Business Continuity & Disaster Recovery: Too Many Standards?

I finally got around to reading a past issue of Continuity Magazine published by the Business Continuity Institute (BCI).  Somehow it fell behind a book shelf I was cleaning a few months ago and only found it the other day as I was looking for something else.  Anyway, it had a small article about ASIS International announcing that its “America National Standard for Organizational Resiliency” was being adopted by Netherlands as Dutch National Standard NEN 7131.  It got me thinking about all the various standards out there.

Now, I know you might think I’ve written about this subject before – <LINK> but this is a bit different.  I was wondering what’s wrong with the standards we have.  Why something new again and why so many?  It seems that new standards are being introduced on a monthly basis (OK, a bit of an exaggeration there…).  I’ve captured just a few of them below – each with their own characteristics.

Sample Standards

1. BSi 25999 – Along the lines of DRI/BCI good practice guidelines
2. ISO 17799 – Security but has a component for technology or rather “Disaster” recovery
3. AS/NZS 5050:2010 – Australia & New Zealand’s Business Continuity standard, which seems to focus on auditing BC according to a recent Continuity Magazine article
4. NFPA 1600 – Standard on Disaster/Emergency Management and Business Continuity Programs
5. SS540 – Singapore Standard for Business Continuity
6. Canadian Standards Association (CSA) Z1600 – Emergency Management & Business Continuity Standard
7. ITIL™ – Exclusively IT focused (IT Service Continuity Management) (I have my v3 ITIL Foundations certification)
8. BS 25777 – Information and communications technology continuity management
9. ISO 27000 – Security — is an international standard entitled: Information technology — Security techniques — Information security management systems — Overview and vocabulary.
10. Malaysia Standard MS1970:2007 – A Business Continuity Management Framework

Are there too many standards? Quite possibly, yes. 

Can each provide something new or a new tidbit of information to help corporation move their programs forward?  Oh yes. 

Can so many standards cause problems for corporations?  You bet. 

If a corporation does choose to follow a standard it may be missing out on another perspective and have an area that is lacking.

 Why So Many?

I often wonder why there are so many differing variations of standards and differing perspectives all around the world.  Why isn’t one single all-encompassing standard for Business Continuity good enough?  Is it necessary to include Business Continuity at the end of every standard?  For instance, Emergency Management in a community is different that Business Continuity but there’s a standard to address both. They are different in my opinion but can be related (I already have an article ready to go on that one so stay tuned). 

1. Doesn’t Meet My Needs – As with every other product or service out there – regardless of industry – sometimes you just can’t find something that meets you needs. So, you either go without or you create it yourself.  That’s how products grow and develop over years – their life cycle.  It may be that an issue or a specific focus is identified by isn’t addressed by any existing standard and the result is a new one is created. 
2. I Can Do It Better – This one speaks for itself to a large degree.  When someone puts something out there – an idea, a product or service, a book, a movie or anything else – there are going to be people who don’t like it.  They’ll believe – rightly or wrongly – that they can do better and before you know it, another standard begins.  I think it would be easier to contribute to the development of standards when the ‘call is made for assistance’ and put forth ideas that way, rather than starting again and creating something new.
3. Personal Perspectives & Focus – This is a bit of a continuation of points 1 and 2.  If there is something missing from one standard, instead of trying to get it incorporated, they move on to create something new.  The problem then becomes that the missing point of an older standard becomes the main focal point for the new standard and the entire focus of the standard gets build around that single idea.  Then you end up with “Business Continuity Standards” that seem to address specific components rather than as an overall program standard. For example, you have Audit focused BC standards, Technology focused BC standards and Emergency Response BC standards; yet they are all Business Continuity related so why not joint together? 
4. Don’t Want to be Told How to do Something by Others – Really, who does?  Just like point 2.  But when it comes to politics no country or organization wants to be seen as following the pack, they all want to be leaders so they’ll create their own standard to stand out from the herd.  But I’ve got news for you – not everyone can be a leader.  You’re only a leader if you have followers.  Will creating a new standard create followers or more confusion in the BC industry? 
5. Cultural Differences – Might be a bit touchy here but it is true.  Though the DRII and BCI are the relatively the same organization – figuratively, not literally – because they both have the same 10 practice domains for BC/DR, yet there are slight wording changes between the two.  It is because one is North American based and the other European (UK) based?  I know of other examples (non-DRII or BCI) where Business Continuity for one organization seems to mean Technology Recovery and for another like-minded organization, Business Continuity means Crisis Management, Business (department) Continuity Plans, Emergency Response and also includes IT. 
6. Industry Specific – Could be that a manufacturer needs different standards than, let’s say, a financial institution.  I can understand that but still, they both need many of the same components in their programs no matter what; communications, people safety plans, continuation of processes, supply chain (or vendor management) plans.  Communication is communication regardless of the industry.  A manufacturer still uses a call tree as does a Financial Institution, regardless of how it’s executed and the tools it might use.  The standard is the same; a method to contact your employees during off-hours (as an example). 
7. Profit – This one will get me into trouble (again…).  I know of an organization – and you probably do too – that created a standard for BC and then spent lots of time promoting it trying to drive up sales.  I know because I was called by a company trying to get me to buy their ‘new’ service based on this new standard.  The ones that are out there are just fine (depending on how you use them) but by doing this they were able to pump up sales (Note: I have no idea if it did or not) and that was the reason for investing in the strategy and developing their new standard.  They even changed the name of their unit to reflect the new strategy, which, if you knew the old one or rather, their old product, was the same thing, just with new colours, wording and graphics (oh, and higher prices).  OK, let the arrows fly after that one…

 Moving Forward With Wishful Thinking…

It would be a dream but it would be nice to have a single standard for Business Continuity, a single standard for Emergency Response, information Security and many others.  However, they can all link to each other so that up to a point they are strictly focused on their one area of expertise (incorporated the variations required for each industry) and then when it reaches a specific point, oh, let’s say backups, it directs you to the appropriate standard.  It would bring things together and all industries and corporations will have the same guidance available to them.  Still, that’s a dream and I doubt it will happen and we’ll probably see more standards coming out over the years.  Each on contradicting the other or trying to out-do the other.  It’s this that causes confusion in the BCM/DR/ERM/IT fields and caused confusion for corporations.  But at least this would bring the ‘best’ of each standard together to create a better global standard – it would raise the bar so-to-speak. 

 So who do we follow?  I say follow what helps you most.  It’s like making a cake and adding different ingredients.  Take bit of this and a bit of that to make your program work for you – make the cake to your recipe (I’ve never followed a recipe in my life; I always add my own touch).  I’ve yet to find a standard that completely addresses every aspect.   Maybe that’s why others develop new ones.  Business Continuity – in simple terms, how you keep your business going when interruptions of any scale occur – covers the entire organization.  It’s like a shadow that moves with you.  As you move, so too does your shadow. 

 Can’t we all just get along and play together?  There’s too many and I’m getting confused…

 **NOW AVAILABLE**

The new book by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.”  Available at www.stone-road.com **