By Norm Meier
The business continuity professional must be aware of the impact of the various global standards, regulations and laws, not only on behalf of their multi-national and global clients or employers BUT also because of the impact on their own company when a global supplier or client commits an infringement. Addressing the standards and regulations that affect the business is yet another hat that must be worn not only by the business continuity professional but by other internal functions such as auditing.
International, Cross Industry Standards
- AS/NZ 4360 Risk Management Standard; its Business Continuity addendum is currently under international peer review.
- AS/NZ 4390 Records Management Standard
- AS/NZ 4444 Information Security Standard; includes a business continuity section.
- ISO 17799 Code of Practice for information security management; includes a business continuity management section and provides a comprehensive set of defined risks and controls. (Formerly BS 7799, now revised as BS 7799-2002.)
- ISO 9002 Quality assurance standard; addresses risk management and continuity planning issues for compliance.
- NFPA 1600 (under review into 2004; clearly a benchmark and potentially a requirement): a benchmark for continuity and emergency planners with a strong focus on crisis communications. It has potential international implications and broad support in the US public sector.
Standards and Guidelines for Financial and Technology Industries
- Basel Committee: 13 countries with 30 working groups; sets the framework for an appropriate risk management environment, with guidelines on risk identification, measurement, monitoring and control; its focus is international banking supervision.
- CobIT: Control Objectives for Information and Related Technology.
- COSO: Committee of Sponsoring Organizations of the Treadway Commission. An international framework to help management better control business activities by assessing internal controls and monitoring them consistently.
Guidelines for Publicly Traded Companies on Stock Exchanges
- Turnbull Guidelines (UK): address business continuity, risk management and appropriate internal controls for companies listed on the London Stock Exchange. As this is the first stock-exchange-mandated requirement of its type, stock exchanges around the globe are watching what impact it has once the compliance date is reached and what the domino effect will be.
- NYSE (proposed) Rule 446: business continuity, risk management and appropriate internal controls for companies listed on the New York Stock Exchange. NASD has required all of its members to implement risk management and business continuity programs.
- Sarbanes-Oxley Act (2002): requires auditors (internal and external) to provide a detailed report on a company's internal controls to the SEC. This report will be published in its entirety in the annual report.
Regulations Related to Holistic Risk Management Issues and Corporate Governance
- HIPAA (US): Health Insurance Portability and Accountability Act. Includes 7 specific BCM points, with 2003 compliance required of large corporations, and carries federal civil and criminal penalties.
- Expedited Funds Availability Act (US): requires a demonstrated BC plan to ensure the prompt availability of funds (federally chartered financial institutions).
- Gramm-Leach-Bliley Act (US): covers a wide range of organizations providing financial services beyond banks (e.g., auto dealers, retail stores, financial planners and tax preparers, as well as the insurance and real estate industries), requiring appropriate controls to be in place with a strong focus on client privacy. An unusual feature of this Act is that it also covers the vendors and suppliers of the institutions identified.
- PDD 63 (US): Presidential Decision Directive (1998) calling for an effort to ensure the security and continuous availability of critical infrastructures (physical, IT and telecommunications) by 2003.
- Telecommunications Regulations 2000 (UK)
- Australian Commonwealth Criminal Code (December 2001 update): establishes criminal penalties for officers and directors of organizations that experience a major disaster and fail to have a proper business continuity plan in place.
- Telecommunications Act of 1996 (US)
- Numerous codes addressing corporate governance throughout Europe (covering issues similar to those addressed in Sarbanes-Oxley, but moving beyond the year-end mandatory audit report on risk management).
- Foreign Corrupt Practices Act (FCPA), which addresses internal controls and criminal penalties.
About the Author
Norm Meier is a Senior Consultant with Business Protection Systems. For more information on this subject, contact him at normmeier@worldnet.att.net