Corporate governance: Threats forcing boards to take action

Among the resolutions filed by an increasingly activist shareholding community, none has yet centred on a company’s failure to address business continuity planning.

However, consultants and security experts believe it is only a matter of time before proxy votes are applied to corporate performance on business continuity.

Investors are scrutinising operations of companies in which they put their money. As growing numbers of terrorist attacks have hit corporations – such as the bombs exploding at the US owned Marriott Hotel in Jakarta or the HSBC bank headquarters in Istanbul – shareholders are becoming aware that company value is at risk if organisations fail to recover from such incidents.

And terrorism is not the only threat. The 2002 strike by dockers at US West Coast ports paralysed the transport of goods across the Pacific, leaving retailers and manufacturers short of goods and vital components.

“Shareholders have realised that, as a consequence of events like 9/11, the organisations in which they’ve invested may be vulnerable through factors that they can’t influence,” says Debbie Rosario, head of the business continuity practice at Compass Management Consultancy. “So they want to be sure those organisations are protected. The language they’re using may be different, but the underlying pressure is about protection – and that’s where business continuity comes in.”

As a result of this pressure, says Ms Rosario, companies’ end of year filings are starting to include references to “operational risk” and “protection of the business”.

However, it is not only shareholder pressure that has brought business continuity to the attention of the board of directors. The regulatory environment established in the wake of corporate scandals at companies such as Enron and WorldCom is also driving an awareness that securing data and assets is a governance issue. Most prominent are the Basel II regulatory framework – an overhaul of capital adequacy rules for banks – and the US Sarbanes-Oxley reforms of corporate governance that affect any company whose shares trade on US exchanges.

Legislation such as Sarbanes-Oxley is pushing companies to protect data necessary for such auditing. As a result, corporate boards have taken a greater interest in their IT security.

“Security is a huge part of Sarbanes-Oxley,” says John Bronjewski, client service director in the information management practice at Resources Global Professionals. “What has up till now been a very IT focused thing is now right in the face of the board and they’re understanding for the first time that business continuity planning is not only a technical issue – it affects every part of the organisation.”

Voluntary initiatives are also playing a role in raising awareness of business continuity as a governance issue. The Committee of Sponsoring Organisations, a voluntary body that strives to improve financial reporting through corporate governance, business ethics and internal controls, has broadened the Control Framework – a set of guidelines used by much of the corporate sector – to include business continuity.

“So there’s now an updated control model that’s influencing companies,” says Steve Mezzio, managing director in the governance and audit solutions practice at Resources Global Professionals. “And companies are looking to have a more holistic approach to this – it’s an enterprise risk view.”

As companies outsource more of their operations to third-party suppliers, companies are starting to demand evidence of business continuity planning as part of contract governance. Client companies now often request some sort of assurance that their business partners are putting in place policies that will secure their operations.

“What we’re certainly seeing is that risk management and business continuity are starting to appear in things like requests for information and requests for proposals,” says Ms Rosario. “So it’s starting to make its presence felt that way too.”

Yet another community that is putting pressure on companies to address business continuity is the insurance industry. Underwriters increasingly take business continuity plans into consideration. And well-planned measures to ensure there are no disruptions to the business can not only help companies manage risk better but will also contribute to lower insurance premiums.

“Insurance carriers want to know that, from a business interruption standpoint, an adequate amount of business continuity planning has been done,” says Gary Lynch, US practice leader of business continuity for Kroll, the business risk consultancy.

As it hits the radar screen of the board membership, business continuity is becoming more deeply entrenched in the corporate hierarchy, with many companies appointing chief security officers.

And with shareholders, insurers and regulators increasing pressure on companies to put in place continuity plans, the days when boards were happy simply to sign off on office evacuation plans are over.

END

Continuity Forum building resilience...

 

Creating Continuity ... Building Resilience ...

If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us HERE! or call on + 44 (0) 208 993 1599.