A new business continuity standard provides a refreshingly user-friendly way forward for businesses of all sizes and, for once, argues Julia Graham, putting theory into practice is a breeze
There are already more than 27,000 different British Standards in existence - and counting. Most people will be familiar with Corgi-approved gas installers but most will undoubtedly be unaware there are even rules governing plastic cups.
The new business continuity standard BS 25999 adds to this extensive list and was launched at the end of last year to deal with the vast and complex subject while attempting to avoid reader confusion through information overload. Instead, it is a genuinely user-friendly document that is valuable to businesses of all sizes.
The best BC plans, and thus the ones that work, are easy to understand, remember and implement. They set out the principles but do not prescribe in detail how they should be applied. Unfortunately, not all BC plans meet these criteria; a common mistake is to seek to cover every angle. Although a plan may look good in theory it can fall apart at times of crisis, causing individuals to spend too much time consulting the instructions and trying to recall what is in the detail when they should be thinking on their feet.
By contrast, BS 25999 is a truly modern document written in line with the most recent forms of corporate governance and regulation. It outlines what people should achieve through their planning and leaves individuals free to use their initiative. In this respect it builds on and improves the work that went into its predecessor, known as PAS 56.
BS 25999 is authoritative, being based on the expertise of many of the country's top practitioners while managing to be clear and useful to businesses of any size. People with no formal risk management or BC training should be able to understand and then adapt it to their own organisations. Yet even a highly experienced practitioner will find that it provides a useful reminder of the key steps, as well as offering a valuable teaching tool for other members of staff.
BC is an area in which insurance and enterprise risk management meet; both have an essential role to play but are insufficient on their own. As a discipline, BCP and management took off as a corporate priority in the mid-1990s. Insurers took some big hits, partly as a result of the increase in just-in-time production and a growing dependence on single-supply sources for components and raw materials. Both of these trends made firms more vulnerable to a sudden loss of supplies.
The resulting sharp increases in premiums came at a time when finance directors were already under intense pressure to reduce their costs. Business interruption cover, once just a minor component of many property policies, became a big item. As a consequence, firms looked increasingly at the option of retaining more risk.
In fact, BI has never been the type of risk firms can transfer to an insurer entirely. It is easy enough to find a policy that will cover the basics, such as making up the deficit of loss in turnover for an agreed period of recovery time, or providing for additional costs and overheads like overtime and the need to rent temporary locations.
But, it is just not practical to cover the hidden losses that are often most likely to make or break a business, including: damage to a firm's brand, reputation and share price; loss of customers and market share; loss of customer confidence; and loss of key employees that have sought work elsewhere.
For this reason, any enterprise should see continuity first and foremost as a planning challenge. Except in the cases of a few very large businesses, insurance is also necessary, but it should never be the main emphasis. Despite this, it is still far too common to hear chief executives saying words to the effect of "we don't need risk and business continuity management because we have insurance". This is one reason why the new standard could serve as an invaluable aid.
Preaching to the converted
Regrettably, there is a very real possibility that BS 25999 will preach to the converted, that it will be adopted overwhelmingly by those organisations that already have adequate BC capability. For this reason brokers are urged to view the British Standard as a prime opportunity to help their clients with wider risk management support, especially small to medium sized enterprises, which are least likely to embrace continuity planning.
BS 25999 provides a strategic framework for BC. It takes the reader through the processes of risk identification, evaluation and management necessary to minimise the chance that a crucial dependency might be destroyed by an incident, thus rendering the chances of recovery unachievable.
It addresses the key questions of responsibilities, internal communication, vulnerabilities and business impact analysis, all of which are vital to continuity planning. It also discusses the legal obligations that are all too often overlooked.
Crucially, the new standard recognises that actions outlined in a BC plan should not set out to cover every eventuality. As an incident unfolds and circumstances change, opportunities may open up or barriers may be created that render a pre-determined response no longer the most effective mechanism for recovery.
In short, BS 25999 is flexible and is much more than just a theoretical document. It is geared to meet the practical day-to-day requirements of real business people and to reflect what happens on the ground. Implemented intelligently, it will improve resilience and increase confidence among customers, shareholders, staff and other stakeholders.
- Julia Graham is deputy chairman of the Association of Insurance and Risk Managers, chief risk officer at DLA Piper UK and a member of the working party that produced BS 25999.
- Gallagher Bassett acquires claims management firm
- Finch and ICB owner on acquisition trail with sight set on €500m revenue by 2022
- Top 100 Insurtech: Quarter four update
- Green light for UK-US insurance trade deal
- Roundtable: Is a single customer view taking off in insurance?
- Analysis: The mystery of the missing Insurance Fraud Taskforce report
- Blog: You really need to listen before walking the walk