Business Continuity: What’s your backup plan?

“By the time you hear the thunder, it’s too late to build the ark.” – Unknown

In today’s global economy, organizations don’t have to be in the same region of the world for their operations to be affected adversely by a catastrophic event. A prime example: the Tohoku earthquake in Japan in 2011, and the tsunami and nuclear crisis that followed. Simply consider Japan’s dominance in the auto and semiconductor industries, and it’s not hard to imagine how these events created ripple effects for companies in Europe, the United States and elsewhere. Many leading businesses suffered losses in the millions – and some in the billions – due to the triple disaster in Japan because they had assumed risks in their supply chain from which they could not recover on a timely basis when the “unthinkable” occurred.

Business continuity management (BCM) is an overarching strategy encompassing crisis management, business recovery planning and information technology (IT) disaster recovery.

Extreme weather, systems failures, cyberattacks and pandemic risks are just a few examples of plausible adverse events that can occur. In 2012, natural disasters alone accounted for $186 billion in global economic losses, according to a report by insurer Swiss Re.

Nobody can predict when the next disaster will strike or, importantly, whether it will impact the footprint of a company’s operations, including its upstream suppliers and downstream channels. That said, companies can prepare by making BCM part of their risk management strategy.

In December, Protiviti published the third edition of our Guide to Business Continuity Management. While it offers a much deeper dive than this blog allows, to start this conversation, here are some elements of a good contingency management program:

  • Program design and deployment – Comprises policies, standards and responsibilities for each key area: crisis management, business resumption and IT disaster recovery.
  • Business impact analysis (BIA) – Represents recovery objectives for business processes and technology, with business and economic justification for each.
  • Risk assessment – Identifies and prioritizes threats and failure scenarios to which the organization may be vulnerable.
  • Strategy design and implementation – Establishes a cost-benefit analysis of the organization’s needs, driven by the results of the BIA and the risk assessment.
  • Documentation – Encompasses response, recovery and restoration procedures to enable effective business continuity operations.
  • Testing – Validates and continuously improves continuity strategies and plans.
  • Training – Keeps business continuity plans “top of mind” for employees.
  • Compliance monitoring and audit – Ensures compliance with business continuity standards.

That’s for starters. We also find that most companies want some savvy lessons learned based on the experience of others who have faced catastrophic disasters and significant disruptive events:

  • Decentralize core IT functions, so that if any one location is effectively wiped out, other sites can perhaps pick up the slack. While redundancy costs, it can save the day when the unexpected happens.
  • During business continuity planning, consider all scenarios stemming from the impact of losing strategic sources of supply for a period of time as a result of natural disasters and terrorism. Assess the immediate impact to the supply chain (e.g., specific suppliers, products and markets) both in terms of supply outage and financial impact, determine expected recovery time following disruption, and implement pre-defined and tested response plans to minimize the impact.
  • If the unthinkable were to happen and affect a single-source supplier or strategic supplier on which the company relies:
    – Supplier relationships honed over a period of years cannot be replaced overnight with an expectation of comparable performance levels. Strategies to expedite the recovery process include identifying alternate suppliers or contract manufacturers that can assist following a no-notice manufacturing or logistics disruption.
    – Engaging alternative suppliers may require changing product specifications or working closely with other key suppliers to develop alternatives, and may carry risks of quality issues that must be managed carefully.
    – Contingency planning might also point to the merits of inventory buffers to protect against the uncertainties of supply and demand, maintain customer service levels, and prepare for unpredictable events.
  • Don’t rely on government assistance. As you conduct BCM plan reviews and exercises, search for unspoken assumptions about the availability and timeliness of government assistance. It may not be what you expect or need.
  • Plan to relocate employees to a recovery site or assume they will be unable to come to work in the days following a disaster. Some low-wage workers will simply never return, so you need to have a strategy for replacing them.
  • Provide early response to facilitate a faster recovery. When a natural disaster appears imminent, encourage your employees to relocate early, increasing the likelihood they’ll find accommodations as close as possible to the recovery site.
  • Give employees a reason to stay close and help you rebuild. Employees’ first concerns will be their families and homes, so develop and communicate an assistance plan in advance.
  • Make plans in advance for transportation back to the main work site. Air, rail and bus traffic may be compromised for months after the event.
  • Stick to your plan. When disaster strikes, many enterprises fail to follow their continuity plan, often because the plans are too detailed or unfamiliar to the people who actually have to carry them out. Evaluate your BCM plans to ensure that the information is complete, accurate and actionable. Subject-matter experts should be involved in that review.

As you put your BCM plan into place, remember that you don’t operate your business in a vacuum. Even if your physical plant and human resources have been restored to functional status, supporting infrastructure — including sanitation, utilities, mass transit, telecommunications, hotels and restaurants — may not be fully restored for many weeks, even months. Do what you can right now to make sure everyone else’s recovery efforts don’t negatively impact yours.

That’s a few thoughts. Anyone out there have any experience actually implementing a business continuity plan in a difficult recovery situation? Anything else you think should be added to the dialogue? Please share your experiences in the comment section below.

Is Your HIPAA House in Order?

Expect enforcement of the HIPAA Security Rule, part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to increase in 2014. I recommend taking steps right now to ensure that your organization is, and can demonstrate that it is, doing everything the HIPAA Security Rule requires, particularly if – or when, as seems more likely – a government auditor comes calling. Read on, if you’re not convinced.

Recently, the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) published a critical report finding that the Department’s Office for Civil Rights (OCR) was not adequately overseeing and enforcing the HIPAA Security Rule. It found that the OCR has failed to provide for periodic audits, as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Instead, the OCR was following a complaint-driven approach to assessing compliance with the HIPAA Security Rule. The HHS OIG has concluded that level of oversight and enforcement is inadequate to meet federal requirements.


Assessing the Top Priorities for Today’s Internal Audit Functions

Protiviti’s research train keeps on rolling! Today we released the results of our latest Internal Audit Capabilities and Needs Survey. We’ve been conducting research to identify internal audit priorities and trends for eight years and have been very pleased with the response we continue to receive from the market. In looking at the major findings in our 2014 study, I expect this year will be no different. And kudos are due to our survey participants; they are the real “stars,” for without them studies of this nature would not be possible.

Infographic - 2014 Internal Audit Capabilities and Needs Survey

Internal audit functions today must anticipate and respond to a constant stream of new challenges – many of which deliver uncertain and still unfolding risk implications, from emerging technologies and new auditing standards to rapidly evolving business conditions. For example, in nearly every company over the past 12 months, the use of mobile and social media apps has presented new challenges, many of which are still emerging. Organizations’ growing reliance on cloud computing and data, in general, poses similarly complex challenges. Yet, these issues represent only a portion of those crowding internal audit’s 2014 priority list.

Our findings show that:

  • Social media, mobile applications, cloud computing and security (specifically with regard to the NIST Cybersecurity Framework) are critical areas of concern – Social media applications and related risks are top priorities for internal auditors to address, as are risks surrounding mobile applications, cloud computing and security.
  • CAATs and data analysis remain on center stage – As indicated in past years of our study, internal auditors plan to strengthen their knowledge of computer-assisted auditing tools, and continuous auditing and monitoring techniques.
  • Fraud management efforts focus more on technology as well as prevention – Auditors are concentrating more time and attention on fraud prevention and detection in increasingly automated business environments and workplaces.
  • “We have to keep pace with a raft of regulatory, rules-making and standards changes” – The updated COSO Internal Control – Integrated Framework represents a major change for internal audit, with significant implications for many financial, risk management and compliance activities. However, strengthening knowledge of the new COSO framework ranks as a lower priority compared to other critical rules-making changes internal auditors are digesting, including new Standards from The IIA and the new NIST Cybersecurity Framework.
  • Internal auditors want to take their collaboration with business partners to a new level – Internal audit’s longstanding desire to improve collaboration with the rest of the business has intensified, as is evident in the priority that CAEs and respondents place on communicating, and even marketing, the expertise and value that internal audit provides to the rest of the enterprise.

For more information and to download a copy of our full report, visit And I also encourage you to watch our short video:

Today’s IT Organization – Delivering Security, Value and Performance Amid Major Transformation

Today, Protiviti released the results of its 2014 IT Priorities Survey, and in it, there are some remarkable findings. Indeed, if there is one word to describe the state of IT organizations in 2014, it is transformation.

We found that nearly two out of three organizations are undergoing a major IT transformation. Consider the change and disruption this undoubtedly is creating within IT organizations, and it’s understandable to see why – as we found in our survey of more than 1,100 CIOs, IT executives and IT professionals – they have scores of significant priorities and likely are being pulled in multiple directions to address countless critical challenges. To no one’s surprise, these results show that IT is fundamental to executing the strategy of just about any company.

Take a look at our infographic:

Among the other key findings from our IT study:

  • Enhancing and protecting business value – The integration and alignment of IT planning and business strategy represents a paramount priority. In fact, enhancing and protecting the value of the organization – via data security as well as other IT risk management and business continuity capabilities – is top-of-mind not only for IT organizations, but also for their organizations’ boards and executive management teams.
  • All eyes are on security – Massive security breaches continue, with some organizations being questioned by congressional committees in recent months. More than ever before, this has IT departments – as well as boards and executive management – on edge, on notice and, in some cases, testifying under oath. Strengthening privacy and security around the organization’s systems and data is now a top priority across all industries. No organization is immune to this threat.
  • Managing and classifying all that data – As the need for stronger information security intensifies, CIOs and IT professionals are seeking out more effective ways to stratify the importance of the information they have, and organize and secure the growing volume of data they must manage.
  • Strengthening IT asset – and data – management – Companies are seeking to improve their data and information governance programs, a need no doubt driven by the growing use of mobile devices and applications, social media, and the continued integration of cloud computing into IT strategy and processes.
  • More mobile, more social – Mobile commerce management, mobile security and mobile integration remain focal points for IT departments in 2014, even as security-related priorities compete for their time and resources. A similar trend holds for social media, as organizations continue to rely on IT to support their investment in social media activities while improving the integration of these capabilities with other IT assets.

Let me know your thoughts on these IT challenges. And I invite you to visit our survey site at for more information and a free copy of our report.

Cybersecurity Framework: Where Do We Go From Here?

Protiviti just published a Flash Report on the National Institute of Standards and Technology’s (NIST) final version of its Framework for Improving Critical Infrastructure Cybersecurity. I highly recommend that anyone involved in cybersecurity in their organization become familiar with the NIST Framework by reading our report. This framework could end up being the new game in town.

Just over a year ago, President Obama signed an Executive Order calling for increased cybersecurity for the critical infrastructure of the United States. On the anniversary of this Executive Order, NIST issued the final Framework, along with a companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The Framework and Roadmap are the result of a 12-month development process that included the release of multiple versions for public comment and multiple working sessions with the private sector and security stakeholders.

Our Flash Report provides an overview of and observations on the new Framework. You can read it here.

Ethics in Corporate Governance: “Walking the Talk”

If it’s true that you can’t legislate morality – and all evidence supports this hypothesis, including, but certainly not limited to, corporate malfeasance such as the Enron and WorldCom scandals, and the questionable corporate behavior of reckless risk-taking to maximize short-term profits and compensation (under “heads I win, tails you lose” compensation structures that left shareholders holding the short stick) that contributed to the financial crisis – why do companies bother with ethics policies?

I know Section 406 of Sarbanes-Oxley requires publicly traded companies to disclose whether they have ethics policies and whether their executives are bound by them. But Enron had a beautiful 64-page ethics policy, suitable for framing – for all the good it did them. So what’s the big deal?


PreView-ing Today’s Emerging Risks

Cory Gunderson and Jim DeLoach

We want to share a heads up with you regarding a new Protiviti newsletter that we’re very excited about. We’ve just published the first edition of PreView, which will be a quarterly review of emerging risks likely to have a strategic impact on organizations over the long term. Our focus in issuing PreView is on helping organizations ask the right questions rather than provide answers. Therefore, we hope that PreView will prompt thought and dialogue within organizations.

We are big fans of the annual World Economic Forum (WEF) Global Risks Study, which offers far-reaching, long-term perspectives for company executives and policymakers to consider. In PreView, we root our evaluation framework for emerging risks in the annual WEF reporting, which we like because each periodic WEF refresh provides rich, thought-provoking input on the likely megatrends expected over the next 10+ years. It is a great tool for stimulating truly long-term thinking among directors and executives in virtually any industry. Over time, we’re confident that Protiviti’s PreView will offer a useful perspective for board members and C-suite executives, providing yet another source of input as they consider risks that are evolving in the marketplace.

Effective risk management requires companies to understand more about what they don’t know than about what they do know. Emerging risks are those risks that are beginning to surface and could smolder over time before affecting an organization. They are often the result of macro-level changes in the business environment. Left unaddressed over the long term, they can alter the assumptions underlying corporate strategies and could have a long-term impact that directors and executives might regard as “unthinkable” today. Therefore, we see these risks as distinctly different from risks that have already been identified and that are the focal point of current risk management capabilities.

We realize that the implications of emerging risks may not be fully understood at present, even though we know they’re on the radar; hence, comprehensive risk management options to assess, quantify, monitor and develop response plans for them are difficult for organizations to design and implement today. In fact, many emerging risks may warrant a strategic response, meaning monitoring the vital signs in the environment and possibly adjusting the corporate strategy over time.

We hope this PreView newsletter serves as a thought-provoking piece in organizations’ consideration of emerging risks, particularly those risks that may have a direct impact on them, as businesses undertake steps to evolve and adapt progressive risk management practices.

To read the newsletter and to continue the conversation about emerging risks, we invite you to visit our Emerging Risks site ( As you will note, we’re trying to make PreView easy to read, and that means we selected a few risk issues to discuss and kept the discussion crisp rather than list everything we could think of. If you’re familiar with some of these issues, please comment on them here. If you have other issues you think we should explore, please raise them or any questions you have here.

The world is a complex place and our crystal ball is just as foggy as everyone else’s. But we hope to initiate and sustain a dialogue regarding emerging risks through quarterly issues of PreView and periodic entries in this blog over time.