
Boardroom Briefing

Business Continuity and Disaster Recovery


A publication of Directors & Boards magazine
Spring 2006
www.directorsandboards.com

Exclusive New Research from Directors & Boards
Ground Zero for the Boardroom
Leading When It Counts
Conducting a Business Continuity Plan Audit
12 Questions Every Director Should Ask About Workplace Safety
Business Continuity Legal Counsel
Boardroom Briefing: Business Continuity and Disaster Recovery

Ground Zero for the Boardroom
James Kristie

Leading When It Counts
Dee Soder

Conducting a Business Continuity Plan Audit
Ted Brown

Business Continuity, Homeland Security and Corporate Governance
Joe D. Whitley

When Disaster Strikes: Are You Sure that Your Business is Adequately Insured?
Peter M. Gillon and Brian G. Friel

The Directors & Boards Survey: Business Continuity and Disaster Recovery

Overseeing BCP: Just One More Reason to Consider CIOs as Directors
Jory J. Marino and Michael C. Nieset

12 Questions Every Director Should Ask About Workplace Safety
Tom Krause, John Balkcom and John Henshaw

Surprises in CEO Succession
Daniel Fairley, J.D. and David A. Bjork, Ph.D.

Boardroom Briefing
Vol. , No. 1
A publication of
Directors & Boards magazine
David Shaw
GRID Media LLC
Editor & Publisher
Scott Chase
GRID Media LLC
Advertising & Marketing Director
Directors & Boards
James Kristie
Editor & Associate Publisher
Lisa M. Cody
Chief Financial Officer
Barbara Wenger
Subscriptions/Circulation
Jerri Smith
Reprints/List Rentals
Robert H. Rock
President
Art Direction
Lise Holliker Dykes
LHDesign
Directors & Boards
1845 Walnut Street, Suite 900
Philadelphia, PA 1910
(215) 567-200
www.directorsandboards.com
Boardroom Briefing: Business Continuity and Disaster Recovery is copyright 2006 by MLR Holdings LLC. All rights reserved.
POSTMASTER: Send address changes to 1845 Walnut Street, Suite 900, Philadelphia, PA 1910.
No portion of this publication may be reproduced in any form whatsoever without prior written permission from the publisher. Created and produced by GRID Media LLC (www.gridmediallc.com).

Ground Zero for the Boardroom
By James Kristie

What you don't know or fail to anticipate can land you square in your own boardroom ground zero.

What is the role of a board of directors? There are a lot of ways to answer that question, but you can't go wrong with this classic response: To ensure the continuity of the enterprise.

A dear departed colleague and Directors & Boards author, Tom Horton, put it this way 20 years ago in our pages: "A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole."

Well said. But if you are a director, you have to be in the camp of our nation's secretary of defense when he ruminated in a press briefing in February 2002: "As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know." I'd say Donald Rumsfeld pretty well pegged the state of affairs that exists in every boardroom in America today.

The challenge for boards is that the result of not anticipating or improperly responding to the known unknowns can be devastating. Then layer on top of that the realization that you can be hit with unknown unknowns, and you as a director have to wonder if you are a sitting duck in a future boardroom ground zero. Not an enviable situation.

It's not atypical for a director to feel informationally deprived under the best of circumstances. Under uncertain circumstances, when a board has serious continuity issues on the agenda, an information deficit can be disastrous.

It is incumbent on directors to demand information and insight that will help them secure the future of the organization, which could be everything from the seemingly most innocuous moves by a competitor to the most threatening moves by a foreign nation potentate.

Outside of your own company's channels, there are lots of resources to draw upon for setting your own early warning system mindset. The trend spotters at McKinsey & Co., for example, issued earlier this year a "Ten Trends to Watch" advisory: macroeconomic trends ("The consumer landscape will change and expand significantly" is one), social and environmental trends ("The battlefield for talent will shift" is another), and business and industry trends ("New global industry structures are emerging" is a third for your radar screen).

You also can't go wrong being on the distribution list for the Dilenschneider Group Trend/Forecasting Report. The briefing is compiled by the strategic communications consultancy headed by Robert Dilenschneider (who we count as a valued member of the Directors & Boards editorial advisory board). The in-depth and data-packed report is must reading for business continuity planning. (Contact the firm at 212.922.0900 to be put on the list.)

And there are other survival guide must-reads. This Boardroom Briefing is one. This is the sixth in a series of single-focused reports on matters of utmost concern to enlightened board decision making. The advisories in the following pages will help you skillfully address your contingency and crisis planning requirements.

On a final note, my son gave me the hugely popular book Freakonomics as a Christmas present. In it is this observation: "The modern world, despite a surfeit of obfuscation, complication, and downright deceit, is not impenetrable, is not unknowable, and, if the right questions are asked, is even more intriguing than we think. All it takes is a new way of looking." Again, well said. That is your job as board members: to ask the right questions and to be the "new look" eyes and ears for the management team. This Boardroom Briefing will seed many of those questions that you might ask.

James Kristie is editor and associate publisher of Directors & Boards. He can be contacted at jkristie@directorsandboards.com.

Leading When It Counts
By Dee Soder, PhD

Management at all levels needs to understand how to act during and, especially, after a crisis.

Ask anyone who has experienced a crisis and they'll tell you what counts is the way the people in charge acted. Leadership behavior is an essential element of business recovery.

The behavior of leaders during and after a crisis has received relatively little attention, planning or board oversight. Without such guidance, some leaders handle crises superbly and others fail, at times dramatically, as evidenced during Katrina. Directors and top executives need to plan for the people side, the psychological aspects of a crisis, as an integral part of business continuity. Management at all levels needs to understand how to act during and, especially, after a crisis.

The accelerating number of devastating situations over the last ten years has necessitated better business continuity measures and management knowledge. As national, regional, local and company-specific crises become more common, directors need to ensure the efficacy of management's plans, and the behaviors that expedite recovery. As was so clearly demonstrated after 9/11, leadership behavior is essential to recovery: to clean up, console, plan and rebuild. Positive and negative examples of leadership behavior after 9/11 will come readily to mind for most of us.

Natural disasters, terrorism, workplace violence, corporate malfeasance, suicide, faulty products: every crisis has unique circumstances. Boards and management also differ widely. Yet an informal survey of more than 30 directors reveals amazingly similar views. A few perceived the board's role as limited, but most believed the board should be more involved as part of its risk management responsibilities. Several prominent directors emphasized the need to think more broadly about crises, such as difficulties resulting from a chief executive's sudden death, lost data/security breach, and so on.

Board differences and unique circumstances aside, there is general agreement on lessons to be learned regarding behavior. Primary ones follow:

Review disaster plans to ensure that behavior is explicitly considered

Think about the "not likely to happen" events. Could directions be ignored if the boss is new or disliked? How should scared, crying and distraught people be handled? What if fighting starts? What about outsiders who happen to be there at a critical time? (For example, in the midst of a power failure, a client was lost for several hours at one company.)

Double check that your continuity plans work. And test them. Just as one client uses a former CIA official to test corporate security, companies may wish to have an outsider test their crisis management plans. This year, a New York City-based media company assigned interns the task of developing "what if" scenarios. IBM executives have used drills for years, complete with "wild card" incidents to test their system. Whatever the actual method, directors should have a yearly, complete presentation of continuity plans, ensuring that disaster drills consider unlikely events and behavior.

Communicate, communicate, communicate

Good communication strategies consider people's emotions and attitudes. Messages should be simple, clear, consistent, and tailored to the audience. Repeat messages; people often don't hear it the first or second time. Be readily accessible, provide support and stay on message. Consider media training for crisis situations before an incident, not in the midst of it (whether you face a mining disaster, sex scandal, hurricane or other problem, don't practice on CNN).

Leaders can motivate and improve morale via a few words; helpful phrases include "together we'll rebuild even better," "remember that evil exists, but there's more good in the world," "sometimes bad things happen and there's no reason," "leaders play the hand that's dealt," and "tomorrow will be better and the next day even better." Be careful about religious messages (a normally devout employee lashed out when an executive attempted to pray for him). Don't force people to talk. After devastating events it is often best just to bring someone coffee or water, sitting comfortably in silence beside them. They'll talk when they're ready.

Remember that style counts

Directors and management at all levels should project calm and confidence. "I'm like the swan: calm on the outside, paddling like mad underneath," one CEO shares. Show that you're human, too. Cold efficiency will have short-term gains but long-term negatives, including the loss of valued employees. After the founder's unexpected death, a company's lead director became acting CEO to secure customer and employee confidence. Several months later, the dynamic, aggressive young president was promoted.

The compassion of good leaders is readily evident; they don't wait for directors to tell them appropriate actions. "Speed of response is important - delays to assess potential legal issues can be callous," one director said. "We'll generally support a CEO's decision - don't wait to ask us." Thus the board applauded the CEO who paid the full salaries of employees called to service in Iraq. Symbolic acts may also illustrate compassion, concern and help expedite recovery. Don't forget the importance of honesty, with employees and the public.

A crisis puts a company in the spotlight

Customers, suppliers, employees' families and others close to the company are greatly influenced by management behavior. It's thoughtful to change the company voicemail and provide information so that worried family and friends will know more: "It's Monday, there's no power, but everyone's ok." "It's Tuesday, the sun's up and we hope to be operating by Wednesday."

Set up call centers to answer questions, modify websites and otherwise employ technology to let people know they're valued. And don't forget to update employees in other locations. Law enforcement has learned to give regular, frequent updates to keep people advised and minimize stress. People remember big and small gestures. Indeed when I was exposed to anthrax after a CBS Marketwatch interview, the network executives' actions to reassure me were so commendable I remain an avid CBS fan (even working praise into this article).

Learn a few stress basics

Stressed people often won't admit they're stressed. Don't expect people to perform normally after a major event; most will be operating at a 70% level for weeks. People will handle a crisis better if they have a role, whether giving out water, calling people, or other activities. Some people will be more susceptible to significant stress. Thus thoughtful/reflective individuals, empathetic individuals, and individuals without strong support systems (family, religion, friends) will be most impacted by disasters. Even employees in distant sites can become distressed by watching television. One of the few truisms of psychology is that a person's dominant trait becomes more pronounced with stress. Accordingly, a manager concerned about details will micro-manage under stress and a very private executive may not seek needed input and help. In this instance, a little knowledge can provide a better understanding of behavior during difficult times.

Ensure training for difficult situations at all levels

In addition to disaster drills, add survival exercises to your off-sites, executive training and other development programs. Used for years to foster teamwork and as ice-breakers, these exercises have additional value given today's numerous crises. Ensure that leadership programs include a segment related to behavior and crisis management. Since corporations have experience incorporating broader concepts like ethics, diversity and global awareness, this isn't difficult. Whatever the vehicle, directors and management need to ascertain that employees are prepared for things that aren't likely to happen, but do.

Leadership behavior is too important to be left to chance, not in today's world. Hope isn't a strategy for anyone, certainly not for those in charge.

Dr. Dee Soder is founder and managing partner of the CEO Perspective Group, an executive advisory and assessment firm for top executives, companies and boards. The pioneer of executive coaching, Soder has helped leaders better manage business interruption and traumatic events for decades. Since 1976, she has also worked extensively with federal, state and local (NYC & DC) law enforcement agencies. A Directors & Boards contributor ("Ready, Fire, Aim" and "Early Warning Signs"), she is a director of several nonprofit boards. She can be reached at dee@ceoperspective.com.

Conducting a Business Continuity Plan Audit
By Ted Brown

There are no generally accepted principles with which to analyze business continuity.

In a recent survey, 37 percent of chief financial officers perceived their firms to be most vulnerable in the area of disaster preparedness and recovery.

The survey reflects the anxiety of many executives concerning the state of their company's business continuity plans. Why the concern? Because experts estimate that 50 percent of companies without business continuity plans go out of business within two years following a disaster.

Just as companies conduct regular audits of their financial controls, they should also examine their business continuity plans, ensuring that critical business functions can be conducted in the event of a disaster, or other major disturbance. While, unlike finance, there are no generally accepted principles with which to analyze business continuity, the following questions should assist corporate directors in assessing their company's business continuity posture.

What are the business continuity objectives?

Like any business plan, a business continuity plan is designed to address specific business objectives. These objectives should be outlined in the plan, and reflect the consensus of senior management relative to present recovery priorities.

Each of the objectives should be:
- Specific, such as "restore accounts receivable," and
- Measurable, such as "within one business day."

If the business continuity objectives are not enumerated in the plan, the plan cannot be properly evaluated.

Is the business continuity plan capable of satisfying the stated objectives?

The business continuity plan, for example, may call for the restoration of e-commerce operations within twelve hours. If the data center supporting these functions is destroyed by a tornado, or terrorist bomb, can essential e-commerce activities be restarted within the twelve-hour recovery window? If the answer is no, then the plan objective is too ambitious, or the recovery scheme inadequate. In either case, the plan won't work.

Is the business continuity plan relevant to everyday employees?

More specifically:
- Are company personnel aware of, and familiar with, the business continuity plan?
- Did they have input into the development of the plan?
- Do they understand their obligations in the event the plan is invoked?
- Are they comfortable with their level of training and preparation?
- Do they have any reservations regarding the plan's viability?

When was the last business impact analysis conducted?

Normally, a business continuity plan is predicated on the results of a business impact analysis (BIA).

The purpose of a BIA is to identify:
- A company's critical business functions, such as e-commerce
- The threats to these functions, such as computer hacking
- Any related risks, such as a denial of service (DoS) attack, and
- The financial impact of a disaster, such as lost revenue, or lost customer confidence

Armed with this information, business continuity professionals can formulate strategies designed to minimize the impact of a major disruption, and to expedite recovery.

Like a business continuity plan, the typical BIA suffers from a short shelf life, and must be periodically renewed, especially in highly-volatile business environments. Generally speaking, if the company's BIA is more than a year old, a new analysis should be commissioned, followed by an immediate update of the company's business continuity plan.

Is business continuity plan maintenance tied to change management?

To remain viable, a business continuity plan must be revised coincident with major organizational, system, or business changes. These changes may include:
- The opening of a new office
- The introduction of a new product line, or
- The passage of new laws and regulations, like Sarbanes-Oxley, which imposes new records retention standards

Any change that affects critical business functions should trigger an automatic review of the business continuity plan. Importantly, if any plan updates are indicated, these updates should be performed prior to, not after, the precipitating business change.

Is the business continuity plan tested on a regular basis?

To remain viable, a business continuity plan must be regularly tested.

Importantly, the testing does not have to be extensive or expensive. In many cases, full-scale tests, especially those involving IT facilities, can be replaced by smaller-scale, tabletop exercises. These scenario-based tabletop drills are especially useful in establishing an organization's ability to adapt to a rapidly evolving disaster environment. After all, in a real world disaster, it may be necessary to rewrite portions of the business continuity plan, literally on the fly.

Does the business continuity plan require periodic retrieval and testing of offsite storage media?

The data backup and recovery process is notoriously unreliable. Despite that fact, many IT departments adopt a "tape it and forget it" attitude, refusing to test the integrity of off-site storage media. The business continuity plan should provide for the random retrieval and testing of backup volumes.

Does the business continuity plan offer sufficient detail?

One revealing test is to determine if the plan can be executed by non-experts. Planners often cut corners during the documentation phase, depending on the availability of subject-matter experts to fill in the blanks if the plan is invoked. Unfortunately, many of these experts may not be available in the aftermath of a disaster, leaving plan activation and execution to junior staffers. As a result, the documentation should be geared to lower level personnel.

Does the business continuity plan provide for adequate post-disaster security?

In addition to disrupting business operations, large-scale disasters often disturb security operations. For example, in many cases, buildings are destroyed and sensitive documents are exposed to the elements, including the criminal element. Given the generally chaotic atmosphere that accompanies a recovery effort, normal levels of security should be maintained, even enhanced.

Where is the backup backup site?

Many companies rely on commercial hot sites to restore critical IT operations in the event of a data center disaster. The primary hot site is frequently located within a hundred miles of the affected facility, enabling ready access by data center personnel.

In the event of a regional disaster, affecting multiple hot site subscribers, the primary site may be unavailable, forcing a company to relocate its operations to a secondary site, which may be a thousand miles away. The business continuity plan should allow for this possibility, discussing, for example, an alternative staffing strategy.

Does the business continuity plan consider mobile computing resources as potential recovery assets?

Most large companies support a network of telecommuters or other distributed workers. Mobile and wireless computing assets can be used to effect a partial, low-cost recovery strategy, and their deployment for that purpose should be explored in the business continuity plan.

Does the business continuity plan provide for the failure of key business partners?

In the world of the virtual corporation, it's not enough for a company to plan for its own recovery. It must also consider the impact of disasters affecting key business partners.

To accomplish this goal, a company's business continuity plan must:
- Provide for periodic audits of business partner business continuity plans, and
- Include recovery plans designed to mitigate the impact of a major business partner failure

Typically, a business partner recovery plan consists of identifying an alternate source supplier, and establishing a procedure for engaging that supplier if the need arises.

Does the business continuity plan encompass non-electronic records?

In case you missed the memo, paper documents still account for a sizable portion of a company's vital records. The business continuity plan should address the preservation and restoration of paper, or other hardcopy material, probably by means of electronic document imaging.

Does the business continuity plan encompass print-to-mail facilities?

Every day, companies print and mail billions of invoices, financial statements, healthcare documents, payroll checks, and other vital records. These documents are imaged, printed, sorted, and mailed to customers, shareholders, regulatory agencies, employees, and business partners.

Remarkably, the facilities, equipment, and systems responsible for performing these critical functions (generically "print-to-mail") do not enjoy the same business continuity protection as their data center counterparts. According to the Disaster Recovery Journal, nearly 82 percent of backup providers do not support the printing and mailing of bills and statements.

Does the business continuity plan encompass non-IT assets?

Traditionally, business continuity plans have addressed the recovery of information technology assets. But disasters can claim non-IT assets, such as:
- Manufacturing plants
- Vehicles and equipment
- Research and development laboratories
- Raw materials, and
- Product inventory

Does the business continuity plan address the protection of these non-IT resources? If not, why not?

Does the business continuity plan promote risk mitigation measures?

Since not all disasters can be avoided, part of the business continuity plan should be devoted to lessening the impact of a disaster. One common device is encouraging the decentralization of critical assets.

The plan, for example, should discourage the creation of large, central file rooms in favor of smaller, more distributed storage sites. In this way, a facility fire could only claim a portion of a company's vital records. In the case of existing central file rooms, the plan should encourage the deployment of adequate fire detection and suppression equipment.

Does the business continuity plan provide for disruptions?

Most business continuity plans cover catastrophic incidents, such as earthquakes, hurricanes, tornados, floods, fires, bombings, etc. Most companies, however, will never experience a disaster of these proportions. Instead, they will suffer a series of smaller but still expensive disruptions, such as:
- Power outages
- Storm-related travel difficulties

(continued on page 34)

Business Continuity, Homeland Security and Corporate Governance
By Joe D. Whitley

With terrorist threats increasingly frequent and well-publicized, directors and officers will have a hard time claiming that corporate risk management did not need to include emergency preparedness.

On a Sunday afternoon in August 2004, Homeland Security Secretary Tom Ridge held a press conference to announce that the alert level on the Homeland Security Advisory System had been raised to orange, the second highest level. Unusually specific information from reliable sources, confirmed by multiple intelligence streams, suggested that terrorists were plotting a strike against financial centers in New York City, northern New Jersey, and Washington D.C. Wall Street increased security to unprecedented levels, leaving some to wonder if the police outnumbered the floor traders. Similar measures were taken in Washington, a city already bristling with barriers and patrols.

For companies and executives who are in the bull's-eye of the terrorist threat, the warning brought home the importance of security and business continuity planning for financial markets. [1] For America's premier financial service providers, the members of the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD), business continuity (BC) is no longer an option or just the domain of the corporate security department. It is a critical component of corporate governance and market stability.

[1] As an aside, natural disasters like Katrina and Rita present very similar concerns to corporations and businesses.

Self-regulation and Business Continuity

Both the NYSE and the NASD are self-regulating organizations that require compliance with practices, standards, and policies as a prerequisite for membership. In response to 9/11, the NYSE and the NASD began formulating new business continuity requirements for broker-dealer members. Rule 446 for NYSE members and Rules 3510 and 3520 for NASD members address business continuity and contingency planning and are very similar in substance. The new rules recognize that there is no cookie-cutter approach to planning and therefore account for flexibility in business continuity design and implementation. But these rules require that, at a minimum, each firm's plan contain ten elements:

Data back-up and recovery (hard copy and electronic)
Mission-critical systems
Financial and operational risk assessments
Alternate communications between customers and member
Alternate communications between the member and employees
Alternate physical location of employees
Critical constituent, bank and counter-party impact
Regulatory reporting
Communications with regulators
A plan to assure customers prompt access to their funds and securities in the event that the member determines that it is unable to continue its business elements.

Members of the NYSE and NASD must also publicly disclose the general configuration of their business continuity plan. Pursuant to its statutory authority, the Securities and Exchange Commission approved the NYSE's and the NASD's business continuity rules on April 7, 2004. [2]

[2] Securities and Exchange Act Release No. 34-49537 (April 7, 2004), 69 FR 19586, April 13, 2004. See also NYSE Information Memo 04-4 as well as NASD Notice to Members 04-37, May 2004.

At least in concept, forcing business continuity into the open serves as a de facto incentive to take the rules, and homeland security preparedness, seriously. There is an implicit reliance on market forces: it is assumed that if the public can compare business continuity plans, rational consumers will prefer to do business with those members whose plans are the strongest. Equally rational business leaders, in an attempt to capture competitive advantage, will establish robust plans. Considering that e-commerce companies and Internet Service Providers routinely use this type of security-related marketing, it soon may become prevalent among the largest financial institutions, all of which are members of the NYSE and the NASD. Any act of terror on American soil would accelerate this process.
Private-Sector Responsibility

The business continuity initiatives in the financial services sector highlight a significant issue for other business sectors: Even in the absence of regulation or statute, should corporations implement a business continuity plan as a matter of sensible corporate governance and sound policy? The answer clearly is yes.

The federal government, and particularly the Department of Homeland Security, needs industry's participation and support to make the country secure. The owners and operators of obvious targets (power plants, chemical facilities, telecommunication centers) have been tightening their defenses and have developed (or contracted for) business continuity plans.

Yet, with finite budgets and only a transient sense of threat, most corporations have not initiated business continuity planning for the post-9/11 era: robust, tested, enterprise-wide programs that protect facilities, people, and which would permit the rapid resumption of business if an attack occurred. Many companies still don't quite get it: business continuity is a strategic investment, and its dividends will be evident during an attack, and economically and legally, in the aftermath of a terrorist event. For example, when a cascading grid failure left tens of millions of people in the U.S. and Canada without electrical power in August 2003, corporations without business continuity plans suffered. Without electricity to run computers, commerce simply stopped.

Not so for the New York brokerage firms that had aggressively invested in business continuity after September 11. That preparedness, including installation of emergency generators and back-up trading systems, allowed commercial transactions to continue with minimal interruption. Considering the financial losses brokerage firms sustain from even an hour of missed trading, investments in business continuity paid for themselves many times over in that one event. Indeed, the 2003 blackout and the business continuity success stories within the financial services sector accelerated the NYSE's and the NASD's adoption of business continuity rules for the industry as a whole.
SEC Oversight and Legislation

SEC Chairman Chris Cox, who prior to his appointment was chair of the House of Representatives Committee on Homeland Security, may be just the person who will trigger consideration of homeland security as a material matter in 10K reports. Chairman Cox is well aware that 85 to 90 per cent of America's critical infrastructure is owned by the private sector. He, too, is familiar with the post-9/11 legislation that increased the responsibility of businesses that provide financial services, transport hazardous waste, provide and maintain maritime facilities ranging from ship terminals to storage facilities for LNG to refineries. All of these industries and many others are to some extent regulated by the Department of Homeland Security and it is likely that chemical plant security will soon be regulated by the Department.

As these legislative efforts increase the responsibilities of the private sector to make homeland security a priority, it makes good sense to have in place security programs that will reduce their vulnerability to the consequences of the next terrorist attack. Contingency planning to assure business continuity in addition to should include some of the following:

Insurance: Does it adequately cover business interruption costs? Are the terms and provisions written in a manner favorable to quick recovery?
Supply chain: Is it capable of restoration after a terrorist event? Are there components and parts coming across U.S. borders that may be closed?
Market resilience: Will the customer continue to purchase products and services after a terrorist event?

Implementing a business continuity plan also may have legal significance for a corporation. Because business continuity recognizes risk and mitigates it, the creation and implementation of such a plan may help a corporation discharge its corporate governance responsibilities to customers and shareholders alike. The concept is only now being tested in the courts, but the normal standard of corporate responsibility, focusing on acknowledging and responding to knowledge of a threat, likely will be applied here, diminishing liability. With terrorist threats increasingly frequent and well-publicized, directors and officers will have a hard time claiming that corporate risk management did not need to include emergency preparedness.

The Spectre of SOX

There is not yet regulatory linkage between homeland security governance and Sarbanes-Oxley but it is likely that it would parallel developing SOX compliance in
(continued on page 34)
When Disaster Strikes: Are You Sure that Your Business is Adequately Insured?
By Peter M. Gillon and Brian G. Friel

What companies must do to prepare for the next catastrophic loss

9/11, and the recent devastation inflicted by Hurricanes Katrina and Wilma, have forced companies across the United States to take a hard look at how they manage the risk of disaster, both man-made and natural. [1] Of all the tools available to manage catastrophic risk, none is more important than property insurance. This is the one risk management tool that can ensure the survival of a corporation following the devastating effects of a terrorist attack, hurricane, earthquake, tornado, or fire. Unfortunately, the number of coverage disputes and unpaid claims related to September 11 and the recent hurricane losses suggests that companies too often overlook or simply fail to understand the critical details of their property insurance programs.

[1] More than 30% of all businesses that close down following a disaster never re-open again. ALFA Insurance, Can Your Business Survive a Natural Disaster? http://www.alfains.com/business.

Far too often companies wait until after a disaster strikes to determine what they need to do to adequately prepare, evaluate and present their claims to their insurers. When disasters like September 11 or Hurricane Katrina hit, many companies find themselves playing catch-up and lose valuable time in adjusting their claims as a result.

This is understandable. In the immediate aftermath of a large-scale disaster, directors and officers are pressed by other competing and vital matters impacting their companies, such as employee deaths and injuries, employee relocations, office relocations, customer issues, media inquiries, and the like. This is why a clear, coherent risk management plan in advance is essential to maximize and expedite insurance recovery during a crisis.

Many companies have developed a disaster response protocol, to be put in place in advance of a disaster. A claim team should be identified and assembled in advance, setting forth the roles of the risk manager, the general counsel and other response personnel. Pre-determine what you need to do, and by when, with respect to notifying the insurers of the loss. Have a process in place to obtain, analyze and maintain the necessary documentation to support your claims. Establish accounting procedures for capturing loss expenses accurately and efficiently. Establish communication protocols internally and externally.

Insurance Coverage Issues

There are many issues to consider in evaluating a property policy, including whether it provides the broadest coverage available at a reasonable cost. Below are some of the most important policy considerations that are not being adequately addressed in the underwriting process.

Hurricane Deductibles and Sublimits. Many commercial property policies contain a deductible for hurricanes (or windstorms) and other specific perils, based on a percentage of total insured value or total insurable value (TIV), rather than based on a flat dollar amount. This deductible is typically between 2%-5%. Thus, for example, if a policy's deductible for hurricanes is 5% of TIV and the total limits of the policy are $60 million, an insured would be responsible for the first $3 million of damages. For many small- to mid-sized claims, this deductible effectively acts as a bar to coverage. One possible modification is to negotiate a lower deductible percentage; another is to reduce the limits for purposes of the deductible.

Another common feature of commercial property policies is a sublimit (i.e., a lesser amount) for hurricanes and other perils. In light of the extremely active hurricanes in Florida and along the other parts of the Gulf Coast over the last few years, it is imperative that companies operating in hurricane regions re-evaluate their sublimits, if any.

In the wake of the vast number of claims filed because of Hurricanes Katrina and Wilma, many insurers are attempting to apply the percentage deductibles to the total limits available under a policy even though the insured is only entitled to a lesser amount contained in a sublimit. Using the example above, if the policy has total limits of $60 million but a $10 million sublimit for hurricanes, insurers often are applying the 5% deductible to the $60 million (resulting in a $3 million deductible), rather than applying the 5% to the $10 million sublimit, which are the actual limits available, which would result in a deductible of only $500,000. Again, rather than wait for a disaster to hit, it is critical to clarify the language in the policy now to make sure that TIV refers only to the total limits available for a particular claim, including any sublimits.
Business Interruption: Waiting Periods. Some policies impose a waiting period (e.g., 24 hours or 72 hours) before business interruption (or lost business income) losses are recoverable. The purpose of waiting periods is to ensure that the loss is of a minimum magnitude before coverage is triggered. Insurers do not want to expend the resources necessary to evaluate a business income claim in situations where a company is down for less than one or two days.

There are two very important considerations for directors. First, it is imperative that the waiting period is expressed as total hours or even days rather than in business hours. For example, certain policies state that the waiting period is 72 business hours, and certain insurers have argued that it is equivalent to nine calendar days for those businesses that do not operate on a 24-hour cycle. Second, some insurers have argued that the waiting period acts as a deductible. Thus, for example, with a policy that has a 24-hour waiting period and an insured's business was closed for three days, rather than compute income for the full three days, some insurers have argued that the policies only cover lost income for the last two days. It is essential that the policies be clear that once the waiting period has been met, the policy covers lost income incurred starting on day one.

Business Interruption: Total Suspension vs. Partial Interruption. A key issue with business interruption coverage is whether the policy requires a total suspension of your operations, or whether it also covers partial interruptions of your business. Most policies cover only actual loss of business income you sustain due to the necessary suspension of your operations from the date of the loss to the date the property should be repaired or replaced. Some policies contain broader language, covering business interruption losses when the policyholder is wholly or partially prevented from producing goods or continuing business operations or services. Considering that a significant number of claims involve an interruption of only a portion of a company's business, such as the partial shutdown of a factory or a wing of a hotel, it is important to make sure your policy covers for partial interruption.

The question every CEO, board member, general counsel and risk manager must ask is this: if your office building, hotel, factory or distribution center is destroyed tomorrow by a hurricane, earthquake or terrorist attack, will your claim team be ready to respond immediately and will your insurance cover both the physical damage to your property as well as the resulting lost business income? Recent experiences have shown that many companies are not ready to evaluate, prepare or submit their claims, and that there are significant gaps in coverage that otherwise could have been addressed in the underwriting/renewal process. It is imperative that companies, working with their brokers and outside counsel, start to address these issues now in order to better prepare themselves for the next disaster.

Peter M. Gillon is a shareholder in the Washington, DC office of Greenberg Traurig, LLP and Brian G. Friel is of counsel in the Washington, DC and the Morristown, New Jersey offices of Greenberg Traurig, LLP, where they counsel corporate policyholders on the procurement of all lines of insurance, including property and business interruption policies, and prosecute coverage disputes on behalf of their clients. They currently are handling some of the largest claims arising from the September 11, 2001 terrorist attacks and Hurricanes Katrina and Wilma, along with the hurricanes that struck Florida in 2004.
The Directors & Boards Survey:
Business Continuity and Disaster Recovery
Does your company have a
business continuity management
program?

No 19.3%
In process of creating 6.9%
Yes, plan in place for less than year 13.1%
Yes, plan in place for more than a year 39.3%
Other 1.4%
Does your company have a crisis
management plan?

No 8.1%
In process of creating 3.3%
Yes, plan in place for less than year 11%
Yes, plan in place for more than a year 36.3%
Other 1.4%
Does your company have a disaster
recovery plan?

No 4.3%
In process of creating 3.6%
Yes, plan in place for less than year 13.9%
Yes, plan in place for more than a year 36.1%
Other .1%
Does your company have an executive
transition/leadership plan in the event
of the sudden death of key leaders?

No 37.9%
In process of creating 1.4%
Yes, plan in place for less than year 11.7%
Yes, plan in place for more than a year 6.9%
Other .1%
Methodology
This Directors & Boards survey was conducted in February 2006 via the web, with an email invitation to participate. The invitation was emailed to the recipients of Directors & Boards' monthly e-Briefing. A total of 332 usable surveys were completed.
About the respondents
(Multiple responses allowed)
A director of a publicly held company 8.%
A senior level executive (CEO, CFO, CxO) of a publicly held company 9.%
A director of a privately held company 36.%
A senior level executive (CEO, CFO, CxO) of a privately held company 3.9%
A director of a non-profit entity 7.6%
Institutional shareholder 4.9%
Other shareholder 17.8%
Academic 8%
Auditor, consultant, board advisor 3.9%
Attorney 6.7%
An investor relations professional/officer 1.8%
Other 9.%
Revenues
(For the primary company of the respondent)
Average revenues: $.773 billion
Less than $50 million 57.1%
$51 million-$500 million 9.8%
$501 million to $999 million 8%
$1 billion to $10 billion 19.6%
More than $10 billion 5.5%
Board Service
(Average number of boards respondents serve)
Public Company: 1.1
Private Company: 1.53
Charitable 1.59
Total: 4.33
Business Continuity Programs

How important is business continuity planning/disaster recovery to your company?
[Pie chart; segment labels: Extremely important, Not important, Important, Somewhat important; segment values: 27.8%, 16.0%, 3.5%, 52.8%]
If you answered yes to any of the above questions, does your company test these plans on a regular basis?

If you answered yes to any of the above questions, have your company's plans been shared with employees?

[Bar chart: Yes, more often than once a year 6.5%; Yes, once a year 26.1%; Yes, less often than once a year 13.8%; No 34.1%; Does not apply 19.6%]
[Pie chart; segment labels: Yes, Does not apply, No, Don't know; segment values: 20.6%, 14.7%, 17.6%, 52.8%]
How do you rate your company's ability to recover from a natural/manmade disaster or business interruption?
(Other answers included: Our plan is untested.)

How quickly do you estimate your company can recover from a significant/major business interruption?
(Other answers included: Depends on the event: could be minutes to weeks. We can recover from an IT disaster pretty quickly. Loss of a plant would take much longer. By the way, we test IT disaster recovery once or twice a year, but do not test loss of a building or senior manager.)

How do you rate your company's management's ability to calmly lead in times of crisis?
(Other answers included: Like everyone, I think it is good; but probably could be better.)

How effectively are 3rd party partners, vendors and service providers integrated into your company's business continuity/disaster recovery planning?
(Other answers included: Not certain. We are working on the plan at this time and will address 3rd party partners, etc. Don't know.)

[Bar chart: Excellent 12.5%; Good 41.7%; Fair 34.0%; Poor 9.7%; Other 2.1%]
[Pie chart; segment labels: Hours, Months, Other, Minutes, Days, Weeks; segment values: 49.0%, 5.5%, 4.8%, 0.7%, 17.9%, 22.1%]
[Bar chart: Excellent 34.5%; Good 52.4%; Fair 11.0%; Poor 0.7%; Other 1.4%]
[Bar chart: Very effectively 13.9%; Somewhat effectively 45.8%; Not very effectively 22.9%; Not at all 11.8%; Other 5.6%]
[Pie chart; segment labels: Yes, Other, No, Not applicable; segment values: 72.9%, 11.8%, 2.8%, 12.5%]
Board Responsibility in
Business Continuity/
Disaster Recovery Planning
What, in your opinion, is your board's responsibility in business continuity, crisis management and disaster recovery planning?

The board should take primary responsibility, directing management 15.9%
Management should take primary responsibility, advising the board 79%
Other 5.1%
(Other answers included: It will depend on the nature of the disaster. Management should take primary responsibility with the board having the responsibility to ensure that this is done. It should be a collaborative effort.)
Does your board have a dedicated
business continuity or risk
assessment committee or a board
member tasked with this issue?

(Other answers included: Audit
committee periodically reviews the
plan. For now, risk assessment has
only been assessed by IT manager with
outside consultants as backup.)
Who's responsible for informing the board of risk issues at your company?
(Multiple responses allowed.)

Board committee 15%
Designated board member 7.1%
CEO 7.9%
CFO 35.7%
Internal Auditor 7.1%
Chief Risk Officer 7.9%
Chief Legal Counsel 4.3%
External auditor 0%
Business unit leaders 13.6%
Other 7.9%
(Other answers included: Probably the CFO and CLC. President & COO. Employees. CIO. Board at large.)
How important is business continuity
planning to your board?
Extremely important 3.6%
Important 40.7%
Somewhat important 1.4%
Not important 1.1%
Other .1%
How often is business continuity
planning/disaster recovery on the
agenda for your board meetings?

As needed 1.6%
Every meeting 0.7%
At least once per year 36%
Less often than once per year 0.9%
It's never been on the agenda 14.4%
Other 6.5%
(Other answers included: Never was
included. Formally, twice a year. In
connection with strategic plan reviews.)
If you serve on multiple boards, do you see major differences among the companies you direct in terms of business continuity planning/disaster recovery?

Do you market your company's business continuity/disaster recovery plans as a benefit to your company's customers?

[Pie chart; segment labels: Yes, Other, No, Not applicable; segment values: 69.6%, 5.1%, 2.9%, 22.5%]
[Pie chart; segment labels: Yes, Not applicable, No, Don't serve on multiple boards; segment values: 16.8%, 15.3%, 24.1%, 43.8%]
General Business Continuity
Questions
Has your company been affected by any of the following interruptions in the past year?
(Multiple responses allowed.)

Natural Disaster 7.7%
Technology failure 6.%
War 1.5%
Terrorist activity 3.8%
Information security breach 10.8%
Human error, resulting in major business interruption 10.8%
Labor dispute 6.%
Power failure 34.6%
An interruption in service from a third party partner or vendor 17.7%
Loss of key personnel, through death or unplanned resignation 0%
Business partner failures 6.9%
Loss of high-value customers 10%
Weather-related disruptions to operations 8.5%
None of these occurred to my company 0.8%
Other 6.%
(Other answers included: Short term outages. Maintenance/facilities issues. Rail disruptions. Major rail accident caused by the railroad company that resulted in a chemical car containing our product being breached leading to the death of 9 people. Fire.)
If yes to any of the above, what do
you estimate the total cost of these
interruptions was to your company?

Less than $100,000 40%
$100,000-$500,000 17.5%
$500,000 to $1 million 7.5%
$1-5 million 9.%
$5-10 million 4.%
More than $10 million .5%
Not applicable 19.%
What do you estimate your
companys annual budget to be for
business continuity planning/disaster
recovery planning (not the cost of an
interruption)?

No budget 40.%
Less than $100,000 31.8%
$100,000-$500,000 1.9%
$500,000 to $1 million 3.8%
$1-5 million 4.5%
$5-10 million 0.8%
More than $10 million 1.5%
Other 4.5%
(Other answers included: Not designated as a line item. Don't know. We are presently trying to determine what amount should be budgeted for disaster recovery.)

Compare this expenditure to the
prior year.

We budgeted more on business continuity programs 18.3%
We budgeted less on business continuity programs 9.%
We budgeted approximately the same amount 3.7%
We do not budget for business continuity programs 43.5%
Other 5.3%
Within your company, how many employees do you estimate are dedicated to business continuity planning/disaster recovery?
[Pie chart; segment labels: It's part of some people's full time jobs, More than 10, None, 1, 2-5, 6-10; segment values: 19.7%, 8.3%, 5.3%, 3.0%, 17.4%, 46.2%]

Please rate your company's internal communication to and training of employees in business continuity planning and disaster recovery.
[Pie chart; segment labels: Good, Other, Excellent, Fair, Poor, Non-existent; segment values: 32.3%, 15.8%, 4.5%, 5.3%, 17.3%, 24.1%]

Thinking about the year ahead, rate how likely it is that each of the following events would occur and have an impact on your company's business operations.

                                                Very Likely   Somewhat Likely   Not Very Likely
A terrorist attack abroad                       8%            15%               77%
A terrorist attack in the US                    6%            35%               60%
A manmade disaster (electronic or otherwise)    10%           54%               36%
A natural disaster                              1%            50%               38%
Overseeing BCP: Just One More Reason to Consider CIOs as Directors
By Jory J. Marino and Michael C. Nieset

To meet this complex new responsibility, boards should consider a relatively new kind of board member: a current or former CIO

While spectacular corporate meltdowns were leading to Sarbanes-Oxley, a series of other cataclysms dramatically emphasized the risk of business disruption, and put business continuity planning on the front burner for boards. Y2K, though it proved to be less than met the eye, first sounded the alarm, followed shortly by 9/11, which highlighted the vulnerability not only of computer networks but also of phone, power and transportation systems. A literal meltdown with the power outage of August 2003 renewed fears about the stability of the electrical grid. Continued globalization exposed companies to more risks in more places, while political instability, including war in the Middle East, turned many risks into reality. Hurricane Katrina is only the latest and surely not the last of these cataclysms.

Following these upheavals, an increase at the global, country and state levels in regulatory requirements for disaster recovery planning (DRP) and business continuity planning (BCP) has heaped new expectations for the scope and quality of oversight on directors' shoulders. Although directors are not responsible for directly managing and planning for calamities, no board will enjoy the scrutiny that is sure to follow for having failed to ensure that an adequate business continuity and disaster recovery plan was in place. To meet this complex new responsibility, boards should consider a relatively new kind of board member: a current or former CIO. Just as corporate boards have sought financial experts to meet their expanded fiduciary responsibilities in the SOX era, they must also now be prepared to extend seats to current or former CIOs who are best able to exercise oversight of disaster recovery and business continuity planning.

Although the value CIOs bring to such oversight may be insufficient by itself to justify adding them to boards, that expertise joins a growing list of areas in which CIOs can make significant contributions as directors, including their valuable knowledge about how to maintain compliance with today's rigorous business, financial management and reporting requirements. A CIO's enterprise-wide understanding of business and technology-driven business strategies could prove invaluable in stewarding a company through a natural disaster or terrorist attack as well as contribute substantially to the board's understanding of risk and information security.

A Dearth of CIO Directors

Nevertheless, only a handful of companies now include CIOs on their boards. Our research shows that among the Fortune 1000 companies, only 15 have a current or former CIO as an external director. Why this dearth of current or former CIOs on boards, despite their fitness to contribute in many areas of oversight?

Part of the answer lies in perceptions. Board members and CEOs often see CIOs as exclusively concerned with operations and find it hard to imagine them moving from the server room to the boardroom. More narrowly still, CIOs are often seen as technologists, not strategists. CEOs want to learn from board members and often feel that CIOs have nothing to teach them about business.

CIOs also lack visibility in the networks in which CEOs and board members move and from which they choose directors. Many companies like to add high-profile names to their boards, and that usually means a celebrated CEO. Even the obvious ability of CIOs to exercise oversight of disaster recovery and BCP is easily discounted by companies who may erroneously believe that creating a plan and signing on for backup sites are one-time events rather than part of an ongoing oversight process.

A Compelling Case for Inclusion

With companies increasingly restricting the number of boards on which their CEOs can serve, the pool of qualified director candidates is shrinking. CIOs can significantly enlarge that talent pool. For despite all of the negative perceptions of CIOs, those with the right combination of experience and talents can make substantial contributions in a wide variety of areas, especially risk management and compliance as well as business strategy, which, taken together, add up to a compelling case for adding a CIO director.

Since the 1990s the financial control processes that now loom so large in SOX compliance have resided in ERP systems, presided over by CIOs, who can provide unique understanding of how to apply those systems to SOX. The best of these CIOs also know how to go beyond mere compliance to automate business processes and financial controls to drive down the enormous costs of compliance.

Data security has also moved to the forefront of risk management, largely as a result of high-profile security breaches at information companies, credit card companies, and banks, elevating concern about protecting the public's personal information. Companies that fail to exercise diligent oversight in this area put their reputations and their business at risk. CIOs have not only been on the frontlines of data security, they also understand that ensuring data security encompasses links in the technology supply chain that extend far beyond the company's control.

In matters of strategy and business acumen, the nature of global business and technology today ensures that CIOs in large, global and complex organizations have acquired skill and understanding that far exceeds the purely technical. Global businesses today operate complex supply chains, manage a variety of captive and outsourced service providers, and manage multiple distribution channels and customer touch-points. In all of these activities, technology plays a central role, providing the CIO with an enterprise-wide view of business, and an enterprise-wide view of risk management.

"As businesses continue to transform from batch to real time, risk management extends beyond traditional BCP/DRP to include a CIO's ability on a board to provide a point of view and oversight on information, reputational, project execution and acquisition risks," says James Dallas, Audit Committee Member, KeyCorp and former CIO of Georgia Pacific Corporation. "All of these issues have technology at their core. The effective and innovative use of information and technology are the heart of strategies within both manufacturing and service industries. The pulse is the speed in which technology changes, which requires having someone on the board who knows the technologies that are here and around the corner that could transform competition."

Finding the Right CIO Candidate

In our experience, CIO director candidates with the breadth of business and technology understanding that are required to make a real contribution to board deliberations are most likely to come from large companies, like the Fortune 250. In these global, complex organizations the role of the CIO has evolved into a position that today combines traditional technology responsibilities with the general management responsibilities of a COO. These CIOs may negotiate deals on behalf of the company with a variety of third parties and outsourcing organizations or they may create a captive outsourcing organization. To perform successfully these CIOs must be able to integrate their mastery of technology, understanding of business processes, and thorough knowledge of the business and industry into a comprehensive vision of the company and execute against it. In the largest companies they will often know more about the company's business operations than business line managers or even the CEO.

Not surprisingly, many CIOs have come up through the technology ranks and then stepped into broader general management roles like COO or president of a business unit or large division. The president and COO of one of the world's most successful internet companies served as chief technology officer in his previous company, joined the internet company as CIO, rose to his present position and was recently elected to the board of a public software company. Sometimes the career trajectory runs in the opposite direction. The CIO of a leading building materials company came up through finance and then moved into technology mid-career and now sits on the boards of two companies.

But whether an individual moves from technology to general management, general management to technology, or acts as a CIO whose role is almost indistinguishable from that of a COO, the lesson remains the same: The success of large companies today greatly depends on top executives who can operate effectively in both spheres. Boards can reflect that new reality by considering candidates who have:
• Operated an organization of scale, where scale may be defined in terms of geography, complexity of the business, multiple business units, or overall size in revenues, capital investments, and budgets
• Demonstrated strong financial and operational skills as well as knowledge of the business and industry
• Addressed operational and business risk across the many vulnerabilities in a complex, global organization
• Moved up in a progressively responsible CIO career and later stepped into a full general management role, or moved from general management to absorb technology responsibilities
• Presided over an operation as it globalized its business and customer base and addressed the impacts of sourcing and offshoring
• Delivered significant business value

Such candidates not only have a broad perspective on business, they can also broaden the perspective of boards at a time when effective oversight and risk management require a comprehensive, integrated understanding of business and information technology. Such directors may not only help ensure business continuity following disasters but also, contrary to narrow perceptions of CIOs, help avert business disasters.

Jory Marino is managing partner of Heidrick & Struggles' Global CIO practice and New York-Park Avenue office. Michael Nieset is a senior partner of Heidrick & Struggles' Technology and Board of Directors practices. The authors can be contacted at jmarino@heidrick.com, mnieset@heidrick.com or by phone at 31.496.1345.

12 Questions Every Director Should Ask About Workplace Safety
By Tom Krause, John Balkcom and John Henshaw

The globalization of terror, the fear of potential pandemics, and the public's concerns over corporate misconduct have brought new gravitas to the question of safety and health in every workplace. To some, worker safety may seem a mundane issue in an increasingly knowledge-intensive economy. But in our experience, the health and safety of the worker underpins the ability of any company to claim excellence in its dealings with customers, employees, investors, and the public.

This article suggests the twelve primary questions every director should ask (and expect to have answered thoroughly and well) about safety in any company. The first five frame the relationship of safety-to-value creation. The remaining seven address the capabilities and processes whereby a firm either instills safety in the day-to-day mindset of every executive and employee, or creates an unacceptable risk of catastrophic failure and organizational incompetence.

What is the relationship between worker safety and other performance metrics in this company?

While this question may be interesting from a purely theoretical point of view, we pose it solely as an empirical question. That is, we seek to determine what longstanding statistical relationship exists between variations in safety and health outcomes (e.g., the rate of OSHA-recordable incidents) from month to month and quarter to quarter, and contemporaneous changes in financial results. The latter include earnings, cashflow (and its working proxies, such as EBITDA), and unit costs of production.

Our experience suggests these merely statistical relationships are idiosyncratic to the operations of each company, that no two companies have identical patterns. Moreover, these unique relationships when traced to root causes within a given company can be highly revealing of the organizational impediments to both safety and profitable growth.

What should our safety goal be?

Experienced observers believe that companies that are highly successful in safety performance are also successful in operational performance. Leading companies that are viewed as socially responsible set tough targets to challenge the organization continuously and improve safety performance the same way they set other operational targets.

For example, DuPont is well known for striving to achieve zero workplace injuries and illnesses based upon the fundamental belief that all injuries are preventable. Alcoa, under the leadership of Paul O'Neill, set stringent goals for safety and reduced its lost-time incident rate from 1.86 in 1987 to 0.12 in 2002.

Even the largest and most tradition-bound organizations are capable of order-of-magnitude changes in safety performance. In addition to ensuring that a safety goal is set, a director should feel free to ask what benchmarking was done in establishing a safety goal, what such a change would mean in his or her company, what is blocking its accomplishment, and when a new level of accomplishment can be achieved and sustained.

How do we know we're being preventative in our safety efforts and how do we measure exposure to hazards in the absence of injuries or illnesses?

Virtually every event that results in a workplace injury or illness is preceded by lower level decisions and outcomes that increase the likelihood of failure in safety. The catastrophic failure, the death of a worker or a serious injury, can be seen as the tip of an iceberg undergirded by an architecture of behaviors, practices and outcomes that made the greater loss predictable. Leading indicators of lower-level safety decisions reveal the organizational culture that gives rise to the costly failure. Directors should ask what leading indicators are predictive for their organization, including measures related to organizational culture and safety climate. Then they should ask what is being done to move those leading indicators, how they are changing over time, and what the readings were before the most recent major safety failure.

Directors should ensure that the organization fully understands what goes on in the places where workers interact with the core technology of the company, what we call the "Working Interface." Ultimately, safety excellence depends on keeping the Working Interface free of hazards, which include the facility, the equipment and the behavior of the worker.

What is our exposure to a catastrophe such as Bhopal?

The failure to anticipate an incident of catastrophic proportions (that is, a multiple-fatality event or something the magnitude of Bhopal) is above all a failure of imagination. Either that or it's a suppression of the evidence of leading indicators that prefigured the likelihood of a major failure. With reflection, any CEO, COO, and chief safety officer should be able to tell a director where such risks lie, what their probability of occurrence is, and what preventative steps are being taken to head them off.

How do we know there's not fraud in our health and safety reporting and that exposures and accidents are not being under-reported?

Any discussions about safety depend on the integrity of safety reporting, which holds the same challenges in the verification of processes and outcomes as financial reporting. Indeed, safety performance is an important measure of enterprise risk management, and shareholders are more watchful now for fraudulent reporting. Just as directors now see their responsibility and liability for sound financial reporting, they also sit where the buck stops in the matter of risk management, and workplace safety and health reporting. Both the full board and the committee responsible for environment, health and safety are responsible for ensuring that the performance data and the safety reporting are accurate.

A director with sound answers to these first five questions should be able to get an exact answer to the next question, which addresses how safety and value relate to one another in the company. The remaining questions deal with the reliability, transparency, and fairness of safety-related decision-making in the organization. No organization can reasonably expect employees to take on the task of safety (except when the CEO happens to be in town or the board happens to make its annual plant visit) if it lacks integrity.

Without the historical analyses, a clear goal, an awareness of early indicators, a Bhopal assessment, and validation of safety reporting, an organization may be unable to link safety and value. However, we are convinced that the two are closely linked and that any director deserves and has a duty to know the connection in a rigorous and validated way so as to optimize value creation for shareholders.

How much value are we delivering through our safety performance?

Economic value analysis has revealed the many value drivers that support the delivery of exceptional returns to shareholders. Within these value trees a director can see what dimensions are inherent in the safety-related behaviors, practices, and outcomes of the organization. By looking at the historical relationships between safety and financial outcomes, as well as the underlying causes of shortfalls in both, a company and its directors can assess the contribution a safe workplace makes to the organization's value, or the degree to which safety breakdowns are inhibiting the creation of value.

What tone should we set in the boardroom about safety?

While "tone at the top" has become a byword of the enactment of the Sarbanes-Oxley Act, it is an essential element in the creation of an organizational culture of safety and incident-free operations. When we speak of incidents, we are referring to increases in exposure or risk, some of which result in recordable injury or illnesses or possibly major industrial accidents.

Attention to safety in all its dimensions, including exposures or risk and not just recordable injuries, starts at the top. The top must include the representatives of the shareholders, in essence the owners, and not just senior management. Setting a tone in the boardroom favoring safety performance means more than just reviewing the injury and illness statistics at each meeting or appearing once a year at an operating site. It means paying attention to safety, requiring accountability, and expecting improved performance, without always looking to place blame. It's this kind of attitude that will make possible the improvement of leading safety indicators and the delivery of incremental safety and organizational value.

The safety tone is set at the top, primarily by the care and astuteness of board-level listening both to the safety outcomes of the organization and to the upward communication from operating management about the safety climate. While organizational culture may take years to change, our experience suggests that effective listening and caring about workplace safety and health almost immediately alters the safety climate and sets the tone for hazard avoidance.

What does management need from the board to achieve safety objectives?

While attention may seem an obvious answer to this question, many other answers are both possible and more effective in improving workplace safety and health performance. These include:
• Clear processes for periodic review of safety and health outcomes at the board level
• Direct access for the senior safety officer to the members of the board, akin to the relationship of the outside auditor to the board's audit committee
• Inclusion of both leading and lagging safety and health indicators in the board's periodic review of key performance indicators of the organization
• Inclusion of safety and health results, both leading and lagging, in the performance management system for the most senior officers of the company
• Affirmation of leading and lagging workplace safety and health goals and targets at the board level, akin to the board's consideration and ratification of strategic initiatives.

What is essential here is a dialogue between senior leadership and the board so that a fully actionable view of the question can be formulated.

Who is driving safety in the company?

This question begs for both a "team" answer and a "chain of command" answer. But the answer is that neither is exclusively the driver. Safety requires an exchange of information among peers to reveal the full iceberg of hazards. Nonetheless, the board is the principal agent for the company's owners, and the management serves as agents of the board. So, no team organization can overcome the principal-agent chain of command whereby the fiduciary responsibility of the board is exercised effectively (or not) by the directors on behalf of the owners.

However, the location of decision-making power between the boardroom level and the shop floor differs radically from organization to organization. That means the real answer to "Who is driving safety?" may differ from one company to another. But the chain of command governing safety is only as strong as its weakest link. Each level of the organization, from the boardroom to the shop floor, must have a tangible role in the organizational mechanisms that assure the minimization of exposures to hazard.

What matters most is that the decision-making process governing safety policies, practices, standards, monitoring, and accountability results in tangible steps that can be observed, verified, and modified as the organization learns how to optimize its own safety performance.

How are we protecting our people from safety and health risks originating outside the workplace?

Off-the-job injuries and absenteeism cost companies billions of dollars each year. Beyond routine off-the-job injuries and illness, roughly every decade a new "X factor," such as a potential flu pandemic, seems to come into play, threatening the optimization of a company's human resources. Even the threat of terrorist attacks takes its toll on a company's effectiveness as workers avoid the workplace or are less attentive to work.

In many companies injuries and illnesses that originate during off-duty hours exceed the total cost of on-the-job injuries or illnesses. Directors should be asking how the company is addressing these safety and health exposures. Is it advocating safe driving and seatbelt usage, as well as safe practices around home improvement jobs or other activities that may cause its workers to miss work or be less attentive while there, and increase health care costs? In our experience, the frequency and severity of off-the-job injuries or illnesses go down as the organization's safety climate and organizational culture improve.

Today, the Avian Flu, HIV/AIDS, and threats of terrorist attacks may be seemingly uncontrollable risks for global firms. Terrorism is now a global threat designed in part to disrupt normal business and economic activity. In the past, outbreaks of Legionnaires' Disease in the US, and globally, smallpox and malaria, have posed difficult problems and placed stress on the organization. Directors should be asking what anticipatory planning is being done and how the leadership of the organization might respond to such threats.

Are our employees aligned with the board, CEO and other leaders in our ongoing commitment to safety and how are we assuring maximum employee engagement?

Organizations that achieve safety and health excellence find ways to engage employees throughout the organization. True employee engagement creates personal commitment and accountability, and accountability is critical in improving safety and creating a performance-oriented culture. This is equally true whether a workplace is organized or not.

Engaging employees means more than putting up posters or having safety contests. Most employees have a natural interest in their own safety and the safety of others, and are open to becoming engaged. But actually engaging them requires an organizational culture that values safety highly, as well as leaders who express the value consistently in the things they say, the beliefs they hold, and the decisions they make every day. Directors should ask to what extent employees are engaged in safety improvement, how that engagement can be measured, and what steps are underway to improve it.

What kinds of cognitive bias may be affecting the quality of deliberations on environment, health and safety among our senior leaders, including our own board members?

A rich literature suggests that even the most thoughtful leader is subject to a variety of cognitive biases, habitual and largely unconscious ways of estimating the likelihood of uncertain future events. Such biases often cause wrong decisions. The most visible recent example of this process is the failure of the space shuttle Columbia. The accident investigation panel found that NASA knew the properties of foam and the hazard that it represented. However, the organization gradually became accustomed to the acceptability of the risk of foam loss and began to rely on its experience of successful missions rather than its knowledge of the actual risk. A culture developed that allowed this risk to exist in spite of the fact that it was known. This is one example of a bias in judgment that had catastrophic consequences for the nation. The director must ask: Where are we subject to bias in the way we evaluate risk and predict the probability of uncertain future events?

Just asking these 12 questions at regular board meetings and at meetings of the board's environment, safety and health committee will engender a safety climate that may over time lead an organization to a zero-tolerance culture for worker injuries and illnesses. At a minimum, they help the board in assuring its own diligence in the oversight of safety risks and threats, all of which erode the ability of a company to deliver great results.

Tom Krause is the chairman of the board and cofounder of Behavioral Science Technology, Inc., (BST) in Ojai, California. John Balkcom is an independent director of Aleris International, Inc. (NYSE: ARS). John Henshaw is the former Assistant Secretary of Labor for Occupational Safety and Health.

Surprises in CEO Succession
By Daniel Fairley, J.D. and David A. Bjork, Ph.D.
One of the biggest disasters that can affect any business is a disability affecting the CEO.

No one had even thought about the possibility of partial disability when they developed a succession plan for the CEO. So when CEO Andy Brody recovered from a stroke but didn't hit his stride again, the board needed to figure out what to do. It wasn't clear that Andy was disabled, so he probably couldn't qualify for disability insurance. And the opportunity for an important joint venture meant that the board needed to step into the breach. While it didn't work out quite the way it was meant to when the plan was developed, a good succession plan helped.

Western HealthCare was a $1 billion business, with the lives of thousands of patients and the livelihoods of 5,000 employees and 800 physicians at stake. The crisis came at a difficult time for one of the biggest health systems in the West.

The 55-year-old CEO of Western HealthCare didn't seem focused on getting the deals done. The system had an opportunity to forge a closer relationship with the local medical school. It was negotiating a merger with the largest multi-specialty group practice in the area. And it was developing a new heart hospital with its cardiologists.

The board didn't know what to do. It wasn't ready to fire Andy; it couldn't even agree whether his lack of focus was a lingering effect of the stroke. Some directors thought he was getting better and wanted to wait to see if he returned to normal. Others felt that they couldn't afford to wait, given the urgent need to settle the three impending deals.

Andy couldn't see that there was a problem. He didn't think he was still suffering from the stroke. He'd come back to work several months ago and thought he was handling everything fine. And he'd just gotten a vote of confidence from the board when they extended his contract for another three years.

Difficult Decisions

There was a succession plan in place, but the board was having difficulty making a decision. The plan called for naming 42-year-old COO Sue Jensen the interim CEO, at least, if not actually giving her the job on a permanent basis. She had 5 years' experience as COO and was well regarded by the board and, for the most part, the medical staff. Andy had been increasing her responsibilities steadily over the years and had been giving her opportunities to develop her leadership skills for as long as they had been working together.

The difficulty was figuring out whether or when to pull the trigger. The board suspected Andy wouldn't qualify for disability insurance, and felt it wasn't fair to terminate him without adequate income, given his stellar record leading the system for 15 years. Under Andy's leadership, the system's hospitals had won numerous awards and become one of the largest and most-respected health systems in the country. The severance policy would cover three years, but there would be a gap of four years before his SERP would begin paying retirement benefits.

The board hired outside experts to help identify alternatives and decide how to proceed. Consultants interviewed board members and Andy. They found that Andy wasn't willing to file a claim for disability or publicly admit that anything was wrong. The board had five choices: do nothing, wait and see, get Sue to quietly take on more responsibility, get board leaders to take on more responsibility, or make a change then and there.

Transition Time

The board settled on a combination of the last three. It asked Sue to take on much of the CEO's leadership responsibility; several directors agreed to take over negotiations with the medical school and the physicians; and it began to work out the details of a transition plan with Andy.

The board wasn't ready to appoint Sue as the next CEO because it couldn't yet announce Andy's resignation. And it decided that it would be best to look at other candidates as well, so that if and when it chose Sue, it would be because she was clearly the best qualified candidate for the position. Recognizing that the hospital couldn't afford to lose Sue at the same time as Andy, it gave her a retention agreement that paid a large reward if she stayed in place for two years and a larger reward if she were not formally named the next CEO.

Over the next few months, the board worked out the details of a transitional arrangement with Andy, which would maintain a reasonable income for him until age 62, when his SERP would begin to pay retirement benefits. It agreed to allow Andy to resign to pursue other opportunities, without acknowledging any disability.

Once this agreement was made, Andy resigned, Sue was named interim CEO, and the board hired a search firm. The search yielded four external candidates, each of whom had already been CEO of a large health system. Much as the board liked, respected, and trusted Sue, it decided to hire one of the external candidates instead, mostly due to his substantial prior experience as CEO, but partly because Sue had had to make some changes within the system that alienated a significant number of faculty physicians. Hiring this new CEO from outside would give the system a fresh start in rebuilding relationships with the medical school, the cardiologists, and the multi-specialty group.
Retention Issues
Because Sue had already been
managing all operations and was
deeply involved in maintaining
relationships with the medical school
and the medical staff, she was
ready and able to take on additional
leadership responsibilities and
managed to keep everything on a
steady keel during the time between
Andys departure and the new CEOs
arrival. At the same time, directors
kept negotiations with the medical
school and the multi-specialty group
moving ahead, and Sue handled
negotiations with the cardiologists.
The new CEO, David Gonzalez, finally
arrived 12 months later, 18 months
after this transition process began, and
24 months after the stroke that set it
all in motion. Sue stayed another six
months, until the retention agreement
was fulfilled, when she left for
another CEO position.
It took an additional 12 months to
work out the deal with the medical
school, and six more with the multi-
specialty group, but the agreement
with the cardiologists was settled
more quickly. The leaders of the
board had to stay involved in the
negotiations with the medical school
to maintain continuity, but also
because the new CEO hadn't yet had
time to develop credibility with the
dean and faculty.
Because Sue managed to keep the
business running smoothly over
the 30-month period, the crisis
precipitated by Andy's stroke did
not cause any serious disruptions.
Because directors were willing to
devote the time needed to negotiate
the details of the agreements with
its most important partners, they
managed to move the hospital into
a stronger position. And because
the board was able to offer Andy a
generous settlement that allowed
him to maintain much of his income
without working, as well as lifetime
health care benefits, the transition
occurred with almost no publicity for
the institution or for Andy.
While the succession plan didn't
work out exactly as expected when
it was developed, the existence
of the plan made it significantly
easier for the board to move ahead.
Taking time to consider alternatives,
choose the best option, and then
develop a plan and timetable for the
transition helped Western HealthCare
proceed with business more or
less on schedule. And while it took
longer and was more expensive than
anticipated to find and hire the new
CEO, the board was satisfied that it
had handled this crisis as well as it
could have given the circumstances.
David Bjork is a managing director in charge of the Cash
Compensation Division for Clark Consulting Healthcare
Group. Dr. Bjork leads the Healthcare Group's team of cash
compensation consultants, which helps clients develop
performance-based compensation programs and advises
boards on governance of executive compensation. His
projects include developing reward programs, refining
performance measures, and helping boards govern
executive compensation. He has published a number of
articles and book chapters on executive compensation
in the health care industry. Dr. Bjork earned an A.B. at
Harvard, an M.B.A. in finance at the University of Chicago,
and a Ph.D. from the University of California at Berkeley.
Before joining the Healthcare Group, he was a consultant
with the Hay Group for 1 years and, before that, taught at
the University of California and the University of Chicago.

Dan Fairley is a senior vice president of Clark Consulting
Healthcare Group. He specializes in leadership transition
planning and executive compensation. Fairley's
distinguished career has emphasized health system
development; acquisition strategy/implementation;
and health care contract negotiations. Before joining
Clark Consulting Healthcare Group, he was senior vice
president of the Memorial Health System and President
of Healthcare Network Associates in Springfield, Illinois.
Earlier in his career, Fairley was a vice president of the
ServiceMaster Company LP. He also saw prior service as
a vice president and assistant general counsel for VHA,
Inc. and VHA Supply Company, Inc. Fairley served as legal
counsel and as a business development officer. Fairley
holds a bachelor's degree and a Juris Doctor degree from
Indiana University.
(continued from page 16)
the environmental arena. Security
compliance, like environmental
compliance, should include oversight
by a committee of the board, board
review and audits of security matters,
and direct reporting from the chief
security officer to the CEO.
Terror warnings and color codes
will remain a fact of life for the
indefinite future. In an effort to
do its part, the government will
continue to look to the private
sector not only to secure its own
assets but to show judgment
and leadership. Robust business
continuity planning may not be a
total deterrent, but it is a step
toward better protection of the
interests of the corporation, and the
larger public good.
Alston & Bird partner Joe D. Whitley was appointed
by the President as the first General Counsel to the
United States Department of Homeland Security
(DHS), the highest ranking legal official in the
department. He held that position for two years
before his departure and return to private practice.
Previously he had led Alston & Bird's white-collar and
government investigations practice.

At DHS Whitley oversaw approximately 1,500
lawyers and 400 support staff from numerous
agencies, including the Secret Service, the Coast
Guard, Border and Transportation Security, the
Transportation Security Administration, Information
Analysis and Infrastructure Protection, and
Emergency Preparedness and Response (FEMA).

Whitley previously had an extensive career in
the Department of Justice, serving as the Acting
Associate Attorney General, the third-ranking
position in the Department of Justice, in the George
H.W. Bush administration. He was appointed by
Presidents Reagan and Bush, respectively, to serve
as U.S. Attorney in the Middle and Northern Federal
Districts of Georgia. At the time of his appointment
he was one of the youngest persons ever to be
appointed U.S. Attorney and the only person to ever
serve as a Senate-confirmed U.S. Attorney for two
separate jurisdictions. Throughout his career Whitley
served under five United States Attorneys General.

Whitley received his J.D. and his undergraduate
degrees from the University of Georgia.
(continued from page 13)
Loss of key personnel, through death or resignation
Loss of high-value customers
Business partner failures
Denial of service (DoS) attacks
Theft or unauthorized disclosure of customer data
Work stoppages, and
Theft or loss of mobile computing devices
As in the case of non-IT assets, the
business continuity plan should
address these lesser incidents and,
in the process, provide a real return on
business continuity investment.
Is the business continuity plan integrated with other emergency management plans?
A business continuity plan is
only part of an overall emergency
response protocol. To avoid
redundancy, eliminate confusion,
and expedite recovery, the business
continuity plan should be consistent
with, and developed with full
knowledge of, all other emergency
plans. These plans include:
Evacuation
Shelter-in-place
Emergency medical, and
Crisis management
Does the business continuity plan enjoy the support of senior management?
For everyone but the business
continuity planner, business
continuity is a lesser priority, often
viewed as an expensive distraction.
Under these circumstances, it's
important (make that, essential)
that company executives and senior
managers promote both the concept
of business continuity, and all efforts
aimed at developing, maintaining,
testing, and auditing the company's
business continuity plan.
Are copies of the business continuity plan readily accessible?
All company managers and senior
staff should have a current copy of
the business continuity plan, both
at work and at home. In addition,
the Program Management Office
(PMO) should accept responsibility
for distributing plan updates as they
become available.
Ted Brown, CBCP, is president & CEO of
KETCHConsulting. As IBM's first Business Recovery
Services sales executive, Brown led Business
Recovery Services growth from zero revenues in
1989 to $500 million in 1998. Brown is the author
of the acclaimed white paper, "How to Negotiate
a Hot Site Agreement." In 00, he was elected to
the Contingency Planning & Management Hall
of Fame, along with former New York City mayor
Rudy Giuliani. Most recently, Brown formed his
own consulting firm, KETCHConsulting, specializing
in business continuity planning and education. A
graduate of Penn State University, Brown resides
with his family in northeastern Pennsylvania. He
can be reached at tedbrown@ketchconsulting.com
In case you missed the memo, paper documents still account for a sizable portion of a company's vital records.
One revealing test is to determine if the plan can be executed by non-experts.