Business Continuity Appetite
Best practice guidance is exactly that: best practice, which can be, and is allowed to be, tweaked.
We were discussing the requirements of this in a meeting and the topic came up of auditing our BCM Programme. Do we do it internally or externally?
Do external auditors understand our organisation's risk appetite, which essentially drives the Programme? Or are they going to come in, look at what we have, and then make a bunch of recommendations based on an ISO standard for which there is no relevant or desired appetite? (We have seen this happen before.)
So what am I trying to say here?
A BCM Programme should link back to your organisation's Risk Profile; we should be using our headline risks to determine our BC appetite, to ensure that we can continue to deliver our time-critical activities in line with the big risks relevant to our organisation. It makes sense. Is there value in implementing various systems, databases and certifications which even big corporations like banks struggle to get? You'll end up with a list of fifty actions to take when only a dozen are actually linked to what the organisation really considers essential.
I am not saying that ISO standards are pointless; they are great if your organisation has the appetite for them. I have seen many legal firms who are ISO 22301 accredited proudly advertise this to their clients. Automotive industries value this, as they need to have that certified resilience and client assurance. If I were investing in both, I would want to see this. Flip this back to non-profits: do supporters really care about this, or are they more concerned about how their valuable money is going to protect the vulnerable people they are giving to?
I am in no way saying non-profits are excused from resiliency and have no duty to provide assurance, but the requirements are different. If I am personally researching a non-profit, I will not first go and find their BC certifications. I would want to know what was happening with my money. I wonder how many supporters of charities think about these things.
On reflection after the meeting, I feel that too often we get hung up on embedding 'textbook examples' to fit a standard. (I have even tried to do this.) In reality, we as BC consultants, and even risk experts, need to take a step back, look at the bigger picture, see how defining BC appetite is really helping deliver our organisation's mission/objective/goal, and be flexible in adapting best practices. This in turn will mean greater business resiliency.