Standard Issue: Is Your BCM Standard Making Things Worse?

Sometimes business continuity or BCM standards can go from making your program better to holding it back. This can happen if you use the wrong standard or take the wrong approach to aligning with it.

In today’s blog, we’ll talk about how your BCM standard can sometimes be more hindrance than a help. We’ll also share five questions you can ask yourself to see whether your approach to adopting a BC standard might be causing more problems than it solves.

THE POWER OF STANDARDS

At MHA Consulting and BCMMETRICS, we are big fans of business continuity management (BCM) standards. Our CEO Michael Herrera has written a number of blog posts discussing their benefits.

Here are a couple you should check out:

• Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
• How to Go from Adopting a BC Standard to Knowing What to Do to Comply with It

As Michael says in the first post mentioned above:

With every standard, the underlying framework is the same: in the professional judgment of the people who wrote the standard, the steps and benchmarks that it prescribes are their recommended recipe for creating a resilient, effective business continuity program.

He goes on to add:

A standard is not simply a bunch of hoops that you must jump through. It is a treasure trove of advice assembled by disinterested experts on how business continuity professionals like you can successfully carry out the mission of protecting their organizations in case of emergencies and disruptions.

You’ve probably heard of the most widely used BC standards. They include:

• ISO 22301
• FFIEC
• NFPA 1600
• NIST 800
• ITIL

For an overview of the main BC standards, check out this post from Michael. You might also take a look at “Chapter 5: Align with Standards,” in his free ebook 10 Keys to a Peak-Performing BCM Program.

However, if standards can bring great benefits, they can also cause problems.

WELCOME ABOARD THE BLACK PEARL

Have you seen the Pirates of the Caribbean movie The Curse of the Black Pearl? I love this dialog between Elizabeth and Captain Barbossa:

Elizabeth: Wait! You have to take me to shore. According to the Code of the Order of the Brethren—

Barbossa: First, your return to shore was not part of our negotiations nor our agreement so I must do nothing. And secondly, you must be a pirate for the pirate’s code to apply and you’re not. And thirdly, the code is more what you’d call “guidelines” than actual rules. Welcome aboard the Black Pearl, Miss Turner.

That’s not a bad approach to take to business continuity standards. Sometimes, depending on the industry, an organization is required to adhere to a specific standard. For example, if it must be ISO-certified or is required to follow FINRA rules.

But more often, companies have flexibility about whether, or how, to follow a standard. For organizations in the second category, this is the beauty of standards in BC: Just like with the Code of the Order of the Brethren, they are only guidelines.

And when we serve the standard instead of letting the standard serve us, we are losing sight of our responsibilities as business continuity professionals. Our first duty is not to the standard, it’s to our programs. Sometimes, they are not the same.

WEARING HANDCUFFS

At MHA, we often see situations where organizations adopt a standard to follow, and then the standard ends up handcuffing the BCM team.

We frequently see this, for example, with the ITIL standard for IT service, change, incident or problem management. ITIL is a wonderful framework and one which we at MHA use often. However, the full implementation of all of ITIL related to IT/Disaster Recovery (IT/DR) is not practical for organizations just getting started in BC/DR.

Did you happen to see last week’s blog, Sweating the Big Stuff: 5 Things that Really Matter in BCM? Another way that standards can cause problems is by distracting attention from the things that really matter. Sometimes the use of a standard keeps the BC team from focusing on the areas that are most at risk or in need of attention.

TOO MUCH OF A GOOD THING

Here’s an example of how an overemphasis on standards can be harmful: Standards often drive an increased focus on documentation. At some organizations, this is almost the last thing they should be worrying about. Far more important, in most cases, is to work on boosting execution and capability. It’s obvious when you think about it: What is more important, having all the documentation showing how your program is following a standard, or ensuring that your remote workforce can actually work remotely or that applications can be recovered, should the need arise?

The standards exist to help organizations be prepared. Organizations do not exist to implement standards.

IS YOUR BCM STANDARD MAKING THINGS WORSE?

Here are five questions you can ask to determine whether your current approach to aligning with your standard might be counterproductive:

• How much time are you spending managing for compliance to the standard vs. implementing the strategies of that standard?
• Have you ever dismissed a potentially good (cheap, easy) solution to a business problem because it did not meet your standard? Have you done this often?
• Do you ever discount a potential risk because it is not specifically called out in the standard?
• When was the last time you considered whether the standard your organization is following is still a good match for your mission and requirements?
• Is your standard implementation consistent with today’s technology and business functions?

KEEPING THE BABY

I’m not suggesting you throw the baby out with the bath water. Keep the baby. We do want to use standards. But we should do so with discipline and an appropriate focus.

Organizations should seek standards which meet their business needs and industry requirements. The emphasis should not be on blindly following the BCM standard but on taking steps to make the organization more functional and resilient.

FURTHER READING

For more on this and other hot topics in BCM, check out these recent blog posts from MHA and BCMMETRICS:

• Shark Attacks vs. Sunburn: Preparing for the Most Likely Problems
• IT Change Management: Don’t Leave Your Recovery Environment Behind
• What Is Chaos Engineering and Why Should I Care?