BUSINESS STANDARDS
is the quarterly magazine of BSI Group, highlighting the vital role that standards play in today's business environment. Regular features include interviews with leading business figures, as well as news on the latest developments in management systems and standards.
Public sector:
business as usual?
21 Oct 2008
Topics: Business continuity, BS 25999
Disasters, whether natural or manmade, make for attention-grabbing headlines. Reports of terrorist attacks, flu pandemics, floods, fire and pestilence have occupied the front pages enough times for them to have entered the business psyche and for many companies to have put in place emergency contingency plans.
Add to this threats posed by globalization, fear of loss of reputation, and negative brand associations, and it explains why the response to BS 25999, the British Standard on business continuity management, has seen unprecedented interest in certification for such a new standard.
What of the public sector? Often seen as unhindered by the same fears of brand reputation and globally disparate offices, one might think that the same drivers for business continuity do not apply. Not so, says BSI's business continuity product manager, Julian Thrussell.
"If anything, the stakes are higher in the public sector, where the consequences of failure to deliver any one of many services such as social care could be dire, if not life-threatening."
In addition to the need to deliver from a social context, the public sector is also legally mandated to deliver services, which adds another layer of expectation.
"For many businesses it could be argued that there wouldn't be any serious implications if some services didn't exist for a certain period, but local councils are legally mandated to deliver many of their services. This leaves them with the harshest of both worlds," explains Thrussell.
Considering contingencies
Business continuity was brought centre stage within the public sector by the Civil Contingencies Act 2004, legislation set up in response to the fuel crisis, flooding and foot and mouth scares in the early millennium. Under its terms, local authorities and the emergency services, among others, are obliged to put in place emergency and business continuity management arrangements, and share information and co-operate with other local responders. Local authorities are also obliged to provide advice and assistance on business continuity management to businesses and voluntary organizations.
It was hoped that the Act would put in place a consistent framework that could provide a coherent approach to business continuity and emergency planning across the public sector.
However, for the most part, the hope proved to be exactly that. With hindsight, in addition to the Act, there was clearly need for a uniformly accepted framework that would provide guidance and assessment for organizations implementing business continuity plans. There are strong indications from central government that BS 25999 will be the tool used.
The Cabinet Office has been heavily involved with the creation of BS 25999, seeing its relevance and importance for UK plc. It is now switching its attention to central and local government.
The standard has also been picked up and promoted by the Pitt Report, the formal, independent report into the flooding of 2007.
The floods of summer 2007 were some of the worst since records began. Thirteen people lost their lives and 55,000 homes and businesses were flooded. The Pitt Report identified that utility companies and local authorities were not delivering joined up business continuity for critical services such as electricity and water.
It emphasized that effective business continuity plans are an invaluable step in making sure services are maintained for as long as possible or that, if they are lost, that they can be recovered as quickly as possible.
It recommended that "Government introduce a duty on national infrastructure operators to undertake business continuity planning to more closely reflect that on category 1 responders [eg police, fire and rescue, ambulance and local authorities]," and that "BS 25999 be prescribed."
Similar reliance on the standard has been displayed by the Department of Health. In its report, NHS Resilience and Business Continuity Management Guidance, the department states that, "Through the use of BCM methods (in accordance with the British Standards Institution (BSI) standard for BCM - BS 25999 parts 1&2), the NHS Resilience Project is tasked with improving resilience throughout the NHS ensuring continuous operational delivery of healthcare services when faced with a range of disruptive challenges."
It goes on to state that, "following a BCM approach alongside the new BS 25999 - parts 1&2 will allow a unified and cohesive approach to BCM, and develop a resilient healthcare system which can be benchmarked against other similar sized organizations."
Thrussell points out that in fact, NHS trusts have generally been very good in this area, as they understand the high risk environment in which they operate.
"If there is an office fire, the first thing that a company would do, without thinking, is evacuate the building," he points out. "You cannot do that with a hospital as it could expose some patients to acute risk. There are things to be put in place before you can evacuate the building, which have to have been exceptionally thought through and exercised in advance."
Most, if not all, NHS Trusts have to a greater or lesser extent, and without particular guidance, put business continuity plans in place. But this has been done piecemeal without a coherent structure across the trusts.
When BS 25999 was published, the NHS saw it as a means of promoting best practice across trusts. The advantage of the standard is that it puts forward a uniform approach to business continuity, meaning that the trusts can interconnect far more successfully.
To date, five trusts have applied for certification to demonstrate what best practice they already have in place. More are sure to follow, with discussions ongoing between the Department of Health, BSI and the NHS as to how BS 25999 can best be implemented across the health sector.
Finding funding
Aside from legal and social obligations, there are other factors that differentiate the public sector from private in terms of service delivery. Most notable is funding. Hugh Kinsella was manufacturing director for Dawson International before switching to the public sector, where he is now senior risk management adviser for Scottish Borders Council.
"The private sector business plan is quite straightforward. It's a question of making as much money as you can and giving the shareholders a reasonable return," he says. "In the public sector, you must use the limited funds you're given as best you can. That's quite a tough call. It can make attempts to prioritize business continuity planning hard work.
"I call our project a grudge purchase because I am asking people to put money and resources towards developing and testing plans against something that might never happen," explains Kinsella.
Scottish Borders Council has taken its responsibilities extremely seriously. In the last 18 months it has identified threats, critical services and the associated timelines, then developed plans around incidents. The council is responsible for a large geographical area, as much as 20 per cent of the whole of Scotland, Kinsella estimates, despite only having around 120,000 customers.
The region has encountered fire, floods, even planes falling out of the sky, which had all helped to create an extensive knowledge base in terms of business continuity management, albeit on an informal basis. Now the council is intent on putting things on a more structured footing. Scottish Borders Council has plans in place for 300 locations, including schools and libraries, and has completed stage one of BS 25999 certification.
"We're now much more systematic," says Kinsella and uses an incident at a school in Coldstream by way of example. "A gas incident meant that we had to evacuate the children and staff. An automatic text system notified parents, and we had plans to accommodate children whose parents would not be able to come. The problem was repaired on day one, and on day two the school was back up and running. In all likelihood, before we had our plans, the staff and children would have been sent home, and on day two we would have had a management meeting, saying 'What are we going to do?'"
Throughout the public sector, there are examples of organizations benefiting from the structured business continuity planning BS 25999 brings, and increasingly it is becoming a matter of not "why?" but "how?". For those looking to convince any last doubters, it might be worth considering a slightly more hard-edged approach.
"The main photograph on the section of our intranet that houses the business continuity plans is of a local primary school that burnt down," says Kinsella. "It shows this is why we are doing it." It is a fairly compelling argument.
_________________________________________
CASE STUDY: Scottish Power: continuity is key
When a fire broke out in a tyre factory on the same business park as one of its sites last year, Scottish Power immediately put its displacement strategy into action.
The site was evacuated and staff relocated to the company's internal recovery centre and head office. Staff at the recovery centre were fully operational within 1hr and 40mins, while all relocated personnel were fully operational within 2hrs and 30mins.
Following deregulation and the growing commercialism of utility companies, Scottish Power was quick to see the strategic importance of a robust business continuity structure.
"In 2001, the chief executive was the sponsor of the programme, so it was a senior level initiative from the start, and remains so," says Gordon Irving, director of group security.
The company embraced PAS 56, the precursor to BS 25999, and was subsequently happy to become early adopters of its successor.
"We have put our business continuity plans into action on several occasions, and believe that our investment in business continuity has more than justified itself in terms of financial and non-financial impact mitigation," he continues.
The company is aware that business continuity is an ongoing process and has recently undertaken the management review of its existing systems to improve performance further.
The business continuity strategies within the company continue to be refined as part of the management system resulting in ever more focused business continuity based on the risks faced.
For more information on BCM standards and publications: www.bsigroup.com/en/Standards-and-Publications/Industry-Sectors/Risk
For more information on BCM certification: www.bsigroup.co.uk/en/Assessment-and-Certification-services/Management-systems/Standards-and-Schemes/BS-25999
______________________________________________
BS 25999 explained
BS 25999 is the standard for business continuity management (BCM). Business continuity is a management process that provides a framework to ensure the resilience of a business to any eventuality. It helps to ensure continuity of service to key customers and to protect a company's brand and reputation. Business continuity plans need to be clear, concise and specific to the needs of the business and should be an integral part of the way a business operates. Certification to BS 25999-2 covers the requirements for establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented Business Continuity Management System (BCMS).
To download a free copy of BSI's BCM White Paper: www.bsigroup.com/oct08BCMwhitepaper
To view a pre-recorded webinar on BS 25999: www.bsigroup.com/oct08BCMwebinar
Visit BSI's new BCM portal: www.TalkingBusinessContinuity.com
Business Standards © 2009. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.
Integra ICT Hits environmental high
Integra ICT, the Bedfordshire-based telecoms provider, has achieved certification to ISO 14001 Environmental management from BSI.
Anglian Building Products (ABP), the business-to-business division of Anglian Windows Ltd, has achieved certification to ISO 14001 Environmental management systems following an audit by BSI.
BSI is planning an informal free lunchtime roundtable in central London on 10 December 2009 to explore how small businesses and their trade bodies can work more effectively with standards. Places are limited so to register your interest or request more information, please email bsi.survey@bsigroup.com or call +44 (0)20 8996 7750.
As part of its evolving governance, risk and compliance strategy, BSI has acquired the Supply Chain Security Division of First Advantage Corporation.
Sapphire earns a standards hat-trick
Sapphire Energy Recovery, the waste processing and resource recovery business owned by Lafarge Cement, has achieved certification to three management systems standards (ISO 9001 Quality management, ISO 14001 Environmental management and BS OHSAS 18001 Health and safety management) from BSI. Sapphire is the UK's leading processor of used tyres, and sources and manages the logistics of a range of waste-derived fuels and raw materials for the cement industry.
Question: Why is ISO 9001 still relevant?
This question has been raised before and at BSI, we make certain to ask the question as a matter of course. The forthcoming update to the standard - ISO 9001:2008 Quality management systems. Requirements - is the result of just such questioning.
Have a standards-related question for BSI or a comment on the website? We'll find the right person to answer.
