11. February 2020

Broken beamers and more: shining a light on business continuity plans and compliance


Swiss politician and businesswoman Magdalena Martullo-Blocher once confronted her managers with a strange question: “What do you do when the beamer [projector] breaks down?” She was looking for creative solutions to a relatively minor problem, though this seemed to baffle her team when she asked the question.

She certainly wasn’t demanding a business continuity plan, which is on an altogether different scale compared to a broken projector.

When business continuity plans were first conceived back in the 1970s, they referred to the actions needed to keep an organisation functioning while it dealt with an unplanned event arising from an external cause such as a natural disaster.

In more recent years they’ve been put into action following terrorist attacks, such as by US banks in the aftermath of 9/11. These days they are more likely to be needed to address the fallout from a cyberattack or a similar IT or data catastrophe.

No business is risk-free

Even if corporate headquarters are far away from an earthquake zone and there’s no risk of a tsunami, nowhere is completely immune from some sort of major disaster or pandemic that presents business risks. An additional dimension confronts global businesses that may have operations or suppliers located in countries that are more exposed to natural disasters.

Having a business continuity plan that addresses specific local risks is therefore essential for some organisations.

The role of compliance officers in business continuity planning

Developing a business continuity plan and keeping it up to date, relevant and communicated to appropriate key staff will likely involve multiple business functions, managers and even board-level oversight.

At first sight, such plans may not appear to be relevant to the Compliance function. Dismissing them on that basis would be short-sighted for several reasons:

  1. The compliance function manages information relevant to the risk analysis needed in the development phase of the plan.
  2. Any applicable regulatory compliance issues need to be addressed explicitly in the plan.
  3. The plan should include a realistic assessment of potential compliance risks if operational processes have to be simplified to keep business running at a critical time. It should also cover how these risks can be mitigated or even whether in a time of crisis they become acceptable – at least for a while.
  4. All business continuity plans should be tested with simulations or exercises that assess the effectiveness of the plan.

These stress tests can also provide the compliance function with useful information that can help to prevent compliance failures in future. This information will also feed into other types of regular risk assessment.

Business continuity plans give life to an organisation's culture and ethics

The culture and ethics of a company are usually said to be reflected in senior management’s actions and commitments. An organisation’s business continuity plan is arguably another example of giving life to those values because it demonstrates the commitment to all stakeholders in a time of crisis.

So compliance needs to know what to do when the roof has fallen in and the lights are off, never mind the broken beamer.

An adapted version of this article appeared in German in the January edition of Recht relevant – für Compliance Officers, published by Schulthess.

Gemma Aiolfi

Senior Advisor, Legal and Compliance