LRQA: Helping ensure business as usual.
“Organisations that chose not to certify to BS 25999 – for whatever reason – should look at
ISO 22301.” Andrew Macleod, BCM Consultant.
Business continuity consultancy, Needhams 1834 became the first in the UK to gain certification to ‘ISO 22301:2012 Societal security: Business continuity management systems’ following the standard’s release in May. This case study looks at the process the organisation followed and the reasons for external certification.
As an international player in the business continuity management (BCM) consultancy field, Needhams felt it important to gain the competitive advantage that external certification from LRQA would bring.
The organisation therefore decided in 2011 to become certified to the BCM standard as soon as possible following its release this year and with little change between the final draft and the published ISO standard, there were few changes to be made to its implemented management system.
The decision to become an early adopter was an interesting one as this was a new certification and not a transition from BS 25999, the British Standard on which the ISO is largely based. Andrew Macleod, BCM Consultant at Needhams explains the thinking behind becoming an early adopter of the new standard.
“As you would expect from the nature of our business, we have always had a business continuity management system in place. However, it was felt that certification to BS 25999 wouldn’t give us the competitive advantage, particularly within the overseas markets.
“BS 25999 was published in 2007 and the business continuity environment has changed since. The revision of the standard has made it more meaningful, precise and relevant to today’s organisations and there are now better ways to conduct your BCMS than previously thought.
“From our experience, we found that while many companies chose to align their BCM systems to BS 25999, many also saw it as something of an administrative burden. With the introduction of ISO 22301 however, I think many will reconsider this position.
“Certainly, when the ISO standard was approaching publication, we felt that we needed to become an early adopter of external certification. And now we are certified, we can approach our clients from a position of first-hand knowledge of the process – it’s a strong position to be in.”
Implementation
The nature of the consultancy’s work meant the organisation had the in-house knowledge and expertise to quickly make the changes it needed to its existing BCMS in order to comply with ISO 22301.
As a first step, the organisation carried out an internal audit of the system against the requirements of the new standard. They identified a team member who had a detailed knowledge of business continuity but who hadn’t been involved in either the development, or the on-going maintenance, of the management system. This allowed the audit to be as ‘independent’ and thorough as possible. The audit also helped serve as a gap analysis identifying any weaknesses and potential non-conformities.
However, with little significant difference between the two standards, there were minimal changes to be made and these in the most part were procedural. A plan was developed to capture the work that was needed.
One of the key changes that were made, although not required by the new standard, was to reorder its management system to follow the ISO chapter headings. This was carried out with a view to making the job of the external certifying body easier.
A change which was required under ISO 22301 was the need to split the Corrective Action and Preventive Action log. The former now sits on its own in Section 10 with the latter having morphed into the Risk and Opportunity log. While similar to the Preventive Action, this has given rise to a wider scope that addresses opportunities that could arise from the BCMS.
To better improve the accountability of its third party suppliers, the consultancy took the decision to carry out an independent audit of its critical outsourced suppliers and include these within Monitoring and Measurement.
Andrew explains further. “We decided to audit our critical supplier as we only have one. We have also planned to include our supplier in our exercise and testing regime. Clearly if you have dozens of critical suppliers, the idea of auditing them all is simply not realistic. The standard simply requires organisations to know who its critical suppliers are and to show how they are going to meet their recovery time objectives (RTOs).”
The sum of the changes needed to make ready for certification against the new standard took surprisingly little resource.
“We found that the time taken in making the changes needed was minimal. We would say that for those organisations with a robust BCMS aligned to BS 25999, it is around 3 days work to make the necessary changes obviously depending on the size and complexity of the organisation. After all, the standard is about evolution, not revolution,” comments Andrew.
“We have discussed the new standard with companies who have said ‘it is too much work.’ However we would argue that the benefits of being an early adopter outweigh the effort. The new standard is more relevant and precise. It is internationally recognised, and gives competitive advantage on a world stage. We think that those organisations that chose not to certify to BS 25999 – for whatever reason – should look at ISO 22301.”
Certification
“Now we are certified, we can approach our clients from a position of first-hand knowledge of the process – it’s a strong position to be in.” Andrew Macleod, BCM Consultant.
The thought of an external assessor arriving on site can leave some feeling apprehensive, particularly those employees that haven’t before been through an external assessment. In the case of Needhams, its Managing Director and BC Lead Auditors all clearly understood the external assessment process and what was required of them however it wasn’t the same for all staff. Their recently appointed Office Manager was nervous about the assessment as she felt that she hadn’t the in-depth knowledge of business continuity shared by colleagues.
To alleviate the apprehension felt by some, the company held a training session to ensure that all employees had appropriate knowledge of the company’s Business Continuity plans and additionally, were fully prepared for the assessment. When the LRQA assessor did arrive it was clear that he was seeking proof of a depth of knowledge appropriate to the role that the individual played within the organisation.
Needhams had initially chosen to work with LRQA because of its practical approach to the assessment. “We chose to work with LRQA as we found them the most helpful in enabling the certification to happen. Our LRQA Account Manager came to visit to talk us through the process and we liked the approach,” comments Andrew.
“And this was borne out by the nature of the assessment itself. We found it a valuable experience and have learned some pointers from the assessment that we will be able to use with our own clients. For example, our plan was designed to give the structure to enable the Recovery Time Objectives (RTO) of critical activities identified in the Business Impact Analysis to be met. We had taken the view that specific plans for critical activities were not required. Our shortest RTO is 18 hours giving us time to develop a response to any disruption.
“However, this did cause some issues with our assessor. We had the practical challenge of being able to show that the business continuity plan can achieve what we expect it to do.
“We recognise from this that there is a direct correlation between the recovery time objective of a critical activity and whether you then need a Business Continuity plan, that is, a set operating instruction or contingency procedures that allow you to deal with a specific incident. So, if your RTO is 4 hours you simply don’t have time to go through the thought process of designing a solution, it is therefore important to have a set procedure to follow.
“Our assessor’s approach of structuring plans to enable RTOs is an excellent demonstration of the required detail in the plan that we can use to highlight to organisations when they have restrictive RTOs,” concludes Andrew.
Learning Points
In this section, Andrew Macleod offers tips for those organisations thinking of implementing a system or going for certification to ISO 22301.
Read the standard: It is important to read the standard yourself because then you are not getting the information second-hand. The document is around 15 pages of content and reasonably easy to understand.
Don’t believe the hype: There seems to be a perception among some Business Continuity Managers that the transition is more onerous than it actually is. This may be a case of ‘creeping excellence’ with some reading more into the standard than is written. Bear in mind that this standard is about evolution, not revolution.
First steps: Start with an internal audit which will then drive a gap analysis. Make sure this is carried out by an individual not responsible for the BCMS within the organisation. The ideal person will be someone with a level of knowledge of Business Continuity but not responsible for the plan itself.
Top management: Ensure they have an active role in the BCMS. This is more than simply providing resources, but giving real direction.
Staff Awareness: It’s important that all employees have had sufficient training so they know what to do in the event of a crisis. Secondly, they need to feel comfortable about the reasons, and need for, external assessment. Training works best when employees are actively involved in the process. While this could take many forms, suggestions include creating a fictional scenario requiring people to role play. Physically leaving the building and being ‘walked through’ a situation will also help show people what is expected of them. In this way, they can clearly understand their own responsibilities, the roles that colleagues play and how other members of staff are involved in the process.
Gaining value from the assessment: Engage in dialogue with the external assessor. They are not there to catch you out but they need to be sure that you understand what is expected of you under the management system.
Authored by the LRQA in conjunction with a Needhams Consultant.
Comments