• Home /
• Case studies BCM /
• Moving from BC Planning to BC Management – a case study

Moving from BC Planning to BC Management – a case study

Equens SE is a pan-European full-service payment processor, specializing in future-proof payments and card processing solutions. Their services cover the entire payments value chain for cards, payments, e-commerce and m-commerce. They already had excellent BC planning in place and then decided to make the move to BC management in order to be more proactive and better integrated.

Talkingbusinesscontinuity.com spoke with Carol Meeuwisse and Eric Luijks who are Equens’  Risk Consultant and General Manager 'Risk Management' about how Equens made this change and what the benefits to them were.

What triggered the BCM programme in your organization?

It was a Board level decision to implement a BCM programme in 2005 to replace the BCP programme. The Board saw that doing merely reactive BC planning wasn’t going to be enough for an organization that wanted to be seen as highly competent in the area.

How do you measure the success of this process?

Success is measured using key performance indicators like the number of incidents and also from the results of periodically held exercises.

What benefits did you get from going through the implementation process – including any unexpected ones?

It improved the awareness of business continuity management throughout the organization and we think also improved decision making across the organization.

What about downside – were there any problems or issues which you wish to share (they can be general)?

Changing from BCP to BCM is asking your people to move to a different way of thinking and living business continuity. This change was an issue in the beginning as people were trained in responding to crises but not in thinking about BC all the time. You shouldn’t underestimate how big a change this is for your people as it’s always hard to get people to change. However we don’t see this as a downside, instead we see it as more of an investment. It’s not like an action that can be done in one day. If you have a certain maturity level it is very important to firstly maintain that level and then to reach for another level. The company understands this and so did support the changes.

Did you undertake a formal gap analysis between your organization's systems and the Standard?  If so was this done internally or with the help of external consultants?

Yes, we did this internally. Equens has invested in staff training right up to lead auditor level for BS 25999. In 2005 Equens used the PAS56 for gap analysis, and then we updated the analysis in 2007 based on the then new BS 25999.

How big was your project team for this?

2 full time employees worked on this project.

Within your organization how much involvement was there with other departments and operational managers across the business?

Besides the Board of Directors (4) all of the centre management team were involved plus all of the team managers. Board approval is vital. It was a much more inclusive process than before as the BCP process was led by the IT department.

Did you involve any of your supply chain in this process?

All our main customers and core suppliers were involved. We have recognized from undertaking our BIA that we are not alone – we are like the spider in the middle of a web, we have strong interdependencies on others. We can be the best but we need to have customers and suppliers at a minimum level in order to make ourselves more resilient.  We work with both in order for us all to improve.

What is the BCM reporting line in your organization?

The overall responsibility for BCM lies within the Operations Centre and reports directly into the Board of Directors.

What made you decide to go for certification to BS 25999? Was there any influence from customers or suppliers?

It was our own decision to obtain certifications such as ISO 27001 and BS 25999 for the business we are in. It showcases our strengths in these important areas to our customers.

How did you go about deciding and limiting the scope of BCM for certification purposes?  And was this decision informed by mainly external or internal factors (or both)?

The scope of BCM certification is the same as the scope for ISO 27001, which for us is our core business of cards and payments processing. This decision was made internally.

Does your BCMS take into account all of your products and services?

All of our core services are in scope.

How did you carry out your Business Impact Assessment? Did you use external consultants? Have you any advice for somebody starting out?

The BIA was undertaken internally. Our advice to companies starting on this journey is to invest in BS 25999 knowledge and training.

What was your impression of the final audit – any comments or things that you would have liked to have either done differently or had done differently?

Equens is the first company in the Netherlands to be certified to BS 25999 and thus  BSI Nederland didn’t have experience in certifying to this standard. We worked together as a learning experience; Equens learnt about the auditing side and BSI Nederland learnt about how implementing BCM throughout an organization looks. It has resulted in a strong relationship. There were some issues around document review as our internal documents are all in Dutch and the lead auditor was British, but we all worked together well and this wasn’t a big problem.

How does your organization ensure that BC competency resides with the right people? Did you have to train anyone?

Yes, Equens keeps on investing in training on BCM. Besides that, Equens has business continuity officers in place. BC is a part of job descriptions throughout the organization.

Ensuring a BC culture is said to be one of the hardest aspects of BC to achieve. How did you go about doing this?

BC is part of our regular security awareness programme. Besides that Equens actively undertakes exercises in BC in which all staff are involved. Also the move to BCM has helped to ingrain BC thinking into staff.

Finally can you state some of the benefits to Equens of going through this process?

Yes, the following are the benefits we feel have come about as a result of implementing BCM at Equens:

• Improved customer satisfaction
• Meeting legal requirements
• Improved relationships with key customers
• Improved relationships between departments in our organization
• Reduction in costs
• Improved reputation for reliability.

Want to comment? Join us on our LinkedIn discussion group.

Certification to BS 25999 can help you gain a competitive advantage.  Find out how your company could become certified to BS 25999, the internationally recognised standard for Business Continuity Management.