By Phil Carter, director, Professional Services, at SunGard Availability Services
Both political and corporate world events, such as the USA's 'war on terror' and the Enron and Worldcom scandals, have resulted in a range of new regulations being introduced that require business continuity professionals to take a different approach to risk management.
This also reflects the results of a recent UK survey conducted by SunGard Availability Services, which showed that regulatory requirement is now one of the biggest drivers for business continuity planning. As businesses become increasingly reliant on technology and regulatory pressures increase, business continuity is a necessary cost of doing business rather than a 'nice to have'.
Turnbull Report
The Turnbull Report was published in September 1999 and was the first in a recent line of new guidelines and regulations aimed at making businesses take risk more seriously. Endorsed by the London Stock Exchange, it firmly places responsibility for managing risk in the lap of senior directors. Listed organisations must now demonstrate to shareholders that they have assessed the risk attached to all assets and activities, and that they have taken action to limit or remove their exposure to risk in each area. Of course, as with any regulation or sector-specific guidelines, companies that do not comply with the Turnbull Report face the threat of a backlash in stakeholder confidence, from customers to investors, and in theory could even be de-listed.
This emphasis on senior director responsibility for managing risk is also reflected in other results from the SunGard survey: 80 percent of respondents said that business continuity was dealt with at board level, with the key drivers being regulation, the threat of terrorism and companies' increased reliance on IT systems.
Higgs Report
This onus on directors to take responsibility for risk management within a company was given further impetus with the publication of the Higgs Report last year. This sets out a code for boardroom reform and calls for non-executive directors to satisfy themselves that the systems of risk management within a company are robust and effective. If companies wish to avoid sanctions, they will now have to be much more proactive in managing their operational risk by using a variety of tools, including the risk transfer mechanism of insurance for business processes, systems and data, as well as the risk management mechanism of business continuity planning. Of course, financial services businesses have had compliance directors in place for some time, but the Higgs Report means all UK plcs will be required to manage risk effectively. This may mean that directors need to undertake training in business continuity, and for non-financial companies the nomination of a compliance director is the first step towards understanding the risks which they face.
Higgs also gives the business continuity manager or compliance director further ammunition with which to lobby senior directors if they are struggling to obtain board-level buy-in or an increased budget to continuously improve the business continuity plan. Cost has historically been a key barrier to business continuity planning and is often the reason that less appropriate insurance covers are selected over business continuity planning. However, in the event of a disaster or interruption, a comprehensive business continuity plan should enable the business to get up and running faster and also reduce the ultimate cost of the insurance claim, as revenue losses are minimised. Business continuity also enables a company to safeguard its reputation, something insurance would find hard to quantify.
Financial Services Authority (FSA)
April 2004 sees the release of the FSA's final recommendations for business continuity. Its Consultative Paper 142 looks at operational risks and controls and has been in circulation for feedback before the final guidelines come into force. The final report will offer good practice guidelines but will not be prescriptive, with a focus on the review of operational and risk management in major financial groups. However, the resulting guidelines are unlikely to be onerous, as many of the recommendations will already be followed by financial institutions that have realised that the survival of their business very much depends on IT and communications systems.
Basel II
Basel II is also getting a lot of coverage in the media at the moment, with industry analyst Datamonitor anticipating that spending on Basel II IT compliance projects will total $4 billion over the next two years. Basel II will close the loopholes of its predecessor, Basel I, which was introduced after the collapse of BankHaus Herstatt in the USA in 1974. Basel I was based on the basic requirement that, to trade internationally, banks needed to prove they had the funds to cover risks. Of course, this was essentially dead money that could not be used for trading and, as the rules weren't watertight, ways were often found to get around the requirement.
Basel II will make the amount of capital required more tightly aligned to a firm's risk profile. This will include both financial and operational risk, which will of course have implications for how business continuity is managed in a banking organisation. To support this, a mathematical formula has been developed to define a firm's risk profile and therefore determine the ultimate level of capital that must be kept aside. This will affect all internationally trading institutions worldwide, but once again this best practice will be what the wise, who want to protect their business for longevity, will already be doing. Action must be taken now as, despite a deadline for compliance of 1st January 2006, banks will have to show two years' worth of historical data.
Regulation is often seen as bureaucracy that stops companies from focusing on doing business and making profit. However, as organisations become increasingly reliant on IT, it's imperative that attitudes to business continuity become more proactive. Without this, the achievement of information availability, keeping people and information connected at all times, is compromised. Regulation assists the information availability process by helping businesses both to reduce their vulnerability and to protect customers, thereby enabling business as usual, no matter what happens.
[Note: Basel II is aimed at banks and 'banking groups'. To ascertain whether your firm will come under Basel II's scope, visit http://www.bis.org/bcbs/cp3part1.pdf]
Civil Contingencies Bill
Replacing the pre-existing emergency planning bill created in the 1940s, the new Civil Contingencies Bill requires local agencies to put proactive measures in place to provide civil protection. The Bill splits advice into two parts.
Part One requires local agencies to put proactive measures in place to provide civil protection. This includes risk assessment, business continuity plans, warning mechanisms and the promotion of business continuity in the community, which Category 1 responders such as local councils, police, fire authorities, ambulance services, environmental agencies and the Coastguard have an obligation to carry out. Category 2 responders (electricity, gas, water, telecommunications, railway, airport, harbour and health and safety suppliers) are duty bound to assist in the response to an emergency. Compliance with Part One will be monitored by the Government's audit commission.
Part Two retains the emergency powers section, which has been extended to give Government greater powers during an emergency. In addition, the Queen and the Secretary of State have the right to make new regulations during an emergency "without delay", and this power is almost limitless if it is exercised to protect human life or the UK's major infrastructure.
Although the Bill has yet to become law, it is clear that if it is passed there will be a major part for the business continuity industry to play.
PAS 56
Although not regulation per se, PAS 56 is worth exploring within the remit of this article. In 2003 the British Standards Institute joined the campaign for businesses to strengthen their approach to business continuity by releasing the PAS (Publicly Available Specification) 56 Guide to Business Continuity Management. PAS 56 describes the activities and outcomes involved in establishing a business continuity management process, and also provides recommendations for good practice. It suggests that businesses should ensure their recovery centre is at least 800 metres away from the primary place of work, in case that should become unavailable, and highlights the importance of developing service level agreements with business continuity suppliers.
PAS 56 also recommends that companies conduct two live tests every year. The testing of business continuity plans should be undertaken in a controlled environment which tests the efficacy of business continuity plans and strategies, but without placing the business at risk.
However, a badly managed live test could pose a significant risk to the business, perhaps making the prospect of invocation a reality. SunGard would recommend that businesses commit to a programme of testing to ensure their business continuity plans are kept up to date with changing business practices and IT systems, but also that they engage expert assistance in the planning phase to ensure success.
About SunGard Availability Services
SunGard Availability Services is the world's leading provider of information availability services, helping to ensure that more than 10,000 clients in North America and Europe have uninterrupted access to their business critical information systems. With over 3 million sq. ft. of hardened facilities, it offers a complete range of information availability services for more than 30 technology platforms, from 48 hour disaster recovery hot sites to always-on, high availability infrastructure, co-location and electronic vaulting services. SunGard also provides technology and systems management services for application and data centre outsourcing, as well as business continuity consulting services and planning software.
For more information: 0800 143 413, infoavail@sungard.com or www.iamresponsible.net

Date: 20th February 2004. Region: UK. Type: Article. Topic: BC general.