Can your business survive the unexpected?
Hurricane Georges ... an ice storm ... a strike ... a bomb ... Web site failure ... a network problem ... communication cables catch fire and disable your data center for days.
An unsuspecting company could experience any of these. Many already have. As a result, "business continuity planning" (BCP)--a high-profile, mission-critical task that attracts the attention of the CEO, the CFO, and the board of directors--has supplanted what used to be called "disaster recovery planning," which fell under the umbrella of building security or human resources. BCP is, at heart, a form of risk management. CPAs have the skills to take it on and might do well to get involved with BCP projects within their companies or for their clients. CPAs and other financial executives involved in BCP from all parts of the country were interviewed for this article.
"After the Oklahoma City bombing, 40 square blocks were barricaded off for weeks," says Mary Carrido, president of Irvine, California-based continuity planning consultant MLC & Associates and national chairwoman of the 1,800 member Association of Contingency Planners (ACP; www.acp-international.com). "This devastated 4,000 businesses; 210 are not in existence anymore."
Insurance industry statistics show the number of man-made and natural disasters has increased. With the news media flashing disaster reports, regulators demanding that companies take preventive measures against the millennium bug and the reliability questions introduced by electric utility deregulation, more executives are realizing, "This could happen to me. And it could hurt."
Gauging the damage that disasters or other disruptions may cause to plant and equipment is only one aspect of preparedness. Other costly problems could follow: Relocation, repairs, regenerating lost data and replacing lost business income all take time, money and other resources. Intangible assets may be impaired as well. A business interruption can cause a company to lose market share, image and credibility; reduce customer satisfaction or brand value; damage research data; or strain relationships with suppliers or alliance partners. One-time events may also divert management and employees from normal core business pursuits, altering routines in ways that reduce efficiency or allow less dramatic problems to fester. "Professional service companies are starting to appreciate and protect the intellectual capital of a business," explains Pat McAnally, director of marketing at SunGard Planning Solutions in Wayne, Pennsylvania.
The year 2000 computer issue--a specialized kind of foreseeable disaster--has caused managers to think more about risk mitigation. Y2K issues have raised contingency planning awareness by government agencies such as the SEC, too. Corporate responsibilities to stockholders, employees, customers and the communities the company operates in have been on managers' minds. The ever-present threat of expensive shareholder lawsuits has added weight to management concerns.
A company without a continuity plan, or with an ineffective one, may not be meeting its statutory obligations; corporate managers or directors may be legally responsible for overseeing BCP. For example, the Foreign Corrupt Practices Act of 1977, while primarily directed at preventing bribery, also requires that company assets, including business records, be maintained and protected. "Lifeline" providers, such as hospitals, utilities, financial service firms, public works and airports, operate under regulatory mandates requiring BCP, as auditors know. Bankers are familiar with rules at the Federal Financial Institutions Examination Council and the Federal Deposit Insurance Corp. "Contingency plans are also a regular part of requirements by the office of the comptroller of the currency," says SunGard's McAnally.
CREATING A CONTINUITY PLAN
Financial executives trained as CPAs and auditors--as well as CPAs in public practice consulting to business clients--have the skills and background to assist in or supervise the creation of a continuity plan. Corporate CPAs are likely to know who in the company to bring together to compile, test, and amend the plan.
The goal of BCP is to preserve and protect the essential elements of an enterprise and maintain an acceptable level of operations throughout a crisis and afterward, as the company recovers. It's always easier to minimize risk than to recover from a setback. People with experience planning audits know how to identify an enterprise's areas of greatest financial vulnerability. Those who prepare financial statements know that failure to identify risks correctly can have financial consequences severe enough to put a company out of business. So it is only a small stretch--mostly common sense--to identify the people who can suggest measures to minimize those risks and to document those measures in the detail that is second nature to accountants.
WORDS OF CAUTION
Kenneth Brill, a computer disaster prevention consultant at ComputerSite Engineering in Santa Fe, New Mexico, says that people can also be the weakest link. To ensure effective continuity planning, top management must support the project. When the top execs of a company have "bought in" and championed the process, the continuity plan is far more likely to work.
Common mistakes in designing the BC plans include not asking the tough questions or failing to give honest answers. "It's easy to gamble and play Russian roulette," quips Rick Roller, computing disaster preparedness manager for the Boeing Co. in Seattle and director of chapter services for the ACP. He recommends ample interaction between continuity planners and information technology (IT) people throughout the planning process.
Bill McCoy, a Soddy Daisy, Tennessee-based consultant, also recommends auditor/IT discussion. Otherwise, auditors and accountants may have a tough time keeping up with the rapid pace of technological change, as "a great deal of specific knowledge is required to make judgment calls in the BCP process," he says.
However, financial executives should be careful not to shift responsibility for continuity planning onto technical people, who can be more interested in saving devices than saving data or resurrecting processes, cautions Deloitte & Touche, LLP's New Canaan, Connecticut-based BCP specialist William H. Murray, certified information systems security professional. "The techies don't always have enough perspective on what drives corporate profitability to know what to protect," he says. Financial people usually do. In fact, Murray says, accountants may be "the only ones who can do it."
A NATURAL EVOLUTION
BCP's precursor--disaster recovery planning--focused on tangible assets such as backing up data, securing copies and spare equipment off-site and other techniques relying on redundancy. Contemporary BCP takes a more organic view by focusing on the processes, networks, flows, procedures and affiliations essential for an organization's survival and ongoing prosperity. Now, planners are likely to report to chief information officers and/or controllers and CFOs and are charged with maintaining the viability of intangible assets--not just bricks and mortar.
For instance, in 1993 the Federal Emergency Management Agency (FEMA; www.fema.org) began to pay more attention to protecting people and property rather than to cleaning up after the unthinkable had happened. "This culminated in the 'disaster-resistant-community' concept," says FEMA's Atlanta regional director John Copenhaver. To reduce the scope of future catastrophes, FEMA recently launched a new nationwide initiative, Project Impact, based on broad scope commonsense planning and prevention. Copenhaver often sees companies that have compartmentalized their plans and missed internal and external interdependencies. Organizations need to coordinate emergency planning with local authorities on such issues as traffic flow or which hospitals to take injured people to if necessary.
THE WIDENING DEPENDENCY CIRCLE
Close relationships between customers and suppliers are now common. Consequently the scope of continuity plans has widened to embrace relationships up and down the supply chain. Outsourcing also increases interdependencies. Just-in-time inventory brings hair-trigger reliance on uninterrupted delivery. A disruption anywhere in the supply chain can have repercussions at dozens of companies. When customers and vendors rely on their business associates and partners to this extent, they may even write into their contracts stiff penalties for failure to deliver on time. Intimately linked businesses should coordinate their BC plans with customers and suppliers.
E-commerce introduces its own new vulnerabilities. Even companies that don't sell over the Internet are bound up and down the supply chain with intranets, extranets or other electronic ties to suppliers, customers and regulatory agencies. Add exposure to intrusions and potential leaks of sensitive data used in e-commerce, and it is clear why continuity plans must take these technologies into consideration.
DESIGNING THE BC PLAN
With proliferating exposure, every company needs to do some advance planning. The BCP process begins with identification and management of risk. A workable plan may be as short as a few pages, relying, of course, on multiple data sets as backup. A thorough plan often takes six months to two years to develop, depending on the size of the organization.
The most critical question to ask about a BC plan is: "Does it really work under fire?" Because the selection of elements to include in a continuity plan is subjective, oversights are common. Better to test and find out about them before disaster strikes. Disturbingly, a recent study by KPMG, LLP, found nearly 40% of respondents either lacked business continuity plans or had not tested theirs within the last six months. Nearly three quarters of those with untested network plans said the loss of that network would cause "critical or very severe" business disruptions. Similar results emerged from an Information-Week/Ernst & Young survey. While a higher percentage of respondents in that survey had plans, more than half were either untested or were tested only every two years.
The building blocks of a strong continuity plan include impact analysis, physical assessments, strategizing, plan development and training, testing, updating, maintenance and mitigation. (See "Glossary of BCP Building Blocks," below.) For some financial managers, these may be new ways of looking at top level issues--new "decision trees" that weigh and compare business needs and processes in novel ways.
Like Sisyphus's work, BCP is never finished--continuity plans must be "living" documents. For large or complex companies, the plan should be updated constantly and requires a full-time BCP specialist. Smaller companies typically update annually. But the frequency with which a company's plan is reviewed depends on the rate of change within the organization. ComputerSite's Brill recommends quarterly validation of continuity plans for dedicated data processing areas, where programs change frequently and data builds continuously.
Although BCP is generally a full-time job at large organizations, responsibility for it often lands atop other primary job functions. In such cases consultants may be needed. "Vendors are used when a company lacks the expertise in-house or doesn't have the time available," explains Sam Lee at Chubb Services Consulting. This help is especially necessary if no one at headquarters is following up on continuity plans at branch locations.
A general guideline for hiring consultants, says specialty publisher Phillip Jan Rothstein, is that the consulting arms of the larger accounting firms tend to do soup-to-nuts, multiday work, while smaller, more specialized consultants often deal with specific parts and special projects.
No one checklist does justice to the creative, analytical and forward thinking required for a successful BC plan. Yet it is still helpful for CPAs and planners to check others' lists, plans and guidelines. Templates are available from software vendors to help design plans from the simplest to the most complicated (see box, page 31, for some examples).
Industry associations are raising the level of professionalism with educational resources and accreditation. Rothstein, president of the largest BCP specialty book distributor, Rothstein Associates, in Brookfield, Connecticut (www.rothstein.com), says that in his customer base, accountants and auditors account for three times the number of book purchases they made only five years ago. He also notes growing BCP participation from business line managers, practitioners and senior management.
Just about all Fortune 500 companies have a dedicated continuity planning person, but midsize to small companies may not be devoting sufficient resources to continuity planning, BCP specialists say. As a whole, U.S. companies are levels ahead of their counterparts in Europe and Asia. Overseas subsidiaries of American companies often coattail on their U.S. parents' business continuity plan.
"The U.S. public sector is standardizing planning processes and drilling that down to the local level; plus the Red Cross and FEMA provide tremendous education and materials," explains ACP's Carrido.
According to Rothstein, the financial services sector is on the leading edge in BCP. "They're more sophisticated and have a lot more at stake," he surmises. After all, their product is information. He also sees more substantial continuity planning on the east and west coasts, areas hit hard by recent natural disasters. He points to "manufacturing and distribution, and smaller governmental organizations," as economic sectors that may be behind the curve.
WHAT'S A CONCERNED CPA TO DO?
"Accountants and auditors who want to participate or even head up the BCP in their companies need to be well educated about just what a comprehensive business continuity plan is. One way to get that education is to study BCP as part of ongoing professional education," advises Carrido. Industry associations, including the ACP, encourage certification, additional courses and broader offerings at educational institutions.
On-staff accountants might also help make a case at the board level for sufficient resources to proceed with BCP. The CPA/planner should focus on those things that are essential to the company's ability to resume business after a major disruption, instead of focusing on just having a plan for compliance. CPAs can add value to plans by improving assessments of the risk of potential losses and by quantifying the cost of a business component outage, a professional service interruption or the repair of a damaged database. Auditors need to zero in where value is added within a business and make sure those areas are fully covered by the continuity plan. The planning skills of a CPA can convert a perfunctory plan into a preeminent one.
FOR FURTHER READING
A list of books discussing issues presented in this story
* Business Continuity Planning ... A Step-by-Step Guide, with Planning Forms. By Kenneth L. Fulmer. Rothstein Associates, Brookfield, Connecticut, 1996.
* Business Continuity Planning Guide. By Strohl Systems, King of Prussia, Pennsylvania, 1995.
* Business Resumption Planning. By Edward Devlin, Cole Emerson and Leo Wrobel. Auerbach Publishers/CRC Press, Boca Raton, Florida, 1999.
* Call Center Continuity Planning. By Jim and Sharon Rowan. Auerbach/CRC Press, Boca Raton, Florida, 1999.
* The Definitive Guide To Business Resumption Planning. By Leo Wrobel. Artech House, Norwood, Massachusetts, 1997.
* Disaster Planning & Recovery: A Guide for Facilities Professionals. By Alan M. Levitt. John Wiley & Sons, New York, 1997.
* Disaster Recovery Planning for Computers and Communications Resources. By Jon Toigo. John Wiley & Sons, New York, 1995.
* Disaster Recovery Testing, Exercising Your Contingency Plan. By Philip Jan Rothstein, editor. Rothstein Associates, Brookfield, Connecticut, 1995.
* Disaster Survival Planning: Organizing the Project. By Judy Bell. Disaster Survival Planning Inc., Port Hueneme, California, 1993.
* Exercise Planning and Evaluation. By the staff of the Emergency Response Institute. Emergency Response Institute, Olympia, Washington, 1990.
* Fire in the Computer Room, What Now? Disaster Recovery Planning for Business Survival. By Gregor Neaga, Bruce Winters and Pat Laufman. Prentice Hall, Upper Saddle River, New Jersey, 1997.
* Normal Accidents: Living With High-Risk Technologies. By Charles Perrow. HarperCollins, New York, 1984.
* Risk Handbook. By John C. Chicken. International Thomson, Boston, 1997.
* Total Contingency Planning for Disasters. Managing Risk ... Minimizing Loss ... Ensuring Business Continuity. By Kenneth N. Myers. John Wiley & Sons, New York, 1995.
These books are all available through distributor Rothstein Associates, Brookfield, Connecticut (www.rothstein.com).
RELATED ARTICLE: EXECUTIVE SUMMARY
* NATURAL DISASTERS, MAN-MADE DISASTERS, communications and data network disruptions or the like can put a company out of business. A business continuity plan can help it survive.
* CPAs HAVE THE SKILLS TO ADD VALUE to business continuity plans. These skills come from experience with risk identification and management and require a big-picture financial perspective.
* BUSINESS CONTINUITY PLANNING IS A HIGH-PROFILE task within an organization, of personal interest to the CFO, the CEO and the board of directors. Officers of companies without such plans or with ineffective plans may be vulnerable to legal action.
* THE SCOPE OF PLANS HAS WIDENED to embrace relationships up and down the supply chain. Older business continuity plans focused on assets. Contemporary plans take a more organic view, concentrating on processes, networks, flows, procedures and affiliations.
* PLANS MUST BE TESTED before disaster strikes. Otherwise, crucial information may get left out. The goal of a company's plan is to be able to resume business after a major disruption.
RELATED ARTICLE: CASE STUDY
Lights Out In Greater San Francisco
Electric power failed for one million people within 49 square miles of the San Francisco Peninsula at 8:17 A.M. on December 8, 1998. Human error was the culprit: A utility crew inadvertently mishandled a ground wire during substation repairs.
The city coped reasonably well. Traffic moved haltingly through nonworking intersection lights. Tunnels were eventually cleared of traffic stopped in the confusion. Hospital backup power worked.
Kenneth G. Brill, a computer disaster prevention consultant who has done trouble-shooting at hundreds of sites, happened to be at an engineering company's offices. "The telephone PBX system went out immediately," Brill said. "Backup batteries failed, perhaps because they were never serviced." Calls could not be made or received over public lines. Employees jumped to cellular phones. Wrong move.
That network overloaded and gridlocked and was out for the entire power loss. Several old-fashioned phones were finally unearthed and connected to the outside world via analog fax lines. "Virtually every BC plan I know depends on the cellular network as a backup," Brill remarked. "That's a fallacious assumption if the problem's regional, and peak carrier capacity is unconfirmed."
The company's emergency generator failed to start. Hallways remained dark. Building occupants groped their way downstairs from upper floors. Says Brill, "We did have flashlights, but they were inadequate for the duration of the power failure." And there were not enough of them.
People were trapped in elevators. After delays, the elevator doors were opened manually, but rescuers still had to cope with darkness and yawning elevator shafts. "I kept trying to calm one young woman stuck between floors, telling her we were there but couldn't get to her," said Brill. Bottom line: The company's 20 people were eventually "safe," but they were idled for the rest of the day.
"No business" tales abounded in San Francisco that day. Merchants couldn't ring up purchases on computerized registers, which were locked shut. Pacific Stock Exchange computers failed, lacking an outside source of auxiliary power. One radio station was knocked off the air. Power was completely restored to the Bay Area within 7 hours, thankfully, without major safety problems or emergencies.
Answer honestly: How soon will you rethink and test your business continuity plan? This writer has seen the light: My number one priority is to use a long-idled disk backup system.
RELATED ARTICLE: Glossary of BCP Building Blocks
Impact analysis: Defines the scope and depth of what really happens within an organization when a business interruption or disaster occurs, with a focus on financial, business and operational systems.
Physical assessment: Identifies and quantifies a company's real assets (buildings, equipment, data, supporting utilities) and determines in what sequence and at what pace they are normally used. Looks at how these might be affected by a disaster and evaluates alternatives available to replace them in an emergency.
Strategizing: Looking into the relationships between corporate functions and systems, ranking their importance and assessing the scope and effect of the company's business; allocating corporate resources and attention according to these priorities.
Plan development: Creates an integrated plan for recovering from a disaster or business interruption affecting all or parts of an organization.
Training: Fostering employee and management awareness of BCP, teaching personnel how to keep the plan current, how to test it and how to actually use it.
Testing or exercising: "Running" parts or all of a plan in real time under simulated need, correcting any errors found and refining details to ensure smooth execution.
Updating: Assessing ongoing needs, with review frequency ranging from almost constant for critical, rapidly changing parts of a business, to annual for simpler, more mature, steady-state businesses.
Maintenance: Keeps up assets needed for a company to conduct business in an emergency and plans for that maintenance as well as ongoing upkeep of the BC plan itself.
Mitigation: Preventing or moderating disruptions by improving safety, applying common sense and designing and planning in advance of emergencies.
RELATED ARTICLE: "Live" From the Web
A huge number of domestic and international Web sites contain information on disaster planning and business continuity. A few searches will generate many useful pages of vendors, consultants, advice, backup facilities, articles and explanations. Major accounting firms' and consultants' sites generally maintain helpful, and sometimes extensive, material.
For the past three years, the Massachusetts Institute of Technology (MIT) has posted 40+ pages of its BC plan (web.mit.edu/security/www/pubplan.htm). Why? Jerry Isaacson, data security manager at MIT and the plan's author, explains, "We're an educational institution and thought it should be available as a resource."
Disaster specialist Factory Mutual, which supports insurance companies and provides BCP consulting services in property loss prevention to policyholders of three insurance company parents, also posts a fairly extensive continuity plan outline at www.factorymutual.com/disaster.htm.
RELATED ARTICLE: Insurance Is Not Enough
Insurance coverage, while an essential part of risk mitigation, is really incidental to a recovery plan. A payment received a year after a company has gone out of business is small consolation; it is the supply lines, information flow and speed with which processes are rerouted that keep a business going after a disaster.
Primary underwritten coverage is available for "business interruption" and "extra expenses." The former reimburses for lost revenue streams, while the latter handles extraordinary expenses incurred restoring a company's business. In either case, the deductibles are usually high. Kurt Edfast, associate manager at Great West Life Assurance in Englewood, Colorado, sees policies with deductibles as high as tens of millions of dollars.
Insurers reward companies that reduce the probability and severity of losses with solid contingency plans and risk mitigation procedures. "I've seen savings up to 20%," says Michael C. Redmond, senior manager at Deloitte & Touche's enterprise risk services in New York.
However, discounts depend on a plan's perceived and tested quality, relationships with insurers and how well the plan is communicated. If an insurer doesn't ask to see a company's continuity plan, the person purchasing the policy should bring the subject up. It can't hurt, and it could lower premiums significantly. To get credit for a solid plan, Redmond adds, "It helps if the insurance company has its own BC plan." It's also prudent to pick such insurers for their higher likelihood of "being there" after some dread event of their own.
If a company falters after a disaster, directors and officers can be sued for negligence. A weak continuity plan can leave them very vulnerable. Even with a good plan, most corporate fiduciaries insist on indemnification. But "D&O [directors' and officers'] liability insurance has been harder to get, and rates are up," reports lawyer Peter Vogel of Gardere & Wynne in Dallas. As a computer transaction specialist, he finds that most disputes involving computers are litigated on fraud and negligence rather than breach of contract. That leaves fiduciaries with oversight responsibilities at risk.
RELATED ARTICLE: BCP Questions That Auditors Should Ask
Data recovery veteran Bill McCoy, a consultant based in Soddy Daisy, Tennessee, advises on common BCP mistakes, some catchable in the audit process. These questions build on his mainframe experience at Chubb Corp. as the corporate disaster recovery coordinator who wrote the firm's original strategy for disaster recovery. They reflect real-life processes.
* Are observations of company processes and functions taken over an extended time?
* Are backups taken regularly and stored safely, offsite?
* Are recoveries tested against those normal backups?
* Is there sufficient documentation to direct any restoration, even if key executives are not available?
* Do multiple sites for distributed computer networks each have their own plans and safe storage? Are those plans locatable and executable? Are they tested?
* After data is recovered, can the company's critical applications actually run and deliver correct results?
* Are existing procedures able to handle growing amounts of data and increasing numbers of interconnects?
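As an added example (not from the article or from any of the people it quotes), a small Python audit script that applies the backup, offsite-storage and restore-test questions above to a constructed backup log; the log entries, the dataclasses and the 7-day and 90-day thresholds are assumptions chosen for illustration.

```python
"""Audit a backup/restore history against the auditor questions above.

Constructed example data (not from any real system). Checks: backups taken
regularly and stored offsite; recoveries tested recently against those normal
backups; restored data matching the checksum recorded at backup time, so the
recovered application would deliver correct results.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Backup:
    taken: datetime
    sha256: str    # checksum recorded when the backup was written
    offsite: bool  # a copy is stored away from the primary site


@dataclass
class RestoreTest:
    when: datetime
    backup_taken: datetime  # which backup was restored in the test
    restored: bytes         # content read back from the restored copy


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed ledger snapshots standing in for a critical application's data.
LEDGER_V1 = b"ledger,2021-01-01,opening balance,1000.00\n"
LEDGER_V2 = LEDGER_V1 + b"ledger,2021-01-08,invoice 42,250.00\n"

BACKUPS = [
    Backup(datetime(2021, 1, 1), sha256_hex(LEDGER_V1), offsite=True),
    Backup(datetime(2021, 1, 8), sha256_hex(LEDGER_V2), offsite=True),
    # Three-week gap, and this copy never left the building.
    Backup(datetime(2021, 1, 29), sha256_hex(LEDGER_V2), offsite=False),
]
RESTORE_TESTS = [
    RestoreTest(datetime(2021, 1, 10), datetime(2021, 1, 8), LEDGER_V2),
    # The restore "worked" but returned stale data: that backup is unusable.
    RestoreTest(datetime(2021, 1, 30), datetime(2021, 1, 29), LEDGER_V1),
]


def audit_backups(backups: list[Backup], tests: list[RestoreTest], as_of_iso: str,
                  max_gap_days: int = 7, max_test_age_days: int = 90) -> list[str]:
    """Return audit findings as of a YYYY-MM-DD date; an empty list means all checks passed."""
    as_of = datetime.fromisoformat(as_of_iso)
    findings: list[str] = []
    ordered = sorted(backups, key=lambda b: b.taken)
    if not ordered:
        return ["no backups recorded"]

    # Are backups taken regularly?
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (cur.taken - prev.taken).days
        if gap > max_gap_days:
            findings.append(f"gap of {gap} days between backups of "
                            f"{prev.taken.date()} and {cur.taken.date()}")
    if (as_of - ordered[-1].taken).days > max_gap_days:
        findings.append(f"latest backup ({ordered[-1].taken.date()}) is stale")
    # Are they stored safely, offsite?
    for b in ordered:
        if not b.offsite:
            findings.append(f"backup of {b.taken.date()} has no offsite copy")

    # Are recoveries tested against those normal backups, and recently?
    if not tests or (as_of - max(t.when for t in tests)).days > max_test_age_days:
        findings.append(f"no restore test within the last {max_test_age_days} days")
    by_date = {b.taken: b for b in ordered}
    for t in tests:
        src = by_date.get(t.backup_taken)
        if src is None:
            findings.append(f"restore test of {t.when.date()} used an unknown backup")
        # After recovery, would the application deliver correct results?
        elif sha256_hex(t.restored) != src.sha256:
            findings.append(f"restore test of {t.when.date()} did not reproduce "
                            f"the backup of {src.taken.date()}")
    return findings
```

Run as of 2021-02-01, the constructed log yields three findings: a 21-day backup gap, a backup with no offsite copy, and a restore test whose recovered data does not match the backup it came from.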
SUSAN RODETIS is a freelance journalist based in New York City. Her stories have appeared in Mutual Funds, International Global Risk Manager, Financial Trader and EQUITIES. Her e-mail address is email@example.com.
Publication: Journal of Accountancy, Feb 1, 1999.