Part 4 Road to Resilience Series - Program Requirements
Understanding regulations to set minimums
In this fourth installment of the Road to Resilience Series – Program Requirements, we’ll touch on setting the guardrails for compliance. For many, this is the carrot-and-stick approach to program governance. If your organization uses a stick type of policy, and most do, the concept is that there is a downside to not complying with program rules. Typically, the requirements come from authorities in the form of laws, regulations, or recommendations governing business continuity, resilience, cybersecurity, disaster recovery, or even crisis management.
Some programs leverage a carrot approach, where you persuade the client to align with requirements. For example, this is typical in the United States, which does not have country-wide requirements for business continuity. Although this may be mundane, new practitioners must understand the required controls.
Why regulation adherence is important
Getting an organization to focus on business continuity is a challenge. It’s helpful when program owners can point to specific regulations to justify a program’s existence. Businesses need disaster recovery (D.R.) plans and business continuity plans to ensure that all critical parts of the organization’s I.T. systems, staffing, vendors, functions, and processes continue to operate when an emergency occurs.
For each country, outside influence is essential as well. Using the U.S. as an example, FINRA is a government-authorized not-for-profit organization that oversees U.S. broker-dealers. The governance body writes and enforces rules governing the ethical activities of all registered broker-dealer firms and registered brokers in the U.S. So if your organization plays a critical role in America’s financial system, FINRA’s influence can’t be overstated. OSHA plays a similar role for employee safety in the U.S., as standard 1910.38 lays out the requirements for workplace emergency action plans. The Sarbanes-Oxley Act only officially applies to publicly traded companies; however, adherence by private companies is helpful to safeguard them from potential future liabilities. For private companies, this applies to record-keeping and retention. Individual industries can also be governed by specific requirements.
A few words on ISO - International Organization for Standardization
Next, let’s touch on the ISO standards. Over the past fifty years, ISO has worked towards providing guidance any organization can use to achieve industry excellence. Adopting a standard ensures improved consistency. In short, the purpose is to install controls for quality and security. However, ISO standards do not have the force of law, and businesses can choose whether to adhere to them.
The benefit is that the standards are recognized internationally. By certifying against them, you signal to others that you’ve adopted an accepted level of excellence. The ISO standards that are most useful for resilience programs are:
- ISO 22301 – Security and resilience — Business continuity management systems — Requirements. The standard was recently updated to support a resilient organization.
- ISO 31000:2018 – Risk management — Guidelines. Provides guidelines on managing the risks faced by organizations.
- ISO/IEC 20000-1 – Information technology — Service management — Part 1: Service management system requirements.
- ISO 22316 – Security and resilience — Organizational resilience — Principles and attributes.
Standards, regulations, legislation, and best practice guidelines
For this part of the series, I want you to have a high-level understanding of the alphabet soup that governs resilience today. As with many industries, there is not a single governance body that guides our work. Instead, there is a patchwork of requirements by country or local jurisdiction. Although many see this as a negative, I choose to see it as giving us the flexibility to build programs that best suit our organization. If you want a reference guide by country of current regulations for Business Continuity Management, check out the Business Continuity Institute’s BCM Legislations, Regulations, Standards, and Good Practice. It provides a comprehensive list by industry and country.
The Disaster Recovery Institute International (DRII) provides members with Professional Practices, and like the BCI, it is an accreditation body. Another resource I found helpful is the Business Continuity Management Institute (BCM Institute)’s BCMedia Wiki on Standards. The BCM Institute is headquartered in Singapore and was established in 2005 to promote and develop the disciplines of Business Continuity Management (BCM) and Disaster Recovery Planning (DRP) for various industries and clients worldwide. You can build a solid framework to align program requirements with these sources. It can also be helpful to connect with your Public Affairs or Legal counsel to gain further insight.
The most regulated industry
Likely, the most regulated industry for resilience is Financial Services (FS). As I discussed in previous blogs, operational resilience is just one of the latest areas that authorities focus on to ensure economic stability. Understandably, FinTech is right in line with that. According to Investopedia, Financial technology (Fintech) is used to describe new tech that seeks to improve and automate the delivery and use of financial services. … Fintech, the word, is a combination of “financial technology”.
From my vantage point, the banking sector is the most regulated in Financial Services. Admittedly, many of you are aware of PS6/21 | CP29/19 | DP1/18 Operational Resilience: Impact tolerances for important business services for the UK. Firms must understand and document impact tolerances for important business services. Regulatory authorities are working to ensure continuity in the face of a crisis. As I have mentioned in blogs and webinars, I believe that ops resilience will expand as the Federal Reserve watches things unfold.
Public sector influences and overview
If you are entering Resilience from another industry, this might be your first introduction to these sources. Or, if you are moving from the public to the private sector, as I did, you may already adhere to Continuity of Operations Planning (COOP) and FEMA’s National Incident Emergency Management (NIMS) or similar in your originating country. The U.S. public sector has its own mishmash of rules and recommendations.
As part of the 9/11 Commission’s recommendations, PS-Prep, the Voluntary Private Sector Preparedness Program, was enacted to encourage businesses to align with federal COOP planning. Its goal was to improve emergency management, business continuity, and disaster management planning. In 2010, the Department of Homeland Security announced the adoption of three standards:
- NFPA 1600 – Standard on Disaster / Emergency Management and Business Continuity Programs, “…a common set of criteria for preparedness, disaster management, emergency management, and business continuity.” (2007 and 2010 editions)
- BS 25999 – Business Continuity Management, “…defines requirements for a management systems approach to business continuity and integrate risk management disciplines and processes.”
- ASIS SPC.1-2009 – Organizational Resilience: Security, Preparedness, and Continuity Management Systems, “…defines requirements for a management systems approach to organizational Resilience.”
Starting from where you are
There are many ways to structure a program, as the Road To Resilience Series – Program Requirements outlines. You can choose to certify your program to the PS-Prep standards in the US. Another option globally is to align with ISO. I see both of these as a Good Housekeeping Seal of Approval. Any system that supports giving your business a competitive advantage is a great way to enhance program value.
You can go down the rabbit hole with regulations, best practice recommendations, and rules. I suggest starting from where you are and conducting a review that highlights adherence to country guidelines. The last step is to conduct a gap analysis to understand the program’s current state. You can then bring recommendations to leadership and launch or update your schedule.
Thanks for continuing this journey with me. If you want to catch up, start from Part 1 of the series, which lays out the Resilience Map of the Future. Next are my thoughts on creating a resilience program vision and strategy. Join me next time as I walk you through building a program plan.