INTRODUCTION

BS25999-2, the predecessor to ISO22301, was first published in November 2007, yet, after five years, business continuity continues to be something of a mystery to a great many people involved in running organisations today. The majority are not actually required, either by law or by anybody else, to demonstrate any form of business continuity arrangements, so business continuity management (BCM) has not, until recently, been seen as a priority for these organisations. The global economic recession has also reduced the emphasis, placed by many, upon operational risk management and supplier assurance.

Yet the world continues to change. There is an apparent growth in the number of threats to the ability of organisations to continue with their business activities. This is coupled with increasingly sophisticated approaches to corporate governance, risk management, and corporate and social responsibility. These factors fuel the growing need for organisations to demonstrate, and provide assurance that, should some interruptive incident occur, they have done everything reasonable to minimise disruption to the continued supply of products or services in which they are engaged.

The increasing levels of competition, not only in the UK and Europe, but from around the globe, mean that, in the commercial world, letting down customers as a result of what would have previously been seen as ‘not your fault’, carries increasingly higher penalties, as business can often be lost for good.

Before the introduction of BS25999, it was arguably not worthwhile for organisations to invest in a BCM programme, and whilst take up of this standard is encouraging, both in the UK and around the world, it is likely that many more organisations have held back in anticipation of what they may see as the ‘ultimate’, an international standard.

Now that this has arrived, it still remains for each national standards body to decide upon its formal introduction for certification purposes, and in the UK, and elsewhere, where BS25999 and other national standards are used, these bodies must decide upon the transition from one standard to the next.

It is likely to take at least 12 months for most organisations to develop and implement a worthwhile BCM system; with today’s competitive pressures, the only really sensible path is to have implemented such a system before it is formally demanded by customers, regulators, or even the law. As with international standards in many other management disciplines, ISO22301 will very soon become the only benchmark by which others can judge that an organisation’s BCM arrangements are fit for purpose.

Please note that, since the printed version of this book is produced in black and white, patterns have been used here to represent red, amber and green, colours which are widely employed in business continuity management to indicate levels of criticality.

The patterns in use are: