The Chartered Quality Institute

Qualityworld

Planning for disaster?

Defining what business continuity management (BCM) involves has always been a subjective business. With the issue of a new British Standard on business continuity, Helen Stokes looks at the current thinking on BCM.

Disasters can and will happen. Continued operation in the event of any kind of disruption, from an IT meltdown to a terrorist incident, is vital for any organisation. If a retail website has a systems failure, it risks losing customers and damaging its brand and reputation. If flooding affects a major hospital, there are risks to the health of patients and staff, damage to equipment and supplies and potentially a period of inactivity while repairs are made.

Business continuity management (BCM) is the discipline that has evolved to cover this key business area. BCM is a process providing a framework to ensure a business can continue to operate in any eventuality, ensuring continuity of service to customers and therefore the protection of an organisation's brand and reputation. BC allows companies to plan for incidents that might affect the smooth running of their business, rather than having to suddenly swing into action when a problem occurs.

But in a 2007 survey of members of the Chartered Management Institute (CMI), carried out by the Civil Contingencies Secretariat of the UK Cabinet Office, only 48 per cent confirmed having a specific BC plan (BCP) in place, and only half of these said their company actually rehearses and reviews plans. This is a strong indication that many organisations do not see BC as a priority – so why should they change their mind?

BCM benefits

  • Continuous business improvement – BC planning and regular reviews can give a clearer picture of how your business works and identify areas for improvement
  • Reputation – having a secure BCP in place can enhance an organisation's reputation by helping to ensure customers are not let down in the event of disruption
  • Compliance – a BCP can help a business to demonstrate that applicable laws and regulations have been taken into account
  • Civil contingencies – incidents such as the July 7 bombings and the floods seen across England in the summer of 2007 can be massively disruptive on a national scale. The government can help, but businesses are encouraged to develop their own BCP activities
  • Reducing costs – BCM audits can help to reduce larger overheads of managing risk and streamline business activities
  • Insurance – businesses may be able to reduce insurance premiums by adopting BCM practices
  • Supply chain – insisting BCM practices are followed by suppliers gives greater confidence in the supply chain and other outsourced services
  • Duty of care to staff – employees can also be adversely affected by business being out of operation for any length of time

The need for BCM

When looking at the drivers for BCM, the endless media headlines on natural disasters such as floods and earthquakes as well as terrorist incidents spring immediately to mind, but essentially the key reason for BCM comes from globalisation. Increasingly, organisations are extending supply chains globally, outsourcing activities all over the world and splitting out their manufacturing activities. This dispersion of business activities makes it ever more difficult to get a company back up and running when problems arise.

Regulation is another key driver, with bodies such as the Financial Services Authority and the Law Society in the UK already looking for BCM systems to be operational. Sarbanes-Oxley is also a consideration for businesses operating in the US. Local authorities also require their suppliers to have a BCP in place under the UK Civil Contingencies Act. However, natural incidents and threats to our national security have always been the most prominent reason for looking at BC. Incidents continue to dominate the news, and since the events of September 11 in New York and July 7 in London, it could be argued that there is heightened awareness of the risks to business.

The UK government has taken action to address such threats, including via the Civil Contingencies Act, which received Royal Assent in 2004. It is in two parts; the first covers local arrangements for civil protection and the second covers the conditions and scope of the necessary emergency powers. However, the government is clear that businesses must take responsibility for their own BC planning.

Bruce Mann, director of civil contingencies at the Cabinet Office, says:

'We are expecting all those involved in the critical national infrastructure to ensure that their continued operations are covered by robust BC arrangements. But much of this is not in the hands of government. We cannot now direct private businesses and others who have their priorities dictated other than by government, like the voluntary sector, to invest in BC. Our approach is to enable and to encourage.'

A new British standard

As part of the government's remit to help companies to work on their BC planning, the Cabinet Office was one of the organisations which participated in the committee which developed the new British Standard: BS 25999. Other contributors included the Business Continuity Institute, the FSA, the Institute of Directors and the Ministry of Defence.

The forerunner to BS 25999, PAS 56, was published in 2003. However, PAS 56 came in for criticism as it was felt it concentrated too much on larger companies, with not enough relevance to small businesses or the public sector. BS 25999 has therefore been designed to apply to businesses ranging in size from small to large, and with good reason, as small businesses make up 99 per cent of all businesses in the UK. And how many of them have a BCP?

The first part of BS 25999 was launched in 2006 and it gives a definition for BC as: 'A strategic and tactical capability of the organisation to plan for and respond to incidents and business interruptions in order to continue business operations at an acceptable pre-defined level.'

The second part of BS 25999 consists of a specification for a BC management system. It is applicable to all sizes of organisation, having taken account of the feedback on PAS 56, and it uses the plan-do-check-act system in common with other management systems standards.

It particularly emphasises:

  • policy and objectives
  • controls and measures
  • performance
  • continual improvement

One of the first companies to achieve certification to BS 25999-2, following publication of the standard in 2007, was TDG, a UK-owned European supply chain specialist. Simon Beesley of TDG said:

'Our major clients such as supermarket retailers have long insisted that we prove we have solid plans in place to provide BC and thus assurance of supply. Now that we have the certificate, proving that fact is significantly easier. We will now be insisting on it from our suppliers and expect it to be widely adopted throughout our industry.'

Business continuity standards

BS 25999-1

This standard gives an overview of understanding, developing and implementing BC within an organisation. www.bsi-global.com

BS 25999-2

This standard specifies requirements for implementing a documented BC management system (BCMS). It is intended to be applicable to all sizes and types of organisations. www.bsi-global.com

ISO/PAS 22399

The first internationally agreed document addressing BCM and incident preparedness was published by the International Standards Organization in 2007. It applies to both public and private sectors. www.iso.org

ISO/IEC 27000 series

ISO 27001 is an information security management system (ISMS) standard published by ISO and the International Electrotechnical Commission (IEC). It is intended for use in conjunction with ISO/IEC 27002, a code of practice for ISMS. www.iso.org

NFPA 1600

The North American BC standard. The 2007 edition is downloadable from www.npfa.org

Singapore Technical Reference for business continuity

A project led by the Singapore Business Federation (SBF) with the support of the Singapore Economic Development Board and SPRING Singapore has led to the launch of new BC guidelines in Singapore.

Case study

Scottish Power

Scottish Power is one of the largest utilities companies in the world, supplying around 60 per cent of the generating capacity in Scotland and exporting to the rest of the UK, with a turnover of £7bn. The company employs over 14,000 people and has over 5.1m customers.

Utility companies are diverse organisations, with activities ranging from trading (electricity, gas, coal, etc), generation (power stations), transmission and supply to customers. It can be a challenge to implement meaningful and lasting BC management and so the decision was taken by the company to install a BCM system.

The company worked to establish a BC policy and standards. Senior team leaders, business unit forums and plan leaders have BC built into their objectives. BC advisers are also employed by the company.

The first step was to arrange a business impact analysis. Scottish Power looked at the key drivers for BC within the organisation, defined the scope of BC and established key products and services for the company. Urgent and critical activities were analysed, resource needs established and resource risk assessments carried out.

Activities were analysed according to whether a hiatus in activity would:

  • cause death or injury to customers or staff
  • cause any customers to be without power
  • breach legal or regulatory requirements
  • lead to financial impact
  • lead to unacceptable levels of customer service
  • lead to trading exposure

This approach was beneficial as it focused on urgent and critical activities, prioritised activities and provided a focus for risk assessment. BCPs were then developed based on the resumption of critical activities and their resources, ie plans are only developed where loss of activities impacts on key products and services. There is a group plan template and the same documents are used company-wide.

Exercise of the plan is carried out via a range of methods. Desktop walk-throughs are carried out annually within all business units to review BCPs. Three major call tree exercises were performed which enabled the company to contact 4,000 staff in less than five minutes. Scenario exercises to exercise recovery teams and validate the BCP are carried out several times a year including within the generation stations. 18 were performed in 2007.

The BC policy is embedded and reviewed annually and key performance indicators to meet BC objectives are controlled within a two-year plan. BC objectives are set for senior managers, BC manager and plan leaders within their personal performance targets. Continuous improvement is ensured by using policy and standards company-wide and ensuring training and development to meet agreed BC initiatives and plan development.

Scottish Power is now working towards BS 25999 certification and will work with the company's key suppliers towards the standard to ensure they too have robust BCPs.

Putting BC into practice

BS 25999 currently looks as if it will be the future of BC for many, so what does it bring to BCM?

BS 25999 incorporates:

  • a holistic approach to BC which pervades all aspects of an organisation
  • the plan-do-check-act model as an approach to continuous improvement
  • an emphasis on senior management buy-in to achieve compliance

But BCM doesn't stand still. BS 25999 represents current best practice, but times change. Vast amounts of data are now being held on mobile devices, such as mobile phones, personal digital assistants (PDAs) and laptops, and the need for back-up systems is ever more heightened. Call centres, and the need for customers not to be 'lost' or sent from one operator to another, are another key issue for BC. As new technologies are developed and ways of doing business evolve, managers with responsibility for BC will need to keep up to date with ever more sophisticated methodologies.

But there are three key components to bear in mind: a BCM framework, stages and processes, and the right tools, eg specialist software or other resources. All combine to ensure your organisation stays buoyant in times of trouble.