Preliminary Conference Program
We’re proud to present the preliminary conference program for DRI2018! These exciting sessions are just the beginning. The full conference program will be announced on October 15. Check back often for updates on additional sessions as well as exciting tracks, including a Hands-on Workshop Track, a Healthcare BCM Track, and a Cyber Risk Track. As always, our sessions are not seen elsewhere and our speakers are by invitation only, making this the most challenging and unique educational content of any event in our profession!
PANEL: DRI’s Revamped Professional Practices – How Is the BCM Market Keeping Pace?
Moderator: Al Berman, DRI International
Attend this panel discussion, led by the legendary Al Berman, to learn how the BCM market is reacting to DRI’s recently updated and expanded Professional Practices. Based in part on feedback from DRI Certified Professionals worldwide, the revamped Professional Practices now include the most current concerns to our community – worries like supply chain and cyber risks. Attend this session to see how the BCM market is handling those changes. With myriad product and services offerings built on the foundation DRI provides, the vendor community is now challenged to ensure that those offerings also are in line with your concerns and DRI’s Professional Practices – the most used standard in our profession by a mile!
PANEL: Here Comes the Cavalry (literally) – The Military and Defense Support to Civil Authorities
Have you ever wondered how the military gets involved with disaster response? How does the military fit into the Incident Command System (ICS)? Why are military assets committed to some disasters and not others? Is there a difference between support provided by active duty, National Guard, and reserve components? Is it martial law?! Join this session to learn more about the nuances of military response and capabilities during a disaster.
WORKSHOP: Cyber Risk Management – Mitigating the Human
Drew Buchanan, Bowhead
It is not a matter of if your organization will be attacked by a cyber threat, but when! While most organizations spend significant resources on technical controls, up to 90 percent or more of cyber incidents occur as a result of human error, making the job of the cyber attacker that much easier. By implementing organizational strategies to reduce the likelihood of human error, the likelihood of success for the most common forms of cyber-attack can be significantly lowered.
This two-hour, scenario-based workshop will explore organizational challenges with addressing human error as well as the technical and non-technical risk controls that can be used to control this risk. This session will be of value to both technical and non-technical business continuity managers with risk management responsibilities.
WORKSHOP: Strengthening Your Program by Auditing
Donald L. Schmidt, DRI International
Harvey Betan, DRI International
Auditing is an objective activity that should add value to an organization by following a systematic, disciplined approach. If you’re striving to improve your business continuity program or need to audit critical suppliers, this workshop is a must. Whether you are self-assessing your program (auditing the preparedness of your suppliers) or preparing for certification, this two-hour, hands-on workshop will provide the guidance you need. Auditing methodology will be defined, evaluation criteria including international standards will be identified, and lessons learned from decades of auditing will be shared. Project management, collecting “evidence,” corroborating information gathered, and using objective criteria to identify program gaps and support your opinion will be covered.
WORKSHOP: Designing Creative Exercises – From Theory to Real World
This four-hour, hands-on workshop is a practical exercise design course during which you will be actively engaged. If you want to learn how to build (or better!) your exercises, this is the workshop for you. Exercising can mean the difference between surviving a crisis and not. We practice to ensure all participants understand their roles and responsibilities during a crisis. An exercise is NOT a test, but rather a chance to practice skills learned through training.
Equally important is setting your exercise up right from the beginning. Designing an exercise takes time, patience, and support. An exercise should produce measurable, useful, timely, and relevant results. Designing exercises is not one-size-fits-all; however, many of the foundations are the same. This course will take you through the steps to design a creative, effective, and fun exercise.
CASE STUDY: Rain, Rushing Water, and Recovery – Lessons from Ellicott City
Ryan Miller, Howard County Emergency Management
Larry Twele, Howard County Economic Development Authority
When six inches of rain got dumped on Ellicott City, MD, in under two hours, something perhaps even more rare than the resulting 1,000-year flood happened – a partnership between county emergency management and economic development officials rose to the top and really worked! Everyone talks about public-private partnerships. Attend this session to hear about one that resulted in more than 95% of businesses surviving. Ryan Miller, Director of Emergency Management for Howard County, MD, and Larry Twele, CEO of the Howard County Economic Development Authority, will give an overview of the plans in place before the flood, including how they incorporated economic development into the emergency operations plan and the community disaster recovery plan. They’ll take attendees through the response – a response so large and complex that resources from as far away as Colorado were called in – to the devastating flood that gave almost no warning. They’ll cover short-, medium-, and long-term recovery. But most importantly, they’ll teach you how to apply their model in order to get your local emergency managers and economic development officials working together!
CASE STUDY: Government Shutdown! – A BCM Practitioner’s Perspective during a “Pre-Meditated” Disaster
John T. Driscoll II, State of Maine Office of Information Technology
As BCM Practitioners, we continuously plan and prepare for unforeseen disruptions and disasters. But what if the “disaster” is pre-planned, the start time is known, and the organization has the ability to end the disaster at will? What business continuity information is relevant and useful, and what is not? The State of Maine suffered through a government shutdown in the summer of 2017. What agencies experienced when they reached for their contingency plans was not quite what they expected. Join this session to experience a practitioner’s viewpoint when business continuity does a 180-degree pivot!
CASE STUDY: Designing a Resiliency Program – Tradition or Innovation?
Ever wonder why some business continuity and crisis management programs succeed while others do not? Traditional program methodology paved the way for our firm’s highly successful enterprise resiliency program, but over time, it also led to our BC/CM approach getting stuck in the proverbial rut. How did we dig ourselves out of that rut and gain the unparalleled support of our enterprise’s executive team? By innovating. Join us as we share stories and the lessons we’ve learned about stepping out of our comfort zone, taking a business-centric approach to continuity risk, moving from a tactical mindset to a strategic focus and the value of building relationships.
Align Your BCM Program and Its Deliverables with Your Organization’s Objectives…and Gain Executive Interest
Michael Kadar, DRI International
DRI Professional Practice One, Program Initiation and Management, states that the professional should, “Develop objectives, assumptions, and scope for the business continuity program within the context of the entity’s mission, objectives, and operations.” At a macro level, what steps have you taken to ensure your BCM program’s mission and objectives clearly align with “… the entity’s mission, objectives, and operations”? Is the alignment of BCM and the organization’s mission and objectives obvious to senior management? Or do they often ask questions like, “What is the value of your preparedness recommendations to the objectives of this organization?” Perhaps they require a better understanding of the alignment – if one exists.
DRI Professional Practice Three, Business Impact Analysis, states in part that the professional should, “Analyze the collected data against the approved criteria to establish a recovery time objective and recovery point objective…” At a micro level, how do you ensure documented recovery objectives (RTO, RPO, RLO) meet “… approved criteria …” and align with normal business operations objectives?
This session will present a step-by-step Objectives Alignment Assessment method that operates at both the macro and micro levels of your program. The macro level method will allow you to perform an assessment of your BCM program’s alignment with your organization’s mission and objectives. You will learn how to use this method to analyze and identify organization-program gaps at an entity level. The micro level method will allow you to perform an assessment of your BIA process and its capability to identify and align recovery objectives with normal operations objectives. You will learn how to use this method to analyze alignment and identify normal objective – recovery objective gaps at a business process level.
Bonus: Session attendees that request the Objectives Alignment Assessment tool for their BCM program will receive the operational file at no charge shortly after the conference!
The Future of Ransomware and Social Engineering
Ross Albert, HUB International
The threat of ransomware has risen with the increased existence of sensitive digital information. Businesses and individuals have experienced their computers and servers being seized by variations of ransomware that encrypt their data and hinder their computer accessibility, which can only be resolved with a decryption key upon payment of a ransom. Through any method of data hijacking, criminals are able to access privately held information through various intrusion techniques for financial gain.
Ransomware tactics have evolved with the introduction of software that, instead of requiring payment to free a compromised computer, provides victims with the opportunity to obtain a key in exchange for compromising others. As the threat of ransomware has risen, so has the sophistication of the attacks, which now include the use of social engineering techniques.
This presentation will explore the future of ransomware and the likely evolution of tactics, techniques, and procedures over the next three to five years. Attendees will better understand how these intrusions occur; how social engineering techniques are used to facilitate, perpetuate, and manage ransomware operations; strategies to prevent such exploitation; and appropriate responses and mitigation efforts in the event of an attack.
Active Shooter Planning and Response
Scott Cormier, Medxcel Facilities Management
Active Shooter events at a healthcare facility present unique challenges; healthcare professionals may be faced with decisions about leaving patients; visitors will be present; and patients or staff may not be able to evacuate due to age, injury, illness, or a medical procedure in progress. Workplace violence is another challenge that every organization may face; however, in the healthcare setting, there are more vulnerabilities due to patients and unique tensions that may result in a higher risk of injury. In this presentation, we will discuss how to effectively utilize threat assessment teams and how to develop a healthcare workplace violence program that will minimize the destruction if violence occurs.
Plan Management vs. Risk Management – Which Has a Higher ROI and Which Is More Sustainable?
Larry Chase, Humana
Join us for a special and intense session with Larry Chase as he lays out his industry-acclaimed programmatic approach to defining long-term program value. A tale of two core disciplines, each essential in our industry but not absolute equals—with focus on burden of effort as it relates to ground gained and how each layer of the organization perceives (and expects) value in plan and risk management. He will lay out critical points of tips, trips and traps for success.
SEC, FINRA, HIPAA, FISMA, NFPA, ISO, FFIEC – Why Can’t We All Play by the Same Rules?
Bobby Williams, Fidelity
It seems that every industry or government agency wants DR and BC to be done a little bit differently. Some overlap and some don’t. Throw in a standard or two, and the plot really gets complicated. If your company touches multiple industries or agencies, how can you be in compliance?
Let’s take a look at some regulations, standards, and guidelines and turn the heap of ingredients into alphabet soup that we can digest. We will look at BC and DR requirements and see if we can serve up components that can help your program be palatable and in compliance with multiple menus.
Start participating now by helping out beforehand. Send Bobby Williams a message detailing the standards, regulations, or guidelines with which you must comply. This session is meant to have global reach, so North and South America, Europe, Africa, Asia, Australia, or Antarctica, get in on this! We don’t want anything to be left out and this is one time where there can’t be too many cooks in the kitchen. You can find Bobby on LinkedIn or email your message to firstname.lastname@example.org.
Continuity of Healthcare for Major Chemical Mass Casualty Incidents
Mike Mastrangelo, University of Texas Medical Branch
The University of Texas Medical Branch at Galveston was recently invited to meet with the Department of Homeland Security, Office of Health Affairs to present on UTMB’s 3-year effort to develop a national model for response to major chemical incidents such as releases of toxic industrial chemicals like Hydrofluoric Acid (HF). Unlike other chemical releases, HF produces a heavier-than-air persistent vapor cloud that is toxic to people, animals, and plant life. Specific medical countermeasures are needed to treat HF injuries, yet these are in short supply. Department of Homeland Security also recently completed a three-year effort to develop a new framework and strategic approach to chemical incident preparedness (for terrorist incidents and accidents). Although the efforts were independent, there were many commonalities, including the use of advanced computational modeling by Lawrence Livermore National Laboratory to simulate chemical release scenarios. Another significant similar approach was to enhance the risk assessment process to incorporate information about the jurisdiction’s response capability. A new toolset was developed called a Response Risk Assessment (RRA).
In its pilot program, DHS completed the RRA at five cities across the United States (including Houston as part of the Super Bowl preparedness effort). At the conclusion of the meeting, the Office of Health Affairs and UTMB agreed to pilot test the RRA Toolset in Galveston County, Texas, with the assistance of UTMB. The ultimate goal is to roll out the toolset to all U.S. jurisdictions for self-assessments. The presentation will use HF as a case study on use of an enhanced risk assessment process to build healthcare continuity. Another aspect of preparedness examined is the use of a combination of an all-chemical hazards approach – with – a specific planning approach for Priority Risk chemicals in a given region. UTMB now sponsors an annual HF incident symposium that includes national and international experts in various aspects of the response. Honeywell, the world’s largest producers of HF, participates in UTMB’s annual HF Exercise and Symposium. The project won a University of Texas National Security Excellence grant and was the basis for a recent award of a Combined Coordinated Terrorist Attack (CCTA) preparedness grant from Department of Homeland Security/FEMA.