MHA Consulting Blog | Roadmap to Resiliency

Beyond Compliance: Going the Extra Mile to Prove Recoverability

Written by Michael Herrera | Mar 19, 2025 5:30:00 AM

Compliance with a business continuity standard is a necessary but not sufficient condition for achieving true resilience. Organizations that want to be sure they can recover must go the extra mile and validate their readiness through stress testing.

Business Continuity: A Field in Transition

I shake my head when I think about how much our field has evolved since I started MHA Consulting some twenty-five years ago. In those days when we did client conferences, many of the people we worked with didn’t even know what business continuity (BC) was. Nowadays, our clients routinely bring up topics that show a highly sophisticated understanding of BC concepts and methodology.

It isn’t just awareness of BC that has grown. BC methodology and practice continue to evolve as well. (So do the threats our organizations face, but that’s a topic for another day.)

One example of the evolution of BC lies in the fact that the term business continuity itself is in the process of being superseded. Nowadays, you are just as likely to hear practitioners talk about the need to achieve operational resilience as about BC. (Operational resilience represents an evolution in our approach to protecting organizations; it reflects the modern expectation that companies and their systems function all the time.)


The Evolving Place of BC Standards

Another area where our field is a work in progress is in the area of standards.

Industry groups, regulatory agencies, and firms like ours routinely stress the benefits organizations can reap by aligning with one or more of the leading BC standards, such as FFIEC, NFPA 1600, or ISO 22301.

But all of those standards have changed over time in response to advances in our understanding and the changing threat environment. By the same token, our understanding of how far those standards, as currently written, can take an organization has evolved with experience.

We now recognize that while alignment with a leading BC standard is a necessary condition for an organization to be resilient, it is not the only one. It’s possible for an organization to have a high degree of alignment and still face challenges in recovering its operations after a disruption.


The Need to Validate Recoverability

Compliance establishes a sound foundation for resilience. But to make sure they can truly restore their operations following a disruption, compliant organizations need to address their “residual risks” and validate their recoverability through testing.

Residual risk is the amount of risk that remains in a process or organization after the implementation of mitigation controls such as business impact analyses (BIAs), recovery plans, recovery strategies, and recovery exercises.

Addressing residual risk involves collaborating with senior management to establish how much risk they are willing to tolerate. If the executives’ risk tolerance is high, the mitigating controls don’t have to be as strong. If it’s low, the controls must operate at a much higher level of capability (e.g., functional exercises rather than desktop exercises). Even highly compliant organizations can harbor high amounts of residual risk, often without knowing it exists. This risk can impede their ability to recover. The lower the residual risk at an organization, the better its recovery capability.

To a large extent, moving beyond compliance is about stress-testing your processes and systems to make sure you can truly recover. You might have sky-high compliance with an industry-leading BC standard, but until you demonstrate recoverability through rigorous testing of the mitigating controls, you don’t know for sure that you can bring your processes and systems back up in a timely manner.


Forming Realistic Expectations

Compliant organizations should have a realistic understanding of what their high alignment scores mean. It does mean they have worked hard at a critical endeavor and made substantial progress toward protecting the organization. However, it does not guarantee timely recoverability.

Compliant organizations that struggle in recovery tests should not be shocked or discouraged. Instead, they should address their residual risk, close the gaps in their mitigating controls, and continue testing while working toward the goal that matters most: not compliance, but proven recoverability.


Proving Recoverability, Validating Resilience

An ongoing theme in our collective effort to protect our organizations from disruptions is evolution, in the threats we face and in our BC standards and methodologies. We now recognize that complying with a leading BC standard is a necessary but not sufficient condition for organizations to be truly resilient.

Organizations that have achieved a high level of compliance have reason to be proud: they have created a solid foundation for resilience. But to ensure they can truly restore their operations and systems in a timely manner, they must go the extra mile, addressing residual risk and validating execution through stress testing.


Expert Help in Going Beyond Compliance

We at MHA have seen a lot of changes in our firm’s twenty-five years. We’ve also learned a lot about how organizations can go beyond compliance to achieve true recoverability.

Do you work at an organization that is highly compliant with one of the leading standards but still faces challenges in recovering from disruptions? Chances are, we can help.

We have deep experience in helping organizations of all types and sizes determine their risk tolerance, implement mitigation controls, identify gaps, and bring down their residual risk. We are also seasoned testers who can help your organization with every aspect of the stress testing required to verify that your systems and processes are truly recoverable.

Contact MHA to see how our consultants can help your organization progress from compliance to resilience.

Organizations that prefer to verify their recoverability independently might be interested in Residual Risk, a component of the BCMMetrics tool suite. BCMMetrics was created by MHA for use in conducting client engagements, but it is available to other organizations by subscription. Residual Risk walks users through the process of gauging their risk tolerance, assessing their mitigating controls, and managing down their residual risk. To learn more, visit the BCMMetrics website or contact us to book a demonstration.
