CHAPTER 13: STANDARDS AND CODES OF PRACTICE

In the business continuity world, there are all sorts of references made to various standards, primarily by way of reasons to ‘do’ BCM.

This short chapter aims to set some of these standards in context, and to explain what the true relevance of each is.

The Combined Code on Corporate Governance (UK)

The Financial Services Authority’s (FSA) listing rules,¹ which govern how listed companies should conduct various aspects of their affairs, refer to the Combined Code on Corporate Governance² (the Combined Code), which was updated in 2006 and is issued by the Financial Reporting Council.

LR (listing rule) 9.8.6(5) requires listed companies to include, in their annual report, a statement of how they have applied the principles set out in Section 1 of the Combined Code.

For full details, go to the FSA website at http://fsahandbook.info/FSA/html/handbook/D85.

Section C.2.1 of the Combined Code requires boards of listed companies to conduct a review of the effectiveness of internal controls, including risk management systems. It further suggests the Turnbull Guidance as an effective means of applying this section.

Turnbull

The Turnbull Guidance on Internal Control is about a wide range of governance issues, and suggests that the system of internal control should enable the company, or group, to respond appropriately to its operational risks, inter alia.

So there is a clear, though implicit, regulatory requirement for listed companies to have an appropriate system in place for managing operational risks which, by definition, includes the risks of business interruption.

Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002, issued by the Securities and Exchange Commission of the United States of America, governs certain aspects of how listed companies in the United States conduct their affairs. It is predominantly concerned with accounting and the disclosure of financial information, in a similar way to the UK’s Listing Rules, and requires these companies to assess their internal control structure. It also requires them to disclose material changes in operations to the public on a ‘rapid and current’ basis. Details at www.openpages.com/solutions/sarbanes-oxley/sarbanes-oxley-definitions.asp.

Clearly, this is only relevant to companies listed in the United States, or their subsidiaries, and it is significantly focused on financial information and performance. All the same, it does require these companies to have a system of internal controls, and, as a result, they have to measure and manage their risks (see Bibliography, Morrison, 2004).

As in the UK, these include, by definition, the risks of operational interruption that have a material impact upon performance.

Basel II

The Basel Accord,³ effectively a code of conduct for banks that operate internationally, is almost exclusively to do with financial risk. Whilst the Accord refers to this as ‘operational’ risk, it clearly does not fall within the scope of operational risk for BCM purposes, and can be ignored, as far as BCM is concerned.

ISO27031

ISO27031 formally replaces BS25777:2008, Information and communications technology continuity management. Code of practice.

A cynical view is that this is simply another version of ISO22301, but badged as part of the 27000 family, to make it appear necessary.

It is based upon a number of principles which are both common sense, especially for IT professionals, and generally the same as ISO22301.

When it comes to ICT readiness performance criteria (which ENISA has declared are inconsistent on an international footing), this standard simply says that the organisation should define criteria – not especially helpful!

ISO27001

ISO/IEC 27001:2005 is the international standard for information security management systems (ISMS). It includes limited references to BCM in Section 14 of Annex A, which lists a total of 133 security controls. Section 14 contains five such controls, which effectively state that the organisation should have plans that address the information security aspects of business continuity; this requirement is entirely consistent with ISO22301.

This means that organisations which are not implementing an ISMS do not need to refer specifically to ISO27001 in order to meet the requirements of ISO22301, while those which are implementing one need have no fear of conflict between the two standards.

¹ The listing rules are part of the Financial Services Authority’s Handbook, which sets out all of its procedures and rules. The FSA is an independent regulator with statutory powers under the Financial Services and Markets Act 2000.

² The Combined Code on Corporate Governance was first introduced in 2003, and was reissued in 2006 by the Financial Reporting Council, the UK’s independent regulator for corporate reporting and governance.

³ The Basel Accord (Basel II) is issued by the Basel Committee on Banking Supervision, which comprises banking representatives from a number of European countries, Japan, Canada and the United States of America. The committee’s secretariat is based at the Bank for International Settlements in Basel, Switzerland.
