www.directorsandboards.com
Boardroom Briefing
A publication of Directors & Boards magazine
With the support of Heidrick
Conducting a Business Continuity Plan Audit
12 Questions Every Director Should Ask About Workplace Safety
Business
Continuity
Legal Counsel
Spring 2006
Boardroom Briefing, Vol. 3, No. 1
A publication of Directors & Boards magazine
David Shaw, GRID Media LLC, Editor & Publisher
Scott Chase, GRID Media LLC, Advertising & Marketing Director
Directors & Boards
James Kristie, Editor & Associate Publisher
Lisa M. Cody, Chief Financial Officer
Barbara Wenger, Subscriptions/Circulation
Jerri Smith, Reprints/List Rentals
Robert H. Rock, President
Art Direction: Lise Holliker Dykes, LHDesign
Directors & Boards
1845 Walnut Street, Suite 900
Philadelphia, PA 19103
(215) 567-3200
www.directorsandboards.com
Boardroom Briefing: Business Continuity and Disaster Recovery is copyright 2006 by MLR Holdings LLC. All rights reserved. POSTMASTER: Send address changes to 1845 Walnut Street, Suite 900, Philadelphia, PA 19103. No portion of this publication may be reproduced in any form whatsoever without prior written permission from the publisher. Created and produced by GRID Media LLC (www.gridmediallc.com).
What you don't know or fail to anticipate can land you square in your own boardroom ground zero.
James Kristie
What is the role of a board of directors? There are a lot of ways to answer that question, but you can't go wrong with this classic response: To ensure the continuity of the enterprise.
Management at all levels needs to understand how to act during and, especially, after a crisis.
Dee Soder
Ask anyone who has experienced a crisis and they'll tell you what counts is the way the people in charge acted. Leadership behavior is an essential element of business recovery.
Communicate, communicate, communicate
Good communication strategies consider people's emotions and attitudes. Messages should be simple, clear, consistent, and tailored to the audience. Repeat messages: people often don't hear it the first or second time. Be readily accessible, provide support and stay on message. Consider media
Remember that style counts
Directors and management at all levels should project calm and
There are no generally accepted principles with which to analyze business continuity.
Ted Brown
In a recent survey, 37 percent of chief financial officers perceived their firms to be most vulnerable in the area of disaster preparedness and recovery.
Are company personnel aware of, and familiar with, the business continuity plan?
Did they have input into the development of the plan?
Do they understand their obligations in the event the plan is invoked?
Are they comfortable with their level of training and preparation?
Do they have any reservations regarding the plan's viability?
With terrorist threats increasingly frequent and well-publicized, directors and officers will have a hard
time claiming that corporate risk management did not need to include emergency preparedness.
Joe D. Whitley
On a Sunday afternoon in August 2004, Homeland Security Secretary Tom Ridge held a press conference to announce that the alert level on the Homeland Security Advisory System had been raised to orange, the second highest level. Unusually specific information from reliable sources, confirmed by multiple intelligence streams, suggested that terrorists were plotting a strike against financial centers in New York City, northern New Jersey, and Washington D.C. Wall Street increased security to unprecedented levels, leaving some to wonder if the police outnumbered the floor traders. Similar measures were taken in Washington, a city already bristling with barriers and patrols.
For companies and executives who are in the bull's-eye of the terrorist threat, the warning brought home the importance of security and business continuity planning for financial markets. For America's premier financial service providers, the members of the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD), business continuity (BC) is no longer an option or just the domain of the corporate security department. It is a critical component of corporate governance and market stability.
As an aside, natural disasters like Katrina and Rita present very similar concerns to corporations and businesses.
Regulatory reporting
Communications with regulators
A plan to assure customers prompt access to their funds and securities in the event that the member determines that it is unable to continue its business elements.
Members of the NYSE and NASD must also publicly disclose the general configuration of their business continuity plan. Pursuant to its statutory authority, the Securities and Exchange Commission approved the NYSE's and the NASD's business continuity rules on April 7, 2004.
At least in concept, forcing business continuity into the open serves as a de facto incentive to take the rules, and homeland security preparedness, seriously. There is an implicit reliance on market forces: it is assumed that if the public can compare business continuity plans, rational consumers will prefer to do business with those members whose plans are the strongest. Equally rational business leaders, in an attempt to capture competitive advantage, will establish robust plans. Considering that e-commerce
Securities and Exchange Act Release No. 34-49537 (April 7, 2004), 69 FR 19586. April 13, 2004. See also NYSE Information Memo 04-24 as well as NASD Notice to members 04-37. May 2004
Private-Sector Responsibility
The business continuity initiatives in the financial services sector highlight a significant issue for other business sectors: Even in the absence of regulation or statute, should corporations implement a business continuity plan as a matter of sensible corporate governance and sound policy? The answer clearly is yes.
The federal government, and particularly the Department of Homeland Security, needs industry's participation and support to make the country secure. The owners and operators of obvious targets (power plants, chemical facilities, telecommunication centers) have been tightening their defenses and have developed (or contracted for) business continuity plans.
Yet, with finite budgets and only a transient sense of threat, most corporations have not initiated business continuity planning for the post-9/11 era: robust, tested, enterprise-wide programs that protect facilities, people, and which would permit the rapid resumption of business if an attack occurred.
Many companies still don't quite get it: business continuity is a strategic investment, and its dividends will be evident during an attack, and economically and legally, in the aftermath of a terrorist event. For example, when a cascading grid failure left tens of millions of people in the U.S. and Canada without electrical power in August 2003, corporations without business
Peter M. Gillon
Brian G. Friel
9/11, and the recent devastation inflicted by Hurricanes Katrina and Wilma, have forced companies across the United States to take a hard look at how they manage the risk of disaster, both man-made and natural. Of all the tools available to manage catastrophic risk, none is more important than property insurance. This is the one risk management tool that can ensure the survival of a corporation following the devastating effects of a terrorist attack, hurricane, earthquake, tornado, or fire. Unfortunately, the number of coverage disputes and unpaid claims related to September 11 and the recent hurricanes losses suggests that companies too often overlook or simply fail to understand the critical details of their property insurance programs.
Far too often companies wait until after
a disaster strikes to determine what
they need to do to adequately prepare,
evaluate and present their claims to
their insurers. When disasters like
September 11 or Hurricane Katrina
hit, many companies find themselves
playing catch-up and lose valuable
time in adjusting their claims as a result.
More than 30% of all businesses that close
down following a disaster never re-open again. ALFA
Insurance, Can Your Business Survive a Natural Disaster?
http://www.alfains.com/business.
How important is business continuity planning/disaster recovery to your company?
[Chart. Responses: Extremely important, Important, Somewhat important, Not important. Values: 52.8%, 27.8%, 16.0%, 3.5%.]
Revenues
Less than $250 million: 57.1%
$251 million-$500 million: 9.8%
$501 million to $999 million: 8%
$1 billion to $10 billion: 19.6%
More than $10 billion: 5.5%
Average revenues: $2.773 billion
Board Service
Public Company: 1.21
Private Company: 1.53
Charitable: 1.59
Total: 4.33
No: 28.1%
In process of creating: 23.3%
Yes, plan in place for less than a year: 11%
Yes, plan in place for more than a year: 36.3%
Other: 1.4%
No: 37.9%
In process of creating: 21.4%
Yes, plan in place for less than a year: 11.7%
Yes, plan in place for more than a year: 26.9%
Other: 2.1%
[Survey charts. Response scales: No / Does not apply; Excellent / Good / Fair / Poor / Other; Minutes / Hours / Days / Months / Other; Yes / No / Don't know; Very effectively / Somewhat effectively / Not very effectively / Not at all / Other.]
Board Responsibility in Business Continuity/Disaster Recovery Planning
What, in your opinion, is your board's responsibility in business continuity, crisis management and disaster recovery planning?
The board should take primary responsibility, directing management: 15.9%
Management should take primary responsibility, advising the board: 79%
Other: 5.1%
(Other answers included: It will depend on the nature of the disaster. Management should take primary responsibility with the board having the responsibility to ensure that this is done. It should be a collaborative effort.)
[Survey charts. Response scales: Yes / No / Other / Not applicable.]
As needed: 21.6%
Every meeting: 0.7%
At least once per year: 36%
Less often than once per year: 20.9%
It's never been on the agenda: 14.4%
Other: 6.5%
(Other answers included: Never was included. Formally, twice a year. In connection with strategic plan reviews.)
Thinking about the year ahead, rate how likely it is that each of the following events would occur and have an impact on your company's business operations.
We budgeted more on business continuity programs: 18.3%
We budgeted less on business continuity programs: 9.2%
We budgeted approximately the same amount: 23.7%
We do not budget for business continuity programs: 43.5%
Other: 5.3%
[Survey charts. Response scales: None / 6-10 / More than 10 / It's part of some people's full time jobs; Non-existent / Poor / Fair / Good / Excellent / Other.]
Overseeing BCP:
Just One More Reason to Consider CIOs as Directors
By Jory J. Marino and Michael C. Nieset
To meet this complex new responsibility, boards should consider a relatively new kind of board member: a current or former CIO
While spectacular corporate meltdowns were leading to Sarbanes-Oxley, a series of other cataclysms dramatically emphasized the risk of business disruption, and put business continuity planning on the front burner for boards. Y2K, though it proved to be less than met the eye, first sounded the alarm, followed shortly by 9/11, which highlighted the vulnerability not only of computer networks but also of phone, power and transportation systems. A literal meltdown with the power outage of August 2003 renewed fears about the stability of the electrical grid. Continued globalization exposed companies to more risks in more places, while political instability, including war in the Middle East, turned many risks into reality. Hurricane Katrina is only the latest and surely not the last of these cataclysms.
Following these upheavals, an increase at the global, country and state levels in regulatory
Finding the Right CIO Candidate
In our experience, CIO director-candidates with the breadth of business and technology understanding that are required to make a real contribution to board deliberations are most likely to come from large companies, like the Fortune 250. In these global, complex organizations the role of the CIO has evolved into a position that today combines traditional technology responsibilities with the general management responsibilities of a COO. These CIOs may negotiate deals on behalf of the company with a variety of third parties and outsourcing organizations or they may create a captive outsourcing organization. To perform successfully these CIOs must be able to integrate their mastery of technology, understanding of business processes, and thorough knowledge of the business and industry into a comprehensive vision of the company and execute against it. In the largest companies they will often know more about the company's business operations than business line managers or even the CEO.
Not surprisingly, many CIOs have come up through the technology ranks and then stepped into
Addressed operational and business risk across the many vulnerabilities in a complex, global organization
Moved up in a progressively responsible CIO career and later stepped into a full general management role, or moved from general management to absorb technology responsibilities
Presided over an operation as it globalized its business and customer base and addressed the impacts of sourcing and offshoring
Delivered significant business value
Such candidates not only have a broad perspective on business, they can also broaden the perspective of boards at a time when effective oversight and risk management require a comprehensive, integrated understanding of business and information technology. Such directors may not only help ensure business continuity following disasters but also, contrary to narrow perceptions of CIOs, help avert business disasters.
Jory Marino is managing partner of Heidrick & Struggles' Global CIO practice and New York-Park Avenue office. Michael Nieset is a senior partner of Heidrick & Struggles' Technology and Board of Directors practices. The authors can be contacted at jmarino@heidrick.com, mnieset@heidrick.com or by phone at 312.496.1345.
The health and safety of the worker underpins the ability of any company to claim excellence in its
dealings with customers, employees, investors, and the public.
Tom Krause
John Balkcom
The globalization of terror, the fear of potential pandemics, and the public's concerns over corporate misconduct have brought new gravitas to the question of safety and health in every workplace. To some, worker safety may seem a mundane issue in an increasingly knowledge-intensive economy. But in our experience, the health and safety of the worker underpins the ability of any company to claim excellence in its dealings with customers, employees, investors, and the public.
Virtually every
event that results
in a workplace
injury or illness is
preceded by lower
level decisions
and outcomes
that increase the
likelihood of failure
in safety.
tip of an iceberg undergirded by an
architecture of behaviors, practices
and outcomes that made the greater
loss predictable. Leading indicators
of lower-level safety decisions reveal
the organizational culture that gives
rise to the costly failure. Directors
should ask what leading indicators
are predictive for their organization,
including measures related to
organizational culture and safety
climate. Then they should ask what
is being done to move those leading
indicators, how they are changing
over time, and what the readings
were before the most recent major
safety failure.
Attention to safety
in all its dimensions,
including exposures
or risk and not just
recordable injuries,
starts at the top.
decade a new X factor, such as a potential flu pandemic, seems to come into play, threatening the optimization of a company's human resources. Even the threat of terrorist attacks takes its toll on a company's effectiveness as workers avoid the workplace or are less attentive to work.
In many companies injuries and illnesses that originate during off-duty hours exceed the total cost of on-the-job injuries or illnesses. Directors should be asking how the company is addressing these safety and health exposures. Is it advocating safe driving and seatbelt usage, as well as safe practices around home improvement jobs or other activities that may cause its workers to miss work or be less attentive while there, and increase health care costs? In our experience, the frequency and severity of off-the-job injuries or illnesses goes down as the organization's safety climate and organizational culture improves.
Today, the Avian Flu, HIV/AIDS, and threats of terrorist attacks may be seemingly uncontrollable risks for global firms. Terrorism is now a global threat designed in part to disrupt normal business and economic activity. In the past, outbreaks of Legionnaires' Disease in the US, and globally, smallpox and malaria, have posed difficult problems and placed stress on the organization. Directors should be asking what anticipatory planning is
One of the biggest disasters that can affect any business is a disability affecting the CEO.
Daniel Fairley
David A. Bjork
No one had even thought about the possibility of partial disability when they developed a succession plan for the CEO. So when CEO Andy Brody recovered from a stroke but didn't hit his stride again, the board needed to figure out what to do. It wasn't clear that Andy was disabled, so he probably couldn't qualify for disability insurance. And the opportunity for an important joint venture meant that the board needed to step into the breach. While it didn't work out quite the way it was meant to when the plan was developed, a good succession plan helped.
Western HealthCare was a $1 billion business, with the lives of thousands of patients and the livelihoods of 5,000 employees and 800 physicians at stake. The crisis came at a difficult time for one of the biggest health systems in the West.
The 55-year-old CEO of Western HealthCare didn't seem focused on
Difficult Decisions
There was a succession plan in place,
but the board was having difficulty
making a decision. The plan called
for naming 42-year-old COO Sue
Jensen the interim CEO, at least, if
not actually giving her the job on a
Transition Time
The board settled on a combination of the last three. It asked Sue to take on much of the CEO's leadership responsibility; several directors agreed
Retention Issues
Because Sue had already been managing all operations and was deeply involved in maintaining relationships with the medical school and the medical staff, she was ready and able to take on additional leadership responsibilities and managed to keep everything on a steady keel during the time between Andy's departure and the new CEO's arrival. At the same time, directors kept negotiations with the medical school and the multi-specialty group moving ahead, and Sue handled negotiations with the cardiologists.
The new CEO, David Gonzalez, finally arrived 12 months later, 18 months after this transition process began, and 24 months after the stroke that set it all in motion. Sue stayed another six months, until the retention agreement was fulfilled, when she left for another CEO position.
It took an additional 12 months to work out the deal with the medical school, and six more with the multi-specialty group, but the agreement with the cardiologists was settled more quickly. The leaders of the board had to stay involved in the negotiations with the medical school to maintain continuity, but also because the new CEO hadn't yet had time to develop credibility with the dean and faculty.
Because Sue managed to keep the business running smoothly over the 30-month period, the crisis precipitated by Andy's stroke did not cause any serious disruptions. Because directors were willing to devote the time needed to negotiate the details of the agreements with its most important partners, they managed to move the hospital into a stronger position. And because the board was able to offer Andy a generous settlement that allowed him to maintain much of his income without working, as well as lifetime
Loss of key personnel, through death or resignation
Loss of high-value customers
Business partner failures
Denial of service (DoS) attacks
Theft or unauthorized disclosure of customer data
Work stoppages, and
Theft or loss of mobile computing devices
As in the case of non-IT assets, the
business continuity plan should
address these lesser incidents; in the
process, providing a real return on
business continuity investment.
In case you missed the memo, paper documents still account for a sizable portion of a company's vital records.
that company executives and senior managers promote both the concept of business continuity, and all efforts aimed at developing, maintaining, testing, and auditing the company's business continuity plan.