Passengers on the Titanic didn’t think it could sink. When it did, there wasn’t room for everyone in the lifeboats. By slavishly tying your BCM program to industry ‘standards’, you may find yourself adrift during a business disruption. Standards are only guidelines. They’re no substitute for the knowledge necessary when disruptions occur.
BCM industry standards (DRII and BCI) exist to fill two needs:
- To provide “professional practices” to which ‘certification’ can be linked
- To create a baseline against which auditors can intelligently review BCM plans and programs
Those are the valid reasons for the existence of standards, but neither promises that adherence will result in preparedness.
Many industries impose additional standards with which BCM programs must comply. Lay those over the BCM industry standards and many practitioners spend most of their resources constructing compliant – not incident-ready – programs.
- Barely completing this year’s BIA survey before embarking on the next.
- Performing risk assessments that divert resources from more valuable efforts.
- Wasting valuable time tracking, measuring and reporting on compliance.
Neither of our generally accepted BCM industry standards touts itself as the path to incident readiness. They simply provide checkpoints on the road to uniformity.
Industry standards can’t make your organization more prepared – because those standards don’t consider context. The standard knows nothing about your organization. It knows nothing about the availability of information within your organization (risks, criticalities or priorities). It urges that you conduct risk assessments – though your organization may have a Risk Management Department of its own. It advocates periodic BIAs – even though your C-Suite already knows your organization’s critical products, services and supporting processes.
You should spend more time improving your organization’s preparedness, and less time checking off compliance boxes. Standards have a role, especially in organizations embarking on their maiden BCM voyage. But standards are meant to be one-size-fits-all. They’re not tailor-made for your organization. Use them for guidance, but don’t follow them slavishly. They can only assure compliance, not preparedness.
Preparedness requires that you row that lifeboat yourself – not sit on a deck chair while “standards” steer your ship through icy waters.
About the Author
Jim Mitchell is a frequent speaker at Business Continuity conferences. Many of his blogs can be found elsewhere on eBRP’s website, and he has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.