A few questions I'd like to pose to the forum based on what others
think about the flurry of Standards being developed.
1. Will BCM become a better value proposition for business if
programs and solutions conform to a set of standards?
2. How prescriptive should a standard for BCM be?
3. Should there be a single holistic international standard, or
would we be better served by a set of standards, with a common
baseline, that acknowledges the differences between geographical
location, industry sector and size and scale of organisations?
4. Are we already well serviced by existing standards, guidelines
and regulatory requirements?
5. What, exactly, will we be looking to achieve in a single one
size fits all standard, if we were to go that way?
6. How much compromise will we be prepared to accept in how we do
things and what we deliver for the sake of meeting a standard?
7. Will a BCM standard be able to influence regulators and others
who may need to change their requirements / standards to suit to make
it useful anyway?
I'd really be interested in hearing the views of other BCM
professionals out there. In the end, we are the ones who will be
working to and implementing the standard, should any really become
the "one"!
Thanks
Howard
_________________
Howard Kenny MBCI
Australia
--- In discussbusinesscontinuity@yahoogroups.com, "Howard Kenny"
<howard@...> wrote:
>
> What is it with this "one size fits all" mentality we are developing?
>
> Like the organisations, and sub sections within these organisations,
> that we service, there are very real differences that cannot, and
> should not, be shoehorned into something that nearly fits. I'm all
> for standards and standardisation - where they fit and make sense. But
> not when they become a hindrance or detract from what it is we are
> trying to achieve and deliver. For instance, UK have risk as an
> embodiment of BCM - Australia has BCM as a risk control under the Op
> Risk framework. Not an issue in practice, but a major stumbling block
> when trying to apply a standard that is fundamentally opposed!
>
> The BCI got it right in developing the Good Practice Guidelines as a
> high level, non prescriptive set of, well .... , good practices, that
> can be easily adopted and adapted for the myriad different
> environments that require good BC capability. Being any more
> prescriptive than that is going to get messy and provide more
> negatives than benefits.
>
> To have a standard that works, it must be prescriptive. It requires
> assessable and objective metrics. Stipulating things like "a recovery
> site must be greater than 20KM from the primary production site"
> and "if the impact to the business NPAT is greater than 40% for any
> given event, the business must provide alternative facilities for at
> least 60% of production capability" would make the BCM practitioner's
> job so much easier, but would any organisation adopt such a standard?
> Would any regulator ever enforce such a standard? Would any BCM
> practitioner be happy working within these constraints? Would this
> actually provide what we are looking for? My view is a definite no,
> in all cases.
>
> There is a great opportunity for collaborative effort in developing
> some standard components for inclusion into a set of good/best
> practice guidelines (not necessarily the BCI's) - things like
> acronyms, terms and definitions. These can be standardised, and need
> to be. Many of the basics are covered under many "standards" already
> in use - regularity of BIA refresh, testing and exercising, basic
> scenarios etc etc. These could be extrapolated and consolidated into
> a standardised set of addendums to go with the GPG. But beyond that,
> I see little to no benefit in trying to force a holistic
> international, one size fits all standard that will have more chance
> of making BCM irrelevant than it will provide any benefit.
>
> In reality, we need to focus on the differences. To provide good,
> cost effective and workable solutions that are deliverable,
> supportable and maintainable and that provide risk mitigation and
> security to the individual organisation's business objectives. Each
> business is different. Each solution will be different. There is no
> right or wrong way of doing it. Just good, better, best - subject to
> risk appetite and budget!
>
> Let's get on with practicing the art and science of Business
> Continuity Management and build a real value add proposition for
> business, one that suits the business, not a set of unworkable or
> inappropriate "standards".
>
> Viva la difference!
>
>
> Howard
> _________________
> Howard Kenny MBCI
> Australia
>
> --- In discussbusinesscontinuity@yahoogroups.com, "John Glenn, CRP"
> <JGlennCRP@> wrote:
> >
> > I read BSI 25999-1 and BSI 25999-2.
> >
> > I found them both lacking in everything but price. For my money,
> > NFPA 1600 (and variations on that theme) do a better job and are more
> > appropriate in tone and presentation for North America.
> >
> > John Glenn, MBCI
> > Enterprise Risk Management/Business Continuity
> >
> >
> >
> > --- On Tue, 1/6/09, john_fernandes@ <john_fernandes@> wrote:
> >
> > From: john_fernandes@ <john_fernandes@>
> > Subject: [discussbusinesscontinuity] American Standard Body to produce Standard for Business Continuity
> > To: discussbusinesscontinuity@yahoogroups.com
> > Date: Tuesday, January 6, 2009, 12:25 PM
> >
> > Source: http://www.continuityforum.org/news/0906/ASIS
> > American Standard Body to produce Standard for Business Continuity
> >
> >
> > ASIS Online based in Virginia has now started the work to develop
> > its American National Standards Institute (ANSI) project to produce a
> > Business Continuity Management (BCM) standard, for approval by ANSI.
> > Close links have been developed over the past 6 months between the
> > BSI and the BCM/1 committee and ASIS in order to share experience and
> > help to build consistency between the key elements of BS25999 and the
> > proposed ANSI standard.
> > Participation included key business continuity programme managers,
> > service providers and other interested parties, and included
> > representatives from Disaster Recovery Institute International,
> > Association of Contingency Planners, the Business Continuity
> > Institute and its U.S. Chapter BCI-USA and the Continuity Forum.
> > ASIS then followed initial conversations with further discussions
> > and engagement in December with the first committee and working group
> > meetings to be held in Virginia on 15/16th January. The Continuity
> > Forum is represented on the Committee by Russell Price, the vice
> > chairman of the group is Kevin Brear (a constant figure in the
> > development of the British Standard) and it's chaired by Marc Seigel.
> > Currently the scope of the ASIS-proposed Business Continuity
> > Management American National Standard would include auditable
> > criteria for preparedness, crisis management, business and
> > operational continuity and disaster management, which covers more
> > than BS25999 and crosses over into IT service Continuity (BS25777)
> > and the working group that is addressing the developing issue of
> > standards for Crisis Management.
> > The working group has shown commendable openness in establishing a
> > diverse group with wide ranging experience. ASIS has also stated its
> > goal was not to infringe on the credibility of current BCM
> > practitioners or turn BCM into a subset of security management, but
> > to utilize its position as an ANSI-accredited Standards Development
> > Organization to lead the effort of the business continuity community
> > towards a much needed standard.
> > The compelling need for a new standard that could be both auditable
> > and scalable had previously been unanimously identified with most
> > commentators stating that while other standards, such as NFPA
> > 1600, already existed and provided value to the business continuity
> > community, the needs of the community were not being met since they
> > were not auditable. In addition, there was a degree of separation in
> > planning or were partial to certain industry segment distortion which
> > did not promote a holistic view of BCM, addressing the wide range of
> > disciplines today's BCM programs have to consider.
> > Interested parties may contact ASIS directly at
> > standards@asisonline.org.
> > Continuity Forum Comment
> > ASIS have seized an opportunity to try and establish international
> > consistency for BCM by aligning with the excellent work of the BSI
> > BCM/1 group which developed BS25999. The spread of specific and
> > international experience contributing to the process of developing
> > the standard is excellent. Importantly, through close cooperation and
> > support the BSI and ASIS are helping broaden and enhance the
> > international nature of BCM planning and sharing good practice
> > effectively. This could well mean much greater efficiency and cost
> > effective planning for all international operations.
> > In addition, better communication between `policy makers' on both
> > sides of the Atlantic will become a valuable driver in the growth and
> > quality of Business Continuity Planning and Management. The current
> > scope is very ambitious pulling together a wider mix of BCM topics
> > than currently included in BS25999 and this we feel may need to be
> > carefully managed to avoid too much complexity, but it is certainly
> > worth the effort if we can establish a holistic usable standard.
> > About ASIS International
> > ASIS International is the preeminent organization for security
> > professionals, with more than 36,000 members worldwide. Founded in
> > 1955, ASIS is dedicated to increasing the effectiveness and
> > productivity of security professionals by developing educational
> > programs and materials that address broad security interests, such as
> > the ASIS Annual Seminar and Exhibits, as well as specific security
> > topics. ASIS also advocates the role and value of the security
> > management profession to business, the media, government entities and
> > the public. By providing members and the security community with
> > access to a full range of programs and services, and by publishing
> > the industry's No. 1 magazine—Security Management—ASIS leads the way
> > for advanced and improved security performance.
> >
>