Total FM
A new British standard for BCM PDF Print E-mail
Written by Nicki Dennis, BSI, 2007   

Nicki Dennis, Head of Market Development - Risk Quality Assurance & Security, British Standards Institution (BSI), explains the need for organisations to implement business continuity management (BCM) and introduces the new Code of practice for business continuity management. 

Why is there a need for a standard?

What does the new standard cover?

Ensuring that your organisation is able to respond to any event that might cause disruption to normal operations or damage your reputation is all about being prepared. Examples of such events that affect facilities managers regularly include power failures, IT virus attacks, fires and strikes.

Business continuity management (BCM) is the term given to the process of looking after an organisation's resilience to such incidents. Resilience includes planning how to respond to the event, dealing with the incident as it happens and how to recover to business as usual afterwards. It also includes the rehearsing and testing that is so vital to ensure that everyone takes on board the continuity culture. It is clear that the FM community has a large part to play in this area.

But why is there a need for a standard?


A standard quite simply is an agreed way of doing things. It can be at any level, between any parties. It can be a specification, a code of practice, a set of guidelines, a process, even a glossary. In the UK, the National Standards Body is the British Standards Institution (BSI). We are independent of government and a non-profit distributing organisation.

The national standards produced through the BSI formal standards process, called British Standards (BS) have special attributes. For these BSI has to obey certain rules to ensure neutrality, transparency, integrity and fairness. In particular we have to reach a full consensus of all interested parties such as government, private and public sector bodies, trade associations and consumers. The intention is that standards are aspirational: a 'good' practice rather than a 'general' practice.

BS 25999-1:2006 Code of practice for business continuity management has been developed to assist organisations to make sure that they are prepared. It has been produced by a BSI technical committee made up of practitioners nominated by business, government, academia and professional bodies such as the Business Continuity Institute (BCI), Continuity Forum, Survive, Emergency Planning Society (EPS), Association of Local Authority Risk Managers (ALARM), Financial Services Agency (FSA), Confederation of British Industry (CBI), Institute of Directors (IOD), Association of British Insurers (ABI) and the Federation of Small Businesses (FSB). In addition, sector representatives were included from industries such as telecoms, IT, construction, retail, insurance and others to broaden the applicability of the standard.

Launched at the beginning of December last year, BS 25999-1:2006 has sold almost 3,000 copies at the end of March 2007. This is the most copies a new standard has sold in its first six months - confirming that this standard is of great interest and value to a wide variety of sectors and consumers.

The Chairman of the BSI committee on Business Continuity Management, Chris Green, Vice-Chair of the BCI, said that: "The response to BS 25999-1 is very encouraging. The committee members have worked very hard, drawing on their considerable academic, technical and practical experience, to produce a standard that would enable all organisations to make sure that they have good business continuity plans and practices in place. We were very pleased that we received input from a wide range of sectors.

"This standard has been produced to provide a system based on good practice for BCM. It is intended to serve as a single reference point for identifying the range of controls needed for situations where BCM is practised. It has been written with care to address the needs of all organisations, whether large, medium or small, in industrial, commercial, public and voluntary sectors."

BS 25999-1:2006 has therefore been created with feedback from users and is a simple and cost-effective way of finding out what is regarded as good or best practice in the area.

Why should organisations ensure they are using BCM?


Shareholder value: research shows that the share-price movement for firms that experienced a major incident split into two types - those whose share prices recovered and those whose didn't. The researchers found that the one uniting factor of those who recovered was the presence of a fully integrated crisis communication policy. Such a policy is an integral part of a business continuity programme.

Lower insurance premiums: demonstrating that you are taking business continuity seriously can lead to premiums stabilising. Indeed, the very exercise of embarking on a BCM programme may also mean that you become confident enough to buy less business interruption insurance, another common area of saving.

Other reasons for incorporating BCM in your organisation include:
  • Improving confidence in the ability of your business to survive an unexpected catastrophe;
  • Demonstrating a duty of care to your employees;
  • A visible method of meeting your customers' expectations in a wide range of circumstances, and showing due diligence to your company's other key stakeholders;
  • Perhaps most importantly, it helps safeguard your company's reputation.
Your organisation may also be affected by the Civil Contingencies Act - for example, if you are a supplier of goods and services to local authorities. The Act places certain duties around the continuity of supply of goods and services, and local authorities will want proof that you can continue to deliver after an incident affecting your organization.

So what does the standard cover?


BS 25999 is being published in two parts:
  • Part 1: Code of practice for business continuity management;
  • Part 2: Specification for business continuity management.
Part 1 derives from various sources, including the 2003 publication of PAS 56 Guide to business continuity management - a pre-standard that was published by a smaller group of experts and did not have full national consensus. This was the first such document to be available outside of the business continuity community and its publication served to lead the business continuity debate and provide BSI with valuable feedback that was later taken into account by the technical committee responsible for BS 25999-1.  
 
This part of BS 25999 is based on the BCM lifecycle (Figure 1). It establishes the process, principles and terminology of BCM and provides the basis for understanding, developing and implementing business continuity within an organisation. By following the guidance, organizations will have more confidence in their business-to-business and business-to-customer dealings. It will also enable organisations to measure their BCM capability in a consistent and recognised manner.

Image
Figure 1. The BCM lifecycle.

Part 2 will specify the process for achieving certification. It is currently in development by the same BSI technical committee and is expected to publish by the end of 2007. The draft for public comment should be available in June at which time BSI will welcome comments from all potential users in order to ensure that the standard is as useful and relevant as possible.

While the standard is not intended as a beginner's guide to business continuity management, it is for use by anyone with responsibility for business operations, from board directors and chief executives through all levels of the organisation; from those with a single site to those with a global presence; from sole traders and small-to-medium enterprises (SMEs) to organisations employing thousands of people. BS 25999 is applicable to anybody who holds responsibility for any operation, and thus the continuity of that operation so is an important document for facilities managers. The combination of responsibilities and experience of facilities managers make them a vital component of any business continuity planning process.

If we needed reminding, events ranging from the July bombings in London, extensive flooding, storm damage and the Buncefield fire illustrate the need for businesses to have robust business continuity plans in place. The statistics are alarming:    
  • 80 per cent of businesses affected by a major incident close within 18 months;
  • 90 per cent of businesses that lose data from a disaster are forced to shut within two years.1
BSI believes that by following the guidance in BS 25999-1 businesses will increase their business continuity capabilities dramatically.

Now that the UK has a full national standard on business continuity, BSI is encouraging the publication of supporting documents for specific sectors to help users get the most from the standard. It is also possible that future guidance on parts of business continuity such as testing and rehearsals, IT disaster recovery, and crisis communication may be developed by the committee. Facilities managers may feel that they require a specific guide to the standard as they have unique responsibilities for the premises they manage, if this is so we would be delighted to hear from them.

Further information

Nicki Dennis, Email: This e-mail address is being protected from spam bots, you need JavaScript enabled to view it , www.bsonline.bsi-global.com

Reference

1. London Chamber of Commerce and Industry 2003.
 
< Prev   Next >
[ Back ]