An Interview with Alan Berman, CBCP, MBCI

The Disaster Resource GUIDE recently interviewed Mr. Alan Berman, a noted author and worldwide speaker on the subject of business continuity regulations.
Mr. Berman is a CBCP, MBCI, and NFPA committee member, a member of the NY City Partnership for Security and Risk Management, Treasurer and Executive Director for Disaster Recovery Institute, and the co-chair for the Alfred P. Sloan Foundation committee to create the new standard for the US Private Sector Preparedness Act (PL 110-53). Over a career that has spanned 25 years, he has served as a President and CIO for a major financial institution, National Practice Leader for Operational Resiliency for PricewaterhouseCoopers, and Global Business Continuity practice leader for Marsh.
Disaster Resource GUIDE: There seems to be a lot of activity centered around Business Continuity regulations, guidances and standards these days. Any comments?

Mr. Berman: The combination of a British Standards Institute (BSI) standard and a US requirement to create a private sector preparedness standard (Title IX of the US Private Sector Preparedness Act) arriving within a short span of each other has created a flurry of activity around regulations and standards. In reality there has been increasing activity over the last 25 years, especially since 2001. The chart below provides some indication as to the volume and frequency of regulatory, standards and guidance activity.
Q: Can you define the use of regulations, guidances and standards?

A: A regulation is created and enforced by a recognized regulatory body; e.g., the Securities and Exchange Commission, the Federal Reserve or a federal, state or municipal authority. Regulations tend to be mandatory and punitive. Guidances are produced by professional organizations that provide “best practices” for various operational and control matters. Standards, for the sake of this discussion, are formally approved policies, procedures or instructions from a recognized standards body, for example the American National Standards Association (ANSI) or the International Standards Association (ISO). Standards, like guidances, are non-punitive, but carry the positive connotation of providing a “seal of approval” for organizations that can perform up to the standard.
Q: But aren’t most regulations and guidances centered on the financial industry?

A: Certainly, the financial sector (banking and investment firms) has been at the forefront of the regulations and has invested the most money in creating a more resilient processing and information model. In the US the FFIEC (Federal Financial Institution Examination Council), which governs the operations of federally chartered banks, has been around the longest, and in my opinion is the most robust of all the regulations. It is used by both state and federal bank auditors and provides the most comprehensive set of detailed implementation and review procedures. The SEC, NASD and NYSE have created their own standards and operational review procedures to govern security dealers. The financial standards can be seen around the world from the FSA (Financial Services Authority) in the UK to the MAS (Monetary Authority of Singapore) in Asia to the more global Basel Committee’s Capital Accords and Sound Practices for the Management and Supervision of Operational Risk. In essence, the financial world has recognized the impact associated with any operational interruptions.

But it is also important to realize that there are business continuity regulations associated with other industry sectors. Energy has FERC (Federal Electric Reliability Council’s Security Standards for Electric Market Participants) and NERC (North American Electric Reliability Council’s Security Guidelines for the Electricity Sector). Health care has HIPAA (Health Insurance Portability and Accountability Act) covering all healthcare providers who transmit or store patient healthcare information, as well as JHACO (The Joint Commission on Accreditation of Healthcare Organizations), and the FDA (Federal Drug Administration) good practices for manufacturing, laboratory and clinical testing, as well as for computerized systems, just to name a few other industries.

In essence we are seeing more segments creating standards for business continuity.
[Chart: volume and frequency of regulatory, standards and guidance activity]
Q: But aren’t most of the activities centered on the recovery and/or continuity of the technology environment?

A: Fifteen years ago the answer probably would have been yes, but business continuity has become a more holistic process, encompassing all of the elements necessary to maintain the viability of the business entity during an interruption. Undoubtedly, the ability to use technology is a very important aspect of business continuity. But it is one of many vertical components of the entire operational environment. Consider the facilities, personnel, equipment, supplies, etc., all of which also play a key role in restoring operations to a state of normalcy. The regulatory bodies have also recognized this and have clearly pointed out that “Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology,” (FFIEC 2003); “Business Continuity Management (BCM) is an over-arching framework that aims to minimize the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology (IT) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations,” (MAS 2003); and “Business continuity management describes a whole of business approach to ensure critical business functions can be maintained or restored in a timely fashion,” (Australian Prudential Standard – 2005).

The world has recognized the need to recover the business and operational entity as a whole, not just the technology components. In fact, given the recent concern over pandemics, which is clearly seen as a personnel issue having little to do with technology, it points out the need to take a holistic approach to business continuity.
Q: What if my industry is not covered by a regulation?

A: Even if your industry segment is not specifically addressed by a regulation, companies may find that their customers will require that they adhere to the same regulations as the covered entity. For example, under appendix D of the FFIEC, “Institutions should review and understand service providers’ BCPs and ensure critical services can be restored within acceptable timeframes based upon the needs of the institution. If possible the institution should consider participating in their provider’s testing process.” HIPAA provides for similar compliance from its “business associates.” So the burden on non-regulated organizations may even be more onerous than that of covered entities. A supplier may be forced by its banking clients to comply with the very strenuous FFIEC regulations, even if the activities they perform may be as minor as being a printer of forms used by banks.

And then there are the statutory considerations that may find companies and even governments negligent and subject to civil penalties for “failure to plan” or “failure to prepare.” So it is very likely that in one way or another all entities are probably going to have to adopt a business continuity plan.
Q: What if I am a multi-national and have to comply with the regulations of many countries?

A: Very much like those entities that are being required to conform to customer regulations, multi-nationals will have to create a business continuity program that will have to allow them to adapt to regulations of the country in which they do business. That is why there is such activity around creating standards. The best business continuity programs provide “flexibility within a framework” to allow them to adjust some aspect of the plan to meet the requirements of varying jurisdictions.

This ability to adjust to varying rules is not dissimilar to adjusting to customer requirements. So having a good foundation for the planning process is critical.
Q: There are many people who are being pressured to comply, but are not sure what to do. Any advice?

A: Wait – remember this is a VOLUNTARY standard. If you don’t comply there is no penalty. BS25999 was announced with a lot of marketing fanfare provided by non-government training and consulting firms. The swirl of misinformation has created a sense of urgency, which does not really exist. Consider the fact that this is a British standard, not a global one. So if you rush out to meet this standard and the US one is different, you are likely to have done more harm than good.
Q: What about the US “Private Sector Preparedness Act”?

A: In August of 2007 the President signed into law PL 110-53. Title IX of that law provides for “Private Sector Preparedness.” The law was originally intended to implement the recommendations of the 9/11 Commission. The essence of the recommendations from the commission was to implement the NFPA (National Fire Prevention Association) 1600 ANSI standard for the United States. Along the legislative route the words “or others” were added after NFPA 1600, opening up the possibility of considering other standards. This process is underway. DHS has appointed FEMA as the government organization responsible for creating the standard and overseeing certification of companies.
Q: I know you were involved in the effort to help create a standard that is being considered by the Department of Homeland Security, Federal Emergency Management Agency. Can you describe the effort?

A: I was fortunate enough to have been asked by the Alfred P. Sloan Foundation to chair the committee to create the new standard. Working with some of the most dedicated people from the other professional organizations, we were able to draft what we feel is a workable and adaptable standard that will achieve the objective of making companies more prepared, without adding an undue burden on them. It provides for use of existing regulations and standards requirements that have eight basic elements needed to show preparedness. The idea was to provide credit for efforts already completed by many companies as part of their regulatory audit process and for those who have used existing recognized standards around which they have built their programs. This would include NFPA 1600, DRI International 10 professional practices, FFIEC, NERC, and other recognized standards. What we are trying to avoid is a reoccurrence of the expense and efforts that surrounded Sarbanes-Oxley compliance.
Q: Do you have any other concerns about the new regulations?

A: I am greatly concerned about the legislation’s impact upon small and medium-sized businesses that will bear an undue burden in an effort to comply. Although PL 100-53 has language with special considerations for small business, once the large companies decide to comply with the new standard, small and medium-sized companies will be forced to comply in order to satisfy their customers’ requirements. The government will be in no position to ask for relief for small and medium-sized businesses, as the regulation is voluntary and hence not subject to legislative relief. The only practical way that small and medium-sized companies can demonstrate their level of preparedness is for there to be tools available to them that will let them self-assess their current state. A second set of tools can provide a means to help improve their preparedness. This will ensure their customers that they have attained a level of preparedness that will allow them to survive interruptions.
Q: Any final thoughts?

A: The use of recognized processes for creation of business continuity programs will serve any organization well. As the standard develops, it is very likely to embrace an established structured approach containing elements that are recognized by business continuity professionals. Those companies who have used such a process will find that they will have little trouble complying with the new standard.