When planning for disasters, organizations are typically focused on things like call trees, backup data servers, and alternative work locations. In the crush to survive the immediate threat it’s easy to forget about compliance, and even during disaster planning, compliance may come last.
That’s a dangerous mistake, explain Laura Fey, Principal, Fey, LLC; Tom Leatherbee, Manager, Recovery Division, Hagerty Consulting; and Jillian Cusack, AVP, Privacy Officer, American Fidelity. Just because normal business operations are interrupted doesn’t mean compliance obligations are also on pause.
Ensuring compliance plays a role in disaster planning is more important than ever. Natural disasters, ransomware attacks, a pandemic and other threats appear to be growing more frequent and can turn into situations that last days, weeks, months or even years. When they do, existing compliance obligations continue and new ones can arise, ranging from OSHA requirements to employee obligations – you still have to pay into pension plans and make insurance payments – to financial reporting.
State laws, as well as standards such as ISO and SOC 2, may also be implicated.
If your institution is a recipient of federal grants, the reporting requirements don’t stop during disasters. Plus, if your organization will be seeking federal disaster grants, there will be compliance obligations there as well, including the need to document the damage.
To ensure the compliance team is part of disaster planning, establish a relationship with the person leading that effort. Learn who else they work with and get to know them as well.
Take the time to understand what the risks are using resources such as Ready.gov. Think through what data you will need to collect and track during a pandemic or other disaster, and be prepared to help your colleagues understand that compliance can play a vital role in disaster planning and recovery.