It's possible (and quite common) to create a business continuity plan (and a business continuity program) without standards.
Why then should you consider the use of a standard?
There are two major reasons:
- The supply chain may require it.
- Your lawyers may demand it.
The Supply Chain Reason
Let's imagine you are part of a complex supply chain. You produce a product critical to your company's operations, and in order to produce that product, you consume the products and services of ten other companies.
Naturally, you have a business continuity plan in place. It is (genuinely) a wonderful plan. You know it is a wonderful plan. It's been tested (as far as is possible), and you are completely happy with it.
But what you are less sure about is your suppliers. You know that there is a significant (if not large) risk that any company can suffer a major incident. From reading around, you have decided that this risk is about 5% a year, i.e., a company can expect to suffer a major incident about once every twenty years.
Now you start doing the math. If each of your ten suppliers has a 5% risk of an incident in a year, then the probability of you having a problem this year due to at least one supplier is 40%. [Not a misprint. If you thought it was 50% you either didn't read the previous sentence carefully or didn't pay enough attention at school.] That's significant. It's considerably bigger than your own probability of having an incident. And it's not under your direct control.
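The supplier arithmetic, written out (an added derivation, not part of the original post; p is the per-supplier annual incident probability and n the number of suppliers, and supplier incidents are assumed to be independent):

$$
P(\text{at least one supplier incident}) = 1 - (1-p)^n = 1 - 0.95^{10} \approx 1 - 0.599 = 0.401 \approx 40\%
$$

The naive figure of 50% comes from simply adding the ten risks, $10 \times 5\%$, which double-counts the years in which more than one supplier has an incident; the complement $(1-p)^n$ is the probability that none of them does. Note that if supplier incidents are correlated (a regional power outage, a shared sub-supplier), the independence assumption no longer holds and the true figure can differ from 40% in either direction.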
So you write to each of your suppliers, asking them what Business Continuity Program they have in place.
They write back:
"Of course we have a business continuity plan in place. It's an excellent plan, truly worthy of its place in the pantheon of business continuity plans."
You're not so sure, so you ask to see the plan.
There's a little bit of hesitancy at this point. Some of the suppliers make excuses (probably "for confidentiality reasons") and some of those excuses sound a little dubious. But some let you look. And then you realize: even if you look at the plan, you have no idea from a simple reading of it whether it will work or not. What is more, you have to do this for all ten of your major suppliers.
It's at this point one of your key customers asks you the same question. You are (we hope) happy to share your plan with them, having removed any parts that contain personal data or confidential information. And they have exactly the same problem as you. Although you can assure them that the plan is wonderful and will work, they have no idea of whether your plan will work either.
Now each of the plans was truly wonderful and did everything a plan should do. But without standards nobody else can tell that without examining each plan and understanding each business. A business continuity program certified as being in accordance with a standard solves the problem, in the same way that a quality program certified as being in accordance with ISO 9000 simplifies assessment of supplier quality procedures.
The Legal Reason
Imagine that a disaster has happened.
Your company lost millions of dollars due to a fire at the main office. Shareholders are angry, and launch a class action lawsuit. Customers are angry, and launch lawsuits for breach of contract. Employees are angry because they have been laid off. You are called to the stand to testify. The cross-examination runs something like this:
So you were responsible for the company's business continuity program?
And did your company conduct a Business Impact Assessment warning of the losses that might occur if your operations at the main office were disrupted?
Well, no. We just created our plan assuming that...
An answer yes or no will do.
Did you have a Risk Register, identifying the risk of a fire at your head office and the associated losses?
And did you have a business continuity plan?
And was this plan built in accordance with any standards?
Well, we used what we considered to be good industry practice. But no specific standard...
So let me get this straight. You didn't do a business impact analysis to understand potential losses, you didn't have a risk register to identify potential risks, you didn't use any recognized standards, and when you put your plan into action your company lost millions of dollars. It can't have been a very good plan, can it?
No further questions.
* * * * *
As you can see, the problem is not that the plan wasn't good. It's that with perfect hindsight it demonstrably wasn't good enough.
This is not a problem unique to business continuity. It's a widespread problem in product design and civil engineering. One defense against negligence (applicable in many jurisdictions) is that the work done met generally accepted standards. If your plan is only based on your own standards, it's very hard to prove that it meets that criterion.
So you need a standard - but which?
So even though your plan may be excellent and comfortably exceed the expectations of any standard, there are important reasons to seek standards compliance.
If your plan's quality needs to be assessed by other companies in the supply chain, it will one day need to be certified to a recognized standard purely for market efficiency reasons. And if your plan is ever examined in retrospect, a plan which doesn't reference common standards is going to be unpleasant to defend in court.
For supply chain purposes, you need a standard you can be audited and certified against. This used to mean BS 25999-2, but now means ISO 22301.
For legal purposes, other standards are possible. You need a widely accepted standard and preferably an external audit. The external audit is desirable because otherwise you will effectively be certifying yourself. Self-certification has a major problem. We are in a profession where things go wrong. Suppose you were a brain surgeon. Would you believe a self-certified brain surgeon was competent when the operation went wrong?