Lost in translation?
Written by Peter Davy
Peter Davy reviews the market’s reaction to the introduction of new international management systems standards for business continuity
Arguably the world’s best known business continuity management standard, BS 25999, was replaced this year by a new international standard, ISO 22301, Societal security – Preparedness and Continuity Management Systems – Requirements. The new standard draws heavily on the original text in specifying the requirements that must now be met to set up and manage an effective business continuity management system.
The updated standard is good news for supporters of BS 25999, says Hugh Leighton, senior consultant at Aon and part of the committee that put together the BS 25999 Part 1 code of practice, on which the specification (Part 2) is based. “It is a natural progression to develop it into an ISO,” he says. “It helps broaden the appeal outside the UK.”
How wide that appeal may be, though, is difficult to say. It is still very early days, but there are some signs of encouragement. Earlier this year saw business continuity consultants Needhams 1834 become the first UK body to be certified, by LRQA. The British Standards Institution (BSI), meanwhile, announced in August its first certification of Spanish bank Bankinter.
Many more are set to follow, according to the Business Continuity Institute. It surveyed 615 business continuity practitioners from 20 countries earlier this year along with LRQA, with the first set of findings published in July. These suggested certification levels were expected to treble over the next three years, with 142 of the 615 business continuity practitioners responding intending to be audited to the new standard – two thirds (95) of them not currently holding certification to any standard.
That should not be such a surprise, says Suzanne Fribbins from the BSI’s risk team, adding that “history shows” that when business standards go international, their take-up grows “exponentially”.
For a start, all those already certified to the British standard will have to transition to the new ISO over the next two years or lose certification. Most, since they’ve already decided certification is worthwhile, seem likely to do so.
Supporters also expect the arrival of the ISO standard will encourage new followers, for the logical reasons relating to geographical spread. Outside the UK, the BSI is already seeing particular interest in Japan, according to Fribbins. The BCI, meanwhile, found strong support in the Middle East and Africa in its survey.
Indeed, the new ISO is also likely to prove attractive to British businesses with international operations or customers. As Chris Needham-Bennett, founder of Needhams 1834, puts it: “I have a standard now that is recognised from Singapore to Buenos Aires.”
Steve Mellish, the former head of business continuity at Sainsbury’s and now director of his own consultancy, Mellish Risk and Resilience (as well as chairman of the BCI), adds that one of his clients keen on becoming an early adopter of the ISO is a small British company, but one that deals with big international airlines. “The ISO helps provide a common language for businesses working internationally,” he explains.
At SunGard Availability Services, principal consultant Ron Miller agrees. “If you are an organisation looking to guarantee your critical suppliers will be around, you want to look for an organisation that can prove it has resilience in place, and with the national standard disappearing, ISO 22301 is the only game in town.”
That common language provided by the new ISO is likely to be a big pull for British businesses with international operations or customers. Indeed, this is the first ISO drafted under a new format that will be applied to all the organisation’s future standards, with the aim of boosting consistency.
“It is written using a syntax that will be used for all future international standards for all management systems so it is groundbreaking in that respect,” says Deborah Higgins, technical and learning manager at the BCI.
This in itself will do no harm to the profile of business continuity as a discipline and could also mean the new standard may appeal more to companies certified by other codes.
One step at a time
Yet despite all that, certification to date remains limited. The BSI says it has certified just a “handful” so far; LRQA, another big certifier, has just nine, either approved or in the pipeline.
Moreover, the second half of the BCI’s report into its survey, published in November, paints a slightly less optimistic picture of the potential uptake. The respondents were business continuity practitioners (mostly BCI members). However, the analysis released in November shows that three quarters of them would have to convince someone in the organisation outside the discipline – often executive management – to go for certification. Almost half (48 per cent) said they would need to demonstrate a business case for adopting the ISO.
That won’t necessarily be easy. While at Sainsbury’s, for instance, Mellish put in place a system designed around BS 25999, and even went as far as working with the BSI to develop a route to certification around four components to cover the organisation: central operations, logistics and supply chains, the retail stores, and the IT system. But it never happened.
“We were a victim of our own success,” he explains. “We were successfully dealing with five or six serious incidents a year and the challenge that came back was that we already had a robust system the organisation had faith in, so what was the benefit in certification? It was very difficult to answer.”
Mellish reckons it is likely to be smaller firms wanting to reassure larger customers that will have the most use for the standard.
Those smaller firms, however, are likely to be most focused on cost, and for many the timing is not ideal. As Needham-Bennett says: “It is a distressed purchase being put out in the middle of a recession.”
The BCI survey, meanwhile, found small firms less likely to certify. In the absence of contractual pressure to do so, there are few other drivers. Regulatory pushes, at least in the UK, look unlikely, and the insurance industry seems as reluctant as ever to take much note of certification when writing business interruption cover. “The insurance industry has a vested interest in this, and there’s an opportunity for it to do much more to make it worthwhile,” complains one consultant. “They should be encouraging this.”
But, in truth, it was ever thus. Needham says BS 25999, for all its popularity, was probably “the most downloaded but least implemented standard” available. As the BCI survey confirmed, most companies choose to align with standards rather than certify.
Moreover, even if businesses do choose to certify or even just align to a standard, they face a significant choice. Arguably partly as a result of BS 25999, standards have become increasingly popular in business continuity, and businesses have a range of options to choose from, both from other standards bodies and from regulators.
Rod Ratsma, EMEA head of resilience advisory at Marsh, says, “The production of standards is an industry in its own right. It is very hard to know what the authoritative global benchmark is.”
ISO 22301 certainly makes a pitch for that position. Whether it can legitimately claim the title, however, time will tell.
Spot the difference
As the BCI’s November report found, there are significant differences in opinion concerning the differences between ISO 22301 and BS 25999. At Needhams 1834, consultant Andrew Macleod, who led implementation of the standard, says there’s little difference. “The ISO is 24 pages and 25999 was 22 pages,” he says. “If you already have BS in place the changes are fairly minor.”
On the other hand, the ISO is a societal security standard, so is more widely focused, which can be seen in the attention it gives to business objectives, and a longer-term view of the aftermath of incidents – going beyond immediate recovery – to name just two of the differences.
At LRQA, technical services manager Phil Willoughby says there are essentially three types of change: changes in language, with British terms such as MTPoD (Maximum Tolerable Period of Disruption) replaced; enhanced requirements, with greater details required for communication strategies and more evidence of senior management buy-in, for example; and new requirements, such as independent audits of critical outsourced dependencies incorporated into monitoring and measurement.
Overall, though, he says that most with experience of the British Standard should cope. “You might have to do more than you are doing already but the differences are not that challenging.”
And in one respect, at least, ISO and BS 25999 Part 2 are identical: both are primarily about creating robust management systems, and are not business continuity guidelines per se. Indeed, it is important to remember that the ISO standard replaces BS 25999 Part 2 – the 2007 specifications for compliance; Part 1 of the British standard, the 2006 Code of Practice, remains a current document, stresses Leighton. And it is this part of the standard that has had, and will continue to have, the greatest take-up, he says. “ISO 22301 does not provide a code of practice. It is the management system standard,” he explains. “It tells you how to build a management system for business continuity. It does not tell you how to do business continuity.”