Continuity Around the World, Contribution to the Asia
Continuity Around The Continents
Edited by William Swann
Throughout the world, business continuity professionals speak a common language; namely, protecting an organization's assets is critical to the survivability of that organization. Therefore, you shouldn't be surprised to read that businesses and governments all across the globe wrestle with many of the same issues. However, different regions are dealing with these issues in different ways, and much can be gained by observing their activities. The GUIDE gives you a global perspective on business continuity as we take you around the world in four pages.
Asia
The recent events of SARS (Atypical pneumonia virus) and Bird Flu in Asia continue to create a strong interest and concern among governments and organizations.
In South East Asia, the Bali and JW Marriott's bombings in Indonesia continue to send a message to the community, indicating the emergence of terrorism as the new and impending threat. Asia is expected to brace for more terrorist retaliation on "soft targets." For the first time since the Year 2000 bug, Asia awakens to an increased awareness at the executive (and senior) management level to address the pertinent issues of corporate survivability and business continuity management.
In North Asia, earthquakes in Taiwan and Japan continue to be the major threats. The Japanese government conducted a national emergency planning exercise in August 2003, the first since the last devastating Kobe Earthquake. The tension between the borders of the Korean Peninsula and Taiwan-China Straits will continue to be closely observed.
One major change is that the responsibility for BCM is beginning to move out from the IT organization. According to a survey by KPMG in 2003, 74% surveyed highlighted that BCM is now managed by a corporate function. Most organizations (74% surveyed) continue to have some form of IT disaster recovery plans in place. The shift of mindset from IT recovery to continuity of critical businesses and operation functions has just begun in Asia.
The Asian community, like their American and European counterparts, is driven to business continuity through regulatory requirements. The lack of regulations with regard to business continuity and disaster recovery continues to inhibit organizations from budgeting for corporate-wide business continuity management programs, with the exception of the financial institutions industry, where the central banks across Asia such as Singapore and Hong Kong have issued supervisory policies and guidelines. The financial industry also recognizes the need for regulation and compliance from a global perspective; hence, the incentive to comply with the requirements listed in the Basel II Accord. Countries such as Korea and Japan are beginning to follow. However, it is observed that enforcement of policies is also limited.
The business continuity and disaster recovery market is fairly isolated by local players within the borders of each country, with the exception of international service providers like IBM and Hewlett Packard. Governments in Asia are attracting multinationals to base their processing centers and also their disaster recovery sites in their respective countries. The Singapore government initiated the certification of BC/DR service providers to attract external organizations by easing their selection process with some form of standardization. The Singapore government also recognized the importance of having sufficient human resources to support and ensure the success of such programs. Hence, the Singapore government is supporting relevant courses, like DRI Asia's certification courses for BC and DR certifications, with grants for eligible organizations and individuals who successfully complete the courses.
IDC forecasts the total estimated market size for the region to be US$1.3 billion by 2006, with Australia, Korea, and Singapore accounting for the majority of the regional disaster recovery market. The untapped opportunities are projected to be in markets like India, Philippines, and the People's Republic of China.
- Dr Goh Moh Heng, CBCP, FBCI, executive director, DRI Asia moh_heng@driasia.org
Australia
In February 2004 the Australia Prudential Regulation Authority (APRA) issued their draft guidelines for risk management for superannuation funds and approved deposit funds. These guidelines are intended to supplement the Drafting Instructions - Regulations for Risk Management Strategies and Risk Management Plans issued by the Australian Government on December 11, 2003. The guidelines provide trustees and senior managers of these types of funds with an outline of the requirements to obtain and hold an operating license. APRA has already provided guidance notes to the insurance industry on the management of operational risks, including mandatory business continuity plans. At this stage, the finance and insurance industries are the only areas in Australia with a regulatory requirement for formal risk management programs including BCP. The Business Continuity Institute (BCI) has commenced regular forums for business continuity practitioners in both Sydney and Canberra. These forums are conducted each month at a different location and are aimed at providing a regular networking venue, extending the professional development of members, and encouraging new members. BCI intends to develop similar forums in Brisbane and Melbourne during 2004. The BCI currently has 43 members in Australia, with over 50 percent being located in New South Wales.
At the Special General Meeting of the Australasian Institute of Risk Management (AIRM) and the Association of Risk and Insurance Managers of Australasia Limited (ARIMA) on November 30, 2003, members voted overwhelmingly to unify the two organizations. The new entity will be known as the Risk Management Institution of Australasia Limited (www.airm.org.au) and will formally come into being as soon as the legal proceedings have been finalized. AIRM and ARIMA have much in common, including similar goals and objectives and similar corporate structure. Many individuals were involved in both organizations, and informal discussions have been taking place for some years. Advantages of unification include providing a single focal point for risk management in Australasia, as well as improved educational opportunities, higher profile, and enhanced services through economies of scale.
Other active Australian organizations include Emergency Management Australia (www.ema.gov.au) and Monash University (www.monash.edu.au), which has undergraduate and postgraduate courses in risk management and business continuity.
- Bill Edwards, CPRM, MBCI, principal, Disaster Survival Planning - Australia bill_edwards@bigpond.com
Europe
While terrorism has been high on the U.S. agenda over the past year, it has had much less impact on business continuity activities in UK and European companies. A survey by Synstar, a pan- Europe business continuity provider, found that terrorism features in just 20 percent of European business continuity plans. Instead, business continuity plans are more likely to focus on issues that feel closer to home. Corporate governance and the impact of severe weather were reported to be the two main issues driving companies to update business continuity plans.
SunGard Availability Services recently surveyed businesses across Europe to find out how prepared they would be if disaster should strike and confirmed that, as expected, there are fundamental differences in attitudes to business continuity across the continent. The results showed that, as a whole, businesses in the European Community are reasonably well prepared, with 80 percent of all respondents stating they had business continuity plans in place. However, while 96 percent of UK and Swedish respondents said they had plans in place, closely followed by Germany (84 percent) and Italy (76 percent), France lagged behind with less than half of French respondents (48 percent) saying they had business continuity plans.
The survey found that European boards appear to be taking business continuity more seriously: 84 percent of German respondents said that their boards are now very aware of the need for business continuity; France and Sweden, 72 percent; and the UK, 68 percent. Overall, a third of respondents across Europe said that a board member was now responsible for business continuity. The top reason across all countries for the board taking an interest in business continuity was the realization that they relied heavily on IT to remain in business. This was followed by customers starting to ask for evidence of business continuity programs, compounded by increased industry regulation.
When asked what disaster they most feared, apart from the UK all respondents said "hardware failure." UK businesses seem to have a deep-seated fear of fire, with 36 percent of respondents saying that the company going up in flames was the event that concerned them most.
The UK has been the most active region in terms of implementing business continuity-related legislation. Most recently, The Higgs Report, published in early 2003, put the onus on company directors to take responsibility for risk management within a company. Higgs sets out a code for boardroom reform and calls on nonexecutive directors to satisfy themselves that systems of risk management within a company are robust and effective.
In another recent development, the British House of Commons is currently scrutinizing the government's proposed Civil Contingencies Bill. This bill will replace and update the existing emergency planning bill created in the 1940s and is aimed partly at improving the UK's ability to respond to terrorist attacks. The bill will require local authority emergency planners to put proactive measures in place to provide civil protection, and it also requires critical infrastructure providers to adequately protect their infrastructure from disasters. It will place a duty on local authority emergency planners to develop continuity of operations plans and to ensure that businesses in their local area are aware of the importance of business continuity.
This past year also saw the publication in the UK of Publicly Available Specification 56 Guide to Business Continuity Management (PAS 56), a joint development of the Business Continuity Institute and the British Standards Institution. It provides, for the first time, a semi-official guide to business continuity that allows companies to follow best practices and to benchmark their plans against those of their industry peers. PAS 56 has received some criticism for being too rigid, but nevertheless it constitutes an important step toward the development of a standards-based approach to business continuity management.
- David Honour, publisher, Continuity Central dhonour@continuitycentral.com
Latin America and the Caribbean
CRID: Regional Disaster Information Center The Regional Disaster Information Center (CRID for its Spanish acronym) is an initiative sponsored by six organizations that decided to join efforts to promote the development of a prevention culture in the Latin American and Caribbean countries through the compilation and dissemination of disasterrelated information and to promote cooperative efforts to improve risk management in the region. These organizations are the Pan American Health Organization - Regional Office of the World Health Organization (PAHO/WHO), International Strategy for Disaster Reduction (ISDR/EIRD), Costa Rica National Risk Prevention and Emergency Commission (CNE), International Federation of Red Cross and Red Crescent Societies (IFRC), Coordination Center for Natural Disaster Prevention in Central America (CEPREDENAC), and the Regional Office of Doctors Without Borders (MSF).
The CRID's other objectives are to offer quality information services to a wide range of users in the Latin America and the Caribbean region, strengthen sub-regional (Central America, South America, and the Caribbean), national, and local capacities to establish and maintain disaster information and documentation centers; promote the use of electronic technology for the provision of information services; and contribute to the development of the Regional Disaster Information System.
- Regional Disaster Information Center www.crid.or.cr
United Nations International Strategy for Disaster Reduction (UN/ISDR) The UN has established the International Strategy for Disaster Reduction (ISDR) as a global framework for action with a view to enabling all societies to become resilient to the effects of natural hazards and related technological and environmental disasters in order to reduce human, economic, and social losses.
- www.eird.org
Caribbean Disaster Information Network (CARDIN) CARDIN was established in June 1999 to provide linkages with Caribbean disaster organizations, to widen the scope of the collection of disaster-related information, and to ensure improved access to such material. The project is funded by the European Community Humanitarian Office (ECHO). The Library of the University of the West Indies at Mona has been selected as the focal point for disaster information in the Caribbean.
- CARDIN cardin.uwimona.edu.jm:1104/home.htm
North America
In the United States, business continuity as a practice and as a profession continues to reel from new legislation with farreaching impacts and an ever-growing threat environment. Terrorism, workplace violence, outsourcing, restructuring, compliance, and corporate governance also continue to have significant impacts on the North American business continuity profession.
As in Asia and Europe, the United States has begun to see responsibility for business continuity shift from an information technology base to one with a broader focus. With issues surrounding education, certification, and common interface terminology between the public and private sectors (and within the distinct business sectors that comprise the private sector), the scope of business continuity will continue to be dominant for the foreseeable future.
A recent national symposium on security and competitiveness (Council on Competitiveness and Carnegie Mellon University) found CEOs from some of America's most prominent companies, government officials, labor leaders, and academics calling for a concerted joint effort to simultaneously protect security and safeguard America's economy through best practices and innovation.
According to new research from TowerGroup, cost containment, the shift from strategic to tactical initiatives, and business continuity will continue to lead corporate thinking. These three issues headed the firm's list of the top 10 business issues that will drive investment in management strategies.
Canadian companies are also working harder to build more comprehensive business continuity programs. The SARS breakout in Toronto and the August 2004 power blackout contributed to this greater focus. However, Canada has not felt the same pressure from terrorist threats as the United States. Canadian regulators have yet to increase requirements for business continuity management.
U.S. regulations and legislation, such as Sarbanes Oxley, Gramm-Leach- Bliley, The Patriot Act, Vital Interdiction of Criminal Terrorist Organizations Act, Health Insurance Portability and Accountability Act (HIPAA), NYSE Rule 446, NASD 3510 and 3520, Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Sig-natures, NFPA1600, Personal Inform-ation Protection and Electronic Documents Act (PIPEDA), and a host of legacy legislation with business continuity-related requirements in the areas of health, safety, and environmental compliance will continue to change the infrastructure of the profession and the practice.
- Geary W. Sikich, principal, Logical Management Systems Corp. gsikich@aol.com
- Michael G. W. Smith, principal, Ernst & Young LLP michael.g.smith@ca.ey.com
South Africa
South Africa is an active player in the global business community, has spawned both international companies and brands such as Sasol and de Beers, and has had a good representation locally of international companies.
Accordingly, infrastructure is generally on a par with other First World countries, though not as pervasive, and internationally accepted business trends and rules are the norm. Corporate governance has been a hot boardroom topic for some years, and in 1994 the first King Report on Corporate Governance was released, leading to changes in the way companies act and the way business is conducted. In 2002 this was completely revised, becoming known as King II, and has become a benchmark internationally on sound corporate governance. Relating to business continuity management and risk management, King II makes specific mention of having to conduct annual risk assessments and needing to have business continuity plans that account for worst-case scenarios.
All of the major banks have international operations and are governed in compliance with the Basel Accord. Municipal and central government operations are governed by the Public Finance Management Act, which among other things lays down good corporate governance guidelines. There is also a disaster management initiative driven by central government to coordinate regional resources and responses with the emphasis on public safety. The Business Continuity Institute is represented in South Africa, with about 20 members and fellows.
One of the key issues facing BCM practitioners is a general lack of knowledge of BCM in business. This is slowly changing, but many boards still would not be able to differentiate between a good implementation of a BCP and a poor one, or even understand what a BCP really is. This lack of understanding permeates IT continuity as well. There are some organizations who steadfastly maintain they have a good BCP or ITCP, but the backup system resides in an adjacent building or even the same computer room.
- Allen Smith, Continuity SA, DRI Representative for South Africa allen.smith@continuitysa.co.za