Business continuity in the finance and healthcare sectors

When it comes to business continuity (BC) in the banking/finance and healthcare sectors, the lessons to be learned from both sectors can be very valuable for those in other industries.

From business and operational views, the two sectors are clearly quite different. Both, however, are very sensitive to any kind of disruption that would impact their operations, their ability to help people and the vast amounts of data they require. Any operational disruption to critical banking systems or to hospital systems could negatively impact either institution, not only in terms of providing their primary services, but also their reputation in the community.

Regulations in the financial and healthcare sectors

Both sectors have regulations in place that address the need for business continuity. In the financial sector several are in place including, NASD 3510 and 3520, and NYSE Rule 446. Both 3510 and 446 describe the minimum BC processes for each institution, while 3520 specifies the need for emergency contact information. How these activities are implemented is up to the individual institution. There are others called banking circulars, which address emergency issues, but compliance with the above regulations is required by virtually all financial institutions in the U.S. The Federal Financial Institutions Examination Council (FFIEC) offers a BC planning handbook that is widely used in the financial sector.

Within the healthcare sector, The Joint Commission (formerly The Joint Commission for Accreditation of Healthcare Organizations) issues standards and guidelines for all kinds of healthcare entities. Failure to follow these standards, especially during a Joint Commission audit, could result in the institution losing its license. The Joint Commission standards for emergency management address business continuity in terms of continuity of operations, patient care and other critical functions.

At another level, financia...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Disaster recovery tips Mapping COBIT and ITIL to your IT disaster recovery process Creating a pandemic response for your disaster recovery plan Acquiring key personnel to maintain and update your disaster recovery plan How to prepare and plan for a pandemic disaster Disaster recovery plan basics: Updating and reviewing DR plans Metrics for measuring business continuity management performance IT disaster recovery and business continuity planning for non-catastrophic disasters Is your disaster recovery (DR) plan out of date? The pros and cons of network-based data replication The importance of workforce continuity in a disaster recovery plan Disaster Recovery Planning/Management Disaster recovery and business continuity podcasts Mapping COBIT and ITIL to your IT disaster recovery process Creating a pandemic response for your disaster recovery plan Acquiring key personnel to maintain and update your disaster recovery plan Exploring Microsoft Windows clustering and high-availability tools in disaster recovery How to prepare and plan for a pandemic disaster Disaster recovery plan basics: Updating and reviewing DR plans Disaster recovery news briefs: SteelEye supports disaster recovery and business continuity for Windows Server 2008 R2 Metrics for measuring business continuity management performance Iowa Health System uses 'cloud' for disaster recovery to survive flood Disaster Recovery Networking WAN clustering emerges to provide transparent failover between physical sites The pros and cons of network-based data replication Disaster recovery and business continuity articles and podcasts by DR expert Paul Kirvan VMWorld 2009: VMware and Cisco support distance VMotion Evaluating remote access in disaster recovery plans before a disaster strikes Network disaster recovery and business continuity technology tutorial Network access during the disaster recovery operations process Disaster recovery methods for virtual servers A sample disaster recovery network checklist procedure Top server virtualization myths in disaster recovery and business continuity

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

l firms need to be consistent with Sarbanes-Oxley (SOX) legislation, particularly as it applies to financial reporting. While SOX legislation does not specifically address business continuity by name, Sections 302 and 404 require the establishment of controls for the processing and reporting of financial data. Within these controls is where business continuity can be established -- as yet another control. Within the healthcare sector, Health Insurance Portability and Accountability Act (HIPAA) legislation addresses the protection of patient records, among other activities. This is where business continuity can play a key role.

Finally, both sectors need to be aware of Public Law 110-53, signed in 2007, and Title IX in particular. The law's original goal was to address unresolved issues identified in the 9/11 Commission Report. Title IX was added to address business continuity, primarily within the private sector. The law calls for voluntary certification of BC plans by approved third-party accreditation firms. Currently the Department of Homeland Security (DHS) is managing Title IX implementation, and is in the process of identifying one or more standards against which company BC plans can be assessed. While Title IX currently requires voluntary compliance with its specifications, in time this could become a mandatory requirement.

Value to other business sectors

Lessons learned from incidents affecting healthcare and finance industries include dealing with system outages, loss of data, network disruptions and human error. For example, when you visit a bank and the computers are down, you cannot transact business and the bank could lose a customer. Similarly, in a hospital, the loss or destruction of patient data, or the unplanned shutdown of a critical system in an emergency room, could result in lawsuits or other litigation. Other business sectors should examine these two industries -- and their recognition of business continuity and disaster recovery (DR) as essential activities -- as models for justification of a BC/DR program.

Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.

Do you have comments on this tip? Let us know. Please let others know how useful this tip was via the rating scale below.

Do you know a helpful storage tip, timesaver or workaround? Email the editors to talk about writing for SearchDisasterRecovery.com.