Business continuity and
societal resilience
argues that the future of business continuity lies in ensuring the resilience of societies rather than individual organizations
In modern society, it is rare that a lone organization addresses all the processes needed for the products and services it provides. Most processes are shared throughout a network of organizations or a supply chain with each organization adding value in the area or process for which it is responsible.
In such a networked society, ensuring resilience to disruptions such as natural disasters or terrorist attacks is difficult if each individual organization works independently on their business continuity management. In order to ensure societal resilience, it is essential for each organization to be aware of their interrelationship with other external organizations as well as influences such as government and the local community.
Responding to the need to reinforce societal resilience, various organizations have begun establishing a business continuity management system. This movement is expanding to encompass supply chains and local communities, both of which are stakeholders and generally demonstrate common risk factors.
Business continuity certification
Organizations that are aware of inter-dependencies are motivated to verify the resilience of their inter-dependent organizations and the status of their business continuity management structures. The concept of certification has come about in response to these needs.
For an individual organization to demonstrate the effectiveness of its business continuity management system externally, it could integrate this into contracts, for example through a service level agreement. This enables provisions for a determined level and quality of product inventory and a list of services to be organized in the event of a disaster or accident. The effectiveness of this approach can be limited by factors such as agreement being made to a certain number of items and only being effective to specified parties. These contracts are also usually more expensive.
Certification is the next step, whether first, second or third-party certification. For large-scale manufacturers with thousands of suppliers, second-party certification, even if limited to major suppliers, would prove ineffective due to substantial costs and time constraints. Third-party certification addresses such issues. However, the only third-party certification standard for business continuity currently available is BS 25999 (published in November 2007).
An increasing number of organizations outside the UK desire third-party certification, most noticeably the US and Japan. One of the reasons for the current slow growth rate in certification to this standard is that organizations are waiting to see whether ISO and the US are going to move toward the identical concepts and methodologies embraced within this standard. Moreover, there are few auditors globally who are competent to audit the technical areas relevant to business continuity.
Since September 11 the US has made efforts to reinforce the resilience of the entire country. Particular consideration has been given to safety assurance through an initiative of the US government. The US government has been developing the Voluntary Business Preparedness Certification Program since 2007 to help reinforce the resilience of non-governmental companies.
The main outline of this programme is nearing completion. It is different in its approach to BS 25999 as it acknowledges a variety of approaches that organizations can use to establish business continuity management systems and accepts the multiple options of standards and guidelines for third-party certification. In contrast, the UK approach toward standardization by a sole standard. At the moment, discussion in the US is progressing among interested parties to select four standards and guidelines from the areas of emergency response, business continuity management, security and risk management.
But some Japanese enterprises with contracts with organizations based in UK or the US, or those interested in business continuity management as a project for improving corporate value, have begun obtaining BS 25999-based certification. However, work on a Japanese business continuity certification system has also already begun.
The future
Although it is important to look at an individual organization’s business continuity management system, the resilience of the supply chain and the community to which the organization belongs should also be considered. This in turn will lead to the reinforcement of societal resilience by taking into consideration inter-dependency with external organizations and cooperation between organizations. Ensuring that an individual organization has a good business contiuity management system does not necessarily lead to reinforced resilience of society as a whole.
Programmes such as BS 25999 and those now under development in the US, Japan and other countries are looking at business continuity management standardization for individual organizations. However, what will be most important in the future is the standardization of the approaches used between organizations and their local communities to create societal resilience by ensuring they can work together. This would mean incidents between different organizations or different countries could be addressed.
About the author
Kenji Watanabe is an associate professor at the Graduate School of Management of Technology at Nagaoka University of Technology. He is the general manager of an ISO business continuity management working group and vice-principal of the NPO Business Continuity Advancement Organization.
 |
 Have an issue to raise? A question to ask? Give us your opinions now in the Online Forums. |
