The Compliance Challenge: 6 Hurdles Companies Face in Meeting BC Standards

Coming into alignment with a recognized business continuity (BC) standard is the best way an organization can ensure it is ready for the disruptions it will face in our increasingly unpredictable world. In today’s blog, we’ll look at the top six challenges companies face in coming into alignment with BC standards and share tips on how to surmount them.

The Power of Standards

For any organization trying to reach the promised land of true resilience, the leading business continuity standards are map and compass, sword and shield. Developed by individuals and organizations who have learned through study and experience exactly what it takes to allow organizations to flow through disruptions, the major BC standards provide guidance on such critical areas such as risk assessment, business impact analysis, crisis response, recovery strategies, exercises, and ongoing program improvement.

Every organization has the option of learning about resilience the easy way or the hard way. The easy way is benefiting from the experience of others and choosing and coming into alignment with one more or more of the major BC standards. The hard way is by undergoing costly failures of its own. 

By following a recognized BC standard, organizations can strengthen their operations, safeguard stakeholders, and protect their revenue and reputation from the consequences of unexpected disruptions.

Top 6 BC Compliance Challenges

None of this is to suggest that coming into alignment with a BC standard is easy. In fact, it is a major undertaking and one fraught with challenges. Here is a list of the top six challenges companies face in coming into compliance with BC standards along with our tips on how to overcome them.

1. Choosing a BC standard that makes sense for your organization

The first challenge organizations face in coming into compliance with BC standards is choosing which standard to follow. For organizations in heavily regulated industries, the choice is made for you. In the U.S., banks are required by law to comply with FFIEC, for example. For organizations outside regulatory control, deciding which standard(s) to follow can be a major obstacle. We often see organizations whose BC programs stall out because they are unable to pick a standard or they choose one that is a poor fit for their organizations. For an overview of the leading BC standards, see our post, “Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now.” The important thing in selecting a standard is to choose one that makes sense for your industry, goals, resources, and regulatory situation. Ambitious organizations might even decide to hold themselves to more than one standard, an excellent way to ensure your organization is truly resilient, provided the decision is followed up by the appropriate actions.

2. Mastering the content of your chosen BC standard

The second biggest stumbling block we see in organizations’ attempts to come into compliance with a BC standard is that, all too often, even after an organization selects a standard, the members of the BC office have little to no idea what is in it. Almost all BC practitioners can rattle off the names of the leading standards. If you try to talk to them about their substance, you find many have little idea what the standards actually say—and that’s true more often than you might think about the standard their own company has elected to follow. The people responsible for implementing the standard need to read and understand it, it’s as simple as that. They need to know what the organization has to do, strategically and tactically, to meet the standard’s requirements. 

3. Devising a realistic roadmap for coming into compliance with your chosen standard

Another common challenge companies face in complying with a BC standard is coming up with a plan to help them get from here to there. Achieving compliance is a major undertaking. It needs to be broken into steps, each with its own meaningful but realistic deadline for completion. Organizations that try to do everything at once (we call it “trying to boil the ocean”) generally do not accomplish much of anything. The same goes for organizations that set hazy, lazy deadlines far off in the future. The key is to divide the journey to compliance into logical steps and set challenging but achievable deadlines for the completion of each. Another aspect of being realistic is abandoning any idea  you might have of achieving 100 percent compliance. The struggle to achieve compliance is inherently messy, incomplete, and ongoing. Some aspects of the standards are more critical than others. A smart roadmap focuses on achieving the highest-priority items first. For most organizations, an effort to achieve total compliance would be a waste of resources. At a certain point, the additional effort required for full compliance will likely outweigh the benefits. 

4. Knowing which aspects of the standard are the most important

One of the biggest challenges in complying with a BC standard is figuring out where to focus. Not all requirements carry the same weight, but standards don’t typically specify which elements matter most. Priorities vary by industry, business model, and regulatory environment, making it crucial for organizations to determine what’s most critical for their resilience. The most important aspects of a standard are those tied to major risks, regulatory obligations, and operational resilience. Instead of treating all requirements as equal, organizations should focus on core resilience-building elements like risk assessment, business impact analysis (BIA), crisis communications, and testing. The key is to use the standard as a framework, not a checklist, and to prioritize efforts that deliver the greatest value in strengthening the organization’s ability to withstand disruptions.

5. Measuring the organization’s compliance with its chosen standard

Once a BC standard is selected, the next challenge is assessing how well the organization is actually meeting its requirements. Here again the standards are of little help. Many companies either assume they are more compliant than they really are or get lost in the complexity of measuring progress. A clear, objective approach is essential. Organizations need to break down the standard into specific, measurable components and assess whether those elements are in place and effective. A maturity model or scoring system can help, but the focus should be on meaningful progress rather than chasing numbers. Internal assessments should be as objective as possible, and external evaluations can provide a more realistic picture. Ultimately, the goal isn’t just to meet compliance requirements—it’s to ensure that those requirements translate into real-world resilience.

6. Having productive discussions about compliance with management

This issue is last but certainly not least. An organization’s success in achieving compliance with a BC standard often hinges on how management perceives the effort. The BC team’s challenge is learning to frame compliance discussions in a way that resonates with leadership. If management understands how compliance strengthens resilience, protects the business, and aligns with strategic goals, they’re more likely to champion the effort. A common misstep in talking with management about compliance is leading with a number. Suppose your organization receives a compliance score of 70 out of 100—management may fixate on why the score is not a 71 rather than focusing on what the number actually represents. If you anticipate this reaction, it may be better to steer the conversation toward real vulnerabilities, key strengths, and the most immediate opportunities for improvement. The key is to meet management where they are, helping them see compliance not as a regulatory burden but as a business enabler—one that strengthens operations, protects revenue, and enhances reputation.

Turning Compliance Into Strategic Advantage

Compliance with a BC standard isn’t just about meeting requirements—it’s about building a foundation for long-term resilience. The most successful organizations don’t just check boxes; they use compliance as a tool to drive meaningful improvements in preparedness.

By prioritizing key aspects of their chosen standard and engaging leadership effectively, companies can turn compliance into a strategic advantage. A strong BC program ensures not only survival in a crisis but also long-term stability and trust from customers, employees, and partners.

Your Partner in Meeting the Compliance Challenge

The BCMMetrics tool suite can help your organization meet the compliance challenge. Compliance Confidence can track your alignment with any or all of the leading standards and advise you on which aspects of the standards are most critical. BIA On-Demand assists in completing quality business impact analyses, a cornerstone of resilience under every standard. BCM Planner can help in the crafting and storage of recovery strategies and plans, and BCM One provides map-based access to plans and facility information for your locations around the globe. 

In addition, the experts at BCMMetrics’ sister company, MHA Consulting, can help you navigate such compliance challenges as determining which standard is right for your organization and devising a roadmap to help you implement it. 

Further Reading

• Exploring DORA: The EU’s Excellent New Digital Resilience Standard
• Compliance and Residual Risk – It’s Not Just For Big Companies
• FFIEC: An Introduction to BCM’s Gold Standard
• Making the Grade: Navigating Compliance Challenges in Business Continuity Management
• Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now