
Newton IT describe the benefits of adding BCM to their Integrated Management System

Background

Newton IT Limited is part of the Newton IT Holdings group, which has a total staff of approximately 40 (20 staff for Newton IT Ltd, 15 staff for Newton IT solutions, and 5 for Newton IT Holding). The services that Newton IT provides are IT Infrastructure support and maintenance; IT Infrastructure Design and Implementation; Consultancy, including business continuity, information security, and management system development; and Software Development.

The company is certified to ISO 9001, ISO 27001 and BS 25999, and is an ISO 17799 Associate Consultant of British Standard Institute (BSI) Japan and a member of the Business Continuity Institute (BCI) Japan. Its main office is in North London; it operates mainly in the UK and Europe.

As a company that was familiar with management systems, Newton IT didn’t face the steep learning curve that others new to MS have described. Instead they were pioneers in adding Business Continuity Management (BCM) to an already integrated management system. This brought its own issues.

TalkingBusinessContinuity.com interviewed the project leader at Newton IT Ltd, Aki Sudo. Aki is an experienced Business Continuity and Risk Specialist with more than 10 years' experience in a variety of sectors, including the financial services arena. Aki is a Certified Information System Auditor (CISA), a BCI Business Continuity Professional member (MBCI), ISO 27001 specialist and BS 25999 specialist. Aki described to TalkingBusinessContinuity.com how a small specialist company in the IT services field got ahead of its competitors by integrating a BC management system with its integrated management system.

What triggered the BCM programme in your organisation? Was this an individual champion, an external event, a request from a large customer, advice from a consultant, a board level decision – or some combination of these?

Basically it was a board level decision based on the following points:

  • Newton IT is committed to delivering IT maintenance and consultancy services to our customers at an agreed level of quality and timeliness. There is little tolerance for any IT system downtime or associated suspension of business. Therefore, it was vital to have a proven business continuity arrangement which enabled us to maintain business operations should a catastrophic event occur.
  • Over the years through our consulting services with customers we have developed knowledge and experiences related to BCM. In addition Newton IT was already registered to ISO 9001 and ISO 27001, and operated an integrated management system. Therefore, we hoped that we could implement BCM relatively easily as a part of the existing integrated management system.
  • Developing the BCM programme and going on to achieve BS 25999 certification was seen as bringing competitive advantage.

How will you measure success?

Success is measured by following the steps below:

First we define our business continuity policy by performing a high level business impact analysis (i.e. stakeholder analysis, sales and GP comparison analysis). Next we define the recovery time objectives (RTO) and recovery point objectives (RPO) through the Business Impact Analysis (BIA) and risk assessment (RA).

Then we define the BC strategy which will achieve RTO and RPO and the process of documentation, communication and exercising is addressed. The BCM plans are regularly tested based on schedule, scope, objectives etc. and any issues encountered during testing are recorded at the time. Review meetings are undertaken with each user area after every test to evaluate the results against the objectives. Any issues or difficulties identified during the test are discussed, remedial actions are identified and any other issues are highlighted. All issues are followed up to resolution either by the BCP Manager for organisational or procedural matters, or the IT Infrastructure Team for issues relating to systems/applications. Test reports are produced and circulated to top management. Additional IT specific (DR) testing is undertaken by the IT Infrastructure Team at the recovery sites. Top management continuously review the BCM arrangements to ensure their continuing suitability, adequacy and effectiveness, and also to ensure Newton IT’s business continuity capability and appropriateness is maintained.

What benefits did you get from going through the implementation process – including any unexpected ones?

We have gained a lot of benefits through the implementation process. They include:

  • An improved understanding of the business has been gained through the various analyses (e.g. BIA, RA)
  • Reducing our exposure to risks through the risk analysis
  • An improved resilience to business interruption
  • Reduction of down time by setting up alternative processes and workarounds
  • An increase in staff confidence about handling a catastrophic event.

What about downside – were there any problems or issues which you wish to share?

It was hard to always get the full attention of our holding company despite a lot of effort. They provide HR, Accounts and PR functions and so had to be involved. It took a lot of persuasion on our part but we got through in the end!

Did you undertake a formal gap analysis between your organisation’s systems and the Standard? If so was this done internally or with the help of external consultants?

We did an internal formal gap analysis.

Did you use PAS 56 (this is the pre-standard that BSI published about 3 years before BS 25999)?

Yes, we used to use PAS 56 as a reference document when we provided business continuity consultancy services to customers.

When did you become aware of BS 25999?

When BS 25999 part 1 (draft) was released for public comments.

How soon did you start to benchmark your processes against the standard internally?

As soon as BSI announced BS 25999 part 2 would be released and that this would allow third party certification for BCM. We were keen to be seen as leaders in this field.

How big was your project team for this?

Approximately 5 staff were involved through all the project phases.

Within your organisation how much involvement was there with other departments and operational managers across the business?

The Managing Director, IT Infrastructure team manager, consulting team manager, software development team manager and HR/Facility manager (from Newton IT holding) were all heavily involved in the project.

In the past it was difficult to get commitment from the holding company when we implemented both the information security MS and the quality MS. However, the HR/Facility manager was more involved this time, particularly as business continuity is also highly relevant to the health and safety area which he is also in charge of.

Did you involve any of your supply chain in this process? Your main customers? Your biggest suppliers? Both?

We did - through informal communication with key customers; we identified their expectations and needs, and set RTO and RPO.

What is the BCM reporting line in your organisation? Is it through the IT dept, Finance, Risk Management or direct to the Board?

If the event is relevant to IT, then it is through the IT department, otherwise, it is through top management.

What made you decide to go for certification to BS 25999? Was there any influence from customers or suppliers?

We did this mainly to appeal to third parties (e.g. customers, competitors) as we provide business continuity services, including assisting organisations to achieve BS 25999 certification.

How did you go about deciding and limiting the scope of BCM for certification purposes? And was this decision informed by mainly external or internal factors (or both)?

Based on the high level business impact analysis (i.e. stakeholder analysis, sales and GP comparison analysis), top management agreed the scope of Newton IT’s BCM as follows:

  1. Staff within the Scope
    All staff, including part-time employees, who are involved in delivering the services defined below in (3);
  2. Site within the Scope
    The Newton main office, which is 1 Central Business Centre, Great Central Way, Neasden, London NW10 0UR;
  3. Services within the Scope
    • IT Infrastructure support and maintenance
    • IT Infrastructure design and implementation
    • Consultancy, including security policy, management system development
    • Software development
  4. Other significant issues
    As we already operated an integrated management system we wanted to add BCM to this.

Does your BCMS take into account all of your products and services?

As described above, our BCMS covers all of our services to customers.

How did you carry out your Business Impact assessment? Did you use external consultants? Have you any advice for somebody starting out?

We did not use any external consultants. We have a business continuity professional (MBCI) internally with BCM experience and she (actually it’s me!) led the overall project.

What was your impression of the final audit – any comments or things that you would have liked to have either done differently or had done differently?

The final audit went very well but we believe we could have done better to integrate the business impact analysis and risk assessment processes for BCM into the risk assessment processes for the existing integrated management system. In the future we believe we can improve the comprehensive risk assessment process to cover all aspects of risks related to our business, such as information security, service quality, business continuity and internal controls.

Were any new pieces of documentation developed for the certification? If so what were they?

Not really. Basically all we had to do was add business continuity specific aspects to the existing documentation (e.g. management review, internal audit).

How does your organisation ensure that BC competency resides with the right people? Did you have to train anyone?

Key staff attend relevant business continuity training courses, conferences, workshops etc. We provide awareness training to all staff regularly. Also through the BCM consultancy services we offer our customers we find that our consultants accumulate experiences and skills that they are happy to share with other staff.

Ensuring a BC culture is said to be one of the hardest aspects of BC to achieve. How did you go about doing this?

Through ongoing awareness training given to all staff and performing BC exercises regularly (each business unit within scope is subject to exercise at least once a year).

How do you ensure that you, your system and staff are kept up-to-date with the latest relevant BC developments? Any conferences, newsletters, and websites you routinely use?

I mainly gather information relevant to BCM via the BCI website, the BSI website and their newsletters. Also, as an MBCI, I am regularly updated by the BCI.

Finally could you tell us some of the benefits you have achieved by going through this process?

We have had the following benefits:

  • Improved customer satisfaction
  • Improved relationships with key customers
  • Improved relationships between departments in our organisation
  • Improved reputation for reliability.