Define IT risks to the company to comply with new business continuity legislation

The board will be legally required to protect the business from known risks, says Marcus Hill

Is your board taking adequate measures to avoid risks to your company? Apparently not, according to a report released in 2004 by the Chartered Management Institute, which found that three out of four directors are putting their businesses at risk.

To compound matters, if IT directors continue to do this, they will be breaking the law if new legislation is introduced as planned in 2005.

The Operating and Financial Review, overseen by the Department of Trade & Industry, has stated that board members will be legally responsible for protecting their business from risks, such as environmental and health and safety dangers or irretrievable data loss. This legislation will affect all 1,290 UK quoted companies.

All board members of large companies will need to include in their annual report details of the risks facing the business and the steps that should be taken to reasonably protect against them. Failure to do so, or one of these risks becoming a reality, could mean the loss of licence to operate and, in some cases, imprisonment.

A business continuity plan is one of the obvious safeguards against disaster, but the Chartered Management Institute report, which questioned 461 institute members, found that less than 50% of all companies had one and, of those, only 57% tested it annually to make sure it works.

The fragmented nature of modern business - with many organisations working across multiple locations using different applications and devices - makes business continuity more of a challenge. Business continuity plans also need to be tested regularly and be adequately funded.

But business continuity is not the only issue that needs to be addressed by IT departments and their boards under the Operating and Financial Review.

The review will also require companies to disclose any threats to revenue-generating assets; declare the integrity of their supply chain and their customer data; say what their intellectual property rights are; and say what they are doing to safeguard them.

IT directors need to answer a wide range of questions, such as what steps they would take to maintain critical business and customer transactions in emergency or disaster situations; what the value of their business data is; and what would happen if that data is lost.

IT directors should be sure their department could manage continuity of business operations over multiple locations, functions, countries and activities.

Company boards ignore the risks faced by business at their peril. The challenge for IT directors is explaining how technology can ease the pain of compliance with yet another regulation.

Marcus Hill is business development director for corporate mid-market at BT Retail
