The Importance of Managing Business Continuity
By Priti Sikdar
Business Continuity has long been a lurking issue for most organizations. It is often a neglected issue as far as precedents go. This is due to the fact that organizations have a false sense of security that once they get their assets insured, they are protected. Also, to date there is no mandatory standard in force to move organizations towards planning their business continuity, even though incidents like 9/11, the tsunami and natural calamities like Katrina are eye openers towards the need to assure security and continuity. Now BSI has launched the world's first British standard for managing business continuity.
The new BS 25999 Code of Practice will help organizations to minimize disruptions and demonstrate their ability to cope with major threats to their operation. By helping to put the fundamentals of Business Continuity Management in place, BS 25999 is designed to keep organizations going during even the most difficult and unexpected circumstances while protecting staff, preserving reputation and providing a license to trade.
BS 25999 establishes the process, principles and terminology of Business Continuity Management. It also provides a comprehensive set of controls based on "best practice" that will help organizations to develop and implement a business continuity plan. The standard can be used as a framework, so that those organizations without a business continuity plan can quickly establish one, and those that already have a plan can ensure it meets best practice.
BS 25999 is being developed in two parts, with Part One, the Code of Practice, being followed by a Specification which is targeted for publication in the middle of 2007. The Specification will detail requirements for a Business Continuity Management System and will provide organizations with a mechanism to ensure that their partners and suppliers also have the correct BCM procedures in place. Currently it is difficult to determine whether organizations are adequately prepared for disruptions, but the Specification will allow for an audit process and certification, meaning that organizations will be able to clearly demonstrate to others that they are meeting the standard and therefore BCM best practice.
There is little doubt that using standards enhances productivity and competitiveness. Robust BCM standards such as BS 25999 can make supply chains more robust, improve enterprise stability, increase job security and ensure the flow of money into communities. Without this there is a significant risk to economic growth and employment, let alone the fortunes of individual companies. Regulation and legislation have been a motivator for spurring action on standards. The major obstacle in the implementation of Business Continuity Management has been a lack of guidance on how to implement continuity measures. The evolution of Emergency Planning, IT Disaster Recovery, Security, Risk Management and Civil Contingencies has contributed to the professional practice of Business Continuity Management. BS 25999 is intended for those responsible for "business operations and the continuity of such operations".
Before the design of this standard, PAS56 was a publicly available paper published in 2003, partly for comment. Now the development of BS 25999 will bring into force two standards:
1. BS25999-1 Code of Practice (BS 25999-1:2006 Code of Practice for BCM): a code of best practices and recommendations. It provides a basis for understanding, developing and implementing business continuity within an organization, and it provides confidence in B2B and B2C relationships.
2. BS25999-2 Specification for business continuity management (BS 25999-2:2006 A Specification for BCM): the part against which certification will eventually be available. It specifies the requirements for "establishing, operating, monitoring, reviewing, maintaining and improving a documented BCM system within the context of an organization's overall business risks", and for the implementation of continuity controls customized to the needs of the specific organization.
The BCM lifecycle is viewed as follows (from PAS56):
Resilience to disaster and disruption is the true goal of every organization. A resilient organization is one that is culturally and operationally able to predict and avoid disruptions, or, if disruptions do occur, to minimize their impact. Obtaining certification to BS 25999 will be effective only if it is embedded in business practices. The first link is to understand your own business needs and to weave business strategies closely with business continuity strategies, so as to enable them to evolve along with the business and give the status of going concern to the organization. Business continuity should not be seen as a project, or a separate activity dealt with by consultants or specialist managers. Rather, it should be 'embedded' within the business so that everyone in it carries out business continuity as part of their day-to-day activities.
Whilst the standard is to be welcomed, effective implementation raises a number of challenges and questions. They are as follows:
• How can the application of the standard incorporate the flexibility needed to support a changing environment? Adherence to a rigid structure will not support currency of data, resources and expertise.
• Whether the standard is applicable to all businesses, particularly those classified as micro businesses (1-9 employees), where the standard may be seen as too complex and burdensome.
• Implementing the standard will not necessarily result in a more resilient organization, since implementation may encourage a prescriptive or 'tick box' mentality.
• Business continuity is often seen as a 'project' and therefore not necessarily linked to management disciplines, systems and procedures.
In spite of the myths and complexities surrounding the standard, we have to list the manifold benefits of implementing the standard:
• It provides a common framework, based on international best practices, to manage business continuity.
• It proactively improves your resilience when faced with disruptions to your ability to achieve key objectives.
• It provides a planned and tested method of restoring your ability to supply critical products and services to an agreed level and time frame following a disruption.
• It delivers a proven response for managing a disruption.
• It helps protect and enhance your reputation and brand.
• It gives a competitive edge by opening new markets and helping you win new business.
• It enables a clearer understanding of how your whole organization works and can help identify opportunities for improvement.
• It demonstrates that applicable laws and regulations are being observed.
• It creates an opportunity to reduce the burden of internal and external BCM audits and may reduce business interruption insurance premiums.
While you are planning and implementing BCM, there is a need to study the requirements of the standard and use them as a measure to examine the current health of your organization. Gap Analysis can help you understand to what extent you must adhere to BS 25999, as well as help identify those areas where there is variance. You can do this by a structured interview process or a combined workshop. The identification of gaps by examining current policies and procedures will enable you to identify areas where you can focus your efforts to meet the requirements of BS 25999. It will identify the key issues and activities that will form the basis of your implementation strategy, and begin to build the business case for adopting BS 25999.
Adopting a business continuity plan suitable to your business and the nature of your organization, and making it a part of the organizational culture, is a mammoth responsibility. While the major responsibility of introducing the plan lies with the Board and executive management, the rolling out of the plan is the individual duty of every member of the organization, and this philosophy needs to be entwined with the day-to-day operational routine of the individual employees. The concept of business continuity is not limited to IT and data issues; it is an enterprise-wide initiative!
Also, there are a series of interdependencies as given in the diagram above.
When we talk of organizing business continuity, issues of loss of telecommunications, internet connectivity, physical premises, machinery and equipment or critical people, all of which are possible continuity risks, come to mind. And while business continuity planning is not the same as disaster recovery planning, the two are closely related. Hence the commencement of the initiative must be in the form of a business impact analysis (BIA), where individual assets would be matched against the risks they are exposed to, and the probabilities of occurrence and the impact on occurrence would be listed. A process of prioritization of risks based on the business impact analysis would enable you to arrive at an acceptable level of risk and to ensure that strategic risks on which you do not want to gamble would be covered either by mitigation measures or by transfer of that risk through proper and adequate insurance.
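The BIA prioritization described above, as an added example that is not part of the original article: each asset is matched against a threat with an estimated probability and impact, the register is ranked by expected loss, and every risk above the acceptable-risk threshold is either mitigated or transferred (insured). The register entries, thresholds and the "mitigable" flag are constructed for illustration.

```python
# Added example: a minimal business impact analysis (BIA) register.
# All figures are constructed; the acceptable-risk thresholds are assumptions.
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float   # estimated chance of occurrence per year, 0..1
    impact: float        # loss on occurrence, in money units
    outage_hours: float  # service interruption on occurrence
    mitigable: bool      # constructed flag: can a control realistically reduce it?


def expected_loss(r: Risk) -> float:
    """Annualised expected loss: probability of occurrence times impact."""
    return r.probability * r.impact


def prioritise(register: list) -> list:
    """Rank risks highest expected loss first; ties broken by longer outage."""
    return sorted(register, key=lambda r: (expected_loss(r), r.outage_hours), reverse=True)


def treatment(r: Risk, acceptable_loss: float, max_outage_hours: float) -> str:
    """Accept a risk only if both expected loss and outage are within the
    acceptable level; otherwise mitigate it, or transfer it (insure) when no
    control can realistically reduce it."""
    if expected_loss(r) <= acceptable_loss and r.outage_hours <= max_outage_hours:
        return "accept"
    return "mitigate" if r.mitigable else "transfer"


def plan(register: list, acceptable_loss: float, max_outage_hours: float) -> list:
    """Prioritised (asset, threat, treatment) tuples for the whole register."""
    return [(r.asset, r.threat, treatment(r, acceptable_loss, max_outage_hours))
            for r in prioritise(register)]


# Constructed sample register (values are illustrative, not real data)
REGISTER = [
    Risk("primary data centre", "flood", 0.02, 5_000_000, 72, mitigable=False),
    Risk("telecom link", "carrier outage", 0.30, 50_000, 8, mitigable=True),
    Risk("payroll process", "sole key employee unavailable", 0.25, 40_000, 40, mitigable=True),
    Risk("office printers", "hardware failure", 0.50, 2_000, 4, mitigable=True),
]

if __name__ == "__main__":
    for asset, threat, action in plan(REGISTER, acceptable_loss=5_000, max_outage_hours=24):
        print(f"{action:9s} {asset}: {threat}")
```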
Redundancy is a desired characteristic, especially in the context of data and telecom continuity. Adoption of different carriers, redundant servers and electronic offsite transfer of backup data are some of the means of ensuring that data is available and that the availability of telecommunication networks is unhampered by failures or disruptions. Planning restore measures in times of failure forms part of telecommunications continuity planning. Organizations such as the National Stock Exchange (NSE) have a fully ready and redundant mirror site to start functioning if any failure is experienced at the primary site.
When we plan continuity for business operations, the most critical aspect we most commonly overlook is planning for human resource continuity. Many times we observe that the most critical functions are carried out by one key employee and no one else is trained to do that job. Obviously, in the event of that person not being available, things just do not work, people get confused and there are inordinate delays. Cross training is an integral part of human resource continuity planning, so that there is proper assurance that the activity will be carried out without interruption.
For the last stage in the BCM lifecycle, there have to be good testing strategies and a proactive approach to moulding the BCM strategies in response to the changing environment and business requirements. Regular audit of the Business Continuity plan and testing of the efficacy of the BCP are vital to the success of operations in the event of disaster. Keeping the plan current is most important, as an outdated plan may foil the business continuity planning and fail in the face of disaster.
Sound risk management will ensure that risks are covered by appropriate controls and that you have successfully reduced the extent of accepted risk to a bare minimum. BCM is considered right from planning the business location, the housing of information assets, their safeguarding measures and the security of the data, to the proper backup plans to support successful storage, retrieval and archiving of data. Business Continuity, being wider in scope than Disaster Recovery, has to provide for financial risks, operational risks, IT risks and all other risks that hit the business, the failure of which may affect the very existence of the business. Resilience is the desired way to achieve the objective of perpetual existence.
The BS 25999 standard provides a good reason for companies to adopt it and go for certification. The method to achieve this certification would be as follows:
1. A Client seeking certification to the BS 25999 Standard will apply to a Certification Body (CB);
2. The application will be reviewed to ensure that it is within the scope of the CB's accreditation. The CB will assemble an audit team to match the Client's industry-specific and technological environment;
3. If the proposed certification is within the CB's scope of accreditation and an Audit Team matching the Client's requirements can be fielded, the CB will submit a quotation to the Client;
4. If the quotation is accepted, the CB will carry out the Stage 1 audit (also called the initial assessment or desktop review) of the documented BCP(s) and IMP to determine whether they meet the requirements of the standard. If the documentation fails to meet the required standard, the Client will be required to address the outstanding matters before the next stage, a Stage 2 audit (also called the Conformance Audit or Certification Audit), can start;
5. When the outstanding matters have been addressed successfully, a date for the Stage 2 Audit will be arranged with the Client;
6. The Stage 2 Audit will examine evidence that the implemented BCP(s) and IMP conform to the Client's documented BCP(s) and IMP. The Client will be advised of the findings and outcome of the audit;
7. If the results of the Stage 2 Audit indicate that the requirements of the BS 25999 Standard have not been met, the Client will be required to agree to a Corrective Action Plan (CAP) to address the weaknesses. Once the Client has addressed the weaknesses, a further Conformance Audit will be carried out;
8. If the outcome of the further Stage 2 Audit is successful, a recommendation will be made for certification. The audit report will be forwarded to the BS 25999 Certification Manager for final review and subsequent issue of the certificate;
9. Even after the certificate is obtained by the Client, there is a system of periodic monitoring of the BCP(s) and IMP, known as Surveillance Audits. This process is designed to ensure that the Client Organization's BCP(s) and IMP continue to conform to the requirements of BS 25999.
Continuous resilience is to be certified, and building a robust infrastructure is a primary concern for every organization. Operational risks, financial risks, natural disasters and internet-related risks are to be addressed in the planning process, since they all can affect the business continuity of an enterprise. Security measures have to be interlinked with the culture and routine activities performed by the employees. Prioritizing critical processes and risk mitigation measures helps reduce the extent of risk and promotes the going concern ideology.
(The author belongs to the Business Risk Services division of Grant Thornton. E-mail pts@wc-gt.com)