As we talk to our clients, prospective clients and others involved in the business continuity industry, some consistent themes, questions, misconceptions and general commentary have emerged. In order to encourage discussion and continual improvement in the Business Continuity Management industry, Avalution has started a semi-regular column to answer – or at least spur further discussion on – key topics. Below are ten items, divided into five “myths” and five “facts”, that seem to be appearing on a regular basis, along with answers and explanations that hopefully provide some clarification.
Myths
1. BS 25999 is a European standard
While BS 25999 was developed by the British Standards Institution, it is intended to be a global standard that is both country and industry independent. The standard is based on a compilation of industry best practices and methodologies and reflects input and commentary from BCP practitioners, regulators and industry groups around the world. The BS 25999 standard and accompanying certification are in fact designed to provide a common language and measure for global organizations, as well as a recognized credential for companies in the global supply chain.
2. Business continuity software is best practice
Business continuity software is a tool to assist in the documentation of a business continuity program. The diligent use of a comprehensive software tool can lead to the development of a higher quality program; however, reliance on a software package in place of expertise and effort generally leads to an incomplete program lacking in organization-specific detail.
3. Plans can be generated without a BIA
Business continuity plans are actionable documents designed to allow organizations to execute their business continuity strategies. Business continuity strategies are developed to satisfy business requirements. Business requirements, represented as recovery time objectives, manpower and resource needs, must be gathered, analyzed and agreed to, a process normally referred to as a business impact analysis (BIA).
4. BS 25999 and Title IX are the same
BS 25999 is a comprehensive international standard for the establishment, development and maintenance of a Business Continuity Management System (BCMS) currently available for certification by an independent registrar. Public Law 110-53, specifically the voluntary preparedness certification program in Title IX of the law, directs the U.S. Department of Homeland Security to create a voluntary preparedness certification program for the private sector. Discussions are still underway related to the process, scope and approach of this effort; however, it is expected to rely on existing standards and certification processes offered by independent third parties. BS 25999 intends to participate in, not compete with, the Title IX initiative.
5. The threat of a pandemic has diminished since 2005
While the H5N1 influenza strain has not mutated to enable efficient human-to-human transmission, it has continued to spread in the avian populations of Asia, Europe and Northern Africa. The World Health Organization (WHO) continues to maintain a pandemic Phase III alert, and there have been approximately 100 documented human infections in each of the last two years, with a mortality rate of 62% (as of April 2008).
Facts
1. The “popularity” of (and perceived importance of) the risk assessment has increased over the past five years
The growing influence of Enterprise Risk Management (ERM) over the last several years has increased companies’ (and executive managers’) focus on operational risk issues. Risk assessment and risk treatment have emerged as a necessary set of proactive activities, as reflected in newer standards such as BS 25999 and even the 2008 version of the FFIEC’s business continuity booklet, moving business continuity beyond its traditional reactive focus.
2. Exercises are the best form of performance measurement and awareness generation
Thoughtfully designed business continuity exercises provide an opportunity to involve and educate employees from all aspects of the business specific to their roles in the business continuity program. Well-documented exercise objectives, test scripts, results and follow-up action items provide the clearest picture of a program’s potential performance.
3. Continuous improvement is a necessity – getting business continuity “right” takes some time
Building a robust business continuity capability is an iterative process that matures over time. While a comprehensive project can establish the framework for a strong business continuity management system, regular reviews, exercises and updates are required to identify and execute continuous improvement opportunities, as well as keep the program aligned with changing business priorities.
4. Training and awareness programs should reach all employees, not just the business continuity “team”
Whether a person is an integral member of a business continuity team or not, he/she has a role in a company’s business continuity program. Every employee needs to understand his/her role in emergency / life safety activities, what to expect during recovery, how to obtain official information, and how the company will handle external communications during and after an incident.
5. Crisis communications strategies are a core element of the business continuity program (but often overlooked)
While most business continuity programs provide some direction to internal resources during an event, many lack an organized structure to effectively communicate, both internally and externally. A comprehensive crisis communication process addressing the needs of all stakeholders, both internal and external, is a key business continuity program element – and essential in helping an organization provide timely information to employees, customers, vendors and other interested parties.
The good news is that business continuity continues to mature and become embedded in more organizations. Most of the questions we have been hearing are about ways to improve programs and increase their value to organizations rather than how to gain support and justify a program. There is also a growing interest in standards, methods to demonstrate capabilities to business partners and risk management integration. Confusion generated by uncertainties in the developing Title IX voluntary certification program is also a regular topic of conversation.
On an ongoing basis, Avalution would like to encourage anyone with questions or comments they think would be of interest to members of the Business Continuity community to email them to [email protected]. We will consolidate them and periodically publish responses.