24 November 2010
We are living in dangerous and disruptive times. In only the last few months we've had mudslides in Jamaica, Guatemala, Mexico and Madeira, flooding in Pakistan, Brazil and central Europe, and major earthquakes in China, Chile and Haiti.
Earlier, in April 2010, an Icelandic volcano erupted and severely impacted airlines flying over Europe for weeks on end. The International Air Travel Association (IATA) estimated that, at its worst, this incident affected up to 1.2 million passengers a day and cost airlines US$1.7bn in the first six days alone. "The scale of the crisis eclipsed 9/11 when US airspace was closed for three days," said the organization's CEO, Giovanni Bisignani.[1]
More recently, the discovery of two bombs being carried on aircraft bound for the US, but intercepted in the UK and Dubai, is a chilling reminder of the persistent threat posed by terrorism. The UK's terrorist threat level was raised from "substantial" to "severe" in 2010, and cross-border efforts to contain the risk of attacks effectively continue to require the investment of substantial resources. For example, U.S. Customs and Border Protection's strategic plan to 2014 shows that it more than doubled the number of agents employed in the last decade - from around 9,000 in 2001 to an estimated 18,300 by the beginning of 2009.[2]
Other non-natural (or man-made) disasters potentially include civil unrest, war, organized crime and major engineering failures. All can both cost lives and severely damage business in the affected regions. For example, the tragic explosion at BP's Deepwater Horizon Rig in the Gulf of Mexico in April 2010 killed 11 of the 126 employees in the crew. To the end of September the cost of BP responding to the resulting oil spill had reached US$11.2bn, including the emergency drilling efforts, grants to the affected Gulf states and legal claims already paid.
Although it is usually only these bigger events that preoccupy the media, in truth disasters are also happening much more frequently. In 2007 The Global Platform for Disaster Risk Reduction reported [3] that the total number of natural disasters worldwide is now averaging 400-500 a year, up from an average of 125 in the early 1980s. Over the past two decades, the number of people affected by natural disasters has increased from an average of 174 to 254 million people a year.
Putting plans in place
Governments globally are understandably concerned with these human and economic costs, and consequently with robust disaster planning and 'preparedness'. Indeed 168 nations have signed up to an ambitious programme to reduce disaster risk globally called the Hyogo Framework for Action [4]. In tandem, several developed-country governments are also recognizing that the private sector has a large part to play.
In Japan for instance, companies are being prompted to prepare appropriate business-continuity planning which takes their supply chains into account. The Korean government has passed a 'Law of Enterprise Action for Disaster Reduction', and in China the government has produced guidance on how to develop emergency plans.
In the US, meanwhile, the Department of Homeland Security (DHS) has selected the internationally renowned BSI standard BS 25999 Business continuity management as one of only three standards for use in its new "Voluntary Private Sector Preparedness Accreditation and Certification Program" (PS-Prep). Following the tragic events of 11th September 2001, this landmark initiative has been devised to drive business continuity awareness and competency in companies right across the nation.[5]
BS 25999, the world's first business continuity management standard, enables any organization to effectively mitigate the risk posed by potential disaster scenarios. It is particularly relevant for organizations which operate in high risk environments such as telecommunications, transport, finance, health and the public sector, where the ability to continue operating is paramount for the organization itself, its customers and stakeholders, and the public. The standard provides a framework for managing business continuity and covers the identification of key risks, developing a plan for recovery, and rehearsing the plan in order to restore essential services with minimal downtime.
The 9/11 Commission Report highlighted that some 85 per cent of the US's "critical infrastructure" was actually in the hands of the private sector to protect. The US Congress therefore directed the DHS to designate one or more standards to which companies could seek certification for their business continuity planning and emergency management, and the two-part BS 25999 was one of those chosen. Prior to the PS-Prep program there was no comprehensive set of standards through which American businesses could assess their preparedness and develop a response plan in the event of a major hazard.
In the case of BS 25999, independent certification to the standard will effectively demonstrate to customers, regulators and other stakeholders that a business has a full and functioning business continuity management system (BCMS). It sets out the requirements for developing, maintaining and testing that system regularly - providing the ability to continue to operate if business is badly disrupted. For example, the system will require a thorough and ongoing method of assessing emerging risks, a consideration of emergency communication channels, and contingency planning in case a building becomes inaccessible. Businesses may have to move locations at very short notice, or direct their employees to work from home and monitor those arrangements. They may also need to recruit additional employees if a large part of the workforce is absent at any one time, or invest in extra training.
A business impact analysis (BIA) pinpoints and prioritizes the things that most matter. So the loss of a key supplier may not be critical if you have identified a number of alternative suppliers. However, if you only have one supplier that makes a specific product no other does, do you have adequate stock to carry you through the shortfall?
"Our internationally recognized standard, BS 25999, provides the business resilience and consumer confidence essential to rapidly overcome any unplanned interruption of commercial operations," said BSI CEO Howard Kerr.
Preparedness in practice
Meanwhile, global private equity company Altius Associates is just one to have seen the direct benefits of certification to BS 25999 with BSI. Following the completion of a "Business Impact Analysis" and the design of a business continuity plan (BCP), the firm found its ability to respond to natural disasters was tested twice in quick succession.
First the heavy snowfall, and then Iceland's volcanic eruption, in early 2010 led to many employees being stranded in cities around the world for weeks.
"Thanks to our business continuity plan, we had an IT infrastructure in place which allowed those members of staff to work as if they were still in the office," explains Adam Heaysman, partner and head of client services.
Then, when a flood later completely cut off all power to the London office, the firm was able to switch the servicing of all its clients to its office in Richmond in the US.
Heaysman adds that the major challenge for Altius in building a BCM system "was demonstrating that we had a fully functioning and integrated management system in place and not just a plan". One element of this was designing a new training programme to ensure the system was clear to all parts of the business.
Another business to achieve recent certification with BSI is European data centre service provider Interxion, operating 28 data centres in 11 countries. "My view is that certification to BS 25999 is becoming a must-have," says John Shannon, ISO program manager at Interxion. "By having BS 25999 we can demonstrate that we have dedicated the time and the resource to putting the necessary requirements in place and reassure our customers that we are delivering the highest level of business continuity."
For example, Shannon says that certification allows the company to back up strict service level agreements with customers which are designed to enable business continuity in their own mission-critical applications.
Moreover, because the company had already implemented ISO/IEC 27001 Information security management system, some of the BCM structure was already in place, which simplified the process.
"Business continuity is already part of 27001," notes lead assessor Aart Bitter. "They only had to be sure that they also fulfilled all the formal requirements of BS 25999 in relation to their BCMS."
Public service
In the UK, meanwhile, the Civil Contingencies Act 2004 requires frontline services to maintain internal BCM arrangements, and local authorities are also required to promote BCM to business and voluntary organizations in their communities. The UK Government is advocating that local authorities align themselves to a minimum standard, and has suggested BS 25999 as a good indicator of best practice.
"To be honest with you, it's a vital tool in the armoury of any modern organization to have it in place," says Kevin Smith, Surrey County Council's business continuity manager.
Surrey's planning starts with a hazard assessment: for instance, a reservoir that might flood, or an area where trees have been uprooted and a mudslide might occur. Next comes a risk assessment, which measures likelihood against impact. The Council knows, for instance, that the probability of localized flooding has risen. It assesses where flooding is likely to occur, and the likely impacts on the local population.
Following this business impact assessment, the Council then draws up incident-management plans (emergency plans). These can either be tailored to a specific hazard, or generic, to cover an overall incident response. For example, in order to deal with extreme winter weather at the beginning of 2010, a priority route network of roads was decided. These were the first to be targeted for gritting.
The Council has also developed teleconferencing provision, which was important when key staff couldn't travel due to heavy snowfall earlier in the year. However, this would be equally valuable in a flu pandemic, when reducing the amount of personal contact would help to slow the transfer of infection.
Finally, in the private and public sectors alike, it's important to keep stakeholders informed. Surrey plans how communications - both internal and external - will be managed in advance. "We need to think about how we inform and warn the public," says Smith. "In any incident, we want to help people to help themselves."
Conclusions
This systematic assessment can help businesses and other organizations prepare for the worst and prioritize, while the ongoing monitoring required by BS 25999 also helps them to improve those plans.
Of course, BS 25999 does not require a full-blown disaster to demonstrate its value. An effective BCMS can equally help to mitigate the risk of incidents that are not life threatening.
"BS 25999 is about trying to avoid disruptions to the business and, if they happen, to limit their impact by quickly reacting to the interruption, which comes with practice," says BSI product manager Robert Whitcher. "That includes the everyday incidents that prevent a business from delivering its products and services to customers."
For some products, carrying the BSI Kitemark - the UK's premier quality and safety mark - is a further way for organizations to demonstrate that the products they use have been tested and meet high standards. For example, there are flood protection products that can be fitted to a variety of buildings that will reduce the damage caused by flooding and so allow a business to avoid large scale disruption.
BS 25999 reduces the length and cost of disruptions, mitigates risk, improves strategic decision making, safeguards brands and often results, surprisingly perhaps, in cost savings. In all of this it also prepares organizations for the worst that can happen.
Continuity management is a new and evolving discipline. In response to user feedback on where more guidance is needed, BSI has published or is publishing supplementary guidance on BCM as follows:
PD 25111 Business continuity management - Guidance on human aspects of business continuity
PD 25888 Business continuity management - Guidance on business recovery. This document is scheduled for publication at the end of 2010 or early 2011.
PAS 200 - Crisis management guidance and good practice. This document won't be published until the end of 2010/early 2011.
BSI also has a new BS 25999 Self Assessment tool.
For more information on these documents see the BSI Shop.
----------------------------------------------------------------------
[1] http://www.iata.org/pressroom/pr/Pages/2010-04-21-01.aspx
[2] http://www.cbp.gov/xp/cgov/about/mission/cbp_plans_reports.xml
[3] According to the Global Platform for Disaster Risk Reduction in its Disaster Risk Reduction: 2007 Global Review (June 2007), using data from the CRED-CRUNCH EM-DAT emergency disaster database (www.cred.be or www.em-dat.net). The Centre for Research on the Epidemiology of Disasters (CRED) data are usually seen as the most comprehensive available, but they are based upon restricted criteria for what constitutes a disaster.
For CRED, a 'disaster' is when one of the following occurs: ten or more people are killed, 100 or more are affected, the declaration of a state of emergency, a call for international assistance. A 'small to medium sized disaster' involves up to 50 deaths, affects up to 150,000 people or causes up to $200 million in economic losses.
[4] http://www.unisdr.org/eng/hfa/hfa.htm
--------------------------------------------------------------------
This article first appeared on Business Standards 24 November 2010