Page 1: Developing a British Standard for Business Continuity ... · • First British Standard for Business continuity – BS25999 pt 1 Code of Practice for Business Continuity Management

Developing a British Standard for Business Continuity Management - BS 25999

Nicki Dennis

Head of Sector Development, British Standards Institution

Risk, Quality, Health & Safety, Security & Fire

[email protected]

Page 2

Scope of Presentation

• Information about BSI

• Current drivers for doing business continuity

• History of BCM in UK

• Where we are now in BCM in UK

• Where we are going

• How standards have helped

• The standardization process

• From PAS 56 to BS 25999

• BS 25999 – the new British Standard

• BS 25999 – what’s next

• Conclusion

Page 3

Information about BSI British Standards

• One of 3 separate divisions in the BSI Group; Products and Services (Kitemark) and BSI Management Systems are the other two

• Non-profit-distributing status: any surplus made is fed back into standards development

• c.£42m annual turnover

• Partially government funded, but independently run

• Operates 3000 technical committees and subcommittees

• 2,000 new standards issued each year (approx 1,000 are ISO standards)

Page 4

Drivers for Business Continuity in the UK

• Civil Contingencies Act / Homeland Security

• Corporate Governance & Compliance Agenda

• Insurance Industry

• Supply Chain & Outsourcing

• Customers

• Staff duty of care

• Protection of Corporate Value and Reputation

• Shareholders

Page 5

Research showing share price movement after incident

[Chart: share price ratio (y axis, from -20 to 15) against time over 250 days (x axis). Two series are plotted: companies with a positive approach to business continuity (“Recoverers”) and other companies (“Non-recoverers”).]

Annotations on the chart: Management skills and response; Stakeholder communication; Insurance alone is inadequate; Plans need to be implemented

Source: Knight & Pretty, 1998

Page 6

History of BCM in UK

• Initially seen as part of IT sector

• Development of organisations such as the BCI and Survive throughout the 1980s and 1990s; they developed some agreed best practices

• Awareness of international growth of this topic – Japan, Australia, Singapore and Austria all ahead of the UK in developing national guides or standards in this area

• High profile business failures helped raise BCM up the corporate agenda

Page 7

Where we are in BCM now

• Growing consensus around what is best practice, at least for larger organisations (and a willingness by big organisations to share this best practice)

• Better understanding of business benefits amongst increasing numbers of organisations (in public and private sectors)

• BCM seen as part of the overall risk management profile rather than as a part of IT

• Recognition that it can help reduce the amount of business interruption insurance purchased (in UK companies often buy extra insurance when they haven’t done a complete business impact analysis)

Page 8

Where BCM is going

• No longer a fad but an integral part of the business management process

• Broader based agreement on what is best practice in the form of the new standard (BS 25999 part 1)

• Lifecycle model broadly agreed upon

• Integrated across all business functions, no longer seen as an IT specialty

• Probable progress towards an auditable process (BS25999 pt 2 will be the specification for this)

Page 9

How Standards have helped

What is a Standard?

• A full consensus of all interested parties, so not imposed (includes government, business, trade associations, NGOs and consumers in the discussions) – NOT an individual’s view

• Updated on a regular cycle

• Best practice not general practice, thus aspirational

• Back-up can be available through certification or audit if required

• If compliance is required then legislation can link to the standard

Page 10

Standards Pyramid for UK

[Figure: pyramid of standard types, from the base upward: Company Codes of Practice; Private Standard; Publicly Available Specification; National Standard; European Standard; ISO. Arrows alongside the pyramid are labelled CONTROL and CONSENSUS.]

Benefits listed: Marketing Potential, Consumer Awareness, Risk Management, Credibility

Page 11

The Standardization process

• Starts with formation of a Technical Committee (TC) after recognition of business ‘need’

• All interested stakeholders invited to nominate members to the TC

• Work programme agreed with input from the National or International standards body

• TC can operate purely for National Standards or can ‘mirror’ European and ISO committees

• Draft standards go for public consultation

• Emphasis is on building consensus amongst key stakeholders about what is best practice

Page 12

From PAS 56 to BS25999

• First British Standard for Business Continuity – BS25999 pt 1, Code of Practice for Business Continuity Management

• Follows on from PAS 56, a limited-consensus document published by BSI in 2003, which sold over 5,000 copies worldwide

• Feedback collected by BSI over 18 months

• Decision made by BSI to start new technical committee (TC) on basis of comments and needs analysis survey

• UK Government (DTI) permission given to start a new TC

Page 13

Committee Constitution

• Association of British Certification Bodies

• Association of British Insurers

• Association of Chief Police Officers

• Association of Insurance Risk Managers

• Association of Local Authority Risk Managers

• Business Continuity Institute

• Cabinet Office

• Continuity Forum

• Department of Trade and Industry

• Emergency Planning Society

• Federation of Small Businesses

• Financial Services Authority

• Fire Officers Association

• Institute of Directors

• Institute of Emergency Management

• Institute of Internal Auditors

• Institute of Risk Management

• Intellect

• Metropolitan Police

• Securities Industry Business Continuity Management Group

• Society of Industrial Emergency Services Officers (SIESO)

• Survive

• Sector experts co-opted

Page 14

Timeline

• BSI Market sector analysis and strategy Sept 03 - June 04

• PAS 56 promoted and feedback sought June 04 - June 05

• Committee establishment July 05

• Key milestones and dates:

– Work definition (Sept 05)

– Drafting (Dec 05 – July 06)

– Draft for public comment (July – Aug 06)

– Incorporation of comments (Sept – Oct 06)

– Launch (Nov 06)

• Next key events: BS 25999 Pt 2, Risk BS 25799 and ISO 25700, online tool; evaluation of risk portal

Page 15

The Business Continuity Lifecycle (from BS25999)

[Figure: lifecycle diagram with BCM programme management at the centre, surrounded by the stages: Understanding the organization; Determining BCM strategy; Developing and implementing a BCM response; Exercising, maintaining and reviewing.]

Page 16

Using the Standard

• Standard not intended as a beginners’ guide to BCM

• However, some supporting material will be produced alongside it to help the less experienced user

• Can use the standard to get an idea of your current level of expertise and of areas of weakness

• Can use the standard in Service Level Agreements or contracts

Page 17

Sales and Marketing activities

• Publicity given to the fact that the DPC (draft for public comment) would be made available by free download – a new approach

• Names and e-mails of 4,000 plus collected – advance sales leads, minimal production costs

• Large PR campaign underway

• Published articles and keynote presentations (4 in the month around publication, including this one)

• Standard to be available by individual download or colour hard copy

• Pricing: £90 (20,000 JPY); £45 for BSI members and £60 for the UK public sector

• Download from bsi-global.com/bs25999 from November 29th (pay by credit card online)

Page 18

BS Activities and Timescales

Built up anticipation in the sector that standard was coming

• Met with key stakeholders in government (DTI, OGC, Cabinet Office) and small business representatives (IOD and FSB) to ensure they would be involved

• Appointed a Chairman of the BCM TC who is well known in the sector (Chris Green, BCM manager for HBOS) and wasn’t involved in PAS 56 – showed neutrality and brought 2 different factions in the sector together

• Sought international feedback throughout

• Broad advance messaging and BSI visibility in the market

– Wrote articles, spoke at conferences, visited large companies (Abbey, EDF, Barclays, Vodafone, Sainsbury’s, Credit Suisse & many more) to collect the widest range of buy-in

Page 19

Supporting products and services

• Book – The Risk Management Universe published last December, placed BCM clearly on the growing ‘risk’ agenda

• BCM guidelines to support standard are under contract and due Q1 2007

• PAS 77 on IT service continuity published in Sept 06

• BCM launch conference – Dec 2007, London

• Training partnership being pursued with Survive

• Online assessment tool aimed at SMEs being developed in partnership with Survive (the business continuity national organisation)

– Subscription model, under £200 per year for small businesses

Page 20

The online assessment tool

• Aim is to develop a web-based online self-assessment tool that enables users to see how closely they match the requirements of the new BS 25999

• The business model is based on an annual subscription fee; the tool is updated regularly and sold on a rolling basis

• Gives the user unlimited access to a set of questions, reports, action lists and other BCM guidance

• The product will contain around 150 questions pertaining to an organisation’s business continuity capability

• Each question will appear on a separate page with specific help available

• The intended market for the product is SMEs

• Available by January 2007; further details on the BSI web site

Page 21

Visuals – Draft Product Page

Page 22

Visuals – Sample question

Page 23

BS25999 – where next?

There are several possibilities for the future of BS25999:

• Move the standard to CEN and make it a European Standard

• Move the standard to ISO – Singapore have recently proposed their BCM standard to JCT1

• Decision will be based on the feedback that BSI receives and will be what the BCM community wants

Page 24

Conclusion

• Business Continuity Management is a growing area of international business concern

• An agreed national (or international) standard will benefit all sizes of organisation as they seek to improve their resilience

• Standards evolve over time, and feedback from users is essential to help standards makers ensure that the standard is useful and relevant

• Anyone can get involved in standards; we welcome experts with a variety of views

• Thank you for your attention and I would welcome any questions