ICOR Partners
Member Sign-In

Not a member yet?
>click here
follow us:
Facebook Twitter LinkedIn
Facebook Twitter LinkedIn
LCA Discipline Chair

Don Byrne
A successful entrepreneur, former venture capitalist and investment banker, Don Byrne has been the CEO of several high technology and financial service companies. He is the founder and Managing Director of the consulting firm - North River Solutions, Inc. His industry experience includes financial services, manufacturing, healthcare, transportation/shipping, engineering/software development, and wholesale distributors.
His current area of interest is the interplay between regulatory compliance and business continuity planning.

   Legal, Compliance and Audit Review & Rate the Courses  
The Legal, Compliance and Audit discipline plays two roles in organizational resiliency (OR). First, it is a collection of best practices as determined by various industry groups, oversight organizations, and government agencies. Second, inspection procedures up to and including third-party audits are available to ensure alignment with the practices.

A common misnomer is that all compliance with laws, regulations, statues, rules, specifications, and other guidance documents is mandatory. Take for example, Public Law 110-53 “Implementing the Recommendations of the 9/11 Commission Act” of 2007. This landmark piece of United States legislation calls on all private sector businesses (that is non-government) in the United States to conduct a voluntary resiliency audit. There are no penalties associates with not holding an audit and the law is even vague on which standard to use. However, it is an attempt by the United States government to increase awareness around the general issue of business preparedness. In parallel, several organizations have extended this theme and are now working on similar efforts at the individual, family and community level. This effort reflects much of the vision articulate several years ago by ICOR’s Resilient Community concept.

Several groups (US Red Cross, the FSTC, Institute of Internal Auditors, Resilency1, RIMS, etc.) are actively pursuing research in this area and are developing indexes that measure community and business resiliency. It is conceivable that this research will form the basis of the next generation of guidelines from a legal and compliance standpoint.

Just as there are countries where mandatory organizational resiliency planning is demanded, there are industries that have made this topic a requirement of business operations. For example, in the United States, the banking industry is mandated to follow the guidelines published in the Federal Financial Institutions Examination Council (FFIEC) handbook. Similarly, the Financial Industry Regulatory Authority (formerly known as the National Association of Securities Dealers or NASD), mandates that securities broker/dealers create and maintain business continuity plans (NASD 3510 and 3520) as part of their operations. Failure to do so carries severe penalties and fines.

Healthcare, public utilities and any other industry groups have similar regulations that require businesses to develop organizational resiliency plans.

Again, drawing on the United States, one of the most regulated countries in the world, the National Fire Protection Association (NFPA) and the Occupational Safety and Health Administration have very broadly written health and safety regulations that deal with topics that fall under the Emergency Management discipline in ICOR’s model. For more information on these requirements consult OSHA 29 CFR: Section 1910, et al; and NFPA 101.

There are many types of auditing. In general the International Organization for Standardization (ISO) recognizes three types of audits:

First Party Declarations, which are tantamount to self assessments with a documented “attestation of compliance”, meaning a statement issued by the organization about its’ alignment with a standard.

Second Party Declarations, which are non-certified reviews by one organization of the OR plans of another. This often takes place between supply chain members. Usually, the enterprise that conducts the review will issue the “attestation of compliance.” For many organizations, successfully completing a second party review of their plan relieves them of the need to undergo a similar review by other trading parties under the theory that “what was good enough for the ABC Company is good enough for us.”

Third Party Certified Audits. In this case, an accredited and independent organization that has not provided consulting assistance to the firm (which would be a conflict of interest) AND that has been accredited by a National Accreditation Body conducts the audit. The cost of a audit against commonly recognized standards (e.g., NFPA 1600 British Standard 25999, or Australian/ New Zealand Standards DR 09013 through 09015) averages around $10,000 per year. This is similar in price to an ISO 9001 or ISO 27001 audit. While expensive, the advantage of a certified audit is that it is recognized worldwide. For more information accreditation and certification, reference ISO 19011 and ISO 17021. It is also interesting to note that ICOR Board Member, Donald Byrne is a member of the ANSI National Accreditation Body Committee of Experts which is the team developing accreditation standards around resiliency for the United States.

In summary, while there are many organizations that claim to offer auditing services, be careful to ask the questions “From which National Body do you have your accreditation?” If they can’t answer this question to your satisfaction, move on.

Looking Forward
Given the worldwide economic meltdown, the number and scope of regulations are expected to increase dramatically. One key benefit of your ICOR membership is that we will work to keep you informed of relevant developments and continue to make our team of subject matter experts available to you to answer questions in a timely manner.

Due to the large scope of this topic, only a few of the common resources are listed here. For more information or assistance with a specific subject contact the ICOR Chair for this Discipline.

Credentialing Organizations / Certifications / Education

ICOR recognizes the credentials offered by the organizations listed below as valid credentials.  ICOR offers credit for these credentials in the discipline of Business Continuity Management as part of our certification in Organizational Resilience.  To learn more visit:  ICOR Credentialing Program

Business Continuity Maturity Model Assessors Training
>click here

Business Resilience Certification Consortium International (BRCCI):
CBRA: Certified Business Resilience Auditor
>click here

Business Standards Institute (BSI):
BS 25999 Lead Auditor
>click here

Information Systems Audit & Control Association (ISACA):

CISA:  Certified Information Systems Auditor >click here

American Society for Quality (ASQ): >click here
CQA: Certified Quality Assessor

CMQ/OE:  Certified Manager of Quality Organizational Excellence

Institute of Internal Auditors (IIA): >click here
CIA: Certified Internal Auditor

Other Resources

ISO publications can be purchased at the ISO e-Store >click here

American Standards can be found at The US Standard Body >click here

A source for many OR standards >click here
A reference to NFPA 1600 >click here

A reference to the key OHSA site. >click here

British Standards can be found here >click here
A direct reference to BS 25999 >click here

Other national standards can be found through the use of various search engines.

Common Auditing Resources

International Register of Certified Auditors
>click here

Institute for Internal Auditing
>click here

The US accreditation body
>click here

The main Japanese accreditation body
>click here

The UK accreditation body. A least one such organization is active in every country
>click here

Conferences and Local Associationss
There are many organizations that are involved with the practice of auditing and compliance. The following are just a few of the hundreds of resources discoverable through the use of standard search engines.

AICPA: >click here
Annual conference of the Institute of Internal Auditors. Use this same resource to locate the nearest chapter of this organization.

IIA: >click here
Annual conference of the Institute of Internal Auditors. Use this same resource to locate the nearest chapter of this organization.

MISTI: >click here
Superstrategies and MIS Training Institute conference on auditing.


For more information, please contact us at:
The International Consortium of Organizational Resilience
email: info@theicor.org
phone: 1-866-765-8321 or +1630-705-0910
©2010 The ICOR