Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now

If I told you about something you could do that would swiftly vault your organization into the ranks of the elite, in terms of your business continuity management program, would you do it? Would you at least be interested in learning more about it?

There is such a step you can take, and it’s so easy, inexpensive, and helpful in terms of the direction it can give your BC program that I’m always amazed that more companies don’t do it. In fact, I would say that fewer than 10 percent of the organizations have implemented this measure, based on the informal surveys I conduct when I speak at business continuity events around the country.

What is the step I am talking about? Adopting a business continuity standard for your organization.

Now, when I say it is easy to adopt a standard I am not saying that coming into compliance with one is necessarily a piece of cake. Some standards are tougher than others to align with and some are very hard to meet indeed (here’s looking at you, FFIEC—and if you don’t know what I mean by “FFIEC” keep reading).

However, deciding which standard is right for your organization and committing yourself to coming into alignment with it is comparatively easy and brings many valuable benefits.

It’s a first step rather than a complete journey, but the importance of taking the step can hardly be overstated.

The difference between not having adopted a standard and having adopted one is the difference between wandering through the wilderness hoping you end up somewhere nice versus having a map in your hand, knowing exactly where you are on it, and having a highly recommended destination very clearly marked out for you to navigate to.

To help explain why adopting a standard is so worthwhile, it might be helpful to remind you of what a business continuity standard is.

With every standard, the underlying framework is the same: in the professional judgment of the people who wrote the standard, the steps and benchmarks that it prescribes are their recommended recipe for creating a resilient, effective business continuity program.

A standard is not simply a bunch of hoops that you must jump through. It is a treasure trove of advice assembled by disinterested experts on how business continuity professionals like you can successfully carry out the mission of protecting their organizations in case of emergencies and disruptions.

Have I convinced you about the wisdom of adopting a business continuity standard? Well, hopefully, you’ll at least think about it, if your program is one of the 90 percent or so that has not yet committed to one of them.

If you are interested in adopting a standard, you might appreciate a refresher regarding which standards are out there.

I’ll round out today’s blog by giving a brief description of each of the five main BC standards then offering a few suggestions regarding which ones are best suited for different industries and situations. (For even more information on standards, see Chapter 5 of my e-book, “10 Keys to a Peak-Performing BCM Program,” which you can download for free here.)

In alphabetical order, the five main business continuity standards are:

• Business Continuity Institute (BCI) Good Practice Guidelines. Industry agnostic. Inexpensive (less than $250). From the UK. Similar to ISO 22301 (see below) but goes one level deeper. 
• Federal Financial Institution Examination Council (FFIEC) IT Examination Handbook. Originally intended for the financial industry. Free. The gold standard. The most aggressive standard in the U.S. marketplace. Has greater governance, risk assessment, business impact analysis, planning, testing, and maintenance requirements than any other standard. Most likely a requirement if your organization is a bank, and hard to comply with even for the best of them. Sometimes chosen by ambitious non-bank organizations that are intent on building top-notch programs.
• International Organization for Standardization ISO 22301. Industry agnostic. More expensive ($500). Widely used and backed by the most authoritative standards-making body in the world. High-level and strategic. Because of its brevity (it’s only 20 pages long), it does leave some room for interpretation. The lack of specificity can be a problem in that it doesn’t tell you exactly what you need to do. Sometimes people who use it are unclear whether they’re in compliance or not.
• National Fire Protection Act (NFPA) 1600. Industry agnostic. Free. Recently updated and extremely thorough. Covers business continuity needs from end to end. Not only strategic but tactical. Easy to understand. Gets down in the trenches with you, telling you what you should and shouldn’t do.
• National Institute Standards Technology (NIST) 800. Industry agnostic. Free. Totally IT-focused. Says, “Here’s what you should do for your IT” in terms of making sure data is backed up properly and how to recover it. Very detailed and thorough. Originally intended for use in government, but any organization can use it. Not used as much for general disaster recovery.

Which standard should you use? As I mentioned, if you’re a financial institution, you probably have no choice. You almost certainly have to comply with FFIEC. You also might like FFIEC if you’re not a bank but are committed to building a top-flight program (and have the resources to do it).

That said, I’m a big fan of the NFPA 1600. I think it’s a great place to start for most businesses. It’s thorough, to the point, and is applicable across a wide spectrum of industries. It can guide you in everything from overall strategy to the specific steps you should take, stage by stage.

I’ll send you on your way with three final recommendations:

• Adopt a standard!
• In choosing a standard, seek one that makes sense for your industry, ambitions, resources, and regulatory situation.
• Once you’ve adopted a standard, use it to evaluate your program. Do a self-check. See where you stand, identifying the gaps in your program and making a roadmap for improvement—then start improving!

Need Help Complying with These Business Continuity Standards?

Standards compliance is critical, but it doesn’t have to be hard.

Our BCMMetrics™ software tools support business continuity for healthcare providers, financial institutions, and many other industries—including the comprehensive measurement of programs and their alignment with the standards.

Do a self-assessment of your program with our Confidence Compliance (C²) tool, which is automatically updated to align with eight industry standards, including FFIEC. You’ll get a score for your compliance level and an evaluation of areas that need improvement. You can also print out management reports—summary or detailed—that are easy to read and easy to share. If you receive a high score, you can be certain your program is compliant.