Tuesday, 18 January 2011

Setting the Standard for Business Continuity Management in the Public Sector

The Civil Contingencies Act review and implications for Category 1 Responders

As we all know, the process of reviewing the Civil Contingencies Act is well underway and all the indications are that the Civil Contingencies Secretariat of the Cabinet Office is keen that the new version should include a requirement that Category 1 responders have a Business Continuity Management System (BCMS) aligned to the British Standard for Business Continuity Management (BS 25999). It is not thought that BS 25999 certification will be required, simply conformance, which would be reviewed by the current public sector audit bodies.

The trend towards adoption of BS 25999 in the public sector

The Department of Health and the BSI jointly announced their initiative to encourage widespread adoption of BS 25999 Parts 1 and 2 (the code of practice and specification on business continuity management) across the UK National Health Service through a specially adapted Standard, BS NHS 25999. The Department sees BS 25999 as an ideal business continuity benchmark for organisations throughout the NHS.

The Government also accepted all of the recommendations of the Pitt Report into the heavy flooding in 2007, reinforced in its Sector Resilience Plan for Critical Infrastructure 2010, which includes the conclusion that a duty should be introduced on critical infrastructure operators to have business continuity planning to BS 25999 to more closely reflect the duty on Category 1 responders. This should include minimising the loss of supply as far as practicable in the event of a serious emergency resulting from flooding.

Pre-empting the need for BS25999 conformance by reviewing BCM programmes now

All this suggests very strongly that the trend in the public sector is towards the BS 25999 standard and public sector bodies who want to stay ahead of the game should be looking to pre-empt these requirements by starting to review their BCM programmes now. We are working with a number who are doing so and have noticed that many seem to approach this with a degree of trepidation. The good news is that there is no reason to, even if you are starting with little in place.

Benchmarking current business continuity management arrangements

Our recommended first step is to benchmark current BCM arrangements against the control set in BS 25999-2 and to identify where gaps exist. For organisations with mature, maintained and exercised business continuity programmes in place, the gaps should be few. BS 25999 did not introduce anything new in terms of BCM good practice; it mainly codified what already existed in business continuity management and formalised some of the vaguer definitions. However, there will almost certainly be some work to do to bring the programme into full conformity, typically around the documentation sets and the evidential requirements to demonstrate that BCM is truly embedded within your organisation.

Where, for a variety of reasons, the BCM programme has either not reached, or has slipped back from, full maturity and where maintenance through review, training and exercising regimes do not exist, a schedule of works may be required to establish the appropriate controls. Most organisations in this sector already have elements of incident response and escalation as a result of Emergency Planning requirements, but many are concerned about the potential resource demands (personnel and infrastructure) and costs (both overhead and capital) which may be incurred in developing BS25999-aligned BCM processes.

Common factors that reduce the cost of adopting BS25999

Working with a wide variety of public sector organisations and major infrastructure providers, including local authorities, hospital and care trusts, Emergency Services and utilities operators, we have discovered some interesting common factors which tend to reduce the cost and difficulty of achieving BS25999 conformity.

Previously existing incident response mechanisms

Firstly, as already mentioned, most of these organisations will already have comprehensive and well-designed incident response mechanisms. These can frequently be modified to provide an almost ready-made front end to the continuity and recovery processes. This removes the need for a significant part of the work normally required to develop this element of a BCM programme aligned to BS 25999.

Lower ICT dependency requires less ICT continuity planning

Secondly, many may also be less dependent upon Information and Communications Technology than the majority of private sector companies, as many of their most critical services involve direct interaction with the public, whether in terms of the provision of physical services or pastoral care.

Existing resilience against infrastructure-related incidents

Thirdly, most public sector organisations, whether local authorities, NHS trusts or Emergency Services, tend to be located on large campuses or across widely dispersed estates, which provides a significant degree of built-in resilience against infrastructure-related incidents.

Working towards a BS25999 aligned BCMS

If starting from scratch, the first things you need are a business continuity policy, a business impact assessment and a risk assessment. Equipped with this knowledge of your organisation, you will be able to determine your strategic approaches to business continuity and commence planning. Using your existing Emergency Planning incident response and escalation procedures will speed up this planning phase. What you will need to do then is develop a schedule of BCM training and awareness for staff and of BCM exercising to validate your plans and rehearse staff in their BC roles. Then, to complete the lifecycle and continuously improve your business continuity management system, you will need a schedule for auditing, reviewing and maintaining your programme.

If you are looking at BCM for the first time, this may seem daunting, but it is relatively straightforward to benchmark against the standard, whether you do it yourself or have it done by BCM consultants. In terms of implementing a programme, the business continuity policy outlines your approach to BCM, the scope of your BCM programme, roles and responsibilities, and the requirements for exercising, maintenance and training schedules. The business impact assessment defines critical functions, objectives, resources and timescales, and the risk assessment examines threats to the continuity of critical functions with a view to increasing operational resilience. Plans effectively set out who goes where and does what, by when, and with what resources. A large number of the controls in the standard are concerned with ensuring that the effectiveness and currency of the programme are maintained through reviewing, maintaining, exercising and training, and much of this can be integrated with existing committees, protocols and practices such as ISO 9001.

In summary, BS 25999 does not need to add to the cost or complexity of implementing business continuity

BS 25999 does provide a useful and consistent business continuity benchmark that can actually make implementation simpler by setting out what a good BCM programme looks like (Part 1) and offering advice on appropriate controls (Part 2). You will already have much of this in place, and if you base your strategy on existing resilience, implementation costs should be minimised.

Start preparing for BS25999 conformity now

Of course, the less time you have to achieve something, the more resource it requires and the higher the cost. So, knowing that Category 1 responders will soon be expected to have a Business Continuity Management System aligned to BS 25999, the time to prepare for it is now.
