2005 Montague Technology Management, Inc. All Rights Reserved.

Montague Technology Management, Inc.

Business Continuity for Small and Medium-Size Enterprises: Issues and Answers
...and a short brief on Sarbanes-Oxley

Kathleen A. Lucey
[email protected]
tel: 516-676-9234

Mar 26, 2015

Sarbanes-Oxley, briefly

Internal controls on financial reporting: Section 404

SOX pertains only to public companies, but...
Oriented to results and objectives, not a checklist to follow.
“Reasonable Man” theory
PCAOB (Public Company Accounting Oversight Board) responsible for “auditing the auditors”
Applicability: annual financial statements of public companies with fiscal years ending Nov. 15, 2004 or later.

Sarbanes-Oxley, briefly

Compliance with Section 404 reporting requirements: internal controls on financial reporting

No one yet knows exactly what compliance means
PCAOB clarification of Auditing Standard 2: Audit of Internal Controls over Financial Reporting
Temporary Rule for #2 in effect through July 15, 2005
SEC Announcement of Roundtable for April 2005
SEC will also accept comments on 404 experience for posting on website

Section 404 Objectives

“maintain effective internal control over financial reporting means that no material weaknesses exist...”

“obtain reasonable assurance that no such material weaknesses exist...”

Significant deficiency or material weakness exists if there is: “more than a remote likelihood that a financial statement misstatement more than inconsequential will NOT be prevented or detected.”

Remote is defined to mean “chance of future event occurring is slight.”

Players

Senior Executives and Board members
Audit Committee, internal Auditors
External Auditors
Lawyers: Sections 307 and 404 - Gatekeepers

First reported use of SOX Section 307 on Dec. 12, 2004: Law firm informs Board of TV/Azteca and does a “noisy withdrawal”. Stock drops 9%. Law firm loses client. NY Times article.

General Counsel SEC prosecutions:
» Stanley Silverstein, Warnaco
» Jonathan Orlick, Gemstar-TV Guide
» Leonard Goldner, Symbol Technologies

Google Case

January 13, 2005: SEC charges Google failed to register $80 million in stock options awarded over 2 years prior to IPO.

SEC charges David Drummond, Google General Counsel: failed to properly advise Board of registration requirements.

“Attorneys who undertake action on behalf of their company are no less accountable than any other corporate officers. By deciding Google could escape its disclosure requirements, and failing to inform the Board of the legal risks of his determination, Drummond caused the company to run afoul of the federal securities laws.”

---Helane Morrison, SEC District Administrator

Outside Counsel

Outside Counsel SEC prosecutions:
» More than half of cases in last two years
» As gatekeepers, lawyers are scrutinized.

SEC is “actively” looking to enforce actions against lawyers who “assist in cover-ups, fraud, and misleading disclosures, or obstruction of internal investigations.”

“The SEC is very urgently looking for lawyers to make examples of.”

–William Sherma, Morrison & Foerster, Palo Alto, CA

References

SEC Roundtable: www.sec.gov/news/press/2005-13.htm

PCAOB clarification on Auditing Standard No. 1: www.sec.gov/rule/pcaob/34-49528.htm

PCAOB clarification on Auditing Standard No. 2: www.sec.gov/rules/pcaob/34-49544.htm

Speech by Stephen M. Cutler, Director of SEC Division of Enforcement, September 20, 2004: “The Themes of Sarbanes-Oxley as Reflected in the Commission’s Enforcement Program.” www.sec.gov/news/speech/spch092004.smc.htm

Bobelian, Michael: GCs in the Crosshairs, New York Law Journal, 02-09-05.

AND NOW FOR SOMETHING COMPLETELY DIFFERENT:

BUSINESS CONTINUITY (BC)

AT SMALL AND MEDIUM SIZE ENTERPRISES (SME’S)

the other kind of SME (subject matter expert)...

Wally the consultant

Status

CONTINUITY AT SMALL AND MEDIUM-SIZE BUSINESSES IS CRITICAL

SME’s are the job-generation engines of the economy

SME’s represent more than half the value of the economy.

Considerably greater awareness and concern...but not a lot of action. Why?

Traditional techniques are designed for large, regulated corporations and government agencies.

Need tools specifically designed for SME’s.

Corporate Methodology vs. SME Needs

Corporate / Government:
BIA – Business Impact Analysis.
Planning target: “Worst-case generic scenario”
Continuity Plan used only in case of very severe events (fire, bombing, etc.)
Still is heavily oriented to Information Technology Recovery.
Expensive to develop and to maintain

SME’s across all Sectors:
Informal identification of all activities and their risks.
Planning target: scenario classes for all interruptions.
Continuity capability used for ALL interruptions.
Incorporates avoidance as well as recovery.
Focuses on business priorities.
Provides visible benefits throughout gradual development.

START WITH THE PROPER EVENT

DNA: Definition, Notification, Action

Where are MOST of the Continuity Challenges ??

CONTINUITY ISSUES

Catastrophic Interruptions

Minor Interruptions

Everyday Blips

Process Dysfunctions

SOLUTIONS

Continuity

Availability

Reliability

Engineering

Core Business Value Chain

Processes

What is DNA?

Definition of all interruptions into scenario classes.

Notification and communication activities required for various kinds of scenario classes.

Actions and Programs for avoidance, mitigation, and recovery.

Lack of Correct Definition can cause emergency response tragedies:

Regional Blackout of August 14, 2003
Three Mile Island
9/11

Notification and Communication tools and strategies must be:

Carefully designed for feasibility

Understood and rehearsed

Cover both initial interruption logistics management and continuing communications needs.

Actions and Programs Implemented

Additive: chosen to cover the least severe (most probable) scenarios first.

Include avoidance and mitigation programs to lower the number of interruptions.

Provide measurable and visible benefits during all phases of development.

Jump-starting the Process for SME’s

FIRST STEPS: 1

Define Interruption Scenario Classes:

Internal and External

Interruption Scenario Classes

EXTERNAL SCENARIOS

Classes: 1 - minor (a and b) to 5 - catastrophic

External scenario characteristics:
Day / time (workday hours, non-working hours)
Geographic scope
Length of time
Premises infrastructure services impact
Firm premises damage
Injuries to firm personnel
Effect on workplace

External Scenario Classes

DURATION OF INTERRUPTION BY CLASS

Class              Length of Interruption
1: Minor           less than 1 day
2: Significant     1-3 days
3: Serious         3-5 days
4: Very serious    5-10 days
5: Catastrophic    10 or more days

Internal Scenario Classes

Specific to each firm and each site. For example:

Class   Description
A       Local equipment failure
B       Local Access Control System failure
C       Local network outage
D       Workplace violence
E       Supplier outage
F       Central site network outage
G       Key staff succession planning
H       Negative PR incident

Jump-starting the Process

FIRST STEPS: 2

Design Strategies and Tools by Scenario Class:

Additive continuity components and interruption avoidance / mitigation measures.

Jump-starting the Process

FIRST STEPS: 3

Gap Analysis: The firm’s current capability vs. the recommended set of continuity components and avoidance / mitigation measures, by scenario class.

= list of projects

Jump-starting the Process

FIRST STEPS: 4.

Project Plan: Timeline and cost estimates to move forward using reasonable criteria:

Probability of event.
Impact of event on people and operations.
Support baseline interruption logistics.
Business process priority.
Cost and ease of implementation.

Spotlight Benefits

Spread development costs over time by beginning first with the baseline strategies and tools necessary for all interruption scenarios, covering minor interruptions first and building to catastrophic scenarios step-by-step as warranted.

Demonstrate clearly the benefits of each tool as it is implemented: avoid analysis paralysis and the eternal perfection of development.

Move to implement the avoidance and mitigation measures for those scenarios with the greatest probability and greatest impact.

Make It Visible

Ensure that the benefits from each continuity tool or strategy are clearly understood by the firm’s partners or owners:

visible

measurable

“present-able.”

If the owners don’t see the benefits, there aren’t any!

Kathleen Lucey
President, Montague Technology Management
516-676-9234, [email protected]

Questions???