BCM and BS 25999: A consultant’s view
There is currently an unprecedented level of interest in the subject of business continuity management (BCM). This article focuses on some of the factors behind that interest along with benefits to be gained from having an effective business continuity management system (BCMS). The article also focuses on the significance and importance of the launch in October 2007 of the first British certification Standard dedicated solely to BCM i.e. BS 25999-2.
Recent growth in BCM
The increasing awareness of the need for BCM can be partly explained by the recent occurrence of a number of high profile catastrophic events, along with concerns over potentially catastrophic events. Falling into the former category are the global terrorist attacks, particularly in New York and London, as well as the Buncefield oil depot fire and the floods during Summer 2007. Falling into the latter category are the Y2K bug meltdown scenario and, more recently, national concerns over a flu pandemic. All have served to prompt the question in the minds of senior executives: “Would our organisation survive?”
There has been considerable debate over the percentage survival rates of organisations with and without business continuity plans following a major incident. It has been quoted, for example, that following the 1993 Bishopsgate bomb, 92% of the organisations who did not have a business continuity plan in place did not survive long term. A much used (or abused!) statistic in BC circles is that “80% of businesses affected by a major incident close within 18 months”. In my opinion, these statistics can be quite misleading as so much depends on the nature of the event and the organisations involved. One thing is for certain, those organisations which have plans in place are more likely to survive a major incident than those that don’t!
Two other points are worth noting here. Firstly, while these high profile disasters attract significant public attention, organisations are at far greater risk from less ‘headline-grabbing’ incidents such as loss of power, internal plumbing leaks, loss of key personnel and breaches of security. Secondly, whilst the source of a disruption may vary, the management of the consequences relies on a set of principles that are largely the same, regardless of cause. This set of principles is commonly referred to as business continuity management (BCM).
Benefits of robust Business Continuity Management
Apart from the obvious benefits of being able to survive a major incident, there are a number of tangible organisational benefits which derive from having strong BCM in place. These include:
- Proactively improving the resilience of the organisation to achieve its key objectives when faced by a disruption
- Delivering a proven capability for managing a disruption
- Providing a rehearsed method for restoring the ability to supply critical products and services to an agreed level and timeframe following a disruption
- Providing confidence to stakeholders (including staff and customers) of the organisation’s resilience to disruption.
By establishing a strong BCM response capability, an organisation can ensure it meets its corporate governance, legislative and regulatory requirements as well as protecting and enhancing the organisational brand and reputation. A key question though is how does the organisation demonstrate the effectiveness of its BCM System? The answer has come with the launch in October 2007 of BS 25999-2, the first certification Standard for BCM.
The significance of BS 25999
For some time there has been a lack of consensus, both across disciplines and between countries, on the meaning of the term ‘business continuity management’. Many of its original practices emerged from an earlier technical discipline, i.e. IT Disaster Recovery. The significance of BS 25999 is that it is the first national Standard for BCM to which organisations can be certified. It has been developed by a broad based group of world class experts representing a cross section of industry sectors and provides a unified approach to defining the processes, principles and terminology surrounding BCM.
BS 25999 provides a basis for understanding, developing and implementing a risk based BCM approach within an organisation so providing reassurance to both internal and external stakeholders. It contains a comprehensive set of BCM best practice and covers the whole BCM lifecycle. It is not merely about ensuring that organisations have a contingency plan in place should a disaster occur, it is about understanding the business imperatives of an organisation, recognising where its critical activities are and designing availability in to them to avoid damaging disruptions in the first place.
6 Stages of the BS 25999 BCM lifecycle
The BS 25999 Standard advocates a 6 stage lifecycle incorporating:
- BCM programme management
- Understanding the organisation
- Determining the BCM strategy
- Developing and implementing BCM response
- Exercising, maintaining and reviewing
- Embedding BCM in the organisational culture.
BS 25999 recommends that in order to deliver effective and efficient BCM every organisation wraps its activities into a Programme Management function to ensure focus, management and maintenance. BCM Programme Management facilitates the establishment of the business continuity capability and its maintenance in a manner appropriate to the size and complexity of the organisation.
The ‘understanding the organisation’ activities (including the compulsory risk assessment) provide the information that enables an organisation to prioritise its products and services, and to identify the criticality of the activities required to deliver them. The outputs from these activities determine the selection of appropriate BCM strategies. Since BCM requirements should be based on actual business requirements, ‘understanding the organisation’ is arguably the most important activity to get right. Failure to identify the actual critical activities of an organisation can mean that the rest of the BCM Programme is based on inaccurate information, with the result that key processes fail to receive the priority required should a disruption occur. It can also mean that unnecessary costs are incurred by focussing on non-critical activities.
BCM strategy
Determining the BCM strategy enables a range of strategies to be evaluated thus allowing an appropriate response to be chosen for each product or service. The choice made will take account of the resilience and controls within the organisation and ensure an acceptable level of operation within an acceptable timeframe.
Developing and implementing a BCM response will deliver a management framework, and structures of incident (crisis) management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.
BCM exercising, maintenance, review and audit enable an organisation to demonstrate the extent to which its strategies and plans are complete, current and accurate, and to identify opportunities for improvement.
Embedding BCM in the organisation’s culture helps BCM to become an integral element of an organisation’s core values and gives confidence to stakeholders in the ability of the organisation to cope with disruptions. Within BS 25999 this stage is represented as embracing all of the other stages. With the publication of part 2 of BS 25999 in October 2007, organisations can now establish their BCM formally using an industry recognised Management System (BCMS).
Benefits of certification
BS 25999 certification is particularly suited to those organisations which operate in high risk environments where the continued availability of critical products or services is paramount. As such, BS 25999 is relevant to both public and private organisations, and to organisations of different sizes. Due to the interdependence and intricacies of so many supply chains, we are likely to see a domino effect in which organisations at the top of supply chains dictate certification to key suppliers, who in turn pass a similar requirement on to their own suppliers. For those organisations which provide services or products that are critical to their customers, early certification not only provides customer reassurance but can also provide competitive advantage.
Certification also creates an opportunity to reduce the burdens of internal and external audits and may lead to a reduction in insurance premiums.
Written by Mike Softley
msoftley@ultimariskmanagement.com
Mike is a Senior Consultant at Ultima Risk Management (URM). URM is one of the UK’s leading independent consultancies and training organisations specialising in information security and business continuity.
Lloyd's Register Quality Assurance • A member of the Lloyd's Register Group
