Divergent Attitudes to Business Continuity Regulation and Recommendation

Should business continuity planning be a legal requirement? Should it be an option left to the discretion of an organisation? A school forced to close for a day because a heating pipe burst and flooded the ground floor is an inconvenience. An online shop that loses its e-commerce site for a day may be a disaster. An operating block in a hospital that loses all electrical power during an operation is a catastrophe. Perhaps the level of impact should determine whether BCP is a should or a must. But in that case why is there an apparent difference between the two attitudes in say America and Australia?

Both the US and Australia use business continuity standards, meaning documents that say what you should do. The US however also has a range of regulations that make BCM obligatory. In the general case, the Sarbanes-Oxley Act makes corporate officers responsible for business continuity. For healthcare in particular, the HIPAA (Health insurance Portability and Accountability Act) demands plans for data backup, disaster recovery and emergency mode operation. Government organisations are regulated by FISMA (Federal Information Security Act) that makes it a requirement for digital data to be available in crises. For finance, EFA (Expedited Funds Availability Act) means that financial institutions under federal charter must be able to show BC plans.

In Australia, the language and the legal impact are different. Business continuity is referred to via standards, guidelines or handbooks, rather than by acts of law. The Protective Security Framework for Australian Government Agencies is an exception in that it makes BC management mandatory for all agencies. Yet whether BC is encouraged via standards or enforced via laws, the consequences are the same. Maybe it comes down to that age-old question of whether people do a thing better if you oblige them to do it or if you leave it as “strong encouragement”.