How Will Regulatory Changes Affect Disaster Recovery?
Disasters are big news for the destruction they cause, and an organization that finds itself at the center of a disaster may be at risk for survival. Governments across the globe are recognizing the value of business-continuity programs and are progressively developing business continuity regulations for them, as discussed in a recent CSC Town Hall.
Developing and implementing a business continuity plan are among the most important tasks an executive can undertake. Dan Mikulsky, product manager for business continuity and disaster recovery at CSC, says businesses need a total risk-management system to guard against catastrophic disasters.
“Through business continuity [planning], companies come to understand what is mission critical to their survival and what risks can cause them to fail to deliver their products and services,” Mikulsky says. “That understanding helps them put together a strategy for recovery that — in addition to specific recovery objectives — includes a plan for regular testing.”
Governments realize that resiliency is an important economic safeguard, says Tim Mathews, executive director of enterprise resiliency at ETS, a nonprofit educational testing service.
“Government wants the private sector and government itself to be able to bounce back faster to provide goods and services and to generate tax revenue,” he says. “Government is very interested in the resiliency of communities.”
Al Berman, president of Disaster Recovery Institute International, says that governance in continuity occurs at differing levels. Laws are the highest authority and must be followed. Business continuity regulations are the next level of authority and carry the weight of law. Industry standards are voluntary requirements that represent best practices within an industry.
Certification is a process that a company goes through to verify that it meets the standards for its industry. Mathews says that as companies develop relationships and partnerships with other companies, questions about continuity and resiliency have to be answered as a natural part of the due diligence process. “When we ask someone, or they ask us, ‘What level of business continuity do you have?’ certification becomes valuable at that point because it establishes a common framework for discussion.”
Continuity plans can contain sensitive information, and certification enables a business to satisfy the requirements a client or partner may have without revealing details. “You’re essentially saying, ‘Our program has been approved by a third party; that should be good enough for you.’ And in most cases, it is,” Mathews says.
Across industries and regions
Business continuity regulations vary by industry. Berman says that certification is helpful if a client requests it, but in industries like finance, much more is required. “The Federal Financial Institutions Examination Council (FFIEC) has very stringent requirements for the banking industry. [Its] requirements are used by many countries, and they are very effective at improving the resiliency of banks. You have to participate in tests. There’s an oversight group. With all the disasters we’ve had, none has caused a failure in the banking system,” Berman says.
Mikulsky says that companies in different regions look to different sources for business continuity regulation. “Internationally, there’s a heavy reliance on ISO [International Organization for Standardization] standards. Europeans especially have a respect for certifications. American businesses, on the other hand, look toward business regulators such as the FFIEC, HIPAA and others. We have 18 critical infrastructure areas in the United States, as described by the government. Each one is regulated by different components of the government.”
Continuity helps build trust in the brand. “I’ve talked with some small companies whose continuity plan is to simply go out of business if a disaster occurs. That’s fine as long as those you enter into contracts with understand this,” Mathews says.
“I think it’s clear that events have driven regulation in business continuity and disaster recovery, and will continue to do so. When you look at events such as 9/11, Katrina and Hurricane Sandy, [you see that] these were all events that caused people to take this seriously, and caused changes in local or national regulations and legislation. The phone rings only when there’s a disaster. When it’s quiet, people forget about it,” he says.