
Resilience Ninja

Coaching and ideas to help build agile and resilient practices.


Oct 04 2010

… review of AS/NZS 5050 (Pt 1)

This post is the first in a series looking at different standards in the Business Continuity and Resilience arena.

The obvious place to start is with the newest player in this space – the Australian Standard. This standard has had a mixed response – the most extreme views coming from the Business Continuity Institute, as I noted in my earlier post – BCM heresy.

AS5050 in Context

This standard is based on ISO 31000 – which places it primarily in the world (and thinking) of Risk Management. (For those who are new to the risk management arena, ISO 31000 is the international standard for Risk Management.)

It is not surprising that an Australian BC standard would start primarily from the approach of Risk Management. AS/4360 has been around for over 10 years and provided the basis for ISO 31000. There have also been a couple of previous BC Handbooks published by Standards Australia, and primarily authored by the same people who brought you AS/4360. HB 221 (there are 2003 and 2004 versions) and HB 292 & 293 (2006) provide an additional indication of how this thinking has evolved over the years.

Defining BC

You will not find a traditional definition of business continuity in this standard. It argues in the foreword that ensuring continuity of a business requires a variety of skills/techniques. These include strategic planning, product/service development, recruitment, quality, etc. BC is about continuity of the business, against all threats and risks.

This standard covers addressing “the risks that arise from the possibility of disruptive events.” (p4)

These disruption–related risks are deemed to be a special case as they may exceed “the capacity of routine management methods and structures”. (p5)

Similarities and Differences

Those who are familiar with the various different BC standards will find much that is the same. There is common language such as ‘Maximum Acceptable Outage’ and ‘Recovery Time Objective’ – there is also the use of a ‘Business Impact Analysis’ to identify critical processes and requirements.

The ‘normal’ aspects of BC you would expect are included, with both proactive and reactive elements. There are also techniques described to reduce both the probability and impact of a disruption. Some of the names are different but the idea is the same:

  • A single ‘proactive phase’ = Risk Treatment and Preparedness, under the auspices of ‘Routine Management’
  • 3 x Reactive phases, under the auspices of ‘Non-Routine Management’
    • Stabilize = activities to limit deterioration (Immediate Response)
    • Continue critical business functions = self explanatory
    • Recover

There are also some marked differences to the other standards. These probably start with the replacement of a process-oriented ‘lifecycle’ with the ISO31000 model in the graphic at the start of the post. It certainly continues with some of the language and concepts:

  • Contingency Plans – the action plans to respond to an event.
  • Contingent capability – “supplementary resources provided specifically to enable an organisation to respond to events should they occur.” (p9)
  • Routine and Non-Routine – relates to both risks and the mode of operations/management required to deal with these.
    • Non-Routine risk is the High Impact/Low Probability event
    • Non-Routine Management would be called Incident or Crisis Management in other standards
  • Resilience – “Adaptive capacity of an organization in a complex and changing environment.”
    • Resilience is not a process, system or framework – it is one of the outcomes of the risk management activity.
  • Using the risk vocabulary we have a range of different controls
    • Proactive Controls – Preventative to reduce likelihood and Protective to reduce the scale of an incident
    • Contingent Controls

The BIA is also a little different in that it is only required where the preliminary risk assessment does not provide adequate information – the BIA is the tool to provide a more detailed study.

That is probably enough for one post. I will provide more detail around the framework and process aspects in a subsequent post.

What do you think so far?

Can you see heresy, or just some different ideas and language that seek to align Risk Management and BCM?

Written by Coach K · Categorized: BC Practice, Risk Management · Tagged: AS/NZS 5050, BC Practice, BCM, Risk Management, Standards
