An Explosion of Standards
Over the last 2 to 3 years, standards organizations as well as governmental entities have focused on defining the required elements of a Business Continuity Program. Unfortunately, even though those organizations agree about 85% of the time, every standard that has been enacted and every law that has been passed carries its own detailed requirements. Top management must give business resiliency sufficient focus for this key issue to receive the attention it needs.
As a result, it may be said that this activity has done little but confuse the individuals responsible for developing and maintaining a business continuity program in their organizations. Rather than debate the merits of the various new standards and laws, all of which have merit, an organization should focus on its own requirements and then determine which guidelines to follow.
What is Important
What your organization does, and how well it does what it says it should do, is what determines which standard(s) and regulatory law(s) it should follow.
There are 3 main drivers for an organization that is developing a business continuity program:
- Regulatory Requirements
- Supply Chain Requirements
- Internal Requirements – typically mandated when an incident has already occurred to the organization.
Determine what your primary driver is and then follow the corresponding guidelines. If, for instance, you are a financial institution, you may be required to follow the FFIEC Business Continuity Handbook. If you are a sole or major supplier to a European entity, you may wish to follow BS 25999-2. If you are an entity based primarily in a single geographic region such as the US and you have experienced an incident, you may wish to follow the DRII Best Practices or NFPA 1600. Remember, it is not the standard you follow that matters, as they all have merit; it is making sure that when an incident occurs, your organization can continue to operate and meet its obligations.
The effects of September 11, 2001
September 11, 2001 demonstrated that although high-impact, low-probability events do occur, recovery is possible. Even though buildings were destroyed and blocks of Manhattan were affected, businesses and institutions with good continuity plans survived.
The lessons learned include:
• plans must be updated and tested frequently;
• all types of threats must be considered;
• dependencies and interdependencies should be carefully analyzed;
• key personnel may be unavailable;
• telecommunications are essential;
• alternate sites for IT backup should not be situated close to the primary site;
• employee support (counselling) is important;
• copies of plans should be stored at a secure off-site location;
• sizable security perimeters may surround the scene of incidents involving national security or law enforcement, and can impede personnel from returning to buildings;
• despite their shortcomings, the Business Continuity Plans in place before September 11 were indispensable to the continuity effort; and
• increased uncertainty (following a high-impact disruption such as terrorism) may lengthen the time until operations are normalized.
Please pass this information along to those business continuity and disaster recovery team members in your communities and where you work.