  • 7. TEAM B PGP-PGDM IIM Calcutta IIT Madras PGP-PGDM IIM Calcutta IIT Jodhpur Sasi Kaushik PGP-PGDM IIM Calcutta JNTU Hyderabad Bhargavi Dinakaran Lakshmi Meenakshi
  • 8. RESEARCH FINDINGS Data Availability (Approximation) Interest (Google Trends)
  • 9. GOVERNMENT/BCM Country Regulation/ standard Expectation from regulation Issuing authority/body USA Continuity of Operations (COOP) and Continuity of Government (COG) - Federal Preparedness All federal executive branch departments and agencies must develop an integrated/ overlapping continuity capability, to support National Essential Functions. BCM should be maintained at high levels of readiness and be operational within 12 hours. BC Plans must be able to sustain operations for 30 days Government of USA USA OSHA ‐ Occupational Safety and Health Administration Disaster preparedness . OSHA requires that all businesses with more than 10 employees have an Emergency Contingency Plan (ECP). For business with 10 or less, a plan is not mandated, but recommended OSHA (Occupational Safety & Health Administration) UAE Business Continuity Management Standard AE/HSC/NCEMA 7000 All entities in the nation are supposed to implement BCM National Crisis and Disasters Management Authority of the UAE (NCEMA) USA Federal Financial Institutions Examination Council (FFIEC) Handbook, 2003-2004 (Chapter 10) Directors and managers are accountable for organization-wide contingency planning and for "timely resumption of operations in the event of a disaster." Federal Financial Institutions Examination Council (FFIEC) Australia Business Continuity Management - Building Resilience in Public Sector Entities BCM is an essential component of good public sector governance and is part of an entity’s overall approach to effective risk management. This guide is designed to be a useful reference document for boards, chief executives and senior management in public sector entities Australian National Audit Office (ANAO)
  • 10. GOVERNMENT/INCIDENT MGT. Country BCM Type Name/ Number Issuing Authority Key Expectations Canada Legislation Emergency Management & Civil Protection Act Canadian Government Every municipality shall formulate an emergency plan governing the provision of necessary services during an emergency and the procedures under and the manner in which employees of the municipality and other persons will respond to the emergency. The council of the municipality adopt the emergency plan Australia Guidelines AIIMS 2004 ‐ Australian Inter‐service Incident Management System The Australasian Inter- Service Incident Management System (AIIMS) To put in place a nationally recognised system, organizational principles and structure to manage bushfires and other large emergencies (e.g. floods, storms, cyclones etc.). Directly applicable to the nation's fire and emergency service agencies New Zealand Guidelines New Zealand Coordinated Incident Management System (CIMS) Ministry of Civil Defence and Emergency Management, New Zealand Establishes a framework of consistent principles, structures, functions, processes and terminology that agencies can apply in emergency response South Africa Regulation Major Hazard Installation Regulations, 1993 Occupational Health & Safety, South African Government Describes how incidents and their consequences should be dealt with, with special reference to emergency plans etc,
  • 11. Countr y BCM Type Name/ Number Issuing Authority Key Expectations Kuwait Regulation Executive Bylaws - Policies & Procedures of Licensed Persons Capital Market Authority Kuwait Listed organizations must be able to at a very minimum fulfill their legal obligations in the event of an unexpected suspension of their business. Policies, plans (and precautions) must be maintained with respect of emergencies and the need to maintain business continuity. Such precautions must be documented and periodically updated and tested to ensure their effectiveness and continued relevance. Records related to precautions pertaining to business continuity must be kept for five years ideally. Australia Guidelines Australian Financial Markets Association Australia Financial Markets Association Members should anticipate situations that would cause their operations to be disrupted, define a business continuity strategy, have a supporting business continuity plan (BCP), and test this plan regularly. Saudi Arabia Regulation Rules for broking companies and stock exchange participants Capital Market Authority Kingdom of Saudi Arabia Entities transacting on the Saudi stock exchange (Tadawul) cannot have systems downtime of more then 45 minutes USA Regulation NYSE Rule 4370 (Business Continuity Plans and Emergency Contact Information) Financial Industry Regulatory Authority (FINRA) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. The business continuity plan must be made available promptly upon request to FINRA staff CAPITAL MARKETS
  • 12. HEALTHCARE Country BCM Type BCM Name /Number Issuing Authority Key expectations USA Guidelines Joint Commission Accreditation Manual for Hospitals (1997) Joint Commission on Accreditation of Healthcare Organizations (JCAHO) Organizations must plan for the continuity of their information management. Hong Kong Circular Business continuity planning against serious communicable diseases Securities and Futures Commission of Hong Kong Business continuity plans are to be prepared for cases of unexpected market conditions and failures. This section also directs to attention to business continuity plan expectations by other regulators USA Regulation Health Insurance Portability and Accountability Act United States Department of Health and Human Services To ensure that health care service delivery players across the full chain comply with strong security and privacy standards to protect personal health information (CIA). Failure to comply can result in fines as well as criminal penalties (up to $250,000 and up to 10 years in prison). USA Regulation Code of Federal Regulations (CFR) Title XXI, 1999 Food and Drug Administration (FDA) Organizations must update their BC measures to ensure the availability of information
  • 13. Country Regulation/standard Expectation from regulation Issuing authority/body USA Security Guideline for the Electricity Sector Facilities and functions critical to operations should be identified, to support the operational continuity plans. Intention is to serve customers with a reliable source of electric energy, ensure the reliable operation of the energy grid and interconnection, and avoid losses that would create a significant risk to public health and safety The North American Electric Reliability Corporation (NERC) Oman SCADA and DCS Cyber- Security Standards Entities must implement incident response, business continuity and disaster recovery plans, with special reference to SCADA/DCS systems; Oman Authority for Electricity Regulation UAE Business Continuity Management Regulations for Drinking Water, Wastewater and Electricity Services To ensure entities in the water, wastewater, and electricity sectors in the geography develop a Business Continuity Program and Business Continuity Plans The Regulation and Supervision Bureau – UAE USA Security Standards for Electric Market Participants Every participant operating a critical electric resource shall have contingency plans that define roles, responsibilities and actions for protecting the rest of the electric grid and market from the failure of its own critical resources. Such plans shall be tested or exercised regularly. Federal Electric Reliability Council’s (FERC) Order No. 650 Revisions to Oil Pipeline Regulations Pursuant to the Energy Policy Act of 1992 FERC ENERGY
  • 14. Countr y BCM Type BCM Name /Number Issuing Authority USA White Paper for Strengthening the Resilience of US Financial System FRB (Federal Reserve Bank),OCC (Office of the Comptroller of the Currency). SEC (Securities & Exchange Commission) Rapid recovery and timely resumption of critical operations following a wide- scale disruption or loss or inaccessibility of staff in at least one major operating location. High level of confidence, via ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. Applicable also to service providers. South Africa Banks Act 2007 revision South African Reserve Bank To provide for the regulation and supervision of the business of public companies taking deposits from the public; and to provide for matters connected therewith. Global The Joint Forum - High-level principles for business continuity Bank for International Settlements (Basel Committee on Banking Supervision) 7 High-level principles of Business Continuity to be adhered to, including Board and senior management responsibility , Cross-border communications and Business Continuity Management reviews by financial authorities Switzerland SBFA EBK RS 06/3 Swiss Federal Banking Commission (SFBC) Specifies the determination of capital requirements for operational risk along the three approach options and the related requirements. Singapore MCD 5/2003 - BCM Guidelines Monetary Authority of Singapore (MAS) Principles to be implemented for Business Continuity Planning in Banks Australia Prudential Standard CPS 232 (Business Continuity Management) Australian Prudential Regulation Authority (APRA) Each APRA-regulated institution must implement a whole-of-business approach to BCM. 
This Prudential Standard applies to all ‘APRA- regulated institutions’, not general and life insurance entities, but also all authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs) BANKING & INSURANCE
  • 15. TELECOM
Country | Regulation/standard | Key expectations | Issuing authority/body
USA | Telecommunications Act of 1996, Section 256, Coordination for Interconnectivity | Requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by carriers and other providers. | FCC - Federal Communications Commission
 | CTIA Telecommunication Industry BCM Standard and certification | Adherence to a basic set of regulation in natural disasters, tech issues | CTIA (Cellular Telecommunications Industry Association)
Hellenic Countries | Secrecy Assurance Regulations for Telecommunication Services | Regulatory framework for organizations providing telecom services to retail or corporate clients | Hellenic Authority for Communication Security and Privacy
USA | Comments to the U.S.-India ICT Working Group on the draft National Telecommunications Policy | Suggestions for the growth and progress of the Indian telecom industry, including business continuity | The Telecommunications Industry Association (TIA), the U.S.-India Business Council (USIBC) and the Information Technology Industry Council (ITI)
  • 16. INFORMATION SECURITY
Country | BCM Type | BCM Name/Number | Issuing Authority | Key expectations
USA | National Standards | ANSI/ARMA 5-2003 | American National Standards Institute | Sets the requirements for establishment of a Vital Records Program. Encompasses the requirements for identifying and protecting vital records, assessing and analyzing their vulnerability, and determining the impact of their loss on the organization.
USA | Legislation | FISMA: Federal Information Security Management Act of 2002 | FTC (Federal Trade Commission) | Details requirements to assess risk, determine levels of security necessary to protect such information, and also periodically test and evaluate information security controls and techniques.
Singapore | Standard | Singapore Standard for business continuity management (SS507:2004) | Standards Council of Singapore | This Standard is applicable to all organisations regardless of their size. This standard emphasises resilience and protection of critical assets: human, environmental, intangible and physical.
Germany | Guidelines | BSI 100-4 (Business Continuity Management) | Federal Office for Information Security, Germany | The goal of this standard is to point out a systematic method for enabling fast reactions to emergencies and crises of all types and origins that could lead to a disruption of business operations. This focuses on the Availability aspect of Information Security.
Italy | Legislation | Law Decree No. 196 | Italian government | Code on Personal Data and Sensitive Information Protection
  • 17. SUPPLY CHAIN
Country | Regulation/standard | Expectation from regulation | Issuing authority/body
Japan | Business Continuity Guidelines - Strategies and Responses for Surviving Critical Incidents | Focus on the importance of including risks and consideration of the supply chain, and the necessity of a flexible business continuity strategy for handling risks | Cabinet Office, Government of Japan
USA | Continuity of Operations/Continuity of Government for State-Level Transportation Organizations | The Homeland Security Presidential Directive 20 (HSPD-20) requires all local, state, tribal and territorial government agencies, and private sector owners of critical infrastructure and key resources (CI/KR), to create a Continuity of Operations Plan (COOP). The Transportation Research Board offers guidance for transportation organizations to comply. | United States Department of Transportation's Research and Innovative Technology Administration
Singapore | MAS Guidelines on Outsourcing | Guidelines on ensuring BC preparedness is not compromised by outsourcing; taking steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated; and assurance on the functionality | Monetary Authority of Singapore (MAS)
Singapore | Business Continuity Management for Singapore's Logistics Sector | Each organisation must establish a BCM policy that is linked to organizational objectives and other policies (including risk management), and that has been communicated to all employees and relevant stakeholders. | Singapore Business Federation and Singapore Logistics Association
  • 18. INDIA
Industry | BCM Type | Issuing Authority | Key expectations
Banking | Regulation | RBI | Banks should put in place necessary backup sites for their critical payment systems. Bank Boards/Top Management should provide clear guidance and direction in relation to BCP. The main responsibilities are approving policy on BCP, prioritizing critical business functions, allocating sufficient resources, and reviewing test results.
Aviation | Good Practice | DGCA | Aviation entities should ensure preparedness for technical emergencies like safety and security related issues, and non-technical emergencies like natural disaster, structural disaster and public health emergencies.
Capital Markets | Regulation | National Stock Exchange of India | Stock exchanges to have a documented process/framework to ensure the continuation and/or rapid recovery from failure or interruption of business and Information Technology processes and systems.
Insurance | Regulation | IRDA | Apart from the corporate governance guidelines, insurance companies must have a risk management committee to monitor and review updates on Business Continuity. Insurance brokers need to include BCM plans in case they have any. Also, in case of outsourcing, they should ensure that vendors have business continuity.
Capital Markets | Regulation | Securities and Exchange Board of India (SEBI) | Exchanges should have a robust Business Continuity Plan (BCP) and Disaster Recovery (DR) to ensure continuity of operations. The exchanges shall conduct an annual system audit as per the prescribed audit framework. The Systems Audit Report and compliance status should be placed before the governing board of the exchange and communicated to SEBI along with their comments.
  • 19. THE HELP WE NEED FROM YOU
• Please let us know of any National/Industry specific BCM/IT DR guidelines/standards that are being asked for currently in India – mandatory/non-mandatory
• Please help highlight to Govt/Regulators/Industry bodies (IBA/CII/FICCI etc) the need for BCM/IT DR to be mandatory
• Please help get BCM/IT DR into critical industries like Power, Energy, Telecom, Aviation, Healthcare, Security Services, Municipalities etc
• Please help at least get BCM/IT DR be mandatory for all listed companies
• And any other ways you can think of….
  • 20. PLEASE LET US KNOW HOW YOU CAN HELP ENHANCE BCM COMMITMENT IN INDIA
india@continuityandresilience.com
+91 78383 89017 / 99580 91880
Thank You
Dhiraj Lal (+91 9910110240)
d.lal@continuityandresilience.com