January/February 2008
Focus: Compliance
The Effect of Business Continuity Management on Compliance Programs
By Mark T. Edmead, MBA, CISSP, CISA
Many regulations, such as Sarbanes-Oxley, NYSE 466, and Gramm-Leach-Bliley, require companies to develop, maintain, review and update business continuity and disaster recovery plans. For financial institutions, the proliferation of these regulations means that companies need to implement an integrated approach to business continuity. Compliance with these regulations has elevated the involvement of senior management. It also means that business continuity management (BCM) has moved from being an information security concern to becoming a necessary part of a company’s strategic plan.
Recent events including the September 11 attacks, Hurricane Katrina, SARS, the avian flu and the
The term business continuity management (BCM) is defined as the development of strategies, plans, and actions that provide protection or alternative modes of operation for activities or business processes which, if interrupted, could cause seriously damaging or potentially fatal loss to the enterprise. BCM is a process that provides a framework to ensure the resilience of your business to any eventuality, helping to ensure continuity of service to your key customers. It provides a basis for planning to ensure your long-term survivability following a disruptive event. For the business continuity plan to be effective, the disrupted operation needs to be restored within timeframes set by management. Business continuity management goes beyond the protection of resources from physical damage. It includes the following core elements: crisis management, business resumption planning, and IT disaster recovery planning.
Crisis management is the process designed to enable an effective response to an event. When operating in crisis management mode, the goal is to stabilize the situation and prepare the business for recovery operations. Business resumption planning (sometimes called business recovery) involves the recovery of critical business functions. IT disaster recovery planning addresses the recovery of critical IT assets including systems, applications, databases, storage, and other network assets.
Financial institutions must not only ensure compliance with regulatory requirements but also effectively communicate policy and regulatory issues to the organization. Training and awareness programs are needed to ensure that everyone knows the risks of non-compliance with regulations as well as with internal policy. A successful program depends upon executive endorsement and appropriately motivating personnel to incorporate security, privacy and contingency activities into their job responsibilities.
Mark Edmead is managing partner of MTE Advisors, Inc. in Escondido, Calif., and has over 28 years’ experience in the areas of computer systems architecture, information security, project management and IT and application audits. He can be reached at mark@mteadvisors.com
Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.
