So you're in the mood for soup again? Then let's get cookin'!
If you remember from my last blog on the subject, our goal is to turn the vast number of Business Continuity Management (BCM) related regulations, methodologies and best practices you have to consider (aka, your regulatory alphabet soup) into a scrumptious recipe you can enjoy (ok, at least a list you can digest and actually do something with...).
Remember, the first step is to make a good list of those sources that may apply to your business (refer to my earlier blog about how to do that). This is an important starting point since you don't want to leave anything critical out. What you do next is outlined in the recipe below...
Eliminate What Doesn’t Apply To You
The goal of this step is to understand each source well enough that you can begin eliminating the ones that don’t apply to you. Once you are comfortable with your list of regulations, methodologies, maturity models and laws, you can start reducing it. Here are some ways to do that.
Laws and Regulations – If a law or regulation applies to your business – follow it! If you have questions or need advice, talk to your legal department.
Your Industry – Many of these sources apply to specific industries, such as the Federal Financial Institutions Examination Council (FFIEC) for the financial services industry. Eliminate those that don’t apply to your industry. Although some of these may have great ideas, chances are they are replicated in another source.
Where You Do Business – This might be obvious, but include those authoritative sources that apply to the part of the world where your company does business. If the Australian Commonwealth Criminal Code (1994) doesn’t apply to where you do business, that’s a good one to take off your list!
Good Practices – This speaks mostly to the methodologies and best practices out there, such as the Carnegie Mellon Resilience Management Model. These models strive to represent best practices or give you a roadmap on how to mature your program. Implement what works for your company – it could be the best practices out there, or maybe it’s just the practice that’s best for you.
Business Continuity/Disaster Recovery (BC/DR) Program Maturity Level – Something to consider, especially when you’re determining which best practices or methodologies to adopt, is the maturity of your BC/DR program. Do not eat the elephant all at once; instead, adopt the methodologies that coincide with the maturity level of your program. They will give you practical advice and steps to keep developing your program in a way that doesn’t outstep your company’s ability to progress along with you.
Once you’ve determined the right list of sources your company needs to comply with, a few more questions need answers: What is the priority order of the sources that apply to my company? How do I coordinate compliance across the sources without duplicating or missing something? How will I prove compliance if my program is audited?
Now Get Organized
Prioritize First – Of the sources you’ve selected, you’ll now want to prioritize what’s most important to comply with. Come up with a prioritization approach that makes sense for your company. Laws and regulations are typically pretty important, so consider these first. Then you may want to look at industry guidance, then regional guidance, and finally methodologies or best practices that make sense for your business.
Coordinate the Sources – This can be a real challenge and requires an organized effort to match up the sources you’re going to comply with to identify where they overlap or differ. Put a comprehensive list together to help you match up those duplicate requirements and consolidate them. Once you have a good list of requirements spanning all your authoritative sources, take it a step further and prioritize the requirements so you can start with what’s most important.
Use Your Resources – If you’re thinking about this, chances are that there are others in your company that are too. Work to coordinate your plans with other departments that may have a similar interest in the program – specifically legal, compliance and audit departments. Let them know your intentions and approach and leverage what they’ve done or are doing. If your company uses automated methods, such as a tool suite to manage governance, risk or compliance, leverage that too.
Measure and Evaluate – Remember, everything we do in the business world – even compliance – is a cost-benefit decision. More and more, BC/DR is not only becoming an executive strategic imperative but also a discipline that must show proven results – quantitative and qualitative. So, it’s important to set goals, measure your progress, self-evaluate and report your results. Be proactive and vocal too! We practitioners know BC/DR is an invaluable discipline, but to the executive or business partner who has many priorities, it’s often just another one on the list. You have to prove how critical BC/DR is and that you’re reducing risk to the company. An automated tool suite can be a great way to track your plan, measure your results and evaluate it all.
A word about audits – Now, I don’t speak for all auditors out there, but having been one for 15 years, here’s my perspective. There are always those audits (or auditors) that will evaluate each and every requirement of the audit subject to the ‘T’. If this type of authoritative source, or others like it, is a requirement for your program, make sure you build it into your compliance approach. Additionally, I performed audits across many companies, industries, organizations and topics, and I always appreciated the group that had a logical, well-organized, justifiable, documented plan and program. Be organized, show and prove what you’ve done, and this will go a long way. It may not be perfect or prevent any and all findings, but some feedback is always good.
Keep Your Eyes Open – In today’s global business world, one thing is for certain and that’s change. Be aware of changes in the authoritative sources you follow, as well as new sources that emerge and their implications on your business and program. Also be aware of changes to your business, such as acquisitions (that may require additional authoritative sources), divestitures (that may reduce sources you have to comply with), or other business changes that may have downstream effects on your program.
So, back to that bowl of soup – is it looking more palatable now? There's still a lot of work to do, but hopefully this approach will give you some food for thought to help you organize your soup into something that makes sense. Another great source is your BC/DR colleagues in your industry or location. Ask them how they've done it – our industry is filled with people who are a wealth of knowledge and experience. I’m also interested in your feedback, and if I can ever help in any way, send me a note.
Good luck and bon appétit!