http://www.forbes.com/opinions/2008/01/16/disaster-preparedness-companies-oped-cx_slw_0117disaster.html

By Scott Louis Weber
Forbes.com
01.17.08

The private sector owns 85% of this country's critical infrastructure, and the government simply cannot protect it all, nor should it be expected to. So this year, the most important resolution any corporate executive can make is to develop, maintain and test its own business continuity program, or "BCP."

A well-designed BCP will enhance internal credibility (with employees) and external credibility and goodwill (with regulators, stockholders, customers, suppliers and the community at large). In today's legal landscape, it is clear that senior managers, officers and directors have an affirmative obligation to take a substantive role in a company's BCP planning and actively participate in the frequent and regular testing and exercising of a company's plan.

A business continuity program helps an organization prepare for future incidents that could disrupt the organization's core mission and critical functions and, thereby, jeopardize the long-term health of the organization. The program consists of several components, including written plans, physical security, mission critical systems redundancy, identification of key employees, succession rules, reliable emergency communications, alternative secure locations and regular tests and exercises.

A robust BCP will help ensure the continuity of a company's operations regardless of the hazard. It is not optional. Rather, the responsibilities of a company--and the duties of a company's senior managers, officers and directors--are often heightened and tested during times of crisis. If you are just starting to figure things out at that point, then it's too late.

Traditionally, neither the CEO nor the board of directors had participated in BCP planning. However, the Sept. 11, 2001, terrorist attacks elevated crisis planning to the CEO level. Accordingly, corporate leaders must now plan for disruptions and crises resulting from events that may be construed by courts as "foreseeable." And unfortunately, in a post-Sept. 11, post-Hurricane Katrina and avian influenza-threatened world, this category of unforeseeable events becomes narrower every day. Guess what? If Jack Bauer on 24 has to deal with it, it's foreseeable!

Thanks to a number of organizations and the U.S. federal government, the Internet is host to a collection of helpful resources. The National Fire Protection Association (NFPA) is a nonprofit organization established in 1896, with more than 81,000 members representing some 100 nations. Among other things, it develops consensus codes and standards that address hazard reductions and that are developed through an extensive peer-review process involving representatives from the public and private sectors.

The NFPA 1600 standards encompass disaster/emergency management and business continuity programs. These standards were endorsed by the American National Standards Institute and the U.S. Department of Homeland Security. The NFPA 1600 standards define business continuity as "an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing and maintenance." It provides an "all hazards" approach (identifying over 45 categories of hazards like pandemic disease, cyber-attack, flood and biological agent attack) and establishes a common set of criteria for disaster management, emergency management and business continuity. The standards provide the criteria to assess current programs and to develop, implement and maintain a program to mitigate, prepare for, respond to and recover from disasters.

Though these standards are voluntary "best practices," they may ultimately spark creation of a regulatory scheme, which could have significant impact on the private sector. Indeed, the importance of BCP was acknowledged in new federal law. Last August, H.R.1, Implementing Recommendations of the 9/11 Commission Act of 2007, was signed into law by the president, and one subsection on Private Sector Preparedness encourages the use of business continuity and disaster recovery standards. This new law specifically cites the NFPA's code and calls for the development of a private sector preparedness accreditation and certification program, which would be used to certify the preparedness of private sector organizations.

In September 2004, the U.S. Department of Homeland Security launched its Ready Campaign. This includes Ready Business, which outlines common sense measures that business owners and managers can implement and provides practical steps and templates to help companies plan for the future. Using the 2008 new year as a springboard, the department is renewing its efforts for readiness. During a speech in December 2007, Homeland Security Secretary Michael Chertoff offered the following advice: "Having a plan can make all the difference. ... The time for individuals, families and businesses to plan is now, and to resolve to make readiness a priority for 2008."

Senior management's involvement is critical. Senior managers have the required level of expertise, knowledge of the company and ability to identify resources from all of its key functional areas. Still, third-party advice and validation is essential to ensure compliance with standards and keep the company ahead of the regulatory curve. Internal BCP compliance reviews that are supported by outside experts are just as important as internal reviews to ensure compliance with the Sarbanes-Oxley Act and the Foreign Corrupt Practices Act.

BCP compliance reviews that involve third-party validation will help senior management satisfy its duty of care to plan appropriately for business continuity, and thereby shield officers and directors from personal liability and enhance a company's ability to mitigate, regardless of the hazard. It is only a matter of time before Washington legislates how BCP is done. Don't become a test case by failing to get ahead of the curve.

Corporate America should heed Chertoff's advice that "having a plan can make all the difference." Maintaining your company's preparedness is not something that can fall by the wayside, and your senior managers, officers and directors must take an active and substantive role in BCP to ensure the long-term health of your organization.

-=-

Scott Louis Weber is a partner in the law firm of Patton Boggs and is a former senior counselor to the secretary in the Department of Homeland Security.