Many of the early practices within the field of Business Continuity Management (BCM) emanated from an earlier technical discipline known as IT disaster recovery.
There is substantial publicly available information and guidance in regard to IT related BCM from the British Standard Institution (BSI), the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
For example, detailed guidance on IT security controls and information security management systems is contained in the 2005 editions of ISO 17799 and ISO 27001, which superseded British Standard (BS) 7799. A specification and code of practice for IT service management is contained in the 2005 ISO 20000, which replaced BS 15000. Guidance on IT Service Continuity Management is provided in the BSI 2006 Publicly Available Specification (PAS) 77.
However, in more recent years BCM thinking has expanded to encompass a much broader set of principles. The Business Continuity Institute (BCI), founded in the UK in 1994, published its good BCM practice guidelines in 2002 (updated in June 2005). The guidelines provide a framework for BCM, which is defined as:
“an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value creating activities”.
This definition tends to steer away from the concept that only a disastrous event is worthy of consideration from a business continuity perspective. Indeed this comprehensive definition has been of considerable assistance in widening the debate as to what are appropriate BCM strategies for business entities.
The BCI guidelines were a major influence on the BSI March 2003 guide to BCM known as PAS 56 which seeks to define business risk as:
“risk that internal and external factors, such as inability to provide a service or product, or a fall in demand for an organisation's products or services, will result in unexpected loss”.
In November 2006 a new code of practice for BCM was published as British Standard BS 25999 Part 1. According to this Code, BCM involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall programme through training, exercises and reviews.
In keeping with the earlier work of the BCI, the Standard defined BCM as a:
“holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities”.
This was followed in 2007 by a draft Part 2 specification that defines requirements for a management systems approach to BCM based on good practice. It is intended for use by organizations of all sizes, from large to small, operating in the industrial, commercial, public and voluntary sectors.
Various other forms of guidance that seek to mitigate business risk are readily available; for example, best practice in Quality Management Systems and Environmental Management Systems can be found in ISO 9001 and ISO 14001.
Requirements for Occupational Health and Safety Management Systems are detailed in Occupational Health and Safety Assessment Series (OHSAS) 18001. This was originally published in 1999 and incorporated aspects of BS 8800. A new edition is due to be published in July 2007.