Business Continuity Planning — It’s the Law!

Many businesses are required by law to have Disaster Recovery and Business Continuity Plans. Is yours one of them?

Business Continuity Planning Laws - Dynamic QuestFor some businesses, disaster planning is low on their list of priorities. But for many others, establishing a contingency plan is anything but optional. Critical organizations (especially those in health care, financial, and government sectors) are often required by law to be able to weather any storm with their operations and data intact — or else face steep penalties from federal, state, or local governments.

The problem is, some business professionals are not fully aware of the laws and regulations that require them to go further in establishing a viable and actionable Disaster Recovery (DR) and Business Continuity Plan (BCP).

To keep your business safe (and out of the legal penalty box), you should take the time to discover if there are business continuity regulations that mandate your company’s compliance with advanced disaster planning. That way, in the face of disaster you’ll not only be within full legal compliance, but you’ll be able to successfully protect your sensitive data and get back to work quickly serving consumers.

Health Care

Thanks to the Health Insurance Portability and Accountability Act (HIPAA), Disaster Recovery and Business Continuity planning strategies are mandatory for health care organizations and can carry steep penalties and fines for noncompliance.

First and foremost, health care organizations require a quickly actionable contingency plan for establishing and operating an emergency base of operations during a crisis. By arranging a stocked and functional backup facility ahead of time, health care organizations can continue to triage and treat patients during an emergency situation.

Additionally, because health care data is considered critical/sensitive information, health information systems and databases require advanced data management capabilities, including reliable backup and Disaster Recovery.

Functions of a BCP for health care organizations can include:

  • Establishing an Emergency Operations Center (EOC)
  • Developing crisis management, emergency notification, and media interaction guidelines
  • Maintaining a hard-copy of local backup strategies and key vendor information
  • Composing teams to handle recovery, logistics, and staffing
  • Establishing responsibilities and accountability during contingency operations


The financial sector also is beholden to regulatory agencies and governmental policies to ensure all that critical financial data is preserved and banking centers can remain active in a crisis. Much of the focus on financial sector contingency planning focuses on retention of data across the entire system.

The Financial Industry Regulatory Authority (FINRA) mandates that all financial institutions be covered by a clear and actionable BCP that adequately meets the needs of their organization. While the specifics may vary from company to company, they all must include reasonable provisions for the following elements:

  • Data backup and recovery (hard copy and electronic)
  • All mission critical systems
  • Financial and operational assessments
  • Alternate communications between customers and the firm, and between the firm and employees
  • Alternate physical location of employees
  • Critical business constituent, bank, and counterparty impact
  • Regulatory reporting
  • Communications with regulators
  • How the firm will assure customers’ prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business

Additionally, there are a number of policies and regulations that apply to financial centers’ disaster planning, including:

The Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, 2003, which requires BCPs to be regularly upgraded and tested.

The Federal Financial Institutions Examination Council (FFIEC) Handbook, 2003-2004 (Chapter 10), which specifies that directors and managers are accountable for organization-wide contingency planning and for the “timely resumption of operations in the event of a disaster.”

The Expedited Funds Availability (EFA) Act, 1989, which requires that federally chartered financial institutions have a demonstrable BCP to ensure prompt availability of funds.

The Basel II, Basel Committee on Banking Supervision, Sound Practices for Management and Supervision, 2003, which requires that banks put in place Disaster Recovery (DR) and Business Continuity Plans (BCP) to ensure continuous operation and to limit losses.


In case of a crisis, government centers and operations mandate contingency plans to keep them open and operational in a crisis.

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Contingency Planning Guide for Information Technology Systems, June 2002 gives specific requirements for governmental Business Continuity Planning, including:

  • Contingency planning policy and procedures
  • Contingency plan
  • Contingency training
  • Contingency plan testing
  • Contingency plan update

Additionally, the Federal Information Security Act (FISMA) of 2002, Title III of the E-Government Act of 2002 (PL 107-347, 17 December 2002) and the Executive Order on Critical Infrastructure Protection in the Information Age, 16 October 2001 both emphasize the need for governments to maintain Business Continuity Plans (BCP) and Disaster Recovery (DR) without specifying how it should be done. While local governments are able to make their own decisions regarding these plans, they are required to continue operating during a crisis.

The COOP and Continuity of Government (COG). Federal Preparedness Circular 69, 26 July 1999 establishes minimum planning considerations for federal government operations.

In each of these cases, we observe the emphasis that regulatory bodies and governments place on making sure that critical industries maintain up-to-date and thorough business contingency plans. But in many cases, the specifics of these plans are left up to a managers’ discretion for what is appropriate!

This is why it is imperative that you consult with a business continuity and disaster recovery professional. By starting with a thorough evaluation of your organization’s specific needs, challenges and areas of focus, we can help you discover the best way to prepare for a crisis and stay not he right side of the law.

Want to know more about Business Continuity Planning Strategies?

Our Vendors