This post is the first in a series looking at different standards in the Business Continuity and Resilience arena.
The obvious place to start is with the newest player in this space – the Australian Standard. This standard has had a mixed response – the most extreme views coming from the Business Continuity Institute, as I noted in my earlier post – BCM heresy.
AS5050 in Context
This standard is based on ISO 31000 – which places it primarily in the world (and thinking) of Risk Management. (For those who are new to the risk management arena, ISO 31000 is the international standard for Risk Management.)
It is not surprising that an Australian BC standard would start primarily from the approach of Risk Management. AS/4360 has been around for over 10 years and provided the basis for ISO 31000. There have also been a couple of previous BC Handbooks published by Standards Australia, and primarily authored by the same people who brought you AS/4360. HB 221 (there are 2003 and 2004 versions) and HB 292 & 293 (2006) provide additional indication of how this thinking has evolved over years.
You will not find a traditional definition of business continuity in this standard. It argues in the foreword that ensuring continuity of a business requires a variety of skills/techniques. These include strategic planning, product/service development, recruitment, quality, etc. BC is about continuity of the business, against all threats and risks.
This standard addresses “the risks that arise from the possibility of disruptive events.” (p4)
These disruption–related risks are deemed to be a special case as they may exceed “the capacity of routine management methods and structures”. (p5)
Similarities and Differences
Those who are familiar with the various BC standards will find much that is the same. There is common language such as ‘Maximum Acceptable Outage’ and ‘Recovery Time Objective’ – there is also the use of a ‘Business Impact Analysis’ to identify critical processes and requirements.
The ‘normal’ aspects of BC you would expect are included, with both proactive and reactive elements. There are also techniques described to reduce both the probability and impact of a disruption. Some of the names are different but the idea is the same:
- A single ‘proactive phase’ = Risk Treatment and Preparedness, under the auspices of ‘Routine Management’
- 3 x Reactive phases, under the auspices of ‘Non-Routine Management’
  - Stabilize = activities to limit deterioration (Immediate Response)
  - Continue critical business functions = self explanatory
There are also some marked differences to the other standards. These probably start with the replacement of a process-oriented ‘lifecycle’ with the ISO 31000 model in the graphic at the start of the post. It certainly continues with some of the language and concepts:
- Contingency Plans – the action plans to respond to an event.
- Contingent capability – “supplementary resources provided specifically to enable an organisation to respond to events should they occur.” (p9)
- Routine and Non-Routine – relates to both risks and the mode of operations/management required to deal with these.
  - Non-Routine risk is the High Impact/Low Probability event
  - Non-Routine Management would be called Incident or Crisis Management in other standards
- Resilience – “Adaptive capacity of an organization in a complex and changing environment.”
  - Resilience is not a process, system or framework – it is one of the outcomes of the risk management activity.
- Using the risk vocabulary, we have a range of different controls:
  - Proactive Controls – Preventative to reduce likelihood and Protective to reduce the scale of an incident
  - Contingent Controls
The BIA is also a little different in that it is only required where the preliminary risk assessment does not provide adequate information – the BIA is the tool to provide a more detailed study.
That is probably enough for one post. I will provide more detail around the framework and process aspects in a subsequent post.
What do you think so far?
Can you see heresy, or just some different ideas and language that seek to align Risk Management and BCM?