Standards…ugh! Even though the business continuity profession appears to be paying some attention to the topics of standards development and organizational certification, you may be tempted to skip over these articles and ignore the opportunity to review new or revised standards when released (especially if you feel organizational certification isn’t right for your organization). However, many reasons exist as to why all organizations (and BC practitioners) should not only pay attention to standards, but also seek opportunities to incorporate applicable elements of them into their programs to improve performance and enhance credibility.
An Introduction to the Business Case
To some, it may seem like standards overcomplicate things or include requirements outside of what is necessary for your organization. In reality, they often serve as a “best practices” road map. Why? When developed correctly based on consensus-driven processes, standards help drive performance, as they list and describe key activities all organizations should perform to deliver value. “Requirements” standards (those that offer optional certification, such as ISO 22301) outline the program elements that should be included in a given preparedness effort, whereas “guidance” standards (those that are not available for certification, such as ISO 22313) clarify the intent of and expand upon program elements. By providing both a roadmap and instructions on how to implement key elements, standards make it much easier to understand what others are doing to improve performance, where your preparedness efforts may be lacking, and how to implement program elements to drive higher levels of performance – based on your unique objectives.
You Don’t HAVE to Align to Just One (or Completely Align to All Expectations)
When looking over the various standards, it may be difficult to determine which is right for your organization. However, there is no need to align to just one standard, or to align to all elements within a specific standard (especially if you are not seeking certification). Organizations can often get significant value from different standards, taking an “a la carte” approach to each standard and selecting whatever ideas or elements will best drive continual improvement specific to performance.
As each standard approaches element design, management, and execution differently, pulling from various standards can help ensure the approaches you use best fit the unique needs of your organization. If certain expectations within a standard do not make sense for your organization due to unique organizational attributes, skip them – instead, pick and choose what makes sense from each standard to help improve business continuity program operations without overcomplicating it.
Benchmarking Can Help Increase Management Support
For organizations struggling to get management buy-in or resources to support program design or maturation activities, standards can provide a great benchmark. Rather than just asking for additional budget or resource time, referencing standards recommendations and expectations to drive program growth helps management see where current activities may fall short of best practices. Executives often like to compare their organizations to others, so given that standards are often developed in a consensus-driven, international mindset, standards offer an easy method against which management can evaluate the organization’s current state and commit to a future state. Consulting standards in this manner can help executives understand how investing in new activities not only closes preparedness gaps, but also enables the organization to align to best practice recommendations and management to feel reassured that additional investment results in organizational value.
Reassure Your Customers
Given the news coverage and significant impacts of recent natural disasters, if customers or other stakeholders have not already started asking about your organization’s business continuity capabilities, they may soon. Even if customers are not proactively reaching out just yet, they will likely be interested in proactively hearing about your organization’s alignment to best practices and appreciate that your organization recognizes the importance of meeting its needs. While certification provides the most significant external validation that your organization meets expectations, even being able to state that your program conforms to one or more standards is a powerful statement that still gives comfort and reassurance.
Certification is Straightforward (If You Have the Business Case to Pursue It)
While certification may not be right for your organization at this point in time, there is no reason your organization cannot start aligning to a standard now, especially if the business case could change. Even if your organization does not reach a point where certification seems necessary, standards contributors included each requirement or recommendation because they felt very strongly that each program element offers organizations significant value, so taking steps to align to standards elements is not a wasted effort. It’s even possible to align to elements of multiple standards but only seek certification for one, as long as you meet all of a specific standard’s expectations. Going above and beyond to further incorporate other standards only strengthens your program.
As highlighted throughout this article, the primary purpose of standards is to introduce and summarize best practices that drive performance improvement, and the content is designed to be applicable to all organizations, regardless of location, size, purpose or industry. Though organizational certification can prove extremely valuable for those with a strong business case, any organization that takes the time to analyze available standards should be able to gain valuable ideas, insight, and direction.
Avalution has been a longtime proponent of aligning to standards, and, if there’s a business case to proceed, organizational certification. Our team has assisted numerous organizations in preparing for and successfully achieving certification, and, in May 2011, we successfully achieved our own organizational certification to BS 25999. We too had to evaluate the business case for taking such steps and realize certification isn’t for everyone. We encourage you to review the resources on our website and reach out to us if you have questions, as our team always welcomes a conversation about how certification or alignment to a standard can benefit your organization.
Stacy Gardner, Managing Consultant
Avalution Consulting: Business Continuity Consulting