<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>BS25999.COM &#187; Compliance</title>
	<atom:link href="http://www.bs25999.com/tag/compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bs25999.com</link>
	<description></description>
	<lastBuildDate>Tue, 13 Jul 2010 12:39:23 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>Achieving BS25999 Certification</title>
		<link>http://www.bs25999.com/2009/12/achieving-bs25999-certification/</link>
		<comments>http://www.bs25999.com/2009/12/achieving-bs25999-certification/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 22:22:12 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[BS25999]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[Compliance]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=44</guid>
		<description><![CDATA[BS25999 Part 2 is a Specification, not a Code of Practice like Part 1. So what is the difference? Part 2 is a Specification and deals with ‘Shall’ rather than ‘Should’ as the Part 1 Code of Practice does. Titled BS 25999–2:2007 Specification for business continuity management and includes… * Documentation Requirements * Management responsibility [...]]]></description>
			<content:encoded><![CDATA[<p>BS25999 Part 2 is a Specification, not a Code of Practice like Part 1. So what is the difference? A Specification states requirements using ‘shall’, whereas the Part 1 Code of Practice gives guidance using ‘should’. Only the requirements of the Specification can be audited against, which is why certification is to Part 2.</p>
<p>Its full title is BS 25999–2:2007 Specification for business continuity management, and it covers…</p>
<p>* Documentation Requirements<br />
* Management responsibility<br />
* Internal BCMS Audit<br />
* Management review of BCMS<br />
* BCMS Improvement</p>
<p>The standard was published on 20 November 2007.</p>
<p><em>How does an organisation seek compliance with the standard?</em></p>
<p>As with most management system standards, the certification process is relatively standardised and follows ISO/IEC 17021, the requirements for bodies providing audit and certification of management systems.</p>
<h3>STEP 1 — Application</h3>
<p>Apply to a certification body. Certification bodies are organisations accredited to certify other organisations against the standard, for example BSI or LRQA (these two are not the only ones). The scope of the BCMS to be certified needs to be agreed at this point. The certification body will then produce a proposal detailing the number of assessment days required, the costs and so on. If the organisation chooses to proceed, the assessment is scheduled.</p>
<h3>STEP 2 — Pre Assessment</h3>
<p>A pre-assessment may be used to provide a snapshot of readiness for the full assessment; sampling and other techniques may be used. Any areas of omission are raised and an estimate of the remedial work needed, if any, is made. The formal assessment may be delayed if it is thought unlikely that the organisation would pass.</p>
<h3>STEP 3 — Assessment</h3>
<p>The formal assessment then takes place, covering all areas of the Part 2 Specification. In line with ISO/IEC 17021, and as with other management system standards, it is carried out in two stages.</p>
<p><strong>Stage 1:</strong> This stage examines the Business Continuity Management System (BCMS) documentation and the management review and internal audit arrangements, and evaluates readiness for Stage 2. Stage 2 is also planned at this point.</p>
<p><strong>Stage 2:</strong> This stage examines the implementation of the BCMS, i.e. the objective evidence that it operates as documented. It may involve inspection of records, interviews with personnel and physical inspections.</p>
<p>Any observations or non-conformities are formally recorded, and a recommendation for or against certification is made.</p>
<h3>STEP 4 — Recommendation and Award</h3>
<p>If the assessor recommends certification, the recommendation is forwarded to the certification body's BS25999 Certification Manager for final review and issue of the certificate. If the client fails the audit, a corrective action plan is usually agreed and a second audit arranged.</p>
<h3>STEP 5 — Continued Assessment</h3>
<p>Once the certificate has been awarded, surveillance audits are planned, typically at yearly intervals. These visits examine the effectiveness of the BCMS, management reviews and internal audits, progress of continual improvement actions, review of changes and possibly the use of the registration marks in publicity materials. A full reassessment is also carried out at longer intervals, usually every three years, although this depends on both the organisation and the certification body.</p>
<p><em>What are the benefits of certification?</em></p>
<p>As mentioned, the standard comes in two parts; the split is designed to make it easier to understand and deploy. Part 2, the Specification, sets out the minimum an organisation must do for its business continuity management system to be effective.</p>
<p>Implementing BS25999 Part 1, the Code of Practice, will undoubtedly benefit an organisation, but achieving certification to Part 2 requires significant extra work. So what are the benefits?</p>
<p>In a word, demonstrability.</p>
<p>Certification to a known and accepted management standard such as BS25999 Part 2 means an organisation no longer has to say ‘Trust me’ to its stakeholders: an accredited third party has verified that the BCMS exists and operates.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2009/12/achieving-bs25999-certification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Compliance — Overhead or Business Benefit?</title>
		<link>http://www.bs25999.com/2009/12/compliance-overhead-or-business-benefit/</link>
		<comments>http://www.bs25999.com/2009/12/compliance-overhead-or-business-benefit/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 23:30:15 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[BCM]]></category>
		<category><![CDATA[Compliance]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=18</guid>
		<description><![CDATA[The very word “Compliance” strikes dread in many senior management forums. Viewed most often as a pain, necessary evil, or at best a burden on the business, Compliance has become a word most often associated with a sigh of despair. But should this really be the case? The very reason many senior managers have to [...]]]></description>
			<content:encoded><![CDATA[<p>The very word “Compliance” strikes dread in many senior management forums.</p>
<p>Viewed as a pain, a necessary evil, or at best a burden on the business, Compliance has become a word most often associated with a sigh of despair. But should this really be the case? The reason many senior managers have to be dragged kicking and screaming into the Compliance arena is often the complexity of the subject and fear of the unknown.</p>
<p>At the end of the day, most senior managers are focused on making money for the business, controlling costs and generating value for the shareholders, so they view compliance issues as a distraction.</p>
<p>Now that is interesting in itself, particularly the latter two points.</p>
<p>Surely controlling costs and generating value for the shareholders should be really good drivers to understand what Compliance can mean to the business? Part of the problem, and the perception, is the plethora of different compliance issues that appear when the surface of the topic is scratched, e.g. Human Rights, Privacy, Data Protection, Freedom of Information, Taxation, Corporate Governance, Intellectual Property/Copyright, Health &amp; Safety, Fraud &amp; Corruption, Competitive Practice, Anti-trust, Money Laundering, Standards (e.g. ISO/IEC27001, COBIT, SAS70) and much more.</p>
<p>Is it any wonder why senior management would rather avoid getting embroiled in this as much as possible? The problem is — it is their responsibility, and they are accountable for Compliance, so, in time, many will come to realise that they have no choice, and even that Compliance can provide real benefits to the business.</p>
<h3>How can this ever happen?</h3>
<p>Surely the whole Compliance effort costs a fortune and bogs the business down in unnecessary procedure?</p>
<p>All many managers see is increasing red tape, extra costs for controls, new or growing compliance teams, personal liability and spiralling overheads.</p>
<p>But, is this a fair view? Sure there are additional costs to be carried for the compliance efforts, but it could be argued that these are more than balanced by factors such as:</p>
<p>* Increased customer/shareholder/partner confidence and trust<br />
* Improved analysis, documentation and efficiency of business processes<br />
* Better business resilience<br />
* Greater buy-in from management and staff<br />
* De-duplication of control efforts<br />
* Faster audits with fewer hold points<br />
* Reduced audit costs<br />
* Reduced crisis/incident management and remedial action costs<br />
* Avoidance of legal or regulatory sanctions or fines<br />
* … and more</p>
<p>It is surprising how the very attempt to ensure Compliance can often become a catalyst for change. As a business grows, the development and documentation of sound business processes often falls by the wayside and greater reliance is placed on staff knowledge and expertise.</p>
<p>This can work for a while, but we live in an ever-changing world where the pace of life is increasing daily, and a lack of sound business practice will mean trouble in the future. It only takes a key member of staff to leave, or a disgruntled member of staff to ‘throw a spanner in the works’, and serious repercussions can ripple throughout the business.</p>
<p>Yes — we all know we should write procedures so that someone can take over if the worst should happen; but the ‘instant’ nature of the working environment today (e.g. the Internet, email, instant messaging, mobile connectivity) makes that very unlikely — we just do what we do!</p>
<p>This is where Compliance brings back some sanity to the workplace. An auditor is not satisfied by ‘hearsay’ evidence that a key business process is operating in line with legal or regulatory requirements — they want cold, hard documentary evidence!</p>
<p>The Compliance drive has a tendency therefore to underline the need for key controls, procedures and evidence, and to ensure that adequate funding is committed to their maintenance. What is often missed is the opportunity to develop one management system to control all aspects of compliance, regardless of law, regulation or standard.</p>
<p>Many organisations still approach Compliance from a piecemeal angle — HR do their bit, IT do their bit, Legal do their bit, etc. It is also common to see organisations creating separate teams, each tasked with compliance to a particular piece of legislation. This is, at best, unwieldy, inefficient and expensive; a practice to be avoided. It can be due to the ‘siloed’ nature of many organisations, internal politics, expertise issues, or just plain stubbornness about getting involved.</p>
<p>The problem is that Compliance issues usually cut right across the business, and a very strong lead is needed for any team that is going to co-ordinate all issues company-wide. A competent Compliance team can build one management system that co-ordinates the compliance effort and provides a single repository and source of information for audit trails and associated evidence.</p>
<p>This avoids the ‘empire building’ that often happens when, say, a new piece of legislation comes along, containing and potentially reducing costs.</p>
<h3>So, ‘Overhead or Business Benefit’?</h3>
<p>Much depends on your viewpoint and the type of organisation you work for. Finance, banking and insurance are heavily regulated and accept Compliance as just part of daily business, whereas for, say, a manufacturing business, it is all just a cost it would prefer not to have.</p>
<p>Hopefully this will change in time: legislation may become simpler and easier to understand (eh .. possibly ..), business practices and management systems will improve, and many will see how the Compliance effort can bring real dividends.</p>
<h6>Clifford May, Consultancy Practice, Integralis Ltd UK</h6>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2009/12/compliance-overhead-or-business-benefit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
