Hi Peter, I was the only one copied, so I'm forwarding it with your good
comments and some of my own of course.
I think there's a difference of opinion on what a standard is compared to
a guideline. The guideline is a non-authoritative way of expressing good
practices while a standard is authoritative and generally accepted as the
basis for every program. Standards use auditor speak as in shall and
should while guidelines are more of an opinion piece based on
vast experience. The trick is to design the standard so it is flexible
enough to allow all users the ability to work things their own way while
still providing a way to measure results.
----- Original Message -----
From: "peterbarnes101" <peterbarnes101@...>
To: "Bill Lang" <wrlang@...>
Sent: Monday, January 12, 2009 11:22 AM
Subject: Re: American Standard Body to produce Standard for Business
Continuity
I have a rather more "contrary" (perhaps cynical) response to
Howard's questions...included below with Bill's input...
--- In discussbusinesscontinuity@yahoogroups.com, "Bill Lang"
<wrlang@...> wrote:
>
> Hi Howard. Comments below.
>
>
> A few questions I'd like to pose to the forum based on what others
> think about the flurry of Standards being developed.
>
> 1 .. Will BCM become a better value proposition for business if
> programs and solutions conform to a set of standards?
>
> Yes, like ISO certifications, some businesses and customers and
> auditors will value the standards as a way to quickly determine and
> advertise competence.
PB - I'm not so convinced. I have a concern that efforts to conform
to a standard often detract from the real issues that should be
addressed if BCM is to be effective. In my view it is a similar
issue to relying on a software tool to produce your BIA - the tool
(aka standard) measures and reports according to standard principles -
the fact is most businesses have unique nuances that you only
discover through applying experience, care and attention. For me - a
standard is a stepping stone for those implementing BCM for the first
time and needing a structure - but less useful to the firm that is
mature in BCM.
BL: I hear ya. Agreed that the tool is not important, but rather that in
your example the BIA fits the business not the tool. The trick is to design
the standard so it is flexible enough to allow all users the ability to
work things their own way while still providing a way to measure results.
>
>
> 2 .. How prescriptive should a standard for BCM be?
>
> As prescriptive as is practical including globally required
> considerations.
> For example it wouldn't tell you how far away your recovery site
> should be, but it would tell you to document that the distance was
> considered and how the distance was determined.
PB: Bill - surely that's a guideline and not a standard. To that
extent I fully align myself with an earlier argument in this string
that the BCI good practice guidelines are of tremendous value (and I
reconcile myself to the GPG much more easily than to any of the
standards attempted to date).
BL: I'll rephrase. In the example the actual distance could be obtained
from guidelines, but the requirement that a logical process for determining
distance should be a standard.
>
>
> 3 .. Should there be a single holistic international standard, or
> would we be better served by a set of standards, with a common
> baseline, that acknowledges the differences between geographical
> location, industry sector and size and scale of organisations?
>
> A single standard eliminates confusion and reduces the cost and
> effort from having to meet multiple standards in all locations or
> different standards in multiple locations.
PB: I broadly agree that a single holistic "something" would be
great. However, if it is holistic - it tends to suggest to me that
it will have the effect of being a guideline rather than a
specifically measurable and auditable standard. But my earlier
thought that newcomers will benefit still holds - and to this extent
I agree with Bill that a single standard is beneficial.
BL: I liken a standard to a recipe. Good cooks may all use the
same basic ingredients for the same dish, but in slightly different
quantities and may add a few secret ingredients of their own for
style or taste. Like you say, a beginner will follow the recipe to
the letter and should be able to make at least an edible dish.
>
>
> 4 .. Are we already well serviced by existing standards, guidelines
> and regulatory requirements?
>
> Yes, but we need a certifying body.
PB: Agreed - subject to my contextual caveats above.
>
>
> 5 .. What, exactly, will we be looking to achieve in a single one
> size fits all standard, if we were to go that way?
>
> An authoritative consensus on what is necessary in a good program.
PB: A one size fits all will not work except at a very high level -
if it's high-level we're back to guidelines - not something that can
be achieved with a standard.
BL: Perhaps it's a mincing of words, but to me a guideline is a recipe
generally describing ingredients and preparation while a standard is a
universally accepted list of ingredients that can be prepared in a
unique manner.
>
>
> 6 .. How much compromise will we be prepared to accept in how we do
> things and what we deliver for the sake of meeting a standard?
>
> If a standard includes the minimum requirements for a good program,
> then the compromise would be to use the standard to create a good
> program.
> The inference is that if it doesn't meet the standard, then it's not
> a good program.
PB: Further to my remark in response to the opening question - this
is the key danger! The risk is that people WILL compromise the
program to meet the standard.
BL: The standard must contain the integral parts, so there should be
no need to compromise. I guess I'm thinking that if someone would
compromise their program by doing a BIA, then how good could their
program really be if a BIA is a compromise?
>
>
> 7 .. Will a BCM standard be able to influence regulators and others
> who may need to change their requirements / standards to suit to
> make it useful anyway?
>
> Yes, regulators and auditors look for guidelines to help them
> ensure the practices are good.
> If the business is BCM certified, the regulator's or auditor's job
> in that area is more quickly completed.
PB: Sorry again - the risk is that auditing to a standard certifies
that the program has been developed in accordance with a specified
methodology - it does not necessarily verify that a program that is
right for the organization has been implemented. The key goal for
auditors should always be to seek evidence that the program delivers
to the level required and expected by management / executives -
simply assessing whether or not it complies with (any) standard will
not necessarily address this question - but I concede that it will
help to some extent.
BL: Agreed that if a standard is used then an auditor can use that standard
to audit the organization's program, but if another authoritative body has
already certified the organization as using the standard the audit can
be viewed as redundant. Mincing words again, the methods used to
meet the standard can also be audited. Most standards are a list of
ingredients and seldom include the methods used to collect the
ingredients or make the dish.