Over the last few months, DRI has spent a lot of time spreading a message of caution with regard to organizational certification. Their article on this topic was published in the last issue of DRJ (Are You Really Prepared? Who Says So?), it was the topic of a recent webinar (October 29th), and has also been the message delivered by their executive director in several small group meetings.
What’s interesting about this PR blitz is that the only business continuity standard currently available for organizational certification in the US is British Standard (BS) 25999. The federal government is developing a voluntary certification program (as mandated in law PS 110-53), but that won’t be available for some time. As a result, DRI’s motivation to encourage the status quo is unclear.
Regardless of DRI’s motivation, let’s examine their argument. DRI’s message of caution is focused on the following arguments against certification (as provided by DRI in their recent webinar):
Discoverable (Corrective Action Plans)
With BS 25999 organizational certification (or any other organizational certification), DRI points out that an organization is required to document a corrective action plan and provide it to the auditors if the business continuity management system does not pass some aspect of the certification audit. DRI’s concern is that this action plan is discoverable if legal proceedings against the company were to occur related to disaster preparedness.
May Not Provide Legal Protection
DRI reminds us that lawsuits for failure to adequately protect the organization from disaster will still occur and that having an organizational certification will not provide an adequate defense. Note: this isn’t a risk per-se, and if true, is the absence of a benefit.
Quality of Auditors
DRI is greatly concerned about a rash of under-qualified auditors and the prospect that they may not fully be able to assess compliance to a standard. Note: DRI recently launched a Business Continuity Auditor certification.
Potential Conflicts Among Various Audit Findings
DRI also argues that by submitting to a certification audit, gaps may be identified that have not been previously identified by internal or external auditors. These gaps may cause confusion about where the true improvement opportunities lie.
Pursuing certification will cost money – typically an annual expense based on the size of the organization and how much time is needed to conduct the certification audit. Note: again, this isn’t a risk, just a cost.
Each of these concerns is not unique to business continuity. If you look at any other organizational certification, the same costs, concerns and/or risks are present. Three of the most common organizational certifications are for Quality Management (ISO 9001), Environmental Management (ISO 14001), and Information Security (ISO 27001). All have the same potential issues outlined above; however, in real practice, these issues are minor and significantly eclipsed by the resulting organizational benefit. Furthermore, ISO 9001 and ISO 14001 have been around for over 20 years with over 100,000 certified companies registered to date – and yet there have been no documented cases of “discovery” causing any adverse legal issues for these certified organizations. ISO 27001 has been around since 2005 with 5000 certified companies (95 in the US) – and there have been no documented court cases pointing to adverse effects of certification. As a matter of fact, the exact opposite is true. Documented court cases exist indicating that not using a formal, documented management system has caused companies to be sanctioned by the courts and evidence thrown out. DRI is correct that corrective action plans may be discoverable; however, all information that exists within an organization could be discoverable under subpoena if the courts deemed it necessary to the case.
Taken one step further, DRI’s own professional practices state that we, as business continuity professionals, should conduct exercises, and specific to post-exercise reporting, DRI states that activities must include the following:
- Provide a comprehensive summary with recommendations,
- Document Action Plan report
- Identify Open Issues
- Identify actionable items with responsibilities and timeframes for resolution
- Monitor (and escalate where necessary) progress to completion of agreed actions
Although I disagree with the premise that organizational certification, audit findings and corrective action plans introduce unnecessary or unique legal risk; don’t the actions advocated by DRI’s own professional practices do the same?
The concern over a lack of qualified auditors is also unfounded. Every certification program administered by national standards bodies (such as ANSI and BSI) must comply with an international standard for auditing and certification called ISO 17021. The following is ISO’s description of this standard:
ISO 17021:2006 contains principles and requirements for the competence, consistency and impartiality of the audit and certification of management systems of all types (e.g. quality management systems or environmental management systems) and for bodies providing these activities.
Clearly, the concerns identified by DRI are problems that have been solved before. So the natural question becomes: Why is DRI focused on devaluing certification?
Where do we go from here?
I believe this whole discussion actually comes back to DRI’s Ten Professional Practices. For many years, the Ten Professional Practices have been the basis of nearly every business continuity professional’s approach to preparedness and has helped drive widespread adoption of business continuity as a risk management discipline in many organizations. However, the way in which these professional practices are written (they are specific to a professional’s knowledge and competencies, not organizational planning activities per se) has led to significant variation in how the practices are implemented at an organizational level. At the same time, The Business Continuity Institute (BCI) advocated (and many business continuity practitioners began using) management system concepts as the foundation for their business continuity programs. This is the approach used in BS 25999, and is expected to be the approach found in the future ISO standard on preparedness and business continuity. While the details are different, the management systems approach is also used in quality, environmental, security and several other “certifiable” disciplines.
To me, there appears to be a defensive, and possibly self-serving, attitude being displayed by DRI representatives. This may be driven by their incorrect view that the DRI Professional Practices are in fact a standard competing with those presented as options for certification in PS-PREP. It may also be driven by a need to push hard to drive professionals considering employment as an organizational certification auditor toward the DRI auditor certification (which would seem odd since they are making an effort to influence organizations away from certification in the first place). I hope none of the above is the case because that would lead to a significant conflict of interest considering DRI is perceived as (and certainly should be) an independent organization representing business continuity professionals.
Perhaps more significant, I think there is a major lack of understanding on the part of DRI regarding the use and value of management systems, and as a result, there is a fear of change. DRI’s constituents are constantly challenged with seeking and keeping management’s attention specific to business continuity program involvement. By definition, a management system seeks to keep management’s attention, enable continuous improvement, and is designed to enable other standards to “plug into it” to drive performance and capability based on an organization’s unique needs. This means that an organization shouldn’t feel pressured to pick one standard; rather, pick and choose components from one or more standards that meet the unique needs of the organization. For example, a bank can comply with the FFIEC handbook, as well as BS 25999 and leverage components of DRI Professional Practices.
Overall, there’s room for multiple standards and approaches, and many organizations will find the benefits of certification outweigh the drawbacks, both for BS 25999 today and the PS-Prep program in the future.
Avalution Consulting: Business Continuity Consulting