Private Sector Preparedness Program provides business continuity options

The best way to describe the current state of business continuity standards in the U.S. is "standby mode." The Federal Emergency Management Agency (FEMA), charged with implementing a Private Sector Preparedness Program (PS-Prep), as specified in Title IX of P.L. 110-53

    Requires Free Membership to View

    Login

has completed the following:

At some time in the future, FEMA will release a summary of the meeting results.

So, what does this mean to you as a business leader? Should you look further into the standards and possibly select one for your firm to adopt? The good news is that you have three from which to choose. (There are numerous other business continuity standards; these are simply the ones the U.S. government has selected.) This is certainly better than the situation in other countries, which either have one such standard of their own, one that was developed in another country, or none at all.

'Getting it'

In the U.S., business continuity traditionally has been ignored as an unnecessary expense with minimal chance of providing a return on investment -- except perhaps in the aftermath of a disaster. In other countries, such as the U.K., Singapore and Australia, for example, business continuity is quickly becoming a key aspect of business. Standards in those countries are eagerly anticipated and readily adopted. In short, these nations "get it."

Let's return to these shores, however. If your business has anything to do with banking; investment banking; utilities; and the oil, chemical, nuclear and maybe a few other vertical markets, you're aware of business continuity (or similar activities) because they're required by your regulators. The rest of U.S. businesses have no such requirement. The government appears to be gently easing us into business continuity with the PS-Prep program. At the moment, accreditation is voluntary -- which kind of takes away any sense of urgency or necessity.

Important questions

Let's ask some important questions: Will your business be affected -- for example, shut down, penalized or fined -- if you don't have a business continuity program? If your business is among the many that aren't regulated, the answer is "no."

By contrast, could competition make business continuity a desirable activity? The answer is "maybe." Here's an example: In some sectors, firms soliciting new suppliers or business partners seek evidence of business continuity programs that are documented and in use. The presence or absence of such a program may not be a show-stopper by itself, but could be the deciding factor if the finalists and their capabilities are otherwise identical. Could that affect your business?

Here's another thought: Regardless of the size of your business, you're always looking for ways to differentiate yourself from and beat the competition. Could a business continuity program provide a competitive advantage? The previous paragraph certainly suggests it.

More about business continuity
A business continuity management standard would offer consistency 

Are mandatory business continuity management standards good business? 
So, where do standards enter the game? Clearly, if you decide there are sound business reasons for introducing business continuity, will any standard do? The answer is "yes." The activities associated with business continuity are largely unchanged from their roots back in the 1960s and '70s. Sure, some processes have been updated, and lots of new definitions have been introduced. But the basic premise of business continuity -- ensuring that your business can return to normal following a disruptive event -- is unchanged. A closer look at the three standards that FEMA currently supports shows that -- with variations in language and structure -- each standard says virtually the same thing!

Can you continue business as usual without a business continuity program? Absolutely. Can your business survive without adopting a business continuity standard? Same answer. So, is it necessary to go any further? Nope. Can you go home now? Yep.

Considering governance

All that having been said, let's briefly examine the issue of governance, as that word describes how you run all aspects of your business. Let's assume you have invested much into your business to make it a success. Doesn't it also make good sense to ensure your business stays in business, especially when you're faced with an incident? How do you currently do that? How do you keep your business running? This is where business continuity -- standards notwithstanding -- becomes a key part of your firm's governance.

If you decide in favor of business continuity … use standards to help you design and establish a business continuity program.
,
Assuming you decide, from the perspective of governance or competition or maybe both, that it makes sense to protect your business and keep it running. What would you do? If you decide in favor of business continuity, and it is worth the investment, use standards to help you design and establish a business continuity program. Which standard is the best for such an activity? Probably the BSI Group's BS 25999, because besides being well-organized, it is widely considered an auditable standard. Any one of the three PS-Prep standards will work, however. Do the homework and review each standard to see which most fits your organization.

Summary

Business continuity standards are definitely right, provided you are comfortable with the rationales you use to justify business continuity. If you elect not to pursue business continuity, standards clearly make no sense. In this article, however, we have suggested a few strategies that may be worthwhile. A lot of work has gone into the current crop of business continuity standards. Each is good; each provides all you need. So, take the next step.

Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is secretary of the Business Continuity Institute USA Chapter. Email him at editor@searchcompliance.com.


This was first published in February 2010

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top