Disaster Recovery Journal, Spring 2011

What Does It Not Include?

First, let me state in my professional opinion “no existing individual standard” is sufficient without considering other related standards to augment it. The new standard states a primary objective is to provide a “safe and secure” environment but fails to address either objective. It is the same omission as BS 25999- 2:2007 in that it just does not address the protection of the organization’s No. 1 asset, its people. NFPA 1600 addresses the “people” issue more completely than the other standards, and in the next 2010 version establishes a formal management system and a better defined continuous improvement process. However, even with this improvement the existing standards as written will continue to perpetuate the “business continuity silo” within the organization.

What Does It Include?

The new standard rightly stresses the importance of roles and responsibilities starting at the top of the organization. It stresses the critical role senior management plays in ensuring the effective implementation and maintenance. It places accountability exactly where it should be at the most senior level within the organization. Senior management is the key player in many of the key business continuity elements and must take an active role in the program. While this is critical, it is also the single most elusive element for most practitioners. It’s something that just cannot be mandated by a standard.

The new standard also has an increased focus on business conti-
nuity training, awareness, and competency within the organization.
I strongly agree this is one of the key success factors in gaining
an enterprise level of awareness and engagement. NFPA 1600 also
recognizes these as key success factors in its 2010 version.

Most Glaring Omission

All of the existing standards fail to adequately address the interdependencies with the other “operational risk” oriented elements now pervasive within larger organizations. Business continuity cannot effectively operate as a “stand-alone” entity. At some point a standard needs to be developed and incorporate within that standard the critical interdependencies that directly affect the efficacy of the business continuity program elements. So far that standard has not been written. Within the annex the relationships and interdependencies are barely touched.

Conclusion

The standard as a narrowly focused business continuity standard is a step down from the previous ASIS Resiliency Standard that presented, while still incomplete, a more broadly scoped and somewhat integrated standard incorporating a subset of key operational risk elements. The profession is still waiting for the standard that mirrors modern operational risk requirements that will define a more integrated and cost effective approach to increasing resiliency and ensuring continuity of operations. So, what’s next?

v

Cole Emerson, CBCP, is president of Cole Emerson and Associates, Inc. He is an internationally-recognized expert in the field of business continuity planning and a member of the Disaster Recovery Journal Editorial Advisory Board.

THE RIGHT ANSWER...

TO THE RIGHT QUESTION

EMERGENCY RESPONSE ALLIANCE

Firestorm’s unique PREDICT. PLAN. PERFORM.™ Process is the foundation for a next-generation suite of consulting services, tools and software that create resilient, disaster-ready organizations.