
Confident in a crisis - BS 25999: Business continuity management

12 October 2010

If the past few years of economic pain have taught us anything, it is to plan for the unexpected. Disasters can cause critical financial damage if practical contingency plans are not in place, and international ambitions add an extra layer of complexity. BS 25999 Business continuity management has been helping organizations to cope for the last four years.

One lesson must certainly be taken away from the fallout of the financial crisis - that no business is too large or successful to fail. The collapse of investment bank Lehman Brothers in autumn 2008 came as a severe shock, but it also serves as a strong warning for 21st-century business. In a world of rapidly maturing markets, globalization and multiple mutual dependencies, no business or government can afford to be complacent about its management.

Instead, the basics of business continuity and an understanding of an organization's risk profile now need to be at the very top of the agenda. Companies need to be asking difficult questions. How would the loss of critical assets, products or services affect business? How are external threats in the real world changing? And what evidence has been gathered to suggest emergency-response arrangements will actually work?

Business blow

In recent years, for example, we have had the very real possibility of a new global flu pandemic, while the eruption of an Icelandic volcano in April 2010 had a huge impact on a large number of businesses. The resulting cloud of ash meant that European airspace was shut down for up to 18 days in some countries, with some 100,000 European flights cancelled in six days alone.

The repercussions stretched far and wide, impacting business profitability and productivity across many sectors, from aviation and tourism to retail. Companies had a duty of care to assist their employees, but they also had to cope without core workers while they waited for them to make their long way home.

Business development was also disrupted as a result. "Meetings were cancelled, clients were not met, hands were not shaken, and deals were not made," said Michael W. McCormick, chief operating officer of the US-based National Business Travel Association (NBTA).[1]

And retail supply chains were ruptured as imports of everything from fruit to jewellery and manufacturing parts all but seized up. This problem was truly global, hitting the exporters even harder than the European shops and hotels to which they routinely send their produce. Christopher Snelling, head of global supply chain policy at the UK's Freight Transport Association, said that producers in Africa were especially badly impacted. "In some areas of the continent 90 per cent of fruit, flowers and vegetable exports to Europe are delivered by air," he explained.[2]

Ill prepared

The incident clearly demonstrated the importance of preparing for the worst and having a business continuity plan (BCP) in place. Risk was mitigated if, for example, employees could work effectively from other locations.

However, less than a year earlier business continuity capability had also been called into serious question when the World Health Organisation (WHO) declared an official global flu pandemic. Swine Flu (H1N1) was spreading in at least two regions of the world, and businesses were understandably concerned that they might need to cope without significant swathes of their workforce for weeks at a time. As with the ash cloud, this was also coming at a deeply uncertain time for the economy.

The UK's Business Continuity Institute (BCI) warned that the business world was poorly prepared. It estimated that under a third of UK organizations had a plan in place to deal with such absences, and called on organizations that did have a plan to review it. It explained that they might need to recruit temporary staff quickly, or even move premises entirely.

In the event, swine flu was far less catastrophic than it could have been, and the pandemic label has now been lifted.

However, last year the BCI also put a figure on the total cost of major disruptions owing to a lack of business continuity planning. It estimated that these incidents cost the UK economy approximately £11.1bn a year.[3] That's around 0.8 per cent of the country's GDP.

Standards response

BSI developed BS 25999 Business continuity management to help organizations plan for such business-threatening predicaments - protecting staff, preserving their reputations and allowing them to continue operating even if disaster strikes on their doorsteps. Launched in 2006, it was the world's first business continuity standard.

"BS 25999 does not differentiate between a crisis and an incident, instead focusing on the response," says Tim McGarr, BSI sector content manager for risk. "Intrinsic to BS 25999 is that the organization has the plans, processes and procedures in place prior to the incident, and regardless of scale, to ensure that the organization gets back to normal as soon as possible."

The standard sets out the fundamental principles and processes behind a reliable BCP - both the design and testing.

There are two parts: recommendations outlined in a Code of Practice, and a set of specific requirements to qualify as having a full business continuity management system (BCMS). An online self-assessment tool developed by BSI also helps organizations check their progress towards forming a BCMS, regularly assessing and reporting their BCPs as they stand and identifying possible improvements. Richard Taylor, BSI Group's global product manager for risk, says his organization has trained some 2,000 individuals worldwide on its BCMS-related courses to date.

In order to help organizations in the testing of a BCMS, BSI has also recently published PD 25666 Business continuity management - Guidance on exercising and testing for continuity and contingency programmes, authored by the same committee that is behind BS 25999.

Meanwhile, independent certification to BS 25999 can be a clear sign to potential clients or partners that a company is always looking and planning ahead. This can offer competitive advantage, especially when bidding for contracts. Purchasers of services will be more confident that those services can be resumed to an agreed level and within a certain timeframe.

An example is Vodafone UK's decision to seek certification of its 3G voice and mobile broadband networks in April 2009. All organizations rely on fluid communications to remain cost effective and competitive. Indeed, they are a crucial part of business continuity capability when confronted with a crisis. One of the first priorities in a BCP must be to trigger the appropriate chains of communication, alerting people to unfolding events and relaying the actions to be prioritized.

Vodafone UK was audited by BSI again in June 2010 and retained certification for both its 2G and 3G networks.

"More customers are asking for evidence of their partners' business continuity credentials," confirmed Vodafone UK's enterprise director, Peter Kelly. "BS 25999 certification sends a clear signal that we are going the extra mile to support our customers' needs."[4]

Airbus has also recently achieved certification to BS 25999 following a BSI audit for a site in North Wales. The manufacturer becomes the first aerospace business to demonstrate compliance with the standard, and this included the development of a data-management system to monitor BCPs in its supply chain. Head of facilities management, Dave Micklewright, said the certification showed its processes "take into account all aspects of the business, including people, premises, suppliers and assets".[5]

Meanwhile, in June 2010, BS 25999 was adopted as one of three standards by the US Department of Homeland Security (DHS), following a recommendation from the 9/11 Commission to improve private sector emergency response. The Commission had calculated that the private sector controlled as much as 85 per cent of all US critical infrastructure, making business continuity a clear priority. The DHS therefore launched the Voluntary Private Sector Preparedness Accreditation and Certification Program (or PS-Prep), which draws on BS 25999.

BSI estimates that well in excess of 100 certificates have now been issued in the market. BSI alone has issued certificates in over 14 countries and 10 vertical sectors.

"BS 25999 is one of the fastest-growing standards in BSI's history and a global success," Taylor says.

He explains that sectors showing especially high levels of interest include IT, telecoms, business process outsourcing, financial services, energy, and a "wide range of manufacturing and service sector organizations". In addition to Vodafone, notable international clients include IBM Taiwan, Accenture Services India, Satyam India, Fujitsu Japan and Citigroup.

BS 25999 has also proved popular in Korea, where both Industrial Bank of Korea (IBK) and Samsung Life Insurance (SLI) have achieved certification. The latter became the first insurance company to prove its best practice in this way when it decided to define and document the gap between its own BCMS and BS 25999. An audit and report from BSI Korea led to the creation of a "Corrective Action Plan", with many staff interviewed in a bid to identify key points of weakness in the existing BCMS. These were found to include inadequate interaction between different key departments and the need for a mechanism for reviewing suppliers' capabilities.[6]

Implementation of a new BCMS at IBK, meanwhile, involved analyzing more than 700 work processes, prioritizing critical actions, establishing target recovery times and drawing together a policy manual with training documents for each department. The bank was awarded certification to the standard in March 2008.

Putting people first

The standard is equally relevant to the work of the public sector. The UK Civil Contingencies Act 2004 obliges UK local authorities to build BCPs in any case, but in 2009 West Sussex County Council became the first to achieve certification to BS 25999. It also undertook BSI Training's Internal Auditor Course to become capable of conducting its own self-assessment. Peter Evans, County Council Member for Public Protection, said it showed the council was "determined to safeguard citizens and services during any kind of emergency".

King's College Hospital NHS Foundation Trust, meanwhile, is in the business of actually saving lives itself. Its Emergency Department saw 124,638 people pass through its doors in 2009, an average of 340 patients every day. Certification to BS 25999 has allowed the hospital to prioritize resources under extreme pressure.

"As a result of implementing the management system our business continuity plans are far more accessible," says Lynne Watkins, joint divisional head of nursing. "There are fewer words, but far greater clarity and accuracy as to who should do what, broadly how and when.

"Another key outcome of the implementation has been the acquisition of more battery-operated equipment to allow the treatment of critically-ill patients in the event of lost infrastructure."

Business buy in

Many organizations still have work to do to ensure business continuity is treated as seriously as this clearly suggests it should be. In a recent survey conducted by BSI, for example, McGarr says the main challenge mentioned by respondents (42 per cent) was "getting senior management buy in" for the concept.

"In practical terms the main issue that organizations face is the same as with many initiatives - getting the right level of support throughout the process," he explains.

"Although business continuity has been a common business term for well over a decade, many of those who are newly responsible for it have not encountered the full scope of the topic or the standards before."

Issues such as these certainly need to be addressed urgently. Business continuity not only protects individuals and profits; in the worst crisis scenarios - financial shocks or natural disasters - it may be part of what keeps the whole world working.

[1] http://www2.nbta.org/usa/pressreleases/Pages/rls042110.aspx

[2] http://www.fta.co.uk/news/item/business-on-hold-as-ash-cloud-casts-its-shadow

[3] http://www.continuitycentral.com/news04470.html

[4] http://www.bsigroup.com/en/About-BSI/News-Room/BSI-News-Content/Disciplines/Business-Continuity/Vodafone-UK-maintains-global-leadership-in-Business-Continuity-Management-of-2G-and-3G-networks/

[5] http://www.bsigroup.com/en/About-BSI/News-Room/BSI-News-Content/Disciplines/Business-Continuity/Airbus-in-the-UK-is-first-aerospace-company-to-gain-BS-25999-Business-Continuity-Management-certification-from-BSI/

[6] http://www.bsigroup.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/Case-studies/
