companies and Internet Service Providers routinely use this type of security-related marketing, it soon may become prevalent among the largest financial institutions, all of which are members of the NYSE and the NASD. Any act of terror on American soil would accelerate this process.
The business continuity initiatives in the financial services sector highlight a significant issue for other business sectors: Even in the absence of regulation or statute, should corporations implement a business continuity plan as a matter of sensible corporate governance and sound policy? The answer clearly is yes.
The federal government, and particularly the Department of Homeland Security, needs industry’s participation and support to make the country secure. The owners and operators of obvious targets—power plants, chemical facilities, telecommunication centers—have been tightening their defenses and have developed (or contracted for) business continuity plans.
Yet, with finite budgets and only a transient sense of threat, most corporations have not initiated business continuity planning for the post-9/11 era—robust, tested, enterprise-wide programs that protect facilities and people and that would permit the rapid resumption of business if an attack occurred. Many companies still don’t quite get it: business continuity is a strategic investment, and its dividends will be evident during an attack and, economically and legally, in the aftermath of a terrorist event. For example, when a cascading grid failure left tens of millions of people in the U.S. and Canada without electrical power in August 2003, corporations without business continuity plans suffered. Without electricity to run computers, commerce simply stopped.
Not so for the New York brokerage firms that had aggressively invested in business continuity after September 11. That preparedness, including installation of emergency generators and back-up trading systems, allowed commercial transactions to continue with minimal interruption. Considering the financial losses brokerage firms sustain from even an hour of missed trading, investments in business continuity paid for themselves many times over in that one event. Indeed, the 2003 blackout and the business continuity success stories within the financial services sector accelerated the NYSE’s and the NASD’s adoption of business continuity rules for the industry as a whole.
SEC Oversight and Legislation
SEC Chairman Chris Cox, who prior to his appointment was chair of the House of Representatives’ Committee on Homeland Security, may be just the person who will trigger consideration of homeland security as a “material” matter in 10K reports. Chairman Cox is well aware that 85 to 90 per cent of America’s critical infrastructure is owned by the private sector. He is also familiar with the post-9/11 legislation that increased the responsibility of businesses that provide financial services, transport hazardous waste, and provide and maintain maritime facilities ranging from ship terminals to storage facilities for LNG to refineries. All of these industries and many others are to some extent regulated by the Department of Homeland Security, and it is likely that chemical plant security will soon be regulated by the Department.
As these legislative efforts increase the responsibilities of the private sector to make homeland security a priority, it makes good sense to have in place security programs that will reduce their vulnerability to the consequences of the next terrorist attack. Contingency planning to assure business continuity in addition to should include some of the following:
Insurance—Does it adequately cover business interruption costs? Are the terms and provisions written in a manner favorable to quick recovery?
Supply chain—Is it capable of restoration after a terrorist event? Are there components and parts coming across U.S. borders that may be closed?
Market resilience—Will the customer continue to purchase products and services after a terrorist event?
Implementing a business continuity plan also may have legal significance for a corporation. Because business continuity recognizes risk and mitigates it, the creation and implementation of such a plan may help a corporation discharge its corporate governance responsibilities to customers and shareholders alike. The concept is only now being tested in the courts, but the normal standard of corporate responsibility—focusing on acknowledging and responding to knowledge of a threat—likely will be applied here, diminishing liability. With terrorist threats increasingly frequent and well-publicized, directors and officers will have a hard time claiming that corporate risk management did not need to include emergency preparedness.
The Spectre of SOX
There is not yet regulatory linkage between homeland security governance and Sarbanes-Oxley but it is likely that it would parallel developing SOX compliance in
Boardroom Briefing: Business Continuity and Disaster Recovery