Certification vs. Compliance: A Chicken and Egg Problem?


John Hele, Global Product Manager, BSI Management Systems, was recently the keynote speaker at the Asia Business Continuity Conference in Singapore. He addressed a question often asked by companies new to certification and to BCM (business continuity management): What should I focus on, compliance or certification?


“Initially it pays to go back to basics and consider what this is all about – remember it’s about continuity – i.e., the continuing operations of the organization. It is necessary to establish which threats could impact the continuity of the organization and then to set up some controls. These will either minimize the probability of the threats occurring, or the probability of their impacts affecting the continuity of the organization. Ensuring that the controls are adequate is the certification part; establishing those controls is the compliance part. Standards set a framework for the assurance of the controls. There are several standards that can be used; you should look at them all and decide which one best suits your organization.

“Another way to look at this is that you don’t get a choice about compliance – you have to set up some controls for the threats to your organization.  The level to which you have to do this depends on which countries you are operating in and what sector you are in.  How do you assure yourself that those controls are actually up to the task?  Using the standards to develop a framework (or management system) will help you do this.

“Certification is when a third party confirms this assurance.  So you can see how certification supports, and in many cases proves, compliance.  Going through certification says something about how seriously you are taking compliance.”
