Managing a Business Continuity Management (BCM) Program can be like paddling an overweight canoe upstream against raging rapids. Things change so rapidly you often don’t even notice them because you’re so focused on one goal at a time. Because you can’t see the end of the journey, the best you can do is focus on the next milestone.
The multitude of ‘standards’ and regulatory compliance requirements that BCM programs face can make it difficult to keep the ultimate goal in perspective. Is your goal to meet a standard? Is your goal to assure that your program gets a passing grade from internal or regulatory auditors? If your answer to either of these questions is yes, are you really a Business Continuity Planner or a document pusher? Why isn’t your goal to assure that your organization will be able to respond effectively to a disruption whose cause, timing and impact can’t be anticipated?
Compliance is a valid goal – but is it enough? You may have internal auditors looking over your shoulder. You may have customers demanding to see copies of your Plans. You may have OSHA, the FDA, the FFIEC, the SEC, GLP or other requirements to meet. Your own Compliance Department may be applying SOX or GLBA rules, and your program may have adopted BS 25999, NFPA 1600, or ISO standards.
So of course your BCM program seems geared toward Compliance. After all, if you can’t meet those compliance requirements you probably won’t have a job for long. But by assuring compliance with your organization’s industry and government standards or oversight requirements, are you keeping the ‘audit wolf’ at bay while ignoring your organization’s actual capability to recover from a disruption?
In a sense, assuring that your BCM program is fully compliant is like buying insurance. You’ve paid ‘premiums’ (in this case time and energy) to make sure your organization won’t suffer an adverse impact (fines, reprimands, lost customers or adverse publicity). When you have an audit, your ‘insurance policy’ is in place. And every year you review it and make any adjustments to assure that your program meets any new or expanded requirements (keeping your ‘insurance policy’ up-to-date, and your ‘premiums’ as low as possible).
All good; but is that enough? Should ‘compliance risk’ mitigation be your only objective, your primary objective – or a secondary (but nonetheless mandatory) goal?
If your milestones are audits and regulatory inspections, are you really a Planner – or a Compliance officer? If your primary goal isn’t recoverability, with compliance as a secondary goal, you are probably the latter. Isn’t it time you got your priorities straight?