A major banking organisation was recently in the news for its failure to prevent money laundering and criminal activity. A statement from prosecutors indicated that the bank’s procedures were so deficient that making them public would incite further serious crime. While this example comes from the financial sector, it applies to enterprise security and business continuity in general. When cracks start to form, a natural reaction is to try to paper over them instead of admitting that the structure itself is faulty and rebuilding it appropriately. But what happens if the cracks keep getting bigger?
Poor compliance of an organisation with directives, regulations or policies is a symptom, not a cause. As any good doctor will tell you, treating the symptom without dealing with the cause is a temporary solution at best. However, fame, glory and pay rises do not always accompany efforts to put problems right. In some cases, declaring that such a problem exists can be interpreted as automatically taking ownership and even admitting responsibility for the problem in the first place. It’s no wonder that poor compliance is sometimes passed around like a hot potato, leaving the organisation at risk.
When business continuity is endangered through poor compliance, business continuity managers have a duty to raise the issue. How the organisation deals with the problem is another matter, but BC managers will need to track proper resolution and continue to draw attention to the problem for as long as it continues to exist. That said, problems often present opportunities as well. A solution to one compliance problem can be extended to improve compliance elsewhere. Public relations can cite improvements and benefits for customers and stakeholders. Last, but not least, business continuity can score a point as a valuable part of organisational activity as well.