… the new BCM process (AS/NZS 5050 Pt3)

In this final part of the review of AS/NZS 5050 I will look at the third key part of the model – the Process.

The process is essentially the risk management process derived from AS/4360 and ISO-31000.

While this may seem to be contrary to conventional BCM approaches (or those espoused by other competitors in the Standards Industry) – when you delve into what is behind this process you find a lot of similarity.

The model includes core and support components.

1. Establish context
   • This includes setting scope, purpose and responsibility. Fairly common approach across different standards.
   • It also includes addressing both the internal and external context, which is again a common method.
2. Risk Identification
   • All BCM standards include some form of risk identification and assessment. This one puts it in a more central position and uses the vocabulary of Risk Management which makes the risk branding much stronger.
   • Like most approaches in the RM world, this standard requires that all possible risks be identified in this step.
     • This is the part of all RM that I believe limits its credibility – as you can never know everything that could happen.
3. Risk Analysis
   • This part also includes a BIA, as would be promoted in all BCM models.
   • Perhaps the big difference here is that the BIA is suggested as the second step, not the first.
     • RA is suggested as being an iterative approach. The initial analysis will provide the understanding of the the business functions and processes and the extent of the contribution of each process to achievement of organisational objectives.
       • The initial analysis could establish some metrics around time required to recover, and the extent of resources currently available to facilitate a recovery
       • The output from the initial analysis could also be used in an initial evaluation and treatment plan.
       • The initial Maximum Acceptabel Outage is determined in this phase.
     • The BIA is suggested as a second form of analysis, where a more detailed analysis is required and where further treatments are suggested.
     • Confirming the business functions may see some function removed from the analysis and others added as the detailed criticality is determined
     • Process review is the detailed exploration of each process and its dependencies.
     • Inventory of Controls includes identification of workarounds, redundant capacity amongst other things
     • The last step includes setting the estimate of recovery time. Again there is a different form of terminology used.
     • This standard uses the term Recovery Time Estimate (RTE) rather than Recovery Time Objective (RTO).
       • In some ways this is a better label, as too often you find an RTO stated that is not backed by resources – and is just a Recovery Dream.
4. Risk Evaluation
   • This is where the decision to apply further treatments to a risk is made (an investment decision perhaps) or just to accept with current controls.
   • With a different name this is a standard process to get Executive endorsement of BC strategies.
5. Risk Treatment
   • In line with the overall RM language, implementing BC strategies and plans is called treatment of risk. The concept is still mainstream BC.
   • There are two general classes of treatment
     • Proactive
       • Prevention Controls are intended to reduce the likelihood of the risk
       • Protection Controls come into play when the prevention control has failed.
         • These are intended to reduce the intensity, duration or spread of the impact (the scale of the incident)
     • Contingent
       • Contingency Plans address what needs to be done across the three major forms of contingent treatment, and need to be based on available capacity
         • Stabilization
         • Continue Critical Functions
         • Recovery
         • This section also includes a suggested content/outline for these plans.
       • Contingent Capability describes the resources that need to be made available to support these plans.
         • This could also include treatments such as building redundancy and diversification into your operations.
       • Like all BCM standards the need to maintain plans and exercise are included and described.
6. Communication and Consultation
7. Monitor and Review
   • These last two are fairly self-explanatory and not that different to what you find in other standards.

The last part of the standard contains a checklist to enable you to verify your program against the standard.

I have not been a big fan of BCM as a subset of RM in the past. I have to admit that I like the way this standard has presented BCM as a special form of RM. This is a promoting synergy rather than demanding convergence.

Perhaps this is the reality of what Enterprise Risk Management may turn out to be – the appropriate (and customised) application of general risk management techniques to a range of specialised risk areas.

This is a good standard to work with, and presents some challenges to other standard bodies to broaden their thinking and adopt common vocabulary.

John Glenn has long promoted the similarity of RM and BCM, it would seem that this standard endorses that view.

What do you think?

Are you motivated to buy the standard?