Disaster Recovery Journal
www.drj.com
Regulatory Compliance: Intersecting Business Continuity with Corporate Governance
By Belinda Wilson, CBCP
Corporate governance is the system by which companies are directed
and controlled. It is the way in which corporate boards and officers
set the policies and handle the affairs of corporations. Initially,
the focus of corporate governance was to protect the shareholders of the
corporation, but with increasing emphasis being placed upon corporate
governance and associated policies, current thinking defines corporate
governance as a corporation's responsibility to all stakeholders (irrespective
of share ownership). This fundamental shift places increased importance
on external influences (e.g., new government regulations) and on the need
for corporations to respond proactively to governance variables,
as opposed to the typical reactive mode of years past.
The primary driver behind corporations finally giving governance
issues priority was the series of corporate scandals (Enron, Adelphia, Arthur Andersen,
et al.) that shook the confidence of stakeholders and raised the ire
of legislators on a global basis. The result has been a perceived and actual
failure of corporate governance and internal controls, and a regulatory focus
on ensuring that sound internal controls are established for at least the
financial (auditing) elements of the organization.
The most significant legislative trend is the recurring emphasis on management
accountability, with significant civil and criminal penalties specified
in the various regulations should management fail to prove due diligence
in protecting corporate assets and reporting accurate information.
Few at the most senior management levels will be able to claim ignorance
with any hope of protection from civil or even criminal penalties.
Given all this, how does regulatory compliance affect a company's
business continuity management (BCM) program? Availability and integrity
of information and continuity of services are key internal control concepts
directly attributable to an effective BCM program. And while the task
at hand can seem quite onerous, efficiencies and a competitive edge can
be gained with better compliance, including:
- Reduced risk exposure
- Increased stakeholder confidence
- Increased efficiency by having a proactive policy towards compliance
- Ability to build internal operational efficiencies driven by compliance
constraints and controls
- Increased value to possible partners by demonstrating compliance
- Reduced data administration costs
- Architectural changes that provide geo-diversity
- 99.999 percent availability plus protection from site loss
So what must a company do to increase reliability and availability
(from an operational perspective), safeguard assets, and adhere to
new compliance laws and regulations?
As business continuity and disaster recovery experts, this is where
we step in. Our goal is to reduce risk exposure, increase stakeholder
confidence, increase efficiency by having a proactive policy towards
compliance, and to help reduce administration costs.
In order to be truly compliant, companies must take into account physical,
logical, and operational risks and their implications for the enterprise's
operations, data, facilities, and personnel. And they must be able to
prove to regulators that they have in place checks and balances, identification
and management of risk, and assurances that assets are managed as intended.
The effectiveness of any BCM program and its business continuity and
disaster recovery planning methodologies needs to be evaluated against
best practices and standards that focus on critical elements supporting
continuity of operations, availability of information and staff, and
maintaining the integrity of information. To start, organizations must
create a robust business continuity plan that minimizes risks and accounts
for all the scenarios that could significantly impact an organization
in the event of a disaster. To do this, organizations should:
- Conduct a business impact analysis to identify financial and other
potential impacts to the organization caused by the loss of systems,
data, or both
- Identify the dependencies on locations, data, equipment, networks,
and staff
- Create guidelines for corporate data retention policies company-wide
that include establishing and enforcing a corporate retention strategy and
storing records in a system that allows authorized access, provides
an audit trail, allows timely retrieval of archived records, and retains
only those pertinent records as long as necessary but no longer
- Mitigate risks where possible
- Determine the recovery point objectives (RPOs) that establish
the maximum data loss that can occur and still enable financial reporting
to be conducted accurately and in a timely fashion
- Identify data management and technology solutions to minimize data
loss and maximize data availability
- Determine the recovery time objectives (RTOs) that establish the
window of time for recovery from downtime, and identify the processes
and technology solutions to meet these objectives
- Engage and brief company management and obtain senior approval
- Document and incorporate BC solutions, processes, and actions into
plans, and test the solutions and validate the data on a regular basis
- Keep the BC plans current with a formal updating process that allows
for changes in the organization and ensures a current state of the
plans
- Have the processes evaluated and tested by an outside consultant
on an annual basis
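As an added example (not from the article, nor from HP or DRJ), the following Python checker applies the RPO, RTO and regular-testing steps above to the evidence a plan owner would actually hold: a backup-job log and the timing of the last recovery test. It treats the worst-case data loss as the longest gap between two successful backups (a failed run widens that gap), compares it with the RPO, compares the tested restore duration with the RTO, and flags a recovery test older than a year. The log format, system names, targets and dates are all constructed for illustration.

```python
"""Check a BC plan's RPO/RTO targets against backup and test evidence.

Assumed (constructed) log format: one backup job per line,
"<ISO timestamp> <system> <OK|FAILED>".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Target:
    system: str
    rpo: timedelta              # maximum tolerable data loss
    rto: timedelta              # maximum tolerable recovery window
    restore_duration: timedelta  # measured in the most recent recovery test
    last_test: datetime          # when that test was run


# Constructed backup-job log: finance-db missed its 3 March run.
BACKUP_LOG = """\
2005-03-01T02:00:00 finance-db OK
2005-03-02T02:00:00 finance-db OK
2005-03-03T02:00:00 finance-db FAILED
2005-03-04T02:00:00 finance-db OK
2005-03-01T02:00:00 email-archive OK
2005-03-01T14:00:00 email-archive OK
2005-03-02T02:00:00 email-archive OK
"""


def parse_log(text):
    """Group log lines by system as (timestamp, succeeded) pairs."""
    runs = {}
    for line in text.splitlines():
        ts, system, status = line.split()
        runs.setdefault(system, []).append(
            (datetime.fromisoformat(ts), status == "OK"))
    return runs


def worst_case_data_loss(runs):
    """Longest interval between consecutive successful backups.

    A failure just before the next good backup completes loses everything
    written since the previous good one, so failed runs simply drop out
    and widen the gap. Returns None if fewer than two good backups exist.
    """
    good = sorted(ts for ts, ok in runs if ok)
    if len(good) < 2:
        return None
    return max(later - earlier for earlier, later in zip(good, good[1:]))


def evaluate(target, runs, now, max_test_age=timedelta(days=365)):
    """Return a list of findings; an empty list means the target is met."""
    findings = []
    loss = worst_case_data_loss(runs)
    if loss is None:
        findings.append("RPO cannot be demonstrated: fewer than two successful backups")
    elif loss > target.rpo:
        findings.append(f"RPO exceeded: worst-case loss {loss} > target {target.rpo}")
    if target.restore_duration > target.rto:
        findings.append(f"RTO exceeded: tested restore {target.restore_duration} "
                        f"> target {target.rto}")
    if now - target.last_test > max_test_age:
        findings.append(f"recovery test is stale: last run {target.last_test.date()}")
    return findings


# Constructed targets: the finance database has tight objectives and an old
# test; the e-mail archive is backed up twice daily against a 24-hour RPO.
TARGETS = [
    Target("finance-db", rpo=timedelta(hours=24), rto=timedelta(hours=8),
           restore_duration=timedelta(hours=10), last_test=datetime(2004, 1, 15)),
    Target("email-archive", rpo=timedelta(hours=24), rto=timedelta(hours=24),
           restore_duration=timedelta(hours=6), last_test=datetime(2005, 1, 10)),
]


def report(now=datetime(2005, 3, 5)):
    """Evaluate every target and return {system: findings}."""
    runs = parse_log(BACKUP_LOG)
    return {t.system: evaluate(t, runs.get(t.system, []), now) for t in TARGETS}


if __name__ == "__main__":
    for system, findings in report().items():
        print(system, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Running it reports the finance database three times over (the missed backup pushes its worst-case loss to two days, the tested restore exceeds the RTO, and the last test is over a year old) while the e-mail archive passes; the same structure works over a real job log once the parser matches the backup tool's output.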
Although many organizations struggle with meeting regulatory requirements,
few realize the true benefits that result from integrating corporate
governance with business continuity and changing business processes
(e.g., archiving e-mail): adherence to the applicable regulations
and avoidance of penalties and infractions. A comprehensive BC
plan, including a thorough business impact analysis and risk assessment,
supplemented by a disaster recovery plan, can alleviate risks that have
the potential to paralyze an organization if disaster strikes.
Belinda Wilson, CBCP, is the executive director of Business Continuity
& Availability (BC&A) Services at Hewlett-Packard. She is a
member of the DRJ Executive Council and vice chair of DRI International.
Wilson is a globally recognized expert in this field and leads her team
of sales, consultants, delivery, and engineers for HP.
©Copyright 2005 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of Systems Support Inc. is prohibited.