Business Continuity Programs and Fiduciary Duties

Bill Sjostrom —  22 February 2006

This article describes a new Deloitte & Touche/CPM Group survey on business continuity management programs. The survey finds that “[m]ore than 83 percent of companies have developed business continuity management programs, compared with only 30 percent of companies just six years ago.” Deloitte and CPM attribute the increase to the fact “that executive management remains primarily concerned with regulatory compliance, and with fulfilling fiduciary responsibilities by addressing operational resilience in response to a broad array of disruptive events.”

I don’t know offhand what regulations require or encourage a company to adopt a business continuity program, but I don’t doubt that there are some. What I find curious is the reference to “fulfilling fiduciary responsibilities” which seems to imply there is a fiduciary duty to adopt such a program. There is no such specific duty. A decision on whether a business should put a program in place is just like any other business decision. Absent a conflict of interest, as long as the decision is made on an informed basis, in good faith and in the honest belief that the decision is in the best interests of the corporation, the board has fulfilled its fiduciary responsibilities regardless if the decision is to adopt or not to adopt a continuity program. Ultimately, if the board takes up the issue, it should consider the probability and magnitude of various business disruption risks and make a judgment as to whether it believes it is in the best interest of the corporation to put a program in place.

Maybe I’m reading too much into the article, but this looks like another example, in addition to the one Gordon Smith points out here, of business people having a more expansive notion of fiduciary duty than is the case under corporate law, which seems to me is not a good thing because it leads to suboptimal risk taking by the board.