Overview

Organisational resilience or the ability to plan for, withstand, manage and recover from the impact of a potential disruption to service/product delivery is critical for effective ongoing operations, contractual obligations and brand reputation.

This article focuses on how organisations can become more resilient by implementing a Business Continuity Management System (BCMS) This involves using a systematic approach to identifying potential organisational threats and related impacts in order to develop the framework for increased resilience in line with the organisation’s environment and risk appetite.

To provide structure and aid implementation in this, a relatively new standard, BS 25999, was published at the end of 2007 with the aim of providing a good practice framework for business continuity management.

The following sections of this article explains key features of business continuity (BC) as seen from the organisation’s point-of-view, including the difficulty of determining the scope, issues regarding implementing key requirements of the standard’s core requirements, and hot-tips for effectiveness and integration into the existing management system. There is also a section on certification, which is intended to be read in conjunction with the associated LRQA viewpoint article.

This article has been written by Mike McDonald, an independent management system Consultant and Trainer specialising in business continuity. Mike is also a CQI Principal Examiner, and helps manage an IT company where his duties include strategic management and business continuity. Previously he spent 15 years working overseas in Engineering and was Managing Director for an international management consultancy group.

Next | Last

Business continuity - Why bother?

Despite all the amazing advances in knowledge, technology and management thinking in recent years, organisations seem more exposed to disruption than ever. Whilst the headline-grabbing incidents: whether natural, man-made or accidental, have raised general awareness on this issue; there are several others influences, including some that originate within the organisation itself:

• Heightened business risk due to the outsourcing of key processes
• Increased dependence on the supply-chain, with goods being shipped in from other countries through increasingly concentrated transportation hubs
• Heightened instability caused by the current economic downturn
• Continued evolution of IT solution-based business processes such as the move to cloud-computing
• Greater focus on communications based around mobile phones, email and the internet
• A trend for critical corporate knowledge to reside with fewer individuals
• Increased desire to preserve intangible assets such as an organisation’s brand image and reputation

Accordingly, pressures to make the organisation more robust may come from several sources:

• Within the organisation itself, such as from top management
• Greater Corporate Governance requirements from regulators and stakeholders
• Increasing assurance requirements from customers often demanded right at the start of the tender invitation process
• A legal requirement (such as those effected by the Civil Contingencies Act 2004)
• Insurers, who may have such requirements before cover is granted (and even then not all risks, such as denial-of building access are automatically covered)
  

One of the key issues when embarking on a journey to increased resilience is to decide which parts of the organisation to focus on, which I look at in the next section.

First | Previous | Next | Last

Scope is everything

All management systems need a clearly-defined scope but defining it for business continuity (BC) can be quite difficult. While defining your organisation’s key products and services is fairly simple; to fully understand what activities support these, and then the related dependencies (which may well include suppliers and outsourced activities) may be a little harder.

Further, it can take time to identify, clarify and reach consensus. For example, a haulage depot may rely on the Human Resources function at its head office for personnel management and several main agencies for the actual provision of competent relief drivers if there is a need to draft in additional staff, in the event of an incident.

An added complication is the need to align the scope to the overarching organisation’s strategies and it is difficult to define it without this knowledge. nfortunately, for many larger organisations (and some smaller ones), those directly involved in the development of the business continuity management system (BCMS) may not be aware of their own organisation’s current business plans. Further, such plans may well contain confidential information, such as the intention to close a particular location, off-shore part of the process, or merge with a competitor etc.

The same difficulty is ever-present when the BCMS becomes ‘live’ For example, an organisation making products that depend on critical components bought in from a certain supplier may have initially selected a supplier with robust continuity plans, resulting in the BCM development team having confidence that this risk was under-control. Later however, due to cost pressure brought about by subsequent currency fluctuations, the procurement function switched to using another supplier, which had much less robust plans in place. Of course in any organisation such changes do happen, often in a discrete way; so it is absolutely vital that BCM is organisational-wide, involves top-management and is an ongoing activity.

Having said that, the scope also needs to capture those aspects of the organisation that supports its objectives, its obligations to stakeholders as well as its legal requirements. So for example, an engineering support business may have a contractual obligation to deliver on-site support within a certain response time – but cannot break the law in order to achieve that!

First | Previous | Next | Last

BS25999 core components

In line with other management standards, a Plan-Do-Check-Act approach is used for BS 25999’s structure, based around the BCM lifecycle, as follows:

i. Programme management

This drives and pulls the whole thing together, providing the over-arching approach to the BCMS development and implementation.

If your organisation already has a formal management system (and maybe certified to a standard such as ISO 9001), a practical approach in planning for integration right from the start is to use existing documentation and change controls. Various types will need to be developed, such as:

• The policy document
• The Business Impact Assessment
• Various risk assessments and accompanying strategies/options
• Various plans
• Test, exercise and audit documentations
• Lessons learned, corrective action etc.
• Other records such as management review

ii. Understanding your organisation    

Once it is clear what is strategically important to your organisation, you can figure out what activities are critical to the provision of your key products/services. And importantly, the subsequent effects if they cannot be provided. This analytical step is referred to as the Business Impact Analysis (BIA). It includes the determination for how long you can accept being without each activity, and the restoration levels and times that will be required to bring you back to normal operations in an acceptable manner whilst preserving organisational obligations as much as practicable.

From this, an appropriate Risk Assessment can be conducted, which may throw up risk hotspots within the system. If you do not already have a risk management framework in place, refer to ISO 31000:2009 Risk Management: Principles and Guidelines. While there is considerable debate about the subject of risk - including its definition - this is a useful starting point.

To be meaningful, this stage needs to be done in a structured approach and a collaborative manner and so can take time.

iii. Determining Business Continuity strategy

Once the risks have been defined, the actual options determined are very process-dependent and need top management buy-in. For example, a manufacturing operation might decide that holding a month’s buffer stock of both key incoming components and finished products is the right short-term decision (despite it having an adverse impact on storage space and working capital); supplemented by a longer-term desire to move to a duel-sourcing policy.

Selected strategies need harmonising to ensure minimal resource conflict. For example, if an office building is out-of-action (say due to a roof-top water tank flood) and personnel are relocating to an alternative site, there might be a need for key IT staff to support the restart at the second site. This in turn could conflict with their need to stay at the original office to repair the damage to the IT systems. So since they cannot be in two places at once, this needs to be agreed and priorities decided in advance.

It is important that such issues are clear and signed-off in advance by top management. This is both to ensure their buy-in, but also to avoid internal conflict and added confusion arising should an incident actually occur. Resource conflicts and clashes are often the result of departmental recovery plans being drawn up in isolation.

iv. Developing BCM response

This is the ‘visible part’ of your BCMS as it comprises the various plans for incident management, operational resumption, continuity etc. In a small organisation these may well fit into one compact folder, whereas for a larger, more complex business such as a multi-site operation – these plans might be in several locations – each customised with the relevant local information (such as site plans, contact details, etc.). Whichever structure is selected, the key points are to keep them:

• as simple as possible, so they be used effectively when people are under stress
• flexible, so they can be referred to but adapted as necessary
• up-to-date, so they are always pertinent
• action-oriented, to avoid cluttering them with the planning stuff such as BIA’s, risk assessments, etc.
• Modular, so key sections can be easily found

As well as being paper-based, it might be useful to replicate part of the plans on the internet. So for example, a back-up copy of current work activity, customer/staff contact details, recovery procedures etc. could be stored on a separate website with relevant staff given password access. This also makes maintaining the live information much easier, but commercial confidence and data security safeguards need to be adequate.

Thirdly, most organisations may need some physical items to either manage an incident or recovery. This varies, but could include items such as:

• Company cheque book; to pay suppliers, staff, etc. if systems are down
• Keys to alternative sites/back-up premises
• Stand-by PAYG mobile phones, to be issued to the Incident Management Team for undisturbed communications
• An encrypted hard-drive, containing critical organisational data that may be needed
• Copies of insurance certificates

These items, together with (current) copies of the various plans, can be placed into a secure ‘grab-bag’ which is either in the possession of a duty-officer, kept in a senior manager’s office or securely in a reception lobby; with the intention that this is the last thing that is grabbed as a building is evacuated. Of course, in a denial-of-access situation if it is not possible to get into the building (such as an incident occurring at night-time) the bag may not be accessible; therefore, consideration may be given to holding a separate one at a Director’s home, or at an alternative site.

v. Exercising, maintaining and reviewing BCM arrangements

The very fact that plans are being rehearsed and systems tested, builds on the basic employee awareness programmes and allows them to become familiar by practice, so helping to validate this part of the BCMS.

There are several approaches and methods depending on what is trying to be achieved. A newly-developed BCMS might exercise at the simplest level, by conducting a desk-top check which is useful to test the logic and flow of the early version of the plans. This might be then supported by the addition of specific drills to test a specific component, eg, testing to see if:

• the bandwidth of the remote access point can cope with the anticipated traffic
• a server can be rebuilt, configured and reloaded within the allotted time
• the mobile/home numbers on the employee call list are still valid, etc.

Simulations may be conducted where realistic but more complex scenarios are devised to give the participants experience of the situation in a safe setting, thus gaining valuable insight into whether the process would actually work. For example, staying in a meeting room but working through a scenario that replicates a real situation, such as pretending the office is physically inaccessible for a time.

Live exercises take this to the highest level of complexity and realism, by including the physical aspect in the exercise; e.g. actually declaring the office is ‘out-of-bounds’ and practicing relocating to a sister office at another location.

Despite these latter examples feeling almost ‘real’ to the participants, the potential of actual business disruption clearly increases dramatically. Care must be taken that the exercise itself does not cause an adverse reaction, or even trigger a real incident, and so outweigh the benefits gained.

As your organisation and the landscape it operates within changes, the BCMS must reflect and capture this. Accordingly, the exercises designed should be reviewed to ensure they are current and valid. A ‘tick-box’ approach as sometimes seen with immature quality management systems is definitely of no use here.

Consideration may be given to include the organisation’s partners in appropriate exercises, especially of course when they contribute directly to its critical product/services such as main contractors, key suppliers etc.

Supporting these plan-based exercises will be a programme of internal audits which will cover aspects of the BCMS that the exercising cannot. This includes the maintenance of your BIA/RA’s, robustness of the employee awareness programme, corrective/preventive action and lessons learnt, the management review process and so forth.

This is the ideal opportunity to review issues such as current BIA assumptions, risk appetite, resource availability, document and record control etc.

It is pragmatic to utilise any existing internal audit activity by extending the scope, allowing more time and providing appropriate BC cross-training to the audit team.

vi. Embedding

As the implementation stage draws to a close and is superseded by the on-going maintenance phase, methods need to be developed to ensure the progress made so far does not die off and activity left with a single individual. This can be aided by devising a suitable reporting method, such as reporting effectiveness on an approach/deployment maturity model. Regular BC awareness reviews can be included in annual Training Needs Analysis (TNA) studies. Relevant articles in internal magazines and on the intranet are invaluable, focussing on the positive news, such as lessons learned or improvements made as a result of exercises (or real incidents!). An excellent method of raising awareness is by involving as many staff as possible in the exercises; not necessarily en-masse (such as in an office evacuation test) but in small groups on lower profile exercises.

Management are often the biggest hurdle at this phase, as during normal working life it can be hard to see the link to the bottom line or operational efficiency. Further, once plans are written, there is great temptation to assume that all is OK and move onto the next project!

First | Previous | Next | Last

Integration

Once the new BCMS has stabilised, integration is a valuable step. This is to avoid it being seen as something extra and make the existing management system more robust.

There are numerous opportunities for alignment and, with care duplication can be avoided so saving considerable effort and time in the areas of:

• Document control – by changing the revision status of plans after each test
• Role and responsibility/job description statements – by adding to them
• Policy/objective setting and deployment – by aligning and following
• Impact analysis (by using existing QMS process maps as a starting point)
• Risk assessments (by using the same risk definitions, templates and mitigation strategies)
• Plans – by using existing template formats
• Exercising and testing – by building into the internal audit systems
• Lessons learnt – by inputting into the corrective action process
• Management review – by including in the existing ones

First | Previous | Next | Last

Hot tips

Some ideas to help make it more effective and get you started:

• Keep the scope narrow at first; perhaps even to one (key) customer, location or product. This focuses attention and once this ‘pilot run’ is proven, the scope can be expanded in phases
• Run the development stage with project management techniques until it has bedded-in and can be fully integrated
• BIA’s can be a nightmare to get started – use existing QMS process maps as a starting point
• Although it is the major disasters than grab the headlines, it is the more mundane issues that cause most continuity issues
• The closer the BC strategies are to normal operations, the more likely they are to be accepted and implemented
• Resource conflicts are very likely when priorities are being determined, so performing this around budget-preparation time can highlight the issue quickly straight to top management
• When many plans are being developed, alignment is just as vital as individual plan content
• A well thought-out plan structure makes future updating simple and not a chore
• Utilise the existing internal audit resource to lead the plan testing and exercising
• Devise a smart way of reporting BC deployment, by aligning to top management needs

First | Previous | Next | Last

Certification

If the decision to go for BS 25999 certification is already determined (whether by customer pressure or top management determination) the most logical approach is to conduct an initial gap-analysis. This can either be carried out by a certification body – such as LRQA – or by a consultant. This then forms an input into a scoped-out project plan with all gaps fully addressed, and is advisable if business continuity knowledge is limited within the organisation or if ‘fresh eyes’ are needed.

Certification is conducted in a two stage process:

• Stage 1 looks for evidence of the BCMS existence, by interviewing top level management, as well as those involved in the impact analysis and risk assessment, plan owners, incident plan and recovery team members etc. Essentially, this is reviewing your organisation’s approach to BCM and whether the main components are satisfactory.
• Stage 2 looks for evidence that the BCMS is operating, looking for evidence that plans are being exercised and whether appropriate lessons are being learnt, corrective action is being taken and whether the BCMS is embedding as expected.

However, once certification is achieved, great care must be taken to ensure the ‘living documents’ continue to stay live! With documents related to daily operating processes, it is fairly easy to see when the two drift apart; but the majority of the BC documentation does not relate to normal operations and so can quickly get neglected:

• Processes get modified, new ones introduced, new products get launched, contracts get modified – do all the changes get captured in updated impact analyses and risk assessments?
• Organisational risk can vary depending on outside influences – does this align with internal risk assessments?
• Details within plans, such as telephone contact lists, may change regularly and it doesn’t take much unaccounted-for change to make such a plan pretty useless

The ongoing exercise programme needs clever design to ensure it covers all such matters.

Many organisations who are thinking about certification of their BCMS usually already have a mature management system in place certified to a standard such as ISO 9001:2008. LRQA offers a transition programme for such situations called PRiSM (Progressive Route into Systems Management) which allows the additional of certification to BS25999 onto such existing management systems; simplifying the process and making best use of existing internal management processes such as management review, documentation management, internal auditing, corrective/preventive action etc.

First | Previous | Next | Last

Future developments

Work is already underway on the development of the next step in the evolution of this rapidly-moving aspect of management and an international standard, “ISO 22301 Societal security - Preparedness and continuity management systems (PCMS)” is due for 2011 release.

Whilst BS 25999 will form a major input into this new ISO standard, its title reveals the wider scope that it will cover and its relationship to an existing complementary standard, ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management.

First | Previous | Next | Last