Business Continuity
Background
Business continuity management (BCM) is a process that helps manage risks
to the smooth running of an organisation or delivery of a service, ensuring
continuity of critical functions in the event of a disruption, and
effective recovery afterwards. The Government aims to ensure all
organisations have a clear understanding of Business Continuity Management
(BCM). This section outlines the importance of BCM, and discusses how best
to achieve business continuity.
Good BCM helps organisations identify their key products and services and
the threats to these. Planning and exercising minimises the impact of
potential disruption. It also aids in the prompt resumption of service
helping to protect market share, reputation and brand. In order to be
successful, BCM must be regarded as an integral part of an
organisation's normal ongoing management processes. To achieve this
top-level buy-in is vital as it disseminates the importance of BCM
throughout the organisation. Engaging senior staff is crucial to the
success of any major programme because of the influence they have over
resource allocation and the culture of an organisation.
Understanding the organisation
Before plans can be written you must understand the organisation's BCM
needs. There are several tools used to inform this process. It is important
to first identify the key products and services that the organisation
delivers. A Business Impact Analysis (BIA) identifies the critical
activities and resources supporting the key products and services and helps
identify the impact of a failure of these. Another useful tool is a risk
assessment, which helps identify the potential threats to the organisation,
and their likelihood. The Civil Contingencies Act requires the publication
of all or part of a risk assessment for your local area (undertaken by
local Category 1 responders). This may be a useful point of reference for
your own risk assessment.
Developing plans
Good BCM requires both incident management plans and business continuity
plans, although these do not necessarily have to be separate documents.
Incident management plans allow the organisation to manage the initial
impact of an event, for example staff evacuation or media response. The
business continuity plan allows the organisation to maintain or recover the
delivery of the key products and services that the BIA identified.
Both generic and specific plans may be required. A generic plan is a core
plan which enables an organisation to respond to a wide range of possible
scenarios, setting out the common elements of the response to any
disruption. These elements would include invocation procedures, command and
control structures, access to financial resources etc. Within the framework
of the generic plan, specific plans may be required in relation to specific
risks, sites or services. Specific plans provide a detailed set of
arrangements designed to go beyond the generic arrangements when these are
unlikely to prove sufficient.
The Civil Contingencies Secretariat has developed, in partnership with
stakeholders, a
Business Continuity Management Toolkit[External PDF] to
help the commercial and voluntary sector implement BCM.
Exercising plans
Plans cannot be considered reliable until they are exercised and have
proved to be workable. Exercising should involve: validating plans;
rehearsing key staff; and testing systems which are relied upon to deliver
resilience (e.g. uninterrupted power supply). The frequency of exercises
will depend on the organisation, but should take into account the rate of
change (to the organisation or risk profile), and outcomes of previous
exercises (if particular weaknesses have been identified and changes made).
Training and awareness
There is a need to train those responsible for implementing BCM, those
responsible for acting in the event of disruption and those who will be
impacted by the plans. This training and awareness can be delivered in many
ways. Those involved in implementing BCM may require extensive training,
whereas those with no direct responsibility may simply need to be made
aware.
The Emergency Planning College [External website], which is part of the
Civil Contingencies Secretariat, runs courses on risk assessment and
business continuity management.
Reviewing and maintaining plans
Organisations should not only put plans in place, but should ensure they
are reviewed regularly and kept up to date. Particular attention may need
to be paid to: staff changes; changes in the organisation's functions
or services; changes to the organisational structure; details of suppliers
or contractors; and changes in the organisation's strategic objectives.
The business continuity management standard (BS25999)
BS25999 is a code of practice that takes the form of guidance and
recommendations. It establishes the process, principles and terminology of
business continuity management (BCM), providing a basis for understanding,
developing and implementing business continuity within an organisation and
to provide confidence in business-to-business and business-to-customer
dealings.
The British Standard on Business Continuity Management (BCM), BS25999,
defines BCM as 'a holistic management process that identifies potential
threats to an organisation and the impacts to operations that those
threats, if realised, might cause, and which provides a framework for
building organizational resilience with the capability for an effective
response that safeguards the interests of its key stakeholders, reputation,
brand and value creating activities.'
It provides a comprehensive set of controls based on BCM best practice and
covers the whole BCM lifecycle, which is illustrated below.
The British Standard sets out six elements to the BCM process.
- BCM programme management - Programme management enables the business
continuity capability to be both established (if necessary) and maintained
in a manner appropriate to the size and complexity of the organisation.
- Understanding the organisation - The activities associated with
"Understanding the organisation" provide information that enables
prioritisation of an organisation's products and services, identification
of critical supporting activities and the resources that are required to
deliver them.
- Determining business continuity strategies - This allows an appropriate
response to be chosen for each product or service, such that the
organisation can continue to deliver those products and services at the
time of disruption.
- Developing and implementing a BCM response - This involves developing
incident management, business continuity and business recovery plans that
detail the steps to be taken during and after an incident to maintain or
restore operations.
- BCM exercising, maintaining and reviewing BCM arrangements - This leads
to the organisation being able to demonstrate the extent to which its
strategies and plans are complete, current and accurate and identify
opportunities for improvement.
- Embedding BCM in the organisation's culture - This enables BCM to become
part of the organisation's core values and instils confidence in all
stakeholders in the ability of the organisation to cope with disruptions.
BS 25999 will be published in two parts. BS 25999-1:2006, the Code of
practice for business continuity management was published in November 2006.
This has been developed by practitioners throughout the global community,
including the Civil Contingencies Secretariat. Copies of this can be
purchased from the BSI website [External website].
BS 25999-2:2007 will specify the requirements for achieving certification
which will help ensure that business continuity capability is appropriate
to the size and complexity of an organisation. Publication of part 2 is
expected in autumn 2007. Following this the UK Accreditation Service (UKAS)
will work hard to ensure that there is an accreditation scheme available to
those bodies offering third-party accreditation to Part 2. Usually the
reason for obtaining an independent evaluation is to confirm that it meets
specific requirements in order to reduce risks. Accreditation by UKAS means
that certification bodies have been assessed against internationally
recognised standards to demonstrate their competence, impartiality and
performance capability.
Business Continuity under the Civil Contingencies Act
The Civil Contingencies Act requires Category 1 responders to maintain
plans to ensure that they can continue to exercise their functions in the
event of an emergency so far as is reasonably practicable.
The BCM duty in the Act relates to all the functions of a Category 1
responder, not just its civil protection functions. Hence the legislation
requires Category 1 responders to maintain plans to deal with emergencies
(see the Emergency planning section) and put in place arrangements to warn
and inform the public in the event of an emergency (see the Warning and
informing the public section). But it also requires them to make
provision for ensuring that their ordinary functions can be continued to
the extent required. The Regulations also require Category 1 responders to
put in place a training programme for those directly involved in the
execution of the BCP should it be invoked.
The risk assessment duty for Category 1 responders under the Act should
inform the development of appropriate continuity strategies (see the Risk section for
further detail on risk assessment).
The Act also requires local authorities to provide advice and assistance to
businesses and voluntary organisations in relation to business continuity
management. This duty is an integral part of the Act's wider
contribution to building the UK's resilience to disruptive challenges.
It should not be seen as a stand-alone duty, but rather in many ways is a
logical extension of the work already undertaken to fulfil other duties
under the act (e.g. working with commercial and voluntary organisations in
the development and exercising of emergency plans).
The Preparing for Emergencies website [External website] provides
information on business continuity for businesses [External website] and
for voluntary organisations [External website].
Key Documents
You should refer to:
- Copies of BS25999 can be purchased from the BSI website [External
website].
- The Chartered Management Institute (CMI) Business Continuity Survey 2008
Report [PDF 429KB, 20 pages]. The CMI's survey report was again supported
this year by CCS in the Cabinet Office. Although the report shows a
situation where organisations are taking steps to improve their business
continuity arrangements, for example in relation to the impact of an
influenza pandemic and supply chain resilience, it also shows that there is
much more to be done.
- CPNI: Good Practice Guide to Telecommunications Resilience [External PDF,
35 pages, 267KB]. It is vital that an organisation understands which of its
telecommunications systems are critical to the business, and how to provide
the appropriate level of resilience for these systems. This guide is for
those people who have to commission, specify, audit or procure resilient
services. It has a series of recommendations aimed at helping an
organisation understand why resilience is an issue, what resilience is
needed and how it can be delivered.
Key Links
Training
- The Emergency Planning College (EPC) [External website] is the leading
provider of training for emergency preparedness, attracting delegates with
responsibility for preventing, planning for, responding to or recovering
from a major incident. The EPC runs courses on business continuity as well
as other aspects of civil protection.