24 May 2011

Planning for the unexpected: BS25999

LRQA (Lloyds) | www.lrqa.com

There’s nothing new in planning for the unexpected. But how would your business manage if the unexpected should turn into reality, either for you or your supply chain? And how would it impact on your reputation long term? In this article, Denis Ives of LRQA argues why you should be considering certification to BS25999.

In what seems to be an increasingly turbulent world, business continuity management has risen sharply up the corporate agenda in recent years and nowhere is this more evident than within the financial services sector. As the backbone to the UK economy, any major operational disruption to a part or all of the UK financial systems would have a significant impact both at home and on the global financial markets.

Whether for reasons of corporate governance, supply chain pressure through public sector procurement contracts or customers demanding evidence of BCM from business-critical suppliers, there is increasing pressure on organisations to take a more holistic approach to business continuity.

FSA Guidance: Resilience Benchmarking Report 1

The importance of business continuity management (BCM) within the financial sector is recognised by the Tripartite Authorities (Bank of England, HM Treasury and the FSA). Their recent Resilience Benchmarking Project discussion paper published in June 2008 looked at the sector’s resilience in the face of major operational disruption such as a terrorist attack or pandemic flu.

From a sample of 58 regulated bodies, the report paints a positive picture of a financial system appearing to be highly resilient. This was the second report published by the Tripartite Authorities, the first having been issued in 2005. In the intervening three years, the report shows the greatest gains have been made in those areas directly within the remit and scope of the Business Continuity manager, particularly within the areas of planning, testing and resiliency.

However, the report did note that further improvements could be made in those areas that fell outside of the direct influence of the Business Continuity teams, i.e. within HR, with the vetting and management of staff, and with the need to empower crisis management teams.

The report’s authors also noted the need for top management to continue their support of the BCM process, not only in making adequate resources available to the team but importantly in establishing policies and in embedding business continuity within the corporate culture. And it is here that a management system approach to business continuity can play such an important role, particularly where this is opened up to independent scrutiny.

BS25999: A tool for compliance

As the understanding of business continuity continues to grow from the generation of a series of disaster recovery plans to a more formalised system, it has become apparent that it makes sound economic sense to base any BCM system on a recognised and trusted framework – such as the BS25999 series of British Standards – which then in turn can be independently audited.

The standard comes in two parts. Part one forms the best practice guidelines, designed as a single reference point aimed at those with responsibility for business operations. As useful for the sole trader and smaller business as a multi-site organisation, it became the fastest selling standard on publication in 2006. This is undoubtedly indicative of the interest surrounding the issue of business continuity, particularly as it followed in the wake of the London bombings.

Part two is the specification against which the organisation can be independently assessed. It is useful to stress at this point that the aim of the specification is not to offer a ‘one size fits all’ but to provide a framework and defined requirements for a management system approach to business continuity which is based on best practice.

And there could be significant rewards on offer for early adopters of the standard, particularly for those trading overseas. Work has already begun on the development of an international (ISO) BCM standard which will have BS25999 forming a significant part of its basis. This is similar to the development path taken by many other standards, such as ISO 27001 Information Security and ISO 9001 Quality Management, which came from the British Standards BS7799 and BS5750.

Based on historic evidence from these examples and many more, we know that companies adopting and gaining certification to BS25999 will gain early competitive advantage and are likely to have to do much less work later in order to achieve certification to the ISO standard when available. Past evidence shows us that even before international standards are issued, British Standards are widely accepted around the world. Early indications suggest this is already the case with BS25999 with interest being shown from within the major developed countries of Asia and also North America. 

Certification: an independent eye

There is little doubt that the certification process with its subsequent programme of regular visits by an accredited provider – such as LRQA – provides valuable assurance. An organisation’s stakeholders can be confident that the ongoing management of the BCM system continues to be effective.

At LRQA, we have noticed a sharp rise in enquiries from organisations seeking certification to BS25999 part 2. And it isn’t just the certification bodies that have noticed a change. Recent industry surveys, such as the Chartered Management Institute’s 2008 Business Continuity survey, showed that a greater proportion of people with responsibility for business continuity were aware of BS25999 than in previous annual surveys, and of these one in four intended to comply with the standard or seek certification. 2

The high demand for BCM certification is likely to attract a number of companies offering certificates. It’s here where we would urge organisations to be careful. Not all certification bodies are made the same. A certificate at all costs will not necessarily add the value that organisations are looking for or their stakeholders expect.

Organisations seeking a partner for certification should take a careful look at the quality and expertise of their assessors. It goes without saying that having the right people deliver the service is critical. Surveys the world over always highlight the most important part of the certification body’s service is the knowledge, skill and approach of the assessor and how effectively they understand the organisations with which they work.

Assessor knowledge cannot be gained by reading a book or a one-day briefing. It requires a robust combination of experience, training and practical application to make sure an assessor can provide valuable feedback to help an organisation improve their BCM system.

Being able to field appropriately trained assessors who have all undergone rigorous BCI-accredited training is a crucial element in LRQA’s ability to provide a high quality service, that is, people who are able to add real value through meaningful assessments.

In addition, organisations seeking certification within the UK need to make sure they’re talking to a certification body accredited by the United Kingdom Accreditation Service (UKAS). LRQA is currently the only organisation able to offer UKAS-accredited certification in any industry for quality, environmental, health and safety and since June this year, business continuity management systems.

A case in point: Link Associates

Link Associates became LRQA’s first certified client to BS25999-2 earlier this year. It made sense for the company, which offers consultancy and training in business continuity, crisis, risk and emergency management, to become an early convert to the standard.

Martin Haines, Consultant, takes up this point. “We are in the business of business continuity, so it made sound economic sense to take the certification route. It’s only right we put into practice the principles and programmes that we offer our own clients.”

The nature of its business meant the company already had existing BC plans and the basis for an assessable system. With this in mind, the company opted for a gap analysis to test for areas requiring additional work as a starting point for preparing for the formal assessment.

Armed with a list of actions following the gap analysis, Link worked on its business continuity programme to further strengthen and widen existing control documentation, ensuring it met the full requirements of the standard.

“Having been through the process of becoming certified, we can say with certainty that it was a good learning experience although more resource intensive than initially anticipated. While still early days, we are already feeling the benefits from certification. Internally, this has seen us continue and consolidate business continuity within the working culture and this is partly because of the management system structure of the standard. Externally, as the first in our industry to become certified it has given us a clear market differentiator particularly during any tendering process. So, when prospective clients ask us how we manage our own business continuity, we can show them our LRQA certificate. This includes our scope of assessment which clearly shows the full extent of our system,” he concluded.

For the full case study please visit the LRQA UK website at: www.lrqa.co.uk.

For Sales Enquiries call 0800 783 2179.

Footnote: References

1. Resilience Benchmarking Project, Discussion Paper. FSA, H M Treasury, The Bank of England. June 2008.

2. Business Continuity Management Survey. Chartered Management Institute, Cabinet Office, Continuity Forum. March 2008.

