Business Continuity Standards: Go SlowBy Ericka Chickowski | Posted 2008-09-25 Email Print
Know the Risk: Digital Transformation's Impact on Your Business-Critical Applications REGISTER >
This case study on Repligen, a pharmaceutical company, takes a close look at the benefits and costs of applying business continuity and disaster recovery standards through a certified program. One expert in the field argues that companies should go slow with this process and examine all costs associated with it before deciding on a competing standard. Cerifications are a business, but real cost benefits can come in the form of customer loyalty and more efficient auditing, as well as streamlining business continuity processes.
Take it Slow, Experts Warn
Some disaster recovery specialists don’t expect BS2599 to snowball as the industry standard just yet, though.
That includes Al Berman, executive director of DRII, who says that while his interest has been piqued by the standard he has some definite misgivings about its viability in its current form. As it stands, BS2599 is currently under revision, a fact that he cautions businesses considering certification to take into account.
“I think standards in general are good for the industry and I think that anything that will lead us to being more prepared is a good thing,” Berman says. “(But) I'm always reluctant to deal with a standard that hasn't been finalized. BS25999 is going to undergo change, and if you use strict adherence to what it looked like when it first came out, well then you're going to have to change it.”
One of the most troubling problems he has with the standard right now is how it deals with the ‘corrective action plan.’ This plan prescripted by the standard is formed toward the end of the continuity planning process after an organization tests its disaster recovery plan, finds deficiencies and signs of on a list of corrective actions to mitigate them.
“I've been told that it is discoverable under litigation i.e., you’ve admitted to a deficiency. So, if you are going to go through this process and you're going to acknowledge you have deficiencies and something happens, that represents negligence at best, gross negligence at worst,” Berman says. “I've had this discussion with a number of large corporations and when we get to this point they actually call their general counsel into the discussion and literally turn white when they hear the ramifications.”
Berman also complains that BSI also needs to make the terms of certification more transparent to the outside world—he’s still trying to figure out the exact specifics of how audits and tests are conducted, something he believes is critical to establishing BS25999 as a solid external validation of an organization’s business continuity practices.
“I'm a little concerned about the fact that we haven’t peeled back the onion, if you would, to understand what certification means,” he says.
According to Berman, businesses need to take it slow with adoption and survey their options, because BS2599 isn’t the only holistic framework available and in coming years we should expect to see even more continuity standards emerge. For example, the National Fire Prevention Association 1600 standard has been the official standard in North American for over a decade. And others are coming—currently the American National Standards Institute is charged with overseeing efforts to come up with an even more comprehensive standard in response to lawmaker’s directives in the 9/11-spurred Private Sector Preparedness Act 11053.
Berman expects to see the fruits of those labors come into play in coming years, which may be more meaningful considering that such a standard would have not-for-profit roots.
“I know the BSI people and they are truly qualified dedicated professionals, but then again, it is a business,” Berman says. “If you look at the body who is overseeing Private Sector Preparedness Act 11053, well it is ANSI and ANSI is a not for profit standards organization, so there is a difference.”
So then, what would Berman recommend to organizations looking to improve their disaster recovery and continuity planning?
“My advice to anybody who has asked me about this is, one, go slowly there is no hurry to certify,” Berman says. “And number two is, while there is this confusion over standards and guidance coming out of the US and worldwide, is to make plans based on solid fundamentals. If you look at the structure and basis for most of them and if you use solid fundamentals then in the end you'll be fine.”