It seems like less than a decade ago we didn’t have any standards on business continuity in the United States, and now we have four from which to choose. I’m not complaining, but now it’s almost like going to the restaurant that has so much on the menu you find it difficult to choose what to eat.
We have the three standards currently recognized by the US DHS PS-Prep voluntary certification program:
- ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems-Requirements with Guidance for Use;
- BS 25999-2:2007 Specification for BCM; and
- NFPA 1600:2010 Standard on Disaster/Emergency Management and Business Continuity Programs
And we now have the new ASIS/BSI BCM.01-2010 Business Continuity Management Systems: Requirements with Guidance for Use, approved on November 2, 2010.
So what’s new or different about this ASIS/BSI standard? Does it replace one of the existing three standards? Is it intended to focus more narrowly on business continuity, as opposed to the crisis management, security, and emergency response scope of the prior ANSI/ASIS SPC.1-2009? If so, shouldn’t it replace that standard? There is significant overlap between the two. Regardless of the intent in publishing this standard, it may create some confusion for business continuity professionals. If the only intent is to narrow the focus strictly to business continuity, it fails to add anything of value to an already full field of standards. Having said that, there is one aspect shared by the previous ASIS resilience standard and the new ASIS/BSI standard that is an important element.
The difference is partially defined in the abstract: “Based on the BS 25999 business continuity management (Part 1 and Part 2), this standard specifies requirements for the business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs — taking into account legal and other requirements to which the organization subscribes — to address disruptive events that might impact the organization and its stakeholders. This standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS within the context of managing an organization’s risks.”
The difference is that it incorporates and promotes “A management systems approach for preparedness and business/operational continuity management.” In other words, implement a formal system or process to sustain and improve the business continuity program on a continuous basis. And yes, we have one more acronym, BCMS, to confuse both practitioners and non-practitioners.
Just how important is this management systems approach? Well, in the 30-plus years I have been involved in business continuity I’ve seen so many companies struggle to keep a program alive during downsizing, acquisitions, and changes in management teams. Considering the current financial crisis, the challenge is even greater, and resources that were lost during this crisis are unlikely to be replenished anytime soon (if ever). This new standard provides an opportunity to interface the business continuity program with existing ISO management system programs, which management has long recognized, adopted, supported, and sustained through years of management changes, downsizing, and even major financial crises.
The fact that it is an American National Standard also provides value to those organizations that adopt it, in that the program elements are clearly defined, though flexible, and verifiable through an audit process. That in itself is no different from any other standard and is not as important as the management systems approach. The standard states that “the adoption and implementation of a range of business continuity management techniques in a ‘systematic’ manner can contribute to optimal outcomes for all stakeholders and affected parties.”
The development process for the standard also followed an internationally recognized, formal process that helps ensure a consensus-based standard is developed with review and input from hundreds of business continuity and non-business continuity professionals. Many of the individuals who participated as commissioners, committee members, and working group members in developing the standard are internationally recognized experts in their respective fields. The business continuity professional community had much greater input into this standard than into the preceding ASIS standard.
Techniques or Practices Addressed in the Standard
The range of business continuity management techniques, practices, and areas of focus is largely the same as in the previous standards. Some practices are more heavily stressed in this standard, and some areas of focus are missing entirely.
Business Continuity Management System (BCMS) Requirements
The requirements section addresses the “shall do” elements of the standard and is intentionally generic to allow flexibility in the specific means of implementing each requirement.
This section is followed by Annex A “Guidance On The Use Of The Standard” which is “informative” and provides the “should do” elements and examples of what would be considered the preferred approach for each requirement.
Establishing the Context
- Legal and other requirements
Policy and Management Commitment
- Management commitment
- BIA and risk analysis
- Business continuity objectives and targets
- Business continuity strategies
Implementation and Operation
- Roles, responsibilities, and authority
- Competence, training, and awareness
- Control of documents
- Developing and implementing a business continuity response
- Response structure
- Business continuity plans
- Communication and consultation
Checking and Corrective Action
- Monitoring and measurement
- Evaluation of conformance and system performance
- Evaluation of conformance
- Exercises and testing
- Non-conformity, corrective action, and preventive action
- Control of records
- Internal audit
- Review input
- Review output
- Opportunities for improvement
Adoption and Conformance to the Standard Does Not Ensure Recoverability
The standard cautions: “However, adoption of this standard will not by itself guarantee optimal preparedness, continuity, and response outcomes. In order to achieve its objectives, the BCMS should incorporate the best available practices, techniques and technologies, where appropriate and where economically viable.” The cost-effectiveness of such practices, techniques, and technologies should be taken fully into account. In other words, you still must evaluate and balance the costs of the program against the risk and impact of an interruption. The standard can define the business continuity elements to be implemented, but it will not and cannot define the depth or scope of the implementation. “The standard does not establish absolute requirements for preparedness, response, continuity, or recovery performance beyond commitments in the organization’s policy to:
A) Comply with applicable legal requirements and with other requirements to which the organization subscribes;
B) Support risk minimization and mitigation; and
C) Promote continual improvement.”
“The standard does not include requirements specific to other management systems such as those for quality, occupational health and safety, or financial risk management — though its elements can be aligned or integrated with those of other management systems. It is possible for an organization to adapt its existing management system(s) in order to establish a BCMS that conforms to the criteria of this standard.”
Plan, Do, Check, Act (PDCA) Cycle
The PDCA model helps address the constant change that most organizations experience. New business processes, new products, new locations, new customers, new suppliers, new components, closure of locations, new staff, and new and ever-changing technology all necessitate a systematic planning approach. The BCMS takes business requirements and expectations as inputs and, through the necessary actions and processes, produces business continuity outcomes that meet those requirements and expectations. Each phase of the PDCA model is applied to each stage of the BCMS process in an iterative, continuous-improvement approach.
Plan (establish the management system)
Establish management system policy, objectives, processes, and procedures relevant to managing business continuity risks and improving response and recovery processes that deliver results in accordance with the organization’s strategic needs.
Do (implement and operate the management system)
Implement and operate the management system policy, controls, processes, and procedures.
Check (monitor and review the management system)
Monitor, assess, measure, and review performance against management system policy, objectives, and practical experience; report the results to management for review; and determine and authorize actions for remediation and improvement.
Act (maintain and improve the management system)
Take corrective and preventive actions, based on the results of the internal management system audit and management review, re-appraising the scope of the BCMS, the business continuity policy, and the objectives to achieve continual improvement of the management system.
Use of the PDCA model helps ensure a degree of consistency with other management systems standards such as ISO 9001:2008 (quality management systems), ISO 14001:2004 (environmental management systems), ISO/IEC 27001:2005 (information security management systems), ISO 28000 (security in the supply chain), and ISO/IEC 20000:2005 (IT service management), thereby supporting consistent and integrated implementation and operation with related management systems. The key operational word is integrated. An organization that has already adopted an ISO approach to management systems may be able to use its existing management system as the foundation for the business continuity management system.
Verification versus Certification
For those organizations wanting to become “certified” under any one of the DHS-approved standards, the following should be reviewed before pursuing any external certification assistance.
Conformance with this standard can be verified by the auditing process described in ISO 19011:2002, which is compatible and consistent with the methodology used for ISO 9001:2008, ISO 14001:2004, ISO 28000:2007, and/or ISO/IEC 27001:2005 and with the PDCA model.
Verification of an organization’s conformance to this standard may be performed through an external or internal auditing process. Verification may be by a first-, second-, or third-party mechanism. Verification does not require a third-party certification.
What Does It Not Include?
First, let me state that in my professional opinion “no existing individual standard” is sufficient without considering other related standards to augment it. The new standard states that a primary objective is to provide a “safe and secure” environment but fails to address either objective. It repeats the omission of BS 25999-2:2007 in that it simply does not address the protection of the organization’s No. 1 asset, its people. NFPA 1600 addresses the “people” issue more completely than the other standards, and its 2010 version establishes a formal management system and a better defined continuous improvement process. However, even with this improvement, the existing standards as written will continue to perpetuate the “business continuity silo” within the organization.
What Does It Include?
The new standard rightly stresses the importance of roles and responsibilities starting at the top of the organization. It stresses the critical role senior management plays in ensuring effective implementation and maintenance of the program. It places accountability exactly where it should be: at the most senior level within the organization. Senior management is the key player in many of the key business continuity elements and must take an active role in the program. While this is critical, it is also the single most elusive element for most practitioners. It’s something that just cannot be mandated by a standard.
The new standard also has an increased focus on business continuity training, awareness, and competency within the organization. I strongly agree this is one of the key success factors in gaining an enterprise level of awareness and engagement. NFPA 1600 also recognizes these as key success factors in its 2010 version.
Most Glaring Omission
All of the existing standards fail to adequately address the interdependencies with the other “operational risk” oriented elements now pervasive within larger organizations. Business continuity cannot effectively operate as a “stand-alone” entity. At some point a standard needs to be developed that incorporates the critical interdependencies that directly affect the efficacy of the business continuity program elements. So far that standard has not been written. Within the annex, the relationships and interdependencies are barely touched.
As a narrowly focused business continuity standard, the new standard is a step down from the previous ASIS resilience standard, which, while still incomplete, presented a more broadly scoped and somewhat integrated standard incorporating a subset of key operational risk elements. The profession is still waiting for a standard that mirrors modern operational risk requirements and defines a more integrated and cost-effective approach to increasing resiliency and ensuring continuity of operations. So, what’s next?
Cole Emerson, CBCP, is president of Cole Emerson and Associates, Inc. He is an internationally-recognized expert in the field of business continuity planning and a member of the Disaster Recovery Journal Editorial Advisory Board.