Today I will look at our predictions 5 and 6, which have some degree of overlap.
Firstly we predicted that “ISO 22301 will start to take off, with certificates issued in more than one country”. Hardly a difficult prediction, I know, but still an opportunity to test the often-argued premise that many companies had delayed certification to BS 25999 because they were waiting for an ISO standard.
Whether this is true or not, we will start to find out in 2013, but indications from our research are that the vast majority of organizations will still opt for the nebulous concept of alignment rather than full certification.
However, certification should be made easier by the release of ISO 22313, which acts as guidance for those wishing to follow the full certification route.
We would predict companies in Japan, Korea and India will be amongst those most eager to acquire certification if the pattern of other management systems certification schemes is repeated for BCMS.
Standards, of course, are only one way of validating how well you comply with a third-party expectation. For regulated industries, a more powerful compliance mechanism is usually found in the demands of the regulators.
If a regulator specified that compliance with ISO 22301 was mandatory, then take-up of the standard would be immediate and dramatic, in that sector at least. This rarely happens, however, and regulations are normally purpose-made for the individual industry or sector considered, such as financial services, energy or telecommunications.
This has led to our prediction number 6, which (perhaps optimistically) postulates that regulators begin to understand that resilience will not be improved just by more regulation.
Resilience is a journey, not a destination, and that journey can only be started with the correct equipment in place (which compliance can help monitor) and a suitably committed and capable driver.
In-depth understanding of whether a business model is fit for purpose in both good and bad times is a better way of assessing resilience than even the most sophisticated compliance questionnaire. No one suggested that Northern Rock failed because it had poor conventional BCM or that Lehman Brothers' BCM was inadequate. In fact, the latter programmes won numerous industry awards.
In my view, BC needs to up its game and really do “what is on the tin” – protect business from all threats and hazards that can threaten continuity of service, not just treat specific risks that someone has packaged up for it.