The United States Regulatory Landscape for Business Continuity Management

Transcription

1 The United States Regulatory Landscape for Business Continuity Management Presented by Chloe Demrovsky Director of Global Operations, DRI International Mumbai, India January 17, 2011

2 Agenda The Regulatory Landscape Standards Public Law Because it s good for business - 2 -

3 The Regulatory Landscape

4 Introduction Partnership between the public and private sectors is essential, in part because the private sector owns and operates approximately 85% of the nation's critical infrastructure. -Department of Homeland Security Release -Critical Infrastructure: systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters. (USA Patriot Act of 2001) - 4 -

5 Introduction Since the 1996 Critical Infrastructure Protection initiative, U.S. governmental and industry bodies have steadily increased the level of regulation for business continuity management. While these regulations go beyond the scope of information technology requirements, most call for heavy investment and development in technology and attention to its risks Attention to this matter has been spurred by a number of goals: To protect customers without the means to influence larger organizations continuity processes To safeguard the nation s critical infrastructure and ensure the continuity of critical services To force organizations to establish mature, defined continuity programs To capture best practices and lessons learned from successful recoveries - RIMS Risk Management Magazine, Brian J. Zawada - 5 -

6 Introduction Essentially, there are two specific types of regulations: 1. Standards and requirements that must be met in order to become a member of an organization (eg. ISO). 2. Government regulations imposed on specific industries which must be adhered to in order to do business. These regulations are created to protect the security of citizens, and create national standards of uniformity. Questions How does US regulation impact international supply chain? What about outsourcing partners? Other international partners? - 6 -

7 Pre-9/11 Post-9/11 Consumer Credit Protection Act OMB Circular A-130 FEMA Guidance Document Paperwork Reduction Act ISO (Previously ISO17799) FFIEC BCP Handbook Computer Security Act 12 CFR Part 18 Presidential Decision Directive 67 FDA Guidance on Computerized Systems used in Clinical Trials ANSI/NFPA Standard 1600 Turnbull Report (UK) ANAO Best Practice Guide (Australia) SEC Rule 17 a-4 FEMA FPC 65 CAR JHACO Sarbanes-Oxley Act of 2002 HIPAA, Final Security Rule FFIEC BCP Handbook -2003/ 2008 Fair Credit Reporting Act NASD Rule 3510 NERC Security Guidelines FERC Security Standards NAIC Standard on BCP NIST Contingency Planning Guide FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System NYSE Rule 446 California SB 1386 Australia Standards BCM Handbook GAO Potential Terrorist Attacks Guideline Federal and Legislative BC Requirements for IRS Basel Capital Accord MAS Proposed BCP Guidelines (Singapore) NFA Compliance Rule 2-38 FSA Handbook (UK) BCI Standard, PAS 56 (UK) Civil Contingencies Bill (UK) 2002 Safety Act FCD-1/2 NYS Circular Letter 7 ASIS State of NY FIRM White Paper on CP NISCC Good Practices (Telecomm) Australian Prudential Standard on BCM HB221 HB292 BS25999 SS507 SS540 TR19 CA Z1600 ISO/PAS HITECH Act of 2009 DRI Title IX

8 BCP for Financial Institutions Federal Financial Institutions Examination Council (FFIEC) BCP Handbook (2003) Business continuity planning is about maintaining, resuming, and recovering the business, it s not just the recovery of the technology. The planning process should be conducted on an enterprise-wide basis. A thorough business impact analysis and risk assessment are the foundation of an effective BCP. The effectiveness of a BCP can only be validated through testing or practical application. The BCP and test results should be subjected to an independent audit and reviewed by the board of directors. A BCP should be periodically updated to reflect and respond to changes in the financial institution or its service provider(s)

9 BCP for Financial Institutions National Association of Securities Dealers: NASD Rule 3510 (2004) Rule 3510 will require a business continuity plan that addresses, at a minimum: (1) Data back-up and recovery (hard copy and electronic); (2) All mission critical systems; (3) Financial and operational assessments; (4) Alternate communications between the member and its customers; (5) Alternate communications between the member and its employees; (6) Alternate physical location of employees; (7) Critical business constituent, bank, and counter-party impact; (8) Regulatory reporting; (9) Communications with regulators; All mission critical systems; Each member s plan must identify procedures relating to an emergency or significant business disruption that are reasonably designed to enable the member to meet its existing obligations to customers

10 BCP for Financial Institutions NYSE Rule 446: Business Continuity & Contingency Plans (2002) (a) Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or significant business disruption. Members and member organizations must make such plan available to the Exchange upon request. (b) Members and member organizations must conduct a yearly review of their business continuity and contingency plan to determine whether any modifications are necessary in light of changes to the member's or member organization's operations, structure, business or location. National Association of Insurance Commissioners (NAIC); (2002) For cross-sectoral international issues, the NAIC makes a valuable contribution to the work of the Joint Forum, which is a group that brings together banking, securities, and insurance regulators from many countries to evaluate and address cross-sectoral regulatory issues. Some key areas of the Joint Forum's work are the review of the regulatory and market differences across sectors; credit risk transfer; highlevel principles regarding outsourcing and business continuity; and the funding of liquidity risk. Many of these issues have the potential to affect financial stability and are of interest not only to the supervisors but to our central bank and finance ministry members. - Vice Chairman Roger W. Ferguson, Jr. National Futures Association Compliance Rule 2-38 (2003) (a) Each Member must establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant business disruption. The plan shall be reasonably designed to enable the Member to continue operating, to reestablish operations, or to transfer its business to another Member with minimal disruption to its customers, other Members, and the commodity futures markets

11 BCP for Financial Institutions Electronic Funds Transfer Act - FDIC 6500: Consumer Protection (1968) 908. Error resolution (c): If a financial institution receives notice of an error in the manner and within the time period specified in subsection (a), it may, in lieu of the requirements of subsections (a) and (b), within ten business days after receiving such notice provisionally recredit the consumer's account for the amount alleged to be in error, subject to section 909, including interest where applicable, pending the conclusion of its investigation and its determination of whether an error has occurred. Such investigation shall be concluded not later than forty-five days after receipt of notice of the error. During the pendency of the investigation, the consumer shall have full use of the funds provisionally recredited. This required the establishment of contingency plans to meet the standard of reasonable standard of care (the care that a reasonable man would exercise under the circumstances; the standard for determining legal duty.) Dodd-Frank Wall Street Reform and Consumer Protection Act (2010) (ii) establish and maintain emergency procedures, backup facilities, and a plan for disaster recovery that allows for (I) the timely recovery and resumption of operations of the derivatives clearing organization; and (II) the fulfillment of each obligation and responsibility of the derivatives clearing organization; and (iii) periodically conduct tests to verify that the backup resources of the derivatives clearing organization are sufficient to ensure daily processing, clearing, and settlement

12 BCP for Financial Institutions Basel Committee s Capital Accords and Sound Practices for the Management and Supervision of Operational Risk (2003) Business Resiliency and Continuity: Banks should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption. Principle 10 in Sound Practices for Management and Supervision of Operational Risk BASEL II, BASEL Committee on Banking Supervision 2003 Requires that banks put in place BC?DR plans to ensure continuous operations and limit losses Best Practice Standard

13 BCP for Financial Institutions Expedited Funds Availability (EFA) Act, 1989 Federally chartered financial institutions must have demonstrable business continuity plans To ensure prompt availability of funds Gramm-Leach-Bliley Act 1999 Institutions are required to implement a written information security program that includes: admin., tech., and physical safeguards Requirements related to Business Continuity plan GAO/IMTEC Financial Markets: Computer Security Controls Outlines the need for risk assessments, data back-up procedures, Business Continuity operations, and security of U.S. Stock Exchanges Guidelines for stock markets

14 FINRA (Financial Industry Regulatory Authority) FINRA 4370 (Adopted 2004, Revised 2009) (c) The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan, however, must at a minimum, address: 1) Data back-up and recovery (hard copy and electronic); 2) All mission critical systems; 3) Financial and operational assessments; 4) Alternate communications between customers and the member; 5) Alternate communications between the member and its employees; 6) Alternate physical location of employees; 7) Critical business constituent, bank, and counter-party impact; 8) Regulatory reporting; 9) Communications with regulators; and 10) How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business

15 All Industries IRS Procedure Requires off-site protection and documentation of computer records of tax information Records must be available in the event that the primary facility is subjected to unplanned outage Consumer Credit Protection Act (CCPA) Section 2001 Title 1X Due diligence for availability of data in Electronic Funds Transfers including Point of Sale Foreign Corrupt Practices Act 1977 Publicly held corporations must provide reasonable protection for IT systems Holds management accountable

16 Cross-Industry BCP Standards Sarbanes-Oxley Act of 2002 SEC MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS. (a) RULES REQUIRED. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (b) INTERNAL CONTROL EVALUATION AND REPORTING. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement. IS THERE BCP IN SARBANES-OXLEY?

17 Is There BCP in Sarbanes-Oxley? NO PCAOB (Public Company Accounting Oversight Board) Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting."

18 Is There BCP in Sarbanes-Oxley? YES Practitioners Issuers must disclose information on material changes in financial condition on a regular basis Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls Potential for data loss (ability to identify and rebuild lost transactions and source documentation) Vital records creation Potential Repercussions: Non-complying organizations may receive qualified opinions on their internal controls from their external auditors. If IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinion

19 Not Just IT FFIEC (Revised: March 2008) Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology. The planning process should be conducted on an enterprise-wide basis. Monetary Authority of Singapore (June 2003) Business Continuity Management ( BCM ) is an over-arching framework that aims to minimize the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology ( IT ) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations. Australian Prudential Standard APS 232 (April 2005) Business continuity management (BCM) describes a whole of business approach to ensure critical business functions can be maintained, or restored in a timely fashion

20 Are They A Client? FFIEC Appendix E: Interdependencies (1997) THIRD-PARTY PROVIDERS, KEY SUPPLIERS, AND BUSINESS PARTNERS Outsourcing information, transaction processing, and settlement activities Institutions should review and understand service providers' BCPs and ensure critical services can be restored within acceptable timeframes based upon the needs of the institution If possible the institution should consider participating in their provider s testing process. HOW FAR DOES THIS EXTEND?

21 BCP Standards for the Energy Industry Federal Electric Reliability Council s (FERC) Security Standards for Electric Market Participants (July 2002) Business Continuity: Every participant operating a critical electric resource shall have contingency plans that define roles, responsibilities and actions for protecting the rest of the electric grid and market from the failure of its own critical resources. Those plans should further define the roles, responsibilities and actions needed to quickly recover or reestablish electric grid and market functions, processes and systems, in the event that a critical physical or cyber resource fails or suffers harm or attack. Such plans shall be tested or exercised regularly. As we are all very aware, every day the electricity system manages myriad demands and challenges, including maintaining adequate levels of frequency response so that service to consumers is not interrupted. - Chairman Jon Wellinghoff North American Electric Reliability Council s (NERC) Security Guidelines for the Electricity Sector (June 2002) Continuity of Business Processes: Reduces the likelihood of prolonged interruptions and enhances prompt resumption of operations when interruptions occur. Consider flexible plans that address key areas such as telecommunications, information technology, customer service centers, facilities security, operations, generation, power delivery, customer remittance and payroll processes. It is useful to revise and test plans on a regular basis. It also is advisable to train personnel so they fully understand their roles with respect to the plans

22 BCP Standards for the Healthcare/Life Science Industries Food & Drug Administration Increasing accountability requirements GxP: Good Manufacturing Laboratory Clinical Practices FDA Guidance on Computerized Systems in Clinical Trials IX. SYSTEM CONTROLS B. Contingency Plans: Written procedures should describe contingency plans for continuing the study by alternate means in the event of failure of the computerized system. C. Backup and Recovery of Electronic Records: Backup and recovery procedures should be clearly outlined in the SOPs (Standard Operating Procedures) and be sufficient to protect against data loss. Records should be backed up regularly in a way that would prevent a catastrophic loss and ensure the quality and integrity of the data

23 BCP Standards for the Healthcare/Life Science Industries HITECH Act of 2009: More Reporting of Breaches, More Oversight Amended section 1176(b) of the Act by: Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation Health Insurance Portability and Accountability Act of 1996 (HIPAA), Final Security Rule: 7. Contingency Plan ( (a)(7)(i)): We would require a contingency plan to be in effect for responding to system emergencies. The organization would be required to perform periodic backups of data, have available critical facilities for continuing operations in the event of an emergency, and have disaster recovery procedures in place

24 HIPAA BCP REQUIREMENTS HIPAA Citation HIPAA Security Rule Standard Implementation Specification ADMINISTRATIVE SAFEGUARDS Is it enough? Implementation (a)(7)(i) Contingency Plan (a)(7)(ii)(A) Data Backup Plan Required (a)(7)(ii)(B) Disaster Recovery Plan Required (a)(7)(ii)(C) Emergency Mode Operation Plan Required (a)(7)(ii)(D) Testing and Revision Procedures Addressable (a)(7)(ii)(E) Applications and Data Criticality Analysis Addressable PHYSICAL SAFEGUARDS (a)(1) Facility Access Controls (a)(2)(i) Contingency Operations Addressable (d)(1) Device and Media Controls (d)(2)(iv) Data Backup and Storage Addressable TECHNICAL SAFEGUARDS (a)(1) Access Control (a)(2)(ii) Emergency Access Procedure Required State privacy laws are NOT preempted by federal privacy rules, unless there is a direct conflict If state law is more stringent, or covers an area not covered by federal rules, state law controls

25 Are They A Client? HIPAA Business Associate (aka Chain of Trust) The business associate must 1) implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity; 2) ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards. Implications for international partners?

26 Standards

27 Standards National Fire Protection Agency (NFPA 1600) Standard on Disaster/Emergency Management Uniform Commercial Code Preparing for foreseeable business disruption National Institute of Standards and Technology (NIST) Contingency Planning Guide for Information Technology Systems Requires electronic data to be available during a crisis Requires BC/DR and COOP plans Mandatory security controls that have specific requirements for continuity planning and testing IT Governance Institute Standards COBIT Control objectives for information and related technology

28 ISO Standards and Business Continuity ISO/TS Applicable to any supplier to automotive original equipment manufacturer Section Contingency Plans The organization shall prepare contingency plans to satisfy customer requirements in the event of an emergency such as a utility interruptions, labor shortages, key equipment failure, and field returns. ISO (Previously Designated (ISO17799) Deals with Information Security 11 BUSINESS CONTINUITY MANAGEMENT 11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT Business continuity management process Business continuity and impact analysis Writing and implementing continuity plans Business continuity planning framework Testing, maintaining and re-assessing business continuity plans ISO 9001, Quality Management Record Retention and Data Availability ISO 14001, Environmental Management Emergency Preparedness and Response ISO/PAS Societal Security: Guideline for incident preparedness and operational continuity management

29 BS Part 1 is an extension of PAS56 Guidance Prescriptive Not Performance Based Part 2 Certification Body Specification Auditable Create Ability to Demonstrate Compliance Stage 1 Audit Initial Assessment Desktop Review Successful Completion Required Before Moving To Stage 2 Stage 2 -Conformance Audit - Certification Audit Demonstrate Implementation Failure Requires Corrective Action Plan, Which Must be Agreed Upon Completion of Stage 1 & 2 Allows for Application to BS Certification Manager for Certification Surveillance Audits

30 Singapore The Model for the Future? SS 540 Revision to TR19 (PDCA Plan Do Check Act) New BCM Framework Standard for Business Continuity / Disaster Recovery Service Providers (SS507) - Singapore is the first country in the world to introduce a Standard and Certification program for BC/DR service providers. Developed by the Infocomm Development Authority of Singapore and the IT Standards Committee (ITSC), the Standard specifies the stringent requirements for BC/DR service providers. These requirements benchmark against the top practices in the region and stipulate the operating, monitoring and up-keeping of BC/DR services offered. TR19 Technical Reference 19 - aims to help Singapore based enterprises build competence, capacity, resilience and readiness to respond to and recover from events that threaten to disrupt normal business operations. PROPOSED BUSINESS CONTINUITY MANAGEMENT REQUIREMENTS FOR SGX MEMBERS May

31 Legal Standards Liability of Corporations Liability of Corporate Executives Liability to Outside Parties Standard of Negligence Standard of Care: Prudent Man Doctrine Exercise same care in managing company affairs as in managing own affairs. Informed Business Judgment v. Gross Negligence

32 Case Law Legal Precedence Blake v. Woodford Bank & Trust Co. (1977) Foreseeable workload failure to prepare Sun Cattle Company, Inc. vs. Miners Bank (1974) Computer System Failure Foreseeable Computer Failure Uniform Commercial Code Preparing for foreseeable business disruption

33 Meeting the Standards US v. Carroll Towing Co. (1947) Probability of Harm (P): the chance that a damaging event will occur Magnitude of Harm (M): the amount of financial damage that would occur should a disaster happen Cost of Prevention (C): the price of putting in place a means of preventing the disaster s effects P * M = C

34 Negligent Failure To Plan/Prepare Liability Pandemics Canadian Nurses who contracted SARS file suit stating that the Government was Negligent in not preparing for the second wave of the disease after the first wave was identified (2003). Munich Re: American Bar Association

35 PUBLIC LAW IMPLEMENTING RECOMMENDATIONS OF THE 9/11 COMMISSION ACT OF 2007 TITLE IX

36 Title IX a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification. b. The program will be voluntary. c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others. d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs. e. One or more preparedness standards can be designated. NFPA 1600 is reference by example. f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated. g. Special consideration will be made for small business. h. Proprietary and confidential information is to be protected

37 Defining The Standard Process Used By Sloan Interdisciplinary Team Representatives of: ASIS, DRI International, NFPA, RIMS Review Existing Regulations FFIEC, NYSE, SEC, NASD NERC HIPAA Provide Credit for Work Already Done Reduce Start From Scratch Opposition Create Core Elements for Standard Core elements are those basic components that, when implemented within an organization s unique governance and culture, provide the underlying framework to enable the organization to sustain itself in spite of a disruptive event (i.e., the common set of criteria for preparedness, disaster management, emergency management, and business continuity programs..." called for under the law.)

38 Process For Implementation of Title IX 1. DHS will designate one or more organizations to act as the accrediting body, and oversee the certification process, and to accredit qualified third parties to carry out the certification program. 2. DHS will separately designate one or more standards for assessing private sector preparedness. 3. DHS will provide information and promote the business case for voluntary compliance with preparedness standards. 4. DHS will monitor the effectiveness program on an on-going basis

39 Gaining Accreditation ANSI-ANAB

40 Gaining Accreditation ANSI-ANAB DHS

41 9/11 Commission Report July 2004 Recommendation: We endorse the American National Standards Institute s recommended standard for private preparedness. We were encouraged by Secretary Tom Ridge s praise of the standard, and urge the Department of Homeland Security to promote its adoption. We also encourage the insurance and credit-rating industries to look closely at a company s compliance with the ANSI standard in assessing its insurability and creditworthiness. We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. Private-sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world

42 Title IX (PS-Prep) a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification. b. The program will be voluntary. c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others. d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs. e. One or more preparedness standards can be designated. NFPA 1600 is reference by example. f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated. g. Special consideration will be made for small business. h. Proprietary and confidential information is to be protected

43 Certification Risk/Reward Rewards May Satisfy Customer Inquiries Create Uniformity No Insurance/Rating Advantage Risks Discoverable (Corrective Action Plan) May Not Provide Legal Protection Judge and Jury Decision No Known NFPA1600 Defense Quality of Auditors Potential Conflict Financial Operational Audit Corporate Governance Regulation Expensive Will it meet customer requirements?

44 Regulations Created by Government/Industry Regulatory Bodies Punitive Fines Shutdown Subject to (Operational/Financial) Audit Annually Audit Conducted by Third Party Results are Board Issues May Create Vendor Requirements FFIEC HIPAA

45 Standards Voluntary Non-Punitive Auditable Through First, Second or Third Parties State of Flux

46 Because it s good for business

47 Combining Disciplines Business Continuity (Relocation) Disaster Recovery (IT Recovery and Continuity) More Integrated Solution Emergency Response Crisis Management Under The Banner of Business Continuity Management

48 The Increase in Supply Chain Concerns Nokia vs. Ericsson -- March 17, 2000 Pre Fire Ranking Nokia (32%) Motorola (22%) Ericsson (12%) 10 Minute Fire in Albuquerque Philips Microchip Plant Post Fire Ranking Nokia shipments grew by 10.5 percent over the previous year, to 140 million units. Motorola shipments dropped by 1.7 percent to 59 million units. Siemens shipments grew by 10.2 percent to 30 million units. Samsung shipments grew by 36.8 percent to 28 million units. Ericsson shipments dropped by 35 percent to 27 million units. On July 20, 2000, Ericsson reported that the fire and component shortages had caused a second-quarter operating loss of $200 million in its mobile phone division. Total loss $400 million

49 Why Nokia Gained and Ericsson Lost Preparation - Nokia Considered solutions before event occurred Understood the need Implemented recovery at other Philips plants Wishful Thinking - Ericsson Believed early reports of little damage and interruption Smart people will find a solution

50 Better BCM Means More Reliable Suppliers Once Burned. Business Interruption and Recovery Plan Supplier will provide Motorola with a detailed, written business interruption and recovery plan, including business impact and risk assessment, crisis management, information technology disaster recovery, and business continuity. Supplier will update the plan annually. Supplier will notify Motorola in writing within twenty-four (24) hours of any activation of the plan. -Motorola Corp 2002 About 50% of businesses that suffer from a major disaster without a disaster recovery plan in place, never re-open for business. American Management Association

51 Questions Thank You Statements concerning legal matters should be understood to be general observations based solely on our experience as risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified legal advisors in these areas