The new British Standard for business continuity is welcome, but there is more to be done, says Nick Chown
Business continuity, falling as it does under the risk management umbrella, has become one of the mantras of the modern age. We all agree it is a good thing, and virtually every organisation of any size claims to be on top of the issue. Unfortunately, many are not as good at it as they think they are.
August's blackout in the US north-east vividly illustrated the way inadequate risk management procedures can cause business continuity failure on a grand and well-publicised scale. Generally speaking, however, incidents of business continuity failure are "quiet catastrophes" and go largely unreported, even though they can be devastating for those involved. The trigger may be a product recall, the collapse of a supplier or a computer crash. Alternatively, it could be something that fatally undermines your brand or your reputation. Whatever the cause of the crisis, the speed and scale of events can overwhelm the normal operational and management systems. The inevitable result is that an organisation is either forced to close or it suffers disproportionate damage because its business continuity measures are found wanting. The cost to British industry is estimated to run to billions of pounds annually.
Risk management enables your organisation to anticipate an event and seek to prevent it or minimise its impact. A fit-for-purpose business continuity plan enables you to deal with the immediate aftermath, provide a contingency plan to maintain operations, and facilitate the recovery and rebuilding of the organisation and win back customer confidence. Sometimes business continuity failure is self-inflicted - management has adopted an 'it won't happen to us' attitude that leaves them totally unprepared. More often, however, firms have made a genuine effort to put contingency measures in place, and they are shocked when they do not perform as well as they had expected. A common response when told what they should have done is "why didn't someone tell us?"
That is one of the reasons why Airmic welcomes and supports a new guide, drawn up by the British Standards Institution (BSI), the Business Continuity Institute (BCI) and others, known as BSI PAS (publicly available specification) 56. It may not be the catchiest of titles, but it is the work of leading practitioners in this field and it answers the frequent complaint that there is no benchmark of good practice.
Good practice
PAS 56 is not yet a fully-fledged British standard, partly because the BCI and BSI wanted to get something out quickly rather than go through a much lengthier process. Perhaps as a result it represents good rather than best practice, and in our view still requires some work. Nonetheless, it is rapidly gaining acceptance both in the UK and overseas. From an Airmic perspective, PAS 56 has the potential to do for business continuity what the risk management standard already does for risk management by providing an agreed framework in which to operate. PAS 56 sets out a process for any organisation, large or small, commercial or non-commercial, that wants to do all it reasonably can to ensure business continuity. Airmic considers that the document should do more to strengthen the framework in the areas of crisis management, crisis communications and supply chain continuity. We would also like to see more information on how crisis teams should be selected, the skills required of them and how they should be initiated into the organisation. And, as with any programme of self-assessment, the testing of conclusions by an independent third party would be desirable as it can provide valuable additional reassurance. With these qualifications, PAS 56 will enable any organisation to develop its own strategy and framework for managing business continuity risks, including gaining an understanding of its business continuity strengths and weaknesses, of which there are bound to be some. Although the main reason for adopting PAS 56 is the protection it will give your organisation, there are other important benefits. It will make it easier to negotiate with your insurers because you will be able to demonstrate an ability to return to normal working in the event of a crisis. Indeed, it is likely that in future, underwriters will increasingly ask for evidence of PAS 56 compliance when they renew policies.
With the increased emphasis on corporate governance, compliance with PAS 56 may also provide valuable protection in the eyes of regulators, shareholders and the courts.
Hard testing
And, as with any major corporate-wide initiative, board-level sponsorship of PAS 56 is essential to successful implementation. Unless it is driven at a high level the temptation will be to cut corners. When it comes to hard testing the plans, for example, the very things that most need testing are so operationally critical that they are sometimes left out, which devalues the exercise. Once in place, business continuity plans must then be regularly updated to reflect operational and other changes within the organisation.
Setting new standards is the current Airmic theme, and BSI PAS 56 is an excellent illustration of what this can mean in practice. It does not, of course, guarantee that your organisation will be able to continue operating under all circumstances; no document could ever do that. It does, though, enable risk managers and others to plug into the mainstream of good practice in an area that is critical to long-term success.
What is BSI PAS 56?
BSI PAS 56 is a fully risk-based approach to developing a business continuity plan that utilises risk analysis and impact assessment. It does not require an organisation to identify absolutely every possible cause of loss, sensibly preferring to address generic situations, such as the total loss of premises, partial loss of a few floors or denial of access. The standard covers the following 15 key areas:
- Business continuity management (BCM) policy
- BCM programme management
- Planning
- BCM assurance
- Crisis management
- Business impact assessment
- Training/awareness
- Risk assessment
- Exercising
- Organisation (corporate) strategy
- Maintenance
- Process strategy
- Audit
- Resource recovery strategy
- Solutions
The Business Continuity Institute (BCI) has developed an interactive Excel spreadsheet which enables an organisation to benchmark against PAS 56. This tool is available free of charge from the BCI and can be downloaded from its website. You can obtain more information about PAS 56 from the Business Continuity Institute website, www.thebci.org.