proSECURIZINE Special Features

BS 25999 may have Little Impact on Business

The recent announcement of the BS 25999-1 (code of practice) comes after a number of high profile incidents around the world have raised awareness of what can go wrong. In addition, regulatory, environmental and organisational drivers have all underlined the case for a standard for Business Continuity Management (BCM). There are high expectations for this standard and its potential to support businesses in their business continuity planning. However, a standards driven approach (BS 25999) to business continuity planning will have little impact on business resilience unless it becomes embedded in business practices.

The published code of practice (BS 25999-1) and the anticipated publication of the requirements specification (BS 25999-2) later this year are to be welcomed. However, their implementation raises a number of challenges and questions, including the following:

• The application of the standard needs to build in flexibility, rather than force adherence to a rigid structure. It is important that currency of data, resources and expertise can be maintained in a changing environment.
• It is questionable whether the standard is applicable to all businesses, particularly for those classified as micro businesses (1-9 employees). For these cases, the standard may be seen as too complex and burdensome.
• Implementing the standard will not necessarily result in a more resilient business, if implementation is based on a prescriptive or 'tick box' mentality.
• There is a danger that business continuity will become seen as a project and therefore not necessarily linked to management disciplines, systems and procedures.

The implementation of BS 25999 is only the first stage in an evolutionary process. George Hall, Director of Jermyn Consulting, said: 'Business continuity should not be seen as a project, or a specialist activity dealt with solely by consultants. Rather, it should be embedded within the business so that everyone within the business carries out business continuity, as part of their day-to-day activities. These challenges need to be addressed to ensure that standards implementation makes a difference and does not become a paper exercise.'

Considerable momentum has been gathering behind the need for a standard for business continuity management. A number of high profile incidents around the world have raised awareness of what can go wrong, elevating the profile and importance of business continuity as part of corporate governance and social responsibility. However, few organisations can claim to be prepared for the worst: a recent survey from the Chartered Management Institute (CMI Report) identified that only 48% of organisations have a business continuity plan covering critical activities.

A business continuity standard should provide guidance to organisations and help to build resilience. It also needs to provide a route for organisations to respond to a number of additional pressures, such as environmental, regulatory, organisational and supply chain drivers. The absence of a recognised standard is viewed as a significant contributor to the low proportion of organisations with business continuity plans in place.

The introduction of a standard provides an opportunity for many organisations to approach business continuity from a different angle. After all, how many organisations that now claim ISO 14001 certification would have embarked on proactive environmental management if the only knowledge they had of the issues was Greenpeace leafleting?

With the support of the BSI, the new British Standard will bring a pervasive approach to BCM. This will enable organisations currently practising BCM, and those yet to embark on a programme, to generate benefit.

Regulatory bodies such as the Financial Services Authority (FSA) ensure that organisations within their remit have business continuity management in place by requiring that regulated firms '... should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.'

In other countries, such as Australia, the FSA's counterpart has taken a more structured approach by providing rules for compliance through APS 232. This approach removes the potential for an apathetic response to compliance.

A regulator can insist that organisations comply with its rules, but this does not always achieve the desired result. There are two general outcomes from organisations under its remit:

• Best practice adoption - Organisations accept that the regulator is best placed to create rules and seek full compliance.
• Shortest route compliance - Organisations review the information, identify the shortest route to compliance and take it, even if this does not represent the best long-term option for the business.

A similar position exists for organisations that are subject to the business continuity requirements of the Civil Contingencies Act 2004 (CCA). Whilst the documentation accompanying this Act provides high-level advice on the processes involved, little is provided in terms of a road map to follow. Jermyn Consulting's discussions with a number of responders who are subject to the CCA suggest that clarity is still required if compliance is also to bring about a resilient organisation.

It is not evident at this stage whether the standard will meet the challenge of compliance with the Act, but it will at least allow an organisation to benchmark its capability against an accepted baseline.

Absolute compliance with a standard will often only occur for legal reasons and if the regulators insist upon it. Interestingly, in the recent CMI Report, 20% of respondents in the regulated financial sector admitted to not having a business continuity plan.

There are, however, many 'softer' organisational drivers that can influence the adoption of standards. Many of these can be classified as market driven, in that they improve the external perception of the company, such as the adoption of best practice or the implementation of a quality standard. For instance, both HBoS and Scottish Power have recently stated that they will seek BS 25999 certification for reasons of differentiation and competitiveness.

Although the business continuity standard is very different, in that it relates to business critical management processes and capabilities in a dynamic organisation, it is still influenced by external perceptions. The market's view of BS 25999 will therefore provide a key influence on establishing it as a 'must have' standard.

Supply chains are also a key driver for compliance. Many large organisations demand that their smaller partners achieve certain standards, which align with their policies and ethics. There can be no more important question to ask key suppliers than - 'How will you ensure that you will still be able to provide your products / services to me following a disaster?'

Over time, we will inevitably see the standard being driven down the supply chain as a pre-contract qualification. Organisations that can claim certification will have a competitive advantage in this market, over those that have not achieved it.

The existing code of practice (BS 25999-1) and the soon to be released requirements specification (BS 25999-2) provide a good starting point for business continuity planning.

However, they are challenged by a business environment that is constantly evolving and where rapid change can produce large gains or losses for any organisation. The key issue for the business continuity manager is to maintain the currency of data, resources and expertise when change occurs - and to ensure that the organisation retains its resilient status.

The addition of standards compliance complicates the issue further. If the standard is applied appropriately, and compliance can be gained where the organisation needs it, the business continuity manager has a valuable tool at his or her disposal. However, if compliance can only be achieved by rigid adherence to a structure, a different set of challenges emerge for day-to-day operations.

Still, it is questionable whether it is possible to gain full compliance with a single business continuity standard across the full spectrum of organisations. Also, standards do not necessarily deliver business continuity capability. A negative aspect of standards is the inevitable rash of organisations and consultants who will find a shortcut to compliance in order to gain competitive advantage. The outcome could be deeply embarrassing for all concerned if a BS 25999 certified business fails to recover following a disaster because its certification was merely a paper exercise.

A standard should provide a positive benefit to business continuity. However, only by embedding the standard in the ethos, management disciplines and procedures of an organisation will the 'paradigm shift' be generated that makes a noticeable difference in approach.

Given the elevated nature of risk in our environment and workplaces, and the inherent riskiness of certain locations (e.g. the City of London) and industries (petro-chemical), crisis management and business continuity need to be seen as a core management skill. Individual managers and staff need the skills and expertise to manage business interruptions - it can't be left entirely to specialists or paper plans.

The transition from a project driven approach to one that embeds business continuity planning requires 'enablers' that the application of standards alone will not deliver. The move towards a standard for business continuity is just the starting point in ensuring that businesses have a viable approach.

What is also required to ensure business continuity becomes embedded within the organisation is:

• A corporate policy on business continuity that is built into systems and procedures.
• Ownership of business continuity at board level and every level of management.
• Setting of annual objectives with specific ownership for each objective and associated budget.
• Training on how to achieve business continuity objectives.
• Independent oversight and control (e.g. through the internal audit function).
• An understanding of the commercial drivers for business continuity.
