By Andy Osborne, Consultancy Director, Acumen
Background - BS25999 overview
BS25999, published by the British Standards Institution, is the British Standard for business continuity management. Whilst other national business continuity standards exist, BS25999 has become the de facto standard internationally, and forms the basis of the international (ISO) standard, ISO22301, which is currently being developed.
BS25999 consists of two parts, with part 1 containing the code of practice for business continuity management (process and guidelines) and part 2 the specification (the process and benchmarks for achieving certification).
The introduction to BS25999 part 1 states that it “establishes the process, principles and terminology of business continuity management (BCM). The purpose of the Standard is to provide a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in the organization’s dealings with customers and other organizations. It also enables the organization to measure its BCM capability in a consistent and recognized manner.”
The business continuity management lifecycle outlined in BS25999 part 1 comprises six elements, as illustrated in the following diagram:
Specific activities within each element of the lifecycle include:
● BCM programme management:
・Defining scope, roles and responsibilities
● Understanding the organization:
・Business impact analysis
・Identification of critical activities and recovery time objectives
・Determining continuity requirements
● Determining BCM strategy:
・Identifying and selecting strategy options (to include, as appropriate, people, premises, technology, information, supplies and stakeholders)
● Developing and implementing the BCM response:
・Incident response structure
・Plan development (incident management and business continuity plans)
● Exercising, maintaining and review:
・Developing an exercise programme
・Exercise planning and delivery
・Establishing a maintenance programme
・Reviewing BCM arrangements (internal/external audits and/or self-assessments)
● Embedding BCM in the organization’s culture:
・Awareness and education
BS25999 - the roadmap to a robust, fit for purpose business continuity capability?
The business continuity world is currently showing significant interest in BS25999. There is a variety of reasons for this, including:
· A greater awareness and acceptance of the need for business continuity management;
· Supply chain pressure, with a growing number of large organizations, in both the public and the private sector, now demanding BS25999 certification of their suppliers;
· Regulatory pressure in some industries to adopt BS25999 or equivalent external standards;
· A desire to adopt (and be seen to adopt) best practice;
· Commercial advantage over competitors, particularly when tendering for new business;
· Marketing and PR opportunities.
Perhaps unsurprisingly, the strongest driver, at least in the UK, is coming from supply chain and regulatory pressures - in other words, many organizations are implementing BS25999 because they are being told to do so.
And why not? After all, gaining certification to the standard is guaranteed to result in a robust, fit for purpose business continuity strategy and plan, isn’t it? The problem is that this is not necessarily the case.
Granted, BS25999 (or, for that matter, other similar standards) provides a sound framework, which covers all of the widely-accepted, best-practice steps in the business continuity process, which is a very good thing. And following the guidelines in the code of practice (BS25999 part 1) should help an organization to develop a reasonable business continuity management system (BCMS) – at least one that meets the requirements of the standard. But that in itself is not a guarantee of an effective BCMS – or, more importantly, an effective business continuity capability.
Certification to BS25999, as with any standard, merely confirms that the organization in question can provide sufficient evidence to satisfy the auditor that it has followed a recognized process. Whilst it is reasonable to suggest that following that recognized process will result in a quality end result, that is by no means a certainty.
Sticking with the word ‘quality’ for a moment, to illustrate the point, it is possible to draw a parallel with quality standards, such as ISO9001. Many readers will, I’m sure, have had experience of organizations that, whilst they may well have achieved formal certification against a recognized quality standard, spectacularly fail to deliver anything resembling quality in their products or services, or in the way they deal with their customers.
As with any system or process, the quality of the output depends on the quality of the input and, to a very large extent, on the experience and abilities of the people involved in it. And, sadly, there are many auditors who, whilst they may be very experienced and capable auditors, are not sufficiently qualified as BCM practitioners to be able to recognise what “good” looks like.
Worse still, it is, unfortunately, possible to ‘manufacture’ a BCMS, along with the required ‘evidence’, that meets the requirements of an audit. But does this result in a robust, fit for purpose business continuity capability?
The bottom line is that it depends on how an organization applies the BS25999 process. A robust business continuity capability requires more than doing the minimum required to get a ‘tick in the box’ from an auditor.
To give just one example, one of the key elements of the BCM lifecycle is the business impact analysis (BIA), and a certification auditor will, quite rightly, want to see evidence that a BIA has been carried out. Often this evidence will be in the form of a BIA report. And, provided that the report contains data that meets the criteria set out in BS25999 part 2, it is reasonable to expect that the auditor will ‘tick the BIA box’. But any experienced BCM practitioner or consultant will tell you that there is more than one way to conduct a BIA; that some are more effective than others; and that the quality of a BIA’s output is at least as dependent on the quality, experience and seniority of the participants as it is on the process.
So an experienced business continuity consultant performing a ‘health check’ audit (as opposed to a certification audit) will look for more than merely the existence of a documented process and a BIA report that contains the necessary headings. They will look to see who was involved, including their seniority, experience, knowledge of the business and ability to see ‘the bigger picture’; they will examine how the data was gathered, from whom and by whom (whether by questionnaires completed in isolation, or through one-to-one interviews or workshops, and whether an experienced facilitator was involved, and so forth); they will look at whether and how the outputs were challenged and validated; and they will look at a number of other things that an auditor lacking in BCM experience might not consider. So, whilst the requirements of the standard may have been met, it is entirely possible that the BIA output is fundamentally flawed, in which case the resulting BCM strategy may be flawed too.
The scope of the certification is also extremely important. Some organizations have been known to choose a scope so narrow as to make certification almost meaningless. So it is crucial for an organization seeking assurance that a key supplier has an effective BCM capability to satisfy itself that the scope covers the critical products or services supplied to it. In other words, to get the information they need, they need to ask the right questions: perhaps asking to see the certificate and checking the scope of certification, rather than merely taking any statements about certification at face value.
I am not suggesting for a moment that there is no value in an organization aligning their BCM efforts to the requirements of BS25999 or in seeking BS25999 certification - far from it. The guidelines and certification criteria contained in BS25999 were developed with significant input from a number of very experienced and able business continuity professionals and therefore provide a sound basis on which to develop a BCM programme.
What I am suggesting, however, is that it is very easy to confuse certification with capability, and that BS25999 certification does not necessarily guarantee a robust, fit for purpose business continuity capability.
So by all means use BS25999 as the benchmark for your business continuity programme and work towards certification if that’s important to you. And by all means ask your key suppliers about their BS25999 certification. But it might be wise to just take a step back and think about why you’re doing this: to get a tick in a box, or to actually make your organization more resilient?
● This article was translated into Japanese and published in the magazine "Risk-taisaku.com", vol. 25.