
Sarbanes-Oxley
Another Driver for Business Continuity Management

By Brett Williams


Recent, high-profile corporate failures have resulted in the creation and subsequent passage of the Sarbanes-Oxley Act (SOA). While the introduction of SOA may not be news to the financial reporting world, the approach to compliance may prove compelling to those responsible for business continuity. Aside from requiring corporate officers to take greater responsibility for the accuracy of financial reports, SOA mandates that organizations understand the risks that may impact the financial reporting process. A proper assessment of this risk environment would likely include lesser-known operational and IT risks resulting from, among other things, inadequate disaster recovery or business continuity plans. These deficiencies would undeniably impact the availability of the following financial-related processes and functions:

  • Transaction capturing/authorization during periods of downtime;
  • Processing cutoffs;
  • Ability to rollup disclosure data;
  • Pricing for fair value information; and
  • Understanding trading positions and other market exposures that must be monitored in real time.

Ideally, these processes and their related risks and controls would have already been assessed if a business continuity management (BCM) structure exists, is being considered, or is under development.

Business Continuity Management
In many ways, corporate malfeasance was the impetus for the development of Sarbanes-Oxley as much as September 11 renewed attention on business continuity and enterprise-wide risk management. Undoubtedly, September 11 increased business continuity awareness, and renewed the emphasis on addressing critical business operations and the process for resuming those operations. Long viewed as simply IT disaster recovery planning and data backup, a role of the IT technician, this planning effort is now expected across all areas of the organization and focuses on crisis management, crisis communication planning, business resumption planning, and IT disaster recovery, hence the updated term, "business continuity management." Embracing this broader, enterprise-wide view of business continuity management may prompt organizations to consider their BCM efforts as a significant step towards achieving compliance with Sarbanes-Oxley.

The Connection
The similarities between an SOA compliance project and a BCM effort should not be ignored. When done thoroughly, a comprehensive business impact analysis (BIA) and risk assessment, both core components of a BCM project, will help identify risk and control deficiencies that can result in process and system downtime. The BIA generally includes data gathering, process mapping and risk identification, all core requirements of Section 404 of Sarbanes-Oxley. Conversely, a comprehensive SOA compliance effort should yield valuable information for developing or updating a business continuity plan. Value can be derived by sharing the detailed by-products of both the BCM and SOA efforts that may already be underway.

The Regulatory and Governance Angle
The assessment of business continuity and disaster recovery plans has long been included in the audit approach of various regulatory and standards organizations. The financial services industry experienced the most attention to disaster recovery planning even before September 11. Regulatory agencies, such as the Office of the Comptroller of the Currency (OCC), regularly audit controls to ensure the integrity of transactions and the protection of sensitive customer information. The enactment of the Sarbanes-Oxley Act will likely increase the attention on business continuity management for all companies, regardless of industry. Though not yet explicitly stated in the Sarbanes-Oxley Act, the need to identify risks to the financial reporting process logically extends not only to the assessment and examination of supporting IT disaster recovery plans, but also to the objectives of financial reporting process-oriented business continuity and business resumption plans.

The Service Delivery and Customer Angle
Regulation aside, transaction integrity, service and IT asset availability, and the security and availability of sensitive customer information are all top-of-mind business imperatives across most industries. Companies are often quick to point out how business insurance minimizes the need for a business continuity plan. However, this insurance, like most compensating controls, will only extend to recovering lost business after a disaster occurs (in no way does this minimize the value of business insurance). Insurance does not guarantee the integrity of past transactions or that transaction processing or financial reporting can resume after a disaster. Business interruption insurance provides minimal comfort that customers, clients and suppliers will remain faithful or the media will look kindly on how an organization handles a disaster. Exploring practical contingency options across the enterprise that meet specific regulatory, contractual and customer demands will prove valuable for recovering from any disaster or business interruption.

Conclusions
While many organizations struggle with meeting regulatory requirements, few embrace the true benefits that result from exercises necessary to not only identify risks to the financial reporting process, but also mitigate those same risks. A comprehensive business continuity effort, including a rigorous business impact analysis and risk assessment, supplemented by an IT disaster recovery plan, can identify risks that, if left unchecked, could compound the impact to an organization after a disaster.

A recent Gartner survey revealed that only 36% of organizations surveyed possessed a contingency plan that addressed the complete loss of physical assets at a location.[1] The survey, in general, points out that companies are least prepared for the risks that are most likely to impact their organization. In a pre-September 11, pre-Sarbanes-Oxley business environment, some companies would have been quite comfortable being among the majority without a plan for the loss of physical assets. After all, there were other seemingly more important issues to focus on, like profitability and investor confidence (these issues remain, of course). In a post-September 11, post-Sarbanes-Oxley business environment, finding oneself in this majority provides little comfort and could prove to be very costly. While SOA focuses on the financial reporting process, why neglect the momentum of, and investment in, a comprehensive BCM effort?


About the Author
Brett Williams (CBCP), a Senior Manager, is located in Protiviti's Chicago office. Brett can be reached at brett.williams@protiviti.com. Brett specializes in the development and implementation of BCM solutions nationwide. Protiviti helps clients identify, measure, and manage operational and technology-related risks they face within their industries and throughout their systems and processes. The company also offers a full spectrum of internal audit services, technologies and skills for business risk management, and assists corporate board members in addressing corporate governance issues. For more information, call (312) 476-6411 or e-mail brett.williams@protiviti.com.

[1] Source: Press Release, "Gartner Executive Programs and Society for Information Management Survey: Most Companies and Government Organizations Are Unprepared for Attacks or Natural Disasters," January 23, 2002.

Copyright ©2008 DISASTER RESOURCE GUIDE P.O. Box 15243, Santa Ana, CA 92735 714/558-8940
Fax 714/558-8901