A well-designed, implemented, and maintained Business Continuity Management System (BCMS) always results in a more resilient organization!
It would then seem to follow that any inclusive discussion of Business Continuity (BC) today requires addressing the standards, guidelines, and best practices that guide continuity planning, the goal of which is to protect against, prepare for, respond to, and recover from disruptive incidents.
- We need guidance, a set of best practices, a roadmap when tasked with the implementation of a new BC initiative – Using a standard or best practices as a model will help ensure an end product that will serve the organization and all interested parties well.
- For those designing and implementing a new continuity program this guidance and help is invaluable – While a BC capability is being created, there is a need to know that steps taken will result in the organization being better prepared and more capable and that stakeholders can be assured that the resulting BC program will provide for the continuation of operations at a level that allows meeting their needs. This guidance is vital for those newly assigned to Business Continuity responsibilities.
- We need ways to measure and verify the sufficiency and value of existing continuity programs as we seek to maintain and continually improve – Using a recognized standard or set of best practices as a “measuring stick” provides an unbiased expert opinion of whether the BCMS is functioning properly to protect products and services and the interests of stakeholders.
- Organizations require a way to effectively measure Business Continuity programs, as well as a need for an objective method to assess the continuity capability of suppliers, outsourcing companies, contractors, and those who supply goods and services that directly and indirectly support critical operations – A globally recognized and accepted benchmark provides a way in which we can uniformly and equitably measure the continuity capability of all the links in our Supply Chain.
Standards, Guidelines, Best Practices, and Certifications
Today there is a wide range of continuity standards, guidelines, best practices, and certifications from which to choose. When making the decision about which to adopt, it is important to evaluate those under consideration and then select the one that will result in the greatest benefit for the organization.
Determine whether the selected standard or set of guidelines is the best vehicle for continually improving the organization’s continuity capability. Selecting the right one for the organization can help raise the continuity bar beyond simply meeting the requirements of a standard or following guidelines to the letter.
When considering what is best for your organization:
- Learn whether there is a Business Continuity standard that is preferred or recommended by your organization’s business sector, industry, or profession;
- Ascertain whether key customers or clients or other business partners have selected a standard or prescribed set of guidelines to apply to their continuity management planning;
- Investigate the value of using a standard that allows the organization, either currently or in the future, to obtain formal certification;
- Determine whether official certification is of benefit to the organization now or may be in the future;
- Consider if a globally recognized standard or set of guidelines has greater value than one that is recognized in a smaller geographic area;
- Ask whether the standard or guidelines meet the organization’s requirements well beyond the data center, including executive commitment, inclusion of the Supply Chain links, maintenance, and training and exercises.
Strategic and essential
For full transparency, I fully and absolutely believe in the importance and value of using standards and guidelines.
To prove it, I hold multiple certifications, have experience applying them, and frequently provide related training.
Yet, a caution. Gaining certification or being in full alignment with a set of guidelines or best practices should never be the only or even the foremost goal. The intent, the objective, is not simply to check all the boxes detailed in the standard or guidelines.
Rather, we must keep in mind the fundamental reason for having a Business Continuity program: it “(…) provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities” (ISO 22301).
Even when using a standard, view Business Continuity Management as strategic and essential to the organization’s welfare, not only a compliance / check-the-box requirement. The ultimate objective is to protect the organization, its employees, and other interested parties from the negative effects of disruptions and disasters.
To do that requires developing a strong continuity capability and ultimately making continuity a core element of organizational culture by providing an environment in which all employees work collaboratively to minimize the likelihood of losing the ability to function at a level that enables the company to meet its obligations to all concerned parties.
To BIA or not to BIA
In all cases it is ultimately the results that matter. Consider these often-discussed topics:
Take the conundrum over the order of conducting the Business Impact Analysis (BIA) and the Risk Assessment, and the “to BIA or not to BIA” question. In both these examples there is no dictated order, process, or methodology. What is required is gathering and applying sufficient, appropriate, and accurate information needed to develop workable strategies that can then be documented in plans.
Capability should remain the focus. Capability is a measure of the ability of an entity (organization, department, person, system) to achieve its objectives, especially in relation to its overall mission. When people at all levels in the organization have the knowledge and experience to carry out their continuity roles and responsibilities and understand how what they do fits in the big picture, they have continuity capability.
- No standard, no set of best practice guidelines is intended to provide a detailed, one-size-fits-all, “do it exactly this way or else” Business Continuity process.
- They should be viewed as providing a framework, an outline, a code of practice, and defined content for business-specific continuity planning and implementation.
- Adapt them to avoid failed attempts to put square pegs in round holes.
- Avoid a “check-the-box” mentality. Keep your eyes on the prize: establishing and maintaining a robust organization-wide Business Continuity management system.
- The emphasis must be on what works for the organization – not what has always been done before, what other organizations are doing, the latest trend, or guidance that was chosen at random or because it was a perfect fit for another company.
To succeed in the real world…
The purpose, the ongoing goal, should be an organization that is better prepared to face the challenges of operational disruptions and disasters. Ultimately, it must be understood that even fully meeting the requirements for certification does not necessarily guarantee success.
To succeed in the real world and not just on paper, Business Continuity must have the full commitment of executive management and be incorporated into the organization’s policies, day-to-day operations, and culture.
The goal should always be to develop, maintain, and continually improve a Business Continuity capability that serves the organization and all its stakeholders well.