While the issue of disaster recovery and business continuity management (BCM) standards is in a state of flux in the U.S., in other countries it's a fact of life. For example, countries such as the United Kingdom and Singapore have national standards and even legislation that supports BC. Many other nations have standards, and in this article we'll examine some of the well-established ones. The International Organization for Standardization (ISO) is also addressing business continuity, and its work could forge the basis for a global standard.
How long the U.S. and other countries with nonmandatory BCM standards can rely on voluntary compliance is a question that market forces will decide. What follows is a summary of regional standards around the world.
Canada
In Canada, the principal business continuity standard is Z1600, which was adopted in 2008 by the Canadian Standards Association. It is based on the U.S. National Fire Protection Association (NFPA) 1600 standard, and has been adapted to support Canadian interests. Like NFPA 1600, the Canadian standard addresses both emergency management and business continuity.
United Kingdom and Europe
At the leading edge of business continuity and disaster recovery for many years, the United Kingdom not only has an established standard -- BS 25999 Parts 1 and 2 -- but also legislation, in the form of the Civil Contingencies Act of 2004. Both of these underscore the country's commitment to preparing for and responding to a wide range of incidents. In the area of IT disaster recovery, the U.K. has BS 25777. The British Standards Institution is very active in standards development, not only in the U.K. but also worldwide; as a result, BS 25999 is widely used as a baseline BC standard by many member countries of the European Union. The Basel II financial industry framework also has elements that deal with risk and risk management.
Australia and New Zealand
Also very much on the leading edge of BC, Australia and New Zealand have some of the most innovative and comprehensive standards available. Standards Australia Ltd. and Standards New Zealand collaborate on these standards. The current standards in the two countries are HB 221 (Business Continuity Management Handbook), HB 292 (A Practitioner's Guide to Business Continuity Management) and HB 293 (Executive Guide to Business Continuity Management). HB 293 is unique in the profession in that it is designed to help senior management understand BC principles. The newest standards, which are set to replace these three in either 2009 or 2010, are AS/NZS 5050.1:200X (business continuity management system specification), AS/NZS 5050.2:200X (business continuity management practice standard) and AS/NZS 5050.3:200X (business continuity management audit and assurance standard).
Singapore and other Asian countries
The latest standard in Singapore is SS 540:2008, Business Continuity Management. Just passed last year, the standard underscores Singapore's growing commitment to business continuity and resilience. It is the latest in a series of Singaporean standards, a series that included the first national standard to mandate the provision of BC by vendors and other designated third-party organizations. SS 540:2008 uses the Plan-Do-Check-Act (PDCA) process advocated by BS 25999 and by key ISO standards such as 9001, 14001 and 27001.
Elsewhere in Asia, key standards include the Bank of Thailand Guideline on BCM; the SIRIM Berhad Malaysian business continuity standard; the Reserve Bank of India Guidelines for Relief Measures; business continuity guidelines from the government of Japan's Central Disaster Management Council; the Hong Kong Monetary Authority's TM-G-2 standard for BCM; and the 7/25/PBI/2005 risk management certification for banks in Indonesia.
International standards development
The ISO has been actively working on a global standard for business continuity for several years. There are many opinions as to when the new standard will be approved and released to the global business community. Two documents in particular are worth mentioning here. The first is the ISO's Publicly Available Specification 22399, a guideline for incident preparedness and operational continuity management. The second is ISO/IEC (International Electrotechnical Commission) 24762, guidelines for information and communications technology disaster recovery. The expectation is that these two documents, plus input from many others, will be among the primary foundation documents for the new global standard. The time frame for its introduction is projected anywhere from 2010 to 2013.
Compliance: Voluntary or mandatory?
U.S. legislation called Title IX, Private Sector Preparedness, is based on voluntary use of a BC standard. Unfortunately, that standard has yet to be identified. By contrast, certain business segments in the U.S., such as banking and finance, have BC standards mandated for them. In other parts of the world, compliance is often mandatory; such areas include the U.K., Singapore, Australia and Canada.
Compliance with business continuity standards is good business. It demonstrates that a company is firmly committed to protecting its business and ensuring that it can continue in the aftermath of an incident. It shows prospective investors, vendors, employees or other stakeholders that the company recognizes the importance of identifying and managing risk, and protecting its investments in people, process and technology.
Lack of interest in, or reluctance to implement, business continuity can be reversed by mandatory legislation or standards. At the moment only a few countries have made BC mandatory to any extent, as noted previously. Certain vertical markets also mandate it, regardless of the country. In time, market forces such as competition and corporate image may spur acceptance and implementation of BC standards.
Clearly, interest in business continuity and related activities is growing worldwide. The issue of compliance moves at different speeds depending on the nation. Ultimately, acceptance of and compliance with BC standards and legislation will increase the ability of public- and private-sector entities to ensure their resilience.
Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter. Write to him at firstname.lastname@example.org.