What is it with this "one size fits all" mentality we are developing?
Like the organisations, and sub sections within these organisations,
that we service, there are very real differences that cannot, and
should not, be shoehorned into something that nearly fits. I'm all
for standards and standardisation - where they fit and make sense. But
not when they become a hindrance or detract from what it is we are
trying to achieve and deliver. For instance, UK have risk as an
embodiment of BCM - Australia has BCM as a risk control under the Op
Risk framework. Not an issue in practice, but a major stumbling block
when trying to apply a standard that is fundamentally opposed!
The BCI got it right in developing the Good Practice Guidelines as a
high level, non prescriptive set of, well .... , good practices, that
can be easily adopted and adapted for the myriad different
environments that require good BC capability. Being any more
prescriptive than that is going to get messy and provide more
negatives than benefits.
To have a standard that works, it must be prescriptive. It requires
assessable and objective metrics. Stipulating things like "a recovery
site must be greater than 20KM from the primary production site"
and "if the impact to the business NPAT is greater than 40% for any
given event, the business must provide alternative facilities for at
least 60% of production capability" would make the BCM practitioner's
job so much easier, but would any organisation adopt such a standard?
Would any regulator ever enforce such a standard? Would any BCM
practitioner be happy working within these constraints? Would this
actually provide what we are looking for? My view is a definite no,
in all cases.
There is a great opportunity for collaborative effort in developing
some standard components for inclusion into a set of good/best
practice guidelines (not necessarily the BCI's) - things like
acronyms, terms and definitions. These can be standardised, and need
to be. Many of the basics are covered under many "standards" already
in use - regularity of BIA refresh, testing and exercising, basic
scenarios etc etc. These could be extrapolated and consolidated into
a standardised set of addendums to go with the GPG. But beyond that,
I see little to no benefit in trying to force a holistic
international, one size fits all standard that will have more chance
of making BCM irrelevant than it will provide any benefit.
In reality, we need to focus on the differences. To provide good,
cost effective and workable solutions that are deliverable,
supportable and maintainable and that provide risk mitigation and
security to the individual organisation's business objectives. Each
business is different. Each solution will be different. There is no
right or wrong way of doing it. Just good, better, best - subject to
risk appetite and budget!
Let's get on with practicing the art and science of Business
Continuity Management and build a real value add proposition for
business, one that suits the business, not a set of unworkable or
inappropriate "standards".
Viva la difference!
Howard
_________________
Howard Kenny MBCI
Australia
--- In discussbusinesscontinuity@yahoogroups.com, "John Glenn, CRP"
<JGlennCRP@...> wrote:
>
> I read BSI 25999-1 and BSI 25999-2.
>
> I found them both lacking in everything but price. For my money,
NFPA 1600 (and variations on that theme) do a better job and are more
appropriate in tone and presentation for North America.
>
> John Glenn, MBCI
> Enterprise Risk Management/Business Continuity
>
>
>
> --- On Tue, 1/6/09, john_fernandes@... <john_fernandes@...> wrote:
>
> From: john_fernandes@... <john_fernandes@...>
> Subject: [discussbusinesscontinuity] American Standard Body to
produce Standard for Business Continuity
> To: discussbusinesscontinuity@yahoogroups.com
> Date: Tuesday, January 6, 2009, 12:25 PM
>
> Source : http://www.continuityforum.org/news/0906/ASIS
> American Standard Body to produce Standard for Business Continuity
>
>
> ASIS Online based in Virginia has now started the work to develop
its American National Standards Institute (ANSI) project to produce a
Business Continuity Management (BCM) standard, for approval by ANSI.
> Close links have been developed over the past 6 months between the
BSI and the BCM/1 committee and ASIS in order to share experience and
help to build consistency between the key elements of BS25999 and the
proposed ANSI standard.
> Participation included key business continuity programme managers,
service providers and other interested parties, and included
representatives from Disaster Recovery Institute International,
Association of Contingency Planners, the Business Continuity
Institute and its U.S. Chapter BCI-USA and the Continuity Forum.
> ASIS then followed initial conversations with further discussions
and engagement in December with the first committee and working group
meetings to be held in Virginia on 15/16th January. The Continuity
Forum is represented on the Committee by Russell Price, the vice
chairman of the group is Kevin Brear (a constant figure in the
development of the British Standard) and it's chaired by Marc Seigel.
> Currently the scope of the ASIS-proposed Business Continuity
Management American National Standard would include auditable
criteria for preparedness, crisis management, business and
operational continuity and disaster management, which covers more
than BS25999 and crosses over into IT service Continuity (BS25777)
and the working group that is addressing the developing issue of
standards for Crisis Management.
> The working group has shown commendable openness in establishing a
diverse group with wide ranging experience. ASIS has also stated its
goal was not to infringe on the credibility of current BCM
practitioners or turn BCM into a subset of security management, but
to utilize its position as an ANSI-accredited Standards Development
Organization to lead the effort of the business continuity community
towards a much needed standard.
> The compelling need for a new standard that could be both auditable
and scalable had previously been unanimously identified with most
commentators stating that while other standards, such as NFPA
1600, already existed and provided value to the business continuity
community, the needs of the community were not being met since they
were not auditable. In addition, there was a degree of separation in
planning or were partial to certain industry segment distortion which
did not promote a holistic view of BCM, addressing the wide range of
disciplines today's BCM programs have to consider.
> Interested parties may contact ASIS directly at standards@asisonline.org.
> Continuity Forum Comment
> ASIS have seized an opportunity to try and establish international
consistency for BCM by aligning with the excellent work of the BSI
BCM/1 group which developed BS25999. The spread of specific and
international experience contributing to the process of developing
the standard is excellent. Importantly, through close cooperation and
support the BSI and ASIS are helping broaden and enhance the
international nature of BCM planning and sharing good practice
effectively. This could well mean much greater efficiency and cost
effective planning for all international operations.
> In addition, better communication between `policy makers' on both
sides of the Atlantic will become a valuable driver in the growth and
quality of Business Continuity Planning and Management. The current
scope is very ambitious pulling together a wider mix of BCM topics
than currently included in BS25999 and this we feel may need to be
carefully managed to avoid too much complexity, but it is certainly
worth the effort if we can establish a holistic usable standard.
> About ASIS International
> ASIS International is the preeminent organization for security
professionals, with more than 36,000 members worldwide. Founded in
1955, ASIS is dedicated to increasing the effectiveness and
productivity of security professionals by developing educational
programs and materials that address broad security interests, such as
the ASIS Annual Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the security
management profession to business, the media, government entities and
the public. By providing members and the security community with
access to a full range of programs and services, and by publishing
the industry's No. 1 magazine—Security Management—ASIS leads the way
for advanced and improved security performance.
>