ISO/TC 223 Societal Security

ICOR Presents: ISO/TC 223 Societal Security International Standardization Aimed at Increasing Crisis and Continuity Management Capabilities and Awareness in Order to Improve the Resilience of Society

ISO/TC 223: Early Beginnings

ISO/TC 223 got its start with the sinking of the Russian submarine Kursk in the Barents Sea in Sept. 2000.

The international community lacked the tools necessary to cooperate effectively in emergency situations, resulting in an initiative from the Russian standards organization, GOST, to establish ISO/TC 223.

In 2001, originally titled, “Civil Defence” with the intention to standardize emergency procedures After the 9/11 attacks as well as a surge in natural disasters, ISO conducted an assessment in 2005 to begin in earnest and renamed it “Societal Security” to broaden its approach from just “Civil”

Early Optimism & Resulting Challenges Build on 5 major works in emergency management from Australia, Israel, Japan, UK, and USA ISO/PAS 22399:2007 Societal security – Guideline for Incident Preparedness and Operational Continuity Management However – none of the countries wanted to use the new standard in replacement of their national standards… To what extent are countries prepared to relinquish their own solutions in search for common ground?

Technical Committee formed by ISO in 2008 in the area of Societal Security Aim to increase crisis management and business continuity capabilities through improved • Technical, • Human, • Organizational, and • Functional interoperability as well as • Shared situational awareness

ISO/TC 223 Societal Security

TC 223 develops standards for the protection of society from, and in response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures. Its all-hazards perspective covers adaptive, proactive and reactive strategies in all phases before, during and after a disruptive incident. The area of societal security is multi-disciplinary and involves actors from both the public and private sectors. An emphasis on developing deliverables that will contribute to improving the resilience of society

ISO/TC 223 aspires to answer how individuals, organizations, communities and society can Anticipate, prevent, prepare for, respond to and recover from disruptive events potentially resulting in an incident, emergency, crisis or disaster Protect assets (human, physical, intangible and environmental) from disruptive events Identify, assess, and leverage their capacity and capabilities to withstand disruptive events.

ISO/TC 223 Societal Security

ISO/TC 223 provides tools to enhance capacity and demonstrate improved performance through: Standardization for the prevention and management of disruptive events Standardization to promote collaboration and coordination of incident identification, response and recovery Standardization for the design, deployment and evaluation of technical capabilities.

Approximately 45 countries are participating with 17 others observing. At this time there are six work groups working on the following initiatives: 1. Framework Standard on Societal Security Management 2. Terminology 3. Emergency Management 4. Preparedness & Continuity 5. Video Surveillance 6. Mass Evacuation Within each Work Group are different Project Teams that work on specific standards.

The US Delegation: NFPA / ANSI

ISO 22300: Terminology – published May 2012 ISO 22301: BCMS – published May 2012 ISO 22311: Video surveillance-Export interoperability ISO / TR 22312: Technological capabilities – published 2010 ISO 22313: BCMS Guidelines – published August 2012? ISO 22315: Mass Evacuation ISO 22320: Emergency management – Requirements for incident response – published December 2011 ISO 22322: Emergency management – Public warning ISO 223XX: Organizational Resilience ISO 22324: Emergency management–Colour coded alert ISO 22325: Emergency management – Guidelines for emergency capability assessment ISO 22351: Emergency management – Shared information awareness ISO 22397: Public/Private partnerships - Guidelines to set up partnership agreements ISO 22398: Guideline for exercises and testing ISO / PAS 22399 Guideline for incident preparedness and operational continuity management – published in 2007

Types of Standards

Management System Standards Specify requirements that can be applied to any organization, regardless of the product it makes or the service it performs • Auditable • Organizations can be certified to these standards as complying with their requirements – ISO 22301 is the only standard in this series that is a management system standard

Guidance

Types of Standards

Technical Report

Published Document

Types of Standards

Publicly Available Specification A step in the process of standardization. It includes useful and practical information that can be made available quickly to suit the market need of the developers and users of a product, process or service.

Emergency Management Business Continuity (Public Sector) (Private Sector) ISO 22311: Video surveillance- ISO 22301: BCMS Requirements Export interoperability ISO 22313: BCMS Guidelines ISO 22315: Mass Evacuation ISO 223XX: Organizational ISO 22320: Emergency management – Requirements for Resilience Principles & Guidance incident response ISO 22322: Emergency Both management – Public warning ISO 22300: Terminology ISO 22324: Emergency ISO 22312: Technological capabilities management – Colour coded alert ISO 22397: Public/Private partnerships ISO 22325: Emergency ISO 22398: Guidelines for exercises management – Guidelines for ISO 22399: Guidelines for Incident emergency capability assessment Preparedness & Operational Continuity ISO 22351: Emergency Management management – Shared information awareness

Emergency Management Standards (Public Sector)

ISO 22311: Video Surveillance - Export Interoperability Purpose of the Standard: Video- surveillance is a crucial asset in intelligence collection, crime prevention, crisis management, and forensic applications, etc. The minimum requirement in societal security is for the authorities to be able to rapidly use the data collected by different CCTV systems from given locations.

Provides an export interoperability profile which constitutes the exchange format and minimum technical requirements that ensure that the digital video-surveillance contents exported Are compatible with the replay systems, Establish an appropriate level of quality and Contain all the context information (metadata) necessary for their processing.

Video Surveillance-Export Interoperability

It is crucial for societal security that present and future video-surveillance systems implement this interface to allow efficient forensic processing of the material produced, often in massive quantities. This standard also contains provisions to ensure that citizen privacy measures can be implemented.

©2012 ICOR ALL RIGHTS RESERVED 22 Video-Surveillance Systems Generic Architecture A CCTV system usually consists of hardware, software and human elements. A CCTV system for security applications presented as functional blocks, which portray the various parts and functions of the system, as well as the interactions with the human stakeholders

The Following Graphics are Provided Functional blocks of a CCTV system for security applications Generic files organization Structure of the Audio-Video Package XML description and integration in the folder Arrangement of the XML Descriptor Arrangement of the descriptive metadata Sensor metadata items Event metadata items

©2012 ICOR ALL RIGHTS RESERVED 24 Minimum Requirements for Interoperability The implementation of this standard shall be such that widely available OS independent tools will allow for minimal processing of received standard files by societal security organizations, ensuring as a minimum the following and any combination thereof: Videos and metadata display; Direct access to the metadata without display of the videos; Selection of content time slots; Access to the sources defined by name or scene-location.

ISO 22315: Mass Evacuation

US Wildfires

WWII Bomb

Israel

Philippines Typhoon

©2012 ICOR ALL RIGHTS RESERVED 26 ISO 22315: Mass Evacuation Governments and Emergency Management Agencies have a duty to prepare to evacuate areas in readiness for major catastrophic incidents. There is no template for the assessment of the plans for mass evacuation. Plans are developed using different assumptions, relying on different data, and are often specific to immediate hazards rather than being broad in scope.

ISO 22315: Mass Evacuation

Purpose: To develop a framework against which planners can assess their planning for mass evacuation. The framework will allow planners identify how well developed are their plans and where additional resources might add value. The content of the standard will, in part, be informed by a 10-country, 3 year EU project on how countries prepare for mass evacuation.

Covers 6 planning activities: 1. Preparing the public to evacuate; 2. Understanding the evacuation zone; 3. Making evacuation decisions; 4. Disseminating the warning message; 5. Evacuating pedestrians and traffic; and 6. Shelter management.

ISO 22315: Mass Evacuation

Will specify a consistent structure to plan for mass evacuation for a range of risks. Will cover the following tasks Analyzing evacuation situations, Preparing, Training & exercising, A common framework for debriefing/assessing response.

ISO 22320: Requirements for Incident Response Published November 2011 Overall approach to preventing emergencies and managing those that occur with a focus on international, national, regional, or local incidents Specifies minimum requirements for effective incident response • Utilizes the “command and control” process • Decision support • Traceability • Information management • Interoperability

Purpose: Need for a multi-national and multi-organizational approach for responding to an incident Enables incident response organizations to improve their capabilities in handling all types of emergencies Specifies minimum requirements for effective incident response

Process of Providing Operational Information

Dissemination Planning & & Information Direction

Mission

Analysis & Collection Production

Processing & Exploitation

ISO 22322: Public Warning

©2012 ICOR ALL RIGHTS RESERVED 36 ISO 22322: Public Warning Purpose: Effective incident response needs structured and pre-planned public warning which is the message broadcasted by organizations dealing with societal security tasks to ensure safety and security of the public and the vital functions of society. Public warning consists of alert message and notification message. It is necessary to establish a framework risk identification, hazard monitoring, decision making, warning dissemination and evaluation.

ISO 22322: Public Warning

All organizations which are responsible for contributing to or issuing a public warning Should be aware of the system so that relevant, accurate, reliable, and timely information will be disseminated promptly (who); Should take continuous efforts to raise and maintain public awareness about the process of public warning (to whom); Should use all available means and technologies systematically and redundantly to ensure the highest quality of information (how); Should specify the following four elements for safety action: when, where, what hazard, and how to cope with (what).

Public Warning Process Implementation

Planning / Decision-Making

Hazard Identification Hazard Monitoring Area Identification

Warning Activation coordination

Public Warning Monitoring & Review Warning Area People at risk, andresources, People Warning Methods Warning Dissemination

ISO 22322: Public Warning

ISO 22325: Emergency Capability Assessment

©2012 ICOR ALL RIGHTS RESERVED 42 ISO 22325: Emergency Capability Assessment Purpose: Provide organizations with key elements and an assessment tool in order to determine the organization's state of emergency capability. Will seek to provide • Road map • Assessment model • Assessment procedure • Assessment criteria • Assessment tool

ISO 22325: Key Elements 1. Leadership 2. Resources 3. Resource Management 4. Risk Management 5. Rick Analysis 6. Information & Communication 7. Command & Control 8. Coordination & Cooperation 9. Structure 10. Planning 11. Exercise & Training 12. Hazard Mitigation 13. Hazard Mitigation 14. Activation

Assessment Procedure

ISO 22351: Shared Situation Awareness A new standard not yet published in any manner – a new project.

ISO 22300 Societal Security - Terminology

Societal Security “Definition please?”

©2012 ICOR ALL RIGHTS RESERVED 50 ISO 22300 Societal Security - Terminology Purpose: Contains terms and definitions applicable to societal security to establish a common understanding so that consistent terms are used. 6 categories • 2.1 Societal security • 2.2 Management of societal security • 2.3 Operational – Risk reduction • 2.4 Operational – Exercise • 2.5 Operational – Recovery • 2.6 Technology

ISO 22300 Societal Security - Terminology 2.1 Societal security defined Protection of society from, and response to incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures Civil protection • Measures taken and systems implemented to preserve the lives and health of citizens, their properties, and their environment from unnatural events

Mitigation Resilience Business Continuity Risk Management All-Hazards

2.1 Event Societal Risk Security Incident Threat Crisis Hazard Disaster Consequence

ISO 22300 Societal Security – Terminology Partnership Mutual Aid Agreement Emergency Management

Policy Objective Business Impact Performance Analysis 2.2 Continual Management Risk Source Improvement of Societal Security Capacity Risk Owner Effectiveness Competence Residual Risk Corrective Action Exercise Program Conformity / Nonconformity

Work Environment

Vulnerability

2.3 Risk Assessment Operational – Risk Probability Training Reduction Prioritized Test / Activities Testing Contingency

ISO 22300 Societal Security – Terminology Strategic Exercise Functional Exercise Exercise Drill Full-Scale Exercise

Observer Scenario 2.4 Inject Monitoring Operational - Exercise Script Exercise Coordinator After-action Report Exercise Safety Officer Exercise Annual Plan

Command & Control Incident Command Incident Response

Shelter in Coordination Place 2.5 Operational - Recovery Improvisation

Operational Protection Information Recovery

ISO 22300 Societal Security – Terminology

Video-Surveillance Forensic Scene Location CCTV System

2.6 Technology

ISO 22312 Societal Security – Technological Capabilities A Technical Report that outlines the work of the Technical Committee for ISO 223 ANSI-Homeland Security Standards Panel (HSSP) BEN BT/WG 161 Protection of the Citizen ISO/IEC/ITU-T/SAG-S Asian-Pacific Economic Cooperation (APEC) and Standards Australia Initiative Documents work completed at the launch of the project

ISO 22397:Public-Private Partnership Agreements Purpose: Addresses principles, planning and development of partnership agreements with the objective of Managing relations among relevant organizations, Promoting interoperability, Enabling governance and Fulfilling of the agreement. The modeling framework should lead to benefits such as: Structure to avoid and resolve conflicts among the organizations; Synergy in the use of organizations' resources to achieve objectives; Trust and sharing common procedures;

ISO 22398: Guidelines for Exercises Purpose: Describes the procedures necessary for planning, implementing, managing, evaluating, reporting and improving exercises, and the testing designs to assess the readiness of an organization to perform the mission.

©2012 ICOR ALL RIGHTS RESERVED 64 ISO 22398: Guidelines for Exercises 4 Establishing the foundation 4.1 Needs and gap analysis 4.2 Base of support 4.3 Framework 4.4 Scope 4.5 Exercises within the system 4.6 Planning Document

ISO 22398: Guidelines for Exercises 5 Planning & design 5.1.1 Developing aim and performance objectives 5.1.2 Team management 5.1.3 Risk management & information security 5.1.4 Environmental aspects 5.1.5 Gender and diversity aspects 5.1.6 Logistics 5.1.7 Communication 5.1.8 Resources

ISO 22398: Guidelines for Exercises 5.2 Design & development 5.2.1 General 5.2.2 Selecting exercise type 5.2.3 Exercise types 5.2.4 Exercise methods 5.2.5 Preparing scenarios 5.2.6 Documentation 5.2.7 Records 5.2.8 Intervention

Discussion Based Operational Based

Seminar Simulation Workshop Drill Tabletop Functional Game Full-scale

ISO 22398: Guidelines for Exercises

ISO 22398: Guidelines for Exercises 7 Improvement 7.1 After action review 7.2 Evaluation 7.3 After action report 7.4 Management review 7.5 Corrective action 7.6 Implement follow up

ISO 22398: Guidelines for Exercises

ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management Purpose: Provide general guidance for an organization to develop its own specific performance criteria for incident preparedness and operational continuity and design an appropriate management system. Excludes specific emergency response activities such as disaster relief and social infrastructure recovery

This standard has essentially been replaced with ISO 22301 and ISO 22313, however it has some good information in it. It has not yet been retired, but it is not being reviewed for updating.

Business Continuity Management Standards (Private Sector)

Published May 2012 - Developed from BS 25999-2:2007 Scope of the standard Applicable to all types and sizes of organizations that wish to: • Establish, implement, maintain, & improve a BCMS; • Assure conformance with stated BCM policy; • Demonstrate conformance to others; • Seek certification/registration of its BCMS by an accredited third party certification body; or • Make a self-determination and self-declaration of conformance with this International Standard.

Plan-Do-Check-Act Cycle Applied to BCMS

Continual improvement of preparedness & continuity management system

Establish (Plan) Interested Parties Interested Parties

Maintain & Implement & Improve Operate Requirements for (Act) (Do) Managed preparedness preparedness & continuity & continuity management Monitor & Review (Check)

This International Standard provides guidance to ISO 22301 for setting up and managing an effective business continuity management system (BCMS)

8.1.1 BCM Program Elements

*Reference Excel Comparison Document BS 25999-2 ISO 22301 Context of the Organization ---- 4.1 & 4.2.1 Legal & Regulatory 3.2.1.1 4.2.2 Scope & Objectives 3.2.1 4.3 & 4.4 Management Commitment / Provision of 3.2.3& 3.2.4 5 & 7 Resources Policy 3.2.2 5.3 Documentation 3.4 7.5 BIA 4.1.1 8.0, 8.1 & 8.2 Risk Assessment 4.1.2 & 4.1.3 8.2.3 & 6.1 Strategy 4.2 8.3 Plan Documentation / Implementation 4.3 6.2, 8.4 & 7.4 Training & Awareness 3.3 7.3 Exercising & Testing 4.4.2 8.5 Program Maintenance & Improvement 4.4.3,5, & 6 9 & 10

Review of ISO 22301 by Category

4. Context of the Organization 5. Leadership 6. Planning 7. Support 8. Operation* 9. Performance evaluation 10. Improvement

*contains bulk of the requirements

4.1 Understanding the organization and its context

Internal Factors External Factors

4.2 Understanding Needs & Expectations of Interested Parties

The whole organization?

Or part of the organization?

Scope of Program vs. Scope of Certification

Scope: BCM Program

Scope: Certification

Demonstrated Roles, Responsibilities BCM Policy Management & Authorities Commitment Defined

Management Shall Demonstrate Leadership

6 Planning

• Assure the BCMS can achieve its intended 6.1 Actions to outcomes Address • Prevent undesired effects • Realize opportunities for improvement Risks & • Evaluate the need to plan actions to address these Opportunities risks and opportunities

6.2 BC • Be consistent with policy • Take account of the minimum level of products and Objectives services acceptable to achieve its objectives & Plans to • Be measurable Achieve • Take into account requirements Them • Be monitored and updated as appropriate

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented Information

8 Operation 8.1 Operational Planning & Control

8.2 BIA & Risk Assessment

8.3 Business Continuity Strategy

8.4 Business Continuity Procedures

8.5 Exercising & Testing

©2012 ICOR ALL RIGHTS RESERVED 92 8.1 Operational Planning & Control The organization shall determine, plan, implement, and control those activities needed to address the risks and opportunities by a) Establish criteria for those activities or processes b) Implementing controls c) Keeping documented information to demonstrate that they have been carried out as planned The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary Including those that are contracted out or outsourced ©2012 ICOR ALL RIGHTS RESERVED 93

8.2 The BIA & Risk Assessment

The organization shall have a formal and documented process for business impact analysis and risk assessment that:

Accounts for Includes legal and other systematic analysis Evaluates requirements Prioritization of potential impact risk treatments of a disruptive and costs incident

Defines Defines criteria required output

Information is Establishes BIA & kept up to date context RA and confidential

Effects on Staff & Consequences of Public Well-Being Damage to Non-compliance Reputation

New Term: MBCO Minimum Business Continuity Objective (MBCO) Minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption

During a Disruption

Normal Operations

What may happen and why?

What are the consequences?

What is the probability?

How to mitigate or reduce probability of the risk?

ISO 31000

The process needs to take into consideration Financial Governmental Societal obligations The organization should understand the threats to and vulnerabilities of each resource required for each activity and in particular those Required by activities with high priority With significant replacement lead-time

Product/Service at Risk

Transfer / Change, Suspend, Business Accept Risk Mitigate or Terminate Continuity Risk Produce/Service

Options to continue Document & Sign Off = operations at Risk Management Program pre-defined levels

Physical Supply Data & People Facilities Technology Assets Chain Information

8.3.1 Determination & Selection of Strategies

Remove Risk to Transfer Risk to Activity another part of the Cease or Change Organization or a the Activity Third Party

Control or mitigate

Financing / Insurance Acceptance

Resource Relocation Redundancy Resource & Skills Replacement

8.3.2 Establishing Resource Requirements

Information, Data, Facilities, Equipment Technology & , Utilities & Employees & Telecommunications Consumables Stakeholders Systems

Transportation, Partners & Suppliers Reputation Finance

Limit the impact of a disruption on the organization’s key services

Shorten the period of disruption

Reduce the likelihood of a disruption

8.4 Establish & Implement BC Procedures 8.4.1 General

8.4.2 Incident Response Structure

8.4.3 Warning & Communication

8.4.4 Business Continuity Plans

8.4.5 Recovery

The procedures shall: a) Establish an appropriate internal and external communications protocol b) Be specific regarding the immediate steps that are to be taken during a disruption c) Be flexible to respond to unanticipated threats and changing internal and external conditions

8.4.1 Establish & Implement BC Procedures The procedures shall: d) Focus on the impact of events that could potentially disrupt operations e) Be developed based on stated assumptions and an analysis of interdependencies f) Be effective in minimizing consequences through implementation of appropriate mitigation strategies

©2012 ICOR ALL RIGHTS RESERVED 106 8.4.2 Incident Response Structure The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with Strategic the necessary responsibility, authority, Tactical and competence to manage an incident. Operational

8.4.3 Warning and Communication The organization shall establish, implement, and maintain procedures for a) Detecting an incident b) Regular monitoring of an incident c) Internal communication within the organization and receiving, documenting, and responding to communication from interested parties d) Receiving, documenting, and responding to any national or regional risk advisory system or equivalent

e) Assuring availability of the means of communication during a disruptive event f) Facilitating structured communication with emergency responders g) Recording of vital information about the incident, actions taken and decisions made

8.4.4 Business Continuity Plans

The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe.

Such procedures shall address the requirements of those who will use them.

8.4.4.3.2 Communications

8.4.4.3.3 Incident & Welfare

8.4.4.3.4 Resuming Activities

8.4.4.3.5 Recovery of ICT

8.4.5 Recovery Goal: Get operations back to the state they were in before the incident. Repair damage Migrate operations from temporary premises back to restored or new location

The organization shall conduct exercises and tests that: a) Are consistent with the scope of the BCMS; b) Are based on appropriate scenarios that are well planned with clearly defined aims and objectives; c) Taken together over time validate the whole of its business continuity arrangements involving relevant interested parties; d) Minimize the risk of disruption to operations; e) Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements; f) Are reviewed within the context of promoting continual improvement; and g) Are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.

Sections 9 & 10: Continuous Improvement

9.2 Internal Audit

9.3 Management Review

10 Improvement 10.1 Nonconformity and corrective action The organization shall: a) Identify nonconformities; and b) React to the nonconformities, and as applicable 1. Take action to control, contain and correct them; 2. Deal with the consequences

The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS. NOTE: The organization can use the processes of the BCMS such as leadership, planning and performance evaluation, to achieve improvement.

ISO 223XX: Organizational Resilience Guidelines

New proposed outline Organizational Resilience Defined What are the Benefits of Enhanced Resilience? Behaviors that Support Resilience Principles & Models that Support Resilience Relationship to Risk Management Measuring & Building Adaptive Capacity

What is Organizational Resilience?

Organizational resilience is the adaptive capacity of an organization in a complex and changing environment. ISO 22300

o Planning and decision-taking in order to build and sustain the adaptive capacity of an organization in complex and rapidly changing circumstances; o Achieving the agile treatment of a broad range of risks uniquely applicable to each organization; and o Creating a culture that takes full advantage of adaptive change to meet its objectives and aims.

Organizations with adaptive cultures, innovative thinkers and inner strength thrive in the face of unpredictable markets. As such, building resilience has daily business benefits. Valikangas (2010)

Enhanced Ability to Leadership Improved Change as Capacity Performance Needed

Resilience Objectives

An organization accepts that adversity may cause it to cease operating

Exist in a reduced form after adversity

Regain pre-adversity position quickly and effectively

Improve aspects of its functioning so that it not only survives but possibly gains from event

Protection of Performance Adaptation is business systems. refers to the need required when These systems to get things right circumstances need to be robust the first time and change, demanding enough to survive to move quickly to a change in the various assaults business focus, and/or intrusions. correct errors. structure and processes.

Behaviors that Support Resilience

Open Communication: Communicate as openly and regularly as possible with all concerned stakeholders.

Honesty: Staff need to know that when they receive information it is truthful.

Authenticity: Do what you say. There must be alignment between the purpose and values of the organization and what they do.

Deep Knowledge & Expertise: Extensive training and exercises. Succession planning around key roles.

©2012 ICOR ALL RIGHTS RESERVED 124 The Principles Model of Resilience Resilience is an outcome Resilience is not a static trait Resilience is not a single trait Resilience is multi-dimensional Resilience exists over a range of conditions Resilience is founded upon good risk management

Volume 25, No.02, April 2010

The Progression of Resilience Maturity

Integrated Functions Model

Composite Model

Resilience Triangle Model

Characteristics that Support a Resilient State

Ability to Ambiguity Creativity & Stress Learnability recognize Tolerance Agility Coping precedence

2010 study by FM Global showed a positive correlation between earnings stability of a company and their investment in physical loss prevention.

Pursuing strong physical risk management processes and systems to prevent the likelihood and losses, a company will potentially reap a measurable reduction in earnings viability. (40% less volatile than companies with less advance risk management)

Resilience Benchmark Survey

Questions? Lynnda Nelson Jim Nelson President, ICOR Chair, ICOR [email protected] President, BCS 866-765-8321 North [email protected] America 866-629-6327 +1630-705-0910 www.BusinessContinuitySvcs.com International www.theICOR.org