Business Continuity Management: Does Your Company Meet the Standard?

 


In the U.S. and around the globe, many organizations follow business continuity management (BCM) standards in an attempt to ensure that they are meeting their BCM goals. Standards also give businesses a chance to demonstrate that they are effectively protecting their facilities, employees, assets, and stakeholders. However, just because a wide range of standards exists does not mean that organizations are meeting their recommendations. How does your company stack up?


First, let’s take a look at the BCM standards landscape—which has become increasingly crowded in recent years—and how it impacts your organization.

BCM Standards

For years, BCM professionals called for a single international standard that would reflect the increasingly global nature of many organizations. In 2012, their request was answered:

The International Organization for Standardization published ISO 22301, the first international business continuity management system standard. Two years earlier, ASIS International and the British Standards Institution had jointly published ASIS/BSI BCM.01-2010, so companies now have more than one internationally recognized statement of good practice to choose from.


In addition to ISO 22301 and BCM.01-2010, there is a range of other well-known U.S. and regional standards, including:

  • British Standards Institution: BS 25999, Parts 1 and 2 (withdrawn in 2012 and superseded by ISO 22301)
  • National Fire Protection Association: NFPA 1600 (2010 edition)
  • ASIS International: ASIS SPC.1-2009
  • ISO/IEC 24762 (IT disaster recovery services; ISO/IEC 27031 now covers ICT readiness for business continuity)
  • National Association of Securities Dealers: NASD Rules 3510/3520 (consolidated into FINRA Rule 4370 in 2009)
  • National Institute of Standards and Technology: NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems)
  • New York Stock Exchange: NYSE Rule 446 (likewise superseded by FINRA Rule 4370 for FINRA members)

Several of these apply to specific industries, such as finance and technology, or to publicly traded companies. Many countries, including Australia, Canada, and Japan, also have their own national standards. In some jurisdictions, adherence to BCM standards is required by law. In the U.S., adopting the general standards is voluntary, but sector regulators impose their own continuity requirements; for example, FINRA requires broker-dealers to maintain a written business continuity plan under the rule that replaced the NASD and NYSE rules listed above.



According to the Business Continuity Institute’s Horizon Scan Report 2016, 51 percent of the surveyed organizations said that they now use ISO 22301 as the framework for their BCM program. The standard is built around the plan–do–check–act (PDCA) management-system cycle: establish the program, implement and operate it, monitor and review it, then maintain and improve it. It sets requirements for the people, resources, and information and communication technology that support continuity; detailed guidance on meeting those requirements is in the companion standard, ISO 22313.

Does Your Organization Stack Up?

With all these competing BCM standards, how does your company stack up to established best practices?


You may have adopted ISO 22301, or you may be sticking to a previous standard. Or, as is the case at many organizations, you may not be referencing a standard at all.


Wherever your organization lands on that spectrum, it’s important to realize that BCM standards are developed to provide a framework for ongoing success. It’s up to you and your team to develop and maintain the plan, get buy-in from leadership, and ensure the program gets the necessary support.


As you consider the success of your BCM program, ask yourself the following questions:

  • Does your leadership team provide sufficient resources to support a full-fledged BCM system? Does the leadership team understand the importance of BCM?
  • Have you developed a BCM program that is well-suited to your organization, its risks, needs, and ongoing goals? Remember that each business is unique, and your program should reflect that.
  • Does your plan align with overall business continuity objectives? Are your goals relevant and measurable?
  • Have you looped in relevant stakeholders, such as contractors, suppliers, and first responders? Does each group know its role within the BCM program?
  • Does your organization have effective communication channels in place to relay information with stakeholders before, during, and after an incident?
  • Does your program include regular audits and continual improvement?   

Remember—business continuity management is a continual process, not a “one-and-done” task. Standards like ISO 22301 exist to help organizations like yours work through the important tasks associated with successful BCM and ensure you are benefiting from widely accepted best practices and industry knowledge.  


As Stefan Tangen, secretary of ISO/TC 223, Societal security, and Dave Austin, project leader for ISO 22301, write, “Rather than being simply about a project or developing ‘a plan,’ BCM is an ongoing management process requiring competent people working with appropriate support and structures that will perform when needed.”


Does your organization follow a BCM standard? Why or why not?
