What motivates an organization to adopt a business continuity program? Why do some organizations lead while others follow in this important discipline? Why do some companies build a sophisticated, mature business continuity management (BCM) program while others simply skim the surface of business continuity? These and other questions related to BCM are driven by a number of factors, including standards and regulations as well as organizational and human factors.
The creation and maintenance of a sound BCM program requires a disciplined approach to assessing organizational assets and then creating strategies to protect these assets. The organization's BCM program must be championed by the executive management of the organization to ensure the proper visibility and support for the program. If this support is not in place, the BCM program is almost guaranteed to fail or, at best, have a minimal impact on protecting the assets of the company.
The most prevalent factor affecting the awareness, existence and maturity of a BCM program in an organization is the presence of regulations mandating business continuity initiatives. These regulations take many shapes and forms addressing various BCM disciplines. Regulations that include business continuity provisions are emerging on a regular basis. Some of these regulations are industry specific, addressing certain market segments such as the business continuity provisions contained within the operational risk guidelines of the Basel II Accord for financial institutions or the Brazilian Central Bank Resolution 3380 establishing BCM rules and responsibilities.
Regulations drive the awareness of business continuity up to the highest management and board levels of the organization, resulting in varying degrees of executive commitment. In some cases, these regulations simply force companies to comply at a minimal level in order to meet audit requirements. Other organizations take a more proactive approach to business continuity, using the regulations as a catalyst to develop and maintain a mature business continuity program with automated and integrated continuity management solutions. Organizations that take this proactive approach, versus the reactive "I'm doing this just to pass an audit" approach, see greater returns on their BCM investment. As these more mature programs develop, they focus not only on the most critical portion of the company but also extend their purview to all parts of the organization. Mature BCM programs assess risk and vulnerabilities associated not only with their internal workforce, physical assets and infrastructure; they also look externally to assess their supply chain and vendors' disaster preparedness. This dual strategy of looking inward and outward provides a 360-degree view of the BCM landscape, ensuring not only that the company's internal team is prepared, but also that the company is protected against interruptions to normal business activities resulting from a disaster or disruption to a key supplier or vendor.
Various BCM and crisis management standards also have emerged over the last few years. Some of these standards are countrywide, such as Singapore's SS540:2008, which specifies the requirements for organizations to build competence, capacity, resilience and readiness to respond to and recover from events which threaten to disrupt normal business operations. The regulations also stipulate the requirement to attain and maintain readiness to deal with risks and risk events faced by the organization due to the nature of their businesses, external environment or regulatory requirements. In the U.S., US Public Law 110-53 was enacted in August 2007 and amends the Homeland Security Act of 2002 by providing information to the private sector regarding voluntary national preparedness standards and the business justification for preparedness.
Many of the standards receiving the most visibility globally are broad-based standards which can be followed across geographic borders and industry segments such as the BS 25999 Business Continuity Standard, BS 25777 Information and Communication Technology Standard and the US-based NFPA (National Fire Protection Act) 1600. While most organizations welcome these standards, they do at times cause confusion. The confusion lies in the fact that to date, globally recognized and accepted standards have not percolated to the top. The BS 25999 standard is working in that direction, but it is currently more widely recognized in some areas of the world, for example, Europe, than in other parts of the world, such as North America. The ultimate goal moving forward will be the creation of a unified ISO standard upon which organizations can base their BCM program, obtain certification and benchmark internal processes versus the standard.
One word of caution. As organizations are certified to a BCM standard, many tend to become complacent and do not strive for a higher level of maturity. There are a number of BCM maturity models that measure an organization's maturity as it relates to BCM. BCM professionals and organizations must be motivated to move to a higher maturity and certification level. This motivation in the future may come from insurance companies who recognize that sound business continuity practices and higher levels of maturity result in a lower risk to the insurance carrier. These lower risks should equate to lower insurance policy premiums and thus provide the motivation for continued BCM maturity.
Automated continuity management solutions aid in the assessment of the financial and operational impacts of a disaster, the assessment of risk, workforce and vendor preparedness, and the creation and testing of the business continuity plans. During a disaster or incident, automated command center solutions and emergency notification solutions aid in the dissemination and collection of information, which promotes prompt, informed decision-making. Current BCM standards such as the BS 25999 also aid organizations in establishing a foundation for their continuity management program. These standards, as well as new emerging standards, will provide a roadmap toward greater BCM maturity in the future.
Regulations and standards are indeed the predominant driving force behind BCM awareness and acceptance today. Human nature dictates that a majority of the time, we tend to only do something when we are forced to do so, not voluntarily. Initiatives are undertaken out of necessity. BCM is no exception for many companies. Organizations who have not felt the effects of a disaster or severe interruption and are not compelled by regulation often do not implement a business continuity program. However, higher awareness of catastrophic global events, pandemics, natural disasters, power outages, civil unrest and other disruptions is driving all organizations to take a closer look at BCM.