
Business Continuity Planning Standards: A Search for Normalcy

By Ashley Moore, amoore@domprep.com

Anteon Corp. CBRNE Technical Director

"Acceptance of prevailing standards often means we have no standards of our own." -- Jean Toomer (1894-1967), US author and poet

What is a standard? More specifically, what is a Business Continuity (BC) standard? In general, standards provide preparedness models that private-sector organizations can use as the basis for their own "internal" organizational standards. In most cases they are voluntary, which usually removes the need for "regulatory" standards.

Most current process-oriented preparedness standards, such as the one prescribed for Business Continuity and Contingency Planning (BCCP), are voluntary, unless corporate leadership has adopted them as mandatory internal policy. By contrast, most "life safety codes" (fire and building codes, for example) are regulatory standards. It is possible that some all-encompassing regulatory standard could be developed for buildings that serve as business headquarters, where people are employed to produce some viable output. Creating regulatory mandates for businesses might well pressure insurance companies, real estate owners, and the banking industry to become more directly involved in a balanced investment in BCCP.

Business interruptions range from catastrophic natural disasters such as the December 2004 Indian Ocean tsunami, to acts of terrorism such as the attacks on the World Trade Center, to technological failures such as the Great Northeast Blackout of 14 August 2003. Businesses providing services therefore need a broader view and understanding of BC standards. Consequently, the services they support or produce must be recoverable within a narrow window of time so as not to worsen the economic loss. BCCP standard developers could have used this momentum to force the development of a regulatory standard. However, U.S. history shows that legislative and/or regulatory changes are mandated only when the country is faced with, or has just experienced, a major catastrophe, the attacks on the World Trade Center and the Pentagon being the obvious examples. Fortunately, a National Fire Protection Association (NFPA) standard, NFPA 1600 (Standard on Disaster/Emergency Management and Business Continuity Programs), was already in place.

NFPA 1600 leads off with a strong and clear assertion: "NFPA has no power, nor does it undertake, to police or enforce compliance with the contents of this document. Nor does the NFPA list, certify, test, or inspect products, designs, or installations for compliance with this document. Any certification or other statement of compliance with the requirements of this document shall not be attributable to the NFPA and is solely the responsibility of the certifier or maker of the statement."

Nonetheless, an interesting twist occurred in late April of last year at a Homeland Security Standards Panel meeting of the American National Standards Institute (ANSI). During that meeting, a recommendation was made that the "federal government" adopt standards consistent with NFPA 1600. Left unanswered was the important question of which department or agency was qualified to, or would, develop the staff, establish the policy, and manage a Business Continuity/Disaster Recovery Planning and Management program or process. Some agency or component of the U.S. Department of Homeland Security (DHS) seemed the most likely answer, and would be consistent with an August 2004 Brookings Institution recommendation that DHS have an under secretary for policy. Creating such a standard might well become one of the top ten items on that official's working agenda.

The need for workable standards also was addressed in the final report of the 9/11 Commission, which recommended that ANSI develop a “National Standard for Preparedness” for private-sector businesses to consider in making their own plans for emergency preparedness and its potential effects on business continuity. In response, ANSI assembled subject matter experts from the safety, security, and business continuity professions, as well as from industries and associations, and federal, state, and local government communities of interest.

This extraordinary gathering of minds resulted in ANSI's recommendation that the Commission endorse the existing American National Standard on Disaster/Emergency Management and Business Continuity Programs, i.e., NFPA 1600, as strictly "voluntary." Embedded in the Commission's report was the following comment: "Private-sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. It is ignored at a tremendous potential cost in lives, money, and national security."

The Art of War and Business Continuity

A number of forward-thinking public and private-sector agencies and organizations take very seriously the need for development, program implementation, and compliance oversight of Business Continuity "regulatory" standards. In particular, the following have tackled the challenge with determination: the Department of the Treasury, the Internal Revenue Service, the New York Stock Exchange, the National Association of Securities Dealers (NASD), and the International Organization for Standardization (ISO). Following are capsule summaries of what they have done:

Department of the Treasury: In December 2004, the department produced a report on "Improving Business Continuity in the Financial Services Sector." The report documents ChicagoFIRST, a select regional coalition of financial institutions and local government organizations in Chicago. According to its mission statement, this collaborative effort came together to strengthen Chicago's financial services sector and establish the framework to coordinate with local, state, and federal government agencies in the event of a natural or manmade crisis.

ChicagoFIRST also defined certain prerequisites for success, and provided this motivating conclusion: "By following the steps to adapt and apply the model, similarly healthy, robust communities can evolve elsewhere. These communities will strengthen the resiliency of the financial services industry as a whole."

The Treasury report is available at http://www.treas.gov/press/releases/reports/chicagofirst_handbook.pdf

New York Stock Exchange: In a memo dated 3 May 2004, the New York Stock Exchange distributed NYSE Rule 446, Business Continuity Plans, to all members and member organizations. The rule states, among its general requirements, that members and member organizations "must" establish and maintain Business Continuity Plans (BCPs) addressing an emergency or significant business disruption. Rule 446(a) also requires that a member's or member organization's BCP be reasonably designed to enable it to meet existing obligations to customers and to address existing relationships with other broker-dealers and counterparties.

The rule also provides the necessary framework for BCPs, which must address, but are not limited to, the following:

  • Annual Review of BCPs
  • Minimum Requirements of a BCP
  • Mission-Critical Systems and Back-Up for Such Systems
  • Critical Constituent, Bank, and Counter-Party Impact
  • Data Back-Up and Recovery (Hard Copy and Electronic)
  • Prompt Access to Funds
  • Disclosure Provisions
  • Corporate-Wide BCPs
  • Financial and Operational Risk Assessments
  • Emergency Contact Information
  • Implementation Dates

The NYSE rule is available at http://www.sec.gov/rules/sro/34-46443.htm

National Association of Securities Dealers: In April 2004, the association issued to its members Rule 3510, "Business Continuity Plans," and Rule 3520, "Emergency Contacts." NASD members now are required to establish emergency preparedness plans and procedures. Rule 3510 requires each member to create and maintain a business continuity plan and enumerates certain requirements that each plan must address. The rule further requires members to update their business continuity plans upon any material change and, at a minimum, to conduct an annual review of their plans. Each member also must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. Rule 3520 requires members to designate two emergency contact persons and to provide this information to NASD electronically.

The NASD rules are available at http://www.nasdr.com/business_continuity_planning.asp

The International Connection

It should be obvious that attaching a regulatory standard to something that is internationally understood changes the entire perspective of the conversation and its outcome, as happens, for example, when money and information technology are connected within the global economic mainstream.

A good example is ISO/IEC 17799, a Code of Practice for Information Security Management issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This international standard sets out how businesses should manage their information security requirements. The document is copyrighted by BSI and ISO/IEC. ISO 17799 primarily covers the platforms for IT security and Business Continuity Management; the U.S. position is strongly in favor of the major revision of the document that is currently underway. Business Continuity and Contingency Planning (BCCP) standards play a major role in ISO 17799. Under it, IT disruptions and BCCP processes are examined in a business continuity management audit, which incorporates, in a top-down manner, the continuity requirements of critical business processes and ensures that those processes and the resources that support them remain available when a catastrophic event occurs.

A comparison of NYSE Rule 446, SOX, Basel II, and ISO 17799 shows the different approaches taken by different organizations to encourage and ensure business continuity. Rule 446 is all about corporate image; it demands that NYSE members have viable and functional BCCPs. Its predecessor, Disaster Recovery Planning, was a primitive form of BC planning that derived from the Y2K period and focused primarily on the potential failure of technology. The most viable Business Continuity standards, by contrast, are built on the full continuum of business processes, people, resources, communications, and other variables.

Sarbanes-Oxley (SOX), which applies to all public corporations in America, and Basel II, which pertains to financial institutions in more than 100 countries, will be in effect in 2006. Because all of the top 20 U.S. banks and financial institutions with locations in the European Union must comply with SOX and Basel II, their U.S. clients are affected by these rules as well. This ties back into Rule 446, which, along with SOX and Basel II, demands BCP/DRP/Operational Risk Management in accordance with the ISO 17799 (BS 7799) standard on a worldwide scale. The standard is available at http://www.iso.ch/iso/en/

A final point, concerning a possible Homeland Security Presidential Directive (HSPD-XX, National Business Continuity and Contingency Preparedness Planning), also might be relevant. Andy Rooney, a CBS commentator, once stated, "Don't rule out working with your hands. It does not preclude using your head." In a global economy, it may be time for the United States to change its position and accept what the rest of the world is no longer taking for granted. In the cornucopia of plausible disasters and the new age of transnational terrorism, horrible events are going to happen, and they will likely have local, regional, and even international economic implications. That means the time may have come to establish a National Regulatory Standard for Business Continuity and Contingency Planning.