Risky business by Oliver Cann

Managing Risk

Managing risk is becoming an increasingly important discipline for businesses.

Oliver Cann investigates how standards can help.


BIP 2036:2006
The Risk Management Universe: a guided tour
£36.00 (save £4.00 on RRP)
This book brings together leading experts from various risk management fields to share key insights into what makes their part of the risk management universe unique. Each contributor describes current best practice in their area of expertise, as well as outlining areas for future development.

BIP 0026:2006
Complete ISMS BS ISO/IEC 27001 documentation toolkit CD-ROM, including The Manager's guide to data security and BS 7799/ISO 17799
£449.00 + VAT (save £50.00 on RRP)
Written by business managers for business managers, this CD-ROM and book is an essential resource for all organizations, but especially those with developed internal IT systems and those focused on e-commerce. The toolkit includes The Manager's guide to data security and BS 7799/ISO 17799 by Alan Carter and Steve Watkins.
ISBN 0 580 46262 5

PD 3002:2002
Guide to BS 7799 risk assessment
£36.00 (save £4.00 on RRP)
This guide addresses the topic of risk assessment in the context of BS 7799 and in particular the development and certification of BS 7799 information security management systems. It aims to provide a common basis and understanding of the underlying concepts behind risk assessment and risk management, the terminology used, and the overall process and options for assessing and managing the risks.

PD 3005:2002
Guide on the selection of BS 7799-2 controls
£40.00 (save £5.00 on RRP)
This guide describes a selection process that takes the identified security requirements and, through a sequence of linked business decisions, defines what controls need to be implemented.

BS 7799-3:2006
Information security management systems. Guidelines for information security risk management
£72.00 (save £8.00 on RRP)

Risk has always been a part of business. Whether making an investment in a new technology or taking on a new supplier, there is an element of risk in more or less every business decision. Standards have traditionally been used as part of the toolkit to reduce risk. ISO 14001, for example, helps companies manage environmental risks, while BS ISO/IEC 27001 (formerly BS 7799) offers businesses a clear way to mitigate risks in information security.

However, in a year that saw the London terrorist bombings, hurricanes Katrina and Wilma and a major oil depot explosion just north of London, it's hardly surprising that the broad subjects of risk management (RM), disaster recovery (DR) and business continuity management (BCM) have moved back onto the business pages of the nation's media. Despite this heightened awareness, however, businesses are still putting themselves at unnecessary risk by failing to prepare thoroughly for IT or supply chain failure, according to a recent study commissioned by BSI in the UK.

Compiled from interviews with 100 senior decision makers at FTSE 250 companies, BSI's Business Barometer found that nearly one-third of respondents believed their business wasn't prepared for a failure in the supply chain that could arise from a natural or man-made disaster.

In addition, 25 per cent did not believe their business was prepared for catastrophic failure of IT, and nearly half (45 per cent) believed they were unprepared for forced relocation due to unforeseen circumstances such as a terrorist strike, industrial incidents or natural disasters.

But the Business Barometer also revealed a marked contrast of preparedness for crises between businesses that widely adopt British standards and those that do not: 78 per cent of businesses that adopt standards feel prepared to handle catastrophic IT failure, compared to only 28 per cent that do not. Furthermore, 71 per cent of businesses that adopt standards feel prepared to deal with failure in the supply chain, compared to 43 per cent that do not adopt standards.

And yet the research showed that many businesses know that having standards could help, but fail to act accordingly: 87 per cent of senior business decision makers agreed that, with increased reliance on outsourcing, standards are more important than ever because they enable businesses to have confidence in the way sub-contractors work.

Nor do business-disrupting events necessarily provoke an urgent response. According to a recent survey from the Business Continuity Institute (BCI), only 40 per cent of City-based firms in London invoked a business continuity plan as a result of the attacks of July 7, 2005.

Overcoming corporate lethargy in this area will not be easy. Part of the challenge comes down to definitions: there are various schools of thought where DR, RM and BCM are concerned. According to Chris Green, chair of the BSI BCM Technical Committee and Head of Business Continuity at HBOS, DR programmes evolved from the technology recovery programmes of the eighties and were limited to IT. In recent years, that limited focus has evolved and expanded significantly.

"BCM considers everything from staff to facilities and supplier issues, as well as preparing both legal and communication responses for virtually any contingency. It's effectively a subset of overall risk management," says Green. "Some argue that RM is a subset of BCM (ie, every risk represents a threat to the continuity of business), but this is not a commonly held view. There are many types of corporate and commercial risk (theft of intellectual property, bad debts, changes in planning consents) that I believe fall within a wider RM framework, but don't necessarily require a continuity response. They do, however, require a crisis or incident response, hence the reason for the two viewpoints."

While risk management covers a large and overlapping range of business areas for which there are already a number of existing standards, from corporate governance to corporate social responsibility and health and safety, BCM represents an effective starting point for companies concerned about interruptions to their business.

Risk management revolves around the critical activities that keep the business alive, and BCM is a vital component of this process. Through BCM, an organization seeks to identify what needs to be done before a disruption or incident occurs, to keep the organization's people, assets, systems and information secure. BCM also outlines the skills needed to manage situations if they occur, to protect the reputation of an organization and keep it up and running.

BCM is a holistic management process that creates a framework for defending against potentially negative incidents that a business could suffer. It is not limited to any individual department or supplier, but looks at the big picture, assessing potential disruption at all levels.

A good BCM programme protects stakeholders' interests, reputation and brand, and is a key element in any well-run organization's risk management strategy.

According to Nicki Dennis, head of risk market development at BSI British Standards, RM as an umbrella framework takes in disciplines as diverse as knowledge management, health and safety, crisis communications and PR. As such, it represents the ideal place to begin searching for common ground and build a risk-aware standard for the future.

Be prepared

BSI has taken all of these facts on board. It is considering tracking the shortcomings highlighted in the Business Barometer on a regular basis in the hope of prompting greater action. It also launched the UK's first Risk Management and Business Continuity Management technical standards committees in 2005. Their joint task will be to develop two risk-relevant standards to provide guidance for business: one relates specifically to risk management, while the second is dedicated to business continuity. Both are at the committee stage.

"Recent events have emphasized the need for companies to integrate business continuity and risk management into their corporate strategy, to minimize the instance of loss or damage to finances, staff or reputation in difficult times," Dennis pointed out at the launch of the committees. Leading BCM and RM experts, as well as wider business and statutory bodies, have been invited to contribute to the creation of the UK's first formal standards in both of these areas.

BSI introduced publicly available specification (PAS) 56, Guide to Business Continuity Management, as part of this process back in 2003. PAS 56 has generated substantial interest since its publication, according to Dennis, and sparked a good deal of debate, giving the current drafting committees plenty of practical considerations to take into account for the standard proper.

For the risk management standard, a framework is being created that mirrors work being co-ordinated at the international level by ISO, with a British flavour to make sure it is relevant to UK plc.

The business continuity standard currently being authored is, according to Dennis, a more organic document, with BSI playing a leading international role in creating a framework template. According to Dennis, BCM is not just about disaster recovery, but about laying down the lifetime processes required to understand what continuity is all about.

"IT recovery is a part of business continuity," she says. "For example, the terrorist attacks in London had very little to do with computers and a lot to do with getting people to work to ensure disruption was kept to a minimum. The same can be said about the Buncefield oil depot explosion in Hemel Hempstead."

Does BCM rely solely on averting disaster to get its message across, or does it bring other business benefits? Likewise, does it have longevity as a business discipline, or is it merely index-linked to the number of unhappy events that occur in a given year?

According to Dennis, there are many reasons why companies should consider RM and specifically BCM. The main one is corporate governance: being able to demonstrate a good risk management process means you can show good governance. This is important, as many organizations (finance and listed companies aside) are regulated in this field. BCM has knock-on benefits when it comes to demonstrating a duty of care to all stakeholders, which generates goodwill, especially among employees.

And best of all for those companies focused on the bottom line, standards for BCM could actually save money. A well-designed methodology that makes full use of the experience of its authors represents a much more cost-effective solution than trying to build a programme from scratch.

Such standards could also lead to lower insurance premiums, better relations with suppliers (confident that their supply won't be interrupted) and a more consistent share price. On this last point, research demonstrates a link between a good business recovery plan and improved share price in the aftermath of a business disruption.

"Standards will help by providing some glue and context," says Green. "As more firms, particularly SMEs, adopt BCM, they will need guidance and support, and a British Standard will provide that. It will help prevent companies from making unreasonable demands on suppliers and SMEs by defining an appropriate and measured BCM capability and response."

Failure: not an option

While a headline-grabbing event may put disaster recovery in the spotlight, the holistic approach required of BCM, more concerned as it is with the implementation of lifetime processes, doesn't always capture the imagination.

Nonetheless, the general public is growing less tolerant of bungled risk management in all its forms. Just look at the scorn poured on the Federal Emergency Management Agency (FEMA) in the aftermath of Hurricane Katrina in the US or the anger voiced by travellers toward British Airways over the industrial action of airline caterers Gate Gourmet.

"Some disruptions that occur could have been prevented by a thorough risk assessment and impact analysis, but BCM is also about how quickly you can get things up and running again," says Dennis. "Disasters can quite clearly happen to anyone and businesses need to start putting plans together that will help them cope: at BSI, we want to create a template so that people who want to minimize risk have the best means available to do so. This need not cost a lot; it will just require a little time to implement."

Thankfully, business seems to be responding. "Broadly speaking, both RM and BCM are still emerging subjects for business; good practice is changing quite fast as companies try things out and realize what works and what doesn't, and learn from each other," says Dennis. "Everyone that I've met, across a wide range of businesses, is keen to learn from other sectors, from telecoms to financial services. It's a vibrant area." And with a full complement of stakeholders involved, the goal of combining international best practice tailored to the needs of UK business and consumer interests should be assured.

Biometrics background

The UK government's risk management measure of introducing ID cards in the fight against terror has provided a subtle challenge to the international standards community. At the same time as organizations such as ISO and BSI have been actively working with the fledgling biometric industry to promote new standards in scanning and recognition technology, they must also protect the individual from the risk of identity inaccuracy and even false imprisonment.

Four new standards have just been published under the BS ISO/IEC 19794 series, covering identity management systems. They relate to fingerprints, facial recognition and iris scanning, and apply to anything from the information held on smart cards to the storage of biometric identification data in corporate databases.

These standards cover technologies already in everyday use and others that are yet to be rolled out. They also place equal emphasis on both who gets access to the information stored and how the information is gathered. In terms of deployment, their importance to product or service vendors, legislators and systems integrators will grow as government-led take-up of biometrics intensifies. Several governments across the EU and others, including Israel, have already specified that departments' and their suppliers' use of biometrics must conform to an international standard rather than vendor-specific solutions. It's not difficult to see this technology having other applications in areas such as forensic science, elections and penal policy. As such, checks and balances are essential for a smooth transition to mainstream use.

Managing Malaysia's risks

Natural disasters and global terror, and the effect they could have on business, were behind an initiative by the Malaysian government to draw up a business continuity plan framework for the whole country.

Authored by Shamsuddin Abdul Jalil, policy analyst with Malaysia's National ICT Security and Emergency Response Centre and an expert on cyber terror, the plan aimed to tackle a chronic lack of preparation in the region. For example, according to research from Gartner, two out of five Malaysian enterprises struck by disaster would not be in business five years after the event. Jalil's plan is to change the way the country thinks about disaster and continuity planning, from developing a fast-track local BCM standard that would be easier for locals to understand to making BCM part of various courses, from MBA programmes to on-the-job training modules. Malaysia is already an international force in the field of business continuity planning, and this framework merely adds to that reputation.

Are you ready?

For more information on BSI's work in risk management, visit www.bsi-global.com/Risk, where you can download a copy of The Risk Management Universe: A Guided Tour, an information leaflet describing a new book that brings together leading experts from various risk management fields to describe current best practice and point to future developments.

BSI is also hosting a Corporate Security Management Summit, a two-day summit (28 February to 1 March) in London, to discuss the ways in which in-house security management roles are changing and how they will change in the future. The summit will provide a forum for debate and an opportunity to discuss and resolve the issues you have. To find out more or to book your place, please visit www.bsi-global.com/corporatesec.
