Disaster-Resource.com

An Overview of the Regulatory Landscape

Can you explain the regulatory landscape regarding business continuity management?

Since 2001, nearly every BCM regulatory requirement or standard has been enhanced or expanded to address increases in the threat environment, as well as a focus on corporate governance. The following chart outlines the more common regulations and standards, along with specific requirements associated with each.

Column key:

  • NFPA 1600: National Fire Protection Association
  • NYSE 446 / NASD 3510: Requirements for Securities Broker/Dealers
  • COBIT: Control Objectives for Information and Related Technologies
  • JCAHO: Joint Commission on Accreditation of Healthcare Organizations
  • FFIEC: Federal Financial Institutions Examination Council
  • HIPAA: Health Insurance Portability & Accountability Act

An "X" marks a task that the regulation or standard in that column addresses.

| Business Continuity Program Component/Task | NFPA 1600 | NYSE 446 / NASD 3510 | COBIT | JCAHO | FFIEC | HIPAA |
|---|---|---|---|---|---|---|
| Process Management | | | | | | |
| Institute a BCM process that includes crisis management, business resumption planning, and IT recovery | X | X | | | X | |
| Establish a BCM steering committee that includes a coordinator and others who have both operations and technology expertise | X | | | | X | |
| Define BCM objectives | X | X | | X | X | |
| Document a BCM mission statement | X | | | | | |
| Schedule and document BCM testing and maintenance events | | | | X | X | X |
| Conduct a Risk Assessment | | | | | | |
| Identify key legislation, insurance, regulations and industry codes of practice | X | | X | | X | X |
| Define a formal risk assessment process with the objective of identifying the source, likelihood and vulnerability of specific threats that may affect operations | X | X | | X | X | X |
| Assess current mitigating controls | X | X | | X | X | X |
| Conduct a Business Impact Analysis | | | | | | |
| Identify key business processes and critical dependencies; the impacts of potential business interruptions should be identified and continually updated | X | X | | X | X | X |
| Identify process-specific Recovery Time Objectives (RTOs) | X | X | X | | X | X |
| Identify minimum capacity requirements to restore business operations to an acceptable level | X | X | X | | X | X |
| Prioritize recovery efforts based on established RTOs | X | X | X | | | |
| Review Service Level Agreements between the organization and its external partners | X | X | X | X | X | X |
| Identify and catalog critical resources, records, facilities, equipment, vital records, critical data and infrastructure | X | X | X | X | X | X |
| Define Recovery Strategies | | | | | | |
| Establish a procedure for contracting with vendors to acquire critical resources in the event of a disaster | X | X | X | X | X | X |
| Identify and document contact information and procedures for local authorities | X | X | X | X | X | |
| Identify alternate recovery site(s) for all critical business processes | X | X | X | X | X | X |
| Conduct a cost-benefit analysis to determine the location and costs associated with recovery site alternatives and the distance from the primary site | X | | X | | X | |
| Define Business Continuity Management Procedures | | | | | | |
| Standard methods for documenting response, recovery and restoration procedures, communication plans, etc. | X | X | X | X | X | |
| Develop and document procedures for relocating and recovering critical business processes based on management-approved recovery time objectives | X | X | X | | X | X |
| Document emergency response and business/IT process recovery procedures that are team-based, checklist-oriented and chronological | X | X | X | X | | |
| Define the names of emergency response and recovery team members, together with their contact information | X | X | X | X | X | |
| Create response, recovery and restoration activities that take into account personnel safety and physical and IT security | X | X | X | | X | X |
| Document crisis communication procedures | X | X | X | | | |
| Identify a crisis communications coordinator | | X | X | | | |
| Develop and document training plans; training should occur on a regular, defined basis | X | | X | | X | X |
| Assign, document, and communicate roles and responsibilities for BCP testing; tests should involve all critical business units, departments and functions | X | | X | X | X | X |
| Utilize numerous types of testing approaches (tabletop drills, disaster simulations and full plan tests) | X | | X | | X | |
| Implement a post-test analysis report and review process | X | | X | X | X | |
| Define and document specific timelines for updating the business continuity plan | X | X | X | | X | |
| Store the BCP both online and off-site | X | | X | | X | |
| Audit the BCM process on a periodic basis to ensure compliance with company standards | X | X | X | | X | X |


What is NFPA 1600?

NFPA is the National Fire Protection Association, a standards making body headquartered in Massachusetts. Their most popular work is NFPA 101, the Life Safety Code that governs most life safety issues in commercial buildings across the country. It is common for local and state governments to adopt NFPA standards verbatim into their building and life safety codes.

NFPA 1600 is the standard on Disaster Management and Business Continuity. Work on the standard began in the 1990s, and the first version was published in 2000. An updated version was published in 2004. Unlike many standards and regulatory requirements, NFPA 1600 is industry neutral, and even applies to the public sector's ability to prepare for, respond to and recover from disasters (commonly known as Continuity of Operations Planning, or COOP). The standard is only three pages long, and includes elements of prevention, preparedness, response and recovery.

NFPA 1600 is not nearly as far-reaching as other standards in the industry, and is a reasonable first step for organizations without an up-to-date business continuity management program. Many industries, such as financial services and healthcare, have requirements that go far beyond NFPA 1600.

The standard became especially significant after the federal 9/11 Commission recommended it as the National Preparedness Standard, encouraging everyone from insurance companies to credit rating agencies to include it in their evaluations of their customers. Since that time, Congressional leaders have introduced it into pending Homeland Security legislation (HR 4830) to direct the Secretary of Homeland Security to develop and implement a program to enhance private sector preparedness for emergencies and disasters. The Department of Homeland Security (DHS) initiative is also known as “Ready Business,” and includes its own endorsement of NFPA 1600.

There is a BCP requirement published by the SEC regarding New York Stock Exchange (NYSE) members. Are all NYSE listed companies required to follow these BCP guidelines?

NYSE Rule 446 requires member firms, namely those who are members of the exchange, to maintain and test business continuity plans and strategies. Member firms are the organizations trading securities, not those being traded. The National Association of Securities Dealers (NASD) published almost identical requirements for its membership. The SEC approved both the NYSE and NASD rules.

The NYSE/NASD requirement mandates a flexible plan that includes:

  • Data back-up and recovery (hard copy and electronic)
  • Identification of all mission-critical systems
  • Financial and operational assessments
  • Alternate communications between the member and its customers
  • Alternate communications between the member and its employees
  • Alternate physical location of employees
  • Critical business constituent, bank, and counter-party impact
  • Regulatory reporting
  • Communications with regulators
  • How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.

According to the NASD and NYSE, each member's plan must address the above-listed categories to the extent applicable and necessary. At the same time, the categories are not exhaustive; members should address other key areas for their business continuity strategies to be considered complete and thorough. Additionally, members are required to assign a member of senior management to review and approve the plan each year.

Does HIPAA include a requirement to do business continuity management?

Several aspects of business continuity management are included in the security section of the HIPAA requirements. Specifically, HIPAA (Section 164.308) requires:

  • Data backup plan (required)
  • Disaster recovery plans (required)
  • Emergency mode operation plan (required)
  • Testing and revision processes (addressable)
  • Applications and data criticality analysis (addressable)

As noted above, the business continuity-related provisions of HIPAA are marked as either required or addressable. In HIPAA terms, addressable means that if, after the healthcare organization’s due diligence is complete, it can demonstrate that the provision is unnecessary, it does not have to implement it.

Additionally, section 164.310 requires contingency plans for facility access and security. Section 164.312 requires procedures to gain access to protected health information during an emergency.

The contingency plan requirements were a major focus area during the public comment period. The Department of Health and Human Services did not agree that the requirement was overly burdensome or costly and emphasized that this requirement must be met on time (for most organizations, April 2005).

These HIPAA requirements generally expand on the BCM requirements that most healthcare organizations already have mandated under JCAHO. A common misconception is that the HIPAA requirements are exclusively focused on information technology. Although most of HIPAA is IT focused, Protected Health Information (PHI) is found in many forms, and the Emergency Mode Operation plan is not an IT issue at all. Rather, this requirement addresses how the provider will continue to protect PHI if normal IT controls are gone, which could be considered the most difficult provision in the regulation.

Does the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) require business continuity management for hospitals?

EC.1.4 clearly states that the healthcare organization (provider) must develop an emergency management plan that addresses mitigation, preparedness, response and recovery. The requirement includes a hazard vulnerability analysis (risk assessment), development and training of teams with a variety of roles, plan escalation protocols, business resumption procedures, and annual maintenance and testing.

Business continuity management is especially important for healthcare organizations because they could be in a situation where their normal operations are compromised at the same time as the community’s demand for their services increases.

Why is the FFIEC regulation called “the BCP Gold Standard?”

The Federal Financial Institutions Examination Council (FFIEC) standard is the most aggressive standard in the US marketplace. The FFIEC has greater governance, risk assessment, business impact analysis, planning, testing and maintenance requirements than any other standard. It contains an entire section on senior management’s business continuity responsibility, which is a helpful reference for any company in any industry.

The standard is also an excellent example of the increasing expectations surrounding business continuity management. The standard was significantly expanded from the 1996 version in 2003. Although still listed in the category of IT Examination, the standard itself states, “BCP is more than recovery of the technology, but rather a recovery of all critical business operations.”

The FFIEC’s own summary is an excellent resource for developing the scope of a business continuity program:

  • Business continuity planning should be conducted on an enterprise-wide basis.
  • Thorough business impact analyses and risk assessments are the foundation of an effective business continuity management program.
  • Business continuity planning is more than the recovery of the technology; it is the recovery of the business.
  • The effectiveness of a business continuity plan can only be validated through thorough testing.
  • The business continuity strategy/plan and test results should be subjected to independent audit.
  • A business continuity plan should be periodically updated to reflect and respond to changes in the institution.

Interestingly, the FFIEC standard is not a series of do’s and don’ts but rather a call for companies to make robust assessments of their needs and make reasonable judgments on the composition and content of their BCM programs. For example, following its discussion of institutions serving critical financial markets, the FFIEC states: “Smaller, less complex institutions generally do not need the same level of planning, but are expected to fulfill their responsibility by developing an appropriate BCP and periodically conducting adequate tests.”

What is COBIT? Is it focused solely on information technology disaster recovery planning?

Control Objectives for Information and Related Technologies (COBIT) has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. COBIT, issued by the IT Governance Institute and now in its third edition, provides tools to assess and measure the enterprise’s IT capability across the 34 COBIT IT processes. COBIT’s importance has increased as a result of Sarbanes-Oxley Section 404, given that its framework is useful for internal controls documentation and assessment.

Although the COBIT definition implies a sole focus on Information Technology, the standard is written in such a way as to apply to crisis management, business resumption planning and information technology disaster recovery. Because of the relationship between Sarbanes-Oxley Section 404 and COBIT, more practitioners are exposed to this standard than ever before (although business continuity management is specifically excluded from Section 404 compliance).

Are these the only BCM mandates one needs to consider?

There are many more BCM requirements that apply to most companies. OSHA regulations place some crisis management requirements on most US employers. Customer mandates, such as ISO/TS 16949 in the automotive industry, require contingency planning.

The Federal Reserve Board, Office of the Comptroller of Currency and the SEC worked together to design and publish the Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, which outlines additional expectations for business continuity management in the context of a regional event.

The GAO issued a 111-page report on how the private sector needs to prepare for potential terrorist attacks.

Clearly, the expectations on both public and private sector organizations for improved preparedness are higher than they have ever been. Some of the additional government and industry requirements for business continuity and crisis management include:

  • Prudential Standard
  • Gramm-Leach-Bliley Act
  • State EHS regulations
  • FDA Recall and Safety Requirements
  • Foreign Corrupt Practices Act
  • Critical Infrastructure Protection
  • ESEA Title IV
  • FEMA
  • National Contingency Plan
  • FERC
  • OSHA
  • State Insurance Departments
  • ISO 17799
  • Local high-rise emergency plan requirements
  • USA PATRIOT Act
  • Food industry guidelines
  • Turnbull Commission
  • Federal Preparedness Circulars
  • Australian/New Zealand 4360:1999

Note: The table associated with this question was originally printed in the Information Systems Control Journal (Volume 3). Business Continuity Program tasks/components were compiled based on DRI International and BCI professional practices and Protiviti personnel experiences.

About the Authors:

Brian Zawada (brian.zawada@protiviti.com) is a director and Michael Keating (michael.keating@protiviti.com) is an associate director with Protiviti Inc., a global firm specializing in internal audit and business and technology risk consulting services. Brian is based in Cleveland and is responsible for Protiviti’s global business continuity practice, whereas Mike is based in Atlanta and leads the delivery of business continuity services in the eastern half of the U.S.