Edited by William Swann
Throughout the world, business continuity professionals speak a common language;
namely, protecting an organization's assets is critical to the survivability of that
organization. Therefore, you shouldn't be surprised to read that businesses and
governments all across the globe wrestle with many of the same issues. However,
different regions are dealing with these issues in different ways, and much can
be gained by observing their activities. The GUIDE gives you a global perspective
on business continuity as we take you around the world in four pages.
Asia
The recent events of SARS (Atypical pneumonia virus) and Bird Flu in Asia
continue to create a strong interest and concern among governments and
organizations.
In South East Asia, the Bali and JW Marriott's bombings
in Indonesia continue to send a message to the community, indicating the
emergence of terrorism as the new and impending threat. Asia is expected
to brace for more terrorist retaliation on "soft targets." For the first
time since the Year 2000 bug, Asia awakens to an increased awareness at
the executive (and senior) management level to address the pertinent issues
of corporate survivability and business continuity management.
In North Asia, earthquakes in Taiwan and Japan continue
to be the major threats. The Japanese government conducted a national
emergency planning exercise in August 2003, the first since the last devastating
Kobe Earthquake. The tension between the borders of the Korean Peninsula
and Taiwan-China Straits will continue to be closely observed.
One major change is that the responsibility for BCM is beginning
to move out from the IT organization. According to a survey by KPMG in
2003, 74% surveyed highlighted that BCM is now managed by a corporate
function. Most organizations (74% surveyed) continue to have some form
of IT disaster recovery plans in place. The shift of mindset from IT recovery
to continuity of critical businesses and operation functions has just
begun in Asia.
The Asian community, like their American and European counterparts,
is driven to business continuity through regulatory requirements. The
lack of regulations with regard to business continuity and disaster recovery
continues to inhibit organizations from budgeting for corporate-wide business
continuity management programs, with the exception of the financial institutions
industry, where the central banks across Asia such as Singapore and Hong
Kong have issued supervisory policies and guidelines. The financial industry
also recognizes the need for regulation and compliance from a global perspective;
hence, the incentive to comply with the requirements listed in the Basel
II Accord. Countries such as Korea and Japan are beginning to follow.
However, it is observed that enforcement of policies is also limited.
The business continuity and disaster recovery market is
fairly isolated by local players within the borders of each country, with
the exception of international service providers like IBM and Hewlett
Packard. Governments in Asia are attracting multinationals to base their
processing centers and also their disaster recovery sites in their respective
countries. The Singapore government initiated the certification of BC/DR
service providers to attract external organizations by easing their selection
process with some form of standardization. The Singapore government also
recognized the importance of having sufficient human resources to support
and ensure the success of such programs. Hence, the Singapore government
is supporting relevant courses, like DRI Asia's certification courses
for BC and DR certifications, with grants for eligible organizations and
individuals who successfully complete the courses.
IDC forecasts the total estimated market size for the region
to be US$1.3 billion by 2006, with Australia, Korea, and Singapore accounting
for the majority of the regional disaster recovery market. The untapped
opportunities are projected to be in markets like India, Philippines,
and the People's Republic of China.
- Dr Goh Moh Heng, CBCP, FBCI,
executive director, DRI Asia
moh_heng@driasia.org
Australia
In February 2004 the Australia Prudential Regulation Authority (APRA)
issued their draft guidelines for risk management for superannuation funds
and approved deposit funds. These guidelines are intended to supplement
the Drafting Instructions - Regulations for Risk Management Strategies
and Risk Management Plans issued by the Australian Government on December
11, 2003. The guidelines provide trustees and senior managers of these
types of funds with an outline of the requirements to obtain and hold
an operating license. APRA has already provided guidance notes to the
insurance industry on the management of operational risks, including mandatory
business continuity plans. At this stage, the finance and insurance industries
are the only areas in Australia with a regulatory requirement for formal
risk management programs including BCP. The Business Continuity Institute
(BCI) has commenced regular forums for business continuity practitioners
in both Sydney and Canberra. These forums are conducted each month at
a different location and are aimed at providing a regular networking venue,
extending the professional development of members, and encouraging new
members. BCI intends to develop similar forums in Brisbane and Melbourne
during 2004. The BCI currently has 43 members in Australia, with over
50 percent being located in New South Wales.
At the Special General Meeting of the Australasian Institute
of Risk Management (AIRM) and the Association of Risk and Insurance Managers
of Australasia Limited (ARIMA) on November 30, 2003, members voted overwhelmingly
to unify the two organizations. The new entity will be known as the Risk
Management Institution of Australasia Limited (www.airm.org.au)
and will formally come into being as soon as the legal proceedings have
been finalized. AIRM and ARIMA have much in common, including similar
goals and objectives and similar corporate structure. Many individuals
were involved in both organizations, and informal discussions have been
taking place for some years. Advantages of unification include providing
a single focal point for risk management in Australasia, as well as improved
educational opportunities, higher profile, and enhanced services through
economies of scale.
Other active Australian organizations include Emergency
Management Australia (www.ema.gov.au)
and Monash University (www.monash.edu.au),
which has undergraduate and postgraduate courses in risk management and
business continuity.
- Bill Edwards, CPRM, MBCI, principal,
Disaster Survival Planning - Australia
bill_edwards@bigpond.com
Europe
While terrorism has been high on the U.S. agenda over the past year, it
has had much less impact on business continuity activities in UK and European
companies. A survey by Synstar, a pan-Europe business continuity provider,
found that terrorism features in just 20 percent of European business
continuity plans. Instead, business continuity plans are more likely to
focus on issues that feel closer to home. Corporate governance and the
impact of severe weather were reported to be the two main issues driving
companies to update business continuity plans.
SunGard Availability Services recently surveyed businesses
across Europe to find out how prepared they would be if disaster should
strike and confirmed that, as expected, there are fundamental differences
in attitudes to business continuity across the continent. The results
showed that, as a whole, businesses in the European Community are reasonably
well prepared, with 80 percent of all respondents stating they had business
continuity plans in place. However, while 96 percent of UK and Swedish
respondents said they had plans in place, closely followed by Germany
(84 percent) and Italy (76 percent), France lagged behind with less than
half of French respondents (48 percent) saying they had business continuity
plans.
The survey found that European boards appear to be taking
business continuity more seriously: 84 percent of German respondents said
that their boards are now very aware of the need for business continuity;
France and Sweden, 72 percent; and the UK, 68 percent. Overall, a third
of respondents across Europe said that a board member was now responsible
for business continuity. The top reason across all countries for the board
taking an interest in business continuity was the realization that they
relied heavily on IT to remain in business. This was followed by customers
starting to ask for evidence of business continuity programs, compounded
by increased industry regulation.
When asked what disaster they most feared, apart from the
UK all respondents said "hardware failure." UK businesses seem to have
a deep-seated fear of fire, with 36 percent of respondents saying that
the company going up in flames was the event that concerned them most.
The UK has been the most active region in terms of implementing
business continuity-related legislation. Most recently, The Higgs Report,
published in early 2003, put the onus on company directors to take responsibility
for risk management within a company. Higgs sets out a code for boardroom
reform and calls on nonexecutive directors to satisfy themselves that
systems of risk management within a company are robust and effective.
In another recent development, the British House of Commons
is currently scrutinizing the government's proposed Civil Contingencies
Bill. This bill will replace and update the existing emergency planning
bill created in the 1940s and is aimed partly at improving the UK's ability
to respond to terrorist attacks. The bill will require local authority
emergency planners to put proactive measures in place to provide civil
protection, and it also requires critical infrastructure providers to
adequately protect their infrastructure from disasters. It will place
a duty on local authority emergency planners to develop continuity of
operations plans and to ensure that businesses in their local area are
aware of the importance of business continuity.
This past year also saw the publication in the UK of Publicly
Available Specification 56 Guide to Business Continuity Management (PAS
56), a joint development of the Business Continuity Institute and the
British Standards Institution. It provides, for the first time, a semi-official
guide to business continuity that allows companies to follow best practices
and to benchmark their plans against those of their industry peers. PAS
56 has received some criticism for being too rigid, but nevertheless it
constitutes an important step toward the development of a standards-based
approach to business continuity management.
- David Honour, publisher,
Continuity Central
dhonour@continuitycentral.com
Latin America and the Caribbean
CRID: Regional Disaster Information Center
The Regional Disaster Information Center (CRID for its Spanish acronym)
is an initiative sponsored by six organizations that decided to join efforts
to promote the development of a prevention culture in the Latin American
and Caribbean countries through the compilation and dissemination of disaster-related
information and to promote cooperative efforts to improve risk management
in the region. These organizations are the Pan American Health Organization
- Regional Office of the World Health Organization (PAHO/WHO), International
Strategy for Disaster Reduction (ISDR/EIRD), Costa Rica National Risk
Prevention and Emergency Commission (CNE), International Federation of
Red Cross and Red Crescent Societies (IFRC), Coordination Center for Natural
Disaster Prevention in Central America (CEPREDENAC), and the Regional
Office of Doctors Without Borders (MSF).
The CRID's other objectives are to offer quality information
services to a wide range of users in the Latin America and the Caribbean
region, strengthen sub-regional (Central America, South America, and the
Caribbean), national, and local capacities to establish and maintain disaster
information and documentation centers; promote the use of electronic technology
for the provision of information services; and contribute to the development
of the Regional Disaster Information System.
- Regional Disaster Information Center
www.crid.or.cr
United Nations International Strategy for Disaster Reduction (UN/ISDR)
The UN has established the International Strategy for Disaster Reduction
(ISDR) as a global framework for action with a view to enabling all societies
to become resilient to the effects of natural hazards and related technological
and environmental disasters in order to reduce human, economic, and social
losses.
- www.eird.org
Caribbean Disaster Information Network (CARDIN)
CARDIN was established in June 1999 to provide linkages with Caribbean
disaster organizations, to widen the scope of the collection of disaster-related
information, and to ensure improved access to such material. The project
is funded by the European Community Humanitarian Office (ECHO). The Library
of the University of the West Indies at Mona has been selected as the
focal point for disaster information in the Caribbean.
- CARDIN
cardin.uwimona.edu.jm:1104/home.htm
North America
In the United States, business continuity as a practice and as a profession
continues to reel from new legislation with far-reaching impacts and an
ever-growing threat environment. Terrorism, workplace violence, outsourcing,
restructuring, compliance, and corporate governance also continue to have
significant impacts on the North American business continuity profession.
As in Asia and Europe, the United States has begun to see
responsibility for business continuity shift from an information technology
base to one with a broader focus. With issues surrounding education, certification,
and common interface terminology between the public and private sectors
(and within the distinct business sectors that comprise the private sector),
the scope of business continuity will continue to be dominant for the
foreseeable future.
A recent national symposium on security and competitiveness
(Council on Competitiveness and Carnegie Mellon University) found CEOs
from some of America's most prominent companies, government officials,
labor leaders, and academics calling for a concerted joint effort to simultaneously
protect security and safeguard America's economy through best practices
and innovation.
According to new research from TowerGroup, cost containment,
the shift from strategic to tactical initiatives, and business continuity
will continue to lead corporate thinking. These three issues headed the
firm's list of the top 10 business issues that will drive investment in
management strategies.
Canadian companies are also working harder to build more
comprehensive business continuity programs. The SARS breakout in Toronto
and the August 2004 power blackout contributed to this greater focus.
However, Canada has not felt the same pressure from terrorist threats
as the United States. Canadian regulators have yet to increase requirements
for business continuity management.
U.S. regulations and legislation, such as Sarbanes-Oxley,
Gramm-Leach-Bliley, The Patriot Act, Vital Interdiction of Criminal Terrorist
Organizations Act, Health Insurance Portability and Accountability Act
(HIPAA), NYSE Rule 446, NASD 3510 and 3520, Title 21 Code of Federal Regulations
(21 CFR Part 11) Electronic Records; Electronic Signatures, NFPA 1600,
Personal Information Protection and Electronic Documents Act (PIPEDA),
and a host of legacy legislation with business continuity-related requirements
in the areas of health, safety, and environmental compliance will continue
to change the infrastructure of the profession and the practice.
- Geary W. Sikich, principal,
Logical Management Systems Corp.
gsikich@aol.com
- Michael G. W. Smith, principal,
Ernst & Young LLP
michael.g.smith@ca.ey.com
South Africa
South Africa is an active player in the global business community, has
spawned both international companies and brands such as Sasol and de Beers,
and has had a good representation locally of international companies.
Accordingly, infrastructure is generally on a par with other
First World countries, though not as pervasive, and internationally accepted
business trends and rules are the norm. Corporate governance has been
a hot boardroom topic for some years, and in 1994 the first King Report
on Corporate Governance was released, leading to changes in the way companies
act and the way business is conducted. In 2002 this was completely revised,
becoming known as King II, and has become a benchmark internationally
on sound corporate governance. Relating to business continuity management
and risk management, King II makes specific mention of having to conduct
annual risk assessments and needing to have business continuity plans
that account for worst-case scenarios.
All of the major banks have international operations and
are governed in compliance with the Basel Accord. Municipal and central
government operations are governed by the Public Finance Management Act,
which among other things lays down good corporate governance guidelines.
There is also a disaster management initiative driven by central government
to coordinate regional resources and responses with the emphasis on public
safety. The Business Continuity Institute is represented in South Africa,
with about 20 members and fellows.
One of the key issues facing BCM practitioners is a general
lack of knowledge of BCM in business. This is slowly changing, but many
boards still would not be able to differentiate between a good implementation
of a BCP and a poor one, or even understand what a BCP really is. This
lack of understanding permeates IT continuity as well. There are some
organizations who steadfastly maintain they have a good BCP or ITCP, but
the backup system resides in an adjacent building or even the same computer
room.
- Allen Smith, Continuity SA,
DRI Representative for South Africa
allen.smith@continuitysa.co.za