Briefly, certification under BS 25999-2 means that the company can demonstrate to its customers, shareholders, suppliers, employees and the local community that it has robust systems in place to cope with just about any crisis or disaster. So, certification is going to place a heavy burden on those people responsible for the organisation's fire safety. The Standard requires the organisation to examine closely its business and operational risks, to conduct impact analysis and develop effective response strategies to manage the risks, with the aim of ensuring the company's ability to continue to operate following a disruptive event.

But, do we need a business continuity British Standard and what, precisely, is BS 25999 and what does certification involve?

THE BUSINESS CONTINUITY CHALLENGE.
According to the Chartered Management Institute's BCM [Business Continuity Management] research series, the percentage of companies with a business continuity plan has barely changed over the past six years, rising from 45 percent in 2002 to 47 percent in 2008. It reached a peak of 51 percent in 2005, but has fallen back consistently year-on-year since then. Hardly surprising, the same study goes on to show that larger organisations are more likely to have a business continuity plan than smaller enterprises - 62 percent against 33 percent. Similarly, there is a wide divergence of uptake between the public and private sectors.

So, clearly, we have a long way to go before a business continuity culture is widely established in the UK. Interestingly though, the Chartered Management Institute's research shows that external pressure on companies is on the increase and is unlikely to abate. Pressure from existing customers was cited as a key driver by 54 percent of respondents in public organisations and 46 percent in private companies. Public sector procurement requirements are also having an impact on the private sector. This was identified by 16 percent of the research's respondents across private and publicly-listed companies, which is an increase of six percent in just one year.

The writing is, therefore, clearly on the wall. BS 25999-2 certification will soon become the hallmark of any company that takes its corporate governance seriously. Companies without a robust and demonstrable business continuity management regime will find it increasingly difficult to do business, as it becomes an ever-increasing customer expectation.

THE NEW STANDARD.
BS 25999 is in two parts - BS 25999-1:2006 (Code of Practice) and BS 25999-2:2007

(Specification).

Part 1, the Code of Practice, sets out how the organisation can establish and maintain an effective business continuity regime using what the Standard refers to as the "BCM Cycle". It highlights that the Code of Practice is not a set of prescriptive directives that have to be followed; rather it is a collection of best practice guidelines that should be tailored to suit the organisation's particular circumstances. An organisation cannot be audited against the Code of Practice and so they cannot achieve certification against Part 1.

Part 2, the Specification, details how the organisation can implement, maintain and improve a business continuity management system. It describes a number of specific actions that the business must undertake in order to comply with the standard; activities that are audited in order to certify compliance. Part 2 makes extensive use of the Plan - Do - Check - Act model that is already used in quality and environmental management standards such as ISO 9000 and ISO 14000.

The activities included in Part 2 require the organisation to delve into every factor that could jeopardise its ability to continue in business. These include, for example: the identification of critical activities that support key products and services - which means identifying business-critical assets that need dedicated fire protection; the identification of impacts resulting from disruption to these activities; and the establishment of a maximum tolerable period of disruption. Also included in Part 2 is: the identification of dependencies; the setting of recovery time objectives; and establishing estimates of resumption resources.

THE SEMBCORP BLUEPRINT.
This means taking on board a number of factors such as regulatory requirements, customer and business expectations, the nature of the products and services, production processes and storage and distribution logistics, and the size and structure of the organisation. This is certainly no mean feat and perhaps explains why so many businesses find it difficult to determine whether or not it is adequately prepared for disruptions.

Even with its track record in devising and implementing emergency preparedness and response programmes for some of Europe's most prominent high-hazard sites, it took Sembcorp over a year to achieve its BS 25999 certification. Indeed, Sembcorp UK is currently the only company in the world in its sector to secure BS 25999-2 certification, and one of fewer than 20 companies worldwide to gain the new British Standard.

This is why Sembcorp Protection Group is now offering to share its consultancy experience and expertise as a unique "blueprint" for other organisations anxious to gain BS 25999-2 certification, not just to help others achieve certification, but to ensure they are best prepared for any emergency that might threaten their business.

Certainly the Group is no stranger to the task. It is regarded as one of Europe's leading emergency response providers, currently responsible for safeguarding £14 billion worth of high-hazard industrial assets. Its core skills and offerings embrace the provision of outsourced emergency response services, high-hazard risk assessments, reviewing clients' emergency protocols or facilities, as well as devising and planning emergency training tailored to specific needs or circumstances. The Group also deploys the latest fire protection and engineering equipment to protect lives and assets as well as ensuring business continuity.

Bill Simpson led Sembcorp's BS 25999-2 certification programme. He can be reached at Sembcorp Protection Group by telephone on +44 (0) 1642 212102 or via email at protection@sembcorp.co.uk 

Go back »