Untangling the continuity web
26 Oct 2007
Topics: Business continuity, BS 25999
Imagine you work in one of the world's largest media conglomerates, one that stretches from Australia to the UK and the US. Now imagine you have to ensure business continuity across all branches of the organization - from books and newspapers to television and movies. For John Beattie, director of business continuity for News Corporation, this is his daily bread.
"I oversee the development of the business continuity programmes in all the business units across News Corporation," Beattie explains. "My role is to assess and adjust what they have in place, or help them launch new business continuity programmes and make sure that they comply with standards that we've set at the corporate level for these programmes. We defined a baseline approach to business continuity, and those organizations without a formal programme were asked to follow our guidelines, and use our tools and standards. The foundation of those standards is BS 25999-1 Business continuity management. Code of practice and BS 25999-2 Specification for business continuity management."
While admirable, News Corporation's commitment to business continuity seems to be the exception rather than the rule - for the moment at least. For many businesses, formal BCM can still seem like a management discipline too far. For example, of the 10,600 members of the Chartered Management Institute surveyed earlier in the year by the Civil Contingencies Secretariat of the UK Cabinet Office, only 1,257 responded, of whom less than half (48 per cent) actually have a specific business continuity plan (BCP) in place.
Furthermore, only half of those with plans ever carry out regular rehearsals, despite strong evidence that rehearsals are vital to ensure effectiveness.
Nonetheless, it feels as though BS 25999 is a standard whose time has come. The impetus behind it came from the public and private sector in the wake of the publication of BSI's PAS 56 Guide to Business Continuity Management in 2003. Thereafter, the results of a 2005 BSI national consultation were overwhelmingly supportive of a standard. A BSI committee was formed to include all interested parties: from the BCM industry and the Financial Services Authority (FSA), to the Metropolitan Police and the Fire Officers Association. The Cabinet Office and the then Department of Trade and Industry (DTI, now DBER) were also represented.
"We involved ourselves in work on the British Standard because we regard business continuity, in the private and public sectors, as one of the keys to resilience," explains Bruce Mann, director of the Civil Contingencies Secretariat at the Cabinet Office. "The survey we have done this year suggests that the degree of preparedness is mixed. A British Standard would, for the first time, offer a benchmark against which organizations can enhance their business continuity."
Moreover, now that the certifiable part of the standard - BS 25999-2 - is ready for publication, BSI is experiencing unprecedented demand. The Draft for Public Comment garnered a record-breaking 3,000 responses and dozens of companies are queuing to obtain certification. Meanwhile, BSI has never before received so many advance orders for a new standard.
Good timing
What makes the timing so right is the world we live in now, according to the experts. Though terrorism, flooding and other extreme weather events make flashy headlines, the underlying drivers are more profound and can probably be summed up in one word: globalization. That covers the global dispersion of big organizations, the fragmentation of manufacturing, ever extending supply chains, ever increasing interconnectivity, the growth of outsourcing and the rise of franchises and subcontracts.
Marsh Risk Consulting is the largest risk advising company in the world. Its head of BCM, Martin Caddick, takes the analysis a step further. In his view, part of the executive management's job is looking at "volatility", which is to say opportunities and risk: "All these things reduce operational costs and resilience, and increase risk - but it's about how you manage and plan change so that damage is limited and opportunities exploited," he says. "If you understand and manage how the risk changes, then you are much more likely to make a success of it." Businesses must not only be prepared to respond to risk, but to actively embrace it, which is why BCM is becoming a much bigger deal.
News Corporation understands this better than most. Its many well known holdings include the Fox TV network, 20th Century Fox (film and television), BSkyB, HarperCollins, and The Times, The Sun and The New York Post newspapers. When you're in the business of delivering content across virtually all forms of media around the world, both risk and business continuity are your lifeblood.
"For News Corporation, BCM is all about protecting the content of the organization, protecting its intellectual property and assuring that we can get the news out and get the TV shows on the air," Beattie says. "It's down to the detail, things like making sure you have extra make-up on hand for the people going on air in a secondary studio.
"We also have people in harm's way, covering the news in war zones and other high risk regions. As such, while we have people running from disaster in some parts of our business, we have people running towards it in others - and this needs to be taken into account in our business continuity plans.
"By having a standard such as BS 25999 in place, it gives people specific practices to focus on. It takes away any debate over what should be done in a business continuity programme," Beattie adds. "It also adds credibility because we can draw upon this standard for direction. It was created by a diverse group of people who are knowledgeable about business continuity - the standard is larger than we are. It makes it easier to let the organization know and understand the practices we want to follow."
Why implement?
Another major driver prompting adoption of the standard is regulation - bodies like the FSA and the Law Society are already looking for demonstrably fit-for-purpose BCM systems to be in place. Next come local authorities, whose obligations under the Civil Contingencies Act require their suppliers to demonstrate a BCP is in place. The Act doesn't prescribe how to implement continuity planning but it is believed that certification to BS 25999-2 would adequately demonstrate compliance. As a result, BSI is already talking to local authorities about certification.
"Certification demonstrates competence and reliability to customers, provides assurance regarding the level of service being provided and is a significant factor in reducing overall business risks," explains Julian Thrussell, business continuity management product manager at BSI Management Systems UK.
"It also helps differentiate a company's products and services from the competition, a vital issue in today's global marketplace. And more customers are demanding the standard as proof that the supplier is taking business continuity seriously."
According to Thrussell, businesses are also turning to the standard to ensure greater stability along the supply chain, as a major disruption to the chain can be a survival issue for some companies. As a result, organizations with significant commercial muscle are starting to promote the standard among suppliers in order to safeguard continuity of supply. Those with less commercial muscle will ask for proof of a BCP in their supplier selection criteria.
In the long term, says Thrussell, it is possible that BS 25999 could become the price of doing business, in much the same way as ISO 9001.
Putting into practice
If BS 25999 is indeed set to become a reality for many, what in practice does that mean? Ron Miller is managing consultant at SunGard Availability Services UK, part of SunGard Inc, a global leader in disaster recovery services. He is also a member of the BS 25999 technical committee where he represents the IT industry. As such, he emphasizes that organizations must start thinking of business continuity as an organization-wide activity: "It needs to be a holistic process that involves everybody, otherwise you won't be embarking on continuity management very well. You need to see the dependencies within the organization and realize the key points of failure. It's a great way to highlight vulnerabilities and, in the same way, potentially seeing that there is a better way of doing things. It really enables you to get into the DNA of your business and find out exactly what makes it tick. And that's what BS 25999 does - it holds your hand through that process."
"As an organization, we haven't previously had a common approach to BCM across all of our operations," says Simon Beesley, responsible for "Operations Excellence" at TDG plc, one of Europe's leading supply chain management companies. "We have used the launch of BS 25999 to give us a template against which to develop a consistent approach on our sites.
"In developing a BCM system from the bottom up, BS 25999 is a fantastic guide to the process," Beesley continues. "We've had input from many different sources, but we've always found that by returning to the standard and following it in a logical sequence we have overcome any issues faced. It is also good to see the application of the Plan, Do, Check and Act (PDCA) model in the standard. Our Operations Excellence team has used the PDCA model over the last three years as the basis of our approach to continuous improvement.
"With the increasing media focus and awareness of the threats faced by businesses today, we're more aware than ever of the need for continuity of service to our customers. I'd recommend that anyone embarking on the BCM journey follow the standard in developing their project plans and should look to integrate BCM capability into the organization's existing management systems as much as possible."
In truth, while there has been no shortage of disaster headlines in recent months, most businesses are likely to fall foul of less newsworthy disruptions. Loss of IT and loss of people are the most common disruptions in the Cabinet Office survey, although there has been a sharp rise in extreme weather disruptions, and with climate change these are likely to increase.
"For smaller businesses, it's important to keep things in perspective and not go overboard in protecting yourself against things that are unlikely," says Caddick. "Decide what's important to you and keep it under review."
"It's really not something that should cost too much time, effort or money in terms of putting things in place, because for most SMEs, as long as you have a plan in place to respond to disruption, it's simply common sense," says Miller. "If the police come knocking at your door at 3.00am to say your industrial unit is burnt to the ground, what do you do first? Who do you contact, what are the key things to do in order to get the business back up and running again? And that, in essence, is what sits at the core of your business continuity plan."
For larger organizations, Beattie of News Corporation has some straightforward advice: "We kept it simple and focused on activities that generate revenue or support employee well being," he explains. "If it doesn't have a direct impact on either of these, we don't worry about it. Staying focused has been at the heart of this being accepted in the business."
For multi-site organizations, BSI's Entropy Software (www.bsi-entropy.com) is designed to run existing BCM processes, with a built-in methodology of continuous improvement.
"If something does go wrong, it's a very tactical issue to notify people in relevant roles in say 25 sites, with the right information at the right time," says Paul Stanfield, Entropy Software™ product manager at BSI Management Systems. "The more sites you have, the more difficult it becomes, unless you use an effective multi-site, multipurpose system."
And finally, BCM doesn't stand still. The soon to be published BS 25999-2, says Martin Caddick, captures best practice as it stands today. But, he adds, "what might have been acceptable in 1999 would be an unacceptable response to a disruption in 2004, and even less so in 2007 - because people expect you to learn and the bar rises. Customers have become less tolerant of delay." He also cites research, which demonstrates that if you're hit by crisis or disaster and your response is good, then your valuation actually rises in the eyes of your stakeholders. Conversely, if you respond poorly, your valuation goes sharply down.
But for Caddick there's now no defence: "If you have continuity plans in place along the lines of the standard, you'll be able to respond effectively in most situations and have an excellent chance of survival. The standard is there, it's not expensive to buy, and it's not difficult to apply to your business. If you do get caught out, you've got no excuse."
For more information on BSI British Standards' online self-assessment BCM tool: www.bsigroup.com/oct07BCMtool
CASE STUDY: BS 25999-2 in a nutshell
Business continuity is a management process that provides a framework to ensure the resilience of your business to any eventuality. It helps to ensure continuity of service to your key customers and to protect your brand and reputation. Business continuity plans need to be clear, concise and specific to the needs of your business and should be an integral part of the way you operate. Certification to BS 25999-2 covers the requirements for establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented Business Continuity Management System (BCMS).
For more information: www.bsigroup.com/oct07BCMcert
CASE STUDY: The Fujitsu Experience
Before the publication of BS 25999-2, Fujitsu Services - a leading IT services company, which designs, builds and operates IT systems for large-scale clients in Europe, the Middle East and Africa - agreed to be one of a handful of organizations to "trial" the standard, by running a gap analysis against its established BCMS.
As a provider of IT services, Fujitsu's biggest issue is that its ability to continue business has such a significant impact on the business continuity of its customers, many of whom have a direct impact on the population of the UK. Fujitsu takes this very seriously.
Fujitsu felt the greatest benefit of the standard was that it demonstrates a level of capability in BCM that meets customers' needs.
"Compliance with the standard gives our customers added confidence in our ability to meet their business needs and serves to underpin good practice within our own organization," says Alan Clapson, Fujitsu Services' head of quality. "It also provides a common language and common approach, based upon years of experience across the world." Adopting, or at least referencing, the standard would also help Fujitsu be more effective in achieving alignment of preparedness for business interruptions all the way through the supply chain.
For Fujitsu, BS 25999 is a standard for business-wide continuity - and not just about IT. To emphasize this point, Fujitsu recommends involving people in your organization who have good business knowledge, across the breadth of the organization.
Fujitsu also found the standard helpful in prompting it to take a structured approach: understanding its business in terms of business processes, key people, supporting and enabling IT systems, and building services. And it is important to consider the potential impact on the surrounding environment. As with any standard, Fujitsu recommends you ensure from the outset that you capture documentary evidence of planning, doing, checking and acting. Without records you can't seek assessment against the standard, nor can you demonstrate improvement.
Finally, Clapson warns that while we would all hope that external assessment of our business continuity management system will be the only way our plans will ever be tested, experience suggests that life throws up situations where the plans have to be invoked.
It is a lot less stressful to be prepared - and might just ensure business survival.
Find out how Fujitsu is using BCM in Japan in our story Better safe than sorry.
Business Standards © 2009. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.