Over the last 2 to 3 years, standards organizations and governmental entities have been converging on the required elements of a Business Continuity Program. Unfortunately, even though those organizations agree 85% of the time, every standard that has been enacted and every law that has been passed comes with its own detailed requirements. Top management must give business resiliency enough focus to allow attention to this key issue.
As a result, it may be said that this attention has done little but confuse the individuals responsible for developing and maintaining a business continuity program in their organizations. Rather than debating the merits of the various new standards and laws, all of which have merit, an organization should focus on its own individual requirements. Only then should it determine which guidelines to follow to build its own business resiliency.
What Is Important?
The way your organization conducts its various businesses dictates which standard(s) and regulatory law(s) it should follow. There are 3 main drivers for an organization that is developing a business continuity program:
- Regulatory Requirements.
- Supply Chain Requirements.
- Internal Requirements – typically mandated when an incident has already occurred to the organization.
Determine what your primary driver is and then follow the corresponding guidelines. For instance, if you are a financial institution, you may be required to follow the FFIEC Business Continuity Handbook. If you are a sole or major supplier to a European entity, you may wish to follow BS 25999-2.
If you are an entity based primarily in a single geographic region such as the US and you have experienced an incident, you may wish to follow the DRII Best Practices or NFPA 1600. Remember, it is not which standard you follow that matters, as they all have merits. What matters is making sure that when an incident occurs, your organization can continue to operate and meet its obligations.
The Effects of September 11, 2001
September 11, 2001 demonstrated that although high-impact, low-probability misfortunes can occur, recovery is possible. Even though buildings were destroyed and whole blocks of Manhattan were affected, businesses and institutions with good continuity plans survived.
The lessons learned include:
- Plans must be updated and tested frequently;
- All types of threats must be considered equally;
- Dependencies and interdependencies should be carefully analyzed;
- Key personnel may be unavailable;
- Telecommunications are essential;
- Alternate sites for IT backup should not be situated close to the primary site;
- Employee support (counseling) is important;
- Copies of plans should be stored at a secure off-site location;
- Sizable security perimeters may surround the scene of incidents involving national security or law enforcement, and can impede personnel from returning to buildings;
- Despite their shortcomings, the Business Continuity Plans in place pre-September 11 were indispensable to the continuity effort; and
- Increased uncertainty (following a high impact disruption such as terrorism) may lengthen time until operations are normalized.
Please share this information about business resiliency with the business continuity and disaster recovery team members in your communities and where you work.