Preparing for events that can impact core functions, processes, systems, and data has become an ever more important responsibility of elected officials, corporate management, and the board.
Regulators demand that top management be prepared. Lenders make evidence of operational resilience a contractual covenant. Customers require it in their service level agreements. Shareholders expect it. Washington has elevated preparedness to a national security priority. Markets, regulators, and public opinion punish companies that do not adequately prepare for operational continuity when disaster strikes.
Risk Solutions International’s corporate and government clients are expanding their focus on emergency scenarios that impact human capital, create crisis management issues, and affect business partner relationships. They are redefining what functions and agencies are critical to ensure uninterrupted continuity with partners, customers, citizens, and employees.
Risk Solutions International’s Business Continuity Management professionals systematically identify key people, processes, plant and equipment, and technology that may be impacted by disruptions, and help drive planning and recovery strategies. We help companies and municipal and state jurisdictions stay in business and serve their constituents in the event of a severe disruption to their essential operations.
In addition to requiring corporate officers to take greater responsibility for the accuracy of financial reports, the Sarbanes-Oxley Act (SOX) mandates that organizations understand the underlying risks that may impact the financial reporting process. A credible assessment of this risk environment should include the operational and IT risks that are embedded in every organization’s operating environment and organizational structure. Absence of a business continuity plan is a prime indicator of significant unaddressed risk.
Business Continuity Management is now specifically required across a multitude of industries as a basic element of sound internal controls. Under NYSE Rule 446 and NASD Rule 3500 Series, the SEC now mandates business continuity for financial services companies. The State of New York Insurance Department’s Circular Letter No. 7 requires that insurance companies licensed to conduct business in New York maintain rigorous business continuity plans. In today’s corporate governance world, similar industry-specific compliance requirements are imposed from many sources:
- Patriot Act
- Critical Infrastructure
- FPC Circular 65
While many organizations struggle to meet regulatory requirements, few embrace the true benefits that result from exercises necessary not only to identify risks to the financial reporting process, but also to mitigate those same risks. Run-of-the-mill system outages may pose a greater risk than category-five hurricanes or terrorist attacks. Consider the number of times in the past quarter that the addition of a new piece of hardware or software, a virus, or another information-security threat has caused systems to be taken offline. When that downtime occurs, critically important data, for example financial information under Sarbanes-Oxley or patient data under HIPAA, must be protected and managed in a compliant process. Audit comments often amplify the importance of business continuity plans if they are found to be absent or insufficient.
Because business continuity is a mature professional process, it has developed around an evolving set of standards that are internationally recognized and practiced by business continuity professionals.
There are three well-established business continuity standards that are available for private and public sector use alike:
- ASIS International SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management System – Requirements with Guidance for Use (2009 Edition).
- British Standards Institution (BSI) 25999 (2007 Edition) – Business Continuity Management (BS 25999-1:2006 Code of Practice for Business Continuity Management and BS 25999-2:2007 Specification for Business Continuity Management).
- National Fire Protection Association (NFPA) 1600 – Standard on Disaster/Emergency Management and Business Continuity Programs, 2007 and 2010 editions.
The federal government encourages the adoption of business continuity planning (often referred to in the public sector as continuity of operations planning (COOP)) through National Security Presidential Directive 51 (NSPD-51) and Homeland Security Presidential Directive 20 (HSPD-20), issued in 2007. These directives for government agencies provide the guidance under which public sector entities and jurisdictions develop their own continuity plans, in two ways.
For entities of municipal, county or state governmental jurisdictions, the impetus to adopt BCP derives from this federal guidance.
For non-government entities, a joint effort between the Federal Emergency Management Agency (FEMA) and the U.S. Department of Homeland Security (DHS) provides federal guidance toward a voluntary framework for business continuity and disaster recovery – called PS-PREP. It is a voluntary program of accreditation and certification of private entities using standards adopted by DHS that promote private sector preparedness, including business continuity programs, as directed in NSPD 51/HSPD 20. The program provides a mechanism by which private sector entities can be certified by an accredited third party as having business continuity plans that conform to one or more of the three established preparedness standards, shown above, each of which has been adopted by DHS. All provide for these elements, as required in the federal directives:
- The continuation of essential functions during emergencies until normal operations can be resumed, and the capability to be fully operational at alternate sites.
- Succession orders and pre-planned devolution of authority.
- Safeguarding and providing access to vital resources, facilities and records.
- Obtaining the resources necessary to continue operations.
- Planning for redundancy in critical communications with stakeholders at alternate sites.
- Having the capability to reconstitute, recover and resume normal operations after disruptions.
- Assuring that capable personnel are assigned, trained and prepared to manage operational relocation.
Increasingly, having business continuity plans is a requirement imposed by commercial contract as a condition of doing business. Business continuity or emergency plans are often required by partners as a service level agreement or as a pre-condition to buying or investing. Banks can make them a loan covenant, acquirers a due diligence element in mergers and acquisitions, and insurers a condition of insurance coverage.
Internal financial or risk management imperatives can drive resiliency planning. Recent loss or crisis experience and its impact on operations, revenue, liability, compliance and reputation can provide the impetus for recovery planning. Awareness of the increased vulnerability of sensitive and legally protected data to hacking, cyber attack, malware, intrusion or denial of service attacks provides another. Risk managers may encourage adoption of business continuity planning to help quantify business interruption insurance limits, or to deal with risks associated with violently destructive weather patterns.
Under contract to the Transportation Research Board, Risk Solutions International has developed the definitive guidebook for U.S. airports to use to implement custom business continuity plans.
The guidebook – ACRP Report 93: Operational and Business Continuity Planning for Prolonged Airport Disruptions – was published by the Transportation Research Board in November 2013 and is available for download or purchase at:
The guidebook includes the software tool that airports can use to develop their custom operational continuity plans.
See also Airport Business Continuity Planning.
In today’s highly globalized business environment, companies recognize more than ever that disruption in their supply chains – or to their vendors’ operations – can cause immediate impact on their ability to provide their customers with dependable on-time delivery of their products and services. Addressing this formidable risk requires more than just internal resiliency; it requires a commitment by every vendor in the supply chain to achieve a similar state of readiness.
Unfortunately, the inability to continue operations after an interruption may only become obvious after the supplier is no longer able to meet its obligation. The result is that the end product or service is delivered late, if at all. The effect is loss of confidence, lost revenue, potential loss of customers to competitors – and the reputational damage that can ensue. Volcanoes, tsunamis and typhoon-driven floods are recent examples of natural disasters suffered by single or sole source suppliers that have had a major negative impact on some of the largest and most sophisticated companies in the world. Volatile international political and social instability seems less predictable and more prevalent than ever before.
To be fully prepared for operational recovery, companies should look past their primary suppliers to secondary and tertiary vendors in their supply chains to fully appreciate their vulnerability to global disruptions. They should develop vendor resilience auditing programs. They should understand how to quantify value-at-risk in their supply chains (goods in raw material form, in production, in storage, or finished goods in transit) as an element of arranging contingent business interruption insurance. They should identify their single points of failure from sole sourcing – a potential unintended consequence of efficiency and cost take-out strategies such as lean manufacturing, just-in-time procurement and consolidation.
This kind of business continuity planning at the supply chain level is fundamental to providing the clarity required by underwriters and re-insurers in order for them to provide sufficient capacity and pricing for contingent business interruption insurance coverage that can financially transfer supply chain risk.
After facing numerous man-made, natural, and terror-related disasters in the last decade, the U.S. Department of Homeland Security (DHS) has issued requirements and clear guidance for government agencies and municipalities to have viable continuity of operations plans (COOP) in place. DHS grants billions of dollars to state emergency management agencies to fund these regional and local continuity plans. The combined effects of Hurricanes Katrina and Sandy revealed the vulnerability of major urban and suburban population centers to natural disasters. They have resulted in presidential and gubernatorial orders to review city, county, state and federal plans to ensure both a better state of readiness and a credible capacity to recover essential functions and government services.
Risk Solutions International specializes in helping local, county and state jurisdictions cope with their risks associated with the potential loss of operational or governmental capabilities. We manage this process for entire states – across all their departments, agencies and tribal areas.
Operational continuity plans that do not specifically align with the Information Technology Department’s disaster recovery (DR) plan can be highly ineffective. A surprising number of organizations have not adequately mapped the two recovery planning elements to each other – to the detriment of business function owners and the IT Department alike. Risk Solutions International works within our business continuity engagements – or directly with the CIO and the IT Department – to develop or upgrade the organization’s DR plan and IT service availability strategy so that they align with the recovery priorities of the business and operating functions.
Our Business Continuity Management practice is comprised of highly trained and certified industry practitioners who bring a combined seventy-five years of experience to their work. Risk Solutions International consultants have expertise across a wide spectrum of commercial, governmental, not-for-profit and educational organizations. They are industry thought leaders who have helped develop national standards for business continuity management, continuity of operations planning and information security. They understand that the costs of not managing disaster disruption risk can be far greater to our clients than the cost of developing a sustained internal capacity for preparation, response and recovery.
For information about Risk Solutions International’s Business Continuity Management Practice, please contact Duane Lohn at firstname.lastname@example.org