
BCM implementation: using an external consultant – a case study

Background

Here we describe the case of a company implementing its Business Continuity Management (BCM) programme with the help of an external consultant. TalkingBusinessContinuity.com spoke with the company (which does not want to be named) about its experience of implementing BCM and of using an external consultant.

Firstly please say something about the organisation – its size, where it operates etc. so that readers can get an idea of the scale if they aren’t familiar with the sector.

We are a food retailer operating in the south west of the UK, with over 75 stores and with annual turnover in excess of £160m.

What about the continuity solutions consultants? Tell us about them.

Back2business is the most south-westerly business continuity service provider in the UK. Based in Plymouth, they provide complete end-to-end services, solutions and consulting. Core offerings include the provision of work area recovery with over 100 positions, and a purpose-built datacentre offering IT resilience solutions.

Why was back2business chosen?

  1. The ability to deliver all the required services
  2. Strength of existing relationship and trusted partner
  3. Well located from a location risk perspective

Mark Nicholas (MBCI), Head of Business Continuity & Resilience, was responsible for overall delivery of the business continuity management system and solutions. With experience of working for over 60 clients in a variety of global consulting roles, including FTSE 100 companies, he has been able to use his extensive knowledge to deliver cost effective, fit for purpose continuity capabilities that actually work.

What triggered the BCM programme in the client organisation? Was this an individual champion, an external event, a request from a large customer, advice from a consultant, a board level decision – or some combination of these?

This was driven by a combination of the Financial Director and the Chief Executive as part of their Board responsibility.

How will you measure success?

We will base this on the feedback and observations we receive from the continuity solutions and consulting firm following testing of our response and strategies.

What benefits did the client get from going through the implementation process – including any unexpected ones?

  1. Identified applications and systems which were no longer used or used very infrequently which saved on support and renewal
  2. By going through the BCM lifecycle, and understanding the business properly, we were able to arrive at a far more accurate figure for work area recovery than if we had taken an educated guess.
  3. In setting up the organisation and structure under the BCMS, we identified individuals who were better suited to public facing roles

What about downside – were there any problems or issues which you wish to share?

Probably the biggest downside was due to the current climate - it meant that the initial level of buy-in wasn’t as high as we’d have liked due to being interpreted as a cost saving, head count exercise.

Did you undertake a formal gap analysis between your organisation’s systems and the Standard? If so was this done internally or with the help of external consultants?

We did, and it was performed by both our external consultant and our internal Group co-ordinator. The findings were literally a few percentage points different at the end, which was a good indicator.

Did you use PAS 56 (this is the pre-standard that BSI published about 3 years before BS 25999)?

No

When did you become aware of BS 25999?

When we first engaged with our business continuity solutions provider.

How soon did you start to benchmark your processes against the standard internally?

When we completed our first pass at complying with the standard, we took the opportunity to revisit how well we had done.

How big was your project team for this?

In terms of direct project involvement, about 5; with ancillary input, it would have been about 12.

Within your organisation how much involvement was there with other departments and operational managers across the business?

All major streams or groups were consulted as a matter of course; however, based on needs, products and services, some contributed more time and resources as necessary.

Did you involve any of your supply chain in this process? Your main customers? Your biggest suppliers? Both?

Our customers are primarily the general public, so no on that front. However our key suppliers are critical in terms of supply chain and therefore we needed to interact and dovetail our crisis and continuity plans with them as a priority.

What is the BCM reporting line in your organization? Is it through the IT dept, Finance, Risk Management or direct to the Board?

Our primary project sponsor is the Financial Director, but overall it’s the Chief Executive as part of the overall executive management, who in turn report to the Board as part of Corporate Governance.

Have you considered going for certification to BS 25999? Is there any influence from customers or suppliers?

We are currently looking at certification; there is subtle influence coming from our central trading group. As a company there is a higher authority as to who we trade with in both products and supply – there is someone looking at wider group capability – they asked a set of questions which were linked to the standard and we measured ourselves against these.

Does your BCMS take into account all of your products and services?

Our group activities are quite wide and varied, so there are parts of our business which are not included in our BCMS, but the main revenue streams are included.

How did you carry out your Business Impact Assessment? Did you use external consultants? Have you any advice for somebody starting out?

Our BIA was performed by our external advisors using a combination of face to face, workshops with supplemental questionnaires and phone follow up. My advice for any organisation looking to take this seriously would be that using an external company will give you better buy-in/sponsorship, plus the findings which are generated will not be tainted or influenced as they otherwise might be if run by an internal project manager. They are also able to adapt and educate along the way as part of this phase for those people in the business that don’t get it.

Were any new pieces of documentation developed for the implementation? If so what were they?

As part of our project we generated a number of documents, such as an overall BCMS, a crisis response team plan, a head office continuity plan, store plans, an IT requirements spreadsheet, strategy options, checklists and scenarios and guidance across the whole programme.

Does your organisation ensure that BC competency resides with the right people? Did you have to train anyone?

Our buy-in and understanding flows from the very top, from our Chief Executive and Finance Director, down to Group Co-ordinators and store plan owners. Where necessary, staff without prior experience are now aware of their additional role, as they’ve experienced degrees of knowledge transfer with our consultant.

Ensuring a BC culture is said to be one of the hardest aspects of BC to achieve. How did you go about doing this?

Our BC policy is available and distributed to all staff for their perusal which indicates how important it is for us as a company in delivering products and services. This must be read and acknowledged by all key staff.

We also placed materials on our staff intranet as well as making useful information, slide decks and websites available where appropriate. We also mention continuity related matters and incidents within our company communications, emails and newsletters.

We have also recognised the importance of continuity within staff job roles to ensure that the cultural significance isn’t lost, even if a member of staff leaves.

Describe any benefits that have happened, or that you expect to happen, after going through this process?

  • Proven meeting of legal requirements, especially the trading standards
  • Improved relationships with key suppliers – on various levels (strategic, tactical and operational)
  • Improved relationships between departments in the organisation (in particular between IT and everyone else!)
  • And potentially we will have improved our reputation for reliability.

Is there anything else that you’d like to say about your experiences going through this process (good or bad)?

Our only other comment would be that people view business continuity as something which is similar to insurance; our view is that it should be viewed as a complementary part of a company’s overall risk management strategy, which includes both insurance and continuity management. We also believe that you only find out who is taking this seriously when you get to the Strategy Development phase, as this is where you invariably need to implement, invest most resources and spend money!
