What Does It Not Include?
First, let me state in my professional opinion “no existing individual standard” is sufficient without considering other related
standards to augment it. The new standard states a primary objective is to provide a “safe and secure” environment but fails to
address either objective. It is the same omission as BS 25999-
2:2007 in that it just does not address the protection of the organization’s No. 1 asset, its people. NFPA 1600 addresses the “people”
issue more completely than the other standards, and in the next
2010 version establishes a formal management system and a better
defined continuous improvement process. However, even with
this improvement the existing standards as written will continue to
perpetuate the “business continuity silo” within the organization.
What Does It Include?
The new standard rightly stresses the importance of roles and
responsibilities starting at the top of the organization. It stresses the
critical role senior management plays in ensuring the effective implementation and maintenance. It places accountability exactly where it
should be at the most senior level within the organization. Senior
management is the key player in many of the key business continuity
elements and must take an active role in the program. While this is
critical, it is also the single most elusive element for most practitioners. It’s something that just cannot be mandated by a standard.
The new standard also has an increased focus on business conti-
nuity training, awareness, and competency within the organization.
I strongly agree this is one of the key success factors in gaining
an enterprise level of awareness and engagement. NFPA 1600 also
recognizes these as key success factors in its 2010 version.
Most Glaring Omission
All of the existing standards fail to adequately address the
interdependencies with the other “operational risk” oriented
elements now pervasive within larger organizations. Business
continuity cannot effectively operate as a “stand-alone” entity.
At some point a standard needs to be developed and incorporate
within that standard the critical interdependencies that directly
affect the efficacy of the business continuity program elements.
So far that standard has not been written. Within the annex the
relationships and interdependencies are barely touched.
The standard as a narrowly focused business continuity standard is a step down from the previous ASIS Resiliency Standard
that presented, while still incomplete, a more broadly scoped and
somewhat integrated standard incorporating a subset of key operational risk elements. The profession is still waiting for the standard that mirrors modern operational risk requirements that will
define a more integrated and cost effective approach to increasing
resiliency and ensuring continuity of operations. So, what’s next?
Cole Emerson, CBCP, is president of Cole Emerson and Associates, Inc. He
is an internationally-recognized expert in the field of business continuity planning and a member of the Disaster Recovery Journal Editorial Advisory Board.
THE RIGHT ANSWER...
TO THE RIGHT QUESTION
EMERGENCY RESPONSE ALLIANCE
Firestorm’s unique PREDICT. PLAN. PERFORM.™ Process is the foundation for a next-generation suite
of consulting services, tools and software that create resilient, disaster-ready organizations.