Business Continuity Management Standards—A Side-by-side Comparison 


Whether an organization has begun a grassroots initiative to develop a business continuity plan or has started to wrap up the initial implementation of a continuity management process, the need to continually revisit and improve the business continuity management (BCM) process is critical to the development of successful and robust recovery strategies. In an effort to enhance business continuity management capabilities (and to comply with regulatory guidelines), some corporations have elected to adopt suggested best practices from industry-independent and industry-specific entities and regulatory agencies. Based on our experience and research, a significant (and growing) number of standards exist that are related to BCM. As such, the task of pinpointing best practice consistencies across the majority of these groups can be quite daunting.

After studying the various recommended and mandatory BCM guidelines, we identified common themes and specific process steps that help in implementing a successful BCM process. The table below lists these BCM components and marks the agencies and bodies that advocate each best practice.

Column key: NFPA = National Fire Protection Agency; FEMA = Federal Emergency Management Association; COBIT = Control Objectives for Information and related Technology; NIST = National Institute of Standards and Technology; FFIEC = Federal Financial Institutions Examination Council; FRB = Federal Reserve Board; HIPAA = Health Insurance Portability and Accountability Act; FERC = Federal Energy Regulatory Commission; DRII = Disaster Recovery Institute International. An X marks a component that the body in that column advocates.

| Business Continuity Plan Component/Task | NFPA | FEMA | COBIT | NIST | FFIEC | FRB | HIPAA | FERC | DRII |
|---|---|---|---|---|---|---|---|---|---|
| Process Management | | | | | | | | | |
| Institute a BCM process that includes crisis management, business resumption planning and IT recovery. | X | X | X | X | X | | | | X |
| Establish a BCM steering committee that includes a coordinator and others who have both operations and technology expertise. | X | X | | X | X | | | | X |
| Define BCM objectives. | X | X | | X | X | | | | X |
| Document a BCM mission statement. | X | X | | X | | | | | X |
| Schedule and document BCM testing and maintenance events. | | X | | X | X | | | | X |
| Conduct a Risk Assessment | | | | | | | | | |
| Identify key legislation, insurance, regulations and industry codes of practice. | X | X | X | | X | X | X | | X |
| Define a formal risk assessment process with the objective of identifying the source, likelihood and vulnerability of specific threats that may affect operations. | X | X | | X | X | | X | | X |
| Assess current mitigating controls. | X | X | | X | X | | X | | X |
| Conduct a Business Impact Analysis | | | | | | | | | |
| Identify key business processes and critical dependencies. The impacts of potential business interruptions should be identified and continually updated. | X | X | | X | X | X | X | | X |
| Identify process-specific recovery time objectives (RTO). | X | X | X | X | X | X | | | X |
| Identify minimum capacity requirements to restore business operations to an acceptable level. | X | X | X | X | X | X | | X | X |
| Prioritize recovery efforts based on established RTOs. | X | X | X | X | | X | | | X |
| Review service level agreements between the organization and its external partners. | X | X | X | | X | X | X | | X |
| Identify and catalog critical resources, records, facilities, equipment, vital records, critical data and infrastructure. | X | X | X | X | X | X | X | X | X |
| Define Recovery Strategies | | | | | | | | | |
| Establish a procedure for contracting with vendors to acquire critical resources in the event of a disaster. | X | X | X | X | X | X | X | | X |
| Identify and document contact information and procedures for local authorities. | X | X | X | | X | X | | | X |
| Identify alternate recovery site(s) for all critical business processes. | X | X | X | X | X | X | X | | X |
| Conduct a cost-benefit analysis to determine the location and costs associated with recovery site alternatives and the distance from the primary site. | X | X | X | X | X | | | | X |
| Define Business Continuity Management Procedures | | | | | | | | | |
| Define standard methods for documenting response, recovery and restoration procedures, communication plans, etc. | X | X | X | X | X | | | X | X |
| Develop and document procedures for relocating and recovering critical business processes based on management-approved recovery time objectives. | X | X | X | X | X | X | X | | X |
| Document emergency response and business/IT process recovery procedures that are team-based, checklist-oriented and chronological. | X | X | X | X | | | | | X |
| Define the names of emergency response and recovery team members, together with their contact information. | X | X | X | X | X | X | | X | X |
| Create response, recovery and restoration activities that take into account personnel safety and physical and IT security. | X | X | X | X | X | X | X | X | X |
| Document crisis communication procedures. | X | X | X | X | | X | | | X |
| Identify a crisis communications coordinator. | X | X | | X | | | | | X |
| Training and Awareness Plan | | | | | | | | | |
| Develop and document training plans. Training should occur on a regular, defined basis. | X | X | X | X | X | X | X | | X |
| Plan Testing Procedures | | | | | | | | | |
| Assign, document and communicate roles and responsibilities for BCP testing. Tests should involve all critical business units, departments and functions. | X | X | X | X | X | X | X | X | X |
| Utilize numerous types of testing approaches (table-top drills, disaster simulations and full plan tests). | X | X | X | X | X | | | | X |
| Implement a post-test analysis report and review process. | X | X | X | X | X | X | | | X |
| Auditing and Maintaining the Plan | | | | | | | | | |
| Define and document specific timelines for updating the business continuity plan. | X | X | X | X | X | | | | X |
| Store the BCP both online and offsite. | X | X | X | X | X | | | | X |
| Audit the BCM process on a periodic basis to ensure compliance with company standards. | X | X | X | X | X | X | X | X | X |

Although these authorities agree on a majority of the recommendations, some best practices were omitted from a majority of the published regulations. To summarize, the following gaps should not be overlooked when developing and implementing a business continuity management process.

  • A BCP budget should be formalized and approved by senior management.
  • Formal disaster declaration authorities, which will be responsible for implementing the continuity strategies in the event of a disaster or business interruption, should be identified.
  • The organization should implement an incident management system or process for stabilizing, monitoring and recovering from a disaster or business interruption.
  • The plan should be reviewed periodically and benchmarked against industry regulations and other organizations' processes.

Regardless of the maturity of an organization's business continuity management process, regulations and guidelines are an excellent approach to ensure completeness and compliance with best practices. Through compliance with these guidelines, a company can help ensure a comprehensive business continuity management process.

Brian Zawada, CBCP
is a senior manager and the business continuity management product leader at Protiviti, a wholly owned subsidiary of Robert Half International Inc., which serves its clients through locations in 30 major markets in the US and Europe. He can be reached at . He specializes in the development and implementation of BCM solutions nationwide.

Jared Schwartz, CBCP
is a senior consultant at Protiviti. He can be reached at jared.schwartz@protiviti.com. He specializes in the development and implementation of BCM solutions nationwide.