[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Prepare For The Next Disaster


By Scott Louis Weber 

The private sector owns 85% of this country's critical infrastructure, 
and the government simply cannot protect it all, nor should it be 
expected to. So this year, the most important resolution any corporate 
executive can make is to develop, maintain and test its own business 
continuity program, or "BCP."

A well-designed BCP will enhance internal credibility (with employees) 
and external credibility and goodwill (with regulators, stockholders, 
customers, suppliers and the community at large). In today's legal 
landscape, it is clear that senior managers, officers and directors have 
an affirmative obligation to take a substantive role in a company's BCP 
planning and actively participate in the frequent and regular testing 
and exercising of a company's plan.

A business continuity program helps an organization prepare for future 
incidents that could disrupt the organization's core mission and 
critical functions and, thereby, jeopardize the long-term health of the 

The program consists of several components, including written plans, 
physical security, mission critical systems redundancy, identification 
of key employees, succession rules, reliable emergency communications, 
alternative secure locations and regular tests and exercises. A robust 
BCP will help ensure the continuity of a company's operations regardless 
of the hazard. It is not optional. Rather, the responsibilities of a 
company--and the duties of a company's senior managers, officers and 
directors--are often heightened and tested during times of crisis. If 
you are just starting to figure things out at that point, then it's too 

Traditionally, neither the CEO nor the board of directors had 
participated in BCP planning. However, the Sept. 11, 2001, terrorist 
attacks elevated crisis planning to the CEO level. Accordingly, 
corporate leaders must now plan for disruptions and crises resulting 
from events that may be construed by courts as "foreseeable." And 
unfortunately, in a post-Sept. 11, post-Hurricane Katrina and avian 
influenza-threatened world, this category of unforeseeable events 
becomes narrower every day. Guess what? If Jack Bauer on 24 has to deal 
with it, it's foreseeable!

Thanks to a number of organizations and the U.S. federal government, the 
Internet is host to a collection of helpful resources.

The National Fire Protection Association (NFPA) is a nonprofit 
organization established in 1896, with more than 81,000 members 
representing some 100 nations. Among other things, it develops consensus 
codes and standards that address hazard reductions and that are 
developed through an extensive peer-review process involving 
representatives from the public and private sectors. The NFPA 1600 
standards encompass disaster/emergency management and business 
continuity programs. These standards were endorsed by the American 
National Standards Institute and the U.S. Department of Homeland 

The NFPA 1600 standards define business continuity as "an ongoing 
process supported by senior management and funded to ensure that the 
necessary steps are taken to identify the impact of potential losses, 
maintain viable recovery strategies and recovery plans, and ensure 
continuity of services through personnel training, plan testing and 
maintenance." It provides an "all hazards" approach (identifying over 45 
categories of hazards like pandemic disease, cyber-attack, flood and 
biological agent attack) and establishes a common set of criteria for 
disaster management, emergency management and business continuity. The 
standards provide the criteria to assess current programs and to 
develop, implement and maintain a program to mitigate, prepare for, 
respond to and recover from disasters.

Though these standards are voluntary "best practices," they may 
ultimately spark creation of a regulatory scheme, which could have 
significant impact on the private sector. Indeed, the importance of BCP 
was acknowledged in new federal law. Last August, H.R.1, Implementing 
Recommendations of the 9/11 Commission Act of 2007 was signed into law 
by the president, and one subsection on Private Sector Preparedness 
encourages the use of business continuity and disaster recovery 
standards. This new law specifically cites the NFPA's code and calls for 
the development of a private sector preparedness accreditation and 
certification program, which would be used to certify the preparedness 
of private sector organizations.

In September 2004, the U.S. Department of Homeland Security launched its 
Ready Campaign. This includes Ready Business, which outlines common 
sense measures that business owners and managers can implement and 
provides practical steps and templates to help companies plan for the 

Using the 2008 new year as a springboard, the department is renewing its 
efforts for readiness. During a speech in December 2007, Homeland 
Security Secretary Michael Chertoff offered the following advice: 
"Having a plan can make all the difference. ... The time for 
individuals, families and businesses to plan is now, and to resolve to 
make readiness a priority for 2008."

Senior management's involvement is critical. Senior managers have the 
required level of expertise, knowledge of the company and ability to 
identify resources from all of its key functional areas. Still, 
third-party advice and validation is essential to ensure compliance with 
standards and keep the company ahead of the regulatory curve.

Internal BCP compliance reviews that are supported by outside experts 
are just as important as internal reviews to ensure compliance with the 
Sarbanes-Oxley Act and the Foreign Corrupt Practices Act. BCP compliance 
reviews that involve third-party validation will help senior management 
satisfy its duty of care to plan appropriately for business continuity, 
and thereby shield officers and directors from personal liability and 
enhance a company's ability to mitigate, regardless of the hazard.

It is only a matter of time before Washington legislates how BCP is 
done. Don't become a test case by failing to get ahead of the curve. 
Corporate America should heed Chertoff's advice that "having a plan can 
make all the difference." Maintaining your company's preparedness is not 
something that can fall by the wayside, and your senior managers, 
officers and directors must take an active and substantive role in BCP 
to ensure the long-term health of your organization.


Scott Louis Weber is a partner in the law firm of Patton Boggs and is a 
former senior counselor to the secretary in the Department of Homeland 

Subscribe to InfoSec News