BS 25999 and its Contribution to Business Continuity Management

It has been more than three years since BS 25999 part two was published and with a new International Standard (ISO) on the horizon; BSI’s scheme manager Lorna Anderson, a self-confessed “poacher turned gamekeeper”, takes a look back at what the British Standard has brought to Business Continuity Management (BCM) as a profession and an industry practice.

Looking backwards, BS 25999 was the vanguard; a brave step outside the closeted, cosy world of BCM and into the realm of management system standards. I recently heard the introduction of BS 25999 described as having ‘created a paradigm shift in the BCM industry’.

Many organisations across the globe have now invited external auditors in to provide external scrutiny where none had previously existed, and as a result, have bolstered their organisations’ approach to BCM via the knowledge and experience of these external assessors.  BS 25999 has brought with it a wider audience for BCM.
The standard has introduced BCM to those quality, health & safety and environmental managers who were already familiar with management systems. Business Continuity (BC) is now wider in its appeal and, indeed, visibility, interlinking with other standards to help organisations of all sizes manage sustainability and risk.

BS 25999 has brought a more structured approach to implementing the BCM lifecycle than practitioners were previously familiar with. It standardises the concepts of Business Impact Analysis (BIA) and incident management, not just in what it means as a discipline, but also standardising the minimum requirements that an organisation’s own approach must have.
It has also challenged the concept of competence in BCM roles, providing support to BC managers, enabling them to ensure those with BC responsibilities have their role recognised, competence assessed, training provided and, above all, records kept to prove it.

The flip-side is that some organisations find competence difficult to demonstrate and the rigour needed to meet the requirements of this clause can create waves within organisations if not handled delicately.
BS 25999 has opened the door for a new international standard to help us develop and grow our profession even further.  The ISO incorporates the learning from BS 25999, updating it to current practices and eliminating the universally questioned ‘maximum tolerable period of disruption’ requirement.

The new ISO will build upon BS 25999, facilitating a new uniform approach to implementing not just BCM but the rigor needed to ensure a sustainable, robust BCMS, cascading the importance of clarity and transparency further through the supply chain, particularly internationally.  Sustainability of international supply is such a key risk for those who have extended supply chains; the ISO will help bridge the understanding of BCM and promote global acceptance of terms and indeed of expectations.

In the world of BCM, where secrecy was common in the past, my preferred expectations of the ISO are that it promotes a standard playing field internationally, helping sustain organisations, jobs and even economies in our uncertain world. 
My hope is that there will be widespread adoption of the ISO beyond that already achieved by BS 25999 and that this will help bolster BCM to become a managed system within organisations, mirroring the cry from professionals that it is not a project but an ongoing, managed programme of interconnected elements. 

Ideally, BCM programmes will be audited, challenged and reviewed by organisational management. This will help more organisations become agile, lean and streamlined in this age of austerity, by focusing on what is critical. I would like to see the ISO become the basis for BC managers across the globe to speak the same language, bridging the cross-cultural gaps we currently see in place.

For the ISO to become the global BCM language, allowing BCM professionals to look beyond their own immediate world and help promote resilient global communities.
Although organisations are concerned about the ISO, its contents and requirements (which probably won’t be published until early next year), the key message is to keep calm and carry on. 

Use BS 25999 to shape your management system, strive for external certification if that is important to your organisation but more importantly, continue improving and developing. BCM has seen anacceleration in maturity since the publication of BS 25999 and I have no doubt that will continue in the future.

Written by Lorna Anderson, BSI 

Learn more about BS 25999 Certification or submit online inquiry.