Business Continuity, Homeland Security and Corporate Governance
By Joe D. Whitley
With terrorist threats increasingly frequent and well-publicized, directors and ocers will have a hard time claiming that corporate risk management did not need to include emergency preparedness.
O n a Sunday afternoon in August 2004, Homeland Security Secretary Tom Ridge held a press conference to announce that the alert level on the
Joe D. Whitley
Homeland Security Advisory System had
been raised to “orange,” the second highest level. Unusually specific information from reliable sources, confirmed by multiple intelligence streams, suggested that terrorists were plotting a strike against financial centers in New York City, northern New Jersey, and Washington D.C. Wall Street increased security to unprecedented levels, leaving some to wonder if the police outnumbered the floor traders. Similar measures were taken in Washington, a city already bristling with barriers and patrols.
For companies and executives who are in the bull’s-eye of the terrorist threat, the warning brought home the importance of security and business continuity planning for financial markets.1 For America’s premier financial service providers— the members of the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD)—business continuity (BC) is no longer an option or just the domain of the corporate security department. It is a critical component of corporate governance and market stability.
As an aside natural disasters like Katrina and
Rita present very similar concerns to corporations and
Self-regulation and Business Continuity
Both the NYSE and the NASD are self- regulating organizations that require compliance with practices, standards, and policies as a prerequisite for membership. In response to 9/11, the NYSE and the NASD began formulating new business continuity requirements for broker-dealer members. Rule 446 for NYSE members and Rules 3510 and 3520 for NASD members address business continuity and contingency planning and are very similar in substance. The new rules recognize that there is no cookie-cutter approach to planning and therefore account for flexibility in business continuity design and implementation. But these rules require that, at a minimum, each firm’s plan contain ten elements:
Data back-up and recovery (hard copy and electronic)
Financial and operational risk assessments
Alternate communications between customers and member
Alternate communications between the member and employees
Alternate physical location of
Critical constituent, bank and
Communications with regulators
A plan to assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business elements.
Members of the NYSE and NASD must also publicly disclose the general configuration of their business continuity plan. Pursuant to its statutory authority, the Securities and Exchange Commission approved the NYSE’s and the NASD’s business continuity rules on April 7, 2004.2
At least in concept, forcing business continuity into the open serves as a de facto incentive to take the rules—and homeland security preparedness—seriously. There is an implicit reliance on market forces: it is assumed that if the public can compare business continuity plans, rational consumers will prefer to do business with those members whose plans are the strongest. Equally rational business leaders, in an attempt to capture competitive advantage, will establish robust plans. Considering that e-commerce
Securities and Exchange Act Release No. 34-49537
(April 7, 004), 69 FR 19586. April 13, 004. See also NYSE Information Memo 04-4 as well as NASD Notice to members 04-37. May 004
Boardroom Brieng: Business Continuity and Disaster Recovery