Prepare for the worst - Guidelines for Business Continuity Management
Lyndon Bird, Managing Director, Continuity Planning Associates;
Technical Services Director, The Business Continuity Institute
February 2006
Recent times have proven to be exceptionally challenging for all
those involved with disasters, emergencies, security and business
continuity. Starting with the Asian tsunami, the world has
experienced a seemingly endless stream of catastrophic events.
Hurricanes in the US, earthquakes in Pakistan and global terrorism,
including the London bombings of July 7, meant that disasters were
never out of the headlines. The impression given was that despite
our technological sophistication we were effectively powerless to
prevent acts of God and only marginally better to deal with those
deliberately wishing to wreak havoc on our lives and businesses.
Even on a more local scale, the explosion at the Buncefield oil
depot, one of the UK's biggest, created what was described as "the
largest fire fighting exercise in peace-time Europe". Many local
businesses were badly affected. The first to signal problems was
Asos, an on-line fashion retailer whose warehouse was badly damaged
by the fire. Asos suspended its shares on December 23 and had to
refund 19,000 customers who had ordered online goods for Christmas.
Clearly, the growth of online businesses gives the potential for a
better response to certain threats than traditional methods ever
allowed. Public health scares, such as flu pandemics, are best
contained by people not going out and contaminating each other.
Buying your food and other goods online is the obvious solution.
Increasing the number of home workers by providing enhanced
technical capability for them to work online is also an obvious
business continuity strategy.
Many people ask what the connection is between diverse types of
risks - natural disasters, terrorism, fire, accidents, computer
failures and health scares. The answer is that, although they arise
from entirely different sources, the management of the consequences
relies on a set of principles that are largely the same regardless
of cause. This set of principles is now generally defined under the
subject name "business continuity management".
What is BCM?
BCM has suffered from not having a clear, legal definition that is
accepted by all. Many of its original practices emerged from an
earlier technical discipline, "IT disaster recovery". Other concepts
seemed to overlap with different fields, such as emergency
management, crisis management, operational risk and security. Exact
understanding of the terminology varied across the English-speaking
world, which confused other countries and made it difficult to
spread internationally.
The Business Continuity Institute was founded in 1994 and has
actively worked to address these issues. It published jointly, with
the US-based Disaster Recovery Institute, a set of ten standards for
professional practitioners back in the 1990s. These are regularly
reviewed and updated. Although the standards gave definition to the
boundaries of BCM, they were often misunderstood. The standards were
created to satisfy the institute's membership requirements and vet
candidates for professional recognition. They were not a methodology
or statement of BCM best practice.
First, there are the analytical skills, which are particularly
evident in the standards' business impact analysis and risk
evaluation sections. Secondly, the ability to think strategically
and develop original ideas is tested in the sections on business
continuity strategies and emergency response. The standards also
check the practical skills involved in the sections on programme
management and awareness training. Continuous professional
development is needed to ensure that changing standards are applied
in maintenance and exercising. Finally the broader perspective is
assessed in the fields of crisis communications and coordination
with external agencies. Only a person who can combine analytical,
strategic, and practical skills with a wide understanding of the
body of knowledge is certified as a BCI member.
The BCI did recognise that although this gives a general definition
of what is involved in BCM, it did not provide much help in terms of
actually getting good BCM practice implemented. In an attempt to
rectify this, the institute published its good practice guidelines
in 2002. The guidelines were built in conjunction with many industry
experts, mainly from large financial institutions. Although not
directly comparable, this did prove to be a major influence on the
Financial Services Authority's own guidelines for the UK financial
sector.
The institute's guide defined BCM as: "an holistic management
process that identifies potential impacts that threaten an
organisation and provides a framework for building resilience and
the capability for an effective response that safeguards the
interests of its key stakeholders, reputation, brand and value
creating activities."
The success of this guide was also seen in the British Standards
Institute's PAS 56 (a publicly available specification for BCM). In
2005, the guide was re-written to take into account the following:
· the comments received in response to the original guidelines
· the BSI's publication of PAS 56:2003
· legislation, regulatory guidelines and practices that have spread
  business continuity implementation into all industrial, public and
  not-for-profit sectors around the world
Standards and regulation
Apart from the professional certification standards, much work is
currently being undertaken around the world to get a clearer and
more standardised acceptance for BCM. This is difficult because what
is applicable in one industry is alien in another.
I believe the UK leads the debate, with PAS 56. This has been
purchased by many thousands of interested parties around the world.
It is now being developed into a full British standard for business
continuity - an activity that is being driven by the BCI. It is
almost certainly going to become the EU standard and, hopefully, an
International Organisation for Standardisation standard.
In the US, the National Fire Protection Association appears to be
the leader in gaining a wider acceptance for a standard in this
field. NFPA has been working on its emergency preparedness standard
since 2004, although it is still in draft form. It covers emergency
management and business continuity programs and currently runs to 50
pages. It lacks the focus on BCM that the European approach is
taking, however, and concentrates heavily on physical incidents.
There are also many advisory guidelines for business continuity.
These are often industry and country specific, although the new BCI
GPG crosses industries and regions.
What this is all leading to is more control on how organisations
operate and how they guarantee continuity of business. In
particular, the financial sector should expect much stricter
regulatory control in the future. In the UK for example, the FSA
has, for some years, been moving its regulated firms towards BCM
standards which, although non-mandatory, are still required for
compliance. In the US, the Federal Reserve has taken a similar but
more powerful approach with some mandatory elements. Other
initiatives have taken place in many areas of the world, including
Standards, Productivity and Innovation Board directives in Singapore
and EU guidelines from Brussels.
High profile events have inevitably led to government involvement.
The US Sarbanes-Oxley Act has created a situation in which directors
and officers of companies are personally responsible for control
failures within their organisations. This Act not only applies to US
companies but also to non-US companies that operate within US
markets and, of course, to the foreign subsidiaries of US domiciled
corporations.
So all of this should, ultimately, lead to improvements in the
quality and consistency of business continuity and the business
continuity professional. It will go a long way towards bridging the
gap in business continuity maturity levels. Another real benefit
will be the ability to benchmark business continuity capabilities
between industries, companies and regions. All of this will enable a
move towards best practice. It should also help to break down the
silo mentality and approach by integrating the disciplines of
business continuity with security, emergency and crisis management.
The FSA has undertaken the largest benchmarking exercise in the
world, asking 70 leading firms 1,000 questions on all aspects of
BCM. I will come back to the results of this exercise in future
editions.
Conclusions
BCM is no longer an optional activity in major organisations. The
increased perceived level of threat, the documented consequences of
not planning and the pressure put on management by corporate
governance compliance have pushed BCM well up the business agenda
since 9/11. The main purpose of BCM is to ensure that organisations
have a response to major disruptions that threaten their survival.
Although this must be worthwhile in itself, there are other benefits
that can be gained by embracing BCM as a management discipline.
Some organisations have statutory and regulatory requirements,
either specifically for BCM or more generally for risk management,
as part of their corporate governance requirements. An appropriate
BCM plan will satisfy the specific requirements and contribute a
response to both specific risks and to the overall risk awareness of
an organisation. The primary reason for BCM, however, should always
be that it is undertaken because it adds value to an organisation
rather than for governance or regulatory considerations.
Organisations that sell to other businesses have used BCM as a
competitive advantage to gain new customers and to improve margins.
A thorough review of the business through business impact analysis
can highlight inefficiencies and focus on priorities that would not
otherwise have been recognised.
Nigel Turnbull, chairman of the Turnbull committee on UK corporate
governance, has stated: "For many companies, BCM will address key
risks and help them achieve compliance".
Eliza Manningham-Buller, director-general of MI5, went even further
at a Confederation of British Industry conference in November 2004.
She said "I am often asked what single piece of advice I can
recommend that would be most helpful to the business community. My
answer is a simple, but effective business continuity plan that is
regularly reviewed and tested."