
Continuity Standards Take the Lead



In that curious enclave between business, government, professional institutes, trade organisations and academia sit the National and International Standards bodies. They are not normally noted for generating excessive enthusiasm in the business community; often being perceived as worthy rather than exciting, more bureaucrat than entrepreneur. By Lyndon Bird of the Business Continuity Institute.

Nevertheless the latest British Standards Institution (BSI) foray into the world of Management Systems - BS 25999 - seems to be not only creating much debate, excitement and energy in Business Continuity Management (BCM) circles, but also amongst real-life managers. Not since the emergence of Total Quality Management systems has a formal standards-based approach to a management discipline made such an impact.

To put it in perspective, when the initial draft of the Code of Practice was released for public consultation there were 5000 downloads from all around the world. Previously the BSI in its 100-plus year history had never had more than 250. There were enormous volumes of comment to absorb and incorporate before the Code could be released. Much of the feedback was positive, but some of it was violently opposed to any form of standard in this field.

Currently BS25999 Part 2 is out for consultation and a similar phenomenon is being experienced. This is perhaps more understandable as this does set out to be stronger in its demands on organisations. Part 1 suggested how you should do BCM, Part 2 tells you what you must do if you want to comply with its guidelines. The BSI Technical Committee, which has put the standard together, is braced for a massive amount of feedback. All comments will be grouped, rated, reviewed and considered; nothing will be ignored. However, at some point in late 2007, BS25999-2 will be published and companies will at last be able to submit their BCM Programmes for real scrutiny.

However, why would they want to? That is the key question. Perhaps the answer is simply because the topic is quite difficult to ignore, with ever-increasing legislation and regulation being forced upon organisations. It is easy to imagine what the press could do to the directors of a company that goes out of business leaving employees, pensioners, customers and shareholders stranded and publicly admitting that they had inadequate BCM provisions.

Imagine a future in which regulated firms had their licences revoked as a result of having inadequate internal controls or weak corporate governance. It is difficult to defend having no BCM in place when you talk about control or governance; but until now what you need to do has been relatively vague. After BS25999 failure will be much harder to justify, to your auditors, insurers or (after a disaster) to the court of public opinion.

As with all initiatives of this type, there will be people deriding it as anti-business in that it imposes another layer of cost and compliance. This does not really need to be the case; the standard is very much principle-based and not rulebook-driven. It is about appropriateness and scalability, and is not a ‘one-size-fits-all’ approach. The Technical Committee has around 40 members who represent various constituencies, not only from traditional Business Continuity but also from Risk Management, Emergency Planning, Security and the Media.

The Government, Financial Regulators, auditors and most business sectors have also been involved heavily. Like any large committee of this nature, this one has had to accommodate many different views and philosophies, so the emergence of a consensus view from such a disparate group is particularly unusual and encouraging.

When Part 2 is published you might think the standard is in place and will be taken up widely by business. Actually, however, acceptance gets even more problematic. The professional perception of the standards tends to be based upon their earlier successes with quality and is about a methodology for continuous improvement rather than the actual subject matter. This can make the text look bland and somewhat simplistic. Frankly, I don’t see many CEOs choosing it for an inspiring late night read.

However, what might it mean to companies at a practical level? Both suppliers of products and services as well as consumers of those goods have different expectations for BS25999 - but will it meet them? Steve Mellish, Head of Business Continuity at J.Sainsbury, thinks it will make an enormous difference. He told me recently that “We are already having initial conversations with our critical suppliers to decide how we can best use BS25999 to benefit both parties. These are early days but we see it as a positive tool in helping our critical suppliers develop their own business resilience as well as supporting Sainsbury’s specific needs”.

If you take Mellish’s view at face value, he appears to be saying that the process that BS25999 encourages is more important than the certification document itself. Although auditors and consultants might argue the point, that is essentially the purpose of all Management System Standards – they promote the concept of the PDCA model (Plan, Do, Check, Act). They are not about detailed technical specification but about creating a virtuous circle of continuous improvement. In BCM terms they don’t tell you how to do a Business Impact Analysis but they do tell you that you need to put in train an acceptable way of understanding your business, its threats, vulnerabilities, impacts and priorities. Part 2 also will tell you that you must have documentation to prove the above.

What this is all really leading to is more control on how organisations operate and how they guarantee continuity of business operations. In particular there is much stricter regulatory control in the financial sector. In the UK for example, the FSA (Financial Services Authority) has for some years been moving regulated firms towards BCM standards, which although not very specific are still required for compliance. In the US the Federal Reserve has taken a similar but more powerful approach, with some mandatory elements. Other powerful if not legally enforced directives have been issued in many areas of the world including Singapore, Korea and Australia.

There is clear evidence that there is a coming together of BCM thinking amongst the various financial regulators, which is likely to be a strong driver for more consistency. The Basel Committee on Banking Supervision, Joint Forum has issued seven high-level principles in a document for BCM that individual country regulators will look to enforce. The countries represented were: the US, UK, Canada, France, Netherlands, Hong Kong, and Japan; so although not universal the document does represent most of the major players in financial markets.

Governments have also started to become engaged in the BCM debate. The Sarbanes-Oxley Act (SOX) in the US has created a situation in which directors and officers of companies are personally responsible for control failures within their organisations. This Act not only applies to US companies but also to non-US companies operating within US markets, and of course to the foreign subsidiaries of US-domiciled corporations. There is now a Japanese version of SOX and talk of a European SOX.

The UK Government has linked its support for Business Continuity to its general strategy to upgrade its Public Protection capability. The Civil Contingencies Act has defined a group of Category 1 Responders (Police, Emergency Services, Local Authorities, Hospitals) and Category 2 Responders (Government Agencies, and utility providers). All of these organisations must have full BCM capability in place. From May 2006, the law also puts a duty of care on local authorities to promote the concept of BCM to firms in their locality.

Perhaps the real benefit of having standards is demonstrated by the old adage ‘If you can’t measure it, you can’t manage it’. Standards do give the ability to measure business continuity capabilities between regions, countries, sectors and companies. BS25999 will not guarantee that you have got it right, but it will give you a good route map, a clear view of your current position and reliable signposts to help on the journey.

Lyndon Bird is Technical Services Director of the Business Continuity Institute, which has 3,500 members in over 80 countries promoting the art and science of Business Continuity Management Worldwide.

 

The articles published here in the Thinking CEO are internet updates of the latest management knowledge and practice, which have been commissioned by Sovereign Publications for their bi-annual magazine, CEO Today, and will appear later in the first 2007 issue of this publication. To contact Sovereign and CEO Today, go to:

http://www.sovereign-publications.com/ceo-art.htm

 

