Tuesday, October 30th, is the world-wide launch of the British Standards Institute's (BSI) new Business Continuity Management System standard, BS 25999-2. The launch in the United States will take place in New York, and over 200 people are expected to be in attendance. On the same day the standard will also be launched in London, England, and Tokyo, Japan.
As a longtime holder of a CBCP (Certified Business Continuity Professional) certificate and someone who follows the DRII (Disaster Recovery Institute International) Generally Accepted BC Practices, I was originally skeptical that this standard would do anything but further confuse everyone about how to develop, implement and maintain a business continuity plan. But I’ve become increasingly excited about this new standard. My excitement has increased for two reasons:
1. The standard is auditable, and a company, not a person, will get certified. All previous recognized certifications have focused on the practitioner and not the organization. It will always be important to have organizations that certify a practitioner’s competency to design, develop and implement sound Business Continuity Plans. However, increased scrutiny, not only by regulatory agencies but also within the supply chain, has placed new emphasis on a company’s ability to develop and sustain comprehensive Business Continuity Plans.
An increasing number of companies are being asked by their clients to provide documented, tested and maintained Business Continuity Plans. These requests are combined with the requirement to complete detailed questionnaires developed by each client. A general lack of consistency in these questionnaires has led to companies expending valuable resources to create responses to these requests instead of focusing on implementation of a management system to address the ‘real’ requirement of having a Business Continuity Plan which is tested and updated as the business grows and changes. Getting certified in this new standard gives a company a leg up in this environment by providing client companies with their internationally accepted certification.
2. The new standard places an emphasis not only on developing a plan, but on the management system surrounding the plan. Too many times I’ve seen companies develop a Business Continuity Plan and then just let it sit on a shelf. They quickly learn that this type of plan is no plan at all. But, not unlike ISO/IEC 27001:2005 and ISO/IEC 20000, the BS 25999-2 standard is based on the cyclical principle of ‘plan, do, check, act.’ The strength in using this principle is that a company will now have a set of processes to review, test and continuously improve its business continuity plan. This, coupled with regular auditing by an external party, in this case BSI, can give a company peace of mind that they have a strong enough system in place to overcome most any contingency.
The launch should prove to be a great day with hopefully a cross-section of industry and governmental business continuity experts scheduled to attend. I’ll report to you next week with my thoughts from the launch.
Until then, be safe and remember to ‘Expect the Unexpected.’