Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

Business continuity management in the United States: where is it heading?

Have changes in the risks faced by both the public and private sectors increased the importance given to BCM? Lynnda Nelson comments.

The War on Terror, global economic collapse, cyber-attacks, and weather-related disasters (or lions, & tigers, & bears – oh my!)

Beginning as a response to the September 11, 2001, attacks in the US and continuing through most of the first decade of the 21st century, the world’s traditional concept of ‘war’ moved from the battlefield to defending our homelands from terrorists.

In the United States, this meant a change in focus from the ‘all-hazards’ approach seen in traditional emergency management and conducted by FEMA to the creation of the US Department of Homeland Security with a focus on defending the US from terrorists. In 2007, US Public Law 110-53, Title IX, Section 110-53 announced the creation of the ‘Voluntary Private Sector Preparedness (PS-Prep) Accreditation and Certification Program.’ The intention of this program was to improve private sector preparedness for disasters and emergencies.

The effects of the economic collapse of 2008 are still being felt in just about every country in the world as the world moves to a ‘global economy.’ New policy has been written for financial institutions in the hope of preventing a repeat of this disaster.

If you follow the news feeds in almost any country in the world, you will see almost daily reports of cyber-attacks on financial institutions and other critical infrastructure. US federal agencies reported a nearly eight-fold increase in cyber-incidents over the past seven years.

On February 12, 2013, President Obama issued Presidential Policy Directive 21, which aims to improve the security of US critical infrastructure. Also issued on the same day was an Executive Order entitled ‘Improving Critical Infrastructure Cybersecurity.’ Section 1 of the Policy states, “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

And certainly no one can disagree that across the globe environmental or weather-related disasters have increased in both magnitude and frequency, causing huge economic impacts and significant loss of life in regions and sometimes impacting entire countries. Whether the cause is global warming, or whether the impact is magnified by over-population in regions of high risk, can be argued.

One would imagine that these changes in the risks to both public and private sectors would have increased the importance of being prepared. Business continuity professionals world-wide are often heard saying that, “…if we could just have another ‘event’ perhaps that would give us the budget we need to successfully implement what we need…”

Even with the publishing in May 2012 of an international standard for business continuity management systems – ISO 22301 – the private sector response has been lackluster at best. Many nations have adopted ISO 22301 as their ‘national standard’ but the US has still not adopted ISO 22301 for the PS-Prep Program or as its national standard.

One question that comes to mind is what will be the impact of PPD-21 on PS-Prep or private sector preparedness in general? The Directive aligns conceptually with the idea of resiliency as it relates to the ability of an organization to continue operations in the face of an emergency or disaster. However, its focus is almost solely on cyber security.

The larger question that should be considered is, “Will cyber security replace traditional business continuity management because of our reliance on technology?”

We have seen recent trends to ‘house’ the business continuity function under risk management as ‘operational business continuity.’ What will be the long-term effect of this move? Is business continuity management a subset of risk management, or is risk management for operations a subset of BCM? In a recent LinkedIn discussion this question brought out some heated debate. What does this mean for the future of BCM?

Organizations now face terrorists, economic challenges, cyber-attacks, and an increasing number of weather-related disasters. If the importance of business continuity management has not been understood by corporate leadership as a way to reduce their vulnerability to these risks and to increase the probability of continuing operations at a pre-defined level, then BCM is at risk of being replaced by risk management and cyber security.

If BCM professionals believe that in order for corporate leadership to support ‘preparedness’ they need to have more ‘events,’ perhaps they need to re-think their approach.

Author: Lynnda Nelson is the President of the Board of The International Consortium for Organizational Resilience, a non-profit 501c3 education and credentialing organization in the disciplines that support resilience. Lynnda manages ICOR’s education program and serves on Working Group 4 of the Technical Committee for the development of the ISO 223 series of standards. www.theICOR.org


• Date: 19th Feb 2013 • US • Type: Article • Topic: BC general
