Meeting the Standard: The 3 Scenarios Encountered in Complying With BCM Standards
Many people are confused about what it means to comply with a business continuity standard and when a company should do this. There are three scenarios under which a company might be complying with a BCM standard—regulatory, contractual, and voluntary; in today’s blog, we’ll look at each one.
Related on MHA Consulting: Standard Issue: Is Your BCM Standard Making Things Worse?
BCM Standards in Brief
A business continuity standard is a collection of actions, benchmarks and documentation that provide guidance and verification for creating an effective BCM program. Standards are devised by experts working for standards-making organizations, such as the Business Continuity Institute or the International Organization for Standardization. Many standards have BCM related components.
There are several main standards used for BCM:
- National Fire Protection Act (NFPA) 1600
- International Organization for Standardization ISO 22301
- Federal Financial Institution Examination Council (FFIEC) IT Examination Handbook
- Business Continuity Institute (BCI) Good Practice Guidelines
- National Institute Standards Technology (NIST) 800
For a description of each standard, see this post by MHA Consulting CEO Michael Herrera.
To a comply with a given standard means to follow its provisions, in a provable, verifiable manner.
Let’s look at each scenario under which a company might be required to-or choose to-comply with a particular BCM standard.
Complying with BCM Standards for Regulatory or Legal Reasons
The first of the three scenarios for complying with a BC standard is for regulatory or legal reasons: It’s mandated by the regulations governing your industry. If a company is found to be out of compliance with a required BC standard, it can face fines and other sanctions. In severe cases or long term lack of compliance, the business or its ability to perform services can be shut down.
Compliance with a BC standard is commonly required in highly regulated industries such as finance and healthcare.
If you work in a BCM office in such a company, your obligation is to understand what standard(s) your company must follow and bring your BCM program into compliance with that standard’s provisions and benchmarks.
If you are audited, whether internally or by an external regulating authority such as FINRA, you need to be able to prove that you are following the required standard components.
The purpose of such standards is to ensure that your organization, most likely part of a critical sector of the economy, will be resilient, if and when a disaster occurs.
Complying for Contractual Reasons
The second scenario in which a company might strive to comply with a BCM standard is for contractual reasons.
This situation is becoming increasingly common in today’s world.
In this scenario, the organization must comply with a BC standard in order to meet the terms of a contract to which it is a signatory, often a contract to supply a critical good or service to another organization that must itself comply with a BC standard for legal reasons. Alternately, the customer company might simply insist on proof of compliance by the supplier to protect its operations, as part of a non-mandated commitment to resiliency.
Moving forward, two factors are likely to increase the use of contractual language requiring a supplier to comply with a certain BC standard: The increasing intricacy of companies’ supply chains, and the growing awareness on the part of customer companies that their operations are only as secure as those of their critical suppliers.
Voluntary Compliance
The third scenario under which a company might commit itself to following a BC standard is that of voluntary compliance, where the company decides to follow a standard not because it has to but because it wants to.
Why would a company voluntarily undertake such a rigorous and challenging project?
The answer is, because its leaders want an objective and best practices guide to ensure it is in a position to ride through the inevitable shocks and impacts of contemporary business life. And who understand that complying with a good BC standard is one of the best ways of doing that.
Moreover, savvy executives understand that in today’s world, being able to truthfully claim that one’s company is ISO 22301–certified, or whatever it might be, is a strong selling point. It demonstrates a level of preparedness and resilience that can make the difference to potential customers, even in the absence of contractual language requiring such certification.
However, a company doesn’t have to go “all the way” with a BC standard to derive significant value from it. The main BCM standards are repositories of great advice. They provide a framework any organization can leverage to strengthen its BC position. Even following only a portion of their provisions can make a make a big difference in a company’s resilience.
Following the law, meeting one’s contractual obligations, and creating a selling point are all compelling reasons to comply with a BC standard.
Just as compelling—if not more so—is the simple motive of corporate self-care: the company looking after itself to protect its operations, its stakeholders, and its future. One of the best ways of doing this is by voluntarily complying with a BC standard, to whatever degree makes sense.
Three Scenarios But a Single Purpose
There are five main business continuity standards: NFPA 1600, ISO 22301, FFIEC, the BCI Good Practice Guidelines, and NIST 800. There are three scenarios under which a company might commit itself to complying with one of these standards: because it is has to in order to meet a government regulation, because it is required to in order to fulfill a contract with a customer, or because it does so voluntarily, to make itself more resilient.
Whatever the motive for complying with a standard, the underlying purpose is the same: meeting benchmarks laid out by experts in order to make the organization more resilient, more robust, more capable of weathering the disasters and impacts that are an inevitable part of business life.
Further Reading
For more information on complying with BCM standards and compliance and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
- How to Go from Adopting a BC Standard to Knowing What to Do to Comply with It
- Beyond Compliance: Other Good Reasons to Gather Your BC Program Metrics
- BCM by the Numbers: The Metrics That Matter Most
- Rating Your BC Skills: Little White Lies Can Create Ticking Time Bombs
- Standard Issue: Is Your BCM Standard Making Things Worse?
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
