BUSINESS STANDARDS
is the quarterly magazine of BSI Group, highlighting the vital role that standards play in today's business environment. Regular features include interviews with leading business figures, as well as news on the latest developments in management systems and standards.

Business Standards > Articles

Continuity doesn't change

02 Jun 2009
Topics: BS 25999, Business continuity

Businesses everywhere are being battered in the recessionary storm and their resilience to unexpected interruptions may be faltering as a result. Hector Nairn reviews the case for business continuity management (BCM) during the downturn.

With what felt like considerable speed, the bottom fell out of the economy in 2008 and it hasn't found the floor yet. Every day, headlines bring more news of redundancies and closures, and a significant proportion of businesses are feeling the strain: unpaid bills, layoffs, evaporating credit, less than full order books and increased uncertainty, all of which inhibits both planning and confidence.

Imagine what it would be like if those same businesses have a large fire this week, or a flood, or a cable is cut somewhere and there's no electricity for the next three days? Events that can and do happen in any economic climate are no less likely in a recession - the difference is the capacity to cope.

More not less

Arguably, some adverse events can become more likely in a recession, such as a supplier going to the wall - and if they are fundamental to your supply chain, it could de-rail your business. The often commercial advantage of relying upon one supplier should always be balanced against the risk that they will let you down.

For example, while the media focused its attention on Woolworths going into administration, few people noted that this included Entertainment UK Limited (EUK), a wholly-owned subsidiary of Woolworths Group plc. For entertainment retailer Zavvi, this was a fundamental disruption as EUK was their main supplier. Unable to do a favourable deal with other suppliers, Zavvi was forced to shut its doors as well.

And while some things may become more likely in a recession, some knee-jerk reactions can introduce greater potential for disruption. For example, businesses may be tempted to save money by cutting corners, such as stretching out the maintenance schedule, but that could have dire consequences. Cutting down on the frequency of facilities maintenance might save money today, but a later failure in the plumbing or climate control system in your organization could shut down the business for hours, if not days.

Trimming stock levels is another such example: it may also save on cost, but one lost delivery could bring production to a grinding halt. The same can be said for making blanket redundancies in order to salvage the bottom line: if you let people go indiscriminately, it may take months to notice that the one person who can recalibrate the machine or upgrade the software isn't around any more, causing delay and disruption.

Some disruptions may be overlooked when times are good but right now the business world has become more unforgiving. Customers are likely to be much more price-conscious because they too have to reduce operating costs. If a company lets down one of its customers temporarily, that customer may need to invest in finding an alternative, perhaps cheaper supplier, and might ultimately stay with them for good.

Knowledge is the key

"The key is to think about dependencies and to understand the situation," says Julian Thrussell, BSI's UK product manager for BCM standard BS 25999. "Look at the risks: if a supplier goes out of business and nothing you do would suffer an impact, do nothing. If the risk is high, then you do need to act. Business continuity management gives you the opportunity to understand. You don't necessarily have to do anything, but you do have to find that out."

Tony Drewitt is the principal of Continuity Associates and a leading practitioner in the implementation of BS 25999, on which he has published two books. He agrees on the value of thinking about business continuity in today's economic climate. "No one would go to a company that is struggling to remain solvent and say to them, ?Now start working on business continuity' - of course not," he says. "But many profitable organizations are horribly exposed to some risks of operational interruption and are less resilient now than a year ago. Doing something to at least check that they have some form of recovery capability is more important than ever."

It may be a question of what can be afforded, but there is broad agreement that a business continuity management system (BCMS) based on BS 25999 is the best route to effective BCM. The standard gives a structure within which to systematically analyse all the activity and dependencies within an organization in terms of the operational impact.

Organizations can then prioritize what matters most and develop specific plans with which to minimize disruption when the unexpected happens. BS 25999-1 is a guidance standard, giving a structure on how to approach BCM. BS 25999-2 is the world's first and only BCM requirements standard, against which organizations can choose to be assessed and certified. Since its publication in late 2007, BS 25999-2 is now active in 77 countries and the number of certifications is growing quickly. In effect, BS 25999 has now become the globally-recognized roadmap with which to implement a best practice BCMS.

Added value

Some of the benefits of a BCMS may be more important in a recession than at any other time. These include competitive advantage, eliminating inefficiencies and cost saving on disaster recovery.

Competitive advantage comes from the fact that times have changed. There was a time not so long ago that a customer might ask a potential supplier if it had business continuity plans, and sight of a folder marked "BCP" would suffice.

"Many times, I've seen people pull out sheets of paper with ?Business Continuity Plan' on the front, but on the inside there could be anything - stuff that made sense 15 years ago or a load of blank forms and templates," says Drewitt. "It's very common."

Today's customers are asking, "Is your plan any good?" because now, more than ever, they want suppliers that are resilient. Certainly for larger companies it has generally become policy to scrutinize the reliability of their suppliers in terms of operational continuity. If the potential supplier already has an independently verified BCMS that is by definition best practice, it will be one significant ingredient in getting the business.

Says Drewitt, "When everything else is equal in terms of value and quality, certification to BS 25999 is bound to give a competitive edge."

The competitive advantage of having BCM under control is amplified when something does go wrong. Thrussell points to a US financial report, which tracked the fortunes of businesses after major insurance claims arising from significant business interruptions. For those companies that recover quickly, the share price goes up considerably because the company is giving everyone confidence.

Drewitt concurs: "It's perfectly understandable. If a supplier really struggles with a power cut or a few inches of snow, they might continue to supply afterwards but it often makes the customer reflect on a close call. They'll be inclined to go looking for a better supplier, so competitors get the chance to seize market share.

"Conversely, those who proactively contact their customers when a problem arises and say, ?Our plans have swung into action, we discussed this, it's under control' - the customer knows in advance about the BCMS and doesn't feel exposed."

The BCMS process is also highly useful in uncovering inefficiencies - as Drewitt calls it "a not insignificant benefit."

"With the vast majority of clients I've worked with," he says, "they always discover some quite significant things about the way they operate when they engage in a BCM programme." This includes identifying all sorts of operational inefficiencies and activities that people can't justify. It often leads to changes and clear benefits.

Costs of recovery

Drewitt also argues that pretty much every company is currently spending money on "resilience", typically in the form of disaster recovery. This usually covers outsourced IT and sometimes things like facilities management and supply chain.

"Sometimes they may be spending more than necessary and sometimes they're not spending it well," he says. "If your house is worth £200,000, do you really want to pay for a policy giving you £1m worth of cover?

"I don't want to give the impression that every company is spending far more than it needs on IT disaster recovery contracts. Some are paying for a capability that is much less than they would actually need. But in principle, unless they've done the analysis, they can't optimize expenditure on resilience and ensure ROI. With a system based on BS 25999, you are more likely to make an appropriate investment than with guesswork."

All businesses have the option of adopting BS 25999, and the additional choice of becoming certified through a third-party audit. Drewitt believes that the incremental cost of moving from a best practice BCMS to a certified BCMS is relatively small and well worth it. "Independent certification", he says, "has a high level of credibility."

Where there is budgetary pressure, Drewitt advises that companies evaluate their level of exposure, and whatever they do should be in line with BS 25999.

"You might not develop a complete BCMS now, but whatever part you do develop, make it consistent with the standard so that it's not wasted later on." And in the short term it may make an important difference to your ability to ride out the storm.

For more information on business continuity management standards: www.bsigroup.com/bs25999

For more information on business continuity management certification: www.bsigroup.co.uk/bcm

CASE STUDY: Implementing BS 25999 at Airbus

Airbus, with facilities in Filton (Bristol) and Broughton (North Wales) is one of the world's leading aircraft manufacturers. The company is currently working towards implementing BS 25999, initially across the UK facilities' disaster recovery operation, and then perhaps across all the UK business programmes.

"Once Facilities Management is certified, we will then carry out a review of the advantages and write a proposal to extend the certification to other areas if we feel it's useful and worthwhile," says Paul Malfatti, Airbus in the UK's business risk and assurance manager. Ultimately, Airbus is looking to explore a wider implementation across all the European sites.

Why is it important for Airbus to become certified to BS 25999? Malfatti says that Airbus has had business continuity planning in place for a long time. However, the standard enables a common approach and galvanizes a greater level of engagement.

He adds: "BS 25999 is best practice. I would also argue it is good to have a standard which is not only robust and auditable, but also provides an approach which can be implemented by suppliers. In today's business climate, where we increasingly focus on core value-added activity, we depend more than ever on ?risk sharing' partners and suppliers. Having a common and standardized understanding of business continuity helps to strengthen the supply chain."

To achieve certification, Airbus has designed a database around the standard. When fully populated, the database will organize live data in one coherent system, including contact lists, asset locations and supplier analysis. In turn the database will automatically generate current, BS 25999 compliant, Business Continuity Plans.

"We already have BCP in all areas, what we need now is a rigid framework within which to harmonize and integrate the approach," says Malfatti. "We are using the standard as a vehicle for doing that."

CASE STUDY: BCM self-assessment online tool from BSI

BSI British Standards recently launched an online self-assessment tool around BS 25999-2. The toolkit guides the design of a business continuity management system (BCMS) against BS 25999-2. It provides the tools needed to plan, implement, operate, review, record and report on a BCMS, and takes organizations to a level where they are ready to undertake an external audit against BS 25999. It also ensures that the organization will be well prepared to deal with unexpected business interruptions.

For more, visit: www.bsigroup.com/bcmonline

Business Standards © 2009. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.

Question: Given the state of the environment, should issues like energy management in business be more regulated and closely monitored instead of voluntary?

Climate change is such an urgent issue that some might argue the only answer to this question is "Yes". However, creating laws that achieve their goals in precisely the right way is challenging and time consuming at the best of times. And when it comes to climate change, the factors involved are varied - too many for any one law or set of laws to cover adequately.

Read more

Have a standards-related question for BSI or a comment on the website? We'll find the right person to answer.