NEW REGULATIONS
Do We Really Need Another Business Continuity Standard?
By COLE EMERSON
It seems like less than a decade ago we didn’t have any standards on business continuity in the United States, and now we have four from which to choose. I’m not complaining, but now it’s almost like going to the restaurant that has so
much on the menu you find it difficult to choose what to eat.
We have the three standards currently recognized by US-DHS
Prep as part of the voluntary certification program:
• ANSI/ASIS SPC.1-2009 Organizational Resilience: Security,
  Preparedness, and Continuity Management Systems -
  Requirements with Guidance for Use;
• BS 25999-2:2007-A Specification for BCM; and
• NFPA 1600:2010 Standard on Disaster/Emergency
  Management and Business Continuity Programs
And we now have the new ASIS/BSI.01-2010 Business
Continuity Management Systems: Requirements with Guidance
for Use approved on November 2, 2010.
So what’s new or different about this ASIS/BSI standard?
Does it replace one of the existing three standards? Is it intended
to focus more narrowly on business continuity, rather than on crisis management, security and emergency response as the prior
ANSI/ASIS SPC.1-2009 did? If so, shouldn’t it replace that standard? There
is significant overlap between the two standards. Regardless of
the intent in publishing this standard, it may create some confusion for business continuity professionals. If the only intent is to
narrow the focus strictly to business continuity, it then fails to add
anything of value to the already full field of standards. Having
said that, there is one aspect of the previous ASIS resiliency and
the new ASIS/BSI standards that is an important element.
The difference is partially defined in the abstract: “Based on
the BS 25999 business continuity management (Part 1 and Part
2), this standard specifies requirements for the business continuity management system (BCMS) to enable an organization to
identify, develop, and implement policies, objectives, capabilities, processes, and programs — taking into account legal and
other requirements to which the organization subscribes — to
address disruptive events that might impact the organization and
its stakeholders. This standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS
within the context of managing an organization’s risks.”
The difference is that it incorporates and promotes “A management systems approach for preparedness and business/operational continuity management.” In other words, implement a
formal system or process to sustain and improve the business
continuity program on a continuous basis. And yes, we have one
more acronym, BCMS, to confuse both practitioners and non-practitioners.
Just how important is this management systems approach?
Well, in the 30-plus years I have been involved in business continuity, I’ve seen so many companies struggle to keep a program
alive during downsizing, acquisitions, and change in management
teams. Considering the current financial crisis, the challenge is
even greater, and resources that were lost during this crisis are
unlikely to be replenished anytime soon (if ever). This new standard provides an opportunity to interface the business continuity
program and existing ISO programs which management has long
recognized, adopted, supported and sustained during years of management changes, downsizing, and even major financial crises.
The fact that it is an American National Standard also provides
value to those organizations who adopt it, in that the program
elements are clearly defined, though flexible, and verifiable
through an audit process. That in itself is no different than any
other standard and is not as important as the management systems
approach. The standard states “the adoption and implementation
of a range of business continuity management techniques in a
‘systematic’ manner can contribute to optimal outcomes for all
stakeholders and affected parties.”
The development process for the standard also followed an
internationally recognized and formal process that helps ensure a
consensus-based standard is developed with the review and input
from hundreds of business continuity and non-business continuity
professionals. Many of the individuals who were participants
as commissioners, committee members, and working group
members in the development of the standard are internationally
recognized experts in their respective fields. The business continuity
professional community had much greater input into this
standard than the preceding ASIS standard.
Techniques or Practices Addressed in the Standard
Business Continuity Management System (BCMS)
Requirements