Good practice on business continuity management against the likely adoption of a British Standard on the subject
There is no getting away from it: one way or another all our businesses are vulnerable to risk, whether from an act of terrorism, unusual weather conditions, unreliable service providers or thoughtless or careless employees. Our work can be brought to a standstill, our clients disappointed and at worst we lose income and reputation. Forget the headline events. As has been pointed out before, it is the simple things that tend to go wrong: 90% of all catastrophes are “quiet catastrophes”, for example failures in heating causing staff to walk out, or air conditioning faults leading to computer crashes.
Business is becoming more alert to these issues and consequently they have led companies and organisations to consider introducing more formal planning and processes to what is, essentially, business continuity management (BCM). “Corporate governance” is today’s buzz phrase; good corporate governance is proactive and presumes business as usual, whatever happens.
What’s driving it?
Similarly customers and clients are showing an interest in whether companies can sustain business and maintain levels of service when the unexpected happens. They are now beginning to seek reassurance in the way of formal, visible BCM processes. Insurers are also playing an active role, wanting to keep their awards as low as possible, and indeed one of the major insurers has publicly confirmed that they are actively reducing premiums for businesses and companies with good BCM plans.
Not surprisingly, government too takes an active interest in trying to ensure that companies minimise vulnerability and act responsibly. Health and safety, and disability access legislation are other aspects of this. Other regulations stemming from the Enron debacle affect the financial services industry and then spill into our own business lives. Mitigation of risk from whatever source has become a hot topic and there is now a real push in the commercial world to manage “disaster”.
A British Standard
It was against this background that in late 2003 and as a precursor to a full British Standard, the British Standards Institution (BSI) in association with a team of experts in BCM published Publicly Available Specification 56 – PAS 56. At the moment this is an informal standard providing a consistent approach for businesses to follow to ensure that their continuity plans are fit for purpose, but it looks set to become a full British Standard before long.
A British Standard is a published document containing technical specification or other precise criteria designed to be used consistently as a rule, guideline or definition. Standards are designed for voluntary use and do not impose any regulations. However, enactments and regulations may refer to certain standards and make compliance with them compulsory (ref The British Standards Institution). To become a national standard, PAS 56 must achieve backing from government, business, trade associations and customers amongst others. It must be auditable and advise of a consistent approach. As the Office of Government Commerce, insurers and others were closely involved in drafting the specification with the BSI, it is highly unlikely to stall and in reality it is anticipated that a full British Standard for business continuity will be introduced at the end of this year or the beginning of next.
As drafted, PAS 56 establishes the process, principles and terminology of BCM. It describes the activities and outcomes involved, provides recommendations for good practice and outlines evaluation criteria. It is applicable to all organisations, regardless of size or industry sector. A movement towards a full British Standard in BCM is recognition that business continuity is a necessary part of doing business today. Risk can come from anywhere and PAS 56 provides comprehensive guidelines enabling companies to benchmark on what planning should be in place, making it easier to achieve compliance with the raft of existing and future regulation.
Such management is not reactive; it encourages planning, assessment, evaluation and mitigation in the event of disruption. Effective BCM demonstrates a company’s competence and resilience, together with the ability to get back to normal in as short a time as possible. These days all organisations, even professional practices, depend on others to enable them to deliver their services. More and more frequently, non-core processes are being outsourced to specialist companies and it is no longer unusual to store files off site. But are you confident that your contractual partners could demonstrate that their premises and processes are resilient? Do you know whether you are getting value for money and that they are doing what they say they will do, when they say they will do it?
Property and property services
After people, property is often a company’s greatest asset, but all too often, little consideration is given to potential risk coming from property and property services. Yet those “quiet catastrophes” that are likely to cause harm to your company’s business resilience, threatening your supply chain or crashing your IT or telephone systems, are the things that are actually relatively simple to address.
PAS 56 recommends that an audit process should play a key role in ensuring that organisations have robust, fit-for-purpose BCM systems in place. Independent audit of property and property services has the rigour to identify weakness, or alternatively give comfort. It enables strengths to be acknowledged and weaknesses to be seen as opportunities for improvement rather than criticism. By examining basic matters like the condition of mechanical services (for instance air conditioning units, their fitness for purpose and their likely future maintenance costs), electrical services (the mains supply, lighting, fire and leak detection etc) and the building fabric (fire escape routes, fire compartmentation, legislative compliance etc), companies can address the majority of sources of risk. It is also important to look at the elements of the supply chain and where services are outsourced in exactly the same way. More and more, clients will be requiring businesses to demonstrate that they have gone to significant lengths to protect the provision of service, and it seems eminently sensible to check out the simple things first. It is no excuse to say that insurance will cover any problems. Insurance is unable to deal with damaged reputations and it is worth remembering that 43% of companies that experience a disaster never recover – regardless of the type of event (source: London Chamber of Commerce).
So what should you do now?
Of course, as you would expect, I suggest that you start to look at your own businesses now, in advance of the standard being implemented, to get them into good resilient condition by addressing all those sources of the “quiet catastrophe”. You should also be advising your clients that this new British Standard is on the horizon and that they too should be considering the issues. More and more frequently companies will be asked to show independent verification that they have good BCM in place, so address the simple things first. Look at your property and property services and ensure that your supply chain can perform regardless.
Will you take the risk?
Of course, as with anything else, there are a number of options open to any business. You could decide to do nothing and take the risk that problems will not arise. However, I believe there are real incentives in applying PAS 56 now, as at the very least you will get to know your business better and you could reduce your insurance premiums. For a relatively small cost, potential problems could be quickly addressed, improving the general ability of your business to withstand the threat of disruption. The information achieved while undertaking this process would allow you to make clear, informed decisions about your property, your service providers and value for money. You would also steal a march on your competitors, not least in giving advice to clients because, no doubt about it, a new British Standard for business continuity management is going to be introduced and as every Boy Scout knows, it pays to be prepared.
Eileen Masterman is former Director of RICS Scotland and Chief Executive of Homes for Scotland. She now works with Medron Ltd, the building fabric and building services audit consultancy. She can be contacted at email@example.com
The information contained in this article is a general overview. Full details of PAS 56 can be obtained from BSI at www.bsi-global.com.