Telecoms company, Cable&Wireless Worldwide had a well developed approach to business continuity throughout its business and took the decision to gain certification to the business continuity management system standard, BS 25999. This case study looks at why the organisation decided on the formal certification route and the difference that is now visible three years on.
With over 6,000 organisations relying on their services, Cable&Wireless Worldwide have long recognised the need to put in place arrangements to make sure that in the event of a serious incident it could continue to provide a service wherever practicable.
The company had a mature business continuity approach with processes and procedures in place to ensure a pre-planned response to any situation that could disrupt normal business operations. A dedicated business continuity team were in place and the management system was in line with PAS 56:2003, the forerunner to the business continuity management system (BCMS) standard, BS 25999.
However, the marketplace was beginning to recognise the need for a verifiable approach to business continuity and as Dhiru Parmar, Business Continuity Manager explained it was changing customer expectations that prompted the decision to formalise its systems.
“More of our customers were enquiring about our business continuity plans during the bidding process. We deal with a wide range of sectors including government and they in particular were beginning to demand compliance and expect certification. We had already decided to certify our system as we wanted to retain a competitive edge. Importantly we wanted to assure our customers that we took business continuity (BC) seriously.
“I recall that in 2009 as we were going through formal assessment by LRQA, we were also going through a large bid process. Where you would normally expect business continuity to be some way down the list of requirements, it was now third, a clear indicator of the priority now being attached to the issue. It was a clear signal of what the market was demanding,” comments Dhiru.
Dhiru Parmar, Business Continuity Manager
The first question was to decide on the scope of the business continuity management system. In initial discussions with their LRQA Account Manager, Ken Roberts and assessor, Rob Acker, the feasibility of having a company wide scope across all UK activities was explored.
“We decided very early on that we didn’t want just one area of the business certified which would have been to admit that one function or process was more or less critical than another. A customer may use 6 or 7 services and it wasn’t appropriate to cover just one or two specific activities,” comments Dhiru.
As the company already had well developed processes and templates for Business Impact Analysis, and Business Continuity Planning together with testing and maintenance plans, it was felt that there was sufficient documentation in place to prove that a management system was already operating. In addition, business continuity formed part of a mandatory online course that every member of staff – existing and inductees - had to take.
A critical part of reinforcing the risk management culture is the role of the subject matter expert or ‘plan manager’. These key individuals initially engage with the business impact analysis by helping determine the potential impact of any disruption, by recommending suitable alternatives and identifying resource that will be needed. They then continue to carry out a vital BC role by maintaining the documentation on a day to day basis, looking after the plan and then promoting and updating their teams.
The framework was therefore in place and all staff were aware of their business continuity responsibilities.
However, there were still some areas that were unclear as Dhiru explains. “There were some clauses of the standard that were unclear and it was here that LRQA were able to guide us in the right direction. We had to have something that was robust enough to show during the formal certification. It was both in the very early stages and then following certification that the advice and support from the LRQA assessor was critical in us building a clearer understanding, for example of the internal audit process.”
The complexity of the business and the reach of the scope has made the BCMS tough to maintain but it has been a successful approach and importantly, it sends a clear signal that all staff work to the same processes and procedures.”
Dhiru Parmar, Business Continuity Manager
The BCMS was certified by LRQA in September 2009 and the company has now had the time to evaluate the benefits. An obvious early benefit has been the savings made in insurance premiums from having an externally verified BCMS. In addition, there have been significant commercial benefits in both retaining existing business and attracting new business as Dhiru explains.
“There are many organisations that now ask for information on BCM. The standard has now built up enough momentum to be a form of shorthand for organisational resilience. A lot of our clients, particularly those in the financial sector, send annual questionnaires from their BC departments which borrow from the standard. That is, the structure of the questionnaires follows the key areas of the standard - whether we have a business impact analysis, do we review this, do we exercise this and so forth.
“Certification means we have been recognised as taking business continuity seriously. We can demonstrate that we have a well established and robust BCMS in place and that we are looking to continually improve” Dhiru concludes.
Are you considering implementing a BCMS or certifying an existing system? In this section, Dhiru Parmar offers advice from the Cable&Wireless Worldwide perspective.
Status of your system – ensure that you have a system that gives a quick reflection on the status of business continuity in your organisation, ie what plans do you have? When do they need testing and reviewing? We have an internal audit template a tick sheet to complete once all the key elements are in place for new and existing plans. This at a glance lets us know whether all the critical elements are in place such as details of the plan manager, alternative plan manager, recovery time objective, supplier details, system applications and so forth, in place.
Involve your people – it can be a dry subject to communicate and difficult to get buy-in from all staff. We introduced BC as part of mandatory training to ensure that all staff had a basic understanding of the rationale. We explain it in commercial terms so they understand that it is an expectation of our customers and the marketplace. Our plan managers are key in updating their teams on a regular basis through briefings and workshops.
Keeping them updated - We recognise that people move into other roles or out of the company and like any company we have staff turnover. It is part of our role to keep the plan manager up to date to ensure they have the latest information to brief their teams. We have recently introduced regular workshops to ensure BC is kept front of mind.
Exercise to ensure fit for purpose – it is important to remember that plans are not worth the paper they are written on unless tested. It has enabled us to understand the pitfalls in our plans. We aim to test every year as a minimum.
The devil is in the detail – it is important not to lose sight of the small things such as document control, dates of review. Look to do what you say you’re going to do in a timely manner. Well established plans can almost run themselves but document control is equally important.About Cable & Wireless Worldwide
A global telecoms company providing a wide range of managed voice, data, hosting and IP-based services and applications, Cable&Wireless Worldwide helps more than 6,000 organisations deliver their products and services.
Its network uses the latest technologies to deliver the bandwidth and business applications that customers need. Its Multi-Service Platform runs across its next-generation network offering customers a single environment for all their telecommunications requirements. Customers can have their voice, data and other IP based services delivered by this single network.