Preliminary Conference Program
We’re proud to present the preliminary conference program for DRI2019! These exciting sessions and hands-on workshops are just the beginning. The full conference program will be announced shortly. Check back often for updates on additional sessions as well as exciting tracks, including a Healthcare BCM Track, a Cyber Risk Track, and a track dedicated to Women in BCM. Our brand new Fortune 500 Track brings you in-depth information on how resilience is addressed by Fortune 500 companies. As always, our sessions are not seen elsewhere and our speakers – including C-level executives – are by invitation only, making this the most challenging and unique educational content of any event in our profession! This year, sessions will be tagged by professional practice so you can concentrate on the areas most important to you, your program, and your professional development.
KEYNOTE: Meet McKesson CISO Spencer Mott
Spencer Mott, Global Chief Information Security Officer (CISO) and Senior Vice President, McKesson Corporation
Chloe Demrovsky, President and CEO, DRI International
McKesson CISO Spencer Mott is responsible for enhancing and overseeing the information and cybersecurity strategy and program at a highly diverse and global Fortune 6 healthcare company. He leads the Information Security & Risk Management team that oversees projects, standards, and controls that mitigate risks, strengthen defenses, and reduce vulnerabilities in a manner that aligns with business goals. He brings over 30 years’ experience in technology and security, encompassing domestic, international, public and private sectors. His industry experience includes healthcare, technology, and government. Mott has also spent time in the Royal Marines/Armed Forces and in leadership roles with the Metropolitan Police Service’s Serious Organized Crime Group at New Scotland Yard.
Mott will be joined by DRI President and CEO Chloe Demrovsky as the two explore questions such as:
- With the great concern surrounding cyber penetration emanating from suppliers, how does McKesson vet the 40,000 pharmaceutical customers to ensure that they do not introduce malware into McKesson’s technology environment?
- With the increase in privacy regulation (GDPR, HIPAA, etc.), how does McKesson create a secure environment while protecting individual privacy?
- McKesson has grown in recent years through acquisition: Rexall Health, Vantage Oncology and Biologics, Medical Specialties Distributors and others over the last two years. How does McKesson vet the quality of the security of the systems from these acquired organizations? Does McKesson have a set of standards that they require for all McKesson companies?
- What do you consider the greatest threat to maintaining secure systems? From what source do you think these threats emanate?
This discussion will lay the groundwork for a deep dive into McKesson’s program that we’re calling “The McKesson Sessions.” These sessions will provide an unprecedented, up-close look at how the resilience disciplines work together at McKesson, and will be followed by a Q&A with the McKesson team in the Exhibit Hall.
The McKesson Sessions: McKesson Healthcare’s Information Risk & Security Program
Beth-Anne Bygum, Senior Director Security & Risk Management, McKesson Corporation
Marian Reed, Senior Director of Global iSOC, McKesson Corporation
Siobhan Smyth, Vice President, Trust, Risk, Assurance and Compliance, McKesson Corporation
Attend this session for an in-depth look at McKesson Corporation’s Information Risk & Security Program. First, learn about Information Protection at McKesson (IPAM), a strategic initiative designed to improve the maturity of cybersecurity defensive, preventative, and resiliency controls as well as instill clear lines of governance over information security risks. IPAM’s roadmap ensures accountability, transparency, robust governance, and a strong advocacy model with staff. A discussion of IPAM will include driving necessary improvements over a three-year, accelerated timeframe.
Next, attendees will be introduced to McKesson’s iSecurity Operations Center (iSOC) process, which addresses growing cyber threats across the globe. Rounding out this presentation is a discussion of McKesson’s Trust, Risk, Assurance, and Compliance program, which provides a level of confidence that software and systems are free from conditions, either intentionally designed or accidentally inserted at any point during their lifecycle, and that customer solutions and internal business platforms function in the intended manner. This program ensures that capabilities and prescriptive consults are designed to embed security throughout the development lifecycle, address risks and vulnerabilities early, and reduce cost with unplanned R&D spend.
The McKesson Sessions: McKesson Healthcare’s Business Continuity Services
Raymond Seid, Sr. Director, Business Continuity Services, Trust, Risk, Assurance & Compliance (TRAC), Information Security & Risk Management, McKesson Corporation
Ronnie Sebren, Director of Business Continuity Consulting Services, McKesson Corporation
Kathryne Estrada, Director of Disaster Recovery Consulting Services, McKesson Corporation
Stephen Weber, Director of DRaaS Arch., Eng., & Delivery Services, McKesson Corporation
Bill Lavigne, Director, Cloud Recovery, McKesson Corporation
This session will explore how a Fortune 6 company manages business continuity; discussion will include the tools McKesson uses to manage one of the largest programs in the business.
Learn how McKesson’s internal business continuity (BC) consulting service works very closely with business units as a center of excellence to execute BC policy and drive best practices into operating processes and procedures. BC Consulting conducts assessments, develops strategies, builds plans and conducts both exercises and reviews. The group is also called on at times to train sales teams on BC capabilities and to work directly with large customers alongside corporate leadership and account managers.
Next, learn how McKesson’s internal disaster recovery (DR) consulting group provides services across business units that focus on the validation and sustainability of a DR capability via performing impact assessments, DR implementation support, DR validation coordination, and procedure plan support. Validation exercises coordinated by DR Consulting can range from individual infrastructure or application-level validation through to complex business process validation.
Finally, hear how McKesson’s DR as a Service is integrated with McKesson Technology’s Public Cloud Adoption Plans and provides business units with a customized DR solution leveraging key technology partners. DRaaS supports DR solution design, engineering, and implementation, and has proven to be both highly capable as well as extremely cost effective and presents a very compelling business case for McKesson’s disaster recovery needs.
WORKSHOP: Long-Term Power Outage Continuity of Operations
Russell Fox, Analysis and Integration Branch Chief, FEMA Region II
David Fortino, Regional Continuity Manager, FEMA Region II
This hands-on, interactive workshop promotes preparedness among public and private entities when faced with a long-term power outage caused by a cyber-attack.
The National Preparedness goal describes what it means for the U.S. to be prepared for all types of disasters and emergencies, including the possibility of a cyber-attack aimed at our Nation’s infrastructure. In May, the President signed an executive order on cybersecurity designed to protect critical infrastructure, including the national power grid. Large-scale power outages are not a new concern for emergency managers. A December 2016 power outage in Ukraine was linked to a cyber-attack.
An organization’s ability to perform its essential functions is based on key elements of leadership, staff, communications, and facilities. When faced with a prolonged power outage, lasting several weeks, will public and private continuity plans allow organizations to continue to provide these essential functions? This workshop will present participants with the opportunity to examine plans and procedures to discover the ability to sustain operations.
WORKSHOP: The Why and How of Implementing Incident Command in BC Management
Jeanne Powell, President, DAHR Consulting
Should your business take an approach successfully used by first responders across the U.S. and, with some modifications, use it temporarily to enable more efficient and effective business continuity and disaster recovery? This session will help you identify benefits of Incident Command (IC) and provide you with the opportunity to observe the practical workings of IC so you more fully understand what it means to shift to a temporary IC management during and after a disaster.
In this jam-packed session, the speaker will bring her years of real-world disaster experience (and humor) to talk about IC benefits and implementation. You’ll walk through examples of: a temporary IC reporting structure modified for business; incident-related documentation and forms to track progress; and an execution method to continuously and effectively keep incident efforts focused. Then, with the help of a strawman business and disaster scenario, reinforce what you’ve learned with some hands-on learning. Participants will work together to establish an IC reporting structure, apply an operational period approach, complete incident documentation, and observe post-disaster incident documentation reconciliation.
WORKSHOP: Transitioning from Crisis Management to BCP: It’s All in the Set Up!
Bobby Cook, Senior Manager of Global ERT, Applied Materials
Raelene Anderson, Principal Consultant, BSI Consulting Group
How do you go from crisis management to business continuity mode? Attend this workshop to find out how to make the transition smooth and avoid common pitfalls. The session will explore “hour zero activities,” including setting up the event, getting the smartest people in the room, communications and notifications, and bringing in business continuity personnel early. Next, you’ll walk through the “48 hours later” transition, including transferring to business continuity and the long-term issues involved in going from crisis response to continuity and recovery.
Case Study: Bouncing Back Strong – Building the Merck Global Regulatory Affairs and Clinical Safety Business Continuity Plan
Colleen Merritt Severyn, Director, Global Regulatory Affairs & Clinical Safety, Merck Research Laboratories
In June 2017, Merck experienced a cybersecurity incident that identified the need to bolster preparedness for business disruptions. From the fall of 2017 through the present, the Global Regulatory Affairs and Clinical Safety (GRACS) organization prepared its first ever business continuity plan (BCP), including table top exercises and training. This was a massive undertaking for an organization of such breadth (regulatory science, clinical safety, labeling, licensing, operations, etc.) and large size (2200 employees globally), starting from scratch, and an illuminating experience regarding the risk susceptibility of our systems and processes. GRACS is in a much better place today with a completed BCP across the entire organization and connections with ongoing business continuity, risk management, and resiliency efforts across the company.
Case Study: Hurricane Maria Lessons Learned & BCM Program Optimization at Edwards Lifesciences
Karina de Allicon, Manager of Business Continuity and Enterprise Risk, Edwards Lifesciences
Hurricane Maria was one of the worst natural disasters on record to impact Puerto Rico. As a result of a strong team effort, quick incident management, and effective recovery strategies, the Edwards Puerto Rico manufacturing plant was able to restore 100% of its operations within just two weeks. In collaboration with other departments, the Edwards ERM-BCM team captured over 100 lessons learned and, based on these learnings, developed a systematic approach to refine the Edwards BCM Program.
This session will review key lessons learned from Hurricane Maria and how they can be used to optimize a BCM Program at an enterprise-wide level.
Performing Effective Business Continuity Audits
Harvey Betan, Commissioner and Instructor, DRI International
This session will not only cover the best approach for effective business continuity audits, but it also will show you how to gauge your organization’s preparedness. Attend this session to learn how to prevent simple check box audits while discovering what to look for beneath the hood. When you complete this session, you will have sufficient information to be confident in your BC audit and show your leadership the most accurate assessment of the business continuity program.
New Glossary, New Challenges!
Dean Gallup, Chair, DRI International Glossary Committee
With a major revision recently released, the DRI International Glossary for Resiliency is both an in-demand resource as well as a hot topic. Since its first release in 2014, the glossary has been a major resource for business continuity and resilience professionals around the world and is currently published in four different languages. This session will share the thought process behind the recent changes and explore the future of the glossary – with a new version due out in 2022.