Avalution continues to help a variety of organizations prepare for BS 25999 certification. Having successfully helped an organization achieve certification and worked with our clients during pre-assessments, our team is starting to see broad trends, including key success factors for certification as well as common roadblocks.
Beyond the mechanics of becoming certified, we have seen the value associated with the certification process firsthand – the value that may not be obvious based strictly on reading and complying with the standard.
Are You Ready?
The number of North American-based organizations inquiring about BS 25999 certification is skyrocketing. Two points heard over and over are:
- We’ve seen the standard, we have a great program and we’re ready
- Certification would provide value to our stakeholders and help consolidate support for my program
Despite having a solid program, working toward compliance with BS 25999 will likely lead to program improvement and maturation, taking your business continuity management system to the next level. Why? Consider this question: Are you, or is your organization, familiar with quality management systems, as described in ISO 9000 / 14000, or does your organization have a background in another ISO certification? In the 1980s and 90s, quality methodology and processes introduced significant value to thousands of organizations. As a result, many of these organizations began working toward certification. In preparation for certification, these organizations fine-tuned their efforts, adding repeatability, engaging management and continuously working to improve existing processes. While these initial quality management programs provided business value, additional value was provided by the more robust and continuously improving processes that certification demanded. The same applies to business continuity certification today. In fact, BS 25999 references a number of concepts and ideas “borrowed” from these quality standards. Let’s discuss a few – defining each and describing the value introduced to business continuity.
1. Management System
A management system is defined as a set of policies, processes and procedures required for planning and execution in a core business area of the organization. A management system integrates the various internal processes within the organization and provides a process approach for execution. When applied to a business initiative like quality or business continuity, a management system enables the organization to identify, measure, control and improve the processes that will ultimately lead to improved business performance. Understanding how the organization plans for business continuity success, assessing strengths and weaknesses, documenting processes and associated roles and responsibilities, and creating program awareness are all cornerstones of a successful, repeatable business continuity management system.
2. Management Review
According to BS 25999-2, management shall review the organization’s business continuity management system at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the business continuity management system, including the business continuity management policy and business continuity management objectives. A management review sounds like a simple concept, and in reality, it is. It is also one of the most fundamental elements of the BS 25999 management system because it affords the organization’s leadership team the opportunity to understand current-state performance, offer feedback on program results, and set future-state priorities and objectives. Additionally, the outcomes from the management review are inputs to another critical business continuity process – corrective action / preventative action handling.
3. Corrective Action / Preventative Action
Corrective action / preventative action handling is defined as the systematic investigation of discrepancies (failures and / or deviations) in an attempt to prevent their recurrence. Taken one step further, corrective and preventative action handling may include the identification of risk management performance issues before a failure or disruptive event occurs. The sources of business continuity management system opportunities for improvement (known as corrective and preventative actions) vary. Corrective and preventative actions could be proactive risk treatments designed to decrease the likelihood of a disruptive event or possibly reactive strategies designed to enable the organization to respond or recover in a more timely and complete manner. Sources of corrective and preventative actions include internal audits, exercises, BIA or risk assessment results, plan reviews, change management meetings and management input (to name a few). An organization that collects, prioritizes, manages and reports on closing these improvement opportunities is more likely to improve the performance of the business continuity management system and thus meet management objectives.
Read Between the Lines
Avalution has observed that most organizations aren’t fully ready for certification – quite a few have some work to do. We know that “perfect” business continuity programs don’t exist – when compared to a standard or when compared to management expectations. However, the process for preparing for certification, and more importantly leveraging management system concepts, introduces immediate benefits. Three such benefits stand out – and you won’t be able to fully recognize them simply by reading BS 25999-2:
- Better Integration
A management system, by definition, integrates processes and activities toward a common set of goals and objectives. If your organization struggles with integrating processes like business recovery and IT disaster recovery, for example, the framework required for BS 25999 can assist.
- Clarity Regarding Priorities
Scope, limitations, objectives, exclusions, expectations and feedback are all words found in BS 25999. Each is always associated with management review and involvement. A management system naturally mandates the involvement of management, and BS 25999 is very clear that the business continuity effort must closely align to the leadership team’s and the organization’s most pressing needs.
- A Focus on Continuous Improvement
Your business continuity program doesn’t need to be perfect to be granted BS 25999 certification. Rather, the program must strive toward meeting management’s expectations and include a process to collect feedback from multiple sources, which is needed to deliver enhanced maturity, capability and alignment with the organization’s most strategic business objectives.
Understanding and internalizing BS 25999 results in business value. Organizations that truly implement BS 25999 demonstrate that their programs are repeatable, management-involved, prioritized, and above all, focused on continuous improvement.