CHAPTER 10
Business Continuity Standards, Regulations, and Requirements

AS BUSINESS CONTINUITY planning further matures, the search continues for improvements and methods to measure levels of continuity competency. Any inclusive discussion of business continuity today requires addressing the rapidly changing regulations, guidelines, and standards that directly and indirectly impact how the sufficiency of a continuity program is measured.

Specific guidance is invaluable when a new continuity program is being developed and in the continuing efforts to identify ways to improve an existing program. There is a need to know that steps being taken will result in the organization being better prepared and more capable and that stakeholders can be assured that current best practices are used to maintain an acceptable level of continuity competency.

There is an accompanying business need by organizations for an objective method to assess the continuity capability of suppliers, outsourcing companies, and other groups that support time-critical functions that are essential to the core operations of the organization. Equally important is that organizations have a way of determining that the companies and individuals with whom they contract for continuity services and planning assistance are qualified.

Regulations, Planning Guidelines, and Standards

With enterprise risk management increasingly seen as a core business practice, there has been an upsurge of interest and new developments around continuity regulations, guidelines, and standards. After almost twenty-five years of slowly increasing activity, the events of 9/11 and the increasing interest in and need for business continuity standards have resulted in a significant increase in the volume and frequency of actions in these areas.

Regulations

Some organizations must follow regulations, created and enforced by recognized regulatory bodies, that include business continuity requirements. Regulations require compliance, and failure to meet them can result in fines, penalties, or sanctions. At the federal level in the United States, some of the agencies that have regulations are the Government Accountability Office (GAO), Securities and Exchange Commission (SEC), Federal Reserve, Federal Electric Reliability Council (FERC), North American Electric Reliability Council (NERC), Joint Commission on Accreditation of Healthcare Organizations (JCAHO), and the Food and Drug Administration (FDA). Typically, the regulations are very specific in nature and are usually mandated and punitive. They require organizations to develop and maintain continuity capability. Many state and local authorities have the same requirements. Recently, a partial list of U.S. regulations that included business continuity implications numbered over 120, and it is highly unlikely that the list will ever stop growing—at least as long as there are lawmakers and public officials. New regulations and laws will almost certainly be frequently added to the list.

For companies with global operations, the requirements in the country where they are based may be only the tip of the iceberg. Every country in which they conduct business may have its own set of regulations that must also be followed.

Planning Guidelines

Guidelines are produced by professional organizations and set best practices for operations and controls. They are non-punitive and provide program guidance and criteria. Some include guidance for a self-audit. Many trade groups and other professional organizations have developed a range of guidelines and best practices for building organizational resilience. While best practices usually have superior results when applied and used as benchmarks, no one set of guidelines is always best for every organization.

To be truly effective, guidelines must be regularly revised to include newly improved practices. Here are some organizations that have developed guidelines:

•   The Disaster Recovery Institute International (DRII) developed Professional Practices for Business Continuity Planners, a set of ten best professional practices for business continuity and disaster recovery planning that provide a benchmark for business continuity practitioners. It is available for downloading at the DRII website: www.drii.org

•   The Disaster Recovery Journal (DRJ)—in collaboration with the Association of Records Management Administration (ARMA), DRII, the Financial Services Technology Consortium (FSTC), and the National Fire Protection Association (NFPA)—created the Generally Accepted Practices for Business Continuity Practitioners (GAP). The effort also involved input from practitioners in all industries. GAP takes the best practice areas and adds definition and detail to the widely accepted ten professional competencies: BCP project initiation and management; risk evaluation and control; business impact analysis; developing BCP strategies; emergency response; developing and implementing the BCP; awareness and training; maintaining and exercising the BCP; public relations and crisis communications; and coordination with public authorities. It is available for downloading at the DRJ website: www.drj.com

•   The Federal Financial Institutions Examination Council’s (FFIEC) booklet Business Continuity Planning provides business continuity operating guidelines and guidance for examiners, financial institutions, and technology service providers to identify business continuity risks and evaluate controls and risk management practices for effective business continuity planning. It is available for downloading at the FFIEC website: www.ffiec.gov

•   The American Society for Industrial Security (ASIS) International publishes Organizational Resilience: Security, Preparedness and Continuity Management Systems, which provides auditable criteria to establish, check, maintain, and improve a program to manage disruptive events. It is available for purchase at the ASIS website: www.asisonline.org

•   The British Standards Institution (BSI), the national standards body of the United Kingdom, publishes BS-25999-Part 1, which provides best practice recommendations. A generic framework for continuity management and assistance in understanding the principles, process, and terminology of the business continuity management lifecycle, it is a guidance document only. It is available for purchase at the BSI website: bsigroup.com

•   The International Organization for Standardization (ISO) has published a new standard, ISO 31000-2009, which may result in looking at all risk management efforts, including business continuity, in a more inclusive way. ISO 31000-2009 was created by a working group representing twenty-eight countries and is a new international consensus standard that provides a broad framework for risk management. This framework is sufficiently generic to establish a common set of processes to manage risks throughout an organization. It is intended for use by all industries and business sectors and can be used by any public, private, or community enterprise, association, or group. The goal of the new voluntary standard is to make risk management fundamental to all key processes, including planning, management, and governance. It is intended to integrate and coordinate risk management processes in existing and future standards by providing a common approach in support of standards dealing with specific risks and/or business sectors. It is not intended to replace other standards. Though referred to as a standard, ISO 31000-2009 is really a set of guidelines and is not an accreditation or certification standard. It is available for purchase at the ISO website: www.iso.org

Standards

There is also increasing interest in establishing and using standards as guidance in developing and maintaining effective business continuity competency as well as to serve as a standardized guide in determining the quality and effectiveness of an organization’s business continuity program. In this context, standards are typically formally approved precise criteria—policies, procedures, and instructions from recognized standards bodies such as the American National Standards Institute (ANSI) or the International Organization for Standardization (ISO). If an organization meets these voluntary standards, the reward is often in the form of a certification issued as evidence.

There has been somewhat of a rush to meet the need for standards. This has resulted in multiple sets of standards and benchmarks that have been or are currently being developed around the world—often with some accompanying turf wars. These are in addition to existing industry-specific standards. The new standards have the potential to be far-reaching in all business sectors. As a result, while sorting through the various voluntary guidelines and certification programs and mandatory regulations, there can be uncertainty in determining which to apply as the official yardstick in measuring internal efforts to develop and maintain an effective continuity program and in determining the continuity capability of the links in the supply chain.

Multiple standards that specifically detail or imply the need for business continuity planning have been developed by organizations throughout the world. These organizations and their published standards include:

•   The British Standards Institution (BSI): BS-25999-2, 2007: Business Continuity Standards, Guidelines, and Voluntary Audit and Certification

•   The National Fire Protection Association: NFPA 1600-2010: Standard on Disaster/Emergency Management and Business Continuity Programs

•   The International Organization for Standardization (ISO): ISO/PAS 22399-2007, Societal Security: Guidelines for Incident Preparedness and Operational Continuity Management, among other ISO standards that directly or indirectly address business continuity–related requirements

•   The Canadian Standards Association: CSA Z1600, Standard for Emergency Management and Business Continuity Programs

•   The Singapore Business Federation: Singapore Standard SS540: 2008, revised from Technical Reference for Business Continuity

•   The Private Sector–Department of Homeland Security Partnership: Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep)

Standards apply a carrot rather than a stick by conferring a certification on organizations that successfully meet the standards.

Voluntary Accreditation and Certification

The importance and influence of certification programs have increased significantly over the past several years. This creates the potential for the eventual development of a universal set of standards that can be applied when creating a business continuity program and used in assessing the continuity capability of current critical supply chain partners as well as those under consideration for future contracts.

Today, organizations can voluntarily be audited and accredited against a choice of standards. As with any nonmandatory certification process, there are likely advantages for those who elect to utilize a certification standard. It behooves all businesses and organizations to stay informed and to consider which certification is of the greatest benefit to them, as well as which standard may be preferred in their industry or by their customers and clients. Two of the certification programs that are currently drawing significant attention are the British Standard BS-25999-2 and the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep).

BS-25999-2 details specific requirements for developing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a business continuity management system, taking into account an organization’s overall business risks. The intent of the generic requirements is that they be applicable to all organizations, regardless of type or size. Application of the standards can be tailored to meet the needs of an organization, its customers, regulatory agencies, and all business and stakeholder requirements. They can be used within the organization or by external entities to assess the organization’s capability to meet its internal continuity needs, as well as those of customers and other external stakeholders or other interested parties.

A successful audit by a third party enables an organization to demonstrate its compliance to the standard and be granted a certificate. Periodic monitoring and surveillance audits are required to validate continuing conformity to the requirements.

PS-Prep is among the newest standards. PS-Prep was mandated by Title IX of the Implementing Recommendations of the 9/11 Commission Act of 2007, directing the Department of Homeland Security (DHS) to develop and implement a voluntary program of accreditation and certification of private entities that promote private sector preparedness, including disaster management, emergency management, and business continuity programs. In July 2008, DHS announced an agreement with the ANSI-ASQ National Accreditation Board (ANAB). (The ANSI is the American National Standards Institute and the ASQ is the American Society for Quality.) The ANAB had been charged by DHS with developing, implementing, and administering an accreditation and certification program to meet the requirements of Title IX. The overriding goal is to improve private sector preparedness performance in disaster management, emergency management, and business continuity in order to enhance nationwide resilience. PS-Prep provides private entities with a methodology that will assist in effectively assessing the resilience of any organization, including critical supply chain links, as well as providing specific direction for developing an internal program.

Standards developed by the National Fire Protection Association (NFPA), the British Standards Institution (BSI), and the American Society for Industrial Security (ASIS) were selected as the basis for PS-Prep based on their scalability, balance of interest, and relevance to PS-Prep objectives. Under PS-Prep, recognition will be given to companies that have already completed preparedness measures as part of their regulatory audit process, to companies that have used existing recognized standards (such as NFPA 1600 and DRII’s Ten Professional Practices) around which they have built their programs, and to companies that have used other accepted standards.

The aim of the voluntary program, intended for all businesses and organizations in the United States, is to allow for self-certification. A company that meets PS-Prep standards can issue a first-party attestation, a declaration certifying that the company is PS-Prep compliant. Organizations may be certified by an accredited third party establishing that the private sector entity conforms to one or more preparedness standards adopted by DHS. Expectations are that if PS-Prep is widely adopted as a business continuity standard, it can play a significant role in advancing supply chain resilience by providing a widely accepted vehicle for measuring continuity capability.

Weighing the Options

Certification is awarded to an organization that has adhered to a formal process and been assessed by an independent accredited third party that validates that the organization follows the principles set out in a standard and is therefore following industry best practices. Certification involves a comprehensive, documented validation of conformity to the requirements of a given standard and demonstrates that all elements of the standard have been addressed and met. Beyond the original certification process, there is a requirement for ongoing review to ensure that standard requirements are met in order to retain the certification.

For supply chain managers and procurement professionals, certifications can:

•   Simplify the process of validating suppliers’ business continuity capability.

•   Provide a standard measure to compare potential suppliers and other business partners.

•   Serve as a supplier assessment program for organizations that have not yet developed one internally.

When an organization is the supplier or other business partner and needs to validate its capability to customers, or when an organization wants to establish and maintain a high level of continuity competency because it’s good business to do so, a certification can:

•   Demonstrate the organization’s commitment to business continuity.

•   Provide a means to provide all stakeholders and potential customers with a standardized validation of the continuity program.

•   Serve as a guide for developing and maintaining the internal business continuity program.

•   Result in possible insurance premium savings and credit rating enhancements.

While voluntary accreditation and certification programs can have significant benefits, there can be issues. If a supplier has multiple customers requesting certifications from different entities, the resulting need to be audited by and complete the paperwork required by multiple entities can become time- and cost-prohibitive. For example, PS-Prep is a U.S. standard, BS-25999 is a British standard, and neither is as yet a globally accepted standard. A global enterprise may find it difficult to determine which will better serve its needs.

There is also some pushback from businesses that believe that the last thing needed is an additional audit, even when it is associated with a voluntary program. In light of the expense and effort U.S. businesses experienced surrounding the Sarbanes-Oxley Act of 2002, this is perhaps understandable. (The Sarbanes-Oxley Act established a broad range of standards for public companies, their boards, and accounting firms.)

Organizations may hesitate to adopt any standard-based voluntary certification program until the dust has settled and there is full consensus, or at least a reasonable level of agreement, as to which of the available standards (or one yet to be released) will be the most widely accepted. As these are voluntary standards, there is no penalty for not complying, allowing leeway to wait and see how the situation unfolds and to more fully measure the value and acceptance of the available certification programs. Yet once customers begin mandating that current suppliers show continuity competency by means of a certification, or once certification becomes a requirement to submit a proposal, it is no longer truly voluntary. The marketplace becomes the driver.

There are potential gains and losses for all the entities involved. Individuals can be certified to audit programs for certification, companies can develop and deliver related training, and certifying bodies with the most widely accepted accreditation and certification programs can gain greater control and income. Accreditation should not serve as a stimulus package for consultants, trainers, publishers, and certifying organizations. The focus should be on how all organizations can become better prepared to face the challenges of operational disruptions and disasters.

Ultimately, it must be understood that even fully meeting the requirements for certification does not necessarily spell success for a business continuity program. To succeed in the real world and not just on paper, business continuity must be incorporated into the organization’s policies, day-to-day operations, and culture.

Professional Certification

Certification as a means of credentialing individuals involved in a given profession has been around since the 1920s. It is a widely accepted way to validate knowledge and skills in a given profession or activity and serves multiple purposes. For employers and clients, certification validates the individual’s professional quality standards, knowledge, and experience, as well as ongoing efforts to update skills and access the most current ideas through continuing education. Certifying organizations prescribe both a code of professional ethics and the use of approved methodologies that provide guidance to the practitioner and confidence to the employer. For the individual, certification offers recognition of professional achievement and the possibility of career enhancement.

Options for certifications to validate skills and experience in the field have increased, and each certification has an accompanying acronym. Chief among the organizations awarding certifications are:

•   The Disaster Recovery Institute International (DRII), which awards several levels of business continuity and disaster recovery planning certification

•   The International Association of Emergency Managers (IAEM), which confers the Certified Emergency Manager (CEM) and Associate Emergency Manager (AEM) designations

•   The Business Continuity Institute (BCI), which has a multiple-level certification program

There are both similarities and significant differences in the certification philosophy and methodology for measuring competency and awarding a credential:

•   DRII provides multiple levels of professional certifications. These certifications, which acknowledge an effort to achieve a professional level of competence in the industry, include an Associate Business Continuity Professional (ABCP), a Certified Business Continuity Professional (CBCP), and a Master Business Continuity Professional (MBCP). More recently, other classifications have been added to certify business continuity vendors as well as audit options. Certification is a two-part process: (1) verification of knowledge by a grade of 75 percent or higher on a written examination, and (2) an extensive written application that outlines professional experience and is reviewed and confirmed by a panel of professionals. Maintaining certification requires the submission of approved continuing education activity points every two years.

•   IAEM offers an Associate Emergency Manager (AEM) and a Certified Emergency Manager (CEM) designation for qualified professionals with comprehensive emergency management experience in the areas of mitigation, preparedness, response, and recovery for all risks. Applicants for the CEM designation must validate a minimum of three years of relevant experience, have earned a college degree, demonstrate contributions to the profession, write an essay, and pass a multiple-choice examination. While AEM certification requires passing an exam and writing an essay, the professional experience and education requirements are less rigorous. Certification maintenance includes documented points in three categories: education and instruction, professional participation, and service and leadership.

•   The BCI bases its certification on the knowledge gained through professional experience. All applicants for professional-certified grades—such as the Associate Member (AMBCI), Specialist Member (SBCI), and Member (MBCI)—are required to pass an examination that verifies the applicant’s knowledge of the BCI’s Good Practice Guidelines and to complete a scored-assessment matrix, listing their applicable experience in each of ten business continuity disciplines. This information is validated by the applicant’s references. A recently added BCI program extends eligibility for BCI membership to professionals who hold certain certifications from other industry associations (such as the DRII’s MBCP, CBCP, or ABCP) and have the required length of business continuity management experience. Under this program, there is no requirement to pass the BCI’s official exam. The BCI Fellow certification—leading to the designation of FBCI—is reserved for those with a minimum of six years’ experience as a business continuity practitioner. Candidates for the Fellow designation must demonstrate that they have made a significant contribution to the advancement of the profession beyond performing a job—such as sharing their knowledge and experience with others through writing, teaching, or public speaking—or have in some other way furthered the profession. The BCI requires no recertification as long as the certified professional continues to work in business continuity and adheres to the BCI Code of Practice, the professional standards required by the Institute as a condition of membership.

Employers or clients are assured that the credentialed individual has the education, training, knowledge base, experience, and dedication to the profession to qualify him or her to perform at a specified level of competency. Consideration of a candidate’s certification is a valuable component in the overall selection process when you are hiring an employee to assume business continuity responsibilities or contracting with a consultant to assist with a continuity planning project.

Going Forward

Business continuity reflects a concern for improving the capacity to respond to, recover from, and fully resume operations after extreme events. Any set of guidelines or standards has a rather broad charge when seeking to establish one way for all organizations to approach business continuity planning and perhaps overlapping disaster recovery and emergency preparedness. There will always be disagreement about which organization provides the most effective benchmark and which standard gives the most accurate measurement of an organization’s capability to meet the challenges of disasters that disrupt operations.

It behooves each business and organization to be informed of the evolving situation with continuity guidelines and standards and to consider whether following a set of accepted standards meets the company’s needs. When making the decision, continue to evaluate what will result in the greatest benefit and whether the selected standards or certification is the best vehicle for continually improving continuity capability.

•   Research to learn whether there are any government regulations that require your organization to maintain a business continuity program.

•   Determine whether there is a business continuity standard that is preferred or recommended by your organization’s industry or profession.

•   Ascertain whether key customers or clients have selected guidelines or a standard to apply to their continuity planning.

•   Explore the pluses and minuses of obtaining accreditation and certification through one of the currently available voluntary programs.

•   Determine whether it is in the best interests of your organization to request that your suppliers and other business partners obtain certification.
