Fifteen years ago, activities focused on recovery and/or continuity within the technology environment. Today, business continuity is a more holistic process, encompassing all of the elements necessary to maintain the viability of the business entity during an interruption. Undoubtedly, the sustainability of technology is a very important aspect of business continuity. However, it is only one of many vertical components of the entire operational environment. Consider the facilities, personnel, equipment, supplies, etc., all of which play a key role in restoring operations to a state of normalcy. The regulatory bodies have recognized this and have clearly pointed it out.
The world has recognized the need to recover the business and operational entity as a whole, not just the technology components. In fact, given the recent concern over pandemics, which is clearly seen as a personnel issue having little to do with technology, it points out the need to take a holistic approach to business continuity.
In August of 2007 the President of the United States signed into law PL 110-53. Title IX of that law provides for “Private Sector Preparedness.” The law was originally intended to implement the recommendations of the 9/11 Commission. The essence of the recommendations from the commission was to implement the NFPA (National Fire Prevention Association) 1600 ANSI standard for the United States. Vague language (such as “or others”) was added after NFPA 1600, opening the possibility of considering other standards. This process is underway. DHS has appointed FEMA as the government organization responsible for creating the standard and overseeing certification of companies.
Although PL 100-53 has language with special considerations for small business, once the large companies decide to comply with the new standard, small and medium sized companies will be forced to comply in order to satisfy their customers’ requirements. The government will be in no position to ask for relief for small and medium sized businesses, as the regulation is voluntary and hence not subject to legislative relief. The only practical way that small and medium sized companies can demonstrate their level of preparedness is for there to be tools available to them that will let them self assess their current state. A second set of tools can provide a means to help improve their preparedness. This will ensure their customers that they have attained a level of preparedness that will allow them to survive interruptions.
The use of recognized processes for creation of business continuity programs will serve any organization well. As the standard develops, it is very likely to embrace an established structured approach containing elements that are recognized by business continuity professionals. Those companies who have used such a process will find that they will have little trouble complying with the new standard.
About The Author: Al Berman is the executive director of DRI International. Berman is a member of the NY Partnership for Security and Risk Management. Over a career that has spanned 25 years he has served as a president and CIO for a major financial institution, national practice leader of operational resiliency for PricewaterhouseCoopers and global business continuity practice leader for Marsh.
"Appeared in DRJ's Spring 2008 Issue"