That is a difficult problem. First, I suggest conducting a BIA to determine which applications directly impact/generate revenue, to include any sales made through your website. Then you'll be able to prioritize all applications based on that impact to revenue, which will reap dividends when developing your plan. Then I'd suggest working with the people who process sales through the applicable applications to see the sales volume. (If you see ebbs and flows that would also be a good thing to know - so management can determine if/when RTOs can be extended because it's "that time of the year".) From the sales volume you should be able to determine the hourly revenue loss. The bottom line is you can't do this by yourself or in a vacuum; talk to the experts. After you get your bottom line figure, I suggest running this back through your experts so you have their buy-in when you brief management on your findings and can include that buy-in during your brief. I hope this helps. If you have any additional questions please feel free to contact me directly at bc2_llc@...
Bob Cohen, CBCP, CCM, CBRM
--- On Thu, 12/18/08, Perschke, Bill <BPerschke@...> wrote:
From: Perschke, Bill <BPerschke@...> Subject: [discussbusinesscontinuity] Downtime Costs To: discussbusinesscontinuity@yahoogroups.com Date: Thursday, December 18, 2008, 11:23 AM
Our company has just merged with another larger company of the same type.
We are a chain of retail/wholesale auto parts stores.
I have been asked to determine the cost per downtime IT hour at the new corporate headquarters.
Could anyone make recommendations as to how to go about doing this?
I know there are average statistics for many types of companies available.
I know a lot more must go into this than just dividing the gross sales by the number of open hours for the business.
It seems that there would be so many variables it would be difficult to determine this.
Any help or direction would be greatly appreciated.
I agree with Bob Cohen on where to start, but you may want to have the requestor of the downtime figures explain more about what they are looking for.
Being the over-thinker I am, I can see lots of costs that the requestor may not be interested in.
Perhaps the requestor is just asking for the simplest figures, so give them a few options:
Total cost of downtime - a large effort involving a detailed analysis of the value chain: when IT fails, dept A can't work, but who does dept A support who also can't work? How many customers walk out when IT fails? What are the opportunity costs? What is the impact on vendors and deliveries and transportation/distribution? Potential lawsuits from franchisees for not meeting SLAs, or franchise fee reimbursements over lost sales.
Tangible and intangible cost of downtime - involving lost revenues and stuff like customer satisfaction
Simple cost of downtime - your sales divided by hours
Another thing to consider is that when two companies merge and people start talking about costs, they are usually looking for ways to reduce them.
Management may swear that the two companies will be autonomous forever, but unless they are totally separate markets, management will be looking to reduce redundancy and costs.
The IT with the higher cost of downtime can be a way to determine which IT they can best do without - the one with the lower cost of downtime.
You probably haven't done one for your own company, so you'll want to consider management asking for the same figures for your own company to help them make their decisions.
Their assumption may be that the larger company has the higher cost of downtime, so you may want to just go ahead and have a comparison of the two IT depts.
You need to do a Business Impact Analysis for the systems at that location.
First you need to determine what applications run from there, then find out from applications support which departments within the company use these apps.
Then you will need to talk to the management of these departments (and these could be located anywhere within the corporate structure) to determine what the impacts are to that department if the app. is unavailable. These impacts can be financial, or can affect the ability to provide product, retain market share, process payroll or accounts receivable / payable, meet regulatory requirements etc. The impacts will usually increase over time - i.e. an hour or two is a minimum impact in many cases, but a day or two is a much greater impact.
You should also determine from the App. support people if there are any interdependencies between systems, so an app with a low impact could feed data to a higher-impact application that cannot continue processing without it, making the low-impact app just as critical to the overall operation.
Once you have the information summarize it in a spreadsheet or a report, tabulating the direct financial impacts, but not forgetting the "soft" impacts such as customer satisfaction, corporate reputation etc.
American Standard Body to produce Standard for Business Continuity
ASIS Online based in Virginia has now started the work to develop its American National Standards Institute (ANSI) project to produce a Business Continuity Management (BCM) standard, for approval by ANSI.
Close links have been developed over the past 6 months between the BSI and the BCM/1 committee and ASIS in order to share experience and help to build consistency between the key elements of BS25999 and the proposed ANSI standard.
Participation included key business continuity programme managers, service providers and other interested parties, and included representatives from Disaster Recovery Institute International, Association of Contingency Planners, the Business Continuity Institute and its U.S. Chapter BCI-USA and the Continuity Forum.
ASIS then followed initial conversations with further discussions and engagement in December, with the first committee and working group meetings to be held in Virginia on 15/16th January. The Continuity Forum is represented on the Committee by Russell Price, the vice chairman of the group is Kevin Brear (a constant figure in the development of the British Standard) and it's chaired by Marc Seigel.
Currently the scope of the ASIS-proposed Business Continuity Management American National Standard would include auditable criteria for preparedness, crisis management, business and operational continuity and disaster management, which covers more than BS25999 and crosses over into IT service Continuity (BS25777) and the working group that is addressing the developing issue of standards for Crisis Management.
The working group has shown commendable openness in establishing a diverse group with wide ranging experience. ASIS has also stated its goal was not to infringe on the credibility of current BCM practitioners or turn BCM into a subset of security management, but to utilize its position as an ANSI-accredited Standards Development Organization to lead the effort of the business continuity community towards a much needed standard.
The compelling need for a new standard that could be both auditable and scalable had previously been unanimously identified, with most commentators stating that while other standards, such as NFPA 1600, already existed and provided value to the business continuity community, the needs of the community were not being met since they were not auditable. In addition, there was a degree of separation in planning or were partial to certain industry segment distortion which did not promote a holistic view of BCM, addressing the wide range of disciplines today’s BCM programs have to consider.
Interested parties may contact ASIS directly at standards@....
Continuity Forum Comment
ASIS have seized an opportunity to try and establish international consistency for BCM by aligning with the excellent work of the BSI BCM/1 group which developed BS25999. The spread of specific and international experience contributing to the process of developing the standard is excellent. Importantly, through close cooperation and support the BSI and ASIS are helping broaden and enhance the international nature of BCM planning and sharing good practice effectively. This could well mean much greater efficiency and cost effective planning for all international operations.
In addition, better communication between ‘policy makers’ on both sides of the Atlantic will become a valuable driver in the growth and quality of Business Continuity Planning and Management. The current scope is very ambitious pulling together a wider mix of BCM topics than currently included in BS25999 and this we feel may need to be carefully managed to avoid too much complexity, but it is certainly worth the effort if we can establish a holistic usable standard.
About ASIS International
ASIS International is the preeminent organization for security professionals, with more than 36,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s No. 1 magazine—Security Management—ASIS leads the way for advanced and improved security performance.
I found them both lacking in everything but price. For my money, NFPA 1600 (and variations on that theme) do a better job and are more appropriate in tone and presentation for North America.
John Glenn, MBCI
Enterprise Risk Management/Business Continuity
--- On Tue, 1/6/09, john_fernandes@... <john_fernandes@...> wrote:
From: john_fernandes@... <john_fernandes@...> Subject: [discussbusinesscontinuity] American Standard Body to produce Standard for Business Continuity To: discussbusinesscontinuity@yahoogroups.com Date: Tuesday, January 6, 2009, 12:25 PM
I completely agree with you. If ASIS is going through this (in my opinion) unnecessary effort because they feel NFPA isn't auditable, it seems to me their effort would be better spent working with the BC industry folks to develop an audit capability. I think any work under a given standard can be audited. But maybe I'm just not in tune with the bigger picture.
Regards
Bob Cohen, CBCP
--- On Wed, 1/7/09, John Glenn, CRP <JGlennCRP@...> wrote:
From: John Glenn, CRP <JGlennCRP@...> Subject: Re: [discussbusinesscontinuity] American Standard Body to produce Standard for Business Continuity To: discussbusinesscontinuity@yahoogroups.com Date: Wednesday, January 7, 2009, 5:27 AM
I read BSI 25999-1 and BSI 25999-2.
I found them both lacking in everything but price. For my money, NFPA 1600 (and variations on that theme) do a better job and are more appropriate in tone and presentation for North America.
John Glenn, MBCI
Enterprise Risk Management/Business Continuity
--- On Tue, 1/6/09, john_fernandes@cargill.com <john_fernandes@cargill.com> wrote:
From: john_fernandes@cargill.com <john_fernandes@cargill.com> Subject: [discussbusinesscontinuity] American Standard Body to produce Standard for Business Continuity To: discussbusinesscontinuity@yahoogroups.com Date: Tuesday, January 6, 2009, 12:25 PM
What is it with this "one size fits all" mentality we are developing? Like the organisations, and sub sections within these organisations, that we service, there are very real differences that cannot, and should not, be shoehorned into something that nearly fits. I'm all for standards and standardisation - where they fit and make sense. But not when they become a hindrance or detract from what it is we are trying to achieve and deliver. For instance, the UK has risk as an embodiment of BCM - Australia has BCM as a risk control under the Op Risk framework. Not an issue in practice, but a major stumbling block when trying to apply a standard that is fundamentally opposed!
The BCI got it right in developing the Good Practice Guidelines as a high level, non prescriptive set of, well .... , good practices, that can be easily adopted and adapted for the myriad different environments that require good BC capability. Being any more prescriptive than that is going to get messy and provide more negatives than benefits.
To have a standard that works, it must be prescriptive. It requires assessable and objective metrics. Stipulating things like "a recovery site must be greater than 20KM from the primary production site" and "if the impact to the business NPAT is greater than 40% for any given event, the business must provide alternative facilities for at least 60% of production capability" would make the BCM practitioner's job so much easier, but would any organisation adopt such a standard? Would any regulator ever enforce such a standard? Would any BCM practitioner be happy working within these constraints? Would this actually provide what we are looking for? My view is a definite no, in all cases.
There is a great opportunity for collaborative effort in developing some standard components for inclusion into a set of good/best practice guidelines (not necessarily the BCI's) - things like acronyms, terms and definitions. These can be standardised, and need to be. Many of the basics are covered under many "standards" already in use - regularity of BIA refresh, testing and exercising, basic scenarios etc etc. These could be extrapolated and consolidated into a standardised set of addendums to go with the GPG. But beyond that, I see little to no benefit in trying to force a holistic international, one size fits all standard that will have more chance of making BCM irrelevant than it will provide any benefit.
In reality, we need to focus on the differences. To provide good, cost effective and workable solutions that are deliverable, supportable and maintainable and that provide risk mitigation and security to the individual organisation's business objectives. Each business is different. Each solution will be different. There is no right or wrong way of doing it. Just good, better, best - subject to risk appetite and budget!
Let's get on with practicing the art and science of Business Continuity Management and build a real value add proposition for business, one that suits the business, not a set of unworkable or inappropriate "standards".
Viva la difference!
Howard
_________________
Howard Kenny MBCI
Australia
--- In discussbusinesscontinuity@yahoogroups.com, "John Glenn, CRP"
<JGlennCRP@...> wrote:
>
> I read BSI 25999-1 and BSI 25999-2.
>
> I found them both lacking in everything but price. For my money, NFPA 1600 (and variations on that theme) do a better job and are more appropriate in tone and presentation for North America.
>
> John Glenn, MBCI
> Enterprise Risk Management/Business Continuity
>
> --- On Tue, 1/6/09, john_fernandes@... <john_fernandes@...> wrote:
>
> From: john_fernandes@... <john_fernandes@...>
> Subject: [discussbusinesscontinuity] American Standard Body to produce Standard for Business Continuity
> To: discussbusinesscontinuity@yahoogroups.com
> Date: Tuesday, January 6, 2009, 12:25 PM
>
> Source : http://www.continuityforum.org/news/0906/ASIS
> American Standard Body to produce Standard for Business Continuity
A few questions I'd like to pose to the forum based on what others think about the flurry of Standards being developed.
1. Will BCM become a better value proposition for business if programs and solutions conform to a set of standards?
2. How prescriptive should a standard for BCM be?
3. Should there be a single holistic international standard, or would we be better served by a set of standards, with a common baseline, that acknowledges the differences between geographical location, industry sector and size and scale of organisations?
4. Are we already well serviced by existing standards, guidelines and regulatory requirements?
5. What, exactly, will we be looking to achieve in a single one size fits all standard, if we were to go that way?
6. How much compromise will we be prepared to accept in how we do things and what we deliver for the sake of meeting a standard?
7. Will a BCM standard be able to influence regulators and others who may need to change their requirements / standards to suit to make it useful anyway?
I'd really be interested in hearing the views of other BCM professionals out there. In the end, we are the ones who will be working to and implementing the standard, should any really become the "one"!
Thanks
Howard
_________________
Howard Kenny MBCI
Australia
--- In discussbusinesscontinuity@yahoogroups.com, "Howard Kenny" <howard@...> wrote:
>
> What is it with this "one size fits all" mentality we are developing?
>
> Like the organisations, and sub sections within these organisations, that we service, there are very real differences that cannot, and should not, be shoehorned into something that nearly fits. I'm all for standards and standardisation - where they fit and make sense. But not when they become a hindrance or detract from what it is we are trying to achieve and deliver. For instance, UK have risk as an embodiment of BCM - Australia has BCM as a risk control under the Op Risk framework. Not an issue in practice, but a major stumbling block when trying to apply a standard that is fundamentally opposed!
>
> The BCI got it right in developing the Good Practice Guidelines as a high level, non prescriptive set of, well .... , good practices, that can be easily adopted and adapted for the myriad different environments that require good BC capability. Being any more prescriptive than that is going to get messy and provide more negatives than benefits.
>
> To have a standard that works, it must be prescriptive. It requires assessable and objective metrics. Stipulating things like "a recovery site must be greater than 20KM from the primary production site" and "if the impact to the business NPAT is greater than 40% for any given event, the business must provide alternative facilities for at least 60% of production capability" would make the BCM practitioner's job so much easier, but would any organisation adopt such a standard? Would any regulator ever enforce such a standard? Would any BCM practitioner be happy working within these constraints? Would this actually provide what we are looking for? My view is a definite no, in all cases.
>
> There is a great opportunity for collaborative effort in developing some standard components for inclusion into a set of good/best practice guidelines (not necessarily the BCI's) - things like acronyms, terms and definitions. These can be standardised, and need to be. Many of the basics are covered under many "standards" already in use - regularity of BIA refresh, testing and exercising, basic scenarios etc etc. These could be extrapolated and consolidated into a standardised set of addendums to go with the GPG. But beyond that, I see little to no benefit in trying to force a holistic international, one size fits all standard that will have more chance of making BCM irrelevant than it will provide any benefit.
>
> In reality, we need to focus on the differences. To provide good, cost effective and workable solutions that are deliverable, supportable and maintainable and that provide risk mitigation and security to the individual organisation's business objectives. Each business is different. Each solution will be different. There is no right or wrong way of doing it. Just good, better, best - subject to risk appetite and budget!
>
> Let's get on with practicing the art and science of Business Continuity Management and build a real value add proposition for business, one that suits the business, not a set of unworkable or inappropriate "standards".
>
> Viva la difference!
>
> Howard
> _________________
> Howard Kenny MBCI
> Australia
>
> --- In discussbusinesscontinuity@yahoogroups.com, "John Glenn, CRP" <JGlennCRP@> wrote:
> >
> > I read BSI 25999-1 and BSI 25999-2.
> >
> > I found them both lacking in everything but price. For my money, NFPA 1600 (and variations on that theme) do a better job and are more appropriate in tone and presentation for North America.
> >
> > John Glenn, MBCI
> > Enterprise Risk Management/Business Continuity
> >
> > --- On Tue, 1/6/09, john_fernandes@ <john_fernandes@> wrote:
> >
> > From: john_fernandes@ <john_fernandes@>
> > Subject: [discussbusinesscontinuity] American Standard Body to produce Standard for Business Continuity
> > To: discussbusinesscontinuity@yahoogroups.com
> > Date: Tuesday, January 6, 2009, 12:25 PM
> >
> > Source : http://www.continuityforum.org/news/0906/ASIS
> > American Standard Body to produce Standard for Business Continuity
> >
> > ASIS Online based in Virginia has now started the work to develop its American National Standards Institute (ANSI) project to produce a Business Continuity Management (BCM) standard, for approval by ANSI.
> > Close links have been developed over the past 6 months between the BSI and the BCM/1 committee and ASIS in order to share experience and help to build consistency between the key elements of BS25999 and the proposed ANSI standard.
> > Participation included key business continuity programme managers, service providers and other interested parties, and included representatives from Disaster Recovery Institute International, Association of Contingency Planners, the Business Continuity Institute and its U.S. Chapter BCI-USA and the Continuity Forum.
> > ASIS then followed initial conversations with further discussions and engagement in December with the first committee and working group meetings to be held in Virginia on 15/16th January. The Continuity Forum is represented on the Committee by Russell Price, the vice chairman of the group is Kevin Brear (a constant figure in the development of the British Standard) and it's chaired by Marc Seigel.
> > Currently the scope of the ASIS-proposed Business Continuity Management American National Standard would include auditable criteria for preparedness, crisis management, business and operational continuity and disaster management, which covers more than BS25999 and crosses over into IT service Continuity (BS25777) and the working group that is addressing the developing issue of standards for Crisis Management.
> > The working group has shown commendable openness in establishing a diverse group with wide ranging experience. ASIS has also stated its goal was not to infringe on the credibility of current BCM practitioners or turn BCM into a subset of security management, but to utilize its position as an ANSI-accredited Standards Development Organization to lead the effort of the business continuity community towards a much needed standard.
> > The compelling need for a new standard that could be both auditable and scalable had previously been unanimously identified with most commentators stating that while other standards, such as NFPA 1600, already existed and provided value to the business continuity community, the needs of the community were not being met since they were not auditable. In addition, there was a degree of separation in planning or were partial to certain industry segment distortion which did not promote a holistic view of BCM, addressing the wide range of disciplines today's BCM programs have to consider.
> > Interested parties may contact ASIS directly at standards@asisonline.org.
> > Continuity Forum Comment
> > ASIS have seized an opportunity to try and establish international consistency for BCM by aligning with the excellent work of the BSI BCM/1 group which developed BS25999. The spread of specific and international experience contributing to the process of developing the standard is excellent. Importantly, through close cooperation and support the BSI and ASIS are helping broaden and enhance the international nature of BCM planning and sharing good practice effectively. This could well mean much greater efficiency and cost effective planning for all international operations.
> > In addition, better communication between 'policy makers' on both sides of the Atlantic will become a valuable driver in the growth and quality of Business Continuity Planning and Management. The current scope is very ambitious pulling together a wider mix of BCM topics than currently included in BS25999 and this we feel may need to be carefully managed to avoid too much complexity, but it is certainly worth the effort if we can establish a holistic usable standard.
> > About ASIS International
> > ASIS International is the preeminent organization for security professionals, with more than 36,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry's No. 1 magazine—Security Management—ASIS leads the way for advanced and improved security performance.
> >
>
Rather than a point by point response, I'd like to share my 2 cents
on the subject of BCP standards both as an auditor and as a
practitioner.
First of all, I've never met an external auditor I couldn't
bamboozle. I've always worked for small or small-end medium sized
companies. The big accounting firms send out their trainees to
conduct the audit. It's not hard to pass an audit with or without
standards.
Second, each industry and/or country has its own regulatory agencies
and set of rules and laws. They bear scant resemblance to each other
beyond the spelling of BCP. They are not going to give up their turf
any time soon. Some (maybe most) companies are not under BCP
regulations at all.
Third, these are very difficult economic times. Most companies want
to know what they need to do to be in compliance with their
individual regulatory agency (if any). There are industry regulators
that require a BC Plan, but don't know what that is. Question: do
you have a plan? Answer: yes. Next question.
I have had my best success selling a solid mitigation and
preparedness plan including exercises not because a regulator said we
had to or because a standard said we had to, but because it makes
good business sense. Standards may assist the BCP practitioner in
making good choices, but they will never lead to management
commitment. For that, you have to know what you are talking about
and present a solid business case for spending the resources. It has
to make sense.
Thanks to everyone who took the time to provide their views and input
into this discussion.
Obviously there are 3 sides - yes, standards are always a good thing;
no, standards provide little practical benefit; and maybe, depending
what they say and how good the content is and the ability for
benefits to be achieved for the business.
Let's hope those developing the current set of proposed standards are
experienced, competent and pragmatic enough to know the difference!
We must never lose sight of the fact that BCM is all about the
Business. It is never about making an auditor's job easier, comparing
capabilities or satisfying pride through competition and nefarious
comparisons.
If, on the day of need, the Plan does not deliver what the Plan needs
to deliver, we have failed.
Howard
_________________
Howard Kenny MBCI
Australia
--- In discussbusinesscontinuity@yahoogroups.com, "Howard Kenny" <howard@...> wrote:
>
> A few questions I'd like to pose to the forum based on what others think about the flurry of Standards being developed.
>
> 1. Will BCM become a better value proposition for business if programs and solutions conform to a set of standards?
> 2. How prescriptive should a standard for BCM be?
> 3. Should there be a single holistic international standard, or would we be better served by a set of standards, with a common baseline, that acknowledges the differences between geographical location, industry sector and size and scale of organisations?
> 4. Are we already well serviced by existing standards, guidelines and regulatory requirements?
> 5. What, exactly, will we be looking to achieve in a single one size fits all standard, if we were to go that way?
> 6. How much compromise will we be prepared to accept in how we do things and what we deliver for the sake of meeting a standard?
> 7. Will a BCM standard be able to influence regulators and others who may need to change their requirements / standards to suit to make it useful anyway?
>
> I'd really be interested in hearing the views of other BCM professionals out there. In the end, we are the ones who will be working to and implementing the standard, should any really become the "one"!
>
> Thanks
>
> Howard
>
> _________________
> Howard Kenny MBCI
> Australia
>
> --- In discussbusinesscontinuity@yahoogroups.com, "Howard Kenny" <howard@> wrote:
> >
> > What is it with this "one size fits all" mentality we are developing?
> >
> > Like the organisations, and sub sections within these organisations, that we service, there are very real differences that cannot, and should not, be shoehorned into something that nearly fits. I'm all for standards and standardisation - where they fit and make sense. But not when they become a hindrance or detract from what it is we are trying to achieve and deliver. For instance, UK have risk as an embodiment of BCM - Australia has BCM as a risk control under the Op Risk framework. Not an issue in practice, but a major stumbling block when trying to apply a standard that is fundamentally opposed!
> >
> > The BCI got it right in developing the Good Practice Guidelines as a high level, non prescriptive set of, well .... , good practices, that can be easily adopted and adapted for the myriad different environments that require good BC capability. Being any more prescriptive than that is going to get messy and provide more negatives than benefits.
> >
> > To have a standard that works, it must be prescriptive. It requires assessable and objective metrics. Stipulating things like "a recovery site must be greater than 20KM from the primary production site" and "if the impact to the business NPAT is greater than 40% for any given event, the business must provide alternative facilities for at least 60% of production capability" would make the BCM practitioner's job so much easier, but would any organisation adopt such a standard? Would any regulator ever enforce such a standard? Would any BCM practitioner be happy working within these constraints? Would this actually provide what we are looking for? My view is a definite no, in all cases.
> >
> > There is a great opportunity for collaborative effort in developing some standard components for inclusion into a set of good/best practice guidelines (not necessarily the BCI's) - things like acronyms, terms and definitions. These can be standardised, and need to be. Many of the basics are covered under many "standards" already in use - regularity of BIA refresh, testing and exercising, basic scenarios etc etc. These could be extrapolated and consolidated into a standardised set of addendums to go with the GPG. But beyond that, I see little to no benefit in trying to force a holistic international, one size fits all standard that will have more chance of making BCM irrelevant than it will provide any benefit.
> >
> > In reality, we need to focus on the differences. To provide good, cost effective and workable solutions that are deliverable, supportable and maintainable and that provide risk mitigation and security to the individual organisation's business objectives. Each business is different. Each solution will be different. There is no right or wrong way of doing it. Just good, better, best - subject to risk appetite and budget!
> >
> > Let's get on with practicing the art and science of Business Continuity Management and build a real value add proposition for business, one that suits the business, not a set of unworkable or inappropriate "standards".
> >
> > Viva la difference!
> >
> > Howard
> > _________________
> > Howard Kenny MBCI
> > Australia
> >
> > --- In discussbusinesscontinuity@yahoogroups.com, "John Glenn, CRP" <JGlennCRP@> wrote:
> > >
> > > I read BSI 25999-1 and BSI 25999-2.
> > >
> > > I found them both lacking in everything but price. For my money, NFPA 1600 (and variations on that theme) do a better job and are more appropriate in tone and presentation for North America.
> > >
> > > John Glenn, MBCI
> > > Enterprise Risk Management/Business Continuity
> > >
> > > --- On Tue, 1/6/09, john_fernandes@ <john_fernandes@> wrote:
> > >
> > > From: john_fernandes@ <john_fernandes@>
> > > Subject: [discussbusinesscontinuity] American Standard Body to produce Standard for Business Continuity
> > > To: discussbusinesscontinuity@yahoogroups.com
> > > Date: Tuesday, January 6, 2009, 12:25 PM
> > >
> > > Source : http://www.continuityforum.org/news/0906/ASIS
> > > American Standard Body to produce Standard for Business Continuity
> > >
> > > ASIS Online based in Virginia has now started the work to develop its American National Standards Institute (ANSI) project to produce a Business Continuity Management (BCM) standard, for approval by ANSI.
> > > Close links have been developed over the past 6 months between the BSI and the BCM/1 committee and ASIS in order to share experience and help to build consistency between the key elements of BS25999 and the proposed ANSI standard.
> > > Participation included key business continuity programme managers, service providers and other interested parties, and included representatives from Disaster Recovery Institute International, Association of Contingency Planners, the Business Continuity Institute and its U.S. Chapter BCI-USA and the Continuity Forum.
> > > ASIS then followed initial conversations with further discussions and engagement in December with the first committee and working group meetings to be held in Virginia on 15/16th January. The Continuity Forum is represented on the Committee by Russell Price, the vice chairman of the group is Kevin Brear (a constant figure in the development of the British Standard) and it's chaired by Marc Seigel.
> > > Currently the scope of the ASIS-proposed Business Continuity Management American National Standard would include auditable criteria for preparedness, crisis management, business and operational continuity and disaster management, which covers more than BS25999 and crosses over into IT service Continuity (BS25777) and the working group that is addressing the developing issue of standards for Crisis Management.
> > > The working group has shown commendable openness in establishing a diverse group with wide ranging experience. ASIS has also stated its goal was not to infringe on the credibility of current BCM practitioners or turn BCM into a subset of security management, but to utilize its position as an ANSI-accredited Standards Development Organization to lead the effort of the business continuity community towards a much needed standard.
> > > The compelling need for a new standard that could be both auditable and scalable had previously been unanimously identified with most commentators stating that while other standards, such as NFPA 1600, already existed and provided value to the business continuity community, the needs of the community were not being met since they were not auditable. In addition, there was a degree of separation in planning or were partial to certain industry segment distortion which did not promote a holistic view of BCM, addressing the wide range of disciplines today's BCM programs have to consider.
> > > Interested parties may contact ASIS directly at standards@asisonline.org.
> > > Continuity Forum Comment
> > > ASIS have seized an opportunity to try and establish international consistency for BCM by aligning with the excellent work of the BSI BCM/1 group which developed BS25999. The spread of specific and international experience contributing to the process of developing the standard is excellent. Importantly, through close cooperation and support the BSI and ASIS are helping broaden and enhance the international nature of BCM planning and sharing good practice effectively. This could well mean much greater efficiency and cost effective planning for all international operations.
> > > In addition, better communication between 'policy makers' on both sides of the Atlantic will become a valuable driver in the growth and quality of Business Continuity Planning and Management. The current scope is very ambitious pulling together a wider mix of BCM topics than currently included in BS25999 and this we feel may need to be carefully managed to avoid too much complexity, but it is certainly worth the effort if we can establish a holistic usable standard.
> > > About ASIS International
> > > ASIS International is the preeminent organization for security professionals, with more than 36,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry's No. 1 magazine—Security Management—ASIS leads the way for advanced and improved security performance.
> > >
> >
>
Maybe the broad BCM should include a class to qualify auditors. Perhaps the leading certifying organisations could develop (if they have not already) an "auditor" certification that certifies that the auditor can do more than simply spell "BC." Auditors can be very beneficial to our efforts.
John Glenn, MBCI
Enterprise Risk Management/Business Continuity
--- On Mon, 1/19/09, Howard Kenny <howard@...> wrote:
From: Howard Kenny <howard@...> Subject: [discussbusinesscontinuity] Standards for Business Continuity To: discussbusinesscontinuity@yahoogroups.com Date: Monday, January 19, 2009, 3:11 PM
Thanks to everyone who took the time to provide their views and input into this discussion.
Obviously there are 3 sides - yes, standards are always a good thing; no, standards provide little practical benefit; and maybe, depending what they say and how good the content is and the ability for benefits to be achieved for the business.
Let's hope those developing the current set of proposed standards are experienced, competent and pragmatic enough to know the difference!
We must never lose sight of the fact that BCM is all about the Business. It is never about making an auditors job easier, comparing capabilities or satisfying pride through competition and nefarious comparisons.
If, on the day of need, the Plan does not deliver what the Plan needs to deliver, we have failed.
Howard
_________________
Howard Kenny MBCI
Australia
A few questions I'd like to pose to the forum based on what others think about the flurry of Standards being developed.
1. Will BCM become a better value proposition for business if programs and solutions conform to a set of standards?
Yes, like ISO certifications, some businesses and customers and auditors will value the standards as a way to quickly determine and advertise competence.
2. How prescriptive should a standard for BCM be?
As prescriptive as is practical including globally required considerations.
For example it wouldn't tell you how far away your recovery site should be, but it would tell you to document that the distance was considered and how the distance was determined.
3. Should there be a single holistic international standard, or would we be better served by a set of standards, with a common baseline, that acknowledges the differences between geographical location, industry sector and size and scale of organisations?
A single standard eliminates confusion and reduces the cost and effort from having to meet multiple standards in all locations or different standards in multiple locations.
4. Are we already well serviced by existing standards, guidelines and regulatory requirements?
Yes, but we need a certifying body.
5. What, exactly, will we be looking to achieve in a single one size fits all standard, if we were to go that way?
An authoritative consensus on what is necessary in a good program.
6. How much compromise will we be prepared to accept in how we do things and what we deliver for the sake of meeting a standard?
If a standard includes the minimum requirements for a good program, then the compromise would be to use the standard to create a good program.
The inference is that if it doesn't meet the standard, then it's not a good program.
7. Will a BCM standard be able to influence regulators and others who may need to change their requirements / standards to suit to make it useful anyway?
Yes, regulators and auditors look for guidelines to help them ensure the practices are good.
If the business is BCM certified, the regulator's or auditor's job in that area is more quickly completed.
--- In discussbusinesscontinuity@yahoogroups.com, "Bill Lang" <wrlang@...> wrote:
> 1. Will BCM become a better value proposition for business if programs and solutions conform to a set of standards?
>
Not necessarily. If the standard is a good one, then it will improve
overall BCP efforts. However, just because something is a standard
doesn't make it a good value proposition.