When speaking about business continuity standards, we frequently hear the following feedback:
“I am waiting for the ‘dust to settle’ on the development of the standards and for one to be chosen by the industry as the front-runner.”
“We are not interested in complying and being audited against another regulation.”
Unfortunately, it’s these types of opinions that are causing many organizations to miss the value that standards can provide. Thomas L. Friedman outlined the value of standards in his best seller The World Is Flat when he stated, “Once a standard takes hold, people start to focus on the quality of what they do as opposed to how they are doing it.”
Business Continuity Standards Are Not Just a Set of Controls
Currently, business continuity practitioners have access to some of the highest quality standards we’ve ever had; standards that have been revised and redefined to provide quality guidance that aligns to organizational need and strategic risk management. These standards are also driving business continuity professionals to take a fresh look at their programs and reach higher levels of preparedness. To be clear, standards development is not tailored exclusively for those seeking certification. Standards can provide a much deeper and richer set of values without ever considering certification. The key to unlocking these values is looking past the debate about which standard to select and taking the time to investigate on your own – looking for the standard (or standards) that best align to your organization’s unique needs.
To help look past the “noise”, consider the following table outlining what standards are and are not:
|Standards Are:||Standards Are Not:|
The Core Value Associated with Business Continuity Standards
To begin gaining value from business continuity standards, it’s important to know their key elements and how they may benefit your organization. It is not necessary to develop an expert-level understanding of each standard. Of the business continuity standards available, the three “leaders” are BS 25999, NFPA 1600 and SPC.1-2009 (the three standards selected for inclusion in PS-PREP). All three have unique characteristics, but they also focus on two core components that can be adopted by any organization that wants to successfully manage business continuity-related risks:
- A proactive, resiliency-oriented approach
- Management system structures
A Proactive, Resiliency-Oriented Approach
A focus on resiliency – or proactive measures to minimize downtime/impact – means understanding a potential threat before it begins to impact an organization and taking action to mitigate that threat or its impact to a level that aligns to management’s risk tolerance. Risk management professionals agree that taking a proactive approach to mitigating risk is the best method; however, when it comes to putting this into action, organizations often fall short. This shortfall is oftentimes due to a variety of issues including:
- A lack of budget and/or resources
- An undefined risk tolerance or “appetite”
- A lack of buy-in regarding the potential threats/impacts to the organization
Yes, these hurdles can be difficult to overcome, but focusing on resiliency instead of an exclusive focus on recovery will enable the business continuity program to provide much greater value to the organization. Basically, it is the difference between being able to say “our organization was not impacted at all by X event” versus “our organization recovered from X event in 24 hours with minimal client and financial impact.”
Management System Structures
The definition of a management system is “a framework of processes that ensure an organization can fulfill all of the tasks required to achieve a set of related business objectives”. By building a business continuity program consistent with management system principles, an organization can evaluate business continuity performance based on the achievement of its resiliency and recovery objectives. This thinking also focuses the program on building processes that constantly strive to achieve these objectives in a cost-effective manner. Business continuity programs often fail when they do not meet (or are not perceived to meet) all of the organization’s needs or expectations. Using the management system structure will help bridge the gap between a business continuity program and the rest of the organization, and, further, create a mechanism to achieve dialogue regarding performance feedback and remediation priorities. Defining and working toward a core set of business objectives will enable a focused and more efficient program.
Once an organization realizes the value that current business continuity standards can offer, it is important to begin reviewing these standards and finding the specific guidance that will assist you in aligning to management’s objectives. Most standards, especially the “big three”, break down key preparedness concepts so practitioners can fully understand the desired outcomes and apply the recommended process within their organization. But perhaps the most significant advantage is helping practitioners think critically about implementing new ways to drive performance improvement. The longer an organization waits to leverage standards, the more time will pass in which preparedness efforts may fail to align to expectations. Why not make the time to critically review these standards and apply something new in your organization?