Good morning/afternoon, my name is Suzanne Fribbins, and I am BSI’s EMEA Product Marketing Manager for the Risk Portfolio. 29/08/12
So what is business continuity? “ Business continuity is the capability of an organization to continue delivery of products or services at acceptable predefined levels following disruptive incident.” The plan is called a business continuity plan.
The business case for BCM – 81 per cent of managers whose organisations activated their Business Continuity Management (BCM) arrangements in the last 12 months agree that it effectively reduced disruption. The same number agree that the cost of developing BCM is justified by the benefits it brings their organisation. Adoption of BCM – adoption of BCM continues to rise cementing a sharp increase in uptake over the past two years. Overall 61 per cent of managers report that their organisation has BCM in place, up from 58 per cent last year and 49 per cent in 2010.
Drivers of BCM – corporate governance remains the biggest external driver of BCM, with 42 per cent of managers highlighting it as a catalyst for their organisation implementing or changing BCM. Demand from existing or potential customers makes up the second biggest driver (37 per cent), followed by regulation/legislation (33 per cent). Disruptive events of 2011 – almost four in ten managers report that the BlackBerry outage in 2011 caused their organisation some disruption, while 55 per cent of managers say their organisation was affected by public sector strikes. The riots last summer caused disruption for 26 per cent of managers, with the worst of the disruption felt by managers in central and local government and the emergency services. Disruptive weather – 49 per cent of managers report that severe weather conditions caused disruption to their organisation over the last year, making it the leading cause of business disruption for the third year running.
ISO 22301 is the new international standard for business continuity management (BCM). Its official title is ISO 22301 Societal Security - Business continuity management system - Requirements. ISO 22301 is an ISO requirements standard, which effectively means we can audit to it. All core business continuity elements in BS 25999-2 are present in ISO 22301 too.
ISO 22301 provides the requirements for a business continuity management system (BCMS) and is based on global BCM best practice. BSI is one of the pioneers of the original BCM best practice standard, BS 25999-2 and this has now been superseded by ISO 22301. Since its introduction in 2007, BS 25999-2 has grown in acceptance worldwide. Unlike BS 25999-2, ISO 22301 is an international standard, which will see greater international acceptance. For those certified to or aligned with BS 25999-2, the additional requirements are not onerous.
ISO 22301 now comes under a wider societal security remit, acknowledging the important role that BCM has to play in protecting society and ensuring our ability to respond to incidents, emergencies and disasters.
In comparing ISO 22301 with BS 25999-2 you will see that it includes all the core requirements of 25999-2. The ‘Plan Do Check Act’ cycle Business continuity policy Business impact analysis Risk assessment and risk treatments Exercising Business continuity plans and strategy Internal audit Management review Non conformity and corrective action Improvement actions
Notable shifts in emphasis from BS 25999-2:2007: First standard written in accordance with Guide 83 Change in the way an organization is defined Clearer expectations on management Preventive action has been replaced with “actions to address risks and opportunities” and features earlier ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics – aligning BC to top management strategic thinking
22301 requires more careful planning for and preparing the resources needed for ensuring business continuity Communication elements more demanding and there is a responsibility to the wider community defined BIA similar but with some changes to terminology There is a stronger link to the organizations approach to risk To reflect the Societal security approach some new terminology has been introduced, see ISO 22300
Even if organizations don’t intend to certify to these standards, they should strongly influence their BCM program. By adopting ISO 22301 organizations will benefit from global BCM best practice, regardless of whether they intend to certify or not. Standards provide a foundation and a common vocabulary for BCM best practices and processes. These standards represent the input and recommendations of hundreds of BC professionals and industry experts. Rather than reinvent the wheel, you can take advantage of years of expertise and the lessons learned from your peers.
Certification offers many advantages, including: It challenges your BCM program and your organization to reach a higher level of maturity and preparedness. You will also find that through the certification process, opportunities for improvement will be identified … and this is one of the greatest benefits of having a third party audit, having a fresh set of eyes on your business. All of our client managers not only understand the Standards, they understand your industry, and can make informed observations Partners may demand it of you anyway. It can allow you to meet the prequalification requirements for tenders, reducing the amount of time it takes to comply with external audits of your BCM program. It can provide a competitive advantage, opening up new markets and helping you to win new business, and finally It signifies a base level readiness and a commitment and seriousness about BCM An accredited certification can only be conducted by a certification body that is accredited with a recognised national body e.g. UKAS. At present there are no certification bodies in the UK able to offer accredited certifications, however BSI will be offering unaccredited certification until such a point as we are accredited to offer accredited certification to ISO 22301 and is already made arrangements to be first in line to be accredited by UKAS.