Developing a British Standard for Business Continuity Management - BS 25999
Nicki Dennis
Head of Sector Development, British Standards Institution
Risk, Quality, Health & Safety, Security & [email protected]
Scope of Presentation
• Information about BSI
• Current drivers for doing business continuity
• History of BCM in UK
• Where we are now in BCM in UK
• Where we are going
• How standards have helped
• The standardization process
• From PAS 56 to BS 25999
• BS 25999 – the new British Standard
• BS 25999 – what’s next
• Conclusion
Information about BSI British Standards
• One of 3 separate divisions in the BSI Group – Products and Services (Kitemark) and BSI Management Systems are the other two
• Non-profit-distributing status: any surplus made is fed back into standards development
• c.£42m annual turnover
• Partially government funded, but independently run
• Operates 3000 technical committees and subcommittees
• 2,000 new standards issued each year (approx 1,000 are ISO standards)
Drivers for Business Continuity in the UK
• Civil Contingencies Act / Homeland Security
• Corporate Governance & Compliance Agenda
• Insurance Industry
• Supply Chain & Outsourcing
• Customers
• Staff duty of care
• Protection of Corporate Value and Reputation
• Shareholders
[Chart: share price ratio over time (250 days) after an incident, comparing “recoverers” and “non-recoverers”; companies with a positive approach to business continuity versus other companies. Key points: management skills and response; stakeholder communication; insurance alone is inadequate; plans need to be implemented.]
Research showing share price movement after incident
Source: Knight & Pretty, 1998
History of BCM in UK
• Initially seen as part of IT sector
• Development of organisations such as the BCI and Survive throughout the 1980s and 1990s; they developed some agreed best practices
• Awareness of international growth of this topic – Japan, Australia, Singapore and Austria all ahead of the UK in developing national guides or standards in this area
• High profile business failures helped raise BCM up the corporate agenda
Where we are in BCM now
• Growing consensus around what is best practice, at least for larger organisations (and a willingness by big organisations to share this best practice)
• Better understanding of business benefits amongst increasing numbers of organisations (in public and private sectors)
• BCM seen as part of the overall risk management profile rather than as part of IT
• Recognition that it can help reduce the amount of business interruption insurance purchased (in UK companies often buy extra insurance when they haven’t done a complete business impact analysis)
Where BCM is going
• No longer a fad but an integral part of the business management process
• Broader-based agreement on what is best practice in the form of the new standard (BS 25999 Part 1)
• Lifecycle model broadly agreed upon
• Integrated across all business functions, no longer seen as an IT specialty
• Probable progress towards an auditable process (BS 25999 Part 2 will be the specification for this)
How Standards have helped
What is a Standard?
• A full consensus of all interested parties, so not imposed (includes government, business, trade associations, NGOs and consumers in the discussions) – NOT an individual’s view
• Updated on a regular cycle
• Best practice not general practice, thus aspirational
• Back-up can be available through certification or audit if required
• If compliance is required then legislation can link to the standard
Standards Pyramid for UK
[Diagram: pyramid of standard types, from the base upwards – Company Codes of Practice, Private Standard, Publicly Available Specification, National Standard, European Standard, ISO. Moving up the pyramid trades control for consensus; benefits noted: Marketing Potential, Consumer Awareness, Risk Management, Credibility.]
The Standardization process
• Starts with formation of a Technical Committee (TC) after recognition of business ‘need’
• All interested stakeholders invited to nominate members to the TC
• Work programme agreed with input from the National or International standards body
• TC can operate purely for National Standards or can ‘mirror’ European and ISO committees
• Draft standards go for public consultation
• Emphasis is on building consensus amongst key stakeholders about what is best practice
From PAS 56 to BS25999
• First British Standard for business continuity – BS 25999 Part 1, Code of Practice for Business Continuity Management
• Follows on from PAS 56, a limited-consensus document published by BSI in 2003 that sold over 5,000 copies worldwide
• Feedback collected by BSI over 18 months
• Decision made by BSI to start new technical committee (TC) on basis of comments and needs analysis survey
• UK Government (DTI) permission given to start a new TC
Committee Constitution
• Association of British Certification Bodies
• Association of British Insurers
• Association of Chief Police Officers
• Association of Insurance Risk Managers
• Association of Local Authority Risk Managers
• Business Continuity Institute
• Cabinet Office
• Continuity Forum
• Department of Trade and Industry
• Emergency Planning Society
• Federation of Small Businesses
• Financial Services Authority
• Fire Officers Association
• Institute of Directors
• Institute of Emergency Management
• Institute of Internal Auditors
• Institute of Risk Management
• Intellect
• Metropolitan Police
• Securities Industry Business Continuity Management Group
• Society of Industrial Emergency Services Officers (SIESO)
• Survive
• Sector experts co-opted
Timeline
• BSI Market sector analysis and strategy Sept 03 - June 04
• PAS 56 promoted and feedback sought June 04 - June 05
• Committee establishment July 05
• Key milestones and dates:
– Work definition (Sept 05)
– Drafting (Dec 05 – July 06)
– Draft for public comment (July – Aug 06)
– Incorporation of comments (Sept – Oct 06)
– Launch (Nov 06)
• Next key events: BS 25999 Part 2; Risk BS 25799 and ISO 25700; online tool; evaluation of risk portal
The Business Continuity Lifecycle (from BS 25999)
[Diagram of the lifecycle elements: BCM programme management; Understanding the organization; Determining BCM strategy; Developing and implementing a BCM response; Exercising, maintaining and reviewing.]
Using the Standard
• Standard not intended as a beginner’s guide to BCM
• However some supporting material will be produced alongside which will help the less experienced user
• Can use the standard to get an idea of your current level of expertise and an idea of areas of weakness
• Can use the standard in Service Level Agreements or contracts
Sales and Marketing activities
• Publicity given to the fact that the DPC (draft for public comment) would be made available by free download – new approach
• Names and e-mails of 4,000 plus collected – advance sales leads, minimal production costs
• Large PR campaign underway
• Published articles and Keynote presentations (4 in the month around publication, including this one)
• Standard to be available by individual download or colour hard copy
• Pricing - £90 (20,000 JPY); £45 BSI members and £60 for UK public sector price
• Download from bsi-global.com/bs25999 from November 29th (pay by credit card online)
BS Activities and Timescales
Built up anticipation in the sector that the standard was coming
• Met with key stakeholders in government (DTI, OGC, Cabinet Office) and small business representatives (IoD and FSB) to ensure they would be involved
• Appointed a Chairman of the BCM TC who is well known in the sector (Chris Green, BCM manager for HBOS) and wasn’t involved in PAS 56 – showed neutrality and brought two different factions in the sector together
• Sought international feedback throughout
• Broad advance messaging and BSI visibility in the market
– Wrote articles, spoke at conferences, visited large companies (Abbey, EDF, Barclays, Vodaphone, Sainsbury’s, Credit Suisse & many more) to collect widest range of buy-in
Supporting products and services
• Book – The Risk Management Universe published last December, placed BCM clearly on the growing ‘risk’ agenda
• BCM guidelines to support standard are under contract and due Q1 2007
• PAS 77 on IT service continuity published in Sept 06
• BCM launch conference – Dec 2007, London
• Training partnership being pursued with Survive
• Online assessment tool aimed at SMEs being developed in partnership with Survive (the business continuity national organisation)
– Subscription model, under £200 per year for small businesses
The online assessment tool
• Aim is to develop a web-based online self-assessment tool that enables users to see how closely they match the requirements of the new BS 25999.
• The business model is based on an annual subscription fee, updated regularly and sold on a rolling basis
• Gives the user unlimited access to a set of questions, reports, action lists and other BCM guidance
• The product will contain around 150 questions pertaining to an organisation’s business continuity capability
• Each question will appear on a separate page with specific help available
• The intended market for the product is SMEs
• Available by January 2007, further details on BSI web site
[Visual: draft product page]
[Visual: sample question]
BS 25999 – where next?
There are several possibilities for the future of BS 25999
• Move the standard to CEN and make it a European Standard
• Move the standard to ISO – Singapore has recently proposed its BCM standard to JTC 1
• Decision will be based on the feedback that BSI receives and will be what the BCM community wants
Conclusion
• Business Continuity Management is a growing area of international business concern
• An agreed national (or international) standard will benefit all sizes of organisation as they seek to improve their resilience
• Standards evolve over time, and feedback from users is essential to help standards makers ensure that the standard is useful and relevant
• Anyone can get involved in standards, we welcome experts with a variety of views
• Thank you for your attention and I would welcome any questions