Boardroom Briefing: Business Continuity and Disaster Recovery

Spring 2006. Boardroom Briefing, Vol. 3, No. 1. A publication of Directors & Boards magazine, www.directorsandboards.com. Exclusive new research from Directors & Boards.

Contents
Ground Zero for the Boardroom, by James Kristie
Leading When It Counts, by Dee Soder
Conducting a Business Continuity Plan Audit, by Ted Brown
Business Continuity, Homeland Security and Corporate Governance, by Joe D. Whitley
When Disaster Strikes: Are You Sure that Your Business is Adequately Insured?, by Peter M. Gillon and Brian G. Friel
The Directors & Boards Survey: Business Continuity and Disaster Recovery
Overseeing BCP: Just One More Reason to Consider CIOs as Directors, by Jory J. Marino and Michael C. Nieset
12 Questions Every Director Should Ask About Workplace Safety, by Tom Krause, John Balkcom and John Henshaw
Surprises in CEO Succession, by Daniel Fairley, J.D. and David A. Bjork, Ph.D.

Masthead
David Shaw, GRID Media LLC, Editor & Publisher
Scott Chase, GRID Media LLC, Advertising & Marketing Director
Directors & Boards: James Kristie, Editor & Associate Publisher; Lisa M. Cody, Chief Financial Officer; Barbara Wenger, Subscriptions/Circulation; Jerri Smith, Reprints/List Rentals; Robert H. Rock, President
Art Direction: Lise Holliker Dykes, LHDesign

Directors & Boards, 1845 Walnut Street, Suite 900, Philadelphia, PA 19103, (215) 567-3200, www.directorsandboards.com. Boardroom Briefing: Business Continuity and Disaster Recovery is copyright 2006 by MLR Holdings LLC. All rights reserved. No portion of this publication may be reproduced in any form whatsoever without prior written permission from the publisher. Created and produced by GRID Media LLC (www.gridmediallc.com).

Ground Zero for the Boardroom
By James Kristie

What you don't know or fail to anticipate can land you square in your own boardroom ground zero.

What is the role of a board of directors? There are a lot of ways to answer that question, but you can't go wrong with this classic response: "To ensure the continuity of the enterprise."

A dear departed colleague and Directors & Boards author, Tom Horton, put it this way 20 years ago in our pages: "A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole." It is incumbent on directors to demand information and insight that will help them secure the future of the organization—which could be everything from the seemingly most innocuous moves by a competitor to the most threatening moves by a foreign nation potentate.

Well said. But if you are a director, you have to be in the camp of our nation's secretary of defense when he ruminated in a press briefing in February 2002: "As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know." I'd say Donald Rumsfeld pretty well pegged the state of affairs that exists in every boardroom in America today.

The challenge for boards is that the result of not anticipating or improperly responding to the "known unknowns" can be devastating. Then layer on top of that the realization that you can be hit with "unknown unknowns," and you as a director have to wonder if you are a sitting duck in a future boardroom ground zero. Not an enviable situation.

It's not atypical for a director to feel informationally deprived under the best of circumstances. Under uncertain circumstances, when a board has serious continuity issues on the agenda, an information deficit can be disastrous.

Outside of your own company's channels, there are lots of resources to draw upon for setting your own early warning system mindset. The trend spotters at McKinsey & Co., for example, issued earlier this year a "Ten Trends to Watch" advisory—macroeconomic trends ("The consumer landscape will change and expand significantly" is one), social and environmental trends ("The battlefield for talent will shift" is another), and business and industry trends ("New global industry structures are emerging" is a third for your radar screen).

You also can't go wrong being on the distribution list for the Dilenschneider Group Trend/Forecasting Report. The briefing is compiled by the strategic communications consultancy headed by Robert Dilenschneider (who we count as a valued member of the Directors & Boards editorial advisory board). The in-depth and data-packed report is must reading for business continuity planning. (Contact the firm at 212.922.0900 to be put on the list.)

And there are other "survival guide" must-reads. This Boardroom Briefing is one. This is the sixth in a series of single-focused reports on matters of utmost concern to enlightened board decision making. The advisories in the following pages will help you skillfully address your contingency and crisis planning requirements.

On a final note, my son gave me the hugely popular book Freakonomics as a Christmas present. In it is this observation: "The modern world, despite a surfeit of obfuscation, complication, and downright deceit, is not impenetrable, is not unknowable, and—if the right questions are asked—is even more intriguing than we think. All it takes is a new way of looking."

Again, well said. That is your job as board members—to ask the right questions and to be the "new look" eyes and ears for the management team. This Boardroom Briefing will seed many of those questions that you might ask.

James Kristie is editor and associate publisher of Directors & Boards. He can be contacted at jkristie@directorsandboards.com.

Leading When It Counts
By Dee Soder, PhD

Management at all levels needs to understand how to act during and, especially, after a crisis.

Ask anyone who has experienced a crisis and they'll tell you what counts is the way the people in charge acted.
Leadership behavior is an essential element of business recovery. The behavior of leaders during and after a crisis has received relatively little attention, planning or board oversight. Without such guidance, some leaders handle crises superbly and others fail—at times dramatically, as evidenced during Katrina. Directors and top executives need to plan for the "people side," the psychological aspects of a crisis, as an integral part of business continuity. Management at all levels needs to understand how to act during and, especially, after a crisis.

The accelerating number of devastating situations over the last ten years has necessitated better business continuity measures and management knowledge. As national, regional, local and company-specific crises become more common, directors need to ensure the efficacy of management's plans and the behaviors that expedite recovery. As was so clearly demonstrated after 9/11, leadership behavior is essential to recovery—to clean up, console, plan and rebuild. Positive and negative examples of leadership behavior after 9/11 will come readily to mind for most of us.

Natural disasters, terrorism, workplace violence, corporate malfeasance, suicide, faulty products—every crisis has unique circumstances. Boards and management also differ widely. Yet an informal survey of more than 30 directors reveals amazingly similar views. A few perceived the board's role as limited, but most believed the board should be more involved as part of its risk management responsibilities. Several prominent directors emphasized the "need to think more broadly" about crises such as difficulties resulting from a chief executive's sudden death, lost data or a security breach, and so on.

Board differences and unique circumstances aside, there is general agreement on lessons to be learned regarding behavior. Primary ones follow:

Review disaster plans to ensure that behavior is explicitly considered
Think about the "not likely to happen" events. Could directions be ignored if the boss is new or disliked? How should scared, crying and distraught people be handled? What if fighting starts? What about "outsiders" who happen to be there at a critical time? (For example, in the midst of a power failure, a client was "lost" for several hours at one company.) This year, a New York City-based media company assigned interns the task of developing "what if" scenarios. IBM executives have used drills for years, complete with "wild card incidents" to test their system. Whatever the actual method, directors should have a yearly, complete presentation of continuity plans, ensuring that disaster drills consider unlikely events and behavior. Double check that your continuity plans work. And test them. Just as one client uses a former CIA official to test corporate security, companies may wish to have an outsider test their crisis management plans.

Communicate, communicate, communicate
Good communication strategies consider people's emotions and attitudes. Messages should be simple, clear, consistent, and tailored to the audience. Repeat messages—people often don't hear it the first or second time. Be readily accessible, provide support and "stay on message." Consider media training for crisis situations before an incident, not in the midst of it (whether you face a mining disaster, sex scandal, hurricane or other problem—don't practice on CNN).

Leaders can motivate and improve morale via a few words; helpful phrases include "together we'll rebuild even better," "remember that evil exists, but there's more good in the world," "sometimes bad things happen and there's no reason," "leaders play the hand that's dealt," "tomorrow will be better and the next day even better." Be careful about religious messages (a normally devout employee lashed out when an executive attempted to "pray for him"). Don't force people to talk. After devastating events it is often best just to bring someone coffee or water, sitting comfortably in silence beside them. They'll talk when they're ready.

Remember that style counts
Directors and management at all levels should project calm and confidence. "I'm like the swan—calm on the outside, paddling like mad underneath," one CEO shares. Show that you're human, too. Cold efficiency will have short-term gains but long-term negatives, including the loss of valued employees. After the founder's unexpected death, a company's lead director became acting CEO to secure customer and employee confidence. Several months later, the dynamic, aggressive young president was promoted. The compassion of good leaders is readily evident; they don't wait for directors to tell them appropriate actions. Speed of response is important—delays to assess "potential legal issues can be callous," one director said. "We'll generally support a CEO's decision…don't wait to ask us." Thus the board applauded the CEO who paid the full salaries of employees called to service in Iraq. Symbolic acts may also illustrate compassion and concern and help expedite recovery. Don't forget the importance of honesty—with employees and the public.

A crisis puts a company in the spotlight
Customers, suppliers, employees' families and others close to the company are greatly influenced by management behavior. It's thoughtful to change the company voicemail and provide information so that worried family and friends will know more: "It's Monday, there's no power, but everyone's ok. It's Tuesday, the sun's up and we hope to be operating by Wednesday." Set up call centers to answer questions, modify websites and otherwise employ technology to let people know they're valued. And don't forget to update employees in other locations. Law enforcement has learned to give regular, frequent updates to keep people advised and minimize stress. People remember big and small gestures. Indeed, when I was exposed to anthrax after a CBS Marketwatch interview, the network executives' actions to reassure me were so commendable I remain an avid CBS fan (even working praise into this article).

Ensure training for difficult situations at all levels
In addition to disaster drills, add survival exercises to your offsites, executive training and other development programs. Used for years to foster teamwork and as ice-breakers, these exercises have additional value given today's numerous crises. Ensure that leadership programs include a segment related to behavior and crisis management. Since corporations have experience incorporating broader concepts like ethics, diversity and global awareness, this isn't difficult. Whatever the vehicle, directors and management need to ascertain that employees are prepared for things that aren't likely to happen, but do.

Learn a few stress basics
Stressed people often won't admit they're stressed. Don't expect people to perform normally after a major event—most will be operating at a 70% level for weeks. People will handle a crisis better if they have a "role," whether giving out water, calling people, or other activities. Some people will be more susceptible to significant stress. Thus thoughtful/reflective individuals, empathetic individuals, and individuals without strong support systems (family, religion, friends) will be most impacted by disasters. Even employees in distant sites can become distressed by watching television. One of the few truisms of psychology is that a person's dominant trait becomes more pronounced with stress. Accordingly, a manager concerned about details will micro-manage under stress, and a very private executive may not seek needed input and help. In this instance, "a little knowledge" can provide a better understanding of behavior during difficult times.

Leadership behavior is too important to be left to chance—not in today's world. Hope isn't a strategy for anyone, certainly not for those in charge.

Dr. Dee Soder is founder and managing partner of the CEO Perspective Group, an executive advisory and assessment firm for top executives, companies and boards. The pioneer of executive coaching, Soder has helped leaders better manage business interruption and traumatic events for decades. Since 1976, she has also worked extensively with federal, state and local (NYC & DC) law enforcement agencies. A Directors & Boards contributor ("Ready, Fire, Aim" and "Early Warning Signs"), she is a director of several nonprofit boards. She can be reached at [email protected].
Conducting a Business Continuity Plan Audit
By Ted Brown

There are no "generally accepted principles" with which to analyze business continuity.

In a recent survey, 37 percent of chief financial officers perceived their firms to be most vulnerable in the area of disaster preparedness and recovery. The survey reflects the anxiety of many executives concerning the state of their company's business continuity plans. Why the concern? Because experts estimate that 50 percent of companies without business continuity plans go out of business within two years following a disaster.

Just as companies conduct regular audits of their financial controls, they should also examine their business continuity plans, ensuring that critical business functions can be conducted in the event of a disaster or other major disturbance. While, unlike finance, there are no "generally accepted principles" with which to analyze business continuity, the following questions should assist corporate directors in assessing their company's business continuity posture.

What are the business continuity objectives?
Like any business plan, a business continuity plan is designed to address specific business objectives. These objectives should be outlined in the plan, and reflect the consensus of senior management relative to present recovery priorities. Each of the objectives should be:
• Specific, such as "restore accounts receivable," and
• Measurable, such as "within one business day."
If the business continuity objectives are not enumerated in the plan, the plan cannot be properly evaluated.

Is the business continuity plan capable of satisfying the stated objectives?
The business continuity plan, for example, may call for the restoration of e-commerce operations within twelve hours. If the data center supporting these functions is destroyed by a tornado or terrorist bomb, can essential e-commerce activities be restarted within the twelve-hour recovery window? If the answer is no, then the plan objective is too ambitious, or the recovery scheme inadequate. In either case, the plan won't work.

Is the business continuity plan relevant to everyday employees?
More specifically:
• Are company personnel aware of—and familiar with—the business continuity plan?
• Did they have input into the development of the plan?
• Do they understand their obligations in the event the plan is invoked?
• Are they comfortable with their level of training and preparation?
• Do they have any reservations regarding the plan's viability?

When was the last business impact analysis conducted?
Normally, a business continuity plan is predicated on the results of a business impact analysis (BIA). The purpose of a BIA is to identify:
• A company's critical business functions, such as e-commerce
• The threats to these functions, such as computer hacking
• Any related risks, such as a denial of service (DoS) attack, and
• The financial impact of a disaster, such as lost revenue or lost customer confidence
Armed with this information, business continuity professionals can formulate strategies designed to minimize the impact of a major disruption and to expedite recovery. Like a business continuity plan, the typical BIA suffers from a short shelf life, and must be periodically renewed, especially in highly volatile business environments. Generally speaking, if the company's BIA is more than a year old, a new analysis should be commissioned—followed by an immediate update of the company's business continuity plan.

Is business continuity plan maintenance tied to change management?
To remain viable, a business continuity plan must be revised coincident with major organizational, system, or business changes. These changes may include:
• The opening of a new office
• The introduction of a new product line, or
• The passage of new laws and regulations, like Sarbanes-Oxley, which imposes new records retention standards
Any change that affects critical business functions should trigger an automatic review of the business continuity plan. Importantly, if any plan updates are indicated, these updates should be performed prior to—not after—the precipitating business change.

Is the business continuity plan tested on a regular basis?
To remain viable, a business continuity plan must be regularly tested. Importantly, the testing does not have to be extensive or expensive. In many cases, full-scale tests—especially those involving IT facilities—can be replaced by smaller-scale "tabletop" exercises. These scenario-based tabletop drills are especially useful in establishing an organization's ability to adapt to a rapidly evolving disaster environment. After all, in a real-world disaster, it may be necessary to rewrite portions of the business continuity plan, literally "on the fly."

Does the business continuity plan require periodic retrieval and testing of offsite storage media?
The data backup and recovery process is notoriously unreliable. Despite that fact, many IT departments adopt a "tape it and forget it" attitude, refusing to test the integrity of off-site storage media. The business continuity plan should provide for the random retrieval and testing of backup volumes.

Does the business continuity plan offer sufficient detail?
One revealing test is to determine if the plan can be executed by "non-experts." Planners often cut corners during the documentation phase, depending on the availability of subject-matter experts to "fill in the blanks" if the plan is invoked. Unfortunately, many of these experts may not be available in the aftermath of a disaster, leaving plan activation and execution to junior staffers. As a result, the documentation should be geared to lower-level personnel.

Does the business continuity plan provide for adequate post-disaster security?
In addition to disrupting business operations, large-scale disasters often disturb security operations. For example, in many cases, buildings are destroyed and sensitive documents are exposed to the elements—including the criminal element. Given the generally chaotic atmosphere that accompanies a recovery effort, normal levels of security should be maintained—even enhanced.

Where is the backup backup site?
Many companies rely on commercial "hot sites" to restore critical IT operations in the event of a data center disaster. The "primary" hot site is frequently located within a hundred miles of the affected facility, enabling ready access by data center personnel. In the event of a regional disaster affecting multiple hot site subscribers, the primary site may be unavailable, forcing a company to relocate its operations to a "secondary" site, which may be a thousand miles away. The business continuity plan should allow for this possibility, discussing, for example, an alternative staffing strategy.

Does the business continuity plan consider mobile computing resources as potential recovery assets?
Most large companies support a network of telecommuters or other distributed workers. Mobile and wireless computing assets can be used to effect a partial, low-cost recovery strategy, and their deployment for that purpose should be explored in the business continuity plan.

Does the business continuity plan provide for the failure of key business partners?
In the world of the "virtual corporation," it's not enough for a company to plan for its own recovery. It must also consider the impact of disasters affecting key business partners. To accomplish this goal, a company's business continuity plan must:
• Provide for periodic audits of business partners' business continuity plans, and
• Include recovery plans designed to mitigate the impact of a major business partner failure
Typically, a business partner recovery plan consists of identifying an alternate source supplier, and establishing a procedure for engaging that supplier if the need arises.

Does the business continuity plan encompass non-electronic records?
In case you missed the memo, paper documents still account for a sizable portion of a company's vital records. The business continuity plan should address the preservation and restoration of paper or other hardcopy material, probably by means of electronic document imaging.

Does the business continuity plan encompass "print-to-mail" facilities?
Every day, companies print and mail billions of invoices, financial statements, healthcare documents, payroll checks, and other vital records. These documents are imaged, printed, sorted, and mailed to customers, shareholders, regulatory agencies, employees, and business partners. Remarkably, the facilities, equipment, and systems responsible for performing these critical functions (generically "print-to-mail") do not enjoy the same business continuity protection as their data center counterparts. According to the Disaster Recovery Journal, nearly 82 percent of backup providers do not support the printing and mailing of bills and statements.

Does the business continuity plan encompass non-IT assets?
Traditionally, business continuity plans have addressed the recovery of information technology assets. But disasters can claim non-IT assets, such as:
• Manufacturing plants
• Vehicles and equipment
• Research and development laboratories
• Raw materials, and
• Product inventory
Does the business continuity plan address the protection of these non-IT resources? If not, why not?

Does the business continuity plan promote risk mitigation measures?
Since not all disasters can be avoided, part of the business continuity plan should be devoted to lessening the impact of a disaster. One common device is encouraging the decentralization of critical assets. The plan, for example, should discourage the creation of large, central file rooms in favor of smaller, more distributed storage sites. In this way, a facility fire could only claim a portion of a company's vital records. In the case of existing central file rooms, the plan should encourage the deployment of adequate fire detection and suppression equipment.

Does the business continuity plan provide for "disruptions"?
Most business continuity plans cover catastrophic incidents, such as earthquakes, hurricanes, tornados, floods, fires, bombings, etc. Most companies, however, will never experience a disaster of these proportions. Instead, they will suffer a series of smaller—but still expensive—disruptions, such as:
• Power outages
• Storm-related travel difficulties
(continued on page 34)
Faced with demanding new guidelines and regulations, plus increased pressure on the bottom line, it’s more important than ever to work with advisors who can provide real innovation in planning and executing compensation programs. That’s why more and more Boards are turning to Pearl Meyer & Partners, a Clark Consulting practice. PM&P serves as trusted counsel to Board Compensation Committees and senior executives of leading public, private and not-for-profit companies. They rely on our expertise. Our independent advice. And our track record of creating innovative solutions focused on business results. As new challenges arise, don’t hesitate – innovate. Call 508-460-9600 or register online for more information and the latest issue-driven White Papers at pearlmeyer.com. Boardroom Briefing: Business Continuity and Disaster Recovery 13 Business Continuity, Homeland Security and Corporate Governance By Joe D. Whitley With terrorist threats increasingly frequent and well-publicized, directors and officers will have a hard time claiming that corporate risk management did not need to include emergency preparedness. O n a Sunday afternoon in August 2004, Homeland Security Secretary Tom Ridge held a press conference to announce that the alert level on the Homeland Security Joe D. Whitley Advisory System had been raised to “orange,” the second highest level. Unusually specific information from reliable sources, confirmed by multiple intelligence streams, suggested that terrorists were plotting a strike against financial centers in New York City, northern New Jersey, and Washington D.C. Wall Street increased security to unprecedented levels, leaving some to wonder if the police outnumbered the floor traders. Similar measures were taken in Washington, a city already bristling with barriers and patrols. 
For companies and executives who are in the bull’s-eye of the terrorist threat, the warning brought home the importance of security and business continuity planning for financial markets. For America’s premier financial service providers—the members of the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD)—business continuity (BC) is no longer an option or just the domain of the corporate security department. It is a critical component of corporate governance and market stability. As an aside, natural disasters like Katrina and Rita present very similar concerns to corporations and businesses.

Self-regulation and Business Continuity
Both the NYSE and the NASD are self-regulating organizations that require compliance with practices, standards, and policies as a prerequisite for membership. In response to 9/11, the NYSE and the NASD began formulating new business continuity requirements for broker-dealer members. Rule 446 for NYSE members and Rules 3510 and 3520 for NASD members address business continuity and contingency planning and are very similar in substance. The new rules recognize that there is no cookie-cutter approach to planning and therefore account for flexibility in business continuity design and implementation.
But these rules require that, at a minimum, each firm’s plan contain ten elements:
• Data back-up and recovery (hard copy and electronic)
• Mission-critical systems
• Financial and operational risk assessments
• Alternate communications between customers and member
• Alternate communications between the member and employees
• Alternate physical location of employees
• Critical constituent, bank and counter-party impact
• Regulatory reporting
• Communications with regulators
• A plan to assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business
Members of the NYSE and NASD must also publicly disclose the general configuration of their business continuity plan. Pursuant to its statutory authority, the Securities and Exchange Commission approved the NYSE’s and the NASD’s business continuity rules on April 7, 2004. At least in concept, forcing business continuity into the open serves as a de facto incentive to take the rules—and homeland security preparedness—seriously. There is an implicit reliance on market forces: it is assumed that if the public can compare business continuity plans, rational consumers will prefer to do business with those members whose plans are the strongest. Equally rational business leaders, in an attempt to capture competitive advantage, will establish robust plans. Considering that e-commerce companies and Internet Service Providers routinely use this type of security-related marketing, it soon may become prevalent among the largest financial institutions, all of which are members of the NYSE and the NASD. Any act of terror on American soil would accelerate this process.

Securities and Exchange Act Release No. 34-49537 (April 7, 2004), 69 FR 19586, April 13, 2004. See also NYSE Information Memo 04-24 as well as NASD Notice to Members 04-37, May 2004.

Private-Sector Responsibility
The business continuity initiatives in the financial services sector highlight a significant issue for other business sectors: Even in the absence of regulation or statute, should corporations implement a business continuity plan as a matter of sensible corporate governance and sound policy? The answer clearly is yes. The federal government, and particularly the Department of Homeland Security, needs industry’s participation and support to make the country secure. The owners and operators of obvious targets—power plants, chemical facilities, telecommunication centers—have been tightening their defenses and have developed (or contracted for) business continuity plans. Yet, with finite budgets and only a transient sense of threat, most corporations have not initiated business continuity planning for the post-9/11 era—robust, tested, enterprise-wide programs that protect facilities and people, and which would permit the rapid resumption of business if an attack occurred. Many companies still don’t quite get it: business continuity is a strategic investment, and its dividends will be evident during an attack, and economically and legally, in the aftermath of a terrorist event. For example, when a cascading grid failure left tens of millions of people in the U.S. and Canada without electrical power in August 2003, corporations without business continuity plans suffered. Without electricity to run computers, commerce simply stopped. Not so for the New York brokerage firms that had aggressively invested in business continuity after September 11.
That preparedness, including installation of emergency generators and back-up trading systems, allowed commercial transactions to continue with minimal interruption. Considering the financial losses brokerage firms sustain from even an hour of missed trading, investments in business continuity paid for themselves many times over in that one event. Indeed, the 2003 blackout and the business continuity success stories within the financial services sector accelerated the NYSE’s and the NASD’s adoption of business continuity rules for the industry as a whole.

SEC Oversight and Legislation
SEC Chairman Chris Cox, who prior to his appointment was chair of the House of Representatives’ Committee on Homeland Security, may be just the person who will trigger consideration of homeland security as a “material” matter in 10-K reports. Chairman Cox is well aware that 85 to 90 percent of America’s critical infrastructure is owned by the private sector. He, too, is familiar with the post-9/11 legislation that increased the responsibility of businesses that provide financial services, transport hazardous waste, and provide and maintain maritime facilities ranging from ship terminals to storage facilities for LNG to refineries. All of these industries and many others are to some extent regulated by the Department of Homeland Security, and it is likely that chemical plant security will soon be regulated by the Department. As these legislative efforts increase the responsibilities of the private sector to make homeland security a priority, it makes good sense to have in place security programs that will reduce companies’ vulnerability to the consequences of the next terrorist attack. Contingency planning to assure business continuity should, in addition, include some of the following:
• Insurance—Does it adequately cover business interruption costs? Are the terms and provisions written in a manner favorable to quick recovery?
• Supply chain—Is it capable of restoration after a terrorist event? Are there components and parts coming across U.S. borders that may be closed?
• Market resilience—Will the customer continue to purchase products and services after a terrorist event?
Implementing a business continuity plan also may have legal significance for a corporation. Because business continuity recognizes risk and mitigates it, the creation and implementation of such a plan may help a corporation discharge its corporate governance responsibilities to customers and shareholders alike. The concept is only now being tested in the courts, but the normal standard of corporate responsibility—focusing on acknowledging and responding to knowledge of a threat—likely will be applied here, diminishing liability. With terrorist threats increasingly frequent and well-publicized, directors and officers will have a hard time claiming that corporate risk management did not need to include emergency preparedness.

The Spectre of SOX
There is not yet regulatory linkage between homeland security governance and Sarbanes-Oxley, but it is likely that it would parallel developing SOX compliance in (continued on page 34)

When Disaster Strikes: Are You Sure that Your Business is Adequately Insured?
By Peter M. Gillon and Brian G. Friel

What companies must do to prepare for the next catastrophic loss

9/11, and the recent devastation inflicted by Hurricanes Katrina and Wilma, have forced companies across the United States to take a hard look at how they manage the risk of disaster—both man-made and natural. Of all the tools available to manage catastrophic risk, none is more important than property insurance. This is the one risk management tool that can ensure the survival of a corporation following the devastating effects of a terrorist attack, hurricane, earthquake, tornado, or fire.
Unfortunately, the number of coverage disputes and unpaid claims related to September 11 and the recent hurricane losses suggests that companies too often overlook or simply fail to understand the critical details of their property insurance programs. Far too often companies wait until after a disaster strikes to determine what they need to do to adequately prepare, evaluate and present their claims to their insurers. When disasters like September 11 or Hurricane Katrina hit, many companies find themselves playing “catch-up” and lose valuable time in adjusting their claims as a result. This is understandable. In the immediate aftermath of a large-scale disaster, directors and officers are pressed by other competing and vital matters impacting their companies, such as employee deaths and injuries, employee relocations, office relocations, customer issues, media inquiries, and the like. This is why a clear, coherent risk management plan in advance is essential to maximize and expedite insurance recovery during a crisis. Many companies have developed a disaster response protocol, to be put in place in advance of a disaster. A claim team should be identified and assembled in advance, setting forth the roles of the risk manager, the general counsel and other response personnel. Pre-determine what you need to do, and by when, with respect to notifying the insurers of the loss. Have a process in place to obtain, analyze and maintain the necessary documentation to support your claims. Establish accounting procedures for capturing loss expenses accurately and efficiently. Establish communication protocols internally and externally.

More than 30% of all businesses that close down following a disaster never re-open again. (ALFA Insurance, “Can Your Business Survive a Natural Disaster?” http://www.alfains.com/business.)
Insurance Coverage Issues
There are many issues to consider in evaluating a property policy, including whether it provides the broadest coverage available at a reasonable cost. Below are some of the most important policy considerations that are not being adequately addressed in the underwriting process.

Hurricane Deductibles and Sublimits.
Many commercial property policies contain a deductible for hurricanes (or “windstorms”) and other specific perils, based on a percentage of “total insured value” or “total insurable value” (“TIV”), rather than based on a flat dollar amount. This deductible is typically between 2% and 5%. Thus, for example, if a policy’s deductible for hurricanes is 5% of TIV and the total limits of the policy are $60 million, an insured would be responsible for the first $3 million of damages. For many small- to mid-sized claims, this deductible effectively acts as a bar to coverage. One possible modification is to negotiate a lower deductible percentage; another is to reduce the limits for purposes of the deductible. Another common feature of commercial property policies is a sublimit (i.e., a lesser amount) for hurricanes and other perils. In light of the extremely active hurricanes in Florida and along the other parts of the Gulf Coast over the last few years, it is imperative that companies operating in hurricane regions reevaluate their sublimits, if any. In the wake of the vast number of claims filed because of Hurricanes Katrina and Wilma, many insurers are attempting to apply the percentage deductibles to the total limits available under a policy even though the insured is only entitled to a lesser amount contained in a sublimit.
Using the example above, if the policy has total limits of $60 million but a $10 million sublimit for hurricanes, insurers often are applying the 5% deductible to the $60 million (resulting in a $3 million deductible), rather than applying the 5% to the $10 million sublimit, which is the actual limit available and which would result in a deductible of only $500,000. Again, rather than wait for a disaster to hit, it is critical to clarify the language in the policy now to make sure that “TIV” refers only to the total limits available for a particular claim, including any sublimits.

Business Interruption—Waiting Periods.
Some policies impose a waiting period (e.g., 24 hours or 72 hours) before business interruption (or lost business income) losses are recoverable. The purpose of waiting periods is to ensure that the loss is of a minimum magnitude before coverage is triggered. Insurers do not want to expend the resources necessary to evaluate a business income claim in situations where a company is down for less than one or two days. There are two very important considerations for directors. First, it is imperative that the waiting period is expressed as total hours or even days rather than in business hours. For example, certain policies state that the waiting period is “72 business hours,” and certain insurers have argued that it is equivalent to nine calendar days for those businesses that do not operate on a 24-hour cycle. Second, some insurers have argued that the waiting period acts as a deductible. Thus, for example, with a policy that has a 24-hour waiting period and an insured’s business was closed for three days, rather than compute income for the full three days, some insurers have argued that the policies only cover lost income for the last two days. It is essential that the policies be clear that once the waiting period has been met, the policy covers lost income incurred starting on day one.

Business Interruption—Total Suspension vs. Partial Interruption.
A key issue with business interruption coverage is whether the policy requires a total suspension of your operations, or whether it also covers partial interruptions of your business. Most policies cover only “actual loss of business income you sustain due to the necessary suspension of your operations” from the date of the loss to the date the property should be repaired or replaced. Some policies contain broader language, covering business interruption losses when the policyholder is “wholly or partially prevented” from producing goods or continuing business operations or services. Considering that a significant number of claims involve an interruption of only a portion of a company’s business, such as the partial shutdown of a factory or a wing of a hotel, it is important to make sure your policy covers partial interruption. The question every CEO, board member, general counsel and risk manager must ask is this: if your office building, hotel, factory or distribution center is destroyed tomorrow by a hurricane, earthquake or terrorist attack, will your claim team be ready to respond immediately, and will your insurance cover both the physical damage to your property as well as the resulting lost business income? Recent experiences have shown that many companies are not ready to evaluate, prepare or submit their claims, and that there are significant gaps in coverage that otherwise could have been addressed in the underwriting/renewal process. It is imperative that companies, working with their brokers and outside counsel, start to address these issues now in order to better prepare themselves for the next disaster.

Peter M. Gillon is a shareholder in the Washington, DC office of Greenberg Traurig, LLP and Brian G.
Friel is of counsel in the Washington, DC and the Morristown, New Jersey offices of Greenberg Traurig, LLP, where they counsel corporate policyholders on the procurement of all lines of insurance, including property and business interruption policies, and prosecute coverage disputes on behalf of their clients. They currently are handling some of the largest claims arising from the September 11, 2001 terrorist attacks and Hurricanes Katrina and Wilma, along with the hurricanes that struck Florida in 2004.

The Directors & Boards Survey: Business Continuity and Disaster Recovery

Methodology
This Directors & Boards survey was conducted in February 2006 via the web, with an email invitation to participate. The invitation was emailed to the recipients of Directors & Boards’ monthly e-Briefing. A total of 332 usable surveys were completed.

Business Continuity Programs
How important is business continuity planning/disaster recovery to your company?
Extremely important 52.8%
Important 27.8%
Somewhat important 16.0%
Not important 3.5%

About the respondents (Multiple responses allowed)
A director of a publicly held company 28.2%
A senior level executive (CEO, CFO, CxO) of a publicly held company 9.2%
A director of a privately held company 36.2%
A senior level executive (CEO, CFO, CxO) of a privately held company 23.9%
A director of a non-profit entity 27.6%
Institutional shareholder 4.9%
Other shareholder 17.8%
Academic 8%
Auditor, consultant, board advisor 23.9%
Attorney 6.7%
An investor relations professional/officer 1.8%
Other 9.2%

Revenues (For the primary company of the respondent)
Less than $250 million 57.1%
$251 million-$500 million 9.8%
$501 million to $999 million 8%
$1 billion to $10 billion 19.6%
More than $10 billion 5.5%
Average revenues: $2.773 billion

Board Service (Average number of boards respondents serve)
Public Company: 1.21
Private Company: 1.53
Charitable: 1.59
Total: 4.33

Does your company have a business continuity management program?
No 19.3%
In process of creating 26.9%
Yes, plan in place for less than a year 13.1%
Yes, plan in place for more than a year 39.3%
Other 1.4%

Does your company have a disaster recovery plan?
No 24.3%
In process of creating 23.6%
Yes, plan in place for less than a year 13.9%
Yes, plan in place for more than a year 36.1%
Other 2.1%

Does your company have a crisis management plan?
No 28.1%
In process of creating 23.3%
Yes, plan in place for less than a year 11%
Yes, plan in place for more than a year 36.3%
Other 1.4%

Does your company have an executive transition/leadership plan in the event of the sudden death of key leaders?
No 37.9%
In process of creating 21.4%
Yes, plan in place for less than a year 11.7%
Yes, plan in place for more than a year 26.9%
Other 2.1%

If you answered yes to any of the above questions, does your company test these plans on a regular basis?
[Chart: Yes, more often than once a year; Yes, once a year; Yes, less often than once a year; No; Does not apply]

If you answered yes to any of the above questions, have your company’s plans been shared with employees?
[Chart: Yes; No; Does not apply; Don’t know]

How do you rate your company’s ability to recover from a natural/manmade disaster or business interruption?
[Chart: Excellent; Good; Fair; Poor; Other]
(Other answers included: “Our plan is untested.”)

How do you rate your company’s management’s ability to calmly lead in times of crisis?
[Chart: Excellent; Good; Fair; Poor; Other]
(Other answers included: “Like everyone, I think it is good; but probably could be better.”)

How quickly do you estimate your company can recover from a significant/major business interruption?
[Chart: Minutes; Hours; Days; Weeks; Months; Other]
(Other answers included: “Depends on the event–could be minutes to weeks.” “We can recover from an IT disaster pretty quickly. Loss of a plant would take much longer. By the way, we test IT disaster recovery once or twice a year, but do not test loss of a building or senior manager.”)

How effectively are 3rd party partners, vendors and service providers integrated into your company’s business continuity/disaster recovery planning?
[Chart: Very effectively; Somewhat effectively; Not very effectively; Not at all; Other]
(Other answers included: “Not certain.” “We are working on the plan at this time and will address 3rd party partners, etc.” “Don’t know.”)

Board Responsibility in Business Continuity/Disaster Recovery Planning
What, in your opinion, is your board’s responsibility in business continuity, crisis management and disaster recovery planning?
The board should take primary responsibility, directing management 15.9%
Management should take primary responsibility, advising the board 79%
Other 5.1%
(Other answers included: “It will depend on the nature of the disaster.” “Management should take primary responsibility with the board having the responsibility to ensure that this is done.” “It should be a collaborative effort.”)

Does your board have a dedicated business continuity or risk assessment committee or a board member tasked with this issue?
Yes 22.5%
No 69.6%
Other 5.1%
Not applicable 2.9%
(Other answers included: “Audit committee periodically reviews the plan.” “For now, risk assessment has only been assessed by IT manager with outside consultants as backup.”)

Do you market your company’s business continuity/disaster recovery plans as a benefit to your company’s customers?
Yes 12.5%
No 72.9%
Other 11.8%
Not applicable 2.8%

Who’s responsible for informing the board of risk issues at your company? (Multiple responses allowed.)
Board committee 15%
Designated board member 7.1%
CEO 72.9%
CFO 35.7%
Internal Auditor 27.1%
Chief Risk Officer 7.9%
Chief Legal Counsel 24.3%
External auditor 20%
Business unit leaders 13.6%
Other 7.9%
(Other answers included: “Probably the CFO and CLC.” “President & COO.” “Employees.” “CIO.” “Board at large.”)

How often is business continuity planning/disaster recovery on the agenda for your board meetings?
As needed 21.6%
Every meeting 0.7%
At least once per year 36%
Less often than once per year 20.9%
It’s never been on the agenda 14.4%
Other 6.5%
(Other answers included: “Never was included.” “Formally, twice a year.” “In connection with strategic plan reviews.”)

How important is business continuity planning to your board?
Extremely important 23.6%
Important 40.7%
Somewhat important 21.4%
Not important 12.1%
Other 2.1%

If you serve on multiple boards, do you see major differences among the companies you direct in terms of business continuity planning/disaster recovery?
Yes 43.8%
No 16.8%
Not applicable 24.1%
Don’t serve on multiple boards 15.3%

Compare this expenditure to the prior year.
We budgeted more on business continuity programs 18.3%
We budgeted less on business continuity programs 9.2%
We budgeted approximately the same amount 23.7%
We do not budget for business continuity programs 43.5%
Other 5.3%

Thinking about the year ahead, rate how likely it is that each of the following events would occur and have an impact on your company’s business operations.
Event                                          Very Likely   Somewhat Likely   Not Very Likely
A terrorist attack abroad                      8%            77%               15%
A terrorist attack in the US                   6%            60%               35%
A manmade disaster (electronic or otherwise)   10%           54%               36%
A natural disaster                             12%           50%               38%

General Business Continuity Questions
Has your company been affected by any of the following interruptions in the past year? (Multiple responses allowed.)
Natural Disaster 27.7%
Technology failure 26.2%
War 1.5%
Terrorist activity 3.8%
Information security breach 10.8%
Human error, resulting in major business interruption 10.8%
Labor dispute 6.2%
Power failure 34.6%
An interruption in service from a third party partner or vendor 17.7%
Loss of key personnel, through death or unplanned resignation 20%
Business partner failures 6.9%
Loss of high-value customers 10%
Weather-related disruptions to operations 28.5%
None of these occurred to my company 20.8%
Other 6.2%
(Other answers included: “Short term outages.” “Maintenance/facilities issues.” “Rail disruptions.” “Major rail accident caused by the railroad company that resulted in a chemical car containing our product being breached leading to the death of 9 people.” “Fire.”)

If yes to any of the above, what do you estimate the total cost of these interruptions was to your company?
Less than $100,000 40%
$100,000-$500,000 17.5%
$500,000 to $1 million 7.5%
$1-5 million 9.2%
$5-10 million 4.2%
More than $10 million 2.5%
Not applicable 19.2%

Within your company, how many employees do you estimate are dedicated to business continuity planning/disaster recovery?
None 46.2%
1 8.3%
2-5 17.4%
6-10 5.3%
More than 10 3.0%
It’s part of some people’s full time jobs 19.7%

What do you estimate your company’s annual budget to be for business continuity planning/disaster recovery planning (not the cost of an interruption)?
No budget 40.2%
Less than $100,000 31.8%
$100,000-$500,000 12.9%
$500,000 to $1 million 3.8%
$1-5 million 4.5%
$5-10 million 0.8%
More than $10 million 1.5%
Other 4.5%
(Other answers included: “Not designated as a line item.” “Don’t know.” “We are presently trying to determine what amount should be budgeted for disaster recovery.”)

Please rate your company’s internal communication to and training of employees in business continuity planning and disaster recovery.
Excellent 5.3%
Good 24.1%
Fair 32.3%
Poor 15.8%
Non-existent 17.3%
Other 4.5%

Overseeing BCP: Just One More Reason to Consider CIOs as Directors
By Jory J. Marino and Michael C. Nieset

To meet this complex new responsibility, boards should consider a relatively new kind of board member—a current or former CIO

While spectacular corporate meltdowns were leading to Sarbanes-Oxley, a series of other cataclysms dramatically emphasized the risk of business disruption—and put business continuity planning on the front burner for boards.
Y2K, though it proved to be less than met the eye, first sounded the alarm, followed shortly by 9/11, which highlighted the vulnerability not only of computer networks but also of phone, power and transportation systems. A literal meltdown with the power outage of August 2003 renewed fears about the stability of the electrical grid. Continued globalization exposed companies to more risks in more places, while political instability, including war in the Middle East, turned many risks into reality. Hurricane Katrina is only the latest and surely not the last of these cataclysms. Following these upheavals, an increase at the global, country and state levels in regulatory requirements for disaster recovery planning (DRP) and business continuity planning (BCP) has heaped new expectations for the scope and quality of oversight on directors’ shoulders. Although directors are not responsible for directly managing and planning for calamities, no board will enjoy the scrutiny that is sure to follow for having failed to ensure that an adequate business continuity and disaster recovery plan was in place. To meet this complex new responsibility, boards should consider a relatively new kind of board member—a current or former CIO. Just as corporate boards have sought financial experts to meet their expanded fiduciary responsibilities in the SOX era, they must also now be prepared to extend seats to current or former CIOs who are best able to exercise oversight of disaster recovery and business continuity planning. Although the value CIOs bring to such oversight may be insufficient by itself to justify adding them to boards, that expertise joins a growing list of areas in which CIOs can make significant contributions as directors, including their valuable knowledge about how to maintain compliance with today’s rigorous business, financial management and reporting requirements.
A CIO’s enterprise-wide understanding of business and technology-driven business strategies could prove invaluable in stewarding a company through a natural disaster or terrorist attack, as well as contribute substantially to the board’s understanding of risk and information security.

A Dearth of CIO Directors
Nevertheless, only a handful of companies now include CIOs on their boards. Our research shows that among the Fortune 1000 companies, only 15 have a current or former CIO as an external director. Why this dearth of current or former CIOs on boards, despite their fitness to contribute in many areas of oversight? Part of the answer lies in perceptions. Board members and CEOs often see CIOs as exclusively concerned with operations and find it hard to imagine them moving from the server room to the boardroom. More narrowly still, CIOs are often seen as technologists, not strategists. CEOs want to learn from board members and often feel that CIOs have nothing to teach them about business. CIOs also lack visibility in the networks in which CEOs and board members move and from which they choose directors. Many companies like to add high-profile names to their boards—and that usually means a celebrated CEO. Even the obvious ability of CIOs to exercise oversight of disaster recovery and BCP is easily discounted by companies who may erroneously believe that creating a plan and signing on for backup sites are one-time events rather than part of an ongoing oversight process.

A Compelling Case for Inclusion
With companies increasingly restricting the number of boards on which their CEOs can serve, the pool of qualified director candidates is shrinking. CIOs can significantly enlarge that talent pool.
For despite all of the negative perceptions of CIOs, those with the right combination of experience and talents can make substantial contributions in a wide variety of areas—especially risk management and compliance as well as business strategy—which, taken together, add up to a compelling case for adding a CIO director. Since the 1990s the financial control processes that now loom so large in SOX compliance have resided in ERP systems, presided over by CIOs, who can provide unique understanding of how to apply those systems to SOX. The best of these CIOs also know how to go beyond mere compliance to automate business processes and financial controls to drive down the enormous costs of compliance.

Data security has also moved to the forefront of risk management, largely as a result of high-profile security breaches at information companies, credit card companies, and banks, elevating concern about protecting the public’s personal information. Companies that fail to exercise diligent oversight in this area put their reputations and their business at risk. CIOs have not only been on the frontlines of data security, they also understand that ensuring data security encompasses links in the technology supply chain that extend far beyond the company’s control.

In matters of strategy and business acumen, the nature of global business and technology today ensures that CIOs in large, global and complex organizations have acquired skill and understanding that far exceeds the purely technical. Global businesses today operate complex supply chains, manage a variety of captive and outsourced service providers, and manage multiple distribution channels and customer touch-points. In all of these activities, technology plays a central role, providing the CIO with an enterprise-wide view of business—and an enterprise-wide view of risk management.
“As businesses continue to transform from batch to real time, risk management extends beyond traditional BCP/DRP to include a CIO’s ability on a board to provide a point of view and oversight on information, reputational, project execution and acquisition risks,” says James Dallas, Audit Committee Member, KeyCorp and former CIO of Georgia Pacific Corporation. “All of these issues have technology at their core. The effective and innovative use of information and technology are the heart of strategies within both manufacturing and service industries. The pulse is the speed in which technology changes, which requires having someone on the board who knows the technologies that are here and around the corner that could transform competition.”

Finding the Right CIO Candidate

In our experience, CIO director candidates with the breadth of business and technology understanding that are required to make a real contribution to board deliberations are most likely to come from large companies, like the Fortune 250. In these global, complex organizations the role of the CIO has evolved into a position that today combines traditional technology responsibilities with the general management responsibilities of a COO. These CIOs may negotiate deals on behalf of the company with a variety of third parties and outsourcing organizations or they may create a captive outsourcing organization. To perform successfully these CIOs must be able to integrate their mastery of technology, understanding of business processes, and thorough knowledge of the business and industry into a comprehensive vision of the company and execute against it. In the largest companies they will often know more about the company’s business operations than business line managers or even the CEO. Not surprisingly, many CIOs have come up through the technology ranks and then stepped into broader general management roles like COO or president of a business unit or large division. The president and COO of one of the world’s most successful internet companies served as chief technology officer in his previous company, joined the internet company as CIO, rose to his present position and was recently elected to the board of a public software company. Sometimes the career trajectory runs in the opposite direction. The CIO of a leading building materials company came up through finance and then moved into technology mid-career and now sits on the boards of two companies. But whether an individual moves from technology to general management, general management to technology, or acts as a CIO whose role is almost indistinguishable from that of a COO, the lesson remains the same: The success of large companies today greatly depends on top executives who can operate effectively in both spheres. Boards can reflect that new reality by considering candidates who have:

• Operated an organization of scale, where scale may be defined in terms of geography, complexity of the business, multiple business units, or overall size in revenues, capital investments, and budgets
• Demonstrated strong financial and operational skills as well as knowledge of the business and industry
• Addressed operational and business risk across the many vulnerabilities in a complex, global organization
• Moved up in a progressively responsible CIO career and later stepped into a full general management role, or moved from general management to absorb technology responsibilities
• Presided over an operation as it globalized its business and customer base and addressed the impacts of sourcing and offshoring
• Delivered significant business value

Such candidates not only have a broad perspective on business, they can also broaden the perspective of boards at a time when effective oversight and risk management require a comprehensive, integrated understanding of business and information technology. Such directors may not only help ensure business continuity following disasters but also—contrary to narrow perceptions of CIOs—help avert business disasters.

Jory Marino is managing partner of Heidrick & Struggles’ Global CIO practice and New York-Park Avenue office. Michael Nieset is a senior partner of Heidrick & Struggles Technology and Board of Directors practices. The authors can be contacted at [email protected], [email protected] or by phone at 312.496.1345.

12 Questions Every Director Should Ask About Workplace Safety

By Tom Krause, John Balkcom and John Henshaw

The globalization of terror, the fear of potential pandemics, and the public’s concerns over corporate misconduct have brought new gravitas to the question of safety and health in every workplace. To some, worker safety may seem a mundane issue in an increasingly knowledge-intensive economy. But in our experience, the health and safety of the worker underpins the ability of any company to claim excellence in its dealings with customers, employees, investors, and the public. This article suggests the twelve primary questions every director should ask—and expect to have answered thoroughly and well—about safety in any company. The first five frame the relationship of safety-to-value creation. The remaining seven address the capabilities and processes whereby a firm either instills safety in the day-to-day mindset of every executive and employee—or creates an unacceptable risk of catastrophic failure and organizational incompetence.

What is the relationship between worker safety and other performance metrics in this company?
While this question may be interesting from a purely theoretical point of view, we pose it solely as an empirical question. That is, we seek to determine what longstanding statistical relationship exists between variations in safety and health outcomes (e.g., the rate of OSHA-recordable incidents) from month to month and quarter to quarter, and contemporaneous changes in financial results. The latter include earnings, cash flow (and its working proxies, such as EBITDA), and unit costs of production. Our experience suggests these merely statistical relationships are idiosyncratic to the operations of each company, that no two companies have identical patterns. Moreover, these unique relationships when traced to root causes within a given company can be highly revealing of the organizational impediments to both safety and profitable growth.

What should our safety goal be?

Experienced observers believe that companies that are highly successful in safety performance are also successful in operational performance. Leading companies that are viewed as “socially responsible” set tough targets to challenge the organization continuously and improve safety performance the same way they set other operational targets. For example, DuPont is well known for striving to achieve zero workplace injuries and illnesses based upon the fundamental belief that “all injuries are preventable.” Alcoa, under the leadership of Paul O’Neill, set stringent goals for safety and reduced its lost-time incident rate from 1.86 in 1987 to 0.12 in 2002. Even the largest and most tradition-bound organizations are capable of order-of-magnitude changes in safety performance.
In addition to ensuring that a safety goal is set, a director should feel free to ask what benchmarking was done in establishing a safety goal, what such a change would mean in his or her company, what is blocking its accomplishment, and when a new level of accomplishment can be achieved and sustained.

How do we know we’re being preventative in our safety efforts and how do we measure exposure to hazards in the absence of injuries or illnesses?

Virtually every event that results in a workplace injury or illness is preceded by lower level decisions and outcomes that increase the likelihood of failure in safety. The catastrophic failure—the death of a worker or a serious injury—can be seen as the tip of an iceberg undergirded by an architecture of behaviors, practices and outcomes that made the greater loss predictable. Leading indicators of lower-level safety decisions reveal the organizational culture that gives rise to the costly failure. Directors should ask what leading indicators are predictive for their organization, including measures related to organizational culture and safety climate. Then they should ask what is being done to move those leading indicators, how they are changing over time, and what the readings were before the most recent major safety failure. Directors should ensure that the organization fully understands what goes on in the places where workers interact with the core technology of the company, what we call the Working Interface.
Ultimately, safety excellence depends on keeping the Working Interface free of hazards, which include the facility, the equipment and the behavior of the worker.

What is our exposure to a catastrophe such as Bhopal?

The failure to anticipate an incident of catastrophic proportions—that is, a multiple-fatality event or something the magnitude of Bhopal—is above all a failure of imagination. Either that or it’s a suppression of the evidence of leading indicators that prefigured the likelihood of a major failure. With reflection, any CEO, COO, and chief safety officer should be able to tell a director where such risks lie, what their probability of occurrence is, and what preventative steps are being taken to head them off.

How do we know there’s not fraud in our health and safety reporting and that exposures and accidents are not being under-reported?

Any discussions about safety depend on the integrity of safety reporting, which holds the same challenges in the verification of processes and outcomes as financial reporting. Indeed, safety performance is an important measure of enterprise risk management, and shareholders are more watchful now for fraudulent reporting. Just as directors now see their responsibility and liability for sound financial reporting, they also sit where the buck stops in the matter of risk management, and workplace safety and health reporting. Both the full board and the committee responsible for environment, health and safety are responsible for ensuring that the performance data and the safety reporting are accurate.

A director with sound answers to these first five questions should be able to get an exact answer to the next question, which addresses how safety and value relate to one another in the company. The remaining questions deal with the reliability, transparency, and fairness of safety-related decision-making in the organization. No organization can reasonably expect employees to take on the task of safety—except when the CEO happens to be in town or the board happens to make its annual plant visit—if it lacks integrity. Without the historical analyses, a clear goal, an awareness of early indicators, a “Bhopal” assessment, and validation of safety reporting, an organization may be unable to link safety and value. However, we are convinced that the two are closely linked and that any director deserves and has a duty to know the connection in a rigorous and validated way so as to optimize value creation for shareholders.

How much value are we delivering through our safety performance?

Economic value analysis has revealed the many value drivers that support the delivery of exceptional returns to shareholders. Within these “value trees” a director can see what dimensions are inherent in the safety-related behaviors, practices, and outcomes of the organization. By looking at the historical relationships between safety and financial outcomes, as well as the underlying causes of shortfalls in both, a company and its directors can assess the contribution a safe workplace makes to the organization’s value—or the degree to which safety breakdowns are inhibiting the creation of value.

What tone should we set in the boardroom about safety?

While “tone at the top” has become a byword of the enactment of the Sarbanes-Oxley Act, it is an essential element in the creation of an organizational culture of safety and incident-free operations. When we speak of “incidents,” we are referring to increases in exposure or risk, some of which result in recordable injury or illnesses or possibly major industrial accidents. Attention to safety in all its dimensions, including exposures or risk and not just recordable injuries, starts at the top. The top must include the representatives of the shareholders, in essence the owners, and not just senior management.
Setting a tone in the boardroom favoring safety performance means more than just reviewing the injury and illness statistics at each meeting or appearing once a year at an operating site. It means paying attention to safety, requiring accountability, and expecting improved performance, without always looking to place blame. It’s this kind of attitude that will make possible the improvement of “leading” safety indicators and the delivery of incremental safety and organizational value. The safety tone is set at the top, primarily by the care and astuteness of board-level listening both to the safety outcomes of the organization and to the upward communication from operating management about the safety climate. While organizational culture may take years to change, our experience suggests that effective listening and caring about workplace safety and health almost immediately alters the safety climate and sets the tone for hazard avoidance.

What does management need from the board to achieve safety objectives?

While “attention” may seem an obvious answer to this question, many other answers are both possible and more effective in improving workplace safety and health performance.
These include:

• Clear processes for periodic review of safety and health outcomes at the board level
• Direct access for the senior safety officer to the members of the board, akin to the relationship of the outside auditor to the board’s audit committee
• Inclusion of both leading and lagging safety and health indicators in the board’s periodic review of key performance indicators of the organization
• Inclusion of safety and health results, both leading and lagging, in the performance management system for the most senior officers of the company
• Affirmation of leading and lagging workplace safety and health goals and targets at the board level, akin to the board’s consideration and ratification of strategic initiatives.

What is essential here is a dialogue between senior leadership and the board so that a fully actionable view of the question can be formulated.

Who is driving safety in the company?

This question begs for both a “team” answer and a “chain of command” answer. But the answer is that neither is exclusively the driver. Safety requires an exchange of information among peers to reveal the full iceberg of hazards. Nonetheless, the board is the principal agent for the company’s owners, and the management serves as agents of the board. So, no team organization can overcome the principal-agent chain of command whereby the fiduciary responsibility of the board is exercised effectively (or not) by the directors on behalf of the owners. However, the location of decision-making power between the boardroom level and the shop floor differs radically from organization to organization. That means the real answer to “Who is driving safety?” may differ from one company to another. But the chain of command governing safety is only as strong as its weakest link. Each level of the organization—from the boardroom to the shop floor—must have a tangible role in the organizational mechanisms that assure the minimization of exposures to hazard. What matters most is that the decision-making process governing safety policies, practices, standards, monitoring, and accountability results in tangible steps that can be observed, verified, and modified as the organization learns how to optimize its own safety performance.

How are we protecting our people from safety and health risks originating outside the workplace?

Off-the-job injuries and absenteeism cost companies billions of dollars each year. Beyond routine off-the-job injuries and illness, roughly every decade a new “X factor,” such as a potential flu pandemic, seems to come into play, threatening the optimization of a company’s human resources. Even the threat of terrorist attacks takes its toll on a company’s effectiveness as workers avoid the workplace or are less attentive to work. In many companies injuries and illnesses that originate during off-duty hours exceed the total cost of on-the-job injuries or illnesses. Directors should be asking how the company is addressing these safety and health exposures. Is it advocating safe driving and seatbelt usage, as well as safe practices around home improvement jobs or other activities that may cause its workers to miss work or be less attentive while there, and increase health care costs? In our experience, the frequency and severity of off-the-job injuries or illnesses goes down as the organization’s safety climate and organizational culture improves. Today, the Avian Flu, HIV/AIDS, and threats of terrorist attacks may be seemingly uncontrollable risks for global firms.
Terrorism is now a global threat designed in part to disrupt normal business and economic activity. In the past, outbreaks of Legionnaires’ disease in the US, and globally, smallpox and malaria, have posed difficult problems and placed stress on the organization. Directors should be asking what anticipatory planning is being done and how the leadership of the organization might respond to such threats.

Are our employees aligned with the board, CEO and other leaders in our ongoing commitment to safety and how are we assuring maximum employee engagement?

Organizations that achieve safety and health excellence find ways to engage employees throughout the organization. True employee engagement creates personal commitment and accountability, and accountability is critical in improving safety and creating a performance-oriented culture. This is equally true whether a workplace is organized or not. Engaging employees means more than putting up posters or having safety contests. Most employees have a natural interest in their own safety and the safety of others, and are open to becoming engaged. But actually engaging them requires an organizational culture that values safety highly, as well as leaders who express the value consistently in the things they say, the beliefs they hold, and the decisions they make every day. Directors should ask to what extent employees are engaged in safety improvement, how that engagement can be measured, and what steps are underway to improve it.

What kinds of cognitive bias may be affecting the quality of deliberations on environment, health and safety among our senior leaders, including our own board members?

A rich literature suggests that even the most thoughtful leader is subject to a variety of “cognitive biases,” habitual and largely unconscious ways of estimating the likelihood of uncertain future events. Such biases often cause wrong decisions. The most visible recent example of this process is the failure of the space shuttle Columbia. The accident investigation panel found that NASA knew the properties of foam and the hazard that it represented. However, the organization gradually became accustomed to the acceptability of the risk of foam loss and began to rely on its experience of successful missions rather than its knowledge of the actual risk. A culture developed that allowed this risk to exist in spite of the fact that it was known. This is one example of a bias in judgment that had catastrophic consequences for the nation. The director must ask: “Where are we subject to bias in the way we evaluate risk and predict the probability of uncertain future events?”

Just asking these 12 questions at regular board meetings and at meetings of the board’s environment, safety and health committee will engender a safety climate that may over time lead an organization to a zero-tolerance culture for worker injuries and illnesses. At a minimum, they help the board in assuring its own diligence in the oversight of safety risks and threats, all of which erode the ability of a company to deliver great results.

Tom Krause is the chairman of the board and cofounder of Behavioral Science Technology, Inc., (BST) in Ojai, California. John Balkcom is an independent director of Aleris International, Inc. (NYSE: ARS). John Henshaw is the former Assistant Secretary of Labor for Occupational Safety and Health.

Board Secretary

The Washington Metropolitan Area Transit Authority (WMATA) operates the second largest rail transit system and the fifth largest bus network in the United States. America’s Transit System, a national monument in its own right, transports more than a third of the federal government to work and millions of tourists to landmarks in the Nation’s Capital.
Metro ties the Washington region together and opens doors to opportunities—for jobs, economic development, education, and cultural experiences. WMATA is currently seeking candidates for the position of Board Secretary. This high-level executive position directs and manages the staff and functions of the Office of the Secretary to ensure the preparation and distribution of Board requests and agendas, meeting notices, and resolutions for the Authority. The Board Secretary conducts quality reviews on all Board items, coordinates the scheduling of board meetings, facilitates the public hearing process, and serves as the official record keeper for the Authority and as the principal contact for the Board of Directors. Successful candidates will have thorough knowledge of administrative systems and procedures; the ability to conceive and implement actions that provide responsive and effective support to the Board; a demonstrated ability to provide effective administrative support to the General Manager; the ability to communicate effectively on Authority and Board of Director issues; and the ability to respond to directives with high levels of judgment, diplomacy and tact.

Minimum Qualifications

• Bachelor’s Degree in Business Administration, Public Administration, or a related field
• Twelve (12) years of progressively responsible and diversified executive level administrative management
• Supervisory experience that demonstrates expertise in developing and implementing major policies
• Experience in interacting with the public including external executives and/or Board of Director members

WMATA offers competitive compensation and exceptional benefits packages. Qualified individuals may submit a cover letter and resume to (no emails or faxes please):

Washington Metropolitan Area Transit Authority
Attention: Ms. Katrina Wiggins, Director
Office of Human Resource Management Services
600 Fifth Street NW
Washington, DC 20001

Surprises in CEO Succession

By Daniel Fairley, J.D. and David A. Bjork, Ph.D.

One of the biggest disasters that can affect any business is a disability affecting the CEO.

No one had even thought about the possibility of partial disability when they developed a succession plan for the CEO. So when CEO Andy Brody recovered from a stroke but didn’t hit his stride again, the board needed to figure out what to do. It wasn’t clear that Andy was disabled, so he probably couldn’t qualify for disability insurance. And the opportunity for an important joint venture meant that the board needed to step into the breach. While it didn’t work out quite the way it was meant to when the plan was developed, a good succession plan helped.

Western HealthCare was a $1 billion business, with the lives of thousands of patients and the livelihoods of 5,000 employees and 800 physicians at stake. The crisis came at a difficult time for one of the biggest health systems in the West. The 55-year-old CEO of Western HealthCare didn’t seem focused on getting the deals done. The system had an opportunity to forge a closer relationship with the local medical school. It was negotiating a merger with the largest multi-specialty group practice in the area. And it was developing a new heart hospital with its cardiologists. The board didn’t know what to do. It wasn’t ready to fire Andy; it couldn’t even agree whether his lack of focus was a lingering effect of the stroke. Some directors thought he was getting better and wanted to wait to see if he returned to normal. Others felt that they couldn’t afford to wait, given the urgent need to settle the three impending deals. Andy couldn’t see that there was a problem. He didn’t think he was still suffering from the stroke. He’d come back to work several months ago and thought he was handling everything fine. And he’d just gotten a vote of confidence from the board when they extended his contract for another three years.
Difficult Decisions

There was a succession plan in place, but the board was having difficulty making a decision. The plan called for naming 42-year-old COO Sue Jensen the interim CEO, at least, if not actually giving her the job on a permanent basis. She had 5 years’ experience as COO and was well regarded by the board and, for the most part, the medical staff. Andy had been increasing her responsibilities steadily over the years and had been giving her opportunities to develop her leadership skills for as long as they had been working together. The difficulty was figuring out whether or when to pull the trigger. The board suspected Andy wouldn’t qualify for disability insurance, and felt it wasn’t fair to terminate him without adequate income, given his stellar record leading the system for 15 years. Under Andy’s leadership, the system’s hospitals had won numerous awards and become one of the largest and most-respected health systems in the country. The severance policy would cover three years, but there would be a gap of four years before his SERP would begin paying retirement benefits. The board hired outside experts to help identify alternatives and decide how to proceed. Consultants interviewed board members and Andy. They found that Andy wasn’t willing to file a claim for disability or publicly admit that anything was wrong. The board had five choices: do nothing, wait and see, get Sue to quietly take on more responsibility, get board leaders to take on more responsibility, or make a change then and there.

Transition Time

The board settled on a combination of the last three.
It asked Sue to take on much of the CEO’s leadership responsibility; several directors agreed to take over negotiations with the medical school and the physicians; and it began to work out the details of a transition plan with Andy. The board wasn’t ready to appoint Sue as the next CEO because it couldn’t yet announce Andy’s resignation. And it decided that it would be best to look at other candidates as well, so that if and when it chose Sue, it would be because she was clearly the best qualified candidate for the position. Recognizing that the hospital couldn’t afford to lose Sue at the same time as Andy, it gave her a retention agreement that paid a large reward if she stayed in place for two years and a larger reward if she were not formally named the next CEO. Over the next few months, the board worked out the details of a transitional arrangement with Andy, which would maintain a reasonable income for him until age 62, when his SERP would begin to pay retirement benefits. It agreed to allow Andy to resign “to pursue other opportunities,” without acknowledging any disability. Once this agreement was made, Andy resigned, Sue was named interim CEO, and the board hired a search firm. The search yielded four external candidates, each of whom had already been CEO of a large health system. Much as the board liked, respected, and trusted Sue, it decided to hire one of the external candidates instead, mostly due to his substantial prior experience as CEO, but partly because Sue had had to make some changes within the system that alienated a significant number of faculty physicians. Hiring this new CEO from outside would give the system a fresh start in rebuilding relationships with the medical school, the cardiologists, and the multi-specialty group.
Retention Issues

Because Sue had already been managing all operations and was deeply involved in maintaining relationships with the medical school and the medical staff, she was ready and able to take on additional leadership responsibilities and managed to keep everything on a steady keel during the time between Andy’s departure and the new CEO’s arrival. At the same time, directors kept negotiations with the medical school and the multi-specialty group moving ahead, and Sue handled negotiations with the cardiologists. The new CEO, David Gonzalez, finally arrived 12 months later, 18 months after this transition process began, and 24 months after the stroke that set it all in motion. Sue stayed another six months, until the retention agreement was fulfilled, when she left for another CEO position. It took an additional 12 months to work out the deal with the medical school, and six more with the multi-specialty group, but the agreement with the cardiologists was settled more quickly. The leaders of the board had to stay involved in the negotiations with the medical school to maintain continuity, but also because the new CEO hadn’t yet had time to develop credibility with the dean and faculty. Because Sue managed to keep the business running smoothly over the 30-month period, the crisis precipitated by Andy’s stroke did not cause any serious disruptions. Because directors were willing to devote the time needed to negotiate the details of the agreements with its most important partners, they managed to move the hospital into a stronger position. And because the board was able to offer Andy a generous settlement that allowed him to maintain much of his income without working, as well as lifetime health care benefits, the transition occurred with almost no publicity for the institution or for Andy. While the succession plan didn’t work out exactly as expected when it was developed, the existence of the plan made it significantly easier for the board to move ahead.
Taking time to consider alternatives, choose the best option, and then develop a plan and timetable for the transition helped Western HealthCare proceed with business more or less on schedule. And while it took longer and was more expensive than anticipated to find and hire the new CEO, the board was satisfied that it had handled this crisis as well as it could have given the circumstances. David Bjork is a managing director in charge of the Cash Compensation Division for Clark Consulting—Healthcare Group. Dr. Bjork leads the Healthcare Group’s team of cash compensation consultants, which helps clients develop performance-based compensation programs and advises boards on governance of executive compensation. His projects include developing reward programs, refining performance measures, and helping boards govern executive compensation. He has published a number of articles and book chapters on executive compensation in the health care industry. Dr. Bjork earned an A.B. at Harvard, an M.B.A. in finance at the University of Chicago, and a Ph.D. from the University of California at Berkeley. Before joining the Healthcare Group, he was a consultant with the Hay Group for 12 years and, before that, taught at the University of California and the University of Chicago. Dan Fairley is a senior vice president of Clark Consulting— Healthcare Group. He specializes in leadership transition planning and executive compensation. Fairley’s distinguished career has emphasized health system development; acquisition strategy/implementation; and health care contract negotiations. Before joining Clark Consulting—Healthcare Group, he was senior vice president of the Memorial Health System and President of Healthcare Network Associates in Springfield, Illinois. Earlier in his career, Fairley was a vice president of the ServiceMaster Company LP. He also saw prior service as a vice president and assistant general counsel for VHA, Inc. and VHA Supply Company, Inc. 
Fairley served as legal counsel and as a business development officer. Fairley holds a bachelor's degree and a Juris Doctor degree from Indiana University.

(continued from page 16) the environmental arena. Security compliance, like environmental compliance, should include oversight by a committee of the board, board review and audits of security matters, and direct reporting from the chief security officer to the CEO. Terror warnings and color codes will remain a fact of life for the indefinite future. In an effort to do its part, the government will continue to look to the private sector not only to secure its own assets but to show judgment and leadership. Robust business continuity planning may not be a total deterrent, but it is a step toward better protection of the interests of the corporation and of the larger public good.

Alston & Bird partner Joe D. Whitley was appointed by the President as the first General Counsel of the United States Department of Homeland Security (DHS), the highest-ranking legal official in the department. He held that position for two years before his departure and return to private practice. Previously he had led Alston & Bird's white-collar and government investigations practice. At DHS Whitley oversaw approximately 1,500 lawyers and 400 support staff from numerous agencies, including the Secret Service, the Coast Guard, Border and Transportation Security, the Transportation Security Administration, Information Analysis and Infrastructure Protection, and Emergency Preparedness and Response (FEMA). Whitley previously had an extensive career in the Department of Justice, serving as the Acting Associate Attorney General, the third-ranking position in the Department of Justice, in the George H.W. Bush administration. He was appointed by Presidents Reagan and Bush, respectively, to serve as U.S. Attorney in the Middle and Northern Federal Districts of Georgia.
At the time of his appointment he was one of the youngest persons ever appointed U.S. Attorney and the only person ever to serve as a Senate-confirmed U.S. Attorney for two separate jurisdictions. Throughout his career Whitley served under five United States Attorneys General. Whitley received his J.D. and his undergraduate degrees from the University of Georgia.

(continued from page 13)
• Loss of key personnel, through death or resignation
• Loss of high-value customers
• Business partner failures
• Denial of service (DoS) attacks
• Theft or unauthorized disclosure of customer data
• Work stoppages, and
• Theft or loss of mobile computing devices

As in the case of non-IT assets, the business continuity plan should address these lesser incidents, in the process providing a real return on the business continuity investment.

Is the business continuity plan integrated with other emergency management plans? A business continuity plan is only part of an overall emergency response protocol. To avoid redundancy, eliminate confusion, and expedite recovery, the business continuity plan should be consistent with, and developed with full knowledge of, all other emergency plans. These plans include:
• Evacuation
• Shelter in place
• Emergency medical, and
• Crisis management

Does the business continuity plan enjoy the support of senior management? For everyone but the business continuity planner, business continuity is a lesser priority, often viewed as an expensive distraction. Under these circumstances, it's important (make that, essential) that company executives and senior managers promote both the concept of business continuity and all efforts aimed at developing, maintaining, testing, and auditing the company's business continuity plan.

In case you missed the memo, paper documents still account for a sizable portion of a company's vital records.

Are copies of the business continuity plan readily accessible?
All company managers and senior staff should have a current copy of the business continuity plan, both at work and at home. In addition, the Program Management Office (PMO) should accept responsibility for distributing plan updates as they become available.

One revealing test is to determine if the plan can be executed by "non-experts."

Ted Brown, CBCP, is president & CEO of KETCHConsulting. As IBM's first Business Recovery Services sales executive, Brown led Business Recovery Services growth from zero revenues in 1989 to $500 million in 1998. Brown is the author of the acclaimed white paper, "How to Negotiate a Hot Site Agreement." In 2002, he was elected to the Contingency Planning & Management Hall of Fame, along with former New York City mayor Rudy Giuliani. Most recently, Brown formed his own consulting firm, KETCHConsulting, specializing in business continuity planning and education. A graduate of Penn State University, Brown resides with his family in northeastern Pennsylvania. He can be reached at [email protected]