Steve Dance discusses the interplay between BS25999 and other recent UK legislation.
The final version of part one of BS25999, the British Standard for Business Continuity Management, has now emerged. The principle of a formal standard has generally been supported by business continuity professionals, with BS25999 providing a combination of a best practice framework, generally accepted principles and a common standard to aim for. However, the emergence of BS25999, together with recent legislation, creates some interesting interactions that business continuity managers need to be aware of.
Perhaps the most well known piece of legislation relating to a statutory requirement for business continuity arrangements is the Civil Contingencies Act 2004 (CCA). Many business continuity managers, particularly those in the public sector, will be aware of the implications of the CCA as its implementation directly affected their organisations. Nevertheless as the CCA now beds down and organisations have implemented the required business continuity and emergency plans, there is an interesting trend emerging; many of the organisations who were required to implement business continuity plans have now turned to look at their key commercial relationships and the dependencies they represent. Consequently, suppliers to organisations ‘regulated’ by the CCA are being asked questions about their business continuity arrangements and in some cases are being asked to demonstrate both their existence and effectiveness.
So, even though many organisations were not directly affected by the CCA, they are feeling the effects of ‘secondary regulation’ by virtue of their commercial relationships with organisations that are directly affected by the Act. By virtue of this secondary regulation effect, quality business continuity plans are becoming an important factor in securing and retaining commercial relationships with organisations affected by the CCA.
A further piece of legislation, The Companies Act 2006, found its way onto the UK statute books during November 2006. The Act is primarily concerned with changes to company law and, through transitional arrangements, will become fully effective during October 2007 (http://www.dti.gov.uk/bbf/co-law-reform-bill/). Although its relevance to business continuity management is not immediately obvious, the devil is in the detail, and there are two particular aspects of the Act that do have relevance to business continuity management:
Business Review: the Act mandates that the Directors’ Report must now contain a ‘Business Review’ and that the Business Review must contain “a description of the principal risks and uncertainties facing the company”. Clearly some narrative regarding the measures that are in place to manage and mitigate those risks will also be relevant. Will business continuity figure in the Business Review? Probably. According to a recent survey conducted by FM Global, excluding general economic conditions, CFOs and CEOs rated physical assets (including manufacturing plant, equipment, delivery & logistics, IT & telecommunication systems and raw materials & inventory) as the top drivers that contribute most to their companies’ ability to generate revenue. Given that consensus, the absence of some comment and narrative in the Business Review regarding a firm’s principal business continuity risks and associated arrangements might be considered a glaring omission. A further implication is that any assertions made in the Business Review regarding risk management arrangements will need to be demonstrable. Any comments made regarding business continuity arrangements in the Business Review should therefore be supportable or ‘auditable’, which points to the existence of an effective plan governance system for business continuity risks.
Management’s responsibility to exercise reasonable care, skill & diligence. Although this clause is carried forward from the original Companies Act, it has more relevance to business continuity when taken in conjunction with the Business Review requirements, because of the implied requirements regarding risk management. The existence of this clause was one of the key points that destroyed the defence of Barings management following the Leeson affair: management had argued that they did not understand some aspects of Leeson’s activities and could therefore not manage them fully. The court found against them because, as directors of a major financial institution, under the requirements of this clause they could and should have had the necessary skills to put effective controls in place to prevent the losses incurred.
The potential relevance of this clause to business continuity is this: if a major business interruption occurred at a company and significant financial losses were sustained, there is a chance that the directors of the company could be sued under the Companies Act if its business continuity plans were suspect in some way. The basis for the case would be that the management of the company should have been aware of the possibility of a major interruption event (particularly if it figured in the risks section of the Business Review) and should have had appropriate, proven business continuity plans in place.
Nevertheless, a degree of circumspection is necessary here; whether or not this clause could be used as a basis for successful litigation against a board of directors will depend on test cases and as the 2006 Act is so new there are no case histories to draw from. Nevertheless, the Barings case, which was brought under the same clause in the previous Act, emphatically demonstrates that directors can be litigated against if major losses are incurred due to lax internal controls. A further signal of the potential litigation risk has been given by a number of specialist insurers who voiced their intent to raise Directors Liability insurance - demonstrating their view of the potential for increased litigation risk under the Act.
So where does BS25999 figure in all of this? The majority of business continuity practitioners have welcomed the introduction of the standard as a basis for codifying generally accepted best practice and for providing comprehensive terms of reference with regard to plan governance and content. But against the backdrop of the legislation discussed above, the BS25999 standard could be used as a rather heavy stick to beat people with:
* Firstly, the Civil Contingencies Act. As a senior manager in a ‘regulated’ organisation I would want assurance that my key business partners had sufficiently robust plans; I would now expect them to be BS25999 compliant. If they are not, I might recommend that my management go elsewhere to source the required goods and services;
* The Companies Act. If we accept the importance of business interruption as a major ‘risk & uncertainty’, then there will need to be comment and assertions made about business continuity arrangements in the Business Review section of the company’s annual report. Furthermore, users of the report would read it with the expectation that where standards exist with regard to risk management (i.e. BS25999) the company is compliant with these standards and has processes in place to ensure that compliance is maintained.
The combined effect of the Civil Contingencies Act, The Companies Act and BS25999 has raised the bar with regard to business continuity planning for many organisations. Consequently, compliance with BS25999 will become a major factor in maintaining commercial relationships and in meeting the expectations of users of company reports.
Steve Dance is Head of Consulting in London and South England for Glen Abbot Ltd.
During the first quarter of 2007 Glen Abbot will be conducting a series of briefings relating to the above issues and their implications for business continuity managers and senior management. To pre-register your interest in attending one of these briefings, please follow the link below and complete the registration form, using the ‘General Enquiry’ option. http://www.glenabbot.co.uk/contact_us.htm

•Date: 1st Dec 2006• Region: UK •Type: Article •Topic: BC general