|
Continuity Around The Continents Asia In South East Asia, the Bali and JW Marriott's bombings in Indonesia continue to send a message to the community, indicating the emergence of terrorism as the new and impending threat. Asia is expected to brace for more terrorist retaliation on "soft targets." For the first time since the Year 2000 bug, Asia awakens to an increased awareness at the executive (and senior) management level to address the pertinent issues of corporate survivability and business continuity management. In North Asia, earthquakes in Taiwan and Japan continue to be the major threats. The Japanese government conducted a national emergency planning exercise in August 2003, the first since the last devastating Kobe Earthquake. The tension between the borders of the Korean Peninsula and Taiwan-China Straits will continue to be closely observed. One major change is that the responsibility for BCM is beginning to move out from the IT organization. According to a survey by KPMG in 2003, 74% surveyed highlighted that BCM is now managed by a corporate function. Most organizations (74% surveyed) continue to have some form of IT disaster recovery plans in place. The shift of mindset from IT recovery to continuity of critical businesses and operation functions has just begun in Asia. The Asian community, like their American and European counterparts, is driven to business continuity through regulatory requirements. The lack of regulations with regard to business continuity and disaster recovery continues to inhibit organizations from budgeting for corporate-wide business continuity management programs, with the exception of the financial institutions industry, where the central banks across Asia such as Singapore and Hong Kong have issued supervisory policies and guidelines. The financial industry also recognizes the need for regulation and compliance from a global perspective; hence, the incentive to comply with the requirements listed in the Basel II Accord. Countries such as Korea and Japan are beginning to follow. However, it is observed that enforcement of policies is also limited. The business continuity and disaster recovery market is fairly isolated by local players within the borders of each country, with the exception of international service providers like IBM and Hewlett Packard. Governments in Asia are attracting multinationals to base their processing centers and also their disaster recovery sites in their respective countries. The Singapore government initiated the certification of BC/DR service providers to attract external organizations by easing their selection process with some form of standardization. The Singapore government also recognized the importance of having sufficient human resources to support and ensure the success of such programs. Hence, the Singapore government is supporting relevant courses, like DRI Asia's certification courses for BC and DR certifications, with grants for eligible organizations and individuals who successfully complete the courses. IDC forecasts the total estimated market size for the region to be US$1.3 billion by 2006, with Australia, Korea, and Singapore accounting for the majority of the regional disaster recovery market. The untapped opportunities are projected to be in markets like India, Philippines, and the People's Republic of China. Australia At the Special General Meeting of the Australasian Institute of Risk Management (AIRM) and the Association of Risk and Insurance Managers of Australasia Limited (ARIMA) on November 30, 2003, members voted overwhelmingly to unify the two organizations. The new entity will be known as the Risk Management Institution of Australasia Limited (www.airm.org.au) and will formally come into being as soon as the legal proceedings have been finalized. AIRM and ARIMA have much in common, including similar goals and objectives and similar corporate structure. Many individuals were involved in both organizations, and informal discussions have been taking place for some years. Advantages of unification include providing a single focal point for risk management in Australasia, as well as improved educational opportunities, higher profile, and enhanced services through economies of scale. Other active Australian organizations include Emergency Management Australia (www.ema.gov.au) and Monash University (www.monash.edu.au), which has undergraduate and postgraduate courses in risk management and business continuity. Europe SunGard Availability Services recently surveyed businesses across Europe to find out how prepared they would be if disaster should strike and confirmed that, as expected, there are fundamental differences in attitudes to business continuity across the continent. The results showed that, as a whole, businesses in the European Community are reasonably well prepared, with 80 percent of all respondents stating they had business continuity plans in place. However, while 96 percent of UK and Swedish respondents said they had plans in place, closely followed by Germany (84 percent) and Italy (76 percent), France lagged behind with less than half of French respondents (48 percent) saying they had business continuity plans. The survey found that European boards appear to be taking business continuity more seriously: 84 percent of German respondents said that their boards are now very aware of the need for business continuity; France and Sweden, 72 percent; and the UK, 68 percent. Overall, a third of respondents across Europe said that a board member was now responsible for business continuity. The top reason across all countries for the board taking an interest in business continuity was the realization that they relied heavily on IT to remain in business. This was followed by customers starting to ask for evidence of business continuity programs, compounded by increased industry regulation. When asked what disaster they most feared, apart from the UK all respondents said "hardware failure." UK businesses seem to have a deep-seated fear of fire, with 36 percent of respondents saying that the company going up in flames was the event that concerned them most. The UK has been the most active region in terms of implementing business continuity-related legislation. Most recently, The Higgs Report, published in early 2003, put the onus on company directors to take responsibility for risk management within a company. Higgs sets out a code for boardroom reform and calls on nonexecutive directors to satisfy themselves that systems of risk management within a company are robust and effective. In another recent development, the British House of Commons is currently scrutinizing the government's proposed Civil Contingencies Bill. This bill will replace and update the existing emergency planning bill created in the 1940s and is aimed partly at improving the UK's ability to respond to terrorist attacks. The bill will require local authority emergency planners to put proactive measures in place to provide civil protection, and it also requires critical infrastructure providers to adequately protect their infrastructure from disasters. It will place a duty on local authority emergency planners to develop continuity of operations plans and to ensure that businesses in their local area are aware of the importance of business continuity. This past year also saw the publication in the UK of Publicly Available Specification 56 Guide to Business Continuity Management (PAS 56), a joint development of the Business Continuity Institute and the British Standards Institution. It provides, for the first time, a semi-official guide to business continuity that allows companies to follow best practices and to benchmark their plans against those of their industry peers. PAS 56 has received some criticism for being too rigid, but nevertheless it constitutes an important step toward the development of a standards-based approach to business continuity management. Latin America and the Caribbean
The CRID's other objectives are to offer quality information services to a wide range of users in the Latin America and the Caribbean region, strengthen sub-regional (Central America, South America, and the Caribbean), national, and local capacities to establish and maintain disaster information and documentation centers; promote the use of electronic technology for the provision of information services; and contribute to the development of the Regional Disaster Information System. United Nations International Strategy
for Disaster Reduction (UN/ISDR) Caribbean Disaster Information Network
(CARDIN) North America As in Asia and Europe, the United States has begun to see responsibility for business continuity shift from an information technology base to one with a broader focus. With issues surrounding education, certification, and common interface terminology between the public and private sectors (and within the distinct business sectors that comprise the private sector), the scope of business continuity will continue to be dominant for the foreseeable future. A recent national symposium on security and competitiveness (Council on Competitiveness and Carnegie Mellon University) found CEOs from some of America's most prominent companies, government officials, labor leaders, and academics calling for a concerted joint effort to simultaneously protect security and safeguard America's economy through best practices and innovation. According to new research from TowerGroup, cost containment, the shift from strategic to tactical initiatives, and business continuity will continue to lead corporate thinking. These three issues headed the firm's list of the top 10 business issues that will drive investment in management strategies. Canadian companies are also working harder to build more comprehensive business continuity programs. The SARS breakout in Toronto and the August 2004 power blackout contributed to this greater focus. However, Canada has not felt the same pressure from terrorist threats as the United States. Canadian regulators have yet to increase requirements for business continuity management. U.S. regulations and legislation, such as Sarbanes Oxley, Gramm-Leach- Bliley, The Patriot Act, Vital Interdiction of Criminal Terrorist Organizations Act, Health Insurance Portability and Accountability Act (HIPAA), NYSE Rule 446, NASD 3510 and 3520, Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Sig-natures, NFPA1600, Personal Inform-ation Protection and Electronic Documents Act (PIPEDA), and a host of legacy legislation with business continuity-related requirements in the areas of health, safety, and environmental compliance will continue to change the infrastructure of the profession and the practice.
South Africa Accordingly, infrastructure is generally on a par with other First World countries, though not as pervasive, and internationally accepted business trends and rules are the norm. Corporate governance has been a hot boardroom topic for some years, and in 1994 the first King Report on Corporate Governance was released, leading to changes in the way companies act and the way business is conducted. In 2002 this was completely revised, becoming known as King II, and has become a benchmark internationally on sound corporate governance. Relating to business continuity management and risk management, King II makes specific mention of having to conduct annual risk assessments and needing to have business continuity plans that account for worst-case scenarios. All of the major banks have international operations and are governed in compliance with the Basel Accord. Municipal and central government operations are governed by the Public Finance Management Act, which among other things lays down good corporate governance guidelines. There is also a disaster management initiative driven by central government to coordinate regional resources and responses with the emphasis on public safety. The Business Continuity Institute is represented in South Africa, with about 20 members and fellows. One of the key issues facing BCM practitioners is a general lack of knowledge of BCM in business. This is slowly changing, but many boards still would not be able to differentiate between a good implementation of a BCP and a poor one, or even understand what a BCP really is. This lack of understanding permeates IT continuity as well. There are some organizations who steadfastly maintain they have a good BCP or ITCP, but the backup system resides in an adjacent building or even the same computer room. |