Business Continuity and Compliance Management
NEDRIX Conference - 13 June 2006
Donald Byrne, CBCP
NORTH RIVER SOLUTIONS, Inc. & Communication Monitoring and Surveillance Systems, LLC
Background:
• $100 million division of a public $1.8 billion specialty gas and propane company
• A Sunday in February, around 8:30 PM.
• Accident involving driver of propane truck who was loading the tanker.
• Lost both legs
* WASHINGTON, DC, February 24, 2000— Concerned about the number of fatigue-related truck and bus crashes on the nation's highways, the National Sleep Foundation (NSF) today released a position statement calling for new hours-of-service rules for commercial drivers based on scientific research regarding sleep.
OSHA and police investigation shuts down “tanker farm” for at least 1 week
• Immediate Business Continuity challenges include:
- Locating “valid drivers”*
- Finding available trucks of the right configuration
- Finding an alternative supply of “product”
- Equipping the drivers with route material
• Longer Term Business Continuity Challenges include:
- Crisis Communication and PR challenge
- Potential litigation problem
- Need to cooperate with local authorities
- Customer Communication and expectation management
Business Continuity Challenge: An Example
(Several of the challenges above are flagged on the slide as a Compliance Issue.)
The Role of BCP is… to keep your business running regardless of the size, extent or nature of the “interruption.”
BCP is not just about disasters & 1st Response!
It’s About Dealing With Everyday Challenges AND Protection Of Certain Types of Strategic Assets
Compliance Is A Different Matter: Adherence to standards, rules and policies
Compliance is also an Everyday Responsibility and Sometimes… It’s the Law! (or something close to it)
Some Takeaways
Gain insight into the interplay between Business Continuity and Compliance Management
Introduce some helpful models
Speculate about future development
Why You Should Care?!!
Regulators are working on these issues FULL TIME - are You? (Eliot Spitzer has a lot of energy)
Advisors can’t tell you what they don’t know
CEOs and BODs are becoming aware of compliance and its implications
Enron Founder, Kenneth Lay
Lawyers have little understanding of the interplay between BCP and Compliance
Deputy Attorney General Paul McNulty (center)
Former Enron Executive Jeff Skilling and his attorney Dan Petrocelli
How BC and CM Relate To Each Other
Compliance: Focus is on a set of prescribed requirements (processes and reports) that demonstrate adherence to certain prescribed activities that must be followed and maintained.
Business Continuity: Generally, a response to risks that threaten the operations of an enterprise or public service.
But this is changing!
Two Different Personalities
BC Planners are a hardy group! They spend their time focused on the unthinkable.
Whereas regulators are often misunderstood! They are concerned with public welfare and maintaining fair and consistent treatment levels.
An Integrated Protection Model
(Diagram of protection domains: Life Safety / Emergency Response; Intellectual Property, Processes & Vital Records*; Business Continuity Planning; Operations Resiliency Planning; Regulations / Corporate Governance; Property, Facilities and Infrastructure / Physical Security; Financial Capacity / Cash & Credit Management; Insurance / Business Risk.)
* According to the Brookings Institution, 15% of the market value of an enterprise resides in tangible assets, while 85% rests in intangible assets - the largest part of those intangibles being information.
Compliance Tiers: A 5 Layer Model
(Diagram of the five tiers and who sets them:)
- Laws, Statutes: Legislators and Government Agencies
- Rules, Regulations: SEC, ABA, FASB, NASD, AMA, AICPA (Professional Associations & Agencies, Quasi-Government)
- Contracts, SLAs: Market Forces and Competition
- Policies, Governance: Organizations and Management
- Practice Standards
A Bit More On Governance: The 5 Elements of Governance
1. There is a Mission Statement or set of Guiding Principles
2. There are clear policies and standards
3. There is someone who is clearly in charge and accountable
4. There is a reporting framework
5. There is an oversight function
The new emphasis on governance is a reaction to events and an attempt at self regulation
Record Keeping Standards
(Diagram: a High / Medium / Low scale of record keeping standards set against the five tiers: Laws & Statutes; Rules & Regulations; Contracts & SLAs; Policies & Governance; Practice & Standards.)
QUESTION: How long must I keep the information?
BEST ANSWER: What is the statute of limitation?
BCP And Protection: An IT Example
(Diagram: a timeline in Secs / Mins / Hrs / Days / Wks on either side of a Business Interruption. To the left, the Recovery Point, i.e. RPO (Data), with the options Sync. Replication, Async. Replication and Tape Backup. To the right, the Recovery Time, i.e. RTO (Processes), with the options Clustering, Online Restore, Remote Replication and Tape Restore.)
Key Point! Varying RTO and RPO Requirements
A business interruption does not justify a suspension of compliance practices.
Business Cycle Compliance Deadlines
New BCP/CM Considerations (issues not addressed by simple RTO & RPO guidelines):
• Quality of the Information
• Security of the Information
• Chain of Custody Records
• Preservation of Metadata (the concept of Spoliation)
- Spoliation can lead to very severe consequences
- Legal Consequences (evidence refused)
- Financial (settlements and legal fees)
- Fines (up to $5 M for SOX violations)
- Imprisonment
- New Causes of Action
Setting New Guidelines
Since organizations must remain compliant, even in the face of a major interruption…
AND… since the consequences of non-compliance are fines, suspension, or possible executive imprisonment…
…what priority will you assign to compliance processes and reporting?
Perhaps a new metric is appropriate:
Recovery to Compliance Objective (RCO?)
Pop Quiz
Who will decide if…
… you have a quality business continuity plan?
… you trained your fellow employees adequately?
… you are doing a good job?
A. Your Immediate Supervisor? B. Your CEO? C. The Regulators?
Answer “D”
Let’s Talk About Laws
“Laws are like sausages, it is better not to see them being made.” Otto von Bismarck
Laws Govern Every Area Of Life: 10,000 + laws already “on the books!”
> 4,000,000 Employees Enforcing These Rules
Evolution of a Regulation
(Diagram: Laws - Statutes - Acts; the Regulation is Written, followed by Awareness and Briefings, then General Understanding, and finally the Regulation is Interpreted by the Courts. Timeline markers: SOX, GLB, USA PATRIOT Act, Other Post-9/11 Regulations, TODAY.)
Guideline: It takes ~100 Court Cases to “understand” what a law means!
Establishing Compliance Guidelines
Tier     Guideline Category       Who Decides    Review #
Tier 1   Laws, Statutes, Acts     The Courts     ≥ 100
Tier 2   Rules & Regulations      Arbitration    ≥ 25
Tier 3   Contracts & SLAs         Negotiation    Individual
Tier 4   Policies & Governance    Management     Arbitrary
Tier 5   Practice Standards       Dept Head      Arbitrary
The courts are always an option!
Compliance Differs Across Industries
(Diagram* comparing industries - Financial Services, Healthcare, Mfg & Distribution, Legal, Retail, Hospitality, Energy, Telecom, Real Estate, Service Industries - against the levels of statutes that apply: Local, State, Federal, International and Industry Statutes.)
* This graphic is for illustration purposes only and not meant to be a precise representation
Pop Quiz: Meaning of the Title: USA PATRIOT Act?
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
The High Cost of Compliance!
• The Cost of Compliance in the US - SIA Research Report.
- Key Finding: The cost of compliance has doubled in 3 years from $13B to $25B
- “The overwhelming percentage of this cost was due to staffing requirements.”
- The SEC is considering an initiative against corporations funding executive defense
- NASD Rule 3013 augments and extends CEO accountability
• 50,XXX,XXX personal files lost - cost ~ $400,000
• Financial Executive Institute estimates that the Russell 2000 firms spent an average of $4M each on preparing for SOX audit standards
• Freedom of Information Act has released hundreds of millions of pages of information. A similar Act has just gone into effect in the UK.
• Recent survey: spending on compliance is averaging 2% - 10% of IT
• Sadly, there are many other examples.
Every day the cost of non-conformity goes up!
A Mid Point Summary
(Diagram of the two disciplines side by side.)
Business Continuity Management: People; Workspace; Facilities; Processes; Public Agency Coordination; Crisis Communication; Emergency Response Plan.
Compliance Management: Sarbanes Oxley; USA PATRIOT Act; HIPAA; Gramm-Leach-Bliley; Over 10,000+ Regulations; Industry Regulations; Government Statutes; Laws and Rules.
Shared assets: Documents and Records; Databases; Customer Records; Organizational Intellectual Property.
The Convergence of BC and C
Business Continuity and Compliance Management OVERLAP with regard to processes, vital records and custody chains!
(Venn diagram: Business Continuity - People, Workspace, Facilities, Processes, Public Agency Coordination, Crisis Communication, Emergency Response Plan - overlaps Compliance Management - Sarbanes Oxley, USA PATRIOT Act, HIPAA, Gramm-Leach-Bliley, Over 10,000+ Regulations - in the shared area of • Processes and • Records.)
Current and Future Trends
• Emerging Standards
• Further encroachment by existing regulations
• Electronic Usage Policies and E-Discovery
• Digital Signatures
Emerging Standards: ISO 17799, PAS 56, NFPA 1600
Prediction:
- These will become the accepted standards
- Each US State will also “get involved”
- The ICS model will dominate
- There will be a terminology “battle”
Electronic Usage Policies
(Diagram: the regulations NASD 3010, 3020, 3510; Rule 206(4)-7; USA PATRIOT Act; HIPAA; Gramm-Leach-Bliley; Sarbanes Oxley; SEC 17a feed into an organization’s Policies and Procedures, which are reviewed by Regulators.)
Every major regulation has a requirement to monitor communications,and the requirements are the same regardless of organization size!
A Second Consideration
E-Discovery: the review of electronic records as part of a litigation. A recent California study showed that the cost of E-Discovery was significantly impacted by the existence of a well organized, well documented archiving system.
- For “serious cases”:
- Unorganized files took an average of 37 days per employee ($257,400)
- Organized files took an average of 23 days per employee ($160,000)
- 80% of these costs are related to the labor rate of the lawyers hired
- The alternative: $15 M fine to Morgan Stanley for destruction of e-mail records
- Several court cases have responded to the unavailability of e-documents as a reason to give “adverse instructions” to a jury
How long to hold on to information?
- Best advice - check the statutes of limitations
- Be consistent but not retrospectively!
Active Management Is A Requirement
The Consequences Are Severe, But who has the time?
• NASD and SEC Rules
• SOX, HIPAA, GLB, etc. - all have monitoring requirements or at least audit, review and retention policies
E-Discovery And BCP
Federal statute: Title 18 Part 1 Chapter 47 Section 1030 “Fraud and related activity in connection with computers”
3 Emerging Areas of E-Discovery:
• E-Communications: the collection, processing, review and production of electronic documents for resolution of important investigations and litigation matters.
• Computer Forensics: the who, what, when, where, and how of computer-related conduct.
• Paper Review: analysis and comparison of paper files versus their online equivalents.
These principles are being expressed in newer statutes
• Sections of the Sarbanes Oxley Act of 2002: “Criminal Penalties for Altering Documents” - Section 802; “Tampering with a Record or Otherwise Impeding an Official Proceeding”
Another Trend To Watch: E-Signature
• “The Electronic Signatures in Global and National Commerce Act” signed into law by President Clinton in November, 2000 at Congress Hall in Philadelphia near Independence Hall.
• First version of the law was promulgated in Utah
• Augments the “Government Paperwork Elimination Act”
• In May, 2003 the Office of Management and Budget provided government agencies with guidance that they should begin using E-Sign technology.
• Unfortunately, the Department of Justice told some of the same agencies that without case law, they couldn’t certify that E-Signatures are legal.
Lack of trust is a HUGE issue!
The world is getting more confusing and overwhelming every day
Some Conclusions
(Diagram: BC&C as the meeting point of the Business Continuity vocabulary - Disaster Recovery, Emergency Response, Contingency Planning, Incident Management, Risk Management, Business Continuity, Data Backup, Operational Resiliency - and the Compliance vocabulary - Rules, Statutes, Reports, Filings, HIPAA, NASD 3510, SOX, USA PATRIOT Act, SEC 17a, Gramm-Leach-Bliley, ISO 17799.)
Conclusions - Continued
• The merger of Business Continuity and Regulatory Compliance Management markets is taking place rapidly and is irreversible!
• This market requires annuity spending on goods & services
“Unlike Y2K, this (SOX compliance) is not a one-time buy. It will be a fact of life for years to come” John Hagerty, AMR Research
AMR anticipates that the breakdown (compliance spending) will be:
- Internal labour/headcount 44%
- Outsourced services (advisors and consultants) 33%
- Technology 19%
- Other 4%
• Regulatory Compliance may be as big as Business Continuity“Guardian Life spends 3 percent of its IT budget on compliance and another 2% on somewhat related functions, such as business continuity and risk management” Bank Systems & Technology
“59% (of business-technology executives) say their spending on compliance will go up this year, while only 6% predict a decline”
Bank Systems & Technology
Spending Will Increase!
Closing Takeaways
• Reach out to your compliance colleagues - they are allies!
• Brief management on the need to stay compliant (justification)
• Incorporate compliance into your BCP plan
• Monitor changes to regulations
• Most important, don’t just meet your obligations - go beyond