2005 Montague Technology Management, Inc. All Rights Reserved. Montague Technology Management, Inc.
Business Continuity for Small and Medium-Size Enterprises: Issues and Answers
...and a short brief on Sarbanes-Oxley
Kathleen A. Lucey, [email protected], tel: 516-676-9234
Sarbanes-Oxley, briefly
Internal controls on financial reporting: Section 404
SOX pertains only to public companies, but...
Oriented to results and objectives, not a checklist to follow.
"Reasonable Man" theory.
PCAOB (Public Company Accounting Oversight Board) responsible for "auditing the auditors."
Applicability: annual financial statements of public companies with fiscal years ending Nov. 15, 2004 or later.
Sarbanes-Oxley, briefly
Compliance with Section 404 reporting requirements: internal controls on financial reporting
No one yet knows exactly what compliance means.
PCAOB clarification of Auditing Standard 2: Audit of Internal Controls over Financial Reporting.
Temporary Rule for Auditing Standard 2 in effect through July 15, 2005.
SEC announcement of a Roundtable for April 2005.
SEC will also accept comments on Section 404 experience for posting on its website.
Section 404 Objectives
“maintain effective internal control over financial reporting means that no material weaknesses exist...”
“obtain reasonable assurance that no such material weaknesses exist...”
Significant deficiency or material weakness exists if there is: “more than a remote likelihood that a financial statement misstatement more than inconsequential will NOT be prevented or detected.”
Remote is defined to mean “chance of future event occurring is slight.”
Players
Senior Executives and Board members
Audit Committee, Internal Auditors
External Auditors
Lawyers: Sections 307 and 404 - Gatekeepers
First reported use of SOX Section 307 on Dec. 12, 2004: a law firm informs the Board of TV Azteca and makes a "noisy withdrawal." Stock drops 9%. Law firm loses the client. Reported in a NY Times article.
General Counsel SEC prosecutions:
» Stanley Silverstein, Warnaco
» Jonathan Orlick, Gemstar-TV Guide
» Leonard Goldner, Symbol Technologies
Google Case
January 13, 2005: SEC charges Google failed to register $80 million in stock options awarded over 2 years prior to IPO.
SEC charges David Drummond, Google General Counsel: failed to properly advise Board of registration requirements.
“Attorneys who undertake action on behalf of their company are no less accountable than any other corporate officers. By deciding Google could escape its disclosure requirements, and failing to inform the Board of the legal risks of his determination, Drummond caused the company to run afoul of the federal securities laws.”
- Helane Morrison, SEC District Administrator
Outside Counsel
Outside Counsel SEC prosecutions:
» More than half of cases in the last two years.
» As gatekeepers, lawyers are scrutinized.
SEC is “actively” looking to enforce actions against lawyers who “assist in cover-ups, fraud, and misleading disclosures, or obstruction of internal investigations.”
“The SEC is very urgently looking for lawyers to make examples of.”
- William Sherma, Morrison & Foerster, Palo Alto, CA
References
SEC Roundtable: www.sec.gov/news/press/2005-13.htm
PCAOB clarification on Auditing Standard No. 1: www.sec.gov/rule/pcaob/34-49528.htm
PCAOB clarification on Auditing Standard No. 2: www.sec.gov/rules/pcaob/34-49544.htm
Cutler, Stephen M., Director of SEC Division of Enforcement: "The Themes of Sarbanes-Oxley as Reflected in the Commission's Enforcement Program," speech, September 20, 2004. www.sec.gov/news/speech/spch092004.smc.htm
Bobelian, Michael: "GCs in the Crosshairs," New York Law Journal, 02-09-05.
AND NOW FOR SOMETHING COMPLETELY DIFFERENT:
BUSINESS CONTINUITY (BC)
AT SMALL AND MEDIUM SIZE ENTERPRISES (SME’S)
the other kind of SME (subject matter expert)...
Wally the consultant
Status
CONTINUITY AT SMALL AND MEDIUM-SIZE BUSINESSES IS CRITICAL
SME’s are the job-generation engines of the economy
SME’s represent more than half the value of the economy.
Considerably greater awareness and concern...but not a lot of action. Why?
Traditional techniques are designed for large, regulated corporations and government agencies.
Need tools specifically designed for SME’s.
Corporate Methodology vs. SME Needs

Corporate / Government:
BIA - Business Impact Analysis.
Planning target: "worst-case generic scenario."
Continuity Plan used only in case of very severe events (fire, bombing, etc.).
Still heavily oriented to Information Technology recovery.
Expensive to develop and to maintain.

SME's across all Sectors:
Informal identification of all activities and their risks.
Planning target: scenario classes for all interruptions.
Continuity capability used for ALL interruptions.
Incorporates avoidance as well as recovery; focuses on business priorities.
Provides visible benefits throughout gradual development.
START WITH THE PROPER EVENT: DNA
Definition, Notification, Action

What is DNA?
Definition of all interruptions into scenario classes.
Notification and communication activities required for the various kinds of scenario classes.
Actions and Programs for avoidance, mitigation, and recovery.
Lack of correct Definition can cause emergency response tragedies:
Regional Blackout of August 14, 2003
Three Mile Island
9/11
Notification and Communication tools and strategies must be:
Carefully designed for feasibility
Understood and rehearsed
Cover both initial interruption logistics management and continuing communications needs.
Actions and Programs Implemented
Additive: chosen to cover the least severe (most probable) scenarios first.
Include avoidance and mitigation programs to lower the number of interruptions.
Provide measurable and visible benefits during all phases of development.
Jump-starting the Process for SME’s
FIRST STEPS: 1
Define Interruption Scenario Classes:
Internal and External
Interruption Scenario Classes
EXTERNAL SCENARIOS
Classes: 1 - minor (a and b) to 5 - catastrophic
External scenario characteristics:
Day / time (workday hours, non-working hours)
Geographic scope
Length of time
Premises infrastructure services impact
Firm premises damage
Injuries to firm personnel
Effect on workplace
External Scenario Classes
DURATION OF INTERRUPTION BY CLASS
Class | Length of Interruption
1: Minor | less than 1 day
2: Significant | 1-3 days
3: Serious | 3-5 days
4: Very serious | 5-10 days
5: Catastrophic | 10 or more days
Internal Scenario Classes
Specific to each firm and each site. For example:
Class | Description
A | Local equipment failure
B | Local Access Control System failure
C | Local network outage
D | Workplace violence
E | Supplier outage
F | Central site network outage
G | Key staff succession planning
H | Negative PR incident
Jump-starting the Process
FIRST STEPS: 2
Design Strategies and Tools by Scenario Class:
Additive continuity components and interruption avoidance / mitigation measures.
Jump-starting the Process
FIRST STEPS: 3
Gap Analysis: The firm’s current capability vs. the recommended set of continuity components and avoidance / mitigation measures, by scenario class.
= list of projects
Jump-starting the Process
FIRST STEPS: 4
Project Plan: timeline and cost estimates to move forward, using reasonable criteria:
Probability of the event.
Impact of the event on people and operations.
Support for baseline interruption logistics.
Business process priority.
Cost and ease of implementation.
Spotlight Benefits
Spread development costs over time by beginning with the baseline strategies and tools necessary for all interruption scenarios, covering minor interruptions first and building toward catastrophic scenarios step by step as warranted.
Demonstrate clearly the benefits of each tool as it is implemented: avoid analysis paralysis and the eternal perfection of development.
Move to implement the avoidance and mitigation measures for those scenarios with the greatest probability and greatest impact.
Make It Visible
Ensure that the benefits from each continuity tool or strategy are clearly understood by the firm’s partners or owners:
visible
measurable
“present-able.”
If the owners don’t see the benefits, there aren’t any!