Http _click.bsi-global-email


Published on

Published in: Business, Economy & Finance
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Http _click.bsi-global-email

  1. 1. Business continuity managementand risk managementThe role of standardswww.bsigroup.comraising standards worldwide™
  2. 2. Business continuity management (BCM) has become a crucialdiscipline for every organization. What originated alongside riskmanagement as a specialist activity in the information technologyfunction has broadened to encompass all aspects of a company’soperations. Many organizations increasingly take an enterprise-wide view of business continuity and risk management, andconsider the impact of disruption on every aspect of their business.Companies that have put in place effective BCM will be ableto recover more quickly from disruption and have a betterunderstanding of how a range of events might affect theiroperations. By building close links between BCM and riskmanagement, organizations will be well placed to understandtheir overall exposure to business interruption and be fullyprepared to respond should the unexpected occur. In many ways,good BCM and risk management is a proxy for good overallmanagement. It demonstrates to customers, partners and otherstakeholders that the organization takes a robust approach to risk,and provides reassurance that the business can keep going in theevent of a business interruption.In recent years, standards have become a vital part of BCM andrisk management, and are becoming more widely adopted both inthe UK and around the world. The development of internationalstandards is likely to strengthen this trend. By implementingstandards, organizations gain the assurance that they are adheringto best practice. Adoption of a BCM or risk management standardcan also provide assurance to trading partners that measures arein place to manage risk effectively and to deal with any disruptionthat may arise.Executive summaryContentsAn organization that puts in place sound business continuity management and riskmanagement is sending out a message that it can respond robustly to disruptionIntroduction 3The need to secure continuity 4Convergence of BCM and risk management 6The evolution of business continuity standards 8Implementation and assessment 10Business benefits of BCMand risk management standards 13Case Studies2 | Business continuity management and risk management – www.bsigroup.comPwC 12Interxion 7 Linklaters 15
  3. 3. Businesses operate in an increasingly riskyenvironment. Modern organizations are relianton large, inter-connected supply chains thatoften span continents. The recent growth inthe number of Western companies openingoffices in emerging markets, combined witha long-term trend towards offshoring, meansthat businesses are more vulnerable than everbefore to a variety of external disruptions.These can include adverse weather, such ashurricanes and floods, infrastructure problems,such as transport delays or electricity gridfluctuations, and supply chain failure.This increased exposure has led manyorganizations to develop business continuityprogrammes that enable them to keepoperating in the event of disruption. In a2011 survey published by the CharteredManagement Institute, entitled ManagingThreats in a Dangerous World, of which BSIwas a sponsor, 82% of respondents claimedbusiness continuity management (BCM) wasregarded as either “very important” or “quiteimportant” and 58% said that their companyhad BCM in place.Today, a successful BCM strategy will considerthe impact of disruption on all aspects ofthe business, from IT and manufacturingto human capital and logistics. At thesame time, awareness of the importanceof risk management is continuing to grow,partly driven by regulation and by thehigher expectations of investors and ratingagencies. Increasingly, it seems likely thatthe two disciplines will come to be seenas complementary, with the board takingresponsibility for both in the future underthe general rubric of governance, risk andcompliance.Companies that have implemented BCMsystems have found that they recover morequickly when hit by disruption, and that theprocess of implementation has enabled themto improve business processes throughoutthe organization. They may also benefit fromlower insurance premiums. Although there isno fixed discount rate on insurance to rewardcompanies for having a BCM programme inplace, the 2011 BCI Insurance Guide fromthe Business Continuity Institute Partnershipsuggests that savings of up to 15% have beenachieved by some organizations.Increasingly, companies that adopt BCMsystems want recognition that they aremeeting an appropriate performancebenchmark. They also want assurance thattheir partners and suppliers are making asimilar commitment. Until recently, therewas no satisfactory way of ensuring that anorganization had good BCM systems in place.But BS 25999, the British standard publishedin 2006 and 2007, has been influentialin addressing this problem. The standardconsists of two parts: a code of practice and aspecification against which organizations canbe certified. It will form the basis of a new ISOstandard on business continuity that will bepublished in late 2011/early 2012.“Standards give organizations the assurancethat their implementation of BCM hasbeen thorough, and allow them to reassuretheir customers and partners that theirBCM processes are sound,” says Mike Low,director of BSI Standards. “By requiring theirown suppliers to use the standard or obtaincertification, organizations can also havegreater confidence that they are minimizingrisks in the event of supply chain failure.”IntroductionWith the majority of organizations now viewing BCM and risk managementas critical, standards are central to providing a benchmark for management systemsStandardsgiveorganizationstheassurancethattheirimplementationofBCMhasbeenthorough,andallowthemtoreassuretheircustomersandpartners.Useful continuity management and risk management – | 3
  4. 4. The eruption of the Eyjafjallajökull volcano inApril 2010 took most people by surprise, andfew were prepared for the consequences.For several days, planes were unable to fly.Travellers were stranded in hotels and airports.Children were unable to start back at schoolfor the summer term.If the eruption proved an inconveniencefor travellers, for many businesses theconsequences were severe. Airlines lostmillions of pounds. Exporters were unable tofly their goods from one part of the world toanother. Businesses that were heavily relianton the global supply chain found themselveswithout essential components. In some cases,key members of staff were stranded on theother side of the world.The impact of the eruption highlighted thecomplexity and inter-dependency of modernbusiness. While many organizations nowunderstand the need to have plans in placeto cope with business disruption, whetherit is a power cut or a flu epidemic, few hadforeseen the problems that might arise inthe event of a lengthy period without accessto air travel. A 2010 Gartner report into theeffects of the disruption, Out of the Ashes:Business Continuity Management LessonsFrom Iceland’s Volcanic Eruption, found thatsome automobile manufacturers in Europehad to shut down operations after only a fewdays of disruption, while logistics companies,such as Fedex and UPS, became unable tohonour their service level agreements todeliver overnight.The modern business is increasingly susceptibleto disruption from outside sources. In thepast 10 years, we have seen the 9/11 terroristattacks, floods in Australia and Pakistan, andthe earthquake and tsunami in northernJapan. While events such as these may oncehave seemed remote, today their impact isfelt by businesses everywhere. The increasingdependency on offshore outsourcing, the useof just-in-time sourcing, the trend for Westernbusinesses to seek new opportunities in Asiaand the reliance on inter-connected supplychains that span the globe make businesseshighly vulnerable. One break in the link causesdisruption for every business further down thesupply chain. In many cases, a business maynot even be aware of all the other companieson which it relies. In a globalized economy, theneed to manage the risk and to put in placebusiness continuity plans to deal with potentialdisruption is paramount.A 2010 survey of resilience professionalsby the Business Continuity Institute (BCI),entitled Supply Chain Resilience 2010, foundthat 72% of respondents had experiencedat least one disruption to their supply chain.Companies using low-cost countries wereThe need to secure continuityThe shocking impact of natural disasters has made business wake up to the urgency ofprotecting supply chains and managing risk in today’s increasingly globalized economyWe’vegonefromthemodeloflowestriskatanycost,tothemodeloflowestcostatanyrisk–andit’sdawnedonorganizationsthatthey’vegonetoofar.4 | Business continuity management and risk management –
  5. 5. particularly likely to have been affected.Among this group, 83% had experienceddisruption, mainly as a result of transportnetwork problems or supplier insolvency. PaulHopkin, technical director at AIRMIC, pointsout that historically, businesses have beenso keen to minimise risk that they partneredwith only a few trusted organizations, andkept as many processes as possible in house.Ford, for example, not only made its own tyresbut also owned the rubber plantation thatprovided the raw material for the tyres. Now,the opposite is true. “We’ve gone from themodel of lowest risk at any cost to the modelof lowest cost at any risk,” says Mr Hopkin.“And it’s dawned on many organizations thatthey’ve probably gone too far.”Development of BCMBusiness continuity management has its originsin the IT department. Initially, companies wereconcerned with the need to recover data inthe event of an interruption, whether it was ahard disk crash, a power cut or a fire. In recentyears, organizations have come to understandthat the actions that are needed to keep abusiness running involve much more thanaccess to lost data. Because of the multiple,and often inter-connected, ways in whichexternal disruption can affect a business, manyorganizations now take an enterprise-wideview of business continuity. This means thatthey look at the impact of disruption on allfunctions, taking a holistic approach ratherthan leaving individual business units toformulate their own plans.In the initial stages, this requires strongleadership and a top-down approach toimplementing a BCM plan. “Without seniormanagement commitment, you’re nevergoing to have effective business continuity,”says Malcolm Cornish, managing director ofRecovery Management International (RMI).Regulatory frameworks have also played apart in bringing business continuity to theboard’s attention. A 2011 BCI report, entitledEngaging & Sustaining the Interest of theBoard in BCM, found that the primary driverin 50% of cases where BCM programmes hadbeen adopted was the need for companies tomeet regulatory requirements.Thedependencyonoffshoreoutsourcing,theuseofjust-in-timesourcing,andtherelianceonglobalsupplychainsmakebusinesseshighlyvulnerable.Business continuity management and risk management – | 5
  6. 6. This increased focus on BCM withinorganizations has coincided with therising importance of risk management onthe corporate agenda. Historically, somebusinesses have treated business continuityand risk management as separate disciplines,but there is a growing realization that the twoare closely connected. While risk managementis concerned with the likelihood of anadverse event occurring and the steps thatare required to prevent it, BCM looks at whatneeds to be done if such an adverse event hasalready occurred. In other words, BCM is lessconcerned with the cause of the disruptionand more with what needs to be done to keepthe business going.The historic separation of BCM and riskmanagement often meant that potentialareas of overlap or conflict were ignored.By building BCM and risk management intothe same wider governance framework,organizations get a much better pictureof the totality of their risk. They can alsoassess more clearly where the priorities foridentifying and mitigating risks should lie. “Ifyou don’t integrate your business continuityprocesses with your organization’s other riskmanagement processes, then you may findthat instead of complementing each other,they counteract each other,” says KevinBrear, chairman of BSI’s Societal SecurityManagement (SSM/1) committee.A top-level, holistic view of risk andgovernance is essential for an effective riskframework. Increasingly, corporates nowgroup governance, risk and compliancetogether, as a way of recognizing the overlap(and potential conflict) that exists betweenthose three disciplines. “In any organizationthat cares about good governance, businesscontinuity should register somewhere intheir strategic risk framework,” says MrBrear. “The business continuity team shouldbe answerable to the responsible executivedirector, the person on the governing boardwho controls that portfolio.”Lee Glendon, head of campaigns at theBusiness Continuity Institute, cites anexample of how the disciplines of businesscontinuity and risk management were broughttogether effectively. Euroclear, a financialservices organization, had separate businesscontinuity and risk management functions,with business continuity focusing principallyon IT, people and buildings. The firm decidedto bridge the two disciplines and carried outan exercise simulating the collapse of a majorcounterparty. Two months later, LehmanBrothers, one of the firm’s counterparties,collapsed. Because Euroclear had looked atrisk and BCM in tandem and put the necessarypreparations in place, the firm was able tocope.Convergence of BCM and risk managementBy linking the disciplines of business continuity and risk management, organizationsare able to gain a much clearer picture of their overall risk and plan accordinglyIfyoudon’tintegratebusinesscontinuitywithriskmanagement,youmayfindthattheycounteract,insteadofcomplement,eachother.6 | Business continuity management and risk management –
  7. 7. Interxion is a leading provider of carrier-neutral co-location data centreservices in Europe, serving more than 1,100 customers through 28data centres in 11 European countries (such as HP, ABN AMRO andLeasePlan). Interxion’s uniformly designed, energy-efficient data centresoffer customers extensive security and uptime for their mission-criticalapplications.Interxion took the decision to seek certification to BS 25999 for BCMbecause prospective customers were looking for proof that a robustBCM process was in place. “My view is that certification to BS 25999is becoming a must-have,” comments John Shannon, Interxion’s ISOprogram manager. “When we have customers coming in to do theirown audits they look heavily into business continuity. By having BS25999, we can demonstrate that we have dedicated the time and theresource into putting the necessary requirements in place, and reassurecustomers that we are delivering the highest level of business continuity.”In addition, the certification enables Interxion to deliver market-leadingservice level agreements (SLAs). “I think the whole reason for thecertification going forward is to support our SLAs, to guarantee to ourcustomers that we are committed to doing everything possible to ensurewe are state of the art in terms of BCM provision,” says Mr Shannon.With BSI, Interxion is able to get combined audits, which are “very easy,streamlined and efficient”, and to benefit from BSI’s expertise. “Workingalongside a BSI business continuity technical advisor, a review highlightedareas that otherwise may not have been addressed,” says Mr Shannon.“The guidance that was given was invaluable and can only add to thelong-term success of the BCM system.”Interxion’s implementation of BS 25999 was considerably acceleratedand simplified by using the pre-existing ISO/IEC 27001 informationsecurity management system. Aart Bitter, BSI’s lead assessor for Interxion,estimates that 60-80% of the structure already existed. “Businesscontinuity is already part of 27001,” he notes. “At a practical level,Interxion already had BC in place, including the framework, the riskassessments, the business impact assessments and the continuityplans. They only had to be sure that they also fulfilled all the formalrequirements of BS 25999 in relation to their BCM system.”The certification proves to customers that Interxion’s BCM systemmeets the most exacting requirements and moreover that Interxion iscommitted to providing the best possible service at all times, regardlessof interruption. Additionally, through having risk management and theimpact analysis process working together, Interxion has greater controlof the common business risks it faces across multiple locations. Finally,Interxion can set market-leading SLAs with confidence and credibility,giving it an important competitive advantage.InterxionCase StudyBusiness continuity management and risk management – | 7
  8. 8. As the value of business continuitymanagement has become more evident, andas more organizations have implemented BCMprogrammes, standards have become a vitalpart of the BCM approach.There were several factors behind the decisionto develop business continuity standards.First, there were calls from business andgovernment leaders for a standard thatcould help them carry out business continuityplanning in the event of disruption. The CivilContingencies Act 2004, which required thegovernment (and hence the private sector) tobe fully prepared to respond to emergencies,was a major driver, as was widespreadregulation in the financial services sector.High-profile disruptions, such as the Buncefieldoil explosion and the 7/7 bombings in 2005,also demonstrated the need for a standard toprovide businesses with a consistent approach.BS 25999-1, Part 1 of the business continuitystandard, which was published in 2006, isa code of practice that describes how anorganization can establish and maintaineffective business continuity arrangementsusing the BS 25999 Business ContinuityManagement Lifecycle.BS 25999-2, Part 2 of the business continuitystandard, published in 2007, is a specificationthat describes how an organization canimplement, maintain and improve aBusiness Continuity Management System(BCMS) based on the Plan, Do, Check, Act(PDCA) cycle. This approach is also used inmanagement standards, such as ISO 9001.The PDCA model forms part of an approachknown as systematic management, whichinvolves planning a change (or changes),making that change, checking whether thechange has had the desired effect and theninstitutionalizing the change. An organization’scompliance with the specification can beaudited, so organizations that comply with itcan receive certification.The standard, which is sector-neutral, has beenadopted in many different countries, not justthe UK. Other business continuity standardshave also been created in recent years.These include the US National Fire ProtectionAssociation standard NFPA 1600, which is anemergency management standard that alsoincludes a business continuity element.Although business continuity standards haveyet to achieve the reach of the very successfulISO 9001 quality standard, they have beensteadily gaining ground. In a 2010 surveyby the Chartered Management Institute(CMI), entitled Disruption and Resilience,14% of organizations said they used BS25999. Standards can also be a driver behinddeveloping a business continuity programme.According to the BCI survey, Engaging &Sustaining the Interest of the Board in BCM,the existence of standards acted as a driverfor implementing BCM among 19% oforganizations.Globalization demonstrates a growing needfor an international standard. While othercountries have developed standards relevantto local conditions, BS 25999 is already usedThe evolution of business continuity standardsStandards are now providing a structure for business continuity management, allowingcompanies to demonstrate that they have taken the necessary measuresThepublicationofthesestandardshasencouragedorganizationstotakeamorestructuredapproachtoriskmanagement.8 | Business continuity management and risk management –
  9. 9. worldwide. The new ISO standards on businesscontinuity, ISO 22301 (a requirement standard)and ISO 22313 (a guidance standard), availablefrom late 2011/early 2012, are to a large extentbased on BS 25999. For businesses hesitatingabout which of the various competingstandards to adopt, this makes a compellingcase for adopting the British standard now. “Iam confident that if organizations implementthe British standard they won’t have to dovery much different to comply with the ISOstandard, if anything at all,”says RMI’s MalcolmCornish.The recognition that suppliers need toprovide evidence of continuity planning hasgrown gradually over the past four years.“Organizations are now recognizing at boardlevel that if they go for lowest cost, they needto think about the risks this involves muchmore carefully,” says AIRMIC’s Paul Hopkin.“They need to talk to their suppliers aboutcontinuity of supply.”Publication of the ISO standard may easeany difficulties that UK companies have inpersuading businesses in other countriesto comply with BS 25999. “If you say to asupplier in China or India that you would likethem to comply with the requirements of BS25999, there will be an element of questioningwhy this British standard is relevant in China,”explains Mr Hopkin. “Whereas if you tellthem that you want them to comply with anISO standard, there is a completely differentresponse to that request, because the standardis identified as an international standard. It’s avery beneficial development.”Risk management standards are alsobecoming more widely adopted. In 2008, BSIpublished BS 31100, the risk managementcode of practice, and this was followed in2009 by the publication of the ISO 31000standard on risk management. Thesestandards are complementary, covering similarground. Indeed BS 31100 is being revised tobecome an implementation guide to BS ISO31000. BS 31100 in turn will enter the ISOprocess to become an ISO in future years. Theirpublication has encouraged organizationsto take a more structured approach to riskmanagement, although there is not yeta certification process in place for eitherstandard.Adherence to standards, whether requirementor guidance, demonstrates commitmentfrom a company to effective BCM or riskmanagement. It shows that the organizationhas put in place measures to minimise itsexposure to risk or the impact of businessdisruption. “Adherence to a businesscontinuity standard doesn’t necessarily delivercompetitive advantage directly, but if it helpsto deliver operational resilience then thatcan give a competitive advantage,” says LeeGlendon of BCI.Of course, the real test arises when abusiness disruption occurs. “Time spent [onimplementing a business continuity standard]is time well spent,” says Mr Hopkin. “Youend up with more robust processes andcompetitive advantage because you are inbusiness when your competitors are undertwo yards of water.”Adherencetoabusinesscontinuitystandarddoesn’tnecessarilydelivercompetitiveadvantagedirectly,butifithelpstodeliveroperationalresiliencethenthatcangiveanadvantage.Business continuity management and risk management – | 9
  10. 10. Implementation of BS 25999 involves severalsteps. The process of implementation willnormally take six to 12 months, but could varydepending on the size of the company or thelevel of implementation required. Certificationwill generally be much quicker, although againthis will depend on the assessment schedulethat is required.Workshops and trainingWorkshops and training play an important rolein embedding business continuity throughoutthe organization. BSI offers a number ofcourses, including one on business continuitybasics and another introducing BS 25999.There is also a more in-depth course coveringthe implementation of a business continuityprogramme that is compliant with BS 25999.Audit courses are also available, as are courseson specific aspects of BCM. The courses aredelivered face to face.Exercises – or rehearsals – of what to doin the event of a business disruption areanother essential part of implementing abusiness continuity programme and can helporganizations in three ways.First, making sure that staff understand,and are fully prepared for, the impact of abusiness disruption. “A BCM exercise shouldbe a pivotal tool in educating your workforceand helping them to understand how theprocesses should work,” says BSI’s Kevin Brear.Second, raising awareness of businesscontinuity planning throughout theorganization. As Lyndon Bird, BCI technicaldirector, explains, business continuity is aboutmore than creating a plan. “It’s about gettingeveryone involved in the process, including thetop management, and embedding it into thestrategy of the business, rather than someonesimply writing a document that may or maynot be effective.”Finally, identifying any gaps or failings in theplan. The CMI’s survey Managing Threatsin a Dangerous World found that 48% ofmanagers whose organizations have businesscontinuity plans undertake an exercise of theirplans at least once a year. Seventy per centof those who had rehearsed their businesscontinuity plan said that the rehearsal exposedshortcomings in their plan. This clearlyemphasizes the value of such rehearsals.The report gave the example shared by onehealth and social care manager, who said: “Inour rehearsal for electricity loss, the back-upgenerator did not operate. As a result, wewere able to replace the unit and preventfuture disruption.”Self-assessment toolsBSI has designed an online self-assessmenttool to enable organizations to evaluatetheir existing BCM arrangements in line withthe requirements of BS 25999-2. It can beused to assess a single site, or multiple sitesImplementation and assessmentOrganizations preparing to implement BS 25999 will find that BSI can help them to doso in many ways, such as internal audit training and business disruption rehearsalsABCMexerciseshouldbeapivotaltoolineducatingyourworkforceandhelpingthemtounderstandhowtheprocessesshouldwork.10 | Business continuity management and risk management –
  11. 11. with multiple users. The toolkit can guidean organization through the whole process,enabling it to plan, implement, operate,review, record and report on its BCM system.Once the self-assessment has been completed,organizations can put forward their BCM plansfor external review.Gap analysisGap analysis provides an independent reviewof an organization’s business continuitymanagement system to check its readiness forBS 25999 certification. Many organizationshave robust BCM programmes, but have notadopted the management systems approachused in BS 25999. A gap analysis conductedby a BSI auditor can help the organizationbridge this gap quickly and effectively.Independent assessmentCertification enables organizations todemonstrate to stakeholders that they arecompliant with BS 25999-2. BSI will carryout an audit to ensure that an organizationcomplies with BS 25999 and provides acertificate as proof of compliance.This offers public assurance that the businessis robust, resulting in a reduction in audits bycustomers or other partners, who will see thecertification as evidence that the business hasput best practice in place.Organizations that have implementedBS 25999 successfully will want to assessthe BCM strategies of businesses in theirsupply chain and help those organizationsto implement the standard. The BCI surveySupply Chain Resilience 2010 found that themajority of organizations (85%) reviewed theirbusiness continuity plans with key suppliers. Itfound that the financial sector was particularlyadvanced in its approach to supply chain BCM,in terms of key indicators such as “checkingthe supplier has a BCM programme in place,its scope and relevancy to the product orservice being purchased”.BSI’s Entropy software enables organizationsto measure their own compliance in BCM, butalso to manage, measure and compare supplychain compliance.OrganizationsthathaveimplementedBS25999successfullywillwanttoassesstheBCMstrategiesofbusinessesintheirsupplychain.Business continuity management and risk management – | 11
  12. 12. PwC is one of the world’s largest providers of professional servicesin assurance, tax and business consulting. A global network ofindependent firms, PwC operates in 154 countries. The UK firm, whichgained certification to BS 25999 for business continuity management inOctober 2009, operates around 40 offices with more than 16,000 staff,and turned over £2.33bn in the year to June 2010.The firm felt that an independent third-party certification to BS 25999would give clients compelling evidence that it takes continuity of servicedelivery very seriously. The firm often receives requests from clients forconfirmation that there are robust BC provisions in place. Certificationalso shows PwC’s insurers that the firm is acting to minimise the impactof business disruptions. “PwC wants our clients to have the best possiblelevel of assurance in every area,” says Andrew Mason, PwC’s head ofbusiness continuity.PwC’s BCM team undertook BS 25999 internal audit training to preparefor assessment. “I would recommend people do the training becauseit gives you a better understanding of what the MS is about and whatauditors will be looking for,” says Mr Mason. The business continuitymanagement system (BCMS) was developed based on PwC’s existingcertified ISO 14001 management system and PAS 99, the integratedframework for management systems. The implementation of the BCMStook around six months from gap analysis to certification.During implementation, PwC’s biggest task was formally documentingthe programmes that were already in place. This resulted in a dynamicmanagement system that meets the needs of PwC’s culture andstructure. “Everyone is trained and so knows what to do whensomething happens,” says Mr Mason. “We also have 500-600 peoplewho have specific BC roles and feature in dynamic plans. The corestrategy is to get the right people round the table – and it can be a virtualtable – with access to the right information. They will make the decisionsand we can escalate up and down and provide support as necessary.”Mason believes that certification will provide continued visibility –internally and externally – that PwC takes business continuity seriously.“At the end of the day, we want to continue to be able to service clients;that is what our business continuity is all about,” he says. “And thecertification ensures that you have a live, independently assessed, robustprogramme of activity that should continue to improve.”PwCCase Study12 | Business continuity management and risk management –
  13. 13. Standards play an important role in thedevelopment of BCM and risk management.Because they are created by industryprofessionals and experts, who have spenttime discussing and analyzing what does anddoesn’t work, they can distil the combinedwisdom of those with experience in thefield. In part, the benefit of standards can beattributed to the simple fact that they provideconsistency in approach and terminology, andprevent organizations from having to reinventthe wheel. As Kevin Brear puts it: “Standardshave brought some clarity of thought andconsensus of approach to the industry.”They also make it easier for stakeholders toassess whether a partner or supplier is fullyprepared for an interruption to business.A 2010 report from the BCI, entitled TheBusiness Case for BCM, found that thoseorganizations that had been independentlycertified against a standard such as BS 25999put “protecting brand/reputation” and“maintaining customer confidence” as thetwo key benefits to the organization of BCM.The knowledge that a business has met aBCM standard can be seen as a proxy of goodoverall management. It shows that it is activelytaking steps to protect its business, andreduces the likelihood that a major interruptionwill put it out of business altogether.This is particularly important for businessesthat are trading internationally and reliant ona number of suppliers. A supply chain is onlyas strong as its weakest link, and disruptionto one part of the chain will affect businessesin the rest of it. Some businesses are naturallycautious about using international partners forthis very reason. Adoption of a BCM or riskmanagement standard can provide assuranceto trading partners that measures are in placeto manage risk effectively and to deal with anydisruption that may arise.Standards supporting public policyBusiness continuity management and risk standards don’t justbenefit private business, they can also make a significant contributionto the success of local, regional and central government. Clearly,government organizations that adopt and use these standards will bemore prepared for managing risk in their operations. If governmentactively supports and promotes standards, this can also help it toachieve key public policy objectives.Standards are voluntary and can be an excellent alternative tolegislation, reducing the burden on business and helping underpinone of government’s goals – creating more efficient, less burdensomemarket-led regulation. Legislation such as the Civil Contingencies Actand regulations such as the UK Corporate Governance Code requireorganizations to put BCM and risk management in place. At thesame time, standards like BS 25999, BS ISO 31000 and BS 31100 canhelp organizations self-regulate and achieve desired outcomes.Kimberley Hart, corporate business continuity officer at ManchesterCity Council, says: “The council is focused on enhancing the city’sability to prepare for, respond to and recover from emergencies.Working with BSI on developing and promoting the use of standardslike BS 25999 is a valued and important part of delivering our policyobjectives. Standards now form an important part of the BCM andrisk management landscape and we view their use as part of a toolkitavailable to organizations to manage risk – and often that of theirsupply chains. It’s our aim to keep Manchester’s key public servicesrunning despite any disruptive events, and we also derive moreconfidence knowing these standards are being more widely used.”Business benefits of BCM andrisk management standardsThe consistency of approach provided by implementation of standards such asBS 25999 can help to increase business confidence throughout the supply chainBusiness continuity management and risk management – | 13
  14. 14. Perhaps even more importantly, anorganization that adopts both BCM and riskmanagement standards can be confident thatit will reduce the impact of adverse events andrecover more quickly. “If you are unable todeliver your products or services, especially inthe current economic environment, there are anumber of firms willing to jump into the voidand pick up the slack,” says Mr Brear.The process of implementing a standard initself raises awareness in the organizationabout risk and the importance of businesscontinuity. Historically, it has been very easyfor disciplines such as risk managementand business continuity to become siloed.Implementation of a standard by necessitymeans that the whole organization has tobecome involved, particularly if certificationis sought. “When an organization hasembraced the standard, and really recognizesthe principle behind the requirement, theenthusiasm that it generates for the subjectmatter is extraordinary, because they suddenlyrealize that it’s not about getting the piece ofpaper and showing it to potential customers,it’s all about doing things in a better way thatimproves the whole business,” says MalcolmCornish of RMI.By implementing a standard, an organizationcan be certain that its framework for dealingwith risks and business continuity is robust.Without the use of a standard, it is easy toleave gaps or to neglect particular areas. “Youlearn a lot about yourself as an organizationand find opportunities for doing things better,paying attention to some areas you mighthave otherwise thought were not quite asimportant,” says Mr Cornish.Certification will provide “proof of managedrisk” in your business. This can be particularlyuseful in industries where organizations mustdemonstrate continued adherence to theirlegal and regulatory obligations. For example,some insurers may reduce premiums fororganizations that have certification.The BCI’s survey The Business Case for BCMfound that 56% of BCM programmes enabledorganizations to recover in two-thirds of thetime, and in many cases in half the time, whencompared to an earlier situation where therewas no BCM programme in place. Similarly,55% of respondents said their organizationhad gained a tangible financial benefit fromimplementing a BCM programme.The time invested in implementing a standardreaps rewards in terms of greater operationalefficiency, as well as in confidence in thebusiness’s ability to recover from a disaster. “Ifyou become more efficient, you win businessnot just because you can give better assurancesto a potential customer, but because you aremost cost-effective in your quotation, in howyou deliver the service you hope they will putyour way,” concludes Paul Hopkin.Whenanorganizationhasembracedthestandard,andreallyrecognizestheprinciplebehindit,theenthusiasmthatitgeneratesisextraordinary.14 | Business continuity management and risk management –
  15. 15. The global law firm Linklaters, which has 26 offices in 19 countries,was awarded BS 2599 accreditation in 2009 and was one of the firstlaw firms in the country to receive the certification. Although the firmalready had good business continuity processes in place, the adoption ofthe standard offered added reassurance, says Simon Lowndes-Jones, riskreview manager. “Senior management want to ensure that the plansare effective and the business will be able to show resilience in any givensituation,” he explains.Accreditation is a good way of demonstrating the importance thefirm puts on continuity to the outside world. “It’s part of our widercommitment to deliver an outstanding and consistent service to ourclients. The codification of sound business continuity principles and theexistence of a clear standard gives comfort we are achieving this,” saysMr Lowndes-Jones.Linklaters is increasingly asked by clients to outline its business continuityplans and, at the same time, the firm now puts the same question toits own suppliers. “You’re starting a virtuous circle of ensuring thatbusiness continuity is thought about, not just from our perspective inensuring that we can deliver the services that clients expect, but acrossthe board,” he says.The implementation of the standard required Linklaters to adopt aseries of more structured measures for BCM activities, such as training,communications, management reviews, audit and exercises, as well astaking part in regular audit-style surveillance visits from BSI.Achieving the standard has raised the profile of business continuitywithin the firm and provided a strong framework and basis for achievinga coherent business continuity strategy. Because the accreditation bringswith it a management framework, the firm is able to focus on gettingthe quality and details of the plans right. This is backed up by regularvisits from BSI as part of the certification.Business continuity has, in the past year, been increasingly incorporatedinto the firm’s overall risk management function, and the frameworkand standards set by BS 25999 are used as a basis for BCM elsewherein Linklaters’ international offices. For a global law firm, it is essentialthat business can continue in the event of disruption, says Mr Lowndes-Jones: “We want to provide assurance to clients that, were the worst tohappen, they can still rely on us to provide our services,” he says.LinklatersCase StudyBusiness continuity management and risk management – | 15
  16. 16. Standards matter. They contribute at least £2.5bn each year to the UK economy and play a key role in enablinginnovation, improving competitiveness, increasing reliability, ensuring safety, improving accessibility, controlling quality,managing risk and improving business performance.As the world’s first national standards body, BSI British Standards has a globally recognized reputation forindependence, integrity and innovation. Part of the BSI Group operating in 86 markets worldwide, BSI BritishStandards serves the interests of a wide range of industry sectors, as well as government, consumers, employeesand society overall, to make sure not just British but European and international standards are useful, relevantand authoritative.BSI champions UK interests at home and abroad and is an incubator of many of the world’s leading standards.It is the national gateway to all the European and worldwide standards bodies, promoting fair trade, technologytransfer, economic prosperity and security.Several publications describe the benefits of using standardization to achieve broader organizational and nationalstrategic objectives. Information about these is available from BSI British Standards.To find out more about how BSI can help you, visit the website at or emailbritishstandards@bsigroup.comHow BSI can helpraising standards worldwide™BSI: Standards • Information • Training • Inspection • Testing • Assessment • CertificationBSI Headquarters389 Chiswick High Road, London W4 4AL UKTel +44 (0)20 8996 9001Fax +44 (0)20 8996© BSI copyrightPrinted responsibly on FSC material underchain of custody conditions by an FSCcertified printer. Please recycle after use.