is the online magazine of BSI Group, highlighting the vital role that standards play in today's business environment - delivering ROI, saving costs, improving quality and mitigating risk. Features include interviews with leading business figures, as well as news on the latest developments in management systems, standards, testing, healthcare and certification.
Public sector:
business as usual?
21 Oct 2008
Topics: Business continuity, BS 25999
Disasters, whether natural or manmade, make for attention-grabbing headlines. Reports of terrorist attacks, flu pandemics, floods, fire and pestilence have occupied the front pages enough times for them to have entered the business psyche and for many companies to have put in place emergency contingency plans.
Add to this threats posed by globalization, fear of loss of reputation, and negative brand associations, and it explains why the response to BS 25999, the British Standard on business continuity management, has seen unprecedented interest in certification for such a new standard.
What of the public sector? Often seen as unhindered by the same fears of brand reputation and globally disparate offices, one might think that the same drivers for business continuity do not apply. Not so, says BSI's business continuity product manager, Julian Thrussell.
"If anything, the stakes are higher in the public sector, where the consequences of failure to deliver any one of many services such as social care could be dire, if not life-threatening."
In addition to the need to deliver from a social context, the public sector is also legally mandated to deliver services, which adds another layer of expectation.
"For many businesses it could be argued that there wouldn't be any serious implications if some services didn't exist for a certain period, but local councils are legally mandated to deliver many of their services. This leaves them with the harshest of both worlds," explains Thrussell.
Considering contingencies
Business continuity was brought centre stage within the public sector by the Civil Contingencies Act 2004, legislation set up in response to the fuel crisis, flooding and foot and mouth scares in the early millennium. Under its terms, local authorities and the emergency services, among others, are obliged to put in place emergency and business continuity management arrangements, and share information and co-operate with other local responders. Local authorities are also obliged to provide advice and assistance on business continuity management to businesses and voluntary organizations.
It was hoped that the Act would put in place a consistent framework that could provide a coherent approach to business continuity and emergency planning across the public sector.
However, for the most part, the hope proved to be exactly that. With hindsight, in addition to the Act, there was clearly need for a uniformly accepted framework that would provide guidance and assessment for organizations implementing business continuity plans. There are strong indications from central government that BS 25999 will be the tool used.
The Cabinet Office has been heavily involved with the creation of BS 25999, seeing its relevance and importance for UK plc. It is now switching its attention to central and local government.
The standard has also been picked up and promoted by the Pitt Report, the formal, independent report into the flooding of 2007.
The floods of summer 2007 were some of the worst since records began. Thirteen people lost their lives and 55,000 homes and businesses were flooded. The Pitt Report identified that utility companies and local authorities were not delivering joined up business continuity for critical services such as electricity and water.
It emphasized that effective business continuity plans are an invaluable step in making sure services are maintained for as long as possible or that, if they are lost, that they can be recovered as quickly as possible.
It recommended that "Government introduce a duty on national infrastructure operators to undertake business continuity planning to more closely reflect that on category 1 responders [eg police, fire and rescue, ambulance and local authorities]," and that "BS 25999 be prescribed."
Similar reliance on the standard has been displayed by the Department of Health. In its report, NHS Resilience and Business Continuity Management Guidance, the department states that, "Through the use of BCM methods (in accordance with the British Standards Institution (BSI) standard for BCM - BS 25999 parts 1&2), the NHS Resilience Project is tasked with improving resilience throughout the NHS ensuring continuous operational delivery of healthcare services when faced with a range of disruptive challenges."
It goes on to state that, "following a BCM approach alongside the new BS 25999 - parts 1&2 will allow a unified and cohesive approach to BCM, and develop a resilient healthcare system which can be benchmarked against other similar sized organizations."
Thrussell points out that in fact, NHS trusts have generally been very good in this area, as they understand the high risk environment in which they operate.
"If there is an office fire, the first thing that a company would do, without thinking, is evacuate the building," he points out. "You cannot do that with a hospital as it could expose some patients to acute risk. There are things to be put in place before you can evacuate the building, which have to have been exceptionally thought through and exercised in advance."
Most, if not all, NHS Trusts have to a greater or lesser extent, and without particular guidance, put business continuity plans in place. But this has been done piecemeal without a coherent structure across the trusts.
When BS 25999 was published, the NHS saw it as a means of promoting best practice across trusts. The advantage of the standard is that it puts forward a uniform approach to business continuity, meaning that the trusts can interconnect far more successfully.
To date, five trusts have applied for certification to demonstrate what best practice they already have in place. More are sure to follow, with discussions ongoing between the Department of Health, BSI and the NHS as to how BS 25999 can best be implemented across the health sector.
Finding funding
Aside from legal and social obligations, there are other factors that differentiate the public sector from private in terms of service delivery. Most notable is funding. Hugh Kinsella was manufacturing director for Dawson International before switching to the public sector, where he is now senior risk management adviser for Scottish Borders Council.
"The private sector business plan is quite straightforward. It's a question of making as much money as you can and giving the shareholders a reasonable return," he says. "In the public sector, you must use the limited funds you're given as best you can. That's quite a tough call. It can make attempts to prioritize business continuity planning hard work.
"I call our project a grudge purchase because I am asking people to put money and resources towards developing and testing plans against something that might never happen," explains Kinsella.
Scottish Borders Council has taken its responsibilities extremely seriously. In the last 18 months it has identified threats, critical services and the associated timelines, then developed plans around incidents. The council is responsible for a large geographical area, as much as 20 per cent of the whole of Scotland, Kinsella estimates, despite only having around 120,000 customers.
The region has encountered fire, floods, even planes falling out of the sky, which had all helped to create an extensive knowledge base in terms of business continuity management, albeit on an informal basis. Now the council is intent on putting things on a more structured footing. Scottish Borders Council has plans in place for 300 locations, including schools and libraries, and has completed stage one of BS 25999 certification.
"We're now much more systematic," says Kinsella and uses an incident at a school in Coldstream by way of example. "A gas incident meant that we had to evacuate the children and staff. An automatic text system notified parents, and we had plans to accommodate children whose parents would not be able to come. The problem was repaired on day one, and on day two the school was back up and running. In all likelihood, before we had our plans, the staff and children would have been sent home, and on day two we would have had a management meeting, saying 'What are we going to do?'"
Throughout the public sector, there are examples of organizations benefiting from the structured business continuity planning BS 25999 brings, and increasingly it is becoming a matter of not "why?" but "how?". For those looking to convince any last doubters, it might be worth considering a slightly more hard-edged approach.
"The main photograph on the section of our intranet that houses the business continuity plans is of a local primary school that burnt down," says Kinsella. "It shows this is why we are doing it." It is a fairly compelling argument.
_________________________________________
CASE STUDY: Scottish Power: continuity is key
When a fire broke out in a tyre factory on the same business park as one of its sites last year, Scottish Power immediately put its displacement strategy into action.
The site was evacuated and staff relocated to the company's internal recovery centre and head office. Staff at the recovery centre were fully operational within 1hr and 40mins, while all relocated personnel were fully operational within 2hrs and 30mins.
Following deregulation and the growing commercialism of utility companies, Scottish Power was quick to see the strategic importance of a robust business continuity structure.
"In 2001, the chief executive was the sponsor of the programme, so it was a senior level initiative from the start, and remains so," says Gordon Irving, director of group security.
The company embraced PAS 56, the precursor to BS 25999, and was subsequently happy to become early adopters of its successor.
"We have put our business continuity plans into action on several occasions, and believe that our investment in business continuity has more than justified itself in terms of financial and non-financial impact mitigation," he continues.
The company is aware that business continuity is an ongoing process and has recently undertaken the management review of its existing systems to improve performance further.
The business continuity strategies within the company continue to be refined as part of the management system resulting in ever more focused business continuity based on the risks faced.
For more information on BCM standards and publications: www.bsigroup.com/en/Standards-and-Publications/Industry-Sectors/Risk
For more information on BCM certification: www.bsigroup.co.uk/en/Assessment-and-Certification-services/Management-systems/Standards-and-Schemes/BS-25999
______________________________________________
BS 25999 explained
BS 25999 is the standard for business continuity management (BCM). Business continuity is a management process that provides a framework to ensure the resilience of a business to any eventuality. It helps to ensure continuity of service to key customers and to protect a company's brand and reputation. Business continuity plans need to be clear, concise and specific to the needs of the business and should be an integral part of the way a business operates. Certification to BS 25999-2 covers the requirements for establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented Business Continuity Management System (BCMS).
To download a free copy of BSI's BCM White Paper: www.bsigroup.com/oct08BCMwhitepaper
To view a pre-recorded webinar on BS 25999: www.bsigroup.com/oct08BCMwebinar
Visit BSI's new BCM portal: www.TalkingBusinessContinuity.com
Business Standards © 2010. Editorial produced by Caspian Publishing in association with The British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.
Security is a challenge at the best of times for a retail bank. If you offer services via the internet, security becomes even more complicated. For Barclays UK Retail Online Banking, information security is at the core of their business, which is one of the main reasons the organization pursued and achieved certification to ISO/IEC 27001 Information security from BSI.
How do you put a price on a brand? An international standard in the making will provide a consistent, reliable approach to brand valuation.
Gerda, a leading developer and manufacturer of products for the security industry, has become the first company to be awarded the Kitemark for thief-resistant lock assemblies, in line with BS 10621:2007 Thief resistant dual-mode lock assembly.
Rising waters: revising PAS 1188
For those living in areas that are prone to flooding, having the right protection resources available is essential. While images of emergency sandbags holding back rivers of water may fill the media, there is a much wider range of products available for flood protection.
A little bit extra for Kitemark® bodyshops and garages
It's all well and good for an automotive bodyshop to earn the Thatcham BSI Kitemark® for Vehicle Body Repair, but it won't have as much impact if potential clients don't know about it. As a consequence, BSI decided to offer an Extras marketing toolkit to bodyshops and garages that have earned the Kitemark.
Question: What impact do you think BCM could have on business insurance in the future?
It is essential that any business suffering a disaster is able to continue as near normal trading in the shortest possible time period to survive. To achieve this, an organization should implement a comprehensive well-tested business continuity plan (BCP) as a first step. Insurance should be viewed as an extension to the BCP process, not an alternative.
Have a standards-related question for BSI or a comment on the website? We'll find the right person to answer.
