Insurance Post

High standards


Lynn Rouse interviews John Sharp of the Continuity Forum about the new universal Kitemark BS 25999 and how key organisations can help certification levels soar

When it comes to evaluating whether a business continuity management system would be effective in the event of a disruption, the clue is in the question: Is there inherent continuity and consistency with the plans put in place by parties above and below the organisation itself? After all, you are only as good as the capability of your suppliers.

For this reason alone, the imminent launch of a universal standard in BCM - BS 25999 - is to be warmly welcomed. But the journey has been long and the final product represents a gradual six-year evolution.

John Sharp, now policy and development director with not-for-profit organisation the Continuity Forum, was formerly chairman of the Business Continuity Institute. If anyone can explain how the standard developed, and answer the crucial question of whether firms will rush to become certified, it is him.

"Back in 1999, in preparation for Y2K, customers had begun sending out questionnaires on business continuity to their suppliers, but with no consistency," he explains, when asked about the standard's origins. "It became absolutely chaotic and no one could answer the questions being asked because they were all different.

"Consequently, work was undertaken by the BCI, the insurance industry, the Department of Trade and Industry and others to create an approach to BC that would achieve uniform agreement across all the different bodies. Later, the Financial Services Authority looked at this issue and said it needed something to assess what good BCM practice was." With this call coming during Mr Sharp's tenure as chairman of the BCI, he explains that the body volunteered to write a good-practice guide to BC, which was published in 2002.

"The following year we discovered that British Standards was looking to create a specification for BCM software, but we persuaded them instead to create a specification for BCM - Publicly Available Specification 56 - which was based on the good-practice guide that had been produced. Later, when the Civil Contingencies Act was put together with the aim of making our local authorities and emergency services more resilient, I was one of the practitioners involved in writing the guidance to support the Act for BC planning and promotion, and we insisted that it followed PAS 56."

The move to certification

The upshot of this persistence has been the creation of different pieces of guidance that nonetheless all run in parallel and adopt a consistent approach. "This was absolutely critical because when it comes to the public sector delivering vital services, it relies on key suppliers that are commercial companies which also supply to others, as well as relying on the voluntary sector."

BS 25999 will replace PAS 56, which itself has been widely adopted, and not just in the UK. More than 6000 copies of it have been sold worldwide, making it the biggest-ever seller. And that enthusiasm has continued: 5000 downloads were made of BS 25999 when it was out for consultation - again, the highest-recorded figure for such a consultation document.

From the beginning, there have always been two parts to BS 25999: the code of practice, produced in November, and the second part - specification - due out in June or July this year. Mr Sharp succinctly explains the difference: "A code of practice tells you what you should do and may do, whereas a specification tells you what you shall do. For example, when you are audited against this specification, which demands you have a BCM champion, the auditor will want to see details of who that person is. You have to meet all the criteria to become certified."

However, the process will not end with the publication of the specification - any company wanting to operate as an independent auditor has to obtain the stamp of approval from the United Kingdom Accreditation Service (UKAS). It will probably take 18 months before anyone is accredited by UKAS and ready to certify others. "The right people have got to be trained to audit the standard, and this is not something that can happen overnight," points out Mr Sharp.

Nevertheless, he is confident that BS 25999 will rapidly achieve large-scale adoption for one very simple reason - the power of the supply chain. Without it, vital contracts may become impossible to secure.

"In the UK, 40% of our economy is based in the public sector - a sector that now has a formal requirement to demonstrate that BC plans are in place to protect its ability to deliver critical services, so it has to insist on its critical suppliers having it too. This factor alone will drive BC through organisations of all sizes."

However, Mr Sharp stresses that there is a second, more important question for major customers to ask their suppliers over and above 'Are you certified to BS 25999?': "If a company has three divisions, have all those divisions and all the operations within those divisions been certified? Or is it only one division or even only one operation within a single division?

"The key questions going forward, therefore, will be: 'Are you certified?' and 'What is the scope of your certification?' After all, a company may decide only to seek certification for the parts of their business that provide for the public sector or for a single customer, and that will be their choice."

Visible 'carrots'

The fact remains, however, that many companies are still failing to devise and implement effective BC plans. And the Continuity Forum has itself recently stated that: "Unfortunately, just relying on the compelling value of BCM alone has proved ineffective in motivating organisations to act responsibly." Why is this the case?

"Although business continuity is plain common sense, many don't do it simply because no one is asking them to," says Mr Sharp. He adds that many people remain slightly perplexed by the term itself, making it essential to paint pictures of the 'what if?' scenario.

"I was recently talking to a group of small retailers and asked them what they would do if they lost their database. One retailer admitted that he had already fallen foul of this issue by failing to back up his database and lost six months' worth of accounts - something that took him weeks to reinstate. Another retailer present was a high-class bespoke jeweller who revealed that she didn't currently back up her data despite the firm's client list being vital to the business."

Mr Sharp is also a firm believer that the major economically influential organisations in the UK have a duty to demand the effective implementation of BCM by way of powerful incentives. "In marketing speak, you refer to 'push and pull'. For example, you can push your product or service, by touting it as the best thing since sliced bread, or you can get it pulled. If you push a product, you may convince one or two about its value, but the vast majority will not take it up because they don't have to.

"Therefore, the success of BS 25999 will be higher if we work with the people and organisations that can drive the 'pull' - the influencers in the shape of the business-interruption insurers, banks and regulators that can say, 'We won't trade with you unless you have BC' or 'We won't lend you money or insure you unless you have this in place'."

Without such demands or highly visible 'carrots', Mr Sharp is convinced the 'It won't happen to me' mentality and concerns about costs will continue to impede the adoption of BCM or certification to BS 25999. But it is not insurers he is most concerned about - the greatest challenge, he reports, lies with the banks: "If their systems fail, the losses banks sustain within a few hours can be catastrophic, let alone if they are down for a few days. Consequently, the banks themselves invest heavily in BC," he explains. "However, what they are not doing is demanding the same of their customers whenever they lend money. We really do need the banks to wake up. We keep telling them they can minimise their risk exposure by demanding BC. A certain failure rate is always factored into financial loans, for which the banks must set aside capital to cover off these failures. What we are saying is that, if they minimise business failures due to disruptions, by demanding evidence of effective BC planning before loaning money, they can also reduce the amount of capital they need to set aside."

Insurers' example

Back in 2005, Charles Philipps, chief executive of Amlin, hailed the launch of PAS 56 as a "significant UK milestone in risk-management terms" (Post, 25 August 2005, p11). Yet, at the same time, he pointed out that Amlin remained one of only a handful of UK insurers to have successfully complied with the standard via independent audit. So should certification to BS 25999 be a priority for insurers themselves, lest they face allegations of hypocrisy from the very corporate customers from whom they demand evidence of compliance?

"Yes, they should - if for no other reason than because they are now all regulated by the FSA, which is looking for evidence of best practice," says Mr Sharp. "Equally, if the insurance industry is going to be preaching about the need for BCM among its customers, then they must be seen to be following best practice themselves - although I do not believe there will be a problem on this front with UK-based insurance companies."

However, he does predict potential issues with those based across the Atlantic: "At the moment, US companies do not tend to recognise standards that have been developed outside of the US, unless they are specifically required for trading in other jurisdictions."

The BC standard in the US has been developed by the National Fire Protection Agency - NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.

"NFPA 1600 does not go into the same depth or follow the same parameters as PAS 56 and BS 25999 - it is more akin to emergency management," explains Mr Sharp. "Generally speaking, the US tends to be more geared up around natural disasters, massive computer failure and terrorism, whereas we have always preached that it does not have to be a major disaster that results in significant disruption and, frequently, it can be a small internal issue that ultimately causes a company to fail.

"In fact, one of the problems with the CCA is that BC is defined in terms of an 'emergency' - that is, a major incident in the community - but we have managed to get the issue and importance of day-to-day protection written into the guidance that accompanies it."

Putting BC plans in place

When Post published an article last August focused on the forthcoming British standard, one commentator expressed concern that take-up could be poor - after all, if firms don't have time to put a BC plan in place, what chance is there that they will find time to seek a new kitemark? Others voiced their belief that SMEs in particular will struggle to achieve certification because of scarce resources, while its predecessor, PAS 56, came in for criticism as 'over-complicated'. But Mr Sharp is adamant that BS 25999 will be attainable for all.

"When the new standard was written, we were very conscious that the chief problem with PAS 56 was that it was written from the point of view of large organisations. Consequently, in developing BS 25999, we continually applied the test of a mythical small company, by asking: What does this mean? Will it be understood? Is this applicable? These questions were asked throughout."

He emphasises that a smaller company's BC plan may only need to be a couple of sheets of paper detailing who will deal with an interruption or crisis and how the business can continue. "For example, one bakery that suffered a fire had organised a reciprocal arrangement with another bakery that was outside of its own customer base but near enough to supply. The deal was that if something happened to one of them, the other would bake for it, and vice versa. Something like that is not expensive to put in place, neither is backing up your data, keeping it off site and testing the plan."

Testing may not be expensive, but the fact remains that for those that do have BC plans in place, the need for rehearsals and subsequent updating is often overlooked - and there are signs this problem may be getting worse rather than better. Figures from the last Chartered Management Institute survey, carried out in conjunction with the Continuity Forum and the Cabinet Office and published in May 2006, reveal a worrying development: in 2005, 52% of those that did have plans tested them at least once a year, but this percentage fell to only 37% in 2006.

"This is cause for concern," admits Mr Sharp, "but it also highlights the need for customers to ask different questions of their suppliers. Rather than just asking 'Have you got a BC plan?' they should be asking when it was last rehearsed and what the results were." The requirements to rehearse plans, learn the lessons, update the plans as a result and have them audited are all now built into the new standard's specification.

"These are fundamental principles that we have always championed and have now got them embedded into BS 25999. Simply put, if a plan is not rehearsed, you will not get certification."

CONTACT

For more information, visit: www.continuityforum.org or contact John Sharp at: [email protected].
