
Managing Disaster Recovery Controls


By Tom Johansmeyer
President and CEO
j-Knowledge

The fact that small businesses are struggling with Sarbanes-Oxley compliance is beyond doubt. The internal control standards required by Sarbanes-Oxley tend to be perceived as Draconian, eroding earnings and constricting small company growth efforts. The result is a significant tax on smaller businesses, which many are quite eager to overcome.

Sarbanes-Oxley has led to a trend in the small business market toward innovation. Small businesses are consuming innovative solutions to compliance problems aggressively in order to reduce the total cost of compliance. Technology has moved to the forefront of this effort, as smaller public companies are eager to transfer the burden of compliance to technology providers. This enables small companies, essentially, to buy controls instead of having to develop complex internal procedures.

Disaster recovery planning, a favorite examination point of outside auditors, represents a common weakness among smaller public companies. Disaster recovery planning tends to be expensive, and there is rarely a demonstrable, immediate return. Since small businesses need to choose their investments carefully, they often eschew disaster recovery planning in favor of growth initiatives.

When I encountered the ioSafe Disaster-Ready Drive, I learned that disaster recovery gaps can be remedied quickly and with little expense. The ioSafe Disaster-Ready Drive is a hard drive wrapped in a steel-reinforced, fire-resistant, water-resistant case. Small businesses can use this device for rapid and reliable data protection, and it represents a disaster recovery plan in itself. Consequently, smaller businesses can satisfy their auditors with little expenditure while adopting the measures necessary to ensure business continuity.

Small Businesses Are Different
Sarbanes-Oxley does not discriminate between small and large publicly traded companies. All public companies with equity market capitalizations over US$75 million are required to comply with the Act. Smaller businesses, as a result, are compelled to enact the same internal control measures, pursuant to Section 404, as their larger counterparts. While larger companies have the internal expertise and financial resources to attain compliance, small businesses struggle.

The cost of compliance is high, with larger companies spending an average of US$4.36 million on Sarbanes-Oxley initiatives. While the cost to smaller companies is likely to be substantially lower, the proportionate impact may significantly exceed that of larger organizations. Even a compliance price tag of US$250,000 can discourage a smaller business from hiring key employees or cause it to delay a vital marketing campaign in order to comply with the Act.

Because of the cost of compliance relative to earnings (and gross revenues), small public companies are drawn to low-cost innovative solutions. Such solutions allow small businesses to do more with less. The use of technology that is optimized for Sarbanes-Oxley compliance often requires a company to divert fewer resources (human and financial) to compliance efforts, initially and on an ongoing basis. The reduced costs inherent in this approach enable smaller companies to continue to invest in growth and develop shareholder value.

Disaster recovery exemplifies the need for innovative control solutions. Universally, disaster recovery planning is perceived as a complex, expensive endeavor directed at situations that, by definition, are unlikely to occur. Smaller businesses tend to accept the risk of disaster, or limit their disaster recovery efforts to superficial measures, in order to allocate their resources to growth initiatives.

Since disaster recovery is on most auditor checklists, smaller public companies are being compelled to invest more heavily in disaster recovery planning. Not doing so can force them from stock exchanges, ultimately damaging their liquidity. It appears to be a no-win situation; both noncompliance and compliance can lead to the destruction of some shareholder value. As a result, smaller companies have to manage compliance efforts in a way that controls expenses while meeting auditor requirements.

Ascertaining Disaster Recovery Needs
In order to satisfy their outside auditors, small public companies need to implement sufficient disaster recovery measures. In doing so, they need to keep these measures as unobtrusive as possible in order to satisfy shareholders. Smaller companies consequently have to balance their obligations to comply with their commitments to equity participants.

The easiest way to balance these competing commitments is to understand clearly the disaster recovery measures required to satisfy auditors. To this end, smaller businesses should invest first in an analysis effort to determine how much disaster recovery effort is necessary. For small businesses, this task does not have to be overwhelming. It simply entails ascertaining the key risks that could lead to catastrophic loss and the measures required to mitigate the risks identified.

The output of this planning phase is a roadmap for disaster recovery and, ultimately, Sarbanes-Oxley compliance. Using this roadmap, the company can focus specifically on the measures needed for compliance without becoming distracted by ancillary considerations. This allows the company to streamline its disaster recovery efforts and reduce the total cost of compliance.

The role of innovation in disaster recovery compliance comes with remediation. Using the roadmap to determine the measures necessary for compliance, the company should look for solutions that are inexpensive to implement and easy to manage. This means, generally, finding a solution designed for small businesses. Those targeted at large companies tend to be expensive and complex, requiring too much headcount to manage. Also, many of the features for which the small business pays simply are unnecessary.

To comply effectively, small businesses need to find inexpensive solutions that directly meet their needs. The market has responded with a plethora of tools that make disaster recovery planning easier.

Conclusion
Disaster recovery planning has become an unavoidable component of Sarbanes-Oxley compliance. Already expensive for small public companies, Sarbanes-Oxley can lead to even more expenditures, as a result of inefficient or inappropriate solutions. Small public companies, consequently, rely on inexpensive innovative solutions to make compliance possible while not unduly taxing the company's earnings.

Disaster recovery planning is a necessity for public companies. With the ioSafe Disaster-Ready Drive, small public companies can implement a comprehensive, size-appropriate disaster recovery solution without incurring the ire of their shareholders.



Tom Johansmeyer is President and CEO of j-knowledge.




© 2019 Simplex Knowledge Company. All Rights Reserved.