Two New Challenges for BCM Software - Delivering BCMS Management Process and Management System Auditing

Written by Christopher Alvord & Robin Craib, December 8, 2010

The new international business continuity standard ISO 22301 due in 2011 has referenced BS 25999 and other documents, including ISO 31000 on risk, NFPA 1600 on disaster/emergency management, and ANSI/ASIS SPC 1 on organizational resilience.

As BCM practices mature, driven by the new ISO standard ISO 22301 due in 2011, many professionals are looking to organize their programs into a business continuity management system (BCMS). Related methodology changes require adjustment and realignment from typical BC program management. The best source of leadership to enable this change is to look at best practices in the implementation and design of other ISO and BC management systems in order to adopt these best practices for the structures of a BCMS.

BCMS Manual
The first challenge is to establish a BCMS manual, a consolidated and accessible guide to governing required management processes. The value of these types of manuals has been demonstrated with other key ISO types, e.g., ISO9001 and other leading management systems. An endorsement of such an approach is in the introductory section of BS25999-2 (precursor to the new ISO BCM standard), where specifications for key components are listed. Alongside the responsibilities listed are the requirements for management processes, e.g., policy, planning, implementation, operations, performance assessment, management review and improvement. Clause 3.3 sets out the precise documentation required by the BCMS.

It is typical for manuals to follow the structure of Clause 3.3 and to clearly define the control documents needed to form part of the BCMS. Note that the term "manual" is adopted from other management systems and is not found in BS25999. It is used here to describe the general requirement for procedures and management processes. It assumes that an organization has interpreted BS25999 and authored the necessary procedures.

Maintenance of this BCMS manual and delivery to its intended audience creates complexity for practitioners, especially for decentralized organizations. Unfortunately, there has been little technological innovation from most BCM software providers, whose products often have rigid environments that reflect their proprietary interpretation of the BCM lifecycle. Practitioners are left without a suitable peg on which to hang a BCMS. A typical approach is to have environments for planning and BIA. Unfortunately, these are often too inflexible to effectively deliver a BCMS manual to its intended audience, or to support the different conditions required for its maintenance.

How can software help? Useful innovations would include the development of dynamic, living manuals that allow the relevant management process to be associated with user interfaces. Examples include:

  • The BIA interface makes the BIA manual details available. The system is then able to track and register those who have read the information and to notify them of any changes.

  • Maintenance and customized workflows can be set against manual(s) to reflect their different maintenance conditions, distinct from the changes required for a plan or BIA.

  • Users can make critical improvements to the BIA without leaving their native workspace.

Software providers interested in taking this approach further could make the content of the manual more accessible and dynamic, e.g., by using Flash animations to visualize BIA management processes. This approach would heighten understanding and ensure that, as the BCMS matures and staff changes occur, new players can come up to speed quickly. An added benefit is that organizations investing in certification could renew at a lower cost.

Auditing
The second challenge for any management system needing a BCMS structure is auditing. Again, the introduction to BS25999 requires that audit documentation is present and correct. Under Clause 5 there is the requirement to carry out audits with a defined purpose and scope and at set frequencies, examining each area of the BCMS.

Management system auditing requires identification and recording of CARs (Corrective Action Records) and CAPA (Corrective Actions/Preventative Actions). A typical audit will document observations, possible minor non-conformities and major non-conformities. Although many BCM software providers include functionality for tracking item-level audit changes, they do not supply organization-specific customized environments for carrying out true management system audits.

Mature organizations may already have well-developed BCMS principles specific to their enterprise. Using simple configuration commands, myCOOP allows highly customized approaches to capture existing CAR and CAPA workflows. For less mature organizations, prebuilt sets of templates provide support in these areas.

To be sure, this is a challenging and developing area. As COOP Systems continues to support evolving standards-based assessments, there will be more work to do. However, our goal is for clients to need no off-system or separate audit records or documentation. New efforts include developing customized reports for areas such as management review, focusing on inputs and outputs listed in Clause 5.2.

Closely Related Standards
Some ISO standards share similarities with the management system approach taken by the BCMS. Organizations can extend their BCMS to create an integrated management system (IMS) by creating documentation and management processes to support ISO standards in complementary areas. ISO27001 (IT security) and ISO9001 would be candidates. COOP Systems is paying particular attention to these areas as we look to ensure we are providing excellence in software and interface leadership in all areas.

Summary
For BCM programs looking for an industry-standard approach, a BCMS approach has great promise, especially when combined with a strategic set of global ISO standards. It is the only practical way to plan for and manage wide-ranging BCM activities with the quality and consistency needed.

About the Authors
Christopher Alvord, CBCP, MBCI, is the founder and CEO of COOP Systems. Alvord has been a senior executive in the consulting and technology businesses for more than 25 years in the government, telecom, energy and finance sectors. Alvord has designed an industry-leading, Web-based BCM software package, has led numerous large-scale projects, is a certified teacher, has achieved CBCP and MBCI status with DRI International and the Business Continuity Institute, and publishes and presents widely. He co-developed an extensive continuity planning curriculum and was named an Adjunct Professor at NYU. Alvord has a BA from Harvard College and an MBA from Harvard Business School, and has done doctoral course work at Virginia Polytechnic Institute.

Robin Craib is a senior consultant, BS25999 lead auditor and PRINCE 2 practitioner with COOP Systems. Craib is a BCM practitioner with seven years' experience in the industry working with organizations across a variety of sectors in both the UK and abroad. Craib has significant experience designing and implementing management systems for clients looking to certify to BS25999 and other leading ISO standards. Craib is a qualified lead auditor in BS25999 and currently works for COOP Systems as a leading BCM practitioner and the UK's senior advisor.