Business Continuity Planning
for Banks and Credit Unions
20 Nov 2008

Why You Need A Business Continuity Plan

Your institution may be as sound as the dollar. But a disaster can hit you and your clients hard. Ask any firm housed in or near the World Trade Centre on September 11, 2001.

The 9/11 attacks cost the local economy more than $80 billion.

Some 97,500 jobs were lost. Less than half will be recovered by the end of 2003.

Business Continuity Planning (BCP) is a necessity for financial institutions doing business in today's uncertain world:

  • You are all but required by law to set up a Business Continuity Plan;

  • Your institution may fail without a Business Continuity Plan;

  • Proper planning protects your directors from liability and your investors from financial loss; and

  • Disasters happen. They are a very real risk to the operation of your business.

Recovery Planning and the Law:
Sarbanes-Oxley and More

It is becoming increasingly clear that you will be legally bound to ensure your firm has a plan in place to help it recover when disaster strikes. This is especially true with the advent of the Sarbanes-Oxley Act, which tightens the rules that govern corporations and ensures that the heads of those corporations follow the rules.

Under Sarbanes-Oxley, the CIO of a firm has become a key player because it is his job to make sure that IT meets process and internal control requirements. In particular, Section 409 of the Act appears to require real-time reporting of critical information that could affect the performance of a corporation:

"Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest."

Planning, reporting, and IT requirements have become crucial, not just for corporate survival but also for making sure you play by the rules of the game. Their continued operation must be protected.

Sarbanes-Oxley is only the most recent of many regulations strongly encouraging corporations to be prepared if disaster strikes. Several others are listed below.

| Sector | Legislation | Requirements |
|---|---|---|
| Medical | HIPAA Regulations | Regulations covering electronic security and transmission of patient records. A documented, tested business continuity plan is required. |
| Financial Services & Banking | FFIEC FIL-67-97 | Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus. |
| | Comptroller of Currency BC-177 (1983, 1987) superseded by FFIEC and Federal Home Loan Bank Bulletin R-67 (1986) superseded by FFIEC | Requires banking institutions to develop and maintain Business Recovery Plans. |
| | Inter-Agency Policy from Federal Financial Institutions Examination Council (FFIEC - 1989, revised and made stronger 1997) | Requires business wide resumption planning and extends regulation to require contingency plans from any service bureaus or outsourcing companies which service such banks. |
| Public Companies | SEC Regulations | "Reasonable safeguards for information" - Board of Directors and senior management will be accountable. |
| | Foreign Corrupt Practices Act (1977) | Requires that publicly-held corporations provide "reasonable protection for information systems" and holds management accountable. |
| All Companies | IRS Procedure 86-19 | Legal backup and recovery requirements for computer records containing tax data. |
| eCommerce Transactions | Consumer Credit Protection Act (CCPA) section 2001 Title IX (1992) | Due Diligence for availability of data in Electronic Funds Transfers including Point of Sale. |
| Federal Government | Computer Security Act | Requires security plans for all federal computer systems to assure data integrity, availability, and confidentiality. |
| | FEMA FRPG 01-94 | All department and agency heads must formally plan for continuity of essential operations. |
| State Governments | Various State Departments of Administrative Services Policies, e.g., Texas, (1 TAC 210.13(b)), Oregon’s Dept. of Information Resources (ORS 291.038) | Policies assigning responsibility for contingency planning within state agencies. |

Legislative Requirements for Business Continuity and Business Continuity Planning

A Disaster May Wipe Out Your Institution

An institution that is unprepared for a disaster will be struck down hard if one strikes. For example:

  • Some 70% of businesses fail within a year following a major IT disaster, if they do not have a valid recovery plan in place;
  • Of those that do survive only 10% make a full recovery; and
  • Without a plan, recovery is slower, resulting in loss of clients, sales revenue and shareholder confidence.

Protecting Your Directors and Investors

If your institution is not prepared for disaster when it strikes, your directors may be liable for failing to do their duty. A proper plan will protect them and clearly show that no matter what the outcome, they did their job.

Minimizing the impact of a disaster and ensuring that your institution is back in operation as soon as possible will ease the loss felt by investors. Just knowing a plan is in place will also encourage them to continue to support the firm.

You Cannot Escape Disaster

Disasters happen.

  • North America's largest blackout, August 2003;
  • Devastating computer worms, 2003;
  • Hurricane Isabel, Summer 2003; and
  • SARS-related quarantines shut down businesses worldwide, 2003.

Each of these hit unprepared firms hard. And they are only a few of the disasters that could strike at any time:

  • Storm
  • Fire
  • Employee strike
  • Tornado
  • Hurricane
  • Flood
  • Malicious employee sabotage
  • Hardware failure
  • Software failure
  • Virus
  • Theft

Any one of these could bring your institution and your clients down unless you have a thorough and tested strategy of recovery.

"Repeated acts of terrorism on American soil are almost certain to occur in the future. Corporations must now prepare for an expanded scope of risks."

B.T. Blythe & T. Butler,
Contingency Planning and Management Magazine, July/August 2003.

Where Do You Start?

You need a Business Continuity Plan. But where do you start?

First of all, recognize that the goals of a good Business Continuity Plan are to help your institution survive a disaster and get back to business in a reasonable time. The Plan must therefore:

  • Identify where the weaknesses are and set up a program to try and prevent them;
  • Minimize the length of time that business operations would be seriously disrupted;
  • Help to co-ordinate all the recovery tasks; and
  • Make the recovery effort as uncomplicated as possible.

Secondly, the strategies in the Plan must:

  • Ensure management knows that a total effort is needed to develop and maintain an effective plan;
  • Have management support and take part in this effort;
  • Define your recovery requirements in terms of business functions;
  • Document the impact of an extended loss of operations and key business functions;
  • Focus on preventing a disaster and minimizing its impact as well as business recovery;
  • Select teams that will give you the balance needed to develop a proper plan;
  • Develop a continuity plan that is easy to set up and maintain; and
  • Define how to integrate continuity planning issues into ongoing business planning and system development processes to ensure the plan is viable over time.

Senior personnel from Information Systems and user areas must be involved to make the planning process work.

Finally, use the right tools for the job. This will help you to cover all contingencies as much as possible and minimize the impact of a disaster on your company.

Want More Information?

If you have any questions about business continuity planning, contact us.