How to Determine Risk Appetite in the Context of Business Continuity

The introduction of ISO 22301 (Societal security – Requirements – Business continuity management system) more closely aligns business continuity to the broader risk management discipline. A major contributor to this alignment is the standard’s requirement to understand the organization’s “risk appetite” (a term not used in BS 25999).

Organizational Resilience: What it could, or should, mean in the standards landscape

As Posted in the Digital Edition of Continuity Insights Magazine

Admittedly, I wrote this article to better get my mind around the swirling debate regarding the concept of organizational resilience and what it means – or better yet, what it should mean – to business continuity, risk management and security professionals. I am a member of the US Technical Advisory Group to ISO Technical Committee (TC) 223, which is charged with developing the ISO 22323 standard (Societal Security — Management system for resilience in organizations — requirements and guidance for use).

An Update on TC 223 and ISO 22301

Online Exclusive – as published on  | Updated June 2012

[EDITOR’S NOTE – Brian Zawada is a member of the US Technical Advisory Group to ISO Technical Committee 223. Zawada participated in the 2011 and 2012 meetings as a member of Working Group 4, the team charged with developing ISO 22301, 22313 and 22323.]

There are numerous articles and conversations currently taking place regarding ISO 22301 and ISO Technical Committee (TC) 223 in general – some based on fact, but many based on assumption and rumor. So, what’s the real story on ISO 22301 and the work being performed related to societal security?

The purpose of this article is to provide updated information to help business continuity professionals better understand the ISO TC 223 standards development efforts underway and when to expect final work product that can help your organization better prepare for disruption.

The Basics of ISO 31000 – Risk Management

After approval by the ISO member bodies, the ISO Technical Management Board Working Group on risk management released ISO 31000:2009, Risk Management – Principles and Guidelines in November of 2009. The authors designed the standard to be applicable for any organization and any risk type, but, unlike the familiar ISO quality standards, ISO 31000 is not certifiable.

For those familiar with the AS/NZS 4360:2004 standard on risk management, this ISO standard should be easily recognizable. With the exception of wording changes, ISO 31000 is essentially the same standard.

Standards: It’s Time to Get Off the Sidelines

When speaking about business continuity standards, we frequently hear the following feedback:

“I am waiting for the ‘dust to settle’ on the development of the standards and for one to be chosen by the industry as the front-runner.”

“We are not interested in complying and being audited against another regulation.”

Unfortunately, it’s these types of opinions that are causing many organizations to miss the value that standards can provide.

PS-Prep – Myth or Fact

Having attended a number of conferences recently – many of which were focused on topics other than business continuity and disaster recovery – I’ve found that the amount of discussion regarding PS-PREP has increased substantially over the past 2+ years. In addition, as more and more professionals and organizational disciplines are being made aware of PS-PREP-related developments, concern and skepticism increases. And, unfortunately, because of the unknowns that remain – as well as the raw emotion on display by those adamantly opposed to this effort – few people walk away from presentations understanding what this effort is all about. The purpose of this article is to not only describe what PS-PREP is today and where we think it’s headed, but most importantly, to dispel (or possibly confirm) some of the rumors out there that may be getting in the way of organizations carefully evaluating the possible benefit that may result.

NFPA 1600 2010 Edition: What You Need to Know

NFPA 1600 is a “Disaster / Emergency Management and Business Continuity” standard published by the National Fire Protection Association that was originally released in 1995. The original iteration focused on tactical issues associated with disaster management. However, beginning in 2000, the standard matured to include “total program planning”, which included common business continuity program elements, techniques and processes.

In late 2007, the concept of “management systems” was formally introduced to the business continuity profession and quickly gained a significant amount of support due to its acceptance and success in other business disciplines (quality, environmental management and security, to name a few). Since the introduction of business continuity management systems concepts, NFPA has been working to better align its standard to the “Plan, Do, Check, Act” (PDCA) model, which is at the heart of management systems. In January 2010, NFPA announced the release of its triennial edition of the NFPA 1600 standard. The 2010 edition has changed significantly – organizationally and in its content.

Why is DRI Speaking Out Against Organizational Certification?

Over the last few months, DRI has spent a lot of time spreading a message of caution with regard to organizational certification. Their article on this topic was published in the last issue of DRJ (Are You Really Prepared? Who Says So?), it was the topic of a recent webinar (October 29th), and has also been the message delivered by their executive director in several small group meetings.

What’s interesting about this PR blitz is that the only business continuity standard currently available for organizational certification in the US is British Standard (BS) 25999. The federal government is developing a voluntary certification program (as mandated in law PS 110-53), but that won’t be available for some time. As a result, DRI’s motivation to encourage the status quo is unclear.

BS 25999 Certification: 4 Myths and a Truth

Over the last year and a half we have met a number of organizations that thought they were prepared for BS 25999 certification, only to find key issues when BSI’s auditors arrived. As a result, we have compiled the following four myths and an important truth regarding BS 25999 certification.

Considering Certification?

Avalution continues to help a variety of organizations prepare for BS 25999 certification. Having successfully helped an organization achieve certification, as well as working with our clients during pre-assessments, our team is starting to see broad trends, including key success factors for certification as well as common roadblocks to certification.