Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

BS 25999 needs a continuity capability statement

By Robin Gaddum, MBCI.

The British Standard for Business Continuity Management is, like that famous strap-line used in a well-known beer commercial, "probably the best [business continuity standard] in the world." As a co-opted member of the British Standards Institution (BSI) BCM/1 committee, which was responsible for developing BS 25999 and continues to actively develop business continuity related advice and guidance, you might expect me to say that. I’m biased and you need to know of both my involvement with the BSI standards body and the fact that, whilst I share my views broadly, this article sets out my own opinion, which may not necessarily be shared by the BCM/1 committee.

BS 25999, in my view, continues to deliver a beneficial effect in terms of establishing a common language and framework for business continuity management, which is driving improvement in business continuity practice, arguably worldwide. When standards like BS 25999 are written, every effort is made to ensure they are broadly applicable and reflect industry good practice. The BSI process is open, consultative, inclusive and ultimately consensus-based and many experienced business continuity practitioners will proudly tell you they had a hand in writing BS 25999.

However, in any industry, good practice is a moving target and constantly evolves and improves. By their very nature, Standards take years to develop, tending to lag behind industry good practice. Part 1 of BS 25999 was published in 2006 and is fast approaching its fifth birthday. At some point it will need an update, so what’s the one big thing I would change?

Whilst Part 1 was in development five years ago, I’m not sure we all understood the significance of defining BS 25999 as a management system standard. Defining a management system means setting out what processes are needed to establish and continue to operate business continuity in an organization. It’s a lot like a quality management system in this regard. A quality management system may mean that a product is created to a consistent, and not necessarily high, quality standard. This is fine when you are making tins of baked beans where the quality is easily determined by the consumer, but is more problematic with business continuity.

You may be granted BS 25999 certification but how do you know if your business continuity is good enough, not just to enable your own organization’s survival but also to satisfy the continuity requirements of your customers? Where is the simple statement of capability that top management should review and sign off annually and customers should ask to see along with your certificate?

In June 2010 the Financial Reporting Council (www.frc.org.uk) introduced changes to the UK Corporate Governance Code (formerly the Combined Code) to enhance risk management, including the following accountability:

“The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.” [1]

Driven principally by regulators, it seems to me that the board, shareholders, customers and auditors are looking for a simple, standard means of identifying and communicating an organisation’s business continuity capability. This capability statement would also be of particular value in providing continuity assurance to supply chain partners. So why don’t we create a template and add the requirement to BS 25999 for its production and annual review by top management?

There is a precedent. The UK Tripartite Authorities’ (www.fsc.gov.uk) 2005 Resilience Benchmarking Project report called for more transparency between recovery site providers and their clients regarding syndication risk. The report included an example Voluntary Risk Declaration form to encourage suppliers of recovery facilities to submit syndication risk information to their customers. The Business Continuity Institute (BCI) made Voluntary Supplier Risk Declaration templates available to download from the Institute’s website and today you can obtain this information from your UK recovery site provider upon request.

Of course these things are often more complex than they seem and I imagine a high level continuity capability statement will have to be underpinned by more detailed information for each product or service. But all of the ingredients are there to make this happen. BS 25999 already delivers the basic information needed to populate a continuity capability statement and the BCI could engage volunteer practitioners to develop and publish a template. There is also a benefit to regulators are seeking to enhance risk management, reporting and transparency; to organisations looking for a more effective means of identifying and managing their supply chain continuity risk; and to business continuity professionals seeking to keep top management actively engaged and committed to sound business continuity management.

All it needs is a nudge in the right direction. Here I am, nudging...

[1] © The Financial Reporting Council Limited (2010). Reproduced with the kind permission of the Financial Reporting Council. All rights reserved.

Robin Gaddum, MBCI, is senior managing consultant, Business Continuity & Resiliency Services, IBM United Kingdom Limited. Read Robin’s regular blog at http://risky-thinking.blogspot.com

Make a comment

•Date: 20th Jan 2011 • Region: UK/World •Type: Article •Topic: BC general

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here