Everyone in the business continuity world (well, in the UK at any rate) is talking about BS25999, the new British standard for business continuity management.
And why not? After all, gaining accreditation to the standard is guaranteed to result in a robust, fit for purpose business continuity strategy and plan isn’t it? The problem is, in truth it’s not!
Granted, BS25999 (or, for that matter, a number of other standards of a similar ilk) provides a sound framework showing all the widely-accepted, best-practice steps in the business continuity process, which is a very good thing.
And following the guidelines in the code of practice should give you a fighting chance of ending up with a half-decent business continuity management system (or BCMS – as if we needed yet another acronym!). But it’s not a guarantee of an effective "BCMS" – or, more importantly, of a business continuity capability.
Accreditation merely confirms that you followed the process to the satisfaction of the auditor (who, incidentally, might not actually be a business continuity expert themselves), which is all well and good.
But, in the same way that you can get accreditation to a quality standard by producing naff doughnuts, as long as you always produce the same naff doughnuts in the same way, merely following a process doesn’t guarantee that the end result will be any good.
The bottom line is that it depends how you apply the process to your situation. A robust business continuity capability requires a tad more than doing the minimum required to get a tick from the auditor.
So by all means use BS25999 as the benchmark for your business continuity programme. And by all means go for accreditation if that’s what floats your boat. But just take a step back and think why you’re doing it – to get a tick in that particular box, or to actually make your organisation more resilient?