Staying on track
14 Feb 2007
Topics: Business continuity, BS 25999
Like other disciplines such as quality and environmental management, the progress of business continuity management (BCM) from theory to corporate currency has not been without trial. Attempts at improving business robustness in the event of crises have tended to concentrate either on large organizations or too heavily on disaster recovery rather than the day-to-day business of managing disruptive incidents.
With the publication in November 2006 of Part 1 of BS 25999, the new British Standard for BCM is set to redress this imbalance. Conceived as a development of PAS 56, the previous BCM standard published by BSI in 2003, BS 25999 is a code of good practice concerned with highlighting what organizations need to do in order to ensure their BCM systems are running effectively on a day-to-day basis.
The Part 1 code of practice will be followed in the summer of 2007 by Part 2, which will provide a set of criteria and guidelines that are measurable and against which BCM strategies can be assessed, audited and for the first time certified by third party certification bodies such as BSI Management Systems.
"There were two broad challenges associated with the drafting of BS 25999," explains David Lloyd, technical adviser to Survive, a business continuity specialist organization, who sat on the drafting committee of the standard. "First, PAS 56 had been criticised for being too orientated towards large organizations so the BS 25999 committee had to make sure the new national standard met the needs of the whole business spectrum, across different sizes and different risk profiles.
"The other specific issue was to simplify the language and terminology so it was readable and not impenetrable technical jargon. As a result, the new standard makes sense, is easy to follow through and is practical."
John Sharp, policy & development director at the Continuity Forum, who participated in drafting both BS 25999 and PAS 56, agrees that the new standard is a timely enjoinder to the business continuity movement.
"As a set of guidelines, PAS 56 was extremely challenging for smaller organizations, whereas BS 25999 is a more comprehensible document and more applicable to a broader range of organizations," he says.
"For example, PAS 56 required organizations to operate one week every six months out of a recovery centre: this would have made compliance impossible for SMEs that couldn't afford one."
A timely response
The growing awareness of and interest in making sure organizations are ready to face the increasing uncertainties around them suggests BS 25999 will become a vital business tool. It not only addresses strong demand caused by current concerns over potential major disruptions - flu pandemic or terror strikes are certainly topical at the moment - but it also provides a coherent set of principles and guidelines that are applicable at any time.
"One of the lessons we learned in 2001 when we drew up PAS 56 was that companies were asking suppliers for details of their business continuity plans, but everybody was asking for a different perspective and suppliers needed a uniform approach that worked not just for big business but for the whole supply chain. There were lots of questionnaires lying around and SMEs, for the most part, came to see BCM as a cost, a grudge purchase, rather than a part of the overall value chain," says Sharp.
With BSI Management Systems and other third parties already working on self-assessment tools for the standard, and the launch of BS 25999 Part 2 (the Specification) scheduled for 2007, there will be for the first time a spectrum of compliance solutions that should fit the needs of any organization, large or small.
For example, to answer a request from the board about a company's business continuity preparedness, a relatively straightforward self-assessment should suffice.
For more in-depth investigations, the Specification (Part 2) will detail requirements for a Business Continuity Management System and will provide organizations with a mechanism to ensure that their partners and suppliers also have the correct BCM procedures in place. Currently, it is difficult to determine whether organizations are adequately prepared for disruptions, but the Specification will allow for an audit process and certification - meaning that organizations will be able to clearly demonstrate to others that they are meeting the standard and therefore BCM best practice.
This ability to structure levels of compliance according to the level of need within an organization makes the process more cost-effective as well as more practical. For example, one comment from a major high street bank at BSI's recent conference to launch BS 25999 was that it would push for full accreditation for mission-critical functions on which its customers and stakeholders depended, while for individual branches a lighter compliance level, most likely self-assessment, would be deemed to suffice.
Where now for BS 25999?
A large number of varied organizations in a wide range of sectors are taking up the opportunities of BS 25999 to ensure strong business continuity.
Local authorities, for example, are required by the UK's Civil Contingencies Act, which came into force in 2004, not only to ensure BCM is employed in category 1 and category 2 emergency services but also to promote the concept to the wider business community.
Likewise, various industry regulators, most notably the FSA, are taking a proactive approach to getting the standard adopted in their jurisdictions while pressure from those at the top of the corporate food chain is helping drive adoption in the SME community.
The standard's developers are confident that BS 25999 Part 1 (the Code of Practice) and Part 2 (the Specification, due to be published in the middle of 2007) will encourage greater take-up.
"Being a formal British Standard now means that for those for whom BCM is their discipline, it raises their professional standing. This means more status and more ability to get things done," says Lloyd.
"We want to see business continuity become part of general management training in the same way finance, HR and project management are, and now is the time for us to take the standard to the MBA schools and get them to build the code into their courses: this will help us raise critical awareness in the investment community.
"The issue is not about promoting BS 25999, which is just something you can hang your hat on: what we're trying to do is build a more resilient business community."
Julian Thrussell, BSI Management Systems UK's product manager for BS 25999, agrees.
"This standard is an important step towards helping organizations prepare for the unknown and to gain confidence from suppliers that they are prepared for disruptions," he says.
"Above all, BS 25999 will help organizations survive. This is an exciting first step and in the future, third party certification by an independent certification body, such as BSI Management Systems, will provide the assurance that organizations meet BCM best practice."
>CASE STUDY: Challenges of implementing a BCM strategy
According to Sally Edwards, a principal advisor in the IT Advisory - Business Continuity Management team at KPMG who was involved in the drafting of BS 25999, the biggest challenge facing the BCM movement is giving the new standard time to establish itself: "We've been helped by regulatory developments and the prevalence of BCM issues in the media but, like many other British standards, it's going to take a while to bed in: it's not a tick-the-box style audit and it's not a common skill. It's going to take time for people to get to know it properly." BSI is helping to fill these gaps with further conferences and training on BS 25999 in the pipeline for 2007.
And while it may take time to become embedded in the UK, BS 25999 is proving a hit internationally: "BS 25999 is going to count as a good benchmark for the rest of Europe. It's already aiding dialogue between other governments who want to pitch in ideas of their own, but it really is ahead of the game."
>CASE STUDY: Buy-in throughout the organization
Getting the resources to implement a BCM strategy can be a challenge, but a new generation of boardroom BCM champions is emerging.
"These days, this board-level buy-in is the general rule rather than the exception," says KPMG's Sally Edwards.
Speaking at the recent BS 25999 launch conference organized by BSI British Standards, Gordon Irving, director of Group Security at Scottish Power, said that by getting emergency managers and risk managers to work together against a common point of reference, effective BCM programme management can be put in place: "The implementation of the standard allows us to build on our expertise within emergency management and move to a holistic management system covering all areas of business continuity practice within integrated risk management."
In the public sector, the Continuity Forum's John Sharp reports that BS 25999 and other measures are having a positive effect: "Responsibility for BCM can be carried out by various functions depending on the organization but in the public sector, where the role is usually carried out by emergency planners, the signs are that BCM is beginning to be seen as more than just drawing up a plan. Local authorities are now beginning to recruit BCM managers and provide training for staff."
For more information on the standard, visit:
www.bsi-global.com/feb07bs25999
For more information on certification, visit:
www.bsi-global.com/feb07BCMcert
For more information on future BCM-related conferences and training, visit:
www.bsi-global.com/feb07BCMseminars
Business Standards © 2009. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.
Question: What impact do you think BCM could have on business insurance in the future?
It is essential that any business suffering a disaster is able to continue as near normal trading in the shortest possible time period to survive. To achieve this, an organization should implement a comprehensive well-tested business continuity plan (BCP) as a first step. Insurance should be viewed as an extension to the BCP process, not an alternative.