Why follow a Standard?
There’s a lot of buzz around about standards in the industry right now. So I thought it may be worthwhile to take a closer look at what we have in Canada. I may be bias as I was a member of the technical committee for Canadian Standards Association (CSA) Z1600, a standard for Emergency Management and Business Continuity Program, but I have spent many years in this industry attempting to follow ‘some form of a methodology’ that could help get business continuity plans into place. Plus I saw what it took to get this standard ready for publication, and it was quite amazing.
Imagine this… take about 30 +- seasoned professionals in emergency management and business continuity field and put them in a room and ask them to define “emergency management” or “business continuity”. Depending on what side of the fence you were on, I suspect you would get quite a few different answers. Well that is what happened with this standard. Let me explain.
First of all, the Canadian contingent took the NFPA 1600 Standards as the basis for the Canadian Standard, and there was a lot of debate about this as some organizations were international in nature, and would have to comply with other standards in the countries they had operations. However since we are so closely attached to the United States, it didn’t make sense to start for scratch to develop another standard. So we thought we would just “Canadianized” it by putting a few “eh”s at the end of sentences, and a couple of “u”s in certain words.
NOT happening … as we started to review the NFPA 1600 Standard we realized that there were some fundamental elements missing. We also knew that there was an effort happening internationally through ISO (International Organization for Standardization) to create a similar standard on what was known as “ISO/PAS 22399 Societal security – Guideline for incident preparedness and operational continuity management”. As a result of much discussion, the CSA Technical Committee for Z1600 decided to create a framework based on the ISO methodology and integrate the contents from NFPA 1600 into this framework. This was a tremendous undertaking, but looking back very well worth the effort.
We also reviewed in great detail every single line and discussed how this would affect the typical ‘business’ across Canada. This Standard had to apply to not only large corporations or governments, but to small and medium sized businesses so it had to be flexible, workable and concise. We knew that some organizations would have great difficulties in meeting some of these statements within the Standard, so a lot of attention went into the wording and building a supporting annex section which would provide some background to assist the average company.
There was a lot of debate regarding how you take two very distinct disciplines, emergency management and business continuity, that have worked separately in the past, and bring them together into one standard.
Let me tell you there were a lot of ‘heated’ discussions in this area. However I am very proud of the work that came out of those discussions because we have enhanced the standard, for example business impact analysis, and allowed an organization the liberty to create one or many plans depending on the size and complexity by providing common plan requirements.
We also agreed that any program required certain elements:
- Planning,
- Implementation,
- Exercises, evaluations and corrective actions, and
- Management review.
Finally the overall program management to ensure the organization is prepared with appropriate resources, and the plans are current and executable. So that’s how we developed the CSA Z1600:2008 version.
I, personally, have used the Standard to assess the readiness of many organizations through my consulting practice since its released, and I am very happy to see many of them have done substantial work to achieve a good majority of the Standard. Surprisingly most of my clients were very pleased to see that they were very close to being compliant.
The other benefit of using the Standard is that this has been a great marketing tool to move some gaps/shortcomings forward with an organization’s management. Especially if your management is not totally sold on why you need so much time and money to build an emergency management and business continuity program.
In closing, I would ask that if you are stuck with getting activities going to develop a plan or plans for emergency management and business continuity, then get a copy of the CSA Z1600 Standard and assess where your organization is. Use a traffic light concept to determine whether you are ‘green’, ‘yellow’ or ‘red’. Show your Management the results and I bet that will get them going… best of luck.
Here’s the website for CSA Z1600 Standard for Emergency Management and Business Continuity Program.