Business Continuity Standards Don’t Matter — But They Should
The current state of business continuity management (BCM) standards? Abysmal. According to a joint Forrester/DRJ study, 69% of respondents said that British Standard (BS) 25999 did not influence or only somewhat influenced BCM at their company. It’s not much better for NFPA 1600, 70% of respondents said that it did not, or only somewhat, influenced BCM at their company. I find this shocking. BS 25999 is one of the most widely recognized standards for BCM worldwide and NFPA 1600 has been popular in the US for years. In addition, the U.S Department of Homeland Security’s Private Sector Preparedness Program (PS‑Prep) recognizes both of these standards for assessing preparedness. If you’re wondering what standards respondents named in the “Other” category, it was mostly the Federal Financial Institutions Examination Council (FFIEC) and NIST. Not surprising but also a little disheartening, it’s clear that unless compelled to do so, most BC professional would not adopt or follow a BCM standard.
Even if you don’t intend to certify to these standards, they should strongly influence your BCM program. Why? It’s because:
- They provide a foundation and a common vocabulary for BCM best practices and processes. This is important if you need to implement BCM across a geographically dispersed enterprise or you have to work with a multitude of global partners on joint preparedness.
- These standards represent the input and recommendations of hundreds of BC professionals and industry experts. Rather than reinvent the wheel, you can take advantage of years of expertise and the lessons learned from your peers.
There are also a few good reasons why you should consider certification in the long-term:
- It challenges your BCM program and your organization to reach a higher level of maturity and preparedness. Not only does this make good business sense but I believe preparedness is a fiduciary responsibility to your employees, customers, partners and shareholders.
- Partners may demand it of you anyway. I’ve come across several instances where a large enterprise forced a small partner to achieve certification. As new business models increasingly rely on a web of 3rd party suppliers, business process outsources, cloud service providers and channel partners, I expect external audit requests to increase.
- It can reduce the amount of time it takes to comply with external audits of your BCM program. When that externally party comes knocking on the door like a raven from an Edgar Alan Poe novel, how much easier it will it be to convince them of your preparedness if you’re certified?
- It can provide a competitive advantage – at least in the short-term. I’ve also seen several firms you use certification as an advantage over their competitors – particularly with customers like financial institutions that demand readiness.
And before everyone sends me a bevy of snide tweets and leaves me angry blog comments, I know that certification does not ensure complete readiness, any more than compliance equals security, however I do think it signifies a base level readiness and a commitment and seriousness about BCM.
I’m curious to hear from all of you, what standards are you using (or not) as part of your BCM programs? What made you decide to utilize (or not) certain standards?