Should You Use Business Continuity Standards?

Here’s a question I like to pose to clients who are reluctant to adopt or embrace business continuity (BC) standards for their program: Would you trust your life to an airline that didn’t follow safety standards?

How about a hospital that didn’t comply with standards of care? Or a drug company that pieced together its own manufacturing and quality standards instead of following prescribed ones? The answer is always: No way.

Each of the examples above represents a life or death situation, so they might seem like extreme comparisons. But your business continuity program is also protecting a life—the life of your business.

Why is it smart to adopt business continuity standards?

Standards in general are an agreed-upon way of doing something—making a product, developing a program, implementing a process, delivering a service, etc. Across all industries, standards represent the collective wisdom of a group of experienced, knowledgeable people who’ve been down that road (whatever road it is) many times before.

Like any set of standards, business continuity standards draw on the considerable expertise and experience of numerous practicing professionals who have turned the complexities of business continuity into a science. Building a program without following any standards is like building a house without any regard for building codes. In both cases, the potential for success is greater when you’re practicing your trade using methods that have already been proven to work.

There are several well-known business continuity standards, including the ISO standards for business continuity, the NFPA 1600, the BCI Good Practice Guidelines, and many more. When you “adopt” one or more sets of standards, it means you make a formal commitment to developing your program using those standards as a framework. Companies that do not embrace standards may still have business continuity programs, but those programs are often made up of elements that are more likely chosen for their ease of completion than for any real interest in business continuity.

There are numerous good arguments to be made in favor of standards adoption, among them:

• Recovery potential is higher. Companies that use business continuity standards as a guide for their program are much better prepared to keep their critical functions up and running in the event of a disruption than those that don’t. Standards adoption is taking a proactive approach to business continuity.
• It’s easier to build your program. Searching the internet to string together various components of a BC program is actually more difficult than simply following a recipe that has already been written. Plus, there’s no guarantee that what you’ve come up with will work.
• It provides proof to stakeholders that you are running your business responsibly. Building a BC program according to the specifications of a rigorous set of standards shows stakeholders that you’re committed to protecting your (and by extension, their) well-being. (If your customers knew that survival was not among your priorities, would they still want to do business with you?)
• It minimizes downtime. Any business that adheres to an exacting set of BC standards reduces the amount of downtime experienced during an event simply because there are processes in place, people who know what to do, and faster response times overall.

Hesitant to commit to a standard? Here’s what I’d say…

In spite of the benefits to be gained by embracing a set of standards, few business continuity managers do so. Many are worried about achieving the high level of rigor required by the standards. (Yes, they are rigorous.) Others are hesitant to measure how well their program is really doing. (If it’s not doing well, then what’s the point of having it?)

Here are some other statements I’ve heard when it comes to adopting business continuity standards:

• “Standards adoption requires too much money, too many resources, and too many people.” This is the most common concern. But if you implement the standards properly, the cost of adoption isn’t what you’d expect. You will incur higher costs during the implementation phase—the first couple of years—but once the standards have been implemented, the costs go down. It’s like working out at the gym—if you haven’t been there in a while, you have to work hard to get in shape initially, but once you’ve reached a certain level of fitness, it’s not as challenging to maintain it.
• “My business/industry doesn’t need to reach the highest level of protection.” Adopting a set of standards isn’t all about meeting each one to a T; it’s more about ensuring you have all the necessary components for a strong business continuity program. If you don’t feel you need to be world-class in a particular area of the standards or you don’t think you can afford to institute certain components, then simply decide on a more moderate level of implementation in those areas. You’ll still be better off than you are not following any standards at all.
• “My business/industry is not regulated.” Planning for survival is important even if you’re not in a regulated industry—not only for the sake of your customers but for your employees as well. A strong business continuity program that’s compliant with the standards will provide your company with all the benefits listed above.
• “Complying with the standards will take too much time.” Bite-size implementation steps will reduce the overall amount of time you invest in the process and still get you where you need to be. Start by doing a quick review to see where you stand, and determine what actions will reduce your risk the most over time. From there, build a road map for slow implementation, outlining what to do in year one, year two, and so on. By year five, you’ll have achieved your goal and reduced your risk.

Do you need help building a program aligned with business continuity standards?

With all the time, money, and effort you’re already putting into your business continuity program, why not be assured that it will work? The best way to do that is to build your program from the start around the appropriate set of industry standards. If you need guidance on choosing the right standards or how to start implementing them in your program, schedule a consultation call with one of our experts.

Or, take all the guesswork out of the equation and simply try our Compliance Confidence (C²) tool on your own. Part of the BCMMetrics™ suite of business continuity software, this cloud-based self-assessment tool was specifically designed to evaluate your business continuity program against multiple major industry standards, including the ISO standards for business continuity, FFIEC, NFPA 1600, and BCI Good Practices. It’s easy to use and walks you through a set of evaluation questions that you can complete at your own pace. A simple scoring system not only gives you an overall score for your compliance with the business continuity standards; it also provides you with areas of success and opportunities for improvement.