Business Continuity Management

Background

Business continuity management (BCM) is a process that helps manage risks to the smooth running of an organisation or the delivery of a service, ensuring continuity of critical functions in the event of a disruption and effective recovery afterwards. The Government aims to ensure all organisations have a clear understanding of Business Continuity Management (BCM). This section outlines the importance of BCM and discusses how best to achieve business continuity.

Good BCM helps organisations identify their key products and services and the threats to these. Planning and exercising minimises the impact of potential disruption. It also aids in the prompt resumption of service, helping to protect market share, reputation and brand. In order to be successful, BCM must be regarded as an integral part of an organisation's normal ongoing management processes. To achieve this, top-level buy-in is vital, as it disseminates the importance of BCM throughout the organisation. Engaging senior staff is crucial to the success of any major programme because of the influence they have over resource allocation and the culture of an organisation.

Understanding the organisation

Before plans can be written you must understand the organisation's BCM needs. There are several tools used to inform this process. It is important to first identify the key products and services that the organisation delivers. A Business Impact Analysis (BIA) identifies the critical activities and resources supporting those key products and services, and helps identify the impact of a failure of any of them. Another useful tool is a risk assessment, which helps identify the potential threats to the organisation and their likelihood. The Civil Contingencies Act requires the publication of all or part of a risk assessment for your local area (undertaken by local Category 1 responders). This may be a useful point of reference for your own risk assessment.

Developing plans

Good BCM requires both incident management plans and business continuity plans, although these do not necessarily have to be separate documents. Incident management plans allow the organisation to manage the initial impact of an event, for example staff evacuation or media response. The business continuity plan allows the organisation to maintain or recover the delivery of the key products and services that the BIA identified.

Both generic and specific plans may be required. A generic plan is a core plan which enables an organisation to respond to a wide range of possible scenarios, setting out the common elements of the response to any disruption. These elements would include invocation procedures, command and control structures, access to financial resources etc. Within the framework of the generic plan, specific plans may be required in relation to specific risks, sites or services. Specific plans provide a detailed set of arrangements designed to go beyond the generic arrangements when these are unlikely to prove sufficient.

The Civil Contingencies Secretariat has developed, in partnership with stakeholders, a Business Continuity Management Toolkit [External PDF] to help the commercial and voluntary sector implement BCM.

Exercising plans

Plans cannot be considered reliable until they are exercised and have proved to be workable. Exercising should involve: validating plans; rehearsing key staff; and testing systems which are relied upon to deliver resilience (e.g. uninterrupted power supply). The frequency of exercises will depend on the organisation, but should take into account the rate of change (to the organisation or risk profile), and outcomes of previous exercises (if particular weaknesses have been identified and changes made).

Training and awareness

There is a need to train those responsible for implementing BCM, those responsible for acting in the event of disruption and those who will be impacted by the plans. This training and awareness can be delivered in many ways. Those involved in implementing BCM may require extensive training, whereas those with no direct responsibility may simply need to be made aware.

The Emergency Planning College [External website], which is part of the Civil Contingencies Secretariat, runs courses on risk assessment and business continuity management.

Reviewing and maintaining plans

Organisations should not only put plans in place, but should ensure they are reviewed regularly and kept up to date. Particular attention may need to be paid to: staff changes; changes in the organisation's functions or services; changes to the organisational structure; details of suppliers or contractors; and changes in the organisation's strategic objectives.

The business continuity management standard (BS25999)

BS25999 is a code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organisation and providing confidence in business-to-business and business-to-customer dealings.

The British Standard on Business Continuity Management (BCM), BS25999, defines BCM as 'a holistic management process that identifies potential threats to an organisation and the impacts to operations that those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.'

It provides a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle, which is illustrated below.

[Figure: BCM Lifecycle diagram]

The British Standard sets out six elements to the BCM process.

  1. BCM programme management - Programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation.
  2. Understanding the organisation - The activities associated with "Understanding the organisation" provide information that enables prioritisation of an organisation's products and services, identification of critical supporting activities and the resources that are required to deliver them.
  3. Determining business continuity strategies - This allows an appropriate response to be chosen for each product or service, such that the organisation can continue to deliver those products and services at the time of disruption.
  4. Developing and implementing a BCM response - This involves developing incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.
  5. BCM exercising, maintaining and reviewing BCM arrangements - This leads to the organisation being able to demonstrate the extent to which its strategies and plans are complete, current and accurate and identify opportunities for improvement.
  6. Embedding BCM in the organisation's culture - This enables BCM to become part of the organisation's core values and instils confidence in all stakeholders in the ability of the organisation to cope with disruptions.

BS 25999 will be published in two parts. BS 25999-1:2006, the Code of practice for business continuity management, was published in November 2006. It has been developed by practitioners throughout the global community, including the Civil Contingencies Secretariat. Copies can be purchased from the BSI website [External website].

BS 25999-2:2007 will specify the requirements for achieving certification, which will help ensure that business continuity capability is appropriate to the size and complexity of an organisation. Publication of Part 2 is expected in autumn 2007. Following this, the UK Accreditation Service (UKAS) will work hard to ensure that there is an accreditation scheme available to those bodies offering third-party certification to Part 2. Usually the reason for obtaining an independent evaluation is to confirm that the organisation's business continuity capability meets specific requirements, in order to reduce risks. Accreditation by UKAS means that certification bodies have been assessed against internationally recognised standards to demonstrate their competence, impartiality and performance capability.

Business Continuity under the Civil Contingencies Act

The Civil Contingencies Act requires Category 1 responders to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable.

The BCM duty in the Act relates to all the functions of a Category 1 responder, not just its civil protection functions. Hence the legislation requires Category 1 responders to maintain plans to deal with emergencies (see the Emergency planning section) and put in place arrangements to warn and inform the public in the event of an emergency (see the Warning and informing the public section). But it also requires them to make provision for ensuring that their ordinary functions can be continued to the extent required. The Regulations also require Category 1 responders to put in place a training programme for those directly involved in the execution of the BCP should it be invoked.

The risk assessment duty for Category 1 responders under the Act should inform the development of appropriate continuity strategies (see the Risk section for further detail on risk assessment).

The Act also requires local authorities to provide advice and assistance to businesses and voluntary organisations in relation to business continuity management. This duty is an integral part of the Act's wider contribution to building the UK's resilience to disruptive challenges. It should not be seen as a stand-alone duty, but rather in many ways is a logical extension of the work already undertaken to fulfil other duties under the act (e.g. working with commercial and voluntary organisations in the development and exercising of emergency plans).

The Preparing for Emergencies [External website] website provides information on business continuity for businesses [External website] and for voluntary organisations [External website].

© Crown Copyright - Reproduced under the terms of the Click-Use Licence. (PSI licence no. C2006009514)