Corporate Governance, Business Continuity Planning, and Disaster Recovery
Introduction
Until recently, corporations had been obliged to protect the interests of shareholders, but not necessarily other stakeholders. Stakeholders of an organization include not just the shareholders, but employees, customers, business partners, and even those living in the neighborhood of or society affected by the activities of the organization.
In light of various corporate scandals (Enron, WorldCom) as well as huge disasters (9/11, the December 2004 tsunami, recent hurricanes such as Katrina and Rita), and the high availability requirements of eCommerce, shareholder interest in corporate governance is increasing, particularly in relationship to business continuity/availability. Corporate governance is the buzzword covering all measures and systems within an organization, aimed at controlling and managing the organization in order to protect stakeholders.
In recent years, corporate governance has taken on increased significance in the U.S. as more and more legislation, regulations, and external standards require organizations to provide proof of control measures to external auditors and assessors. Compliance with these laws, regulations, and standards is a key concern of business continuity planning/disaster recovery (BCP/DR) personnel.
Organizations not only must have disaster recovery plans, but full business continuity plans to ensure that key parts of the organization—not just the IT systems, but also the personnel, functions, and processes—can continue operating in the event of an emergency.
Business continuity plans and disaster recovery plans include the following information:
- Who is responsible for which aspects of the business continuity procedures and plans
- How disasters will be avoided and mitigated
- Which risks have been identified
- How various scenarios will be handled
- How people will be evacuated and to where
- How medical emergencies will be handled
- Alternate site locations and how they will be used
- Communications/notification procedures
- How the business continuity plan will be tested, updated, reviewed, and approved
Many BCP/DR personnel are aware of these requirements, but are not sure how to demonstrate compliance. This article explains how compliance can be ensured, measured, and maintained.