
PAS 56 – defining a standard

Phil Carter discusses the strengths and weaknesses of PAS 56.

Business continuity management continues to be a hot topic as evidenced in the Information Security Breaches Survey 2004 (PriceWaterhouseCoopers) which stated that 87 percent of UK businesses are now highly dependent on business continuity, compared with 76 percent two years ago. Our [SunGard’s] own research shows that a key driver for this rise is regulatory requirement and an increasing reliance on technology, making business continuity and information availability a necessary cost of doing business rather than a ‘nice to have’.

With downtime costs so high and the real threat of terrorism, it is not surprising that companies are gravitating to business continuity for protection. Publicly Available Specification 56 (PAS 56) is the first step in the process towards a standard for business continuity provision and aims to set out guidelines for best practice, to help businesses improve business continuity planning and management. At this stage PAS 56 is an informal standard, and the British Standards Institution (BSI) is currently brokering the process for it to become a full British Standard.

Driving demand
There are a number of factors driving demand for a consistent approach to business continuity planning and PAS 56 provides a universal framework for businesses to follow, to ensure that BC plans are fit for purpose.

In the UK regulatory pressures are a key driver for a business continuity standard, with Basel II, FSA regulations and the Civil Contingencies Act all requiring various organisations to have business continuity plans in place. However such regulations state that organisations must make business continuity provision but do not give any detail on what this should entail or how comprehensive it must be, leaving it up to individual organisations to deem what is appropriate. The emergence of PAS 56 goes some way towards setting a benchmark for businesses on what planning they should have in place, making it easier for them to achieve compliance with the raft of existing and future regulations.

The tendency among businesses to outsource key business functions to cut costs, and the reliance on supply chain processes to provide goods and services, also highlights a key area where business continuity provision must be made. Businesses are increasingly demanding that their suppliers or outsourced partners have appropriate business continuity plans in place, because if they fail to deliver a service or can’t access data due to an incident, there is the potential for a huge impact on others in the supply chain. Working with a supplier who has achieved a recognised standard for business continuity provision will give organisations peace of mind that the supply chain won’t fall over in the event of a disaster.

Insurers are also advising businesses to have contingency plans in place to benefit from lower premiums as a result of reduced risk. A British Standard will enable companies to meet this requirement and prove to insurers that the appropriate plans are in place.

Setting the standard
The main aims of PAS 56 are to:
* Define the process, principles and terminology of business continuity management.
* Provide a generic framework for incident anticipation and response.
* Describe evaluation techniques and criteria.

PAS 56 advises how to implement good business continuity management which it outlines as: linking to corporate governance, having board level endorsement and accountability, clearly defining and documenting accountabilities and responsibilities, and making it a ‘business as usual’ process. The guidelines are intended for use by those charged with defining, developing, implementing and managing a business continuity management programme.

PAS 56 is a precursor to a full British Standard for business continuity. It must be based on a legal framework for it to become a national standard, be auditable and advise a consistent approach to business continuity. To become a national standard it must firstly have the full backing of all interested parties including government, businesses, trade associations and consumers, a process which can take up to six months. If the consensus is to make it a standard then the BSI will facilitate a full British Standard for business continuity.

The next step in the process is for BSI to set up a national committee for risk management and a sub-committee for business continuity. These groups will be tasked with drafting the standard, which can take up to nine months. It is then made available for public consultation for between three and six months at which time all interested parties can offer feedback and comments before the standard is approved.

Making the grade
The wording of PAS 56 as it currently stands may cause concern for organisations and during the consultation stage there are a few areas which must be reviewed and revised if the standard is to be taken up among businesses.

For example, the current document recommends live testing twice a year. Testing is a crucial part of business continuity as it supports, matures and develops the plan. A business continuity plan is no good sitting on a shelf – it has to be useful and usable and must reflect the fact that organisations are dynamic entities where the only constant is change. Regular testing ensures that the plan is fit for purpose and in step with the recovery needs of the business.

With live testing, organisations would need to close down all applications as if a disaster had occurred and invoke their BCP. But running this type of test could have disastrous effects in itself, by putting businesses at risk and tempting fate. Testing the business continuity plan is designed to spot oversights and omissions such as holes in vital processes or to determine where upgrades are needed; but with live testing it’s too late if your plan is not up to scratch and could result in lost business and customers not being able to access staff or services. The other advantage of testing is to engender staff confidence and competence in the BCP and how they will utilise it in an emergency. To ensure that business continuity plan testing has the desired effect in this respect requires careful planning and preparation and a live approach may be counter-productive.

A better approach would be to suggest carrying out testing out of normal office hours, at the weekend or in the evenings, to minimise potential disruption to staff and critical business processes; but with a realistic scenario to put them through their paces with a degree of rigour.

The guidelines are intended for businesses of all sizes and types, but to be applicable to a larger number of organisations the guidelines would benefit from being more flexible. They need to take into account that small businesses and large enterprises have different needs and recommend suitable planning strategies accordingly. What will be appropriate for a global organisation won’t necessarily suit a smaller operation. This flexibility also applies to different industry sectors which have different needs, both in the daily running of their business and in regulatory requirements which govern specific industries. Although a framework suitable for all businesses would be hard to achieve, the standard needs to be as flexible as possible to enable all businesses to apply for certification, if they wish.

Delivering the goods
In the UK over 3,000 organisations have bought the guidelines and the feedback has been encouraging. PAS 56 is a good starting point and with constructive feedback from the industry it will be a step in the right direction for a consistent approach to business continuity planning.

For businesses, a formal British Standard will provide a valuable tool for putting appropriate BC plans in place. For the industry, it is recognition that business continuity is a necessary part of doing business: it is no longer appropriate to be satisfied with IT-centric reactive disaster recovery only – though this will always have its place; we need the resilience, continuity and availability of the business to be regarded as a proactive management concern and PAS 56 provides a framework for this to happen.

Not only this, PAS 56 is indicative of the movement towards information availability – the process of keeping your people and information connected. In the ‘always-on’ environment of today’s business and consumer world, where 24/7 and on-demand are par for the course, business continuity and information availability should no longer be considered optional or specialist concerns; they actually are - and should be perceived as - part and parcel of the way we live today. Business as usual – no matter what!

Phil Carter is head of professional services at SunGard Availability Services.
For more information contact 0800 143 413, infoavail@sungard.com or www.availability.sungard.com

Date: 30th November 2004 • Region: UK • Type: Article • Topic: BC general




Copyright 2005 Portal Publishing Ltd