discussbusinesscontinuity · Business continuity management
Standards for Business Continuity

Thanks to everyone who took the time to provide their views and input
into this discussion.

Obviously there are 3 sides - yes, standards are always a good thing;
no, standards provide little practical benefit; and maybe, depending
what they say and how good the content is and the ability for
benefits to be achieved for the business.

Let's hope those developing the current set of proposed standards are
experienced, competent and pragmatic enough to know the difference!

We must never lose sight of the fact that BCM is all about the
Business. It is never about making an auditor's job easier, comparing
capabilities or satisfying pride through competition and nefarious
comparisons.

If, on the day of need, the Plan does not deliver what the Plan needs
to deliver, we have failed.


Howard
_________________
Howard Kenny MBCI
Australia

--- In discussbusinesscontinuity@yahoogroups.com, "Howard Kenny"
<howard@...> wrote:
>
> A few questions I'd like to pose to the forum based on what others
> think about the flurry of Standards being developed.
>
> 1 .. Will BCM become a better value proposition for business if
> programs and solutions conform to a set of standards?
> 2 .. How prescriptive should a standard for BCM be?
> 3 .. Should there be a single holistic international standard, or
> would we be better served by a set of standards, with a common
> baseline, that acknowledges the differences between geographical
> location, industry sector and size and scale of organisations?
> 4 .. Are we already well serviced by existing standards, guidelines
> and regulatory requirements?
> 5 .. What, exactly, will we be looking to achieve in a single one
> size fits all standard, if we were to go that way?
> 6 .. How much compromise will we be prepared to accept in how we do
> things and what we deliver for the sake of meeting a standard?
> 7 .. Will a BCM standard be able to influence regulators and others
> who may need to change their requirements / standards to suit to
> make it useful anyway?
>
> I'd really be interested in hearing the views of other BCM
> professionals out there. In the end, we are the ones who will be
> working to and implementing the standard, should any really become
> the "one"!
>
> Thanks
>
>
>
> Howard
>
> _________________
> Howard Kenny MBCI
> Australia
>
>
>
> --- In discussbusinesscontinuity@yahoogroups.com, "Howard Kenny"
> <howard@> wrote:
> >
> > What is it with this "one size fits all" mentality we are
> > developing?
> >
> > Like the organisations, and sub sections within these organisations,
> > that we service, there are very real differences that cannot, and
> > should not, be shoehorned into something that nearly fits. I'm all
> > for standards and standardisation - where they fit and make sense.
> > But not when they become a hindrance or detract from what it is we
> > are trying to achieve and deliver. For instance, UK have risk as an
> > embodiment of BCM - Australia has BCM as a risk control under the
> > Op Risk framework. Not an issue in practice, but a major stumbling
> > block when trying to apply a standard that is fundamentally opposed!
> >
> > The BCI got it right in developing the Good Practice Guidelines as
> > a high level, non prescriptive set of, well .... , good practices,
> > that can be easily adopted and adapted for the myriad different
> > environments that require good BC capability. Being any more
> > prescriptive than that is going to get messy and provide more
> > negatives than benefits.
> >
> > To have a standard that works, it must be prescriptive. It requires
> > assessable and objective metrics. Stipulating things like "a
> > recovery site must be greater than 20KM from the primary production
> > site" and "if the impact to the business NPAT is greater than 40%
> > for any given event, the business must provide alternative
> > facilities for at least 60% of production capability" would make the
> > BCM practitioner's job so much easier, but would any organisation
> > adopt such a standard? Would any regulator ever enforce such a
> > standard? Would any BCM practitioner be happy working within these
> > constraints? Would this actually provide what we are looking for? My
> > view is a definite no, in all cases.
> >
> > There is a great opportunity for collaborative effort in developing
> > some standard components for inclusion into a set of good/best
> > practice guidelines (not necessarily the BCI's) - things like
> > acronyms, terms and definitions. These can be standardised, and
> > need to be. Many of the basics are covered under many "standards"
> > already in use - regularity of BIA refresh, testing and exercising,
> > basic scenarios etc etc. These could be extrapolated and
> > consolidated into a standardised set of addendums to go with the
> > GPG. But beyond that, I see little to no benefit in trying to force
> > a holistic international, one size fits all standard that will have
> > more chance of making BCM irrelevant than it will provide any
> > benefit.
> >
> > In reality, we need to focus on the differences. To provide good,
> > cost effective and workable solutions that are deliverable,
> > supportable and maintainable and that provide risk mitigation and
> > security to the individual organisation's business objectives. Each
> > business is different. Each solution will be different. There is no
> > right or wrong way of doing it. Just good, better, best - subject
> > to risk appetite and budget!
> >
> > Let's get on with practicing the art and science of Business
> > Continuity Management and build a real value add proposition for
> > business, one that suits the business, not a set of unworkable or
> > inappropriate "standards".
> >
> > Viva la difference!
> >
> >
> > Howard
> > _________________
> > Howard Kenny MBCI
> > Australia
> >
> >
> >
> >
> > --- In discussbusinesscontinuity@yahoogroups.com, "John Glenn, CRP"
> > <JGlennCRP@> wrote:
> > >
> > > I read BSI 25999-1 and BSI 25999-2.
> > >  
> > > I found them both lacking in everything but price. For my money,
> > > NFPA 1600 (and variations on that theme) do a better job and are
> > > more appropriate in tone and presentation for North America.
> > >  
> > > John Glenn, MBCI
> > > Enterprise Risk Management/Business Continuity
> > >
> > >  
> > >
> > > --- On Tue, 1/6/09, john_fernandes@ <john_fernandes@> wrote:
> > >
> > > From: john_fernandes@ <john_fernandes@>
> > > Subject: [discussbusinesscontinuity] American Standard Body to
> > > produce Standard for Business Continuity
> > > To: discussbusinesscontinuity@yahoogroups.com
> > > Date: Tuesday, January 6, 2009, 12:25 PM
> > >
> > > Source : http://www.continuityforum.org/news/0906/ASIS
> > > American Standard Body to produce Standard for Business Continuity
> > >
> > >
> > > ASIS Online based in Virginia has now started the work to develop
> > > its American National Standards Institute (ANSI) project to
> > > produce a Business Continuity Management (BCM) standard, for
> > > approval by ANSI.
> > > Close links have been developed over the past 6 months between
> > > the BSI and the BCM/1 committee and ASIS in order to share
> > > experience and help to build consistency between the key elements
> > > of BS25999 and the proposed ANSI standard.
> > > Participation included key business continuity programme
> > > managers, service providers and other interested parties, and
> > > included representatives from Disaster Recovery Institute
> > > International, Association of Contingency Planners, the Business
> > > Continuity Institute and its U.S. Chapter BCI-USA and the
> > > Continuity Forum.
> > > ASIS then followed initial conversations with further discussions
> > > and engagement in December with the first committee and working
> > > group meetings to be held in Virginia on 15/16th January. The
> > > Continuity Forum is represented on the Committee by Russell Price,
> > > the vice chairman of the group is Kevin Brear (a constant figure
> > > in the development of the British Standard) and it's chaired by
> > > Marc Seigel.
> > > Currently the scope of the ASIS-proposed Business Continuity
> > > Management American National Standard would include auditable
> > > criteria for preparedness, crisis management, business and
> > > operational continuity and disaster management, which covers more
> > > than BS25999 and crosses over into IT service Continuity (BS25777)
> > > and the working group that is addressing the developing issue of
> > > standards for Crisis Management.
> > > The working group has shown commendable openness in establishing
> > > a diverse group with wide ranging experience. ASIS has also stated
> > > its goal was not to infringe on the credibility of current BCM
> > > practitioners or turn BCM into a subset of security management,
> > > but to utilize its position as an ANSI-accredited Standards
> > > Development Organization to lead the effort of the business
> > > continuity community towards a much needed standard.
> > > The compelling need for a new standard that could be both
> > > auditable and scalable had previously been unanimously identified
> > > with most commentators stating that while other standards, such as
> > > NFPA 1600, already existed and provided value to the business
> > > continuity community, the needs of the community were not being
> > > met since they were not auditable. In addition, there was a degree
> > > of separation in planning or were partial to certain industry
> > > segment distortion which did not promote a holistic view of BCM,
> > > addressing the wide range of disciplines today's BCM programs have
> > > to consider.
> > > Interested parties may contact ASIS directly at
> > > standards@asisonline.org.
> > > Continuity Forum Comment
> > > ASIS have seized an opportunity to try and establish
> > > international consistency for BCM by aligning with the excellent
> > > work of the BSI BCM/1 group which developed BS25999. The spread of
> > > specific and international experience contributing to the process
> > > of developing the standard is excellent. Importantly, through
> > > close cooperation and support the BSI and ASIS are helping broaden
> > > and enhance the international nature of BCM planning and sharing
> > > good practice effectively. This could well mean much greater
> > > efficiency and cost effective planning for all international
> > > operations.
> > > In addition, better communication between 'policy makers' on both
> > > sides of the Atlantic will become a valuable driver in the growth
> > > and quality of Business Continuity Planning and Management. The
> > > current scope is very ambitious pulling together a wider mix of
> > > BCM topics than currently included in BS25999 and this we feel may
> > > need to be carefully managed to avoid too much complexity, but it
> > > is certainly worth the effort if we can establish a holistic
> > > usable standard.
> > > About ASIS International
> > > ASIS International is the preeminent organization for security
> > > professionals, with more than 36,000 members worldwide. Founded in
> > > 1955, ASIS is dedicated to increasing the effectiveness and
> > > productivity of security professionals by developing educational
> > > programs and materials that address broad security interests, such
> > > as the ASIS Annual Seminar and Exhibits, as well as specific
> > > security topics. ASIS also advocates the role and value of the
> > > security management profession to business, the media, government
> > > entities and the public. By providing members and the security
> > > community with access to a full range of programs and services,
> > > and by publishing the industry's No. 1 magazine—Security
> > > Management—ASIS leads the way for advanced and improved security
> > > performance.
> > >
> >
>





Mon Jan 19, 2009 8:11 pm

howardkenny