A year after the BSI's article introducing the standard for business continuity management, BS25999 parts 1 and 2, the standards are becoming established and firms are applying for certification. Mina Patria and Nicki Dennis take a follow-up look at the scheme and its importance.
- What are the advantages of certifying to BS25999?
- What does the certification process involve?
A year ago BSI contributed an article to Facilities Manager on the status of the then-new standard for business continuity management, BS25999 parts 1 and 2.
It briefly outlined why the standard was developed (overwhelming need from both public and private sectors) and how (through the consensus basis of a National Standard involving as many interested parties as possible).
Now, one year further on, as the standard beds down and as the first firms apply for certification to the new standard, it is appropriate to reflect on why the certification scheme was set up, who was involved and what benefits they expected it to bring.
Then your firm can decide if this is an avenue that will be worth pursuing.
So why is business continuity management (BCM) so important that you should consider certifying to the standard?
Well the annual BSI Business Barometer survey on the current ability of firms to withstand a serious incident gave results that showed that whilst 61 per cent recognised the business benefits of BCM in terms of reducing risk, satisfying customer requirements, remaining competitive and winning new business, many firms still have more to do to ensure their preparedness:
- Eighty per cent would expect to last no more than a week before feeling serious detrimental effects of a disruption or disaster;
- Less than half (45 per cent) have comprehensive supply chain failure plans;
- Just 41 per cent are fully prepared for business relocation;
- Only half (51 per cent) are very well prepared for IT systems failure.
While these results show improvement from the previous year, the findings reveal many companies are still putting themselves at unnecessary risk despite feeling a high level of vulnerability at the prospect of a crisis: Nearly half (46 per cent) said it would take less than a day for a serious disruption to impact significantly on their business.
The FTSE 250 has a market value of more than £260bn, so the scale of the risk and the opportunity is enormous.
It is encouraging, therefore, that the companies are improving their thinking about continuity management, but concerning that they can be complacent when it comes to being fully prepared.
By helping to put the fundamentals of a BCM system in place, BS 25999 is designed to keep businesses going during even the most challenging and unexpected circumstances - protecting staff, preserving reputation and providing a licence to operate.
Over the past years, companies report being better prepared to manage risks such as IT failure (51 per cent compared to 27 per cent in 2005), supply chain failure (45 per cent compared to 18 per cent in 2005) and forced business relocation (41 per cent compared to 15 per cent in 2005), and that having standards in place not only helps with the management of their current operations but also with future growth.
Interestingly, 40 per cent of businesses who are already committed to applying standards agree strongly that compliance with business continuity standards is likely to play an important role in staying competitive and winning new business in future, compared with only 26 per cent of businesses overall.
By choosing to certify to this Standard you are getting the assurance that comes from knowing that you are operating amongst the top performers.
This will increase your customers' confidence in you and perhaps more importantly it will increase self-confidence in your own abilities.
There are many reasons to become certified to BS25999 and they all amount to the same thing - it gives you a competitive advantage.
Certification helps you to demonstrate to your stakeholders that your business is run effectively and that it will continue to do so in the event of a disruption.
The process of achieving and maintaining the certification also helps ensure that you are continually improving and refining your BCM activities.
The regular assessment process will also improve staff responsibility, commitment and motivation.
Certification usually improves overall performance, removes uncertainty and widens market opportunities.
It will prove to your customers that you can be trusted to deliver.
Certification to BS 25999 creates an opportunity to reduce the burdens of internal and external audits from your key customers and may even lead to a reduction in insurance premiums.
Despite all these internal reasons, the reason for many companies will be that a major customer requires some evidence of competent BCM performance - if this is your reason then don't panic!
BCM isn't as complicated or as difficult as you might think. Also you don't have to be an expert in any of the other management systems such as ISO 9001 (the quality management system) or ISO 14001 (the environmental management system) - the BCM system can be implemented alone.
However, because it follows the simple 'plan, do, check, act' cycle of other management systems, if you are already a user of ISO 9001 and/or ISO 14001 then getting started with the BCM system will be very familiar to you.
Some of you may want to know what certification is exactly. Third party certification is when an accredited third party visits an organisation, assesses their BCM system and issues a certificate to show that the organisation abides by the principles set out in the standard, so following industry best practice.
Typical steps in the certification process will include an optional gap analysis.
Just how robust is your BCM system? If you're unsure, choosing to have an assessor or a consultant look over your system before the formal visit could save you time and money.
Or there are some online assurance tools (such as BS25999 online available through BSI) that will give you a quicker and cheaper idea of where you stand against the requirements in BS 25999-2.
Such a gap analysis will help identify those areas you need to spend more time on and give you confidence that your systems are ready for formal assessment. The next step is the actual assessment.
Usually conducted on site at your premises, this visit is undertaken to check that what you say you do meets the requirements of BS25999-2.
Once approved, the auditors will return at defined intervals to make sure your management system continues to meet the requirements of BS25999.
The stages of the assessment are usually as follows:
- Proposal/quotation prepared;
- Application accepted, auditor assigned;
- Documentation reviewed;
- Certification audit completed;
- Non-conformances cleared (if applicable);
- Certification reviewed and certificate issued;
- Maintenance audits held at agreed periods and re-certification audits performed as required.
Self-certification is when an organisation certifies itself that it believes it has met the requirements of the standard.
It may take the form of a statement in your annual report or as part of your overall policies.
It probably won't carry as much weight as a third party certification but for many organisations it is enough.
Either type of certification demonstrates to your customers, competitors, suppliers, staff and investors that you use the industry-respected best practices laid down in BS25999 part 2 (the BCM specification).
It shows that you believe you have reached a level of competence in BCM that can be called 'best practice'.
It would be unwise to attempt to go for certification unless you are reasonably confident that your BCM practices are at least close to those outlined in the standard.
Typically companies might work towards certification for a period of time and then, as mentioned above, use some sort of pre-assurance or gap analysis to see how closely they measure up.
This needn't be expensive or time-consuming; it will however require some careful planning. There are plenty of organisations offering training and other support materials that will be willing to help.
There is no doubt that most organisations will benefit from having a full BCM programme in place.
How you choose to advertise that you have such a system is a matter of choice, but having an accredited certification is clearly a powerful way of letting all your stakeholders know that you are taking this area seriously and are performing at a high level.
For more on the standard, hints and tips on implementing the programme and advice on moving towards certification, please visit the BSI website www.bsigroup.com or www.talkingbusinesscontinuity.com
Mina Patria is Risk and Sustainability Market Development Manager at the British Standards Institution, and Nicki Dennis is a Standards and Information Consultant.
|< Prev||Next >|
Building & Maintenance
Fire, Health & Safety
Latest News from Facilities Manager
- Preserving documents, preserving business
- DDA legislation - are you affected by these new changes?
- The case for facilities management
- Filling the information gap
- Service solutions - a multitude of options
- Developing FM on an international stage
- Standards in facilities management
- The future of the services sector in Europe
- Service delivery - the 'real' asset
- Believers and cynics