Business continuity and disaster recovery planning is a key governance responsibility for every organisation, yet many organisations have still not addressed the basics. The board of directors is accountable for ensuring that the organisation has developed and tested its business continuity management system, and for taking the actions needed to deal with the risks the organisation is likely to face.
Part of this responsibility derives from the UK Companies Act 2006, which gives statutory force to what has long been the common law duty of directors worldwide: to exercise due care in relation to their companies. Specifically, directors must "exercise reasonable care, skill and diligence" (section 174).
All organisations face business continuity risks of one kind or another, including natural disasters, cyber attack, fire and flood, sabotage, disease, electrical failure and terrorism, so it is important to have a business continuity management system in place. Such a system sets out the processes and procedures for developing, testing and maintaining business continuity plans, so that the organisation can keep its critical activities running, or restore them within defined timescales, during and after a disaster. It is typically designed to cover incidents affecting any of the organisation's business-critical processes and activities, from the failure of a single server or server room through to the complete loss of a major facility.
The figures commonly quoted are stark: 80% of organisations with a tried and tested business continuity plan are likely to survive a major disruption, whereas only 20% of those without a plan are likely to survive, and more than 90% of organisations that suffer a significant data loss are no longer in business two years later.
Yet a Business Continuity Institute survey indicates that 30% of businesses still have no business continuity plan, and many of those that do have plans that have not been updated and are no longer comprehensive enough. Several internationally recognised standards exist against which an organisation can assess, and be certified for, the adequacy of its business continuity management system.
BS 25999 helps organisations to develop the right systems and processes to prepare for the worst. For many companies, conformance to BS 25999 gives investors and other stakeholders the confidence they need to support the business through tough times.
ISO 22301, which will replace the second part of BS 25999 (BS 25999-2, the specification), sets out the requirements for establishing and managing an effective Business Continuity Management System (BCMS). Because it is a requirements standard, it is auditable, which allows an organisation to demonstrate compliance through independent certification.
ISO/PAS 22399:2007 provides general guidance for an organisation — private, governmental, and non-governmental — to develop its own specific performance criteria for incident preparedness and operational continuity.
Finally, the loss of telecommunications, internet connectivity, physical premises, machinery and equipment, or critical people are all possible continuity risks. For the information and communications technology (ICT) elements among them, ISO/IEC 27031 gives guidance on ICT readiness for business continuity, covering the ICT services on which the wider business continuity plans depend.
Every organisation should, for its own survival, have some form of business continuity management system in place and have it externally audited and assessed. What is clear is that, in the uncertain times we live in, business continuity planning is no longer a luxury. It is a necessity.