The best way to describe the current state of business continuity standards in the U.S. is "standby mode." The Federal Emergency Management Agency (FEMA), charged with implementing a Private Sector Preparedness Program (PS-Prep), as specified in Title IX of P.L. 110-53, has completed the following:
- Proposed three standards (NFPA 1600, BS 25999 and ASIS International's SPC.1-2009)
- Selected the ANSI-ASQ National Accreditation Board to establish accreditation and certification requirements for PS-Prep
- Solicited comments on its proposed standards at a series of "town meetings" in 10 U.S. cities.
At some time in the future, FEMA will release a summary of the meeting results.
So, what does this mean to you as a business leader? Should you look further into the standards and possibly select one for your firm to adopt? The good news is that you have three from which to choose. (There are numerous other business continuity standards; these are simply the ones the U.S. government has selected.) This is certainly better than the situation in other countries, which either have one such standard of their own, one that was developed in another country, or none at all.
In the U.S., business continuity traditionally has been ignored as an unnecessary expense with minimal chance of providing a return on investment -- except perhaps in the aftermath of a disaster. In other countries, such as the U.K., Singapore and Australia, business continuity is quickly becoming a key aspect of business. Standards in those countries are eagerly anticipated and readily adopted. In short, these nations "get it."
Let's return to these shores, however. If your business has anything to do with banking, investment banking, utilities, or the oil, chemical, nuclear and maybe a few other vertical markets, you're aware of business continuity (or similar activities) because they're required by your regulators. The rest of U.S. businesses have no such requirement. The government appears to be gently easing us into business continuity with the PS-Prep program. At the moment, accreditation is voluntary -- which kind of takes away any sense of urgency or necessity.
Let's ask some important questions: Will your business be affected -- for example, shut down, penalized or fined -- if you don't have a business continuity program? If your business is among the many that aren't regulated, the answer is "no."
By contrast, could competition make business continuity a desirable activity? The answer is "maybe." Here's an example: In some sectors, firms soliciting new suppliers or business partners seek evidence of business continuity programs that are documented and in use. The presence or absence of such a program may not be a show-stopper by itself, but could be the deciding factor if the finalists and their capabilities are otherwise identical. Could that affect your business?
Here's another thought: Regardless of the size of your business, you're always looking for ways to differentiate yourself from and beat the competition. Could a business continuity program provide a competitive advantage? The previous paragraph certainly suggests it.
Can you continue business as usual without a business continuity program? Absolutely. Can your business survive without adopting a business continuity standard? Same answer. So, is it necessary to go any further? Nope. Can you go home now? Yep.
All that having been said, let's briefly examine the issue of governance, as that word describes how you run all aspects of your business. Let's assume you have invested much into your business to make it a success. Doesn't it also make good sense to ensure your business stays in business, especially when you're faced with an incident? How do you currently do that? How do you keep your business running? This is where business continuity -- standards notwithstanding -- becomes a key part of your firm's governance.
Business continuity standards are definitely right, provided you are comfortable with the rationales you use to justify business continuity. If you elect not to pursue business continuity, standards clearly make no sense. In this article, however, we have suggested a few strategies that may be worthwhile. A lot of work has gone into the current crop of business continuity standards. Each is good; each provides all you need. So, take the next step.
Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is secretary of the Business Continuity Institute USA Chapter. Email him at firstname.lastname@example.org.