SUSAN RODETIS is a freelance journalist based in New York City. Her stories have appeared in Mutual Funds, International Global Risk Manager, Financial Trader and EQUITIES. Her e-mail address is firstname.lastname@example.org.
Hurricane George, an ice storm, a strike, a bomb, Web site failure, a network problem, communication cables catch fire and disable your data center for days.
An unsuspecting company could experience any of these. Many already have. As a result, business continuity planning (BCP), a high-profile, mission-critical task that attracts the attention of the CEO, the CFO and the board of directors, has supplanted what used to be called disaster recovery planning, which fell under the umbrella of building security or human resources. BCP is, at heart, a form of risk management. CPAs have the skills to take it on and might do well to get involved with BCP projects within their companies or for their clients. CPAs and other financial executives involved in BCP from all parts of the country were interviewed for this article.
"After the Oklahoma City bombing, 40 square blocks were barricaded off for weeks," says Mary Carrido, president of Irvine, California-based continuity planning consultant MLC & Associates and national chairwoman of the 1,800-member Association of Contingency Planners (ACP; www.acp-international.com). "This devastated 4,000 businesses; 210 are not in existence anymore."
Insurance industry statistics show the number of man-made and natural disasters has increased. With the news media flashing disaster reports, regulators demanding that companies take preventive measures against the millennium bug and the reliability questions introduced by electric utility deregulation, more executives are realizing, "This could happen to me. And it could hurt."
Gauging the damage that disasters or other disruptions may cause to plant and equipment is only one aspect of preparedness. Other costly problems could follow: Relocation, repairs, regenerating lost data and replacing lost business income all take time, money and other resources. Intangible assets may be impaired as well. A business interruption can cause a company to lose market share, image and credibility; reduce customer satisfaction or brand value; damage research data; or strain relationships with suppliers or alliance partners. One-time events may also divert management and employees from normal core business pursuits, altering routines in ways that reduce efficiency or allow less dramatic problems to fester. "Professional service companies are starting to appreciate and protect the intellectual capital of a business," explains Pat McAnally, director of marketing at SunGard Planning Solutions in Wayne, Pennsylvania.
The year 2000 computer issue, a specialized kind of foreseeable disaster, has caused managers to think more about risk mitigation. Y2K issues have raised contingency planning awareness by government agencies such as the SEC, too. Corporate responsibilities to stockholders, employees, customers and the communities the company operates in have been on managers' minds. The ever-present threat of expensive shareholder lawsuits has added weight to management concerns.
A company without a continuity plan, or with an ineffective one, may not be meeting its statutory obligations; corporate managers or directors may be legally responsible for overseeing BCP. For example, the Foreign Corrupt Practices Act of 1977, while primarily directed at preventing bribery, also requires that company assets, including business records, be maintained and protected. Lifeline providers, such as hospitals, utilities, financial service firms, public works and airports, operate under regulatory mandates requiring BCP, as auditors know. Bankers are familiar with rules at the Federal Financial Institutions Examination Council and the Federal Deposit Insurance Corp. "Contingency plans are also a regular part of requirements by the Office of the Comptroller of the Currency," says SunGard's McAnally.
CREATING A CONTINUITY PLAN
Financial executives trained as CPAs and auditors, as well as CPAs in public practice consulting to business clients, have the skills and background to assist in or supervise the creation of a continuity plan. Corporate CPAs are likely to know who in the company to bring together to compile, test, and amend the plan.
The goal of BCP is to preserve and protect the essential elements of an enterprise and maintain an acceptable level of operations throughout a crisis and afterward, as the company recovers. It’s always easier to minimize risk than to recover from a setback. People with experience planning audits know how to identify an enterprise's areas of greatest financial vulnerability. Those who prepare financial statements know that failure to identify risks correctly can have financial consequences severe enough to put a company out of business. So it is only a small stretch, mostly common sense, to identify the people who can suggest measures to minimize those risks and to document those measures in the detail that is second nature to accountants.
WORDS OF CAUTION
Kenneth Brill, a computer disaster prevention consultant at ComputerSite Engineering in Santa Fe, New Mexico, says that people can also be the weakest link. To ensure effective continuity planning, top management must support the project. When the top execs of a company have bought in and championed the process, the continuity plan is far more likely to work.
Electric power failed for one million people within 49 square miles of San Francisco Peninsula at 8:17 A.M. on December 8, 1998. Human error was the culprit: A utility crew inadvertently mishandled a ground wire during substation repairs.
The city coped reasonably well. Traffic moved haltingly through nonworking intersection lights. Tunnels were eventually cleared of traffic stopped in the confusion. Hospital backup power worked.
Kenneth G. Brill, a computer disaster prevention consultant who has done trouble-shooting at hundreds of sites, happened to be at an engineering company's offices. "The telephone PBX system went out immediately," Brill said. Backup batteries failed, perhaps because they were never serviced. Calls could not be made or received over public lines. Employees jumped to cellular phones. Wrong move.
That network overloaded and gridlocked and was out for the entire power loss. Several old-fashioned phones were finally unearthed and connected to the outside world via analog fax lines. "Virtually every BC plan I know depends on the cellular network as a backup," Brill remarked. "That's a fallacious assumption if the problem's regional, and peak carrier capacity is unconfirmed."
The company's emergency generator failed to start. Hallways remained dark. Building occupants groped their way downstairs from upper floors. Says Brill, "We did have flashlights, but they were inadequate for the duration of the power failure. And there were not enough of them."
People were trapped in elevators. After delays, the elevator doors were opened manually, but rescuers still had to cope with darkness and yawning elevator shafts. "I kept trying to calm one young woman stuck between floors, telling her we were there but couldn't get to her," said Brill. Bottom line: The company's 20 people were eventually safe, but they were idled for the rest of the day.
Tales of lost business abounded in San Francisco that day. Merchants couldn't ring up purchases on computerized registers, which were locked shut. Pacific Stock Exchange computers failed, lacking an outside source of auxiliary power. One radio station was knocked off the air. Power was completely restored to the Bay area within 7 hours, thankfully, without major safety problems or emergencies.
Answer honestly: How soon will you rethink and test your business continuity plan? This writer has seen the light: My number one priority is to use a long-idled disk backup system.
Common mistakes in designing BC plans include not asking the tough questions or failing to give honest answers. "It's easy to gamble and play Russian roulette," quips Rick Roller, computing disaster preparedness manager for the Boeing Co. in Seattle and director of chapter services for the ACP. He recommends ample interaction between continuity planners and information technology (IT) people throughout the planning process.
Bill McCoy, a Soddy Daisy, Tennessee-based consultant, also recommends auditor/IT discussion. Otherwise, auditors and accountants may have a tough time keeping up with the rapid pace of technological change, as a great deal of specific knowledge is required to make judgment calls in the BCP process, he says.
However, financial executives should be careful not to shift responsibility for continuity planning onto technical people, who can be more interested in saving devices than saving data or resurrecting processes, cautions Deloitte & Touche, LLP's New Canaan, Connecticut-based BCP specialist William H. Murray, certified information systems security professional. "The techies don't always have enough perspective on what drives corporate profitability to know what to protect," he says. Financial people usually do. In fact, Murray says, accountants may be the only ones who can do it.
A NATURAL EVOLUTION
BCP's precursor, disaster recovery planning, focused on tangible assets such as backing up data, securing copies and spare equipment off-site and other techniques relying on redundancy. Contemporary BCP takes a more organic view by focusing on the processes, networks, flows, procedures and affiliations essential for an organization's survival and ongoing prosperity. Now, planners are likely to report to chief information officers and/or controllers and CFOs and are charged with maintaining the viability of intangible assets, not just bricks and mortar.
For instance, in 1993 the Federal Emergency Management Agency (FEMA; www.fema.org) began to pay more attention to protecting people and property rather than to cleaning up after the unthinkable had happened. "This culminated in the disaster-resistant-community concept," says FEMA's Atlanta regional director John Copenhaver. To reduce the scope of future catastrophes, FEMA recently launched a new nationwide initiative, Project Impact, based on broad-scope, commonsense planning and prevention. Copenhaver often sees companies that have compartmentalized their plans and missed internal and external interdependencies. Organizations need to coordinate emergency planning with local authorities on such issues as traffic flow or which hospitals to take injured people to if necessary.
THE WIDENING DEPENDENCY CIRCLE
Close relationships between customers and suppliers are now common. Consequently, the scope of continuity plans has widened to embrace relationships up and down the supply chain. Outsourcing also increases interdependencies. Just-in-time inventory brings hair-trigger reliance on uninterrupted delivery. A disruption anywhere in the supply chain can have repercussions at dozens of companies. When customers and vendors rely on their business associates and partners to this extent, they may even write into their contracts stiff penalties for failure to deliver on time. Intimately linked businesses should coordinate their BC plans with customers and suppliers.
E-commerce introduces its own new vulnerabilities. Even companies that don’t sell over the Internet are bound up and down the supply chain with intranets, extranets or other electronic ties to suppliers, customers and regulatory agencies. Add exposure to intrusions and potential leaks of sensitive data used in e-commerce, and it is clear why continuity plans must take these technologies into consideration.
GLOSSARY OF BCP BUILDING BLOCKS
Impact analysis: Defines the scope and depth of what really happens within an organization when a business interruption or disaster occurs, with a focus on financial, business and operational systems.
Physical assessment: Identifies and quantifies a company's real assets (buildings, equipment, data, supporting utilities) and determines in what sequence and at what pace they are normally used; looks at how these might be affected by a disaster and evaluates alternatives available to replace them in an emergency.
Strategizing: Looks into the relationships between corporate functions and systems, ranks their importance and assesses their scope and effect on the company's business; allocates corporate resources and attention according to these priorities.
Plan development: Creates an integrated plan for recovering from a disaster or business interruption affecting all or parts of an organization.
Training: Fosters employee and management awareness of BCP; teaches personnel how to keep the plan current, how to test it and how to actually use it.
Testing or exercising: Runs parts or all of a plan in real time under simulated need, correcting any errors found and refining details to ensure smooth execution.
Updating: Assesses ongoing needs, with review frequency ranging from almost constant for critical, rapidly changing parts of a business to annual for simpler, more mature, steady-state businesses.
Maintenance: Keeps up the assets a company needs to conduct business in an emergency and plans for that maintenance as well as for ongoing upkeep of the BC plan itself.
Mitigation: Prevents or moderates disruptions by improving safety, applying common sense and designing and planning in advance of emergencies.
DESIGNING THE BC PLAN
With proliferating exposure, every company needs to do some advance planning. The BCP process begins with identification and management of risk. A workable plan may be as short as a few pages, relying, of course, on multiple data sets as backup. A thorough plan often takes six months to two years to develop, depending on the size of the organization.
The most critical question to ask about a BC plan is: Does it really work under fire? Because the selection of elements to include in a continuity plan is subjective, oversights are common. Better to test and find out about them before disaster strikes. Disturbingly, a recent study by KPMG, LLP, found nearly 40% of respondents either lacked business continuity plans or had not tested theirs within the last six months. Nearly three quarters of those with untested network plans said the loss of that network would cause critical or very severe business disruptions. Similar results emerged from an InformationWeek /Ernst & Young survey. While a higher percentage of respondents in that survey had plans, more than half were either untested or were tested only every two years.
The building blocks of a strong continuity plan include impact analysis, physical assessments, strategizing, plan development and training, testing, updating, maintenance and mitigation. (See Glossary of BCP Building Blocks.) For some financial managers, these may be new ways of looking at top-level issues, new decision trees that weigh and compare business needs and processes in novel ways.
Insurance Is Not Enough
Insurance coverage, while an essential part of risk mitigation, is really incidental to a recovery plan. A payment received a year after a company has gone out of business is small consolation; it is the supply lines, information flow and speed with which processes are rerouted that keep a business going after a disaster.
Primary underwritten coverage is available for business interruption and extra expenses. The former reimburses for lost revenue streams, while the latter handles extraordinary expenses incurred restoring a company’s business. In either case, the deductibles are usually high. Kurt Edfast, associate manager at Great West Life Assurance in Englewood, Colorado, sees policies with deductibles as high as tens of millions of dollars.
Insurers reward companies that reduce the probability and severity of losses with solid contingency plans and risk mitigation procedures. "I've seen savings up to 20%," says Michael C. Redmond, senior manager at Deloitte & Touche's enterprise risk services in New York.
However, discounts depend on a plan's perceived and tested quality, relationships with insurers and how well the plan is communicated. If an insurer doesn't ask to see a company's continuity plan, the person purchasing the policy should bring the subject up. It can't hurt, and it could lower premiums significantly. To get credit for a solid plan, Redmond adds, it helps if the insurance company has its own BC plan. It's also prudent to pick such insurers for their higher likelihood of being there after some dread event of their own.
If a company falters after a disaster, directors and officers can be sued for negligence. A weak continuity plan can leave them very vulnerable. Even with a good plan, most corporate fiduciaries insist on indemnification. "But D&O [directors and officers] liability insurance has been harder to get, and rates are up," reports lawyer Peter Vogel of Gardere & Wynne in Dallas. As a computer transaction specialist, he finds that most disputes involving computers are litigated on fraud and negligence rather than breach of contract. That leaves fiduciaries with oversight responsibilities at risk.
Like Sisyphus's work, BCP is never finished; continuity plans must be living documents. For large or complex companies, the plan should be updated constantly and requires a full-time BCP specialist. Smaller companies typically update annually. But the frequency with which a company's plan is reviewed depends on the rate of change within the organization. ComputerSite Engineering's Brill recommends quarterly validation of continuity plans for dedicated data processing areas, where programs change frequently and data builds continuously.
Live From the Web
A huge number of domestic and international Web sites contain information on disaster planning and business continuity. A few searches will generate many useful pages of vendors, consultants, advice, backup facilities, articles and explanations. Major accounting firms' and consultants' sites generally maintain helpful, and sometimes extensive, material.
For the past three years, the Massachusetts Institute of Technology (MIT) has posted 40+ pages of its BC plan (web.mit.edu/security/www/pubplan.htm). Why? Jerry Isaacson, data security manager at MIT and the plan's author, explains, "We're an educational institution and thought it should be available as a resource."
Disaster specialist Factory Mutual, which supports insurance companies and provides BCP consulting services in property loss prevention to policyholders of three insurance company parents, also posts a fairly extensive continuity plan outline at www.factorymutual.com/disaster.htm.
Although BCP is generally a full-time job at large organizations, responsibility for it often lands atop other primary job functions. In such cases, consultants may be needed. "Vendors are used when a company lacks the expertise in-house or doesn't have the time available," explains Sam Lee at Chubb Services Consulting. This help is especially necessary if no one at headquarters is following up on continuity plans at branch locations.
A general guideline for hiring consultants, says specialty publisher Phillip Jan Rothstein, is that the consulting arms of the larger accounting firms tend to do soup-to-nuts, multiday work, while smaller, more specialized consultants often deal with specific parts and special projects.
No one checklist does justice to the creative, analytical and forward thinking required for a successful BC plan. Yet it is still helpful for CPAs and planners to check others' lists, plans and guidelines. Templates are available from software vendors to help design plans from the simplest to the most complicated. (See box for some examples.)
Industry associations are raising the level of professionalism with educational resources and accreditation. Rothstein, president of the largest BCP specialty book distributor, Rothstein Associates, in Brookfield, Connecticut (www.rothstein.com), says that in his customer base, accountants and auditors account for three times the number of book purchases they made only five years ago. He also notes growing BCP participation from business line managers, practitioners and senior management.
Just about all Fortune 500 companies have a dedicated continuity planning person, but midsize to small companies may not be devoting sufficient resources to continuity planning, BCP specialists say. As a whole, U.S. companies are levels ahead of their counterparts in Europe and Asia. Overseas subsidiaries of American companies often coattail on their U.S. parent’s business continuity plan.
"The U.S. public sector is standardizing planning processes and drilling that down to the local level; plus the Red Cross and FEMA provide tremendous education and materials," explains ACP's Carrido.
According to Rothstein, the financial services sector is on the leading edge in BCP. "They're more sophisticated and have a lot more at stake," he surmises. "After all, their product is information." He also sees more substantial continuity planning on the east and west coasts, areas hit hard by recent natural disasters. He points to manufacturing and distribution, and smaller governmental organizations, as economic sectors that may be behind the curve.
WHAT'S A CONCERNED CPA TO DO?
Accountants and auditors who want to participate or even head up the BCP in their companies need to be well educated about just what a comprehensive business continuity plan is. One way to get that education is to study BCP as part of ongoing professional education, advises Carrido. Industry associations, including the ACP, encourage certification, additional courses and broader offerings at educational institutions.
BCP Questions That Auditors
Data recovery veteran Bill McCoy, a consultant based in Soddy Daisy, Tennessee, advises on common BCP mistakes, some catchable in the audit process. These questions build on his mainframe experience at Chubb Corp. as the corporate disaster recovery coordinator who wrote the firm's original strategy for disaster recovery. They reflect real-life processes.
On-staff accountants might also help make a case at the board level for sufficient resources to proceed with BCP. The CPA/planner should focus on those things that are essential to the company's ability to resume business after a major disruption, instead of focusing on just having a plan for compliance. CPAs can add value to plans by improving assessments of the risk of potential losses and by quantifying the costs of business components, of a professional service interruption, or of repairing a damaged database. Auditors need to zero in on where value is added within a business and make sure those areas are fully covered by the continuity plan. The planning skills of a CPA can convert a perfunctory plan into a preeminent one.