THE CURRENT SITUATION
The need for Contingency Planning (otherwise known as Disaster Recovery Planning, Business Continuity Planning, and any one of a host of other names) has been recognized in several government sectors. The Comptroller of the Currency issued a Banking Circular on this topic, BC 177, in 1983. This circular was revised in 1987 and revised again in July 1989. The 1989 revision to the circular was issued jointly by the Comptroller’s office and the Federal Financial Institution Examination Council (FFIEC). The 1989 revision of BC 177 states that:
“The loss or extended interruption of (business operations, including central computer processing, end-user computing, local area networking, and nationwide telecommunications) poses substantial risk of financial loss and could lead to failure of an institution. As a result, contingency planning now requires an institution-wide emphasis, as opposed to focusing on centralized computer operations.”
The language of this statement is clear; failure to construct and implement an institution-wide contingency plan could have extremely grave consequences. Also, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has recognized the need for contingency planning. While less emphatic in nature than the terminology contained in BC 177, the JCAHO policy nevertheless acknowledges the critical need for advance planning and emergency preparedness for healthcare organizations.
Why have regulating bodies in these industries chosen to mandate contingency planning to some degree? And, perhaps more importantly, will other industries be required to follow suit and mandate disaster recovery and contingency planning? The answers to these questions lie in the more general provisions of the Foreign Corrupt Practices Act of 1977, an amendment to the Securities and Exchange Act of 1934, which deals with the fiduciary responsibilities of officers and directors of publicly-held corporations toward the assets of these corporations.
FOREIGN CORRUPT PRACTICES ACT OF 1977
What, you may ask, could anything entitled the “Foreign Corrupt Practices Act” have to do with the responsibilities of officers and directors of domestic corporations - and more specifically, those officers and directors who are NOT engaging in “corrupt practices?” Actually, the Foreign Corrupt Practices Act deals specifically with a concept called the “standard of care” by which the actions of officers and directors are judged, in this instance with respect to the management (or mismanagement) of corporate assets. In the legal publication entitled Corpus Juris Secundum (CJS), this “Standard of care” is enunciated as follows, “A director or officer is liable for loss of corporate assets through his negligence, fraud, or abuse of trust.” [CJS Corporations, Volume 19, Section 491] In this same section, CJS states even more clearly that “The directors and officers owe a duty to the corporation to be vigilant and to exercise ordinary or reasonable care and diligence and the utmost good faith and fidelity to conserve the corporate property; and, if a loss or depletion of assets results from their willful or negligent (emphasis added) failure to perform their duties, or to a willful or fraudulent abuse of their trust, they are liable, provided such losses were the natural and necessary consequences of omission on their part.” [CJS Corporations, Volume 19, Section 491]
Now, the real question becomes much clearer: Should officers and/or directors of a publicly-held corporation that did NOT have a functional disaster recovery or business continuity plan, and, as a result of this lack of planning, sustained significant losses from a disaster be held liable for that part of the loss that could have been averted, had a functional disaster recovery plan been in place? The positions of the Comptroller of the Currency, the Federal Financial Institution Examination Council, and the Joint Commission on Accreditation of Healthcare Organizations seem to lend considerable support to the argument that the failure to plan ahead is an extremely serious omission on the part of the officials of financial institutions and healthcare organizations. But, the question remains: Should officers and/or directors of publicly-held corporations be considered negligent for their failure to plan if a corporation suffers losses that could have been avoided, at least in part, had a contingency plan been in place at the time that the disaster occurred?
Looking back 60 years to an often quoted case, the answer emerges. To an article published in the winter 1993 edition of Recovery (from Sungard Recovery Services) and reprinted in Volume 6, Issue 2 of Disaster Recovery Journal, Kevin Cronin discusses the case of “In the T.J. Hopper” as follows: “In a landmark 60-year-old case ... several ships sank during a storm off the East Coast. The vessels were not equipped with radio receivers. If they had been (equipped with radio receivers), they could have avoided the storm. Despite the court’s finding that only one shipping line in the country then had fitted its vessels with radio receivers (transmitters were already common for S.O.S calls), it (the court) found the owners of the lost vessels negligent for not equipping the vessels with receivers. The court balanced the cost of the radios, which was relatively small, against the harm that would result from not using them and decided that the prevailing custom of not having radios was negligent.” If one looks at modern corporations and substitutes “contingency plan” for “radio receiver,” the question posed above must surely be answered with a resounding YES.
WHERE DO WE GO FROM HERE?
Earlier in history, it is doubtful that corporate officers and directors could have been found negligent, and consequently liable, with regard to losses that could have been reduced, had a disaster recovery plan been in place. After all, true, institution-wide “disaster recovery planning” (or “contingency planning” or “business recovery and resumption planning” or “business continuity planning”) is a young discipline, and courts may be reluctant to find individuals negligent for failure to use products, services, or procedures that were either extremely new or very scarce (for example, had radio receivers been only in an experimental stage or in such short supply that they were incredibly difficult to obtain, then the outcome of the Hopper case would likely have been different).
Today, however, there exists an abundance of methodologies published widely in books and journals, software programs, consultants, education, training, testing and certification programs in the area of business continuity and disaster recovery planning as to invalidate any possible claim of ignorance. “I tried to get help to build a contingency plan, but there was nothing available...!”
So, where are we now? With ample answers available to assist in developing, testing, implementing, and executing contingency plans for organizations in most industries, and with all too many examples that have recently occurred of what can happen to businesses that have not planned for potential disasters, corporate officers and directors should not be allowed to escape liability for an otherwise-avoidable loss of corporate assets resulting from a disaster simply by claiming ignorance of disaster recovery and business continuity planning. These officers and directors either knew or should have known about the need for contingency planning and the availability of resources to help in this process.
A sticky issue arises when a business unit that has a disaster recovery plan experiences a disastrous loss due in whole or in part to the fact that the plan did not function properly. Resolving this issue will be the next major hurdle for the disaster recovery and business continuity industry, because the only way to find corporate officers and directors negligent for losses resulting from an inadequate disaster recovery plan is to give these officers and directors - and the courts that will judge them - clear standards as to what constitutes an adequate disaster recovery planning effort. Without such standards, courts will be extremely reluctant to step in and deem any contingency plan so grossly inadequate as to have the effective of no plan at all. These standards are only currently emerging in this young industry.
“Where do we go from here?” Those of us associated with the disaster recovery industry need to concentrate on two major issues. First, the continuing education of corporate executives on contingency planning (What is it? Why should we do it? How do we do it? What could happen to us if we don’t do it?). Second, the establishment of a set of standards for our industry to guide these executives, as well as other interested parties, such as courts, regulators, auditors, etc., in their efforts to comply with this “new” responsibility of ensuring that their businesses have effective disaster recovery plans in place.
Suggested Guidelines For Standards In Disaster RecoverY And Business Continuity Planning
1. Capabilities and limitations of disaster recovery and business continuity plans and equipment must be communicated to all stockholders.
2. All jurisdictions must be convinced to participate in disaster recovery and business continuity planning and to own product.
3. The disaster recovery and business continuity response organization must improve the ability to communicate with the stockholders during response operations.
4. Ability to mobilize adequate resources to execute disaster recovery and business
5. The disaster recovery and business continuity response organizations must improve the ability to communicate with response units and resources.
6. Realistic scenario-based disaster recovery and business continuity response strategies and tactics must be developed.
7. A disaster recovery and business continuity response organization that includes multiple parties but retains the ability to make decisions and take rapid action must be designed.
8. Methodology, technology, education, and training for disaster recovery and business continuity planning, implementation, testing, and execution must be continually improved.
John Copenhaver, CDRP, is the Director of Business Continuity Services for BellSouth Business Systems, in Atlanta, Ga. Raja K. Iyer, Ph.D., CDRP, is an associate professor of Information Systems at the University of Texas at Arlington.