The Legal, Compliance and Audit discipline plays two roles in organizational resiliency (OR). First, it is a collection of best practices as determined by various industry groups, oversight organizations, and government agencies. Second, inspection procedures up to and including third-party audits are available to ensure alignment with the practices.
A common misconception is that all compliance with laws, regulations, statutes, rules, specifications, and other guidance documents is mandatory. Take, for example, Public Law 110-53, the “Implementing the Recommendations of the 9/11 Commission Act” of 2007. This landmark piece of United States legislation calls on all private sector businesses (that is, non-government) in the United States to conduct a voluntary resiliency audit. There are no penalties associated with not holding an audit, and the law is even vague on which standard to use. However, it is an attempt by the United States government to increase awareness around the general issue of business preparedness. In parallel, several organizations have extended this theme and are now working on similar efforts at the individual, family and community level. This effort reflects much of the vision articulated several years ago by ICOR’s Resilient Community concept.
Several groups (US Red Cross, the FSTC, Institute of Internal Auditors, Resilency1, RIMS, etc.) are actively pursuing research in this area and are developing indexes that measure community and business resiliency. It is conceivable that this research will form the basis of the next generation of guidelines from a legal and compliance standpoint.
Just as there are countries where mandatory organizational resiliency planning is demanded, there are industries that have made this topic a requirement of business operations. For example, in the United States, the banking industry is mandated to follow the guidelines published in the Federal Financial Institutions Examination Council (FFIEC) handbook. Similarly, the Financial Industry Regulatory Authority (formerly known as the National Association of Securities Dealers or NASD) mandates that securities broker/dealers create and maintain business continuity plans (NASD 3510 and 3520) as part of their operations. Failure to do so carries severe penalties and fines.
Healthcare, public utilities and many other industry groups have similar regulations that require businesses to develop organizational resiliency plans.
Again, drawing on the United States, one of the most regulated countries in the world, the National Fire Protection Association (NFPA) and the Occupational Safety and Health Administration have very broadly written health and safety regulations that deal with topics that fall under the Emergency Management discipline in ICOR’s model. For more information on these requirements consult OSHA 29 CFR: Section 1910, et al; and NFPA 101.
Auditing
There are many types of auditing. In general the International Organization for Standardization (ISO) recognizes three types of audits:
• First Party Declarations, which are tantamount to self-assessments with a documented “attestation of compliance”, meaning a statement issued by the organization about its alignment with a standard.
• Second Party Declarations, which are non-certified reviews by one organization of the OR plans of another. This often takes place between supply chain members. Usually, the enterprise that conducts the review will issue the “attestation of compliance.” For many organizations, successfully completing a second party review of their plan relieves them of the need to undergo a similar review by other trading parties under the theory that “what was good enough for the ABC Company is good enough for us.”
• Third Party Certified Audits. In this case, an accredited and independent organization that has not provided consulting assistance to the firm (which would be a conflict of interest) AND that has been accredited by a National Accreditation Body conducts the audit. The cost of an audit against commonly recognized standards (e.g., NFPA 1600, British Standard 25999, or Australian/New Zealand Standards DR 09013 through 09015) averages around $10,000 per year. This is similar in price to an ISO 9001 or ISO 27001 audit. While expensive, the advantage of a certified audit is that it is recognized worldwide. For more information on accreditation and certification, reference ISO 19011 and ISO 17021. It is also interesting to note that ICOR Board Member Donald Byrne is a member of the ANSI National Accreditation Body Committee of Experts, which is the team developing accreditation standards around resiliency for the United States.
In summary, while there are many organizations that claim to offer auditing services, be careful to ask the question “From which National Body do you have your accreditation?” If they can’t answer this question to your satisfaction, move on.
Looking Forward
Given the worldwide economic meltdown, the number and scope of regulations are expected to increase dramatically. One key benefit of your ICOR membership is that we will work to keep you informed of relevant developments and continue to make our team of subject matter experts available to you to answer questions in a timely manner.
Due to the large scope of this topic, only a few of the common resources are listed here. For more information or assistance with a specific subject contact the ICOR Chair for this Discipline.