
Business continuity standards, certification get legal push

Business continuity standards and business continuity certification are in process with the Department of Homeland Security, whose voluntary program may save enterprises money.

Business continuity management (BCM) tends to play second fiddle to disaster recovery at many companies, attracting fewer dollars and less attention from business executives. The recovery of IT infrastructure, a discrete and concrete task, is easier to think about than the continuity of all the people and processes required to run a business, even though business continuity standards, frameworks and certification programs are available.

But attitudes may change, with a shove from the federal government. The Department of Homeland Security is in the process of setting up the Voluntary Private Sector Preparedness Accreditation and Certification Program.

The goal of this voluntary program, which is contained in Title IX of the Implementing Recommendations of the 9/11 Commission Act of 2007, is to develop a comprehensive set of business continuity standards by which American businesses can assess their preparedness for all hazards.

Although the law was signed on Aug. 3, 2007, thus far progress has been slow. The Department of Homeland Security has designated an officer and in July finally named an accrediting body, the ANSI-ASQ National Accreditation Board, headquartered in Milwaukee. But efforts to finalize Title IX seem to be picking up. The first of two public meetings calling for comment from the business community was held Jan. 13.

The word voluntary has understandably triggered the belief that Title IX is a precursor to public business continuity standards

Roberta Witty, an analyst at Stamford, Conn.-based Gartner Inc., agrees that progress has been slow. But, in addition, there are a number of obstacles that have not been clarified yet. For starters, backers wrote the law without a full understanding of the business continuity standards landscape.

"They didn't really know the law of the land, or they thought they were going to be able to push through their own standards," Witty said. "That ain't happening. There are enough frameworks in the marketplace." The financial services industry's Federal Financial Institutions Examination Council (FFIEC) handbook for business continuity, to name just one, is massive and possibly the best implementation guide out there, Witty said. "Financial services do not want to have to reinvent the wheel."

Nor is it a done deal that businesses will get lower business interruption insurance premiums for being certified, Witty said. "That's not how the insurance companies do it today." Plus, lawyers have weighed in on issues surrounding the disclosure of sensitive business continuity plans. "There's a lot of politics," she said. And who knows what the new administration's take will be?

But even if the value of the government's voluntary business continuity certification is still unknown, industry pundits like Witty say companies cannot afford to ignore BC standards, and, yes, that means small and medium-sized businesses, too.

"In some ways, it applies to midsized enterprises even more," Witty said.

Galvanizing business continuity in the midmarket

If you are a supplier to one of the big companies -- a Wal-Mart or a Boeing, or the military -- you may already have been required to show evidence of a certification-ready business continuity program, Witty said. "The big fish will start asking the small fish how they meet the recovery requirements."

Business continuity certification is available from a plethora of BC standards bodies, ranging from industry-based regulators such as the FFIEC to industry-neutral frameworks like the Information Technology Infrastructure Library. No framework seems to hold more sway than another; choosing the right route to business continuity certification will likely depend on the type and size of your business, analysts stressed.

Two business continuity standards getting a lot of attention are the British Standards Institution's BS 25999, which focuses on business continuity management, and National Fire Protection Association 1600 (NFPA 1600), which focuses on emergency and disaster recovery preparedness and provides overall guidance on BCM.

BS 25999 is certifiable, and the British Standards Institution expects it to become an International Organization for Standardization standard by about 2011. NFPA 1600 is not certifiable.

Forrester Research Inc. is advising organizations seeking to establish or assess a BCM program to start with BS 25999. Even if you don't pursue certification, you can still use the standard as a business continuity framework.

NFPA 1600 is popular with government agencies and not-for-profit groups in North America, so if you are a supplier or partner to these types of organizations, familiarize yourself with the NFPA 1600 standards. 

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

