A View from the Trenches - Incorporating Legal & Regulatory requirements in a BCMS
Join Agnidipta at this year's India Conference in March, where he will be expanding on the topic of operationalising top management vision: a journey towards building resilience. View the programme here.
"The organization shall:
a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, processes, activities, and resources, as well as the interests of relevant interested parties;
b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS;
c) document this information and keep it up-to-date."
This is the expectation of the new draft ISO22301 standard when considering Legal and Regulatory requirements when setting the Context of a Business Continuity Management System, a BCMS. According to the ISO website, ISO's TC 223, which is pursuing international standardization in the area of societal security, has aimed the development of the ISO22301 at improving crisis management and business continuity capabilities, through enhanced technical, human, organizational, and functional interoperability as well as shared situational awareness, among all stakeholders (called as "interested parties" in ISO parlance). Most stakeholders would be very interested to understand how organizations communicate the activities and procedures within a BCMS so they are aware of its impact and relevance to them.
In fact, amongst all kinds of requirements expressed by stakeholders, the Legal and Regulatory requirements are probably most essential for a BCMS to ensure that all the implications that the ever-changing legal and regulatory stakeholders have been considered when a BCMS is being designed, to ensure that actions for risks and opportunities are designed as is best suited to the risk appetite of the business.
The main purpose of a BCMS is to ensure that service levels and commitments to its customers are maintained. It also helps business leaders to assess the potential impacts of operational disruption, make the right decisions quickly, deploy an effective response and minimize the overall impact. Unaddressed legal and regulatory requirements usually result in unwanted penalties, breach of contracts and loss of reputation, defeating the intended objective of a BCMS.
However, implementing and maintaining a process to identify, have access to, and assess the applicable legal and regulatory requirements is easier said than done. While it is probably feasible for organizations in a single country to keep track of most changing laws, multi-country organizations are struggling to keep up. The complexity multiplies when regulations affect not only the “covered entity”, but also all the “business associates” in the entire supply chain. Such regulations are quite widespread...geopolitical changes (BREXIT), privacy protection (GDPR/CCPA/PDPA), environmental protection, corporate governance, healthcare, energy management. Aligning a BCMS to all these will keep most BCMS practitioners on tenterhooks in most of 2019.
The challenges include -
a) Continuously changing legal and regulatory landscape -
In 2016, the media group Thomson Reuters found that more than 50,000 regulatory changes existed worldwide. In the United States alone, companies need to adhere to a wide range of regulations, including antitrust and competition laws, environmental regulations, healthcare laws, employment and labor laws, privacy and security laws, political activities and contribution laws, and regulations regarding trade secrets and confidential information.
Geopolitical changes are at an all-time high. Laws and regulations are forever catching up, and when they do, the impact is post facto. The result of this increased liability is problematic. Business litigation has skyrocketed. Corporate reputations are constantly being assaulted. And the gap between the ability to identify and track ever changing laws and regulations to incorporating their impact into a BCMS is forever growing.
b) Gaps in competency -
Most BCM professionals are not legal experts and hence usually approach legal teams for guidance. While many legal teams are extremely aware of applicable laws, they remain unaware of which laws specifically apply to a BCMS. Consultative and collaborative approaches seldom yield results.
Some organizations are creating the right competency to understand laws and regulations that impact continuity in a supply chain. However, to be competitive, organizations are trimming teams, outsourcing activities, expanding into newer vistas and re-organizing operational activities. Business strategies are forever shifting. Organization changes sometimes end up losing such competencies.
Those organizations that are able to address this challenge are increasingly leveraging process frameworks to address this. The key lies within ISO22301 itself. Since 2012, ISO22301 has stressed upon the relevance of defining and improving competencies of specific roles and responsibilities within a BCMS. A clearly defined process framework explicitly supported by leadership should be able to -
a) Establish a collaborative forum containing BCM experts, contracting teams and legal teams
b) Get the legal and the contracting teams to document the identified applicable laws and regulations and determine their impact on business (such a document may be used in many other areas)
c) Get the BCM experts to review the impacts and determine if they affect the continuity of products and services.
d) Where applicable engage and build continuity strategies and recovery plans to address risks.
e) Ensure that the forum meeting periodically or upon changes in legislation and regulation.
Many organizations built "privacy protection programs", as GDPR was announced in 2016, and are probably some of the most mature towards handling privacy not only for GDPR but for lawas changing in other geographies too. Incorporating legal and regulatory requirements into the BCMS enhances organizational resilience to changing regulations.
As early as 2015, speaking in the opening keynote at the Gartner Security & Risk Management Summit in National Harbor, MD, Peter Firstbrook, research director at Gartner, said, “...resilience isn’t only about catastrophic threats…It’s about absorbing the punches and bouncing back from the big things while accepting certain risks for the achievement of success”, and presented Six Principles of Resilience that are probably valid till date. These are -
a) Move from checkbox compliance to risk-based thinking
b) Move from protecting the infrastructure to supporting organizational outcomes
c) Move from being the righteous defenders of the organization to acting as the facilitators of balance
d) Move from controlling the flow of information to understanding how information flows
e) Move from a technology focus to a people focus
f) Move from protection only, to detect and respond
This is a view from the trenches and addressing legal and regulatory requirements in a BCMS helps organizations move from Continuity to Resilience.
About the Author
Agnidipta Sarkar is the Global Information Risk & Continuity Officer at DXC Technology. He is a lead auditor for ISO27001, ISO22301, ISO3100 and ISO14001, and a contributor to ISO standards in development.
Agnidipta will be expanding on the topic of 'Operationalising Top Management Vision: A Journey Towards Building Resilience' at the year's India Conference. Find out more here.
About the author
Global Information Risk & Continuity Officer at DXC Technology