Business Continuity Management (BCM) - and its implications for the business community
Senior civil servants and Government officials are increasingly supporting the case for effective continuity planning amongst UK businesses.
Ever since the World Trade disaster and the London bombings, the UK has been acutely aware of the economic impact of large or small interruptions to business caused by physical disasters. As a result, the DTI, the Bank of England and the Financial Services Authority (FSA) are all promoting, and increasingly insisting upon, testable, effective continuity planning.
The requirement for evidence of a testable plan is enshrined, for example, in the FSA Working Paper on Business Continuity Management:
5 – At the narrowest level, any significant disruption to firms’ operations may prevent them from satisfying the FSA’s threshold conditions and compliance with the Principles for Business. More broadly, significant disruption may directly challenge at least two of the FSA’s strategy objectives – those referring to market confidence and consumer protection.
It is important to note in this context that the range of forms that such disruption might take – as a result of terrorism or any other cause – is unimaginably broad.
6 – Ultimately, effective BCM is part of good risk management. As such, the FSA already expects all authorised financial institutions to consider the need for a risk-based BCM framework including an appropriate business continuity plan. This expectation is reflected in SYSC 3.2.19G of the Senior Management arrangements, systems and controls module of the FSA Handbook, which states:
"A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness."
It is likely that other regulators will take the same view.
A second factor now also looms that will place significant focus upon practical, testable continuity planning – the arrival of the Civil Contingencies Act.
The Civil Contingencies Act is a clear indicator of how seriously the Government takes the lessons and aftermath of the World Trade disaster.
The Act itself is relatively unspecific, but in Schedule 1 it is addressed to local government, the NHS and the utilities that make up the local support infrastructure, and it places a duty upon these organisations to ensure they will be able to continue to function in the event of a disaster locally, or indeed one affecting their own premises.
Many specialists in continuity planning have commented that this inevitably means entering into contracts for the provision of alternative premises that are capable of handling an emergency level of communication as a minimum.
Equally, a prudent public service or utility will need to be satisfied that it is not exposed to the collapse of a key service provider that suffers a disaster.
In practice, the ripple effect of a utility requiring evidence of continuity planning from its suppliers could pass on down the line, touching many more businesses than the Government originally envisaged.
This new pressure also reflects an increasing awareness that Directors owe a fiduciary duty of care to stakeholders to prove they have a viable plan to minimise disruption and maintain the revenue stream.
In particular, auditors and solicitors are becoming concerned that client management should be able to provide evidence that continuity planning is a Board issue, and is testable (and tested!).
It is possible that shareholders would seek redress from auditors and Directors if they fail to report inadequate planning for physical disaster.
Hence the level of interest not only in Business Continuity Planning as enshrined in BS25999 (parts 1 & 2), but also in premises available to take staff and IT infrastructure at short notice so that the business can continue to run seamlessly.