This fundamental shift means increased importance on external influences (e.g., new government regulations) and the need for corporations to be proactive in responding to governance variables, as opposed to the typical reactive mode in years past.
The primary driver of corporations finally beginning to give governance issues priority were corporate scandals (Enron, Adelphia, Arthur Anderson, et. al.) that shook the confidence of stakeholders and raised the ire of legislators on a global basis. The perceived and actual failure of corporate governance and internal controls and the regulatory focus on ensuring sound internal controls are established for at least the financial elements (auditing) of the organizations.The most significant legislative trend is the reoccurrences of management accountability with significant civil and criminal penalties specified in the various regulations, should management fail to prove due diligence in protecting the corporate assets and reporting accurate information. Few at the most senior management levels will be able to claim ignorance with any hope of protection from civil or even criminal penalties.
Given all this, how does regulatory compliance affect a company’s business continuity management (BCM) program? Availability and integrity of information and continuity of services are key internal control concepts directly attributable to an effective BCM program. And while the task at hand can seem quite onerous, efficiencies and competitive edge can be gained with better compliance, including:
- Reduced risk exposure
- Increased stakeholder confidence Increased efficiency by having a proactive policy towards compliance
- Ability to build internal operational efficiencies caused by compliance constraints and controls
- Increased value to possible partners by showing compliance
- Reduced data administration costs
- Architectural changes provide geo-diversity
- 99.999 availability plus protection from site loss
So what must a company do to increase reliability and availability (from an operational perspective), safeguard assets, and adhere with new compliance laws and regulations?
As business continuity and disaster recovery experts, this is where we step in. Our goal is to reduce risk exposure, increase stakeholder confidence, increase efficiency by having a proactive policy towards compliance, and to help reduce administration costs.
In order to be truly compliant, companies must take into account physical, logical, and operational risks and their implications to the enterprises operations, data, facilities, and personnel. And they must be able to prove to regulators that they have in place a check and balance, identification and management of risk, and assurances that assets are managed as intended.
The effectiveness of any BCM program and its business continuity and disaster recovery planning methodologies needs to be evaluated against best practices and standards that focus on critical elements supporting continuity of operations, availability of information and staff, and maintaining the integrity of information. To start, organizations must create a robust business continuity plan that minimizes risks and accounts for all the scenarios that could significantly impact an organization in the event of a disaster. To do this, organizations should:
- Conduct a business impact analysis to identify financial and other potential impacts to the organization caused by the loss of systems, data, or both
- Identify the dependencies on locations, data, equipment, networks, and staff
- Create guidelines for corporate data retention policies company-wide that includes establishing and enforcing a corporate retention strategy, storing records in a system that allows authorized access, provides an audit trail, allows timely retrieval of archived records, retains only those pertinent records as long as necessary but no longer
- Mitigate risks where possible
- Determine the recovery point objectives (RPOs) that establishes the maximum data loss that can occur and still enable financial reporting to be conducted accurately and in a timely fashion
- Identify data management and technology solutions to minimize data loss and maximize data availability
- Determine the recovery time objectives (RTOs) that establishes the window of time for recovery from downtime and identify the processes and technology solutions to meet these objectives
- Engage and brief company management and obtain senior approval
- Document and incorporate BC solutions, processes, and actions into plans, and test the solutions and validate the data on a regular basis
- Keep the BC plans current with a formal updating process that allows for changes in the organization and ensures a current state of the plans
- Have the processes evaluated and tested by an outside consultant on an annual basis
Although many organizations struggle with meeting regulatory requirements, few realize the true benefits that result from integrating corporate governance with business continuity and changing business processes (e.g. archiving e-mail), which is adhering to compliant regulations and steering clear of penalties and infractions. A comprehensive BC plan, including a thorough business impact analysis and risk assessment, supplemented by a disaster recovery plan, can alleviate risks that have the potential to paralyze an organization if disaster strikes.
Belinda Wilson, CBCP, is the executive director of Business Continuity & Availability (BC&A) Services at Hewlett-Packard. She is a member of the DRJ Executive Council and vice chair of DRI International. Wilson is a globally recognized expert in this field and leads her team of sales, consultants, delivery, and engineers for HP.