Boardroom Briefing Business Continuity and Disaster Recovery

Transcription

Boardroom Briefing Business Continuity and Disaster Recovery
spring 2006
www.directorsandboards.com
Boardroom Briefing
A publication of Directors & Boards magazine
Business Continuity and Disaster Recovery
Exclusive New Research
from Directors & Boards
Ground Zero for
the Boardroom
Leading When
It Counts
We help our
clients build the best
LEADERSHIP
teams in the world.
D
raw i ng upon a 50-year lega c y, we
focus on quality service and build
strong leadership teams through our
relat i o n s hips with cl i e nts and indiv i dual s
worldwide. With our experience, we excel in
the development of best-in-class Boards of
Directors. We are exp e r ts in re c r u it i ng board
memb e rs who fulfill the hig h e st priorities of
to day 's best-managed companies, includ i ng
executives with financial expertise, operating
dep th, strategic acumen, and those who
enrich the dive rsity of the board. For more
information about Heidrick & Struggles, visit
www.heidrick.com.
Joie Gregor
Vice Chairman
212-867-9876
John Gardner
Vice Chairman
312-496-1000
With
the
support
of
H ei d ri ck
RED OUTLINE INDICATES BLEED. IT DOES NOT PRINT.
& S tru ggl e s
Conducting
a Business
Continuity
Plan Audit
12 Questions
Every Director
Should Ask About
Workplace Safety
Business
Continuity
Legal Counsel
© 2004 KPMG International. KPMG International is a Swiss cooperative which performs no client services. Services are provided by member firms.
Since 1999, our
Audit Committee
Institute
has listened
and responded
as audit
committees
dealt with
increased
demands.
It’s the job
the ACI
was made for.
KPMG’s Audit Committee
Institute (ACI) was formed in
1999 for the sole purpose of
providing audit committees
and those that support them
with meaningful dialogue
and resources focused
on their evolving financial
oversight role. Through
valuable programs like the
ACI’s semiannual Roundtables,
topical publications, and
KPMG’s biweekly electronic
publication Audit Committee
Insights, we continue to
offer the kind of objective,
usable information needed in
a rapidly evolving corporate
governance environment.
It’s a job that was important
in 1999, and is even more
important today.
www.kpmg.com/aci
To receive KPMG's Audit Committee Insights,
visit www.kpmginsights.com.
Spring 2006
Boardroom Briefing
Vol. 3, No. 1
A publication of
Directors & Boards magazine
David Shaw
GRID Media LLC
Editor & Publisher
Scott Chase
GRID Media LLC
Advertising & Marketing Director
Directors & Boards
James Kristie
Editor & Associate Publisher
Lisa M. Cody
Chief Financial Officer
Ground Zero for the Boardroom................................................................... 4
James Kristie
Leading When It Counts.............................................................................. 6
Dee Soder
Conducting a Business Continuity Plan Audit............................................. 10
Ted Brown
Business Continuity, Homeland Security and Corporate Governance............ 14
Joe D. Whitley
When Disaster Strikes:
Are You Sure that Your Business is Adequately Insured?.............................. 17
Peter M. Gillon and Brian G. Friel
The Directors & Boards Survey:
Business Continuity and Disaster Recovery................................................. 19
Overseeing BCP: Just One More Reason to Consider CIOs as Directors......... 24
Jory J. Marino and Michael C. Nieset
12 Questions Every Director Should Ask About Workplace Safety................ 27
Tom Krause, John Balkcom and John Henshaw
Surprises in CEO Succession...................................................................... 32
Daniel Fairley, J.D. and David A. Bjork, Ph.D.
Boardroom Briefing: Business Continuity and Disaster Recovery
Barbara Wenger
Subscriptions/Circulation
Jerri Smith
Reprints/List Rentals
Robert H. Rock
President
Art Direction
Lise Holliker Dykes
LHDesign
Directors & Boards
1845 Walnut Street, Suite 900
Philadelphia, PA 19103
(215) 567-3200
www.directorsandboards.com
Boardroom Briefing:
Business Continuity and Disaster
Recovery is copyright 2006 by
MLR Holdings LLC. All rights reserved.
POSTMASTER: Send address
changes to 1845 Walnut Street,
Suite 900, Philadelphia, PA 19103.
No portion of this publication may be
reproduced in any form whatsoever
without prior written permission
from the publisher. Created and
produced by GRID Media LLC
(www.gridmediallc.com).
Ground Zero for the Boardroom
By James Kristie
What you don’t know or fail to anticipate can land you square in your own boardroom ground zero.
W
James Kristie
hat is the
role of a
board of
directors? There are a
lot of ways to answer
that question, but
you can’t go wrong
with this classic
response: “To ensure
the continuity of the
enterprise.”
A dear departed colleague and
Directors & Boards author, Tom
Horton, put it this way 20 years
ago in our pages: “A primary
responsibility of every board of
directors is to secure the future of the
organization. The very survival of the
organization depends on the ability
of the board and management not
only to cope with future events but
to anticipate the impact those events
will have on both the company and
the industry as a whole.”
improperly responding to the “known
unknowns” can be devastating. Then
layer on top of that the realization
that you can be hit with “unknown
unknowns,” and you as a director
have to wonder if you are a sitting
duck in a future boardroom ground
zero. Not an enviable situation.
It’s not atypical for a director to
feel informationally deprived under
the best of circumstances. Under
uncertain circumstances, when a
board has serious continuity issues
on the agenda, an information deficit
can be disastrous.
It is incumbent on directors to
demand information and insight that
will help them secure the future of
the organization—which could be
everything from the seemingly most
innocuous moves by a competitor
to the most threatening moves by a
foreign nation potentate.
Well said. But if you are a director,
you have to be in the camp of our
nation’s secretary of defense when
he ruminated in a press briefing
in February 2002: “As we know,
there are known knowns. There
are things we know we know.
We also know there are known
unknowns. That is to say, we know
there are some things we do not
know. But there are also unknown
unknowns—the ones we don’t
know we don’t know.” I’d say
Donald Rumsfeld pretty well pegged
the state of affairs that exists in
every boardroom in America today.
Outside of your own company’s
channels, there are lots of resources
to draw upon for setting your own
early warning system mindset.
The trend spotters at McKinsey
& Co., for example, issued earlier
this year a “Ten Trends to Watch”
advisory—macroeconomic trends
(“The consumer landscape will
change and expand significantly”
is one), social and environmental
trends (“The battlefield for talent
will shift” is another), and business
and industry trends (“New global
industry structures are emerging” is a
third for your radar screen).
The challenge for boards is that
the result of not anticipating or
You also can’t go wrong being on the
distribution list for the Dilenschneider
Group Trend/Forecasting Report. The
briefing is compiled by the strategic
communications consultancy headed
by Robert Dilenschneider (who
we count as a valued member of
the Directors & Boards editorial
advisory board). The in-depth and
data-packed report is must reading
for business continuity planning.
(Contact the firm at 212.922.0900 to
be put on the list.)
And there are other “survival
guide” must-reads. This Boardroom
Briefing is one. This is the sixth in
a series of single-focused reports
on matters of utmost concern to
enlightened board decision making.
The advisories in the following pages
will help you skillfully address your
contingency and crisis planning
requirements.
On a final note, my son gave me the
hugely popular book Freakonomics
as a Christmas present. In it is this
observation: “The modern world,
despite a surfeit of obfuscation,
complication, and downright
deceit, in not impenetrable, is not
unknowable, and—if the right
questions are asked—is even more
intriguing than we think. All it
takes is a new way of looking.”
Again, well said. That is your job
as board members—to ask the right
questions and to be the “new look”
eyes and ears for the management
team. This Boardroom Briefing will
seed many of those questions that
you might ask.
James Kristie is editor and associate publisher of
Directors & Boards. He can be contacted at jkristie@
directorsandboards.com.
Boardroom Briefing: Business Continuity and Disaster Recovery
Minding your business ...
...or peace of mind?
AlixPartners’ professionals have conducted
large-scale internal investigations in some of the most
complex corporate accounting matters in history. We’re
independent and objective, and will help you find solutions.
Our team of professionals includes certified public accountants,
certified fraud examiners, computer forensic technology
experts and other experienced investigators.
For more information about how our Corporate Investigations Practice
can help you, contact Harvey Kelly at (646) 746-2422.
www.alixpartners.com
Chicago Dallas Detroit Düsseldorf London Los Angeles Milan Munich New York Paris San Francisco Tokyo
Leading When It Counts
By Dee Soder, PhD
Management at all levels needs to understand how to act during and, especially, after a crisis.
A
Dee Soder
sk anyone
who has
experienced
a crisis and they’ll
tell you what counts
is the way the
people in charge
acted. Leadership
behavior is an
essential element of
business recovery.
The behavior of leaders during
and after a crisis has received
relatively little attention, planning
or board oversight. Without such
guidance, some leaders handle
crises superbly and others fail—at
times, dramatically, as evidenced
during Katrina. Directors and top
executives need to plan for the
“people side,” the psychological
aspects of a crisis, as an integral
part of business continuity.
Management at all levels needs to
understand how to act during and,
especially, after a crisis.
The accelerating number of
devastating situations over the last
ten years has necessitated better
business continuity measures
and management knowledge.
As national, regional, local and
company-specific crises become
more common, directors need to
ensure the efficacy of management’s
plans, and the behaviors that
expedite recovery. As was so clearly
demonstrated after 9/11, leadership
behavior is essential to recovery—
to clean up, console, plan and
rebuild. Positive and negative
examples of leadership behavior
after 9/11 will come readily to mind
for most of us.
Natural disasters, terrorism,
workplace violence, corporate
malfeasance, suicide, faulty
products—every crisis has unique
circumstances. Boards and
management also differ widely. Yet
an informal survey of more than 30
directors reveals amazingly similar
views. A few perceived the board’s
role as limited, but most believed
the board should be more involved
as part of its risk management
What about “outsiders” who
happen to be there at a critical time?
(For example, in the midst of a
power failure, a client was “lost” for
several hours at one company.)
Double check that your continuity
plans work. And test them. Just as
one client uses a former CIA official
to test corporate security, companies
may wish to have an outsider test
their crisis management plans.
Natural disasters, terrorism,
workplace violence, corporate malfeasance,
suicide, faulty products—
every crisis has unique circumstances.
responsibilities. Several prominent
directors emphasized the “need to
think more broadly” about crises
such as difficulties resulting from a
chief executive’s sudden death, lost
data/security breach, and so on..
Board differences and unique
circumstances aside, there is
general agreement on lessons to be
learned regarding behavior. Primary
ones follow:
Review disaster plans
to ensure that
behavior is explicitly
considered
Think about the “not likely to
happen” events. Could directions
be ignored if the boss is new or
disliked? How should scared,
crying and distraught people be
handled? What if fighting starts?
This year, a New York City-based
media company assigned interns
the task of developing “what if”
scenarios. IBM executives have
used drills for years, complete
with “wild card incidents” to test
their system. Whatever the actual
method, directors should have a
yearly, complete presentation of
continuity plans, ensuring that
disaster drills consider unlikely
events and behavior.
Communicate,
communicate, communicate
Good communication strategies
consider peoples’ emotions and
attitudes. Messages should be
simple, clear, consistent, and
tailored to the audience. Repeat
messages—people often don’t hear
it the first or second time. Be readily
accessible, provide support and
“stay on message.” Consider media
Boardroom Briefing: Business Continuity and Disaster Recovery
“I’m like the swan‚calm on the outside,
paddling like mad underneath, “ one CEO shares.
training for crisis situations before
an incident, not in the midst of it
(whether you face a mining disaster,
sex scandal, hurricane or other
problem—don’t practice on CNN.)
Leaders can motivate and improve
morale via a few words; helpful
phrases include “together we’ll
rebuild even better,” “remember that
evil exists, but there’s more good in
the world,” “sometimes bad things
happen and there’s no reason,”
“leaders play the hand that’s dealt,”
“tomorrow will be better and the
next day even better.” Be careful
about religious messages (a normally
devout employee lashed out when
an executive attempted to “pray for
him.”) Don’t force people to talk. After
devastating events it is often best just
to bring someone coffee or water,
sitting comfortably in silence beside
them. They’ll talk when they’re ready.
Remember that
style counts
Directors and management at all
levels should project calm and
Boardroom Briefing: Business Continuity and Disaster Recovery
Whether you face a mining disaster,
sex scandal, hurricane or other problem—
don’t practice for it on CNN.
confidence. “I’m like the swan—
calm on the outside, paddling like
mad underneath,” one CEO shares.
Show that you’re human, too. Cold
efficiency will have short-term
gains but long-term negatives,
including the loss of valued
employees. After the founder’s
unexpected death, a company’s
lead director became acting CEO
to secure customer and employee
confidence. Several months later,
the dynamic, aggressive young
president was promoted.
The compassion of good leaders
is readily evident; they don’t
wait for directors to tell them
appropriate actions. Speed of
response is important—delays to
assess “potential legal issues can
be callous,” one director said.
“We’ll generally support a CEO’s
decision…don’t wait to ask us.”
Thus the board applauded the
CEO who paid the full salaries of
employees called to service in Iraq.
Symbolic acts may also illustrate
compassion, concern and help
expedite recovery. Don’t forget
the importance of honesty—with
employees and the public.
A crisis puts a company
in the spotlight
Customers, suppliers, employees’
families and others close to the
company are greatly influenced
by management behavior. It’s
thoughtful to change the company
voicemail and provide information
so that worried family and friends
will know more: “It’s Monday,
there’s no power, but everyone’s
ok. It’s Tuesday, the sun’s up
under stress and a very private
executive may not seek needed
input and help. In this instance,
“a little knowledge” can provide a
better understanding of behavior
during difficult times.
and we hope to be operating by
Wednesday.”
Ensure training for difficult
situations at all levels
Set up call centers to answer
questions, modify websites and
otherwise employ technology to
let people know they’re valued.
And don’t forget to update
employees in other locations. Law
enforcement has learned to give
regular, frequent updates to keep
people advised and minimize
stress. People remember big and
small gestures. Indeed when I
was exposed to anthrax after a
CBS Marketwatch interview, the
network executives’ actions to
reassure me were so commendable
I remain an avid CBS fan (even
working praise into this article.)
In addition to disaster drills, add
survival exercises to your offsites, executive training and other
development programs. Used for
years to foster teamwork and as
ice-breakers, these exercises have
additional value given today’s
numerous crises. Ensure that
leadership programs include
a segment related to behavior
and crisis management. Since
corporations have experience
incorporating broader concepts
like ethics, diversity and global
awareness, this isn’t difficult.
Whatever the vehicle, directors and
management need to ascertain that
employees are prepared for things
that aren’t likely to happen, but do.
Learn a few stress basics
Stressed people often won’t admit
they’re stressed. Don’t expect
people to perform normally after
a major event—most will be
operating at a 70% level for weeks.
People will handle a crisis better
if they have a “role,” whether
giving out water, calling people, or
other activities. Some people will
be more susceptible to significant
stress. Thus thoughtful/reflective
individuals, empathetic individuals,
and individuals without strong
support systems (family, religion,
friends) will be most impacted
by disasters. Even employees in
distant sites can become distressed
by watching television. One of the
few truisms of psychology is that
a person’s dominant trait becomes
more pronounced with stress.
Accordingly, a manager concerned
about details will micro-manage
Leadership behavior is too
important to be left to chance—
not in today’s world. Hope isn’t a
strategy for anyone, certainly not
for those in charge.
Dr. Dee Soder is founder and managing partner
of the CEO Perspective Group, an executive
advisory and assessment firm for top executives,
companies and boards. The pioneer of executive
coaching, Soder has helped leaders better manage
business interruption and traumatic events
for decades. Since 1976, she has also worked
extensively with federal, state and local (NYC
& DC) law enforcement agencies. A Directors
& Boards contributor (“Ready, Fire, Aim” and
“Early Warning Signs”), she is a director of
several nonprofit boards. She can be reached at
[email protected].
Boardroom Briefing: Business Continuity and Disaster Recovery
The Right Connections,
The Right Choice for
Your Business
Business Continuity
via Satellite
We live in an unpredictable world. Even the most reliable landbased data and voice infrastructures can be disrupted by
natural or manmade disasters.
SES AMERICOM’s satellite-based Business Continuity Solutions is
the smart way to stay above the uncertainties of terrestriallybased communications. And the most secure solution to avoid the
loss of mission critical communications in data, voice, video or IP.
When your business is providing the right connections, it's what
you know that really counts. Since 1973, SES AMERICOM has
known more about satellite communications and how to put it to
work for your business than anyone else in the industry.
For a free cost-benefit analysis of your situation, please call
+1-609-987-4555 or send an e-mail directly to:
[email protected].
Our highly trained team provides 24/7 support for Disaster
Recovery or relief of network overload, with regional,
continental or transoceanic coverage.
www.ses-americom.com
Our Business is Connecting Yours
Conducting a Business Continuity Plan Audit
By Ted Brown
There are no “generally accepted principles” with which to analyze business continuity.
I
Ted Brown
n a recent
survey, 37
percent of chief
financial officers
perceived their
firms to be most
vulnerable in the
area of disaster
preparedness and
recovery.
The survey reflects the anxiety of
many executives concerning the
state of their company’s business
continuity plans. Why the concern?
Because experts estimate that 50
percent of companies without
business continuity plans go out of
business within two years following
a disaster.
Just as companies conduct regular
audits of their financial controls,
they should also examine their
business continuity plans, ensuring
that critical business functions
can be conducted in the event of a
disaster, or other major disturbance.
While, unlike finance, there are
no “generally accepted principles”
with which to analyze business
continuity, the following questions
should assist corporate directors in
assessing their company’s business
continuity posture.
What are the business continuity
objectives?
Like any business plan, a business
continuity plan is designed to
address specific business objectives.
These objectives should be outlined
in the plan, and reflect the consensus
of senior management relative to
10
Any change that affects critical business
functions should trigger an automatic review
of the business continuity plan.
present recovery priorities.
Each of the objectives should be:
•S
pecific, such as “restore accounts
receivable,” and
•M
easurable, such as “within one
business day.”
If the business continuity objectives
are not enumerated in the plan, the
plan cannot be properly evaluated.
Is the business continuity plan
capable of satisfying the stated
objectives?
The business continuity plan, for
example, may call for the restoration
of e-commerce operations within
twelve hours. If the data center
supporting these functions is
destroyed by a tornado, or terrorist
bomb, can essential e-commerce
activities be restarted within the
twelve-hour recovery window? If the
answer is no, then the plan objective
is too ambitious, or the recovery
scheme inadequate. In either case,
the plan won’t work.
Is the business continuity plan
relevant to everyday employees?
More specifically:
•A
re company personnel aware of—
and familiar with—the business
continuity plan?
•D
id they have input into the
development of the plan?
•D
o they understand their
obligations in the event the plan
is invoked?
•A
re they comfortable with their
level of training and preparation?
•D
o they have any reservations
regarding the plan’s viability?
When was the last business impact
analysis conducted?
Normally, a business continuity
plan is predicated on the results of a
business impact analysis (BIA).
The purpose of a BIA is to identify:
•A
company’s critical business
functions, such as e-commerce
•T
he threats to these functions, such
as computer hacking
•A
ny related risks, such a denial of
service (DoS) attack, and
•T
he financial impact of a disaster,
such as lost revenue, or lost
customer confidence
Armed with this information,
business continuity professionals
can formulate strategies designed
to minimize the impact of a major
disruption, and to expedite recovery.
Like a business continuity plan,
the typical BIA suffers from a short
shelf life, and must be periodically
renewed, especially in highly-volatile
business environments. Generally
Boardroom Briefing: Business Continuity and Disaster Recovery
speaking, if the company’s BIA is
more than a year old, a new analysis
should be commissioned—followed
by an immediate update of the
company’s business continuity plan.
Is business continuity plan
maintenance tied to change
management?
To remain viable, a business
continuity plan must be revised
coincident with major organizational,
system, or business changes. These
changes may include:
•T
he opening of a new office
•T
he introduction of a new product
line, or
•T
he passage of new laws and
regulations, like Sarbanes-Oxley,
which imposes new records
retention standards
Any change that affects critical
business functions should trigger
an automatic review of the business
continuity plan. Importantly, if any
plan updates are indicated, these
updates should be performed prior
to—not after—the precipitating
business change.
Is the business continuity plan tested
on a regular basis?
To remain viable, a business
continuity plan must be regularly
tested.
Importantly, the testing does
not have to be extensive or
expensive. In many cases, fullscale tests—especially those
involving IT facilities—can be
replaced by smaller-scale, “tabletop”
exercises. These scenario-based
tabletop drills are especially useful in
establishing an organization’s ability
to adapt to a rapidly evolving disaster
environment. After all, in a real
world disaster, it may be necessary
to rewrite portions of the business
continuity plan, literally “on the fly.”
Does the business continuity plan
require periodic retrieval and
testing of offsite storage media?
The data backup and recovery
process is notoriously unreliable.
Despite that fact, many IT
departments adopt a “tape it and
forget it” attitude, refusing to test the
integrity of off-site storage media.
The business continuity plan should
provide for the random retrieval and
testing of backup volumes.
Does the business continuity plan
offer sufficient detail?
One revealing test is to determine if
the plan can be executed by “non-
Boardroom Briefing: Business Continuity and Disaster Recovery
experts.” Planners often cut corners
during the documentation phase,
depending on the availability of
subject-matter experts to “fill in
the blanks” if the plan is invoked.
Unfortunately, many of these experts
may not be available in the aftermath
of a disaster, leaving plan activation
and execution to junior staffers. As a
result, the documentation should be
geared to lower level personnel.
Does the business continuity plan
provide for adequate post-disaster
security?
In addition to disrupting business
operations, large-scale disasters often
disturb security operations. For
11
example, in many cases, buildings are
destroyed and sensitive documents
are exposed to the elements—
including the criminal element. Given
the generally chaotic atmosphere
that accompanies a recovery effort,
normal levels of security should be
maintained—even enhanced.
Where is the backup backup site?
Many companies rely on commercial
“hot sites” to restore critical IT
operations in the event of a data
center disaster. The “primary” hot site
is frequently located within a hundred
miles of the affected facility, enabling
ready access by data center personnel.
Clark
In the event of a regional disaster,
affecting multiple hot site
subscribers, the primary site may
be unavailable, forcing a company
to relocate its operations to a
“secondary” site, which may be a
thousand miles away. The business
CC5020
R 11/30/05
1:17allow
PM Page
1
continuity
plan should
for this
possibility, discussing, for example,
an alternative staffing strategy.
Does the business continuity plan
consider mobile computing resources
as potential recovery assets?
Most large companies support a
network of telecommuters or other
distributed workers. Mobile and
wireless computing assets can be used
to affect a partial, low-cost recovery
strategy, and their deployment for that
purpose should be explored in the
business continuity plan.
Does the business continuity
plan provide for the failure
of key business partners?
In the world of the “virtual
corporation,” it’s not enough for
a company to plan for its own
recovery. It must also consider the
impact of disasters affecting key
business partners.
To accomplish this goal, a company’s
business continuity plan must:
•P
rovide for periodic audits
of business partner business
continuity plans, and
• I nclude recovery plans designed
to mitigate the impact of a major
business partner failure
Typically, a business partner
recovery plan consists of identifying
an alternate source supplier, and
establishing a procedure for engaging
that supplier if the need arises.
Does the business continuity plan
encompass non-electronic records?
In case you missed the memo,
paper documents still account for a
sizable portion of a company’s vital
records. The business continuity plan
should address the preservation and
restoration of paper, or other hardcopy
material, probably by means of
electronic document imaging.
When the old answers don’t address the new issues, it’s time to
12
Boardroom Briefing: Business Continuity and Disaster Recovery
Does the business continuity plan
encompass “print-to-mail” facilities?
Every day, companies print and
mail billions of invoices, financial
statements, healthcare documents,
payroll checks, and other vital records.
These documents are imaged, printed,
sorted, and mailed to customers,
shareholders, regulatory agencies,
employees, and business partners.
Remarkably, the facilities, equipment,
and systems responsible for performing
these critical functions (generically
“print-to-mail”) do not enjoy the same
business continuity protection as their
data center counterparts. According to
the Disaster Recovery Journal, nearly
82 percent of backup providers do not
support the printing and mailing of
bills and statements.
Does the business continuity plan
encompass non-IT assets?
Traditionally, business continuity
plans have addressed the recovery of
information technology assets. But
disasters can claim non-IT assets,
such as:
•M
anufacturing plants
•V
ehicles and equipment
•R
esearch and development
laboratories
•R
aw materials, and
•P
roduct inventory
Does the business continuity plan
address the protection of these nonIT resources? If not, why not?
Does the business continuity plan
promote risk mitigation measures?
Since not all disasters can be
avoided, part of the business
continuity plan should be devoted to
lessening the impact of a disaster.
One common device is encouraging
the decentralization of critical assets.
The plan, for example, should
discourage the creation of large,
central file rooms in favor of smaller,
more distributed storage sites. In this
way, a facility fire could only claim a
portion of a company’s vital records.
In the case of existing central file
rooms, the plan should encourage the
deployment of adequate fire detection
and suppression equipment.
Does the business continuity plan
provide for “disruptions?”
Most business continuity plans
cover catastrophic incidents,
such as earthquakes, hurricanes,
tornados, floods, fires, bombings,
etc. Most companies, however,
will never experience a disaster of
these proportions. Instead, they will
suffer a series of smaller—but still
expensive—disruptions, such as:
•P
ower outages
•S
torm-related travel difficulties
(continued on page 34)
innovate
© 2006
Today’s Directors need new insights, new ideas, new tools.
That’s why so many turn to Pearl Meyer & Partners.
Faced with demanding new guidelines and regulations, plus increased
pressure on the bottom line, it’s more important than ever to work with advisors who can provide real
innovation in planning and executing compensation programs. That’s why more and more Boards are
turning to Pearl Meyer & Partners, a Clark Consulting practice.
PM&P serves as trusted counsel to Board Compensation Committees and senior executives of leading
public, private and not-for-profit companies. They rely on our expertise. Our independent advice.
And our track record of creating innovative solutions focused on business results.
As new challenges arise, don’t hesitate – innovate. Call 508-460-9600 or register online for more
information and the latest issue-driven White Papers at pearlmeyer.com.
Boardroom Briefing: Business Continuity and Disaster Recovery
13
Business Continuity, Homeland Security
and Corporate Governance
By Joe D. Whitley
With terrorist threats increasingly frequent and well-publicized, directors and officers will have a hard
time claiming that corporate risk management did not need to include emergency preparedness.
O
n a Sunday
afternoon
in August
2004, Homeland
Security Secretary
Tom Ridge held a
press conference to
announce that the
alert level on the
Homeland Security
Joe D. Whitley
Advisory System had
been raised to “orange,” the second
highest level. Unusually specific
information from reliable sources,
confirmed by multiple intelligence
streams, suggested that terrorists
were plotting a strike against financial
centers in New York City, northern
New Jersey, and Washington D.C.
Wall Street increased security to
unprecedented levels, leaving some to
wonder if the police outnumbered the
floor traders. Similar measures were
taken in Washington, a city already
bristling with barriers and patrols.
For companies and executives who
are in the bull’s-eye of the terrorist
threat, the warning brought home
the importance of security and
business continuity planning for
financial markets. For America’s
premier financial service providers—
the members of the New York Stock
Exchange (NYSE) and the National
Association of Securities Dealers
(NASD)—business continuity
(BC) is no longer an option or
just the domain of the corporate
security department. It is a critical
component of corporate governance
and market stability.
As an aside natural disasters like Katrina and
Rita present very similar concerns to corporations and
businesses.
14
The federal government—and particularly
the Department of Homeland Security—
needs industry’s participation and support to
make the country secure.
Self-regulation and
Business Continuity
Both the NYSE and the NASD are selfregulating organizations that require
compliance with practices, standards,
and policies as a prerequisite for
membership. In response to 9/11,
the NYSE and the NASD began
formulating new business continuity
requirements for broker-dealer
members. Rule 446 for NYSE
members and Rules 3510 and 3520
for NASD members address business
continuity and contingency planning
and are very similar in substance. The
new rules recognize that there is no
cookie-cutter approach to planning
and therefore account for flexibility
in business continuity design and
implementation. But these rules
require that, at a minimum, each
firm’s plan contain ten elements:
•D
ata back-up and recovery (hard
copy and electronic)
•M
ission-critical systems
•F
inancial and operational risk
assessments
•A
lternate communications between
customers and member
•A
lternate communications between
the member and employees
•A
lternate physical location of
employees
•C
ritical constituent, bank and
counter-party impact
•R
egulatory reporting
•C
ommunications with regulators
•A
plan to assure customers’ prompt
access to their funds and securities
in the event that the member
determines that it is unable to
continue its business elements.
Members of the NYSE and NASD
must also publicly disclose the
general configuration of their
business continuity plan. Pursuant to
its statutory authority, the Securities
and Exchange Commission approved
the NYSE’s and the NASD’s business
continuity rules on April 7, 2004.
At least in concept, forcing business
continuity into the open serves
as a de facto incentive to take the
rules—and homeland security
preparedness—seriously. There is an
implicit reliance on market forces:
it is assumed that if the public can
compare business continuity plans,
rational consumers will prefer to
do business with those members
whose plans are the strongest.
Equally rational business leaders, in
an attempt to capture competitive
advantage, will establish robust
plans. Considering that e-commerce
Securities and Exchange Act Release No. 34-49537
(April 7, 2004), 69 FR 19586. April 13, 2004. See also
NYSE Information Memo 04-24 as well as NASD Notice
to members 04-37. May 2004
Boardroom Briefing: Business Continuity and Disaster Recovery
These days, directors face
sizeable responsibilities
and risks.
How well is your
board performing?
Are you at risk?
companies and Internet Service
Providers routinely use this type of
security-related marketing, it soon
may become prevalent among the
largest financial institutions, all of
which are members of the NYSE
and the NASD. Any act of terror on
American soil would accelerate this
process.
Private-Sector
Responsibility
The business continuity initiatives
in the financial services sector
highlight a significant issue for other
business sectors: Even in the absence
of regulation or statute, should
corporations implement a business
continuity plan as a matter of sensible
corporate governance and sound
policy? The answer clearly is yes.
The federal government, and
particularly the Department of
Homeland Security, needs industry’s
participation and support to make
the country secure. The owners
and operators of obvious targets—
power plants, chemical facilities,
telecommunication centers—have
been tightening their defenses and
have developed (or contracted for)
business continuity plans.
Yet, with finite budgets and only
a transient sense of threat, most
corporations have not initiated
business continuity planning for
the post-9/11 era—robust, tested,
enterprise-wide programs that
protect facilities, people, and which
would permit the rapid resumption
of business if an attack occurred.
Many companies still don’t quite get
it: business continuity is a strategic
investment, and its dividends will
be evident during an attack, and
economically and legally, in the
aftermath of a terrorist event. For
example, when a cascading grid
failure left tens of millions of people
in the U.S. and Canada without
electrical power in August 2003,
corporations without business
16
continuity plans suffered. Without
electricity to run computers,
commerce simply stopped.
Not so for the New York brokerage
firms that had aggressively invested
in business continuity after
September 11. That preparedness,
including installation of emergency
generators and back-up trading
systems, allowed commercial
transactions to continue with
minimal interruption. Considering
the financial losses brokerage firms
sustain from even an hour of missed
trading, investments in business
continuity paid for themselves many
times over in that one event. Indeed,
the 2003 blackout and the business
continuity success stories within the
financial services sector accelerated
the NYSE’s and the NASD’s adoption
of business continuity rules for the
industry as a whole.
SEC Oversight and
Legislation
SEC Chairman Chris Cox, who prior
to his appointment was chair of the
House of Representative’s Committee
on Homeland Security, may be
just the person who will trigger
consideration of homeland security
as a “material” matter in 10K reports.
Chairman Cox is well aware that 85
to 90 per cent of America’s critical
infrastructure is owned by the private
sector. He, too, is familiar with the
post 9/11 legislation that increased
the responsibility of businesses that
provide financial services, transport
hazardous waste, provide and
maintain maritime facilities ranging
from ship terminals to storage
facilities for LNG to refineries. All
of these industries and many others
are to some extent regulated by the
Department of Homeland Security
and it is likely that chemical plant
security will soon be regulated by
the Department.
As these legislative efforts increase
the responsibilities of the private
sector to make homeland security
a priority it makes good sense to
have in place security programs that
will reduce their vulnerability to the
consequences of the next terrorist
attack. Contingency planning
to assure business continuity in
addition to should include some of
the following:
• I nsurance—Does it adequately
cover business interruption costs?
Are the terms and provisions
written in a manner favorable to
quick recovery?
•S
upply chain—Is it capable of
restoration after a terrorist event?
Are there components and parts
coming across U.S. borders that
may be closed?
•M
arket resilience—Will the
customer continue to purchase
products and services after a
terrorist event?
Implementing a business continuity
plan also may have legal significance
for a corporation. Because
business continuity recognizes
risk and mitigates it, the creation
and implementation of such a
plan may help a corporation
discharge its corporate governance
responsibilities to customers and
shareholders alike. The concept
is only now being tested in the
courts, but the normal standard of
corporate responsibility—focusing
on acknowledging and responding
to knowledge of a threat—likely will
be applied here, diminishing liability.
With terrorist threats increasingly
frequent and well-publicized,
directors and officers will have a
hard time claiming that corporate
risk management did not need to
include emergency preparedness.
The Spectre of SOX
There is not yet regulatory linkage
between homeland security
governance and Sarbanes-Oxley
but it is likely that it would parallel
developing SOX compliance in
(continued on page 34)
Boardroom Briefing: Business Continuity and Disaster Recovery
When Disaster Strikes:
Are You Sure that Your Business is Adequately Insured?
By Peter M. Gillon and Brian G. Friel
What companies must do to prepare for the next catastrophic loss
9
/11, and
the recent
devastation
inflicted by
Hurricanes Katrina
and Wilma, have
forced companies
across the United
States to take a hard
look at how they
Peter M. Gillon
manage the risk
of disaster—both
man-made and
natural. Of all the
tools available to
manage catastrophic
risk, none is more
important than
property insurance.
This is the one risk
management tool
Brian G. Friel that can ensure the
survival of a corporation following the
devastating effects of a terrorist attack,
hurricane, earthquake, tornado, or fire.
Unfortunately, the number of coverage
disputes and unpaid claims related to
September 11 and the recent hurricanes
losses suggests that companies
too often overlook or simply fail to
understand the critical details of their
property insurance programs.
Far too often companies wait until after
a disaster strikes to determine what
they need to do to adequately prepare,
evaluate and present their claims to
their insurers. When disasters like
September 11 or Hurricane Katrina
hit, many companies find themselves
playing “catch-up” and lose valuable
time in adjusting their claims as a result.
More than 30% of all businesses that close
down following a disaster never re-open again. ALFA
Insurance, “Can Your Business Survive a Natural Disaster?”
http://www.alfains.com/business.
It is imperative that the waiting period
is expressed as total hours or even days
rather than in business hours.
This is understandable. In the
immediate aftermath of a large-scale
disaster, directors and officers are
pressed by other competing and vital
matters impacting their companies,
such as employee deaths and
injuries, employee relocations, office
relocations, customer issues, media
inquiries, and the like. This is why
a clear, coherent risk management
plan in advance is essential to
maximize and expedite insurance
recovery during a crisis.
Many companies have developed a
disaster response protocol, to be put
in place in advance of a disaster. A
claim team should be identified and
assembled in advance, setting forth
the roles of the risk manager, the
general counsel and other response
personnel. Pre-determine what you
need to do, and by when, with
respect to notifying the insurers of
the loss. Have a process in place to
obtain, analyze and maintain the
necessary documentation to support
your claims. Establish accounting
procedures for capturing loss
expenses accurately and efficiently.
Establish communication protocols
internally and externally.
Insurance Coverage Issues
There are many issues to consider
in evaluating a property policy,
including whether it provides the
broadest coverage available at a
reasonable cost. Below are some
Boardroom Briefing: Business Continuity and Disaster Recovery
of the most important policy
considerations that are not being
adequately addressed in the
underwriting process.
Hurricane Deductibles and Sublimits.
Many commercial property policies
contain a deductible for hurricanes
(or “windstorms”) and other specific
perils, based on a percentage of “total
insured value” or “total insurable
value” (“TIV”), rather than based on
a flat dollar amount. This deductible
is typically between 2%-5%. Thus, for
example, if a policy’s deductible for
hurricanes is 5% of TIV and the total
limits of the policy are $60 million,
an insured would be responsible for
the first $3 million of damages. For
many small- to mid-sized claims, this
deductible effectively acts as a bar to
coverage. One possible modification
is to negotiate a lower deductible
percentage; another is to reduce the
limits for purposes of the deductible.
Another common feature of
commercial property policies is a
sublimit (i.e., a lesser amount) for
hurricanes and other perils. In light
of the extremely active hurricanes
in Florida and along the other parts
of the Gulf Coast over the last few
years, it is imperative that companies
operating in hurricane regions reevaluate their sublimits, if any.
In the wake of the vast number of
claims filed because of Hurricanes
17
Katrina and Wilma, many insurers are
attempting to apply the percentage
deductibles to the total limits available
under a policy even though the
insured is only entitled to a lesser
amount contained in a sublimit.
Using the example above, if the policy
has total limits of $60 million but a
$10 million sublimit for hurricanes,
insurers often are applying the
5% deductible to the $60 million
(resulting in a $3 million deductible),
rather than applying the 5% to the $10
million sublimit, which are the actual
limits available, which would result in
a deductible of only $500,000. Again,
rather than wait for a disaster to hit, it
is critical to clarify the language in the
policy now to make sure that “TIV”
refers only to the total limits available
for a particular claim, including any
sublimits.
Business Interruption—Waiting
Periods. Some policies impose a
waiting period (e.g., 24 hours or 72
hours) before business interruption
(or lost business income) losses are
recoverable. The purpose of waiting
periods is to ensure that the loss is
of a minimum magnitude before
coverage is triggered. Insurers do
not want to expend the resources
necessary to evaluate a business
income claim in situations where a
company is down for less than one
or two days.
There are two very important
considerations for directors. First,
it is imperative that the waiting
period is expressed as total hours or
even days rather than in business
hours. For example, certain policies
state that the waiting period is “72
business hours,” and certain insurers
have argued that it is equivalent
to nine calendar days for those
businesses that do not operate on a
24-hour cycle. Second, some insurers
have argued that the waiting period
acts as a deductible. Thus, for
example, with a policy that has a 24
hour waiting period and an insured’s
business was closed for three days,
rather than compute income for the
full three days, some insurers have
argued that the policies only cover
lost income for the last two days.
It is essential that the policies be
clear that once the waiting period
has been met, the policy covers lost
income incurred starting on day one.
Business Interruption—Total
Suspension vs. Partial Interruption.
A key issue with business
interruption coverage is whether the
policy requires a total suspension
of your operations, or whether it
also covers partial interruptions of
your business. Most policies cover
only “actual loss of business income
you sustain due to the necessary
suspension of your operations”
from the date of the loss to the date
the property should be repaired
or replaced. Some policies contain
broader language, covering business
interruption losses when the
policyholder is “wholly or partially
prevented” from producing goods
or continuing business operations
or services. Considering that a
significant number of claims involve
an interruption of only a portion of
a company’s business, such as the
partial shutdown of a factory or a
wing of a hotel, it is important to
make sure your policy covers for
partial interruption.
The question every CEO, board
member, general counsel and risk
manager must ask is this: if your
office building, hotel, factory or
distribution center is destroyed
tomorrow by a hurricane, earthquake
or terrorist attack, will your claim
team be ready to respond immediately
and will your insurance cover both
the physical damage to your property
as well as the resulting lost business
income? Recent experiences have
shown that many companies are
not ready to evaluate, prepare or
submit their claims, and that there
are significant gaps in coverage that
otherwise could have been addressed
in the underwriting/renewal process.
It is imperative that companies,
working with their brokers and
outside counsel, start to address these
issues now in order to better prepare
themselves for the next disaster.
Peter M. Gillon is a shareholder in the Washington,
DC office of Greenberg Traurig, LLP and Brian G.
Friel is of counsel in the Washington, DC and the
Morristown, New Jersey offices of Greenberg
Traurig, LLP, where they counsel corporate
policyholders on the procurement of all lines
of insurance, including property and business
interruption policies, and prosecute coverage
disputes on behalf of their clients. They currently
are handling some of the largest claims arising
from the September 11, 2001 terrorist attacks
and Hurricanes Katrina and Wilma, along with the
hurricanes that struck Florida in 2004.
Subscribe to Directors & Boards!
Directors & Boards is the thought leader
in corporate governance, written by and for board members.
Individual subscriptions: $325 annually • Full board subscriptions: $2500 annually
Subscribe by phone at (800)637-4464, ext. 6072
or online at www.directorsandboards.com
18
Boardroom Briefing: Business Continuity and Disaster Recovery
The Directors & Boards Survey:
Business Continuity and Disaster Recovery
Methodology
Business Continuity Programs
This Directors & Boards survey was
conducted in February 2006 via the
web, with an email invitation to
participate. The invitation was emailed
to the recipients of Directors &
Boards’ monthly e-Briefing. A total of
332 usable surveys were completed.
How important is
business continuity
planning/disaster recovery
to your company?
Somewhat
important
About the respondents
(Multiple responses allowed)
A director of a publicly held company 28.2%
A senior level executive (CEO, CFO, CxO)
of a publicly held company 9.2%
A director of a privately held company 36.2%
A senior level executive (CEO, CFO, CxO)
of a privately held company 23.9%
A director of a non-profit entity 27.6%
Institutional shareholder 4.9%
Other shareholder 17.8%
Academic 8%
Auditor, consultant, board advisor 23.9%
Attorney 6.7%
An investor relations professional/officer 1.8%
Other 9.2%
Revenues
(For the primary company of the respondent)
Average revenues: Less than $250 million $251 million-$500 million $501 million to $999 million $1 billion to $10 billion More than $10 billion $2.773 billion
57.1%
9.8%
8%
19.6%
5.5%
Board Service
(Average number of boards respondents serve)
Public Company: Private Company: Charitable Total: 1.21
1.53
1.59
4.33
16.0%
Important
Not
important
3.5%
Extremely
important
52.8%
27.8%
Does your company have a
business continuity management
program?
No 19.3%
In process of creating 26.9%
Yes, plan in place for less than year 13.1%
Yes, plan in place for more than a year 39.3%
Other 1.4%
Does your company have a disaster
recovery plan?
No 24.3%
In process of creating 23.6%
Yes, plan in place for less than year 13.9%
Yes, plan in place for more than a year 36.1%
Other 2.1%
Does your company have a crisis
management plan?
Does your company have an executive
transition/leadership plan in the event
of the sudden death of key leaders?
No 28.1%
In process of creating 23.3%
Yes, plan in place for less than year 11%
Yes, plan in place for more than a year 36.3%
Other 1.4%
No 37.9%
In process of creating 21.4%
Yes, plan in place for less than year 11.7%
Yes, plan in place for more than a year 26.9%
Other 2.1%
Boardroom Briefing: Business Continuity and Disaster Recovery
19
If you answered yes to any of the above questions, does
your company test these plans on a regular basis?
35
If you answered yes to any of the above questions, have
your company’s plans been shared with employees?
34.1%
30
20
6.5%
5
0
Yes, more Yes, once Yes, less
often than a year often than
once a year
once a year
No
Does
not apply
How do you rate your company’s ability to recover from a
natural/manmade disaster or business interruption?
50
How do you rate your company’s management’s ability to
calmly lead in times of crisis?
60
40
34.0%
30
52.4%
50
41.7%
40
30
20
34.5%
20
12.5%
10
0
Excellent
9.7%
Good
Fair
2.1%
Poor
Other
(Other answers included: “Our plan is untested.”)
How quickly do you estimate your company can recover
from a significant/major business interruption?
Weeks
Months
Other
17.9% 5.5%
4.8%
Minutes
0.7%
Hours
Days
49.0%
22.1%
11.0%
10
0
Excellent
Fair
Poor
Other
How effectively are 3rd party partners, vendors and
service providers integrated into your company’s business
continuity/disaster recovery planning?
50
45.8%
40
30
10
(Other answers included: “Depends on the event–could be
minutes to weeks.” “We can recover from an IT disaster pretty
quickly. Loss of a plant would take much longer. By the way, we
test IT disaster recovery once or twice a year, but do not test loss
of a building or senior manager.”)
Good
0.7% 1.4%
(Other answers included: “Like everyone, I think it is good;
but probably could be better.”)
22.9%
20
20
52.8%
20.6%
13.8%
10
Yes
No
19.6%
15
17.6%
14.7%
26.1%
25
Does not apply
Don’t know
0
13.9%
11.8%
5.6%
Very
Somewhat Not very
effectively effectively effectively
Not at all
Other
(Other answers included: “Not certain.” “We are working on
the plan at this time and will address 3rd party partners,
etc.” “Don’t know.”)
Boardroom Briefing: Business Continuity and Disaster Recovery
Board Responsibility in
Business Continuity/
Disaster Recovery Planning
What, in your opinion, is your board’s
responsibility in business continuity,
crisis management and disaster
recovery planning?
The board should take primary
responsibility, directing management 15.9%
Management should take primary
responsibility, advising the board 79%
Other 5.1%
(Other answers included: “It will
depend on the nature of the disaster.”
“Management should take primary
responsibility with the board having the
responsibility to ensure that this is done.”
“It should be a collaborative effort.”)
Does your board have a dedicated
business continuity or risk
assessment committee or a board
member tasked with this issue?
Other
Not applicable
5.1%
2.9%
Yes
22.5%
No
69.6%
(Other answers included: “Audit
committee periodically reviews the
plan.” “For now, risk assessment has
only been assessed by IT manager with
outside consultants as backup.”)
Other
Not applicable
Do you market your
company’s business
continuity/disaster
recovery plans as
a benefit to your
company’s customers?
11.8%
2.8%
Yes
12.5%
No
72.9%
Who’s responsible for informing the How often is business continuity
board of risk issues at your company? planning/disaster recovery on the
(Multiple responses allowed.)
agenda for your board meetings?
Board committee 15%
Designated board member 7.1%
CEO 72.9%
CFO 35.7%
Internal Auditor 27.1%
Chief Risk Officer 7.9%
Chief Legal Counsel 24.3%
External auditor 20%
Business unit leaders 13.6%
Other 7.9%
As needed 21.6%
Every meeting 0.7%
At least once per year 36%
Less often than once per year 20.9%
It’s never been on the agenda 14.4%
Other 6.5%
(Other answers included: “Never was
included.” “ Formally, twice a year.” “In
connection with strategic plan reviews.”)
If you serve on multiple boards, do
you see major differences among
the companies you direct in terms of
business continuity planning/disaster
How important is business continuity recovery?
Don’t serve
Not applicable
planning to your board?
on multiple
(Other answers included: “Probably
the CFO and CLC.” “President & COO.”
“Employees.” “CIO.” “Board at large.)
Extremely important23.6%
Important
40.7%
Somewhat important21.4%
Not important
12.1%
Other2.1%
Boardroom Briefing: Business Continuity and Disaster Recovery
boards
15.3%
No
16.8%
24.1%
Yes
43.8%
21
Compare this expenditure to the
prior year.
Thinking about the year ahead, rate how likely it is that each of the
following events would occur and have an impact on your company’s
business operations.
We budgeted more
on business continuity programs 18.3%
We budgeted less
on business continuity programs 9.2%
We budgeted approximately
the same amount 23.7%
We do not budget
for business continuity programs 43.5%
Other 5.3%
Very Likely Somewhat Likely Not Very Likely
A terrorist attack abroad
A terrorist attack in the US
A manmade disaster
(electronic or otherwise)
A natural disaster
8%
6%
15%
35%
77%
60%
10%
54%
36%
12%
50%
38%
General Business Continuity If yes to any of the above, what do
you estimate the total cost of these
Questions
Has your company been affected by
any of the following interruptions in
the past year?
(Multiple responses allowed.)
Natural Disaster 27.7%
Technology failure 26.2%
War 1.5%
Terrorist activity 3.8%
Information security breach 10.8%
Human error, resulting in major
business interruption 10.8%
Labor dispute 6.2%
Power failure 34.6%
An interruption in service from a
third party partner or vendor 17.7%
Loss of key personnel, through death
or unplanned resignation 20%
Business partner failures 6.9%
Loss of high-value customers 10%
Weather-related disruptions to operations28.5%
None of these occurred to my company 20.8%
Other 6.2%
(Other answers included: “Short term
outages.” “Maintenance/facilities issues.”
“Rail disruptions.” “Major rail accident
caused by the railroad company that
resulted in a chemical car containing our
product being breached leading to the
death of 9 people.” “Fire.”)
22
interruptions was to your company?
Less than $100,000 40%
$100,000-$500,000 17.5%
$500,000 to $1 million 7.5%
$1-5 million 9.2%
$5-10 million 4.2%
More than $10 million 2.5%
Not applicable 19.2%
Within your company, how many
employees do you estimate are
dedicated to business continuity
planning/disaster recovery?
2-5
1
17.4%
8.3%
None
6-10
More
than 10
It’s part of
some people’s
full time
5.3%
jobs
3.0%
46.2%
19.7%
What do you estimate your
company’s annual budget to be for
business continuity planning/disaster
recovery planning (not the cost of an
Please rate your company’s internal
interruption)?
communication to and training of
No budget 40.2% employees in business continuity
Less than $100,000 31.8% planning and disaster recovery.
$100,000-$500,000 $500,000 to $1 million $1-5 million $5-10 million More than $10 million
Other 12.9%
3.8%
4.5%
0.8%
1.5%
4.5%
(Other answers included: “Not
designated as a line item.” “Don’t
know.” “We are presently trying to
determine what amount should be
budgeted for disaster recovery.”)
Non-existent
Poor
17.3%
15.8%
Fair
32.3%
Other
4.5%
5.3%
Excellent
Good
24.1%
Boardroom Briefing: Business Continuity and Disaster Recovery
Growing from Disaster Recovery
to Business Continuity?
Leading the Way—KETCHConsulting
• Senior Consultants
• Certified
• Experienced
• Knowledgeable
Contact
KETCHConsulting
Today!
(888)538-2492
KETCHConsulting • P.O. Box 641 • Waverly, PA 18471
w w w.ketchconsulting.com
Overseeing BCP:
Just One More Reason to Consider CIOs as Directors
By Jory J. Marino and Michael C. Nieset
To meet this complex new responsibility, boards should consider a relatively new kind of board
member—a current or former CIO
W
hile
spectacular
corporate
meltdowns were
leading to SarbanesOxley, a series of
other cataclysms
dramatically
emphasized the
risk of business
Jory J. Marino
disruption—and put
business continuity
planning on the
front burner for
boards. Y2K, though
it proved to be less
than met the eye,
first sounded the
alarm, followed
shortly by 9/11,
which highlighted
Michael C. Nieset the vulnerability not
only of computer networks but also
of phone, power and transportation
systems. A literal meltdown with
the power outage of August 2003
renewed fears about the stability
of the electrical grid. Continued
globalization exposed companies
to more risks in more places, while
political instability, including war in
the Middle East, turned many risks
into reality. Hurricane Katrina is only
the latest and surely not the last of
these cataclysms.
Following these upheavals, an
increase at the global, country
and state levels in regulatory
requirements for disaster recovery
planning (DRP) and business
continuity planning (BCP) has
heaped new expectations for the
scope and quality of oversight on
directors’ shoulders. Although
directors are not responsible for
directly managing and planning
for calamities, no board will enjoy
the scrutiny that is sure to follow
for having failed to ensure that
an adequate business continuity
and disaster recovery plan was
in place. To meet this complex
new responsibility, boards should
consider a relatively new kind of
board member—a current or former
CIO. Just as corporate boards
have sought financial experts to
meet their expanded fiduciary
responsibilities in the SOX era,
they must also now be prepared to
extend seats to current or former
CIOs who are best able to exercise
oversight of disaster recovery and
business continuity planning.
Although the value CIOs bring to
such oversight may be insufficient
by itself to justify adding them
to boards, that expertise joins a
growing list of areas in which CIOs
can make significant contributions
as directors, including their valuable
knowledge about how to maintain
compliance with today’s rigorous
business, financial management
and reporting requirements. A CIO’s
enterprise-wide understanding
of business and technologydriven business strategies could
prove invaluable in stewarding
a company through a natural
disaster or terrorist attack as well
as contribute substantially to the
board’s understanding of risk and
information security.
A Dearth of CIO Directors
Nevertheless, only a handful of
companies now include CIOs on
their boards. Our research shows
that among the Fortune 1000
companies, only 15 have a current
or former CIO as an external
director. Why this dearth of current
or former CIOs on boards, despite
their fitness to contribute in many
areas of oversight?
Part of the answer lies in
perceptions. Board members and
CEOs often see CIOs as exclusively
concerned with operations and
find it hard to imagine them
moving from the server room to the
boardroom. More narrowly still,
CIOs are often seen as technologists,
not strategists. CEOs want to learn
from board members and often feel
that CIOs have nothing to teach
them about business.
CIOs also lack visibility in the
networks in which CEOs and
board members move and from
which they choose directors.
Many companies like to add high-
Our research shows that among the Fortune 1000 companies,
only 15 have a current or former CIO as an external director.
24
Boardroom Briefing: Business Continuity and Disaster Recovery
profile names to their boards—and
that usually means a celebrated
CEO. Even the obvious ability
of CIOs to exercise oversight of
disaster recovery and BCP is easily
discounted by companies who may
erroneously believe that creating a
plan and signing on for backup sites
are one-time events rather than part
of an ongoing oversight process.
A Compelling Case for
Inclusion
With companies increasingly
restricting the number of boards
on which their CEOs can serve,
the pool of qualified director
candidates is shrinking. CIOs can
significantly enlarge that talent
pool. For despite all of the negative
perceptions of CIOs, those with the
right combination of experience
and talents can make substantial
contributions in a wide variety of
areas—especially risk management
and compliance as well as business
strategy—which, taken together,
add up to a compelling case for
adding a CIO director.
Since the 1990s the financial
control processes that now loom
so large in SOX compliance have
resided in ERP systems, presided
over by CIOs, who can provide
unique understanding of how to
apply those systems to SOX. The
best of these CIOs also know how
to go beyond mere compliance to
automate business processes and
financial controls to drive down the
enormous costs of compliance.
business at risk. CIOs have not
only been on the frontlines of data
security, they also understand that
ensuring data security encompasses
links in the technology supplychain that extend far beyond the
company’s control.
Data security has also moved to
the forefront of risk management,
largely as a result of high-profile
security breaches at information
companies, credit card companies,
and banks, elevating concern about
protecting the public’s personal
information. Companies that fail to
exercise diligent oversight in this
area put their reputations and their
In matters of strategy and business
acumen, the nature of global
business and technology today
ensures that CIOs in large, global
and complex organizations have
acquired skill and understanding
that far exceeds the purely technical.
Global businesses today operate
complex supply chains, manage a
variety of captive and outsourced
Boardroom Briefing: Business Continuity and Disaster Recovery
service providers, and manage
multiple distribution channels and
customer touch-points. In all of
these activities, technology plays
a central role, providing the CIO
with an enterprise-wide view of
business—and an enterprise-wide
view of risk management.
“As businesses continue to
transform from batch to real time,
risk management extends beyond
traditional BCP/DRP to include a
CIO’s ability on a board to provide
a point of view and oversight
on information, reputational,
project execution and acquisition
risks,” says James Dallas, Audit
25
Committee Member, KeyCorp
and former CIO of Georgia Pacific
Corporation. “All of these issues
have technology at their core.
The effective and innovative use
of information and technology
are the heart of strategies within
both manufacturing and service
industries. The pulse is the speed
in which technology changes,
which requires having someone
on the board who knows the
technologies that are here and
around the corner that could
transform competition.”
Finding the
Right CIO Candidate
In our experience, CIO directorcandidates with the breadth
of business and technology
understanding that are required to
make a real contribution to board
deliberations are most likely to
come from large companies, like
the Fortune 250. In these global,
complex organizations the role of
the CIO has evolved into a position
that today combines traditional
technology responsibilities with the
general management responsibilities
of a COO. These CIOs may negotiate
deals on behalf of the company
with a variety of third parties and
outsourcing organizations or they
may create a captive outsourcing
organization. To perform
successfully these CIOs must be
able to integrate their mastery
of technology, understanding of
business processes, and thorough
knowledge of the business and
industry into a comprehensive
vision of the company and execute
against it. In the largest companies
they will often know more about
the company’s business operations
than business line managers or even
the CEO.
Not surprisingly, many CIOs have
come up through the technology
ranks and then stepped into
26
CIOs in large, global and complex
organizations have acquired skill and
understanding that far exceeds the purely
technical.
broader general management roles
like COO or president of a business
unit or large division. The president
and COO of one of world’s most
successful internet companies
served as chief technology officer
in his previous company, joined
the internet company as CIO,
rose to his present position and
was recently elected to the board
of a public software company.
Sometimes the career trajectory
runs in the opposite direction. The
CIO of a leading building materials
company came up through finance
and then moved into technology
mid-career and now sits on the
boards of two companies.
But whether an individual
moves from technology to
general management, general
management to technology,
or acts as a CIO whose role is
almost indistinguishable from
that of a COO, the lesson remains
the same: The success of large
companies today greatly depends
on top executives who can operate
effectively in both spheres. Boards
can reflect that new reality by
considering candidates who have:
•O
perated an organization of scale,
where scale may be defined in
terms of geography, complexity
of the business, multiple business
units, or overall size in revenues,
capital investments, and budgets
•D
emonstrated strong financial
and operational skills as well as
knowledge of the business and
industry
•A
ddressed operational
and business risk across the many
vulnerabilities in a complex,
global organization
•M
oved up in a progressively
responsible CIO career and
later stepped into a full general
management role, or moved from
general management to absorb
technology responsibilities
•P
resided over an operation as
it globalized its business and
customer base and addressed
the impacts of sourcing and
offshoring
•D
elivered significant business
value
Such candidates not only have a
broad perspective on business, they
can also broaden the perspective
of boards at a time when effective
oversight and risk management
require a comprehensive, integrated
understanding of business and
information technology. Such
directors may not only help ensure
business continuity following
disasters but also—contrary to
narrow perceptions of CIOs—help
avert business disasters.
Jory Marino is managing partner of Heidrick &
Struggles’ Global CIO practice and New York-Park
Avenue office. Michael Nieset is a senior partner
of Heidrick & Struggles Technology and Board of
Directors practices. The authors can be contacted at
[email protected], [email protected] or
by phone at 312.496.1345.
Boardroom Briefing: Business Continuity and Disaster Recovery
12 Questions Every Director Should Ask
About Workplace Safety
By Tom Krause, John Balkcom and John Henshaw
The health and safety of the worker underpins the ability of any company to claim excellence in its
dealings with customers, employees, investors, and the public.
T
Tom Krause
John Balkcom
he
globalization
of terror, the
fear of potential
pandemics, and the
public’s concerns
over corporate
misconduct have
brought new gravitas
to the question of
safety and health
in every workplace.
To some, worker
safety may seem
a mundane issue
in an increasingly
knowledge-intensive
economy. But in
our experience, the
health and safety
of the worker
underpins the ability
of any company to
claim excellence
in its dealings
with customers,
employees,
investors, and the
public.
This article suggests
the twelve primary
John Henshaw
questions every
director should ask—and expect
to have answered thoroughly and
well—about safety in any company.
The first five frame the relationship
of safety-to-value creation. The
remaining seven address the
capabilities and processes whereby a
firm either instills safety in the dayto-day mindset of every executive
and employee—or creates an
unacceptable risk of catastrophic
failure and organizational
incompetence.
What is the relationship
between worker safety and
other performance metrics
in this company?
While this question may be
interesting from a purely theoretical
point of view, we pose it solely as
an empirical question. That is, we
seek to determine what longstanding
statistical relationship exists between
variations in safety and health
outcomes (e.g., the rate of OSHArecordable incidents) from month
to month and quarter to quarter,
and contemporaneous changes in
financial results. The latter include
earnings, cashflow (and its working
proxies, such as EBITDA), and unit
costs of production.
Our experience suggests these
merely statistical relationships
are idiosyncratic to the operations
of each company, that no two
companies have identical patterns.
Moreover, these unique relationships
when traced to root causes within
a given company can be highly
revealing of the organizational
impediments to both safety and
profitable growth.
What should our
safety goal be?
Experienced observers believe
that companies that are highly
successful in safety performance
are also successful in operational
performance. Leading companies
that are viewed as “socially
responsible” set tough targets
to challenge the organization
continuously and improve safety
performance the same way they set
other operational targets.
For example, DuPont is well known
for striving to achieve zero workplace
injuries and illnesses based upon the
fundamental belief that “all injuries
are preventable.” Alcoa, under
the leadership of Paul O’Neill, set
stringent goals for safety and reduced
its lost-time incident rate from 1.86 in
1987 to 0.12 in 2002.
Even the largest and most traditionbound organizations are capable
of order-of-magnitude changes in
safety performance. In addition to
ensuring that a safety goal is set,
a director should feel free to ask
what benchmarking was done in
establishing a safety goal, what
such a change would mean in his
or her company, what is blocking
its accomplishment, and when a
Experienced observers believe that companies that are
highly successful in safety performance are also
successful in operational performance.
Boardroom Briefing: Business Continuity and Disaster Recovery
27
new level of accomplishment can be
achieved and sustained.
How do we know we’re
being preventative in our
safety efforts and how do
we measure exposure to
hazards in the absence of
injuries or illnesses?
Virtually every event that results
in a workplace injury or illness is
preceded by lower level decisions and
outcomes that increase the likelihood
of failure in safety. The catastrophic
failure—the death of a worker or a
serious injury—can be seen as the
Virtually every
event that results
in a workplace
injury or illness is
preceded by lower
level decisions
and outcomes
that increase the
likelihood of failure
in safety.
tip of an iceberg undergirded by an
architecture of behaviors, practices
and outcomes that made the greater
loss predictable. Leading indicators
of lower-level safety decisions reveal
the organizational culture that gives
rise to the costly failure. Directors
should ask what leading indicators
are predictive for their organization,
including measures related to
organizational culture and safety
climate. Then they should ask what
is being done to move those leading
indicators, how they are changing
over time, and what the readings
were before the most recent major
safety failure.
28
Directors should ensure that the
organization fully understands what
goes on in the places where workers
interact with the core technology
of the company, what we call the
Working Interface. Ultimately, safety
excellence depends on keeping the
Working Interface free of hazards,
which include the facility, the
equipment and the behavior of the
worker.
What is our exposure to a
catastrophe such as Bhopal?
The failure to anticipate an incident
of catastrophic proportions—that is,
a multiple-fatality event or something
the magnitude of Bhopal—is above
all a failure of imagination. Either that
or it’s a suppression of the evidence
of leading indicators that prefigured
the likelihood of a major failure. With
reflection, any CEO, COO, and chief
safety officer should be able to tell a
director where such risks lie, what
their probability of occurrence is, and
what preventative steps are being
taken to head them off.
ensuring that the performance data
and the safety reporting are accurate.
A director with sound answers to
these first five questions should be
able to get an exact answer to the
next question, which addresses how
safety and value relate to one another
in the company. The remaining
questions deal with the reliability,
transparency, and fairness of safetyrelated decision-making in the
organization. No organization can
reasonably expect employees to take
on the task of safety—except when
the CEO happens to be in town or
the board happens to make its annual
plant visit—if it lacks integrity.
Without the historical analyses, a
clear goal, an awareness of early
indicators, a “Bhopal” assessment,
and validation of safety reporting,
an organization may be unable to
link safety and value. However,
we are convinced that the two are
closely linked and that any director
deserves and has a duty to know
the connection in a rigorous and
validated way so as to optimize
value creation for shareholders.
How do we know there’s
not fraud in our health and
How much value are we
safety reporting and that
exposures and accidents are delivering through our
not being under-reported? safety performance?
Any discussions about safety depend
on the integrity of safety reporting,
which holds the same challenges
in the verification of processes and
outcomes as financial reporting.
Indeed, safety performance is an
important measure of enterprise risk
management, and shareholders are
more watchful now for fraudulent
reporting. Just as directors now see
their responsibility and liability for
sound financial reporting, they also
sit where the buck stops in the matter
of risk management, and workplace
safety and health reporting. Both
the full board and the committee
responsible for environment, health
and safety are responsible for
Economic value analysis has
revealed the many value drivers that
support the delivery of exceptional
returns to shareholders. Within
these “value trees” a director can
see what dimensions are inherent
in the safety-related behaviors,
practices, and outcomes of the
organization. By looking at the
historical relationships between
safety and financial outcomes, as
well as the underlying causes of
shortfalls in both, a company and its
directors can assess the contribution
a safe workplace makes to the
organization’s value—or the degree
to which safety breakdowns are
inhibiting the creation of value.
Boardroom Briefing: Business Continuity and Disaster Recovery
What tone should we
set in the boardroom
about safety?
While “tone at the top” has
become a byword of the enactment
of the Sarbanes Oxley Act, it is an
essential element in the creation of
an organizational culture of safety
and incident-free operations. When
we speak of “incidents,” we are
referring to increases in exposure
or risk, some of which result in
recordable injury or illnesses or
possibly major industrial accidents.
Attention to safety in all its
dimensions, including exposures
or risk and not just recordable
injuries, starts at the top. The top
must include the representatives
of the shareholders, in essence
the owners, and not just senior
management. Setting a tone in
the boardroom favoring safety
performance means more than
just reviewing the injury and
illness statistics at each meeting
or appearing once a year at an
operating site. It means paying
attention to safety, requiring
accountability, and expecting
improved performance, without
always looking to place blame.
It’s this kind of attitude that will
make possible the improvement of
“leading” safety indicators and the
delivery of incremental safety and
organizational value.
The safety tone is set at the top,
primarily by the care and astuteness
of board-level listening both to the
safety outcomes of the organization
and to the upward communication
from operating management
about the safety climate. While
organizational culture may take
years to change, our experience
suggests that effective listening and
caring about workplace safety and
health almost immediately alters the
safety climate and sets the tone for
hazard avoidance.
The failure to anticipate an incident
of catastrophic proportions
is above all a failure of imagination.
What does management
need from the board to
achieve safety objectives?
While “attention” may seem an
obvious answer to this question,
many other answers are both
possible and more effective in
improving workplace safety and
health performance. These include:
•C
lear processes for periodic review
of safety and health outcomes at
the board level
•D
irect access for the senior safety
officer to the members of the
board, akin to the relationship of
the outside auditor to the board’s
audit committee
• I nclusion of both leading and
lagging safety and health indicators
in the board’s periodic review of
key performance indicators of the
organization
• I nclusion of safety and health
results, both leading and lagging,
in the performance management
system for the most senior officers
of the company
•A
ffirmation of leading and lagging
workplace safety and health goals
and targets at the board level, akin
to the board’s consideration and
ratification of strategic initiatives.
What is essential here is a dialogue
between senior leadership and the
board so that a fully actionable view
of the question can be formulated.
driver. Safety requires an exchange
of information among peers to
reveal the full iceberg of hazards.
Nonetheless, the board is the
principal agent for the company’s
owners, and the management serves
as agents of the board. So, no team
organization can overcome the
principal-agent chain of command
whereby the fiduciary responsibility
of the board is exercised effectively
(or not) by the directors on behalf of
the owners.
However, the location of decisionmaking power between the
boardroom level and the shop floor
differs radically from organization
to organization. That means the real
answer to “Who is driving safety?”
may differ from one company to
another. But the chain of command
governing safety is only as strong
as its weakest link. Each level of the
organization—from the boardroom
to the shop floor—must have a
tangible role in the organizational
mechanisms that assure the
minimization of exposures to hazard.
What matters most is that the
decision-making process governing
safety policies, practices, standards,
monitoring, and accountability
results in tangible steps that can be
observed, verified, and modified
as the organization learns how to
optimize its own safety performance.
Who is driving safety in the
company?
How are we protecting our
people from safety and
health risks originating
outside the workplace?
This question begs for both a
“team” answer and a “chain of
command” answer. But the answer
is that neither is exclusively the
Off-the-job injuries and absenteeism
cost companies billions of dollars
each year. Beyond routine off-the-job
injuries and illness, roughly every
Boardroom Briefing: Business Continuity and Disaster Recovery
29
Attention to safety
in all its dimensions,
including exposures
or risk and not just
recordable injuries,
starts at the top.
decade a new “X factor,” such as
a potential flu pandemic, seems
to come into play, threatening
the optimization of a company’s
human resources. Even the threat
of terrorist attacks takes its toll on a
company’s effectiveness as workers
avoid the workplace or are less
attentive to work.
In many companies injuries and
illnesses that originate during offduty hours exceed the total cost
of on-the-job injuries or illnesses.
Directors should be asking how
the company is addressing these
safety and health exposures. Is it
advocating safe driving and seatbelt
usage, as well as safe practices
around home improvement jobs
or other activities that may cause
its workers to miss work or be less
attentive while there, and increase
health care costs? In our experience,
the frequency and severity of off-thejob injuries or illnesses goes down as
the organization’s safety climate and
organizational culture improves.
Today, the Avian Flu, HIV/AIDS,
and threats of terrorist attacks
may be seemingly uncontrollable
risks for global firms. Terrorism is
now a global threat designed in
part to disrupt normal business
and economic activity. In the past,
outbreaks of Legionnaire’s Disease
in the US, and globally, smallpox
and malaria, have posed difficult
problems and placed stress on the
organization. Directors should be
asking what anticipatory planning is
30
being done and how the leadership
of the organization might respond to
such threats.
Are our employees aligned
with the board, CEO and
other leaders in our ongoing
commitment to safety
and how are we assuring
maximum employee
engagement?
Organizations that achieve safety
and health excellence find ways
to engage employees throughout
the organization. True employee
engagement creates personal
commitment and accountability,
and accountability is critical in
improving safety and creating a
performance-oriented culture. This
is equally true whether a workplace
is organized or not.
Engaging employees means more
than putting up posters or having
safety contests. Most employees
have a natural interest in their own
safety and the safety of others, and
are open to becoming engaged. But
actually engaging them requires an
organizational culture that values
safety highly, as well as leaders who
express the value consistently in the
things they say, the beliefs they hold,
and the decisions they make every
day. Directors should ask to what
extent employees are engaged in safety
improvement, how that engagement
can be measured, and what steps are
underway to improve it.
What kinds of cognitive
bias may be affecting the
quality of deliberations on
environment, health and
safety among our senior
leaders, including our own
board members?
to a variety of “cognitive biases,”
habitual and largely unconscious
ways of estimating the likelihood of
uncertain future events. Such biases
often cause wrong decisions. The
most visible recent example of this
process is the failure of the space
shuttle Columbia. The accident
investigation panel found that NASA
knew the properties of foam and the
hazard that it represented. However,
the organization gradually became
accustomed to the acceptability of
the risk of foam loss and began to
rely on its experience of successful
missions rather than its knowledge of
the actual risk. A culture developed
that allowed this risk to exist in spite
of the fact that it was known. This is
one example of a bias in judgment
that had catastrophic consequences
for the nation. The director must ask:
“Where are we subject to bias in the
way we evaluate risk and predict
the probability of uncertain future
events?”
Just asking these 12 questions
at regular board meetings and at
meetings of the board’s environment,
safety and health committee will
engender a safety climate that may
over time lead an organization to
a zero-tolerance culture for worker
injuries and illnesses. At a minimum,
they help the board in assuring its
own diligence in the oversight of
safety risks and threats, all of which
erode the ability of a company to
deliver great results.
Tom Krause is the chairman of the board and
cofounder of Behavioral Science Technology,
Inc., (BST) in Ojai, California. John Balkcom is an
independent director of Aleris International, Inc.
(NYSE: ARS). John Henshaw is the former Assistant
Secretary of Labor for Occupational Safety and Health.
A rich literature suggests that even
the most thoughtful leader is subject
Boardroom Briefing: Business Continuity and Disaster Recovery
Board Secretary
The Washington Metropolitan Area Transit Authority (WMATA) operates the second largest rail
transit system and the fifth largest bus network in the United States. America’s Transit System, a
national monument in its own right, transports more than a third of the federal government to work and
millions of tourists to landmarks in the Nation’s Capital. Metro ties the Washington region together and
opens doors to opportunities—for jobs, economic development, education, and cultural experiences.
WMATA is currently seeking candidates for the position of Board Secretary. This high-level executive
position directs and manages the staff and functions of the Office of the Secretary to ensure the
preparation and distribution of Board requests and agendas, meeting notices, and resolutions for the
Authority. The Board Secretary conducts quality reviews on all Board items, coordinates the scheduling
of board meetings, facilitates the public hearing process, and serves as the official record keeper for the
Authority and as the principal contact for the Board of Directors.
Successful candidates will have thorough knowledge of administrative systems and procedures;
the ability to conceive and implement actions that provide responsive and effective support to the
Board; demonstrated the ability to provide effective administrative support to the General Manager;
communicate effectively on Authority and Board of Director issues, and can respond to directives with
high levels of judgment, diplomacy and tact.
Minimum Qualifications
•B
achelor’s Degree in Business Administration, Public Administration,
or a related field
•T
welve (12) years of progressively responsible and diversified executive
level administrative management
•S
upervisory experience that demonstrates expertise in developing and
implementing major policies
•E
xperience in interacting with the public including external executives
and/or Board of Director members
WMATA offers competitive compensation and exceptional benefits packages.
Qualified individuals may submit a cover letter and resume to (no emails or faxes please):
Washington Metropolitan Area Transit Authority
Attention: Ms. Katrina Wiggins, Director
Office of Human Resource Management Services
600 Fifth Street NW
Washington, DC 20001
Surprises in CEO Succession
By Daniel Fairley, J.D. and David A. Bjork, Ph.D.
One of the biggest disasters that can affect any business is a disability affecting the CEO.
N
o one had
even thought
about the
possibility of partial
disability when
they developed a
succession plan for
the CEO. So when
CEO Andy Brody
recovered from a
Daniel Fairley stroke but didn’t
hit his stride again,
the board needed to
figure out what to do.
It wasn’t clear that
Andy was disabled,
so he probably
couldn’t qualify for
disability insurance.
And the opportunity
for an important joint
David A. Bjork venture meant that
the board needed to
step into the breach. While it didn’t
work out quite the way it was meant
to when the plan was developed, a
good succession plan helped.
Western HealthCare was a $1 billion
business, with the lives of thousand
of patients and the livelihoods of
5,000 employees and 800 physicians
at stake. The crisis came at a difficult
time for one of the biggest health
systems in the West.
The 55-year-old CEO of Western
HealthCare didn’t seem focused on
getting the deals done. The system
had an opportunity to forge a closer
relationship with the local medical
school. It was negotiating a merger
with the largest multi-specialty group
practice in the area. And it was
developing a new heart hospital with
its cardiologists.
The board didn’t know what to do. It
wasn’t ready to fire Andy; it couldn’t
even agree whether his lack of focus
was a lingering effect of the stroke.
Some directors thought he was
getting better and wanted to wait to
see if he returned to normal. Others
felt that they couldn’t afford to wait,
given the urgent need to settle the
three impending deals.
Andy couldn’t see that there was
a problem. He didn’t think he was
still suffering from the stroke. He’d
come back to work several months
ago and thought he was handling
everything fine. And he’d just gotten
a vote of confidence from the board
when they extended his contract for
another three years.
Difficult Decisions
There was a succession plan in place,
but the board was having difficulty
making a decision. The plan called
for naming 42-year-old COO Sue
Jensen the interim CEO, at least, if
not actually giving her the job on a
The board didn’t know what to do.
It wasn’t ready to fire Andy;
it couldn’t even agree whether his lack of
focus was a lingering effect of the stroke.
32
permanent basis. She had 5 years’
experience as COO and was well
regarded by the board and, for the
most part, the medical staff. Andy had
been increasing her responsibilities
steadily over the years and had been
giving her opportunities to develop
her leadership skills for as long as they
had been working together.
The difficulty was figuring out
whether or when to pull the trigger.
The board suspected Andy wouldn’t
qualify for disability insurance, and
felt it wasn’t fair to terminate him
without adequate income, given his
stellar record leading the system for
15 years. Under Andy’s leadership,
the system’s hospitals had won
numerous awards and become one
of the largest and most-respected
health systems in the country. The
severance policy would cover three
years, but there would be a gap of
four years before his SERP would
begin paying retirement benefits.
The board hired outside experts
to help identify alternatives and
decide how to proceed. Consultants
interviewed board members and Andy.
They found that Andy wasn’t willing
to file a claim for disability or publicly
admit that anything was wrong. The
board had five choices: do nothing,
wait and see, get Sue to quietly take on
more responsibility, get board leaders
to take on more responsibility, or make
a change then and there.
Transition Time
The board settled on a combination
of the last three. It asked Sue to take
on much of the CEO’s leadership
responsibility; several directors agreed
Boardroom Briefing: Business Continuity and Disaster Recovery
to take over negotiations with the
medical school and the physicians;
and it began to work out the details of
a transition plan with Andy.
The board wasn’t ready to appoint
Sue as the next CEO because it
couldn’t yet announce Andy’s
resignation. And it decided that
it would be best to look at other
candidates as well, so that if and
when it chose Sue, it would be
because she was clearly the best
qualified candidate for the position.
Recognizing that the hospital
couldn’t afford to lose Sue at the
same time as Andy, it gave her a
retention agreement that paid a large
reward if she stayed in place for two
years and a larger reward if she were
not formally named the next CEO.
Over the next few months, the
board worked out the details of
a transitional arrangement with
Andy, which would maintain a
reasonable income for him until age
62, when his SERP would begin to
pay retirement benefits. It agreed
to allow Andy to resign “to pursue
other opportunities,” without
acknowledging any disability.
Once this agreement was made,
Andy resigned, Sue was named
interim CEO, and the board hired a
search firm. The search yielded four
external candidates, each of whom
had already been CEO of a large
health system. Much as the board
liked, respected, and trusted Sue, it
decided to hire one of the external
candidates instead, mostly due to
his substantial prior experience as
CEO, but partly because Sue had had
to make some changes within the
system that alienated a significant
number of faculty physicians.
Hiring this new CEO from outside
would give the system a fresh start
in rebuilding relationships with the
medical school, the cardiologists,
and the multi-specialty group.
Retention Issues
Because Sue had already been
managing all operations and was
deeply involved in maintaining
relationships with the medical school
and the medical staff, she was
ready and able to take on additional
leadership responsibilities and
managed to keep everything on a
steady keel during the time between
Andy’s departure and the new CEO’s
arrival. At the same time, directors
kept negotiations with the medical
school and the multi-specialty group
moving ahead, and Sue handled
negotiations with the cardiologists.
The new CEO, David Gonzalez, finally
arrived 12 months later, 18 months
after this transition process began, and
24 months after the stroke that set it
all in motion. Sue stayed another six
months, until the retention agreement
was fulfilled, when she left for
another CEO position.
It took an additional 12 months to
work out the deal with the medical
school, and six more with the multispecialty group, but the agreement
with the cardiologists was settled
more quickly. The leaders of the
board had to stay involved in the
negotiations with the medical school
to maintain continuity, but also
because the new CEO hadn’t yet had
time to develop credibility with the
dean and faculty.
Because Sue managed to keep the
business running smoothly over
the 30-month period, the crisis
precipitated by Andy’s stroke did
not cause any serious disruptions.
Because directors were willing to
devote the time needed to negotiate
the details of the agreements with
its most important partners, they
managed to move the hospital into
a stronger position. And because
the board was able to offer Andy a
generous settlement that allowed
him to maintain much of his income
without working, as well as lifetime
health care benefits, the transition
occurred with almost no publicity for
the institution or for Andy.
While the succession plan didn’t
work out exactly as expected when
it was developed, the existence
of the plan made it significantly
easier for the board to move ahead.
Taking time to consider alternatives,
choose the best option, and then
develop a plan and timetable for the
transition helped Western HealthCare
proceed with business more or
less on schedule. And while it took
longer and was more expensive than
anticipated to find and hire the new
CEO, the board was satisfied that it
had handled this crisis as well as it
could have given the circumstances.
David Bjork is a managing director in charge of the Cash
Compensation Division for Clark Consulting—Healthcare
Group. Dr. Bjork leads the Healthcare Group’s team of cash
compensation consultants, which helps clients develop
performance-based compensation programs and advises
boards on governance of executive compensation. His
projects include developing reward programs, refining
performance measures, and helping boards govern
executive compensation. He has published a number of
articles and book chapters on executive compensation
in the health care industry. Dr. Bjork earned an A.B. at
Harvard, an M.B.A. in finance at the University of Chicago,
and a Ph.D. from the University of California at Berkeley.
Before joining the Healthcare Group, he was a consultant
with the Hay Group for 12 years and, before that, taught at
the University of California and the University of Chicago.
Dan Fairley is a senior vice president of Clark Consulting—
Healthcare Group. He specializes in leadership transition
planning and executive compensation. Fairley’s
distinguished career has emphasized health system
development; acquisition strategy/implementation;
and health care contract negotiations. Before joining
Clark Consulting—Healthcare Group, he was senior vice
president of the Memorial Health System and President
of Healthcare Network Associates in Springfield, Illinois.
Earlier in his career, Fairley was a vice president of the
ServiceMaster Company LP. He also saw prior service as
a vice president and assistant general counsel for VHA,
Inc. and VHA Supply Company, Inc. Fairley served as legal
counsel and as a business development officer. Fairley
holds a bachelors degree and a Juris Doctor degree from
Indiana University.
Boardroom Briefing: Business Continuity and Disaster Recovery33
(continued from page 16)
the environmental arena. Security
compliance like environmental
compliance should include oversight
by a committee of the board, board
review and audits of security matters
and direct reporting from the chief
security officer to the CEO.
Terror warnings and color codes
will remain a fact of life for the
indefinite future. In an effort to
do its part, the government will
continue to look to the private
sector not only to secure its own
assets but to show judgment
and leadership. Robust business
continuity planning may not be a
total deterrent, but it is a step
toward better protection—of the
interests of the corporation, and the
larger public good.
Alston & Bird partner Joe D. Whitley was appointed
by the President as the first General Counsel to the
United States Department of Homeland Security
(DHS), the highest ranking legal official in the
department. He held that position for two years
before his departure and return to private practice.
Previously he had led Alston & Bird’s white-collar and
government investigations practice.
At DHS Whitley oversaw approximately 1,500
lawyers and 400 support staff from numerous
agencies, including the Secret Service, the Coast
Guard, Border and Transportation Security, the
Transportation Security Administration, Information
Analysis and Infrastructure Protection, and
Emergency Preparedness and Response (FEMA).
Whitely previously had an extensive career in
the Department of Justice, serving as the Acting
Associate Attorney General, the third-ranking
position in the Department of Justice, in the George
H.W. Bush administration. He was appointed by
Presidents Reagan and Bush, respectively, to serve
as U.S. Attorney in the Middle and Northern Federal
Districts of Georgia. At the time of his appointment
he was one of the youngest persons ever to be
appointed U.S. Attorney and the only person to ever
serve as a Senate-confirmed U.S. Attorney for two
separate jurisdictions. Throughout his career Whitley
served under five United States Attorneys General.
Whitley received his J.D. and his undergraduate
degrees from the University of Georgia.
34
(continued from page 13)
•L
oss of key personnel, through
death or resignation
•L
oss of high-value customers
•B
usiness partner failures
•D
enial of service (DoS) attacks
•T
heft or unauthorized disclosure of
customer data
•W
ork stoppages, and
•T
heft or loss of mobile computing
devices
As in the case of non-IT assets, the
business continuity plan should
address these lesser incidents; in the
process, providing a real return on
business continuity investment.
Is the business continuity plan
integrated with other emergency
management plans?
A business continuity plan is
only part of an overall emergency
response protocol. To avoid
redundancy, eliminate confusion,
and expedite recovery, the business
continuity plan should be consistent
with—and developed with full
knowledge of—all other emergency
plans. These plans include:
•E
vacuation
•S
helter in-place
•E
mergency medical, and
•C
risis management
Does the business continuity
plan enjoy the support of senior
management?
For everyone but the business
continuity planner, business
continuity is a lesser priority, often
viewed as an expensive distraction.
Under these circumstances, it’s
important (make that, essential)
In case you
missed the memo,
paper documents
still account for
a sizable portion
of a company’s
vital records.
that company executives and senior
managers promote both the concept
of business continuity, and all efforts
aimed at developing, maintaining,
testing, and auditing the company’s
business continuity plan.
Are copies of the business
continuity plan readily accessible?
All company managers and senior
staff should have a current copy of
the business continuity plan—both
at work and at home. In addition,
the Program Management Office
(PMO) should accept responsibility
for distributing plan updates as they
become available.
Ted Brown, CBCP, is president & CEO of
KETCHConsulting. As IBM’s first Business Recovery
Services sales executive, Brown led Business
Recovery Services growth from zero revenues in
1989 to $500 million in 1998. Brown is the author
of the acclaimed white paper, “How to Negotiate
a Hot Site Agreement.” In 2002, he was elected to
the Contingency Planning & Management Hall
of Fame, along with former New York City mayor
Rudy Giuliani. Most recently, Brown formed his
own consulting firm, KETCHConsulting, specializing
in business continuity planning and education. A
graduate of Penn State University, Brown resides
with his family in northeastern Pennsylvania. He
can be reached at [email protected]
One revealing test is to determine if the plan
can be executed by “non-experts.”
Boardroom Briefing: Business Continuity and Disaster Recovery
Diversity is a defining characteristic of
the best leadership team—yours and ours.
A best-in-class board is much more than a roster of prominent names. Truly exemplary
boards are well-balanced teams that harness the diverse experiences, skills and intellects
of their directors to pursue the strategic objectives of the companies they serve.
The global Board of Directors Practice of Heidrick & Struggles is expert in recruiting
board members who fulfill the highest priorities of today's best-managed companies. We
also proactively work with board members and CEOs on critical assignments such as
executive assessment, succession planning and board director reviews to ensure that our
clients have access to the best talent in the marketplace.
For a copy of our publication, Building High-Performance Boards, please contact us
at (312) 496-1345.
www.heidrick.com/board