DRJ Fall 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 32, Issue 2

Full Contents Now Available!

How Business is Leveraging Business Continuity To Comply with the New Regulation
In the wake of spectacular corporate governance failures at several companies, Congress enacted the Sarbanes-Oxley Act of 2002 to address the shortcomings of corporate governance and improve the overall controls associated with the management and reporting of corporate financial information. The legislation is aimed at protecting employees, business partners, and corporate. In a period that saw the creation of specific legislation and regulations around business continuity, it was only natural that Sarbanes-Oxley would be seen as an extension of these same regulations.
Sarbanes-Oxley does not specifically address business continuity requirements. In fact, it never mentions business continuity at all. But as a practical matter business continuity is seen as a means to create a comprehensive controls environment within an organization. Sarbanes-Oxley is spurring companies to expand the scope of their business continuity initiatives to be more comprehensive in nature, even to the point of a company looking outside its own organization to suppliers and vendors.

There is no magic or mystery to effective communication in a crisis; yet anytime you turn on the news, you will invariably find someone who is making a mess of it. In working with organizations of every size and in nearly every sector, I have found that by following a few simple rules when communicating with your internal and external audiences you can keep your company from becoming the next crisis casualty.

Rule 1. Tell the truth

The single most important communication rule for surviving a crisis is often the most difficult to follow. After a major mishap our natural tendency is to try to cover up or defend what happened. It is simply unnatural when you have fallen on a banana peel to shout out, “Hey everyone, I fell down!” Providing accurate information and getting it out early, however, will allow you to control the flow of information and start the recovery process that much sooner.

This is the most basic rule of post-crisis communication and the one that is most often violated. You should never forget that the organizations that have historically suffered the most in the wake of a crisis have been those in which the leadership thought they could get away with bending, twisting, slanting, or stretching the truth. One of the consequences of living in the information age is that the truth always comes out eventually. The bottom line is this: When “it” hits the fan, you don’t want to be the one who was throwing the “it.”



Today’s headlines are full of disturbing stories about new occurrences and outbreaks of infectious diseases. Some of them such as SARS (Severe Acute Respiratory Syndrome), monkeypox, and West Nile virus are new and alarming. In addition, the threat of bioterrorism with deadly agents such as anthrax and smallpox continues to be a concern.

Although the Occupational Safety and Health Administration (OSHA) has specific rules to protect workers from exposure to blood-borne infections such as hepatitis and HIV, there are many other infections that can affect the workforce, which ultimately impacts corporate productivity and profits. Even though most infections are not occupationally acquired, health and safety programs should be proactive in identifying potential infectious threats to the workforce and preventing them when possible. From a public health and safety perspective, preventing illness and injury are the primary goals.

With the exception of healthcare workers and first responders, most employees in the U.S. are not at risk for acquiring occupational infections. However, many people get exposed to a variety of infections at home, in the community, and also from fellow workers. Employers should be proactive by addressing these potential risks through their health and safety programs with the support of their human resources departments.

Some of the most common infections are respiratory viruses such as colds and influenza. Although not considered an occupational exposure, per se, people frequently are exposed to these common infections while at work. An employer can take several steps to minimize the potential spread of respiratory viral infections in the workplace. The modest cost of providing influenza vaccine to employees every fall, before flu season is in full swing, can save significant time and money. The more employees who are immunized, the better. This reduces potential exposure for non-immunized employees while at work. It also reduces the number of people in the workforce who may become exposed to the flu from family or community. Overall, provision of flu vaccine is a win/win situation for both employers and their staffs.


What’s the Difference for the Business Continuity Planner?

What are the basic differences between creating a business continuity plan for a multi-billion dollar corporation and creating a business continuity plan for a mom and pop grocery?
How about differences between a business function and IT?
By this planner, all plans basically are the same; they have the same basic requirements. The operative word is basic.

Each plan has the following segments in common:

• Determine why the entity (or process or procedure or ...) exists.
• Identify risks to the “thing.”
• Rate the risks: what is the probability of the risk occurring versus the impact on the “thing” if the risk occurs.
• Identify ways to avoid or mitigate the risks.
• Document what must be done if the risk occurs.
• Create a training methodology to assure that if the risk occurs, it will be dealt with within the defined time constraints by people who are confident in their skills.
• Maintain the plan by watching for trigger events and by watching the calendar.


It’s often said that, other than your spouse or significant other, you can’t pick your family members. We love our parents and grandparents, but in almost every family, there are people who, had we had the opportunity to select, they might not have been chosen.

It’s usually that way with the person to whom we report and where we report in the organization. When we’re hired into a company, or accept a promotion into a position, it’s unlikely that we’ll be able to dictate who our boss will be, or in which part of the company he or she will find themselves positioned. It’s too bad, because more than almost any function in the company, business continuity planning needs to be placed in the organization where it can be most effective.

Best Case Scenario

Placement of business continuity within the organization is of critical importance. Depending on the expected scope of the program, BCP should report to someone with administration or oversight responsibilities for the entire company. For maximum effectiveness, ideally, BCP will report through one of the following line authorities:

• The chief operating officer or chief administrative officer;
• Within a corporate level reporting relationship, not branch or division level.

BCP doesn’t need to report directly to the COO or CAO; however, it should report to someone who does report to these levels. Since BCP needs to address the corporation (both business and technical recovery) having it as a part of the COO or CAO chain of command will simplify how decisions are made, and the perspective of areas that must work with the BCP teams.

The key factors in placement of the BCP function are to avoid compromising a planning program’s objectivity and integrity, and getting the needed visibility within the organization to be effective.