Whether you are the CEO of a small publishing company (as I am) or the CEO of a Fortune 500 company, our jobs are essentially the same. We must grow the business, manage the business and protect the business.
Traditionally most of our resources go toward building and managing. It’s not until a business disruption exposes our vulnerabilities that we see clearly the gaps in our third responsibility.
The following essays will show you a number of developments in the past year that have been, and are continuing to be, instrumental in elevating business continuity to a level of importance never seen before. Indeed, as a fellow CEO, it is my belief that in these turbulent times, the protection of your business will command more of your attention than it has in the past.
One of the most frustrating stories in the aftermath of the 9/11 terrorist attacks was the Senate Intelligence Committee’s conclusion that the government had all the information necessary to thwart the attack, but “they just didn’t connect the dots.” Various departments did not communicate with one another, allowing the terrorists to execute their plans.
. The developments you will read about below traditionally originate in different areas of your company. The more successful you are at fostering communication among these different areas – and better yet, bringing them together under one entity for an integrated mitigation and response strategy – the better protected your organization will be.
For example, you will read below that the threat of weapons of mass destruction is more real than it has been in the past, and perhaps your facilities department or your crisis management personnel have been developing new procedures to respond to such an attack. The interesting piece about continuity as it relates to supply chain management may be something with which your director of operations is currently struggling. The new regulations mandating better business continuity practices are probably on the radar screen of your legal department. And perhaps your marketing department is starting to see the value in promoting corporate stability and dependability in sales and marketing communications.
As the CEO, you must ensure all these “dots” are connected. You must integrate all these areas of your business – and all these factors leading to business continuity – to increase survivability and productivity in the long run. Will a committee made up of division or department representatives be an effective means for working toward the goal of enterprise continuity? Does the task merit a board level officer charged with bringing pieces together? Communication among department heads and between you and your suppliers, local government, shareholders, and stakeholders is essential to growing your business, managing your business, and, now more than ever, protecting your business. This time, we must connect the dots!
–
1. THE DRIVERS FOR BUSINESS CONTINUITY MANAGEMENT HAVE MOVED FROM INFORMATION TECHNOLOGY TO SALES AND MARKETING, BECOMING A NECESSARY PART OF EVERY SUCCESSFUL COMPANY’S STRATEGIC PLAN.
Continuity Planning as Part of Strategic Planning
In the past, only companies in regulated industries were required to have, first, disaster recovery plans, and then later, business continuity plans. In other industries, business continuity planners tried scare tactics to motivate management, with little or no long-term success. Business continuity as part of regular business strategy has often been hoped for but never demanded – until now.
We live in an increasingly hostile world. It is not just the “CNN effect” that makes catastrophes commonplace. There really are more natural, technological, and political disasters every day. Those of us raised in the later half of the 20th century have enjoyed an unusually calm period in the history of mankind. This is changing as we enter the 21st century.
The increasing frequency and severity of disasters means the company prepared for the worst will come out the best. Consider the following:
- An aging and crumbling infrastructure threatens our power and telecommunications.
- Religious and political terrorism threatens our staff and customers.
- Natural disasters such as hurricanes, floods, and tornadoes threaten our buildings.
- Governance issues threaten our confidence.
Against this frightening backdrop, our customers are demanding lower prices and higher quality. Some companies are moving with the tide and “driving to the bottom” through outsourcing and offshore production. Wiser companies are able to command a premium price for consistent quality and assured delivery. Just as ISO certification was driven by customer demand for consistent quality in the 1990s, the demand for assured delivery in the face of increasing obstacles today is driving business continuity management.
In manufacturing and the service industries, companies up and down the supply chain are demanding assured delivery from suppliers. Through the review or audit of suppliers’ business continuity programs, they hope to divide the resilient from the fragile. A solid business continuity program, regularly exercised and maintained, is becoming a basic requirement when bidding for business in many sectors of the economy.
The drivers for business continuity management have therefore moved from information technology, where they languished for years, to sales and marketing. It only takes one client to refuse a bid because of inadequate contingency plans to move business continuity into the mainstream. By focusing on the client’s requirements of continuous service and production, business continuity management may finally shed its IT-based disaster recovery roots and become a necessary part of every successful company’s strategic plan.
2. THE PROLIFERATION OF REGULATIONS AT THE FEDERAL, STATE, AND LOCAL LEVELS IS CAUSING THE BUSINESS CONTINUITY PROFESSION TO EXPAND, AND BC PROFESSIONALS ARE HAVING A GREATER INFLUENCE ON THEIR ORGANIZATIONS.
Legislation, Regulations, and Their Impact on BCP
The past year has seen a continuing increase in compliance initiatives with which organizations must contend. External requirements for greater preparedness seem without end.
Today, regulations such as NYSE 446 require firms to develop, maintain, review, and update business continuity and contingency plans that establish procedures to be followed in the event of an emergency or significant business disruption. U.S. regulations and legislation, such as The Patriot Act, Vital Interdiction of Criminal Terrorist Organizations Act, HIPAA, and privacy regulations, will have far-reaching impact on everyone. Sarbanes-Oxley is certainly a significant piece of legislation that is still being sorted through by regulators, auditors, and management.
The essence of Sarbanes, for example, is quite simple: compliance with applicable laws and regulations. But how does one know what compliance is or what it ought to be? What about such international precedents as BASIL or the ISO standards? The gap between “is” and “ought” is not accidental but systematic, and it is a gap that may leave us permanently torn. Needless to say, all these new regulations, with their vague but nonetheless demanding language, present a challenge to today’s business leaders as they strive for compliance.
What does all this mean for the business continuity profession? The proliferation of regulations at the federal, state, and local level should mean the business continuity profession will expand, and business continuity professionals will have a greater influence on the organizations employing them or their consulting clients. It also means business continuity professionals will have to become more educated in their profession, and that business continuity, as it is variously defined, will have to rethink its basis and redefine itself.
For business leaders, the increase in regulations means an integrated approach to business continuity – one making business continuity planning an integral part of the business process – should be a priority. Today’s business leaders cannot afford to let regulatory compliance go unanswered. The many, and proliferating, regulations affecting business have elevated compliance initiatives to the senior management and board of director levels.
3. THERE IS A GROWING BODY OF JUDICIAL ACTION COMPELLING CRITICAL INFRASTRUCTURE OWNERS AND OPERATORS TO ENHANCE SECURITY – OR FACE LIABILITY FOR FAILING TO DO SO.
What Homeland Security Means to American Business
The Department of Homeland Security merged almost two dozen federal agencies to fulfill a single mission: protect and defend the United States from terrorism. Nonetheless, homeland security is not the singular responsibility of government; the federal government continues to seek the aid and assistance of the private sector. The Department of Homeland Security is in the process of finalizing the National Response Plan, superseding the Federal Response Plan as the core plan for integrating federal government domestic prevention, preparedness, response, and recovery plans into one all-discipline, all-hazards approach. Private sector companies and corporations will be encouraged to make sure their plans are consistent with the National Response Plan.
More importantly, however, in the aftermath of the September 11 attacks, critical infrastructure owners and operators have been called upon to implement additional security measures above and beyond those undertaken by government. While the decision to augment security remains largely voluntary, the private sector should note the change in the air: A growing body of law and judicial action suggests that critical infrastructure owners and operators may be compelled to enhance security – or face liability for failing to do so.
It is now widely known that critical infrastructures are professed terrorist targets. From power plants and bridges to agricultural production facilities and banking, critical infrastructures represent the foundation of the economy as well as the backbone of American life. With 85 to 90 percent of the nation’s critical infrastructures in private hands, some lawmakers believe that at least part of the responsibility for security rests with the critical infrastructure owners themselves.
The Maritime Transportation Security Act (MTSA), for example, creates new roles, responsibilities, and duties for all segments of the maritime supply chain. Under MTSA, the maritime industry has significantly greater security responsibilities that were unimaginable before 9/11. Conservative estimates suggest that MTSA compliance will cost the maritime industry more than $7 billion over the next 10 years. Similarly, pending congressional legislation, such as the Chemical Facilities Security Act of 2003, would mandate security duties for the chemical industry.
Perhaps the decisions of the courts represent the most compelling evidence that owners and operators of critical infrastructures have an increased “security duty.” When Boeing moved to dismiss a lawsuit filed by victims of 9/11, federal judge Alvin Hellerstein refused to grant Boeing’s request. To the contrary, the judge held that “… it was reasonably foreseeable that a failure to design a secure cockpit could contribute to a breaking and entering into, and takeover of, a cockpit by hijackers or other unauthorized individuals….” (Order and Opinion Denying Defendants’ Motion to Dismiss at 38, In Re September 11 Litigation. S.D.N.Y. (No. 21 MC 97)). Arguably, the nation’s critical infrastructure owners and operators should take note, for this ruling, though preliminary, signals a possible paradigm shift in the legal liabilities associated with terrorism and further reflects the apparent sentiments of some in Congress.
4. THE PUBLIC AND PRIVATE SECTORS ARE STARTING TO WORK MORE CLOSELY TOGETHER ON BUSINESS CONTINUITY AND EMERGENCY MANAGEMENT.
Public and Private Working Together
It would be a gross understatement to say the public and private communities are working together now more than ever before. The scope of the work accomplished recently and the work ongoing are unprecedented. Recent events over the last few years have opened up joint emergency planning efforts around the world between government agencies and the business sectors – the common good being the economic well being of the city or state and the safety of its citizens.
In years past, the public and private sectors were leery to trade information and develop emergency and continuity plans together. Each sector was satisfied with developing plans in a vacuum in order not to impart too much of their inabilities or lack of response or recovery capabilities. But that’s all changed, and both sectors are freely exchanging information and seeking out each other’s competencies, mostly due to the dramatic changes in our world today. Today emergency managers are working with companies to develop joint response plans for their business continuity programs, and businesspeople are now positioned in Emergency Operation Centers. There are even a number of public emergency agencies that have designated personnel to directly work with the business community.
What changed? Of course, terrorism has been a motivation for developing partnerships so both sectors build mitigation, response, and recovery plans for the communities in which they live. But there is also a realization from past disaster events that rapid restoration of the local business community leads to the overall well being of the area. When ATMs are back online, when phone service is restored, when local restaurants are opened, the community impacted by a devastating disaster is optimistic about its survival and future. Both public and private sectors also understand that when the business community can feel confident it can withstand even the most devastating outages, it will continue to operate in the states, cities, and neighborhoods. This type of partnership planning fosters the economic well being of the community, as businesses want to stay and new companies want to open.
The private sector has many resources to share with the emergency management officials in their regions. For example, Business Executives for National Security (www.bens.org) helps enhance the nation’s security and make America safe by sharing business experience and resources with the public sector; and the Business Network of Emergency Resources, or BNet (www.bnetinc.org), works with agencies to develop initiatives fostering partnerships for the purpose of reducing emergency-related business losses.
5. PRESERVATION OF CUSTOMER TRUST, ACHIEVED IN LARGE PART WITH SECURITY AND PRIVACY PRACTICES, IS ESSENTIAL NOW – AND WILL BECOME EVEN MORE IMPORTANT – TO THE SURVIVABILITY OF BUSINESSES.
The Worldwide State of Privacy Laws
The public’s desire to control their privacy is demonstrated by the FTC-managed National Do Not Call Registry: 370,000 numbers were registered in the first four hours of its availability on June 27, 2003, and as of March 3, 2004, consumers had registered over 57.3 million telephone numbers. This quest for privacy is one that transcends telemarketing and goes beyond U.S. borders. It is not a new issue, but one gaining momentum and increasingly bubbling up on the short list of the public’s concerns.
The U.S. government most noticeably started addressing privacy with the passage of the Privacy Act of 1974. In 1980 the Organization for Economic Cooperation and Development (OECD) released their guidelines for the protection of privacy and trans-border flows of personal information. This served as the warm-up for a series of worldwide privacy laws established since. Most ostensibly was the 1995 European Union (EU) Data Protection Directive, which was modeled closely after the OECD guidelines. Many countries soon followed suit and are continuing to enact privacy laws. Legislation in Canada, Australia, New Zealand, Argentina, and other Latin American countries and proposed laws in other countries such as Japan closely follow the OECD and EU privacy requirements model. The EU group of countries is just one example of a worldwide community that blocks the flow of personally identifiable information about its citizens to any nation that does not have adequate data protection and privacy standards. Countries around the world are passing privacy laws to ensure trade with other countries with strict privacy requirements is not interrupted.
The trend for passing privacy laws in the United States also continues. In recent years many new federal regulations such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and hundreds of privacy laws at the state and local levels have been enacted. Organizations have been challenged to keep up with all the privacy and security laws in each of their office and customer locations.
When an individual’s privacy has been infringed upon, he feels a loss of control over his life. Once an organization loses its customers’ trust because of a privacy incident, it is extremely difficult, if not impossible, to regain the trust of the public and its remaining customers.
Business leaders and continuity professionals are becoming increasingly aware that the preservation of customer trust, achieved in large part with security and privacy practices, is essential now – and will become even more important in the coming years – for business survivability.
6. UNIVERSITIES AND BUSINESS CONTINUITY ASSOCIATIONS ARE CONTINUING TO DEVELOP BUSINESS CONTINUITY, SECURITY, AND RISK AND EMERGENCY MANAGEMENT PRACTICES INTO A PROFESSIONAL DISCIPLINE.
Building the Profession: Education and Standards
Major changes have been occurring at an increasing frequency in this discipline which not too long ago focused primarily on data center recovery. Increasing threats, both man-made and natural, incredibly rapid technological evolution, new business concepts and processes, a global economy, and an increasing stakeholder awareness have made business continuity truly a professional discipline and not just an unavoidable task to satisfy auditors and regulators.
Focusing in particular on expanding professional development, good practices, and the promotion of meaningful standards and guidelines, DRI International (DRII) and the Business Continuity Institute (BCI) are launching new initiatives. BCI recently announced a new Specialist certification category and is about to pilot a recertification program. DRII is expanding its course offerings and has made available many of its courses and its certification examination online. Both institutes, acting in collaboration, have published an updated set of certification standards, and BCI has published a Good Practices Guide.
DRII has established four new management committees – the Strategic Alliances Committee, the Legislative Affairs Committee, the International Affairs Committee, and the Educational Advisory Council – to work closely with its board of directors to ensure progress continues in these critical areas.
Several U.S. universities, such as the University of North Texas in Denton, Texas, and George Washington University in Washington, D.C., have established degree programs in emergency management. Cal State University at Long Beach has a Masters program in emergency management. The University of Richmond has initiated a program and has taken over the Harris certification program. In the UK, Coventry University has launched a degree and certificate program in BCM, with BCI providing input into the development of the curriculum.
Many other universities are investigating expansion of current business management and information technology curricula to include course work in emergency management, risk management, and business continuity management. The Educational Advisory Council of DRII is researching schools offering courses in BC and emergency management. One goal of the Council is to track an educational and career path for students and practitioners in business continuity, security, and risk and emergency management that leads to a corporate executive position identified as chief risk officer. The Council is working toward identifying and defining the functions, skills, and knowledge needed by this individual with regard to regulatory issues, physical and intellectual security, environmental health and safety concerns, crisis management, legal implications, etc.
With all the new and continuing initiatives, it is clear tomorrow’s business continuity professional will be better educated and prepared – and will reap the benefit of significantly higher levels of management awareness and commitment.
7. THE FINANCIAL AUDIT FUNCTION WITHIN ORGANIZATIONS IS BECOMING INCREASINGLY CONCERNED WITH RISK MANAGEMENT, CONTINUITY, AND RESILIENCE.
Audit, Benchmarking, Maturity, and Compliance
This year brought a number of significant changes to the general audit framework: business continuity, disaster recovery, and crisis management have emerged as core disciplines to be reviewed.
The Civil Contingencies Bill, PAS 56, and the control self-assessment tool for the BCI Good Practice Guide are indicative of this new mega-trend. If the 1990s was the decade of building and implementing sustainable BCM processes, we have now moved on toward control, monitoring, and benchmarking. Large strategic initiatives such as Basel II for the financial sector require objective criteria for evaluating continuity and disaster recovery within organizations.
With growing maturity of the business continuity and risk management cultures, audit and compliance issues are firmly embedded in the overall approach toward risk and, most importantly, corporate governance. Several European countries have introduced corporate governance codices with specific audit and compliance provisions. In the Asia-Pacific region, various governments have embarked on self-assessments to determine the state of business continuity, disaster resilience, and crisis management capabilities. These developments are being reinforced by U.S. laws and standards.
From a business perspective, the increasing level of optimization, “lean” organizations, and constant restructuring multiply the operational risks and potential threats. The “crisis-prone organization” of the 1970s may well return, as has been observed in recent research. As a result, even financial audit is becoming increasingly concerned with risk management, continuity, and resilience. A multitude of global surveys published by the “Big 4” accounting firms have clearly identified business continuity, IT disaster recovery, and crisis management as important audit and compliance issues. Professional audit associations have published extensive research on benchmarking and review techniques. If the question until now was how to introduce BCM, it is rapidly changing to how to know it works.
This is just the beginning. The BC profession and practice have reached a new maturity level, moving from the initial “ad hoc” and “repeatable” stages to the “managed” stage of the capability maturity model. It is likely that the need for management, gap analysis, and continuous improvement will be reinforced by new regulatory initiatives. The significant number of current discussion papers, consultative documents, and exposure drafts will eventually form standards, principles, and regulations.
8. ORGANIZATIONS ARE RECOGNIZING THE GROWING THREAT OF THE USE OF WEAPONS OF MASS DESTRUCTION IN TERRORIST INCIDENTS.
WMD/CBRN: Is Fear Exceeding Reality?
Almost by definition terrorism will continually seek to change its face. In the past few years we have seen new adversaries, new motivations, and new methods surface to challenge many of our most fundamental assumptions about terrorists and how they operate.
The situation is changing once again. Until recently, terrorism was seen as a form of limited violence, as compared to traditional warfare where one nation’s army attacked another. But events in the United States and now Madrid have fundamentally changed the picture. A Rubicon has been crossed and as a result our understanding of war, terrorism, invasion, weapons of mass destruction (WMD), and chemical, biological, radiological, and nuclear weapons (CBRN) has significantly changed. It seems certain that sooner or later, at least the United States, UK, or Israel will suffer a WMD/CBRN attack – albeit only on the scale of the 1995 sarin gas attack by Aum Shinrikyo on the Tokyo subway system that killed 12 and sent more than 5000 people to hospitals.
Many experts believe the financial cost and logistical requirements necessary to design, build, deliver, and activate any WMD preclude a sudden attack by a terrorist organization against the West. The shift has therefore been toward much better intelligence gathering and evaluation so we can be alerted to a possible terrorist attack. This leads to actions such as the grounding of recent flights to the United States from the UK and France, and on a wider level, it might soon be necessary to consider the complete evacuation of a town or even city rather than just a single aircraft. This would of course make our security services de facto agents of the terrorists, since mass evacuation on this scale could cause panic and injuries, the risk being that we would trigger a response irrespective of threat actuality – and thus play into the hands of the terrorists. We are therefore in a world where we measure success against terrorists using WMD/CBRN not by capturing the perpetrators and confiscating the weapons, but chiefly by being able to predict or at least second guess where they might strike next.
In the UK, the emergency services and other responding agencies have always worked closely together to deal with the scene of a disaster. They have carried out their roles in accordance with a range of guidance issued by government departments, specialist agencies, and by the emergency services themselves. Most recently, the Civil Contingencies Bill (stimulated by 9/11) is now going through Parliament. This brings together and refines some actions hanging over from the Cold War and the emergency procedures that are used to respond to industrial accidents and civil emergencies. It also sets up special reaction forces using our army (in the UK there is no prohibition using regular soldiers on our streets). It is designed to enable the emergency services, the military, local authorities, health professionals, and government departments and agencies to work together more effectively during an incident, especially one involving WMD/CBRN.
9. BUSINESS CONTINUITY MANAGEMENT HAS RAPIDLY ESTABLISHED ITSELF AS AN INTEGRAL PART OF THE SUPPLY CHAIN MANAGEMENT PROCESS.
BCM in Supply Chains
Given the number of former military personnel in business continuity, it is hardly surprising that supply chain management has become a key focus in BCM. In battle conditions, a break in supply lines may mean the difference between life and death. In business the consequences of a supply chain failure may be less dramatic but nevertheless vital to avoid.
So, is the management of supply chains a BCM issue at all? Prior to Y2K, most organizations did not think so – surely dealing with crises and problems is what logistics managers did every day!
However, the analysis undertaken to manage the Y2K event gave rise to many disturbing conclusions. Not only were organizations at risk from their own problems, but also the problems of their vendors. Nowhere was this more obvious than in the supply of utilities and services where, in the pursuit of cost savings, companies had negotiated single sources of supply. The problem was wider, however, in that many other key vendors emerged, each with a capability to cause serious disruption should they fail. The trend to outsource manufacturing, particularly offshore, added to both the length of the supply lines and the potential for disruption.
BCM is about identification of single points of failure, understanding the impact of such failure, and mitigating the effect by designing plans and solutions. This was exactly what was needed for supply chain vulnerability assessment. In two sectors, manufacturing and retail, business continuity has rapidly established itself as an integral part of the supply chain process. Clearly retail and manufacturing are two sides of the same problem, as retailers buy from manufacturers. However, manufacturers also buy raw materials and components from other manufacturers. Non-availability can stop production lines and continuous processes at a stroke. In the area of just-in-time (JIT) production and delivery, this can be disastrous in terms of lost productivity and compensation clause claims.
Many smaller manufacturers are now finding that without BCM in place they cannot get contracts with major customers who are writing it into their agreements with all vendors. Retailers by contrast are usually at the end of the supply chain and are in a position to demand resilience and guaranteed supply from their vendors. Most large retailers are now asking their vendors about plans and looking for proof of testing and audit. A statement of BCM compliance in any contract is now almost mandatory, while undertaking an audit of key vendors’ BCM provisions is becoming more commonplace.
… And One to Grow On
10. LET’S FACE IT – EVEN WITH ALL THESE POSITIVE STEPS TAKEN IN THE PAST YEAR, THE PROFESSION STILL STRUGGLES FOR RECOGNITION, AND WILL CONTINUE TO DO SO UNTIL IT BECOMES A WELL-DEFINED AND BROADLY ESTABLISHED DISCIPLINE. PAUL KIRVAN, FBCI, CBCP, CISSP HAS A VISION FOR HOW BCP CAN EVOLVE.
Operations Assurance: A New Strategy for Business Protection
With increased threats to business and government from physical and cyber sources, the issues of business continuity, security, and crisis management have never been more important. However, these three functions are often located in various parts of an organization, and there continues to be a “silo” mentality in most businesses regarding the relationship of these areas.
Assuming the disciplines exist in an organization, they typically operate autonomously and only interact when absolutely necessary.
It is time to think of these issues in the greater context of corporate governance. Governance in most cases is 100 percent involved with the financial model of the enterprise. Every day the board of directors of virtually every company challenges the CEO or managing director to verifiably reduce total operating costs, improve productivity in an already well-understood critical success strategy, or enable previously unavailable strategic capabilities. These people should also be responsible for ensuring that the business is protected.
Operations assurance is the process by which business continuity, security (all forms), and crisis management are integrated into a unified, holistic approach to corporate governance, with the mission of ensuring uninterrupted operation of business and government. The second part of this model is to establish a senior- or board-level activity that assumes overall responsibility for these disciplines as part of corporate governance, thus ensuring a single point of responsibility for continuity of operations.
With this concept of corporate governance – and the need to maintain uninterrupted operations – we clearly see the need for business continuity, security, and crisis management. But they can no longer remain independent; they must move closer, in a more synergistic and collaborative fashion. It is not necessary to dissolve these disciplines into a single entity – yet. Rather, it may be better, as an initial focus, to identify the best practices and policies of each and evolve them into a new, more relevant corporate activity that is part of corporate governance; namely, operations assurance.
Assuming we can integrate the best practices of these three disciplines into something greater than the sum of the individual parts, we have the beginnings of a new direction. The success of this direction rests on several truths:
- The business continuity, security, and crisis management disciplines can no longer ignore their interdependence.
- There is a growing need for integration of these disciplines within corporate governance.
- The resulting discipline – operations assurance – needs senior management attention and access to funding.
- The new discipline must play both strategic and tactical roles in business and government.
Whether this concept is ultimately termed operations assurance, global assurance, risk management, or otherwise coined, the vision of tighter integration of the primary disciplines – business continuity, security, and crisis management – is one that will lead to an evolution of the business continuity profession. The BC community must embrace this vision, mobilize it, document it, standardize it, regulate it, and promote it as a front-line profession along with the likes of accounting, engineering, and law.
ACKNOWLEDGEMENTS
Leave A Comment
You must be logged in to post a comment.