1
WHY SHOULD YOUR BUSINESS PREPARE FOR A DISASTER?
This chapter contains a description of the types of disasters your company might experience and the potential financial and legal ramifications that could follow.
By the end of this chapter you will:
• Understand the importance of Business Continuity Planning
• Become aware of the potential interruptions that could affect your company's bottom line
• Understand what's at stake if you do not plan
• Understand the potential legal consequences of not planning
This book subscribes to the well-known rule, BE PREPARED! By planning ahead for an emergency you can help defend your business against irreparable damage or even total business failure. The time taken to plan for an emergency could be the best investment your company ever makes.
WHAT DISASTER MIGHT HIT YOU?
Disasters may occur at any time for many reasons. A Business Continuity Plan (BCP) must be in place to prevent or reduce the effects of disasters. According to The Disaster Recovery Institute International (www.drii.org), 93% of companies who experience a disaster without a recovery plan close within five years. Fifty percent of companies that lose critical business functions for more than ten days never recover. For Fortune 500 companies, business and system downtime costs an average of $96,000 per minute!
There are many types of disasters that can affect your company's bottom line. Do you have a Business Continuity Plan to manage your way through these?
| Equipment Failure | Fire | Hazardous Material Incident |
| Windstorms | Civil Disturbance | Extended Power Outage |
| Biological/Radiological Incident | Water Pipe Breakage | Communications Failure |
| Flooding | Earthquake | Explosion |
| Cyber Crime | Loss of Key Employees, Supplier or Customer | Transportation Accidents |
| Denied Access | Network Failure | Terrorist Attack |
If your answer is "yes," then take your plan out, dust it off and use this guide to assess and update your plan. If your answer is no, you are not alone and it is time to dig into this book and to begin protecting your company's assets.
IT'S TOO MUCH WORK! WHY SHOULDN'T WE JUST TAKE THE RISK?
Company management too often neglects disaster planning. The most common reasons are: lack of time and resources, lack of top management support, lack of money, too many causes of disasters to plan for effectively, little awareness of potential hazards, and lack of knowledge in developing a plan. We have all heard at least one of these reasons for not having a plan, but are any really good enough to risk the consequences of not being prepared?
Here's a simple test. Can you answer "yes" to all the following questions? If not, how would the repercussions affect your company's ability to remain in business?
1. Are you confident that you will manage through a disaster better than your competition? If not, how much business are you likely to lose?
2. Are you ensuring the safety of your personnel and customers? If not, could your legal liability put the company under?
3. Are you prepared to deal with the media, your stockholders and your employees when a disaster strikes?
4. Have you taken steps to eliminate or minimize the threat of fire, flooding, employee sabotage, cyber attack, etc.?
5. Are your company's vital records adequately protected?
The obvious reasons for planning, like avoiding financial ruin, maintaining market share and minimizing negative publicity, are important ones. But there is another convincing reason for Business Continuity Planning: avoiding potential legal problems.
LEGAL REASONS FOR HAVING A PLAN
Protecting the confidentiality, integrity and availability of a patient's medical information is no longer just a best practice for healthcare entities, but a legal requirement.
As passed by the United States Congress, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), PL 104-191, Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164, institutes administrative reforms that have been phased in over the period from 2000 through 2003. Of major importance in the HIPAA legislation is the issue of data and transaction standardization, a mandate very few healthcare providers can circumvent if they bill third parties for services provided to patients. The HIPAA regulations apply to "covered entities," groups that include health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form. The law also changes the way the "covered entities" have to protect the privacy of a patient's health information, and contains security procedures that must be followed to protect the integrity of a patient's health information. For more information on the Health Insurance Portability and Accountability Act of 1996 go to www.cms.hhs.gov/hipaa.
Other legal reasons for Business Continuity Planning and disaster recovery capability arise from laws, statutes or regulations that specifically require your business to have a disaster recovery plan. Contingency Planning and Research, Inc. categorized the applicable statutes into 5 areas. Each area is presented here, but the list is not intended by Contingency Planning and Research, Inc. to be all-inclusive:
• Contingency Planning Statutes: Apply to the development of plans to ensure the recoverability of critical systems. Example: Federal Financial Institutions Examination Council (FFIEC). The FFIEC guidelines replace previously issued Banking Circulars, BC-177, BC-226, etc.
• Liability Statutes: Establish levels of liability under the "Prudent Man Laws" for directors and officers of a corporation. Example: Foreign Corrupt Practices Act (FCPA).
• Life and Safety Statutes: Set out specific ordinances and standards for ensuring the protection of employees in the workplace. Examples: National Fire Protection Association (NFPA), Occupational Safety & Health Administration (OSHA).
• Risk Reduction Statutes: Stipulate areas of risk management required to reduce and/or mitigate the effects of a disaster. Example: Office of the Comptroller ("OCC"); Circular 235 and Thrift Bulletin 30.
• Security Statutes: Cover areas of computer fraud, abuse and misappropriation of computerized assets. Example: Federal Computer Security Act.
• Vital Records Management Statutes: Specifications for the retention and disposition of corporate electronic and hard-copy records. Example: IRS Records Retention requirements.
Statutory Example
The Federal Financial Institutions Examination Council (FFIEC), consisting of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, and the National Credit Union Administration, issued on May 20, 2003 revised guidance for examiners and financial institutions on business continuity planning. The FFIEC also issued guidance to bank examiners on the supervision of technology service providers. The guidance is contained in two booklets.
The Business Continuity Planning Booklet provides guidance and examination procedures to assist bank examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.
The Supervision of Technology Service Providers Booklet covers the supervision and examination of services performed for financial institutions by technology service providers. It outlines the agencies' risk-based supervision approach, the supervisory process, and the examination ratings used for technology service providers.
The guidance stresses that an institution's management and board of directors have the ultimate responsibility for ensuring outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.
These booklets represent the latest in a series of updates to the 1996 FFIEC Information Systems Examination Handbook. The FFIEC is updating the Handbook to address significant changes in technology since 1996 and to incorporate a risk-based examination approach. The updates are being issued in separate booklets that will ultimately replace all chapters of the Handbook and comprise the new FFIEC Information Technology Handbook.
The booklets are being distributed electronically and are available at www.ffiec.gov/guides.htm.
Determining Liability
Another legal reason is that most businesses have contracts with one another, and some may require that their suppliers perform, no matter what happens. Banks, manufacturers, insurance companies and other businesses are aware of the importance of Business Continuity Planning. These businesses obviously do not want to bite the dust if their suppliers fail to deliver after a disaster. So, review your contracts closely. If you provide services to another company, you may be required by contract to have a continuity plan that has been tested and proved reliable. Even if contracts include a "Force Majeure" clause limiting liability in extreme circumstances, you could still lose business partners, suppliers or clients.
Many attorneys know another reason as "common law." Common law grew out of court decisions and some very old laws. Many of the laws today regarding negligence and fiduciary responsibilities were assembled out of the common law.
In a common law instance, your company may have fiduciary obligations and "duties of care" to its shareholders and customers. Plaintiff...