BS 25999 will have little impact on business resilience unless it becomes embedded in business practices
(22/05/2007)
The recent announcement of the BS 25999-1 (code of practice) comes after a number of high profile incidents around the world have raised awareness of what can go wrong. In addition, regulatory, environmental and organisational drivers have all underlined the case for a standard for Business Continuity Management (BCM). There are high expectations for this standard and its potential to support businesses in their business continuity planning. However, a standards driven approach (BS 25999) to business continuity planning will have little impact on business resilience unless it becomes embedded in business practices.
The published code of practice (BS 25999-1) and the anticipated publication of the requirements specification (BS 25999-2) later this year are to be welcomed. However, implementation raises a number of challenges and questions, including the following:
• The application of the standard needs to build in flexibility, rather than force adherence to a rigid structure. It is important that currency of data, resources and expertise can be maintained in a changing environment.
• It is questionable whether the standard is applicable to all businesses, particularly for those classified as micro businesses (1-9 employees). For these cases, the standard may be seen as too complex and burdensome.
• Implementing the standard will not necessarily result in a more resilient business, if implementation is based on a prescriptive or “tick box” mentality.
• There is a danger that business continuity will become seen as a project and therefore not necessarily linked to management disciplines, systems and procedures.
The implementation of BS 25999 is only the first stage in an evolutionary process. George Hall, Director of Jermyn Consulting, said: “Business continuity should not be seen as a project, or a specialist activity dealt with solely by consultants. Rather, it should be embedded within the business so that everyone within the business carries out business continuity, as part of their day-to-day activities. These challenges need to be addressed to ensure that standards implementation makes a difference and does not become a paper exercise.”
Considerable momentum has been gathering behind the need for a standard for business continuity management. A number of high profile incidents around the world have raised awareness of what can go wrong, elevating the profile and importance of business continuity as part of corporate governance and social responsibility. However, few organisations can claim to be prepared for the worst, with a recent survey from the Chartered Management Institute (CMI Report) identifying that only 48% of organisations have a business continuity plan covering critical activities.
A business continuity standard should provide guidance to organisations and help to build resilience. It also needs to provide a route for organisations to respond to a number of additional pressures, such as environmental, regulatory, organisational and supply chain drivers. The absence of a recognised standard is viewed as a significant contributor to the low proportion of organisations with business continuity plans in place.
The introduction of a standard provides an opportunity for many organisations to approach business continuity from a different angle. After all, how many organisations that now claim ISO 14001 certification, would have embarked on proactive environmental management, if the only knowledge they had of the issues was Greenpeace leafleting? With the support of the BSI, the new British Standard will bring a pervasive approach to BCM. This will enable organisations currently practising and those yet to embark on a programme, to generate benefit.
Regulatory bodies such as the Financial Services Authority (FSA) ensure that organisations within their remit have business continuity management in place by requiring that regulated firms “... should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.”
In other countries, such as Australia, the FSA’s counterpart has taken a more structured approach, by providing rules for compliance through APS 232. This approach removes the potential for an apathetic response to compliance.
A regulator can insist that organisations comply with their rules, but this does not always achieve the desired result. There are two general outcomes from organisations under their remit:
• Best practice adoption – Organisations accept that the regulator is best placed to create rules and seek full compliance.
• Shortest route compliance – Organisations review the information, identify the shortest route to compliance and take it, even if this does not represent the best long-term option for the business.
A similar position exists for organisations that are subject to the business continuity requirements of the Civil Contingencies Act 2004 (CCA). Whilst the documentation accompanying this Act provides high-level advice on the processes involved, little is provided in terms of a road map to follow. Jermyn Consulting’s discussions with a number of responders who are subject to the CCA suggest that clarity is still required if compliance is also to bring about a resilient organisation.
It is not evident at this stage whether the standard will meet the challenge of compliance with the Act, but it will at least allow an organisation to benchmark its capability against an accepted baseline.
Absolute compliance with a standard will often only occur for legal reasons and if the regulators insist upon it. Interestingly, in the recent CMI Report, 20% of respondents in the regulated financial sector admitted to not having a business continuity plan.
There are, however, many ‘softer’ organisational drivers that can influence the adoption of standards. Many of these can be classified as market driven, in that they improve the external perception of the company, such as adopting best practice or implementing a quality standard. For instance, both HBoS and Scottish Power have recently stated that they will seek BS 25999 certification for reasons of differentiation and competitiveness.
Although the business continuity standard is very different, in that it relates to business critical management processes and capabilities in a dynamic organisation, it is still influenced by external perceptions. The market’s view of BS 25999 will therefore provide a key influence on establishing it as a ‘must have’ standard.
Supply chains are also a key driver for compliance. Many large organisations demand that their smaller partners achieve certain standards which align with their policies and ethics. There can be no more important question to ask key suppliers than: “How will you ensure that you will still be able to provide your products / services to me following a disaster?”
Over time, we will inevitably see the standard being driven down the supply chain as a pre-contract qualification. Organisations that can claim certification will have a competitive advantage in this market, over those that have not achieved it.
The existing code of practice (BS 25999-1) and the soon to be released requirements specification (BS 25999-2) provide a good starting point for business continuity planning. However, they are challenged by a business environment that is constantly evolving and where rapid change can produce large gains or losses for any organisation. The key issue for the business contin