BS 25999 and its Contribution to Business Continuity Management

It has been more than three years since BS 25999 part two was published and with a new International Standard (ISO) on the horizon; BSI’s scheme manager Lorna Anderson, a self-confessed “poacher turned gamekeeper”, takes a look back at what the British Standard has brought to Business Continuity Management (BCM) as a profession and an industry practice.

Looking backward, BS 25999 was the vanguard; a brave step outside the closeted, cosy world of BCM and into the realm of management system standards. I recently heard the introduction of BS 25999 described as having ‘created a paradigm shift in the BCM industry.

Many organizations across the globe have now invited external auditors in to provide external scrutiny where none had previously existed, and as a result, have bolstered their organizations’ approach to BCM via the knowledge and experience of these external assessors.  BS 25999 has brought with it a wider audience for BCM.
The standard has introduced BCM to those quality, health & safety and environmental managers who were already familiar with management systems. Business Continuity (BC) is now wider in its appeal and, indeed, visibility, interlinking with other standards to help organizations of all sizes manage sustainability and risk.

BS 25999 has brought a more structured approach to implementing the BCM lifecycle than practitioners were previously familiar with. It standardizes the concepts of Business Impact Analysis (BIA) and incident management, not just in what it means as a discipline, but also standardizing the minimum requirements that an organization’s own approach must-have.
It has also challenged the concept of competence in BCM roles, providing support to BC managers, enabling them to ensure those with BC responsibilities have their role recognized, competence assessed, training provided and, above all, records kept to prove it.

The flip-side is that some organizations find competence difficult to demonstrate and the rigor needed to meet the requirements of this clause can create waves within organizations if not handled delicately.
BS 25999 has opened the door for a new international standard to help us develop and grow our profession even further.  The ISO incorporates the learning from BS 25999, updating it to current practices and eliminating the universally questioned ‘maximum tolerable period of disruption’ requirement.

The new ISO will build upon BS 25999, facilitating a new uniform approach to implementing not just BCM but the rigor needed to ensure a sustainable, robust BCMS, cascading the importance of clarity and transparency further through the supply chain, particularly internationally.  Sustainability of international supply is such a key risk for those who have extended supply chains; the ISO will help bridge the understanding of BCM and promote global acceptance of terms and indeed of expectations.

In the world of BCM, where secrecy was common in the past, my preferred expectations of the ISO are that it promotes a standard playing field internationally, helping sustain organizations, jobs and even economies in our uncertain world. 
My hope is that there will be widespread adoption of the ISO beyond that already achieved by BS 25999 and that this will help bolster BCM to become a managed system within organizations, mirroring the cry from professionals that it is not a project but an ongoing, managed programme of interconnected elements. 

Ideally, BCM programmes will be audited, challenged and reviewed by organizational management. This will help more organizations become agile, lean and streamlined in this age of austerity, by focusing on what is critical. I would like to see the ISO become the basis for BC managers across the globe to speak the same language, bridging the cross-cultural gaps we currently see in place.

For the ISO to become the global BCM language, allowing BCM professionals to look beyond their own immediate world and help promote resilient global communities.
Although organizations are concerned about the ISO, its contents and requirements (which probably won’t be published until early next year), the key message is to keep calm and carry on. 

Use BS 25999 to shape your management system, strive for external certification if that is important to your organization but more importantly, continue improving and developing. BCM has seen an acceleration in maturity since the publication of BS 25999 and I have no doubt that will continue in the future.

Written by Lorna Anderson, BSI 

Learn more about BS 25999 Certification or submit online inquiry.