BS 11200 is the new British Standards Institution Guidance and Good Practice on Crisis Management. Published in 2014, it supersedes PAS 200:2011. BS 11200 is aimed primarily at top managers and at the development of the strategic crisis management capability within an organisation.
A crisis management team draws together experts and those with specialist knowledge from various functions of an organisation, such as HR, legal, finance and corporate affairs. These are already experts in their 'technical domain'. However, responding effectively to a crisis relies on a range of general problem-solving and 'non-technical' skills in addition to technical skills. Non-technical skills include both cognitive skills, such as situational awareness and decision-making, and social or interpersonal skills, such as leadership, team-working and communication. They are particularly important because the characteristics of crises (uncertain, complex, dynamic, pressured in terms of time and accountability) present a unique management environment that cannot be 'solved' by technical capability alone. Competence in the non-technical skills of crisis management is largely built through experience of operating in a simulated crisis environment.
These Published Documents (PDs) were created by BSI to provide additional guidance and insight to parts of BS 25999, the British Standard in Business Continuity Management. They are not British Standards and it is not possible to seek certification to a PD.
PD 25111 provides guidance on the human aspects of business continuity in terms of the pre-planning and development of human resources requirements and policies for the stages following an incident.
PD 25666 provides guidance on exercising and testing for continuity and contingency programmes.
PD 25888 provides guidance on how best to develop and implement an organization's recovery in response to a disruptive incident.
Awareness training is designed to create a basic understanding of business continuity and crisis management such that staff recognise issues and know how to react and who to contact. It is generally targeted at all staff in an organisation.
An exercise is an opportunity to practise putting your Business Continuity Plan or Crisis Management Procedures into action and is regarded as a learning opportunity. A test is also a learning opportunity, but success criteria are set and results are measured against these resulting in a pass/fail outcome. Tests are usually associated with ICT recovery when a component or system can definably pass or fail.
An organisation should have a programme approved by top management to ensure exercises are carried out at planned intervals and when significant changes occur, such as the introduction of a new service line.
The simplest exercise is a Plan Walk Through, which allows a plan to be reviewed and staff to be familiarised with procedures, and is usually conducted with no external pressures. Workshops use a more detailed scenario to define plans and outputs and focus on the response, but again with no external pressures. Simulation exercises allow one or more teams to respond to a scenario as it unfolds, providing a more rigorous means of validating plans and procedures under the increased pressure of time and realistic decision-making cycles. Exercises can also focus on very specific areas of an organisation's response capability, such as the crisis communications team or crisis operations room staff, allowing them to rehearse their plans and responses in isolation, usually ahead of a much larger event. Exercises can range in scale from multi-agency, multi-national involvement or dealing with a national crisis response involving hundreds of players at all levels, through to specific exercises for strategic management teams of two or three key people. Steelhenge offers the full range of exercise options.
When setting the scope of an exercise, the objectives should be realistic and achievable. The complexity of the exercise and the ultimate objectives will depend on levels of preparedness and experience within the Crisis Management or Business Continuity teams. While exercises are used to validate plans and responses, the level of pressure and stress imposed can be graduated from simple walk-throughs of the plan to full-scale simulation exercises. While exercises will highlight areas for improvement and further rehearsal, they should be seen as positive experiences and not negative "pass or fail tests" where every disaster imaginable occurs in a morning. Well-conducted exercises will support the development of plans and procedures, support the embedding of business continuity within an organisation's culture and, most importantly, ensure a level of preparedness should the worst case occur.
An exercise is an opportunity to practise or rehearse putting your Business Continuity Plan or Crisis Management Procedures into action. The exercise offers the opportunity to simulate the pressure and stress of a crisis event in order to rehearse your staff and validate your plans and responses in a controlled environment. The exercise can take many forms from a simple walk through of the plan to a full live "dress rehearsal" of your response to a simulated event.
SMEs are frequently more vulnerable to an unanticipated incident than larger organisations. Resources, skills and knowledge tend to be concentrated, leading to potentially business-threatening 'single points of failure'. SMEs may also be less able to sustain periods of business interruption. Demonstration of business continuity planning is increasingly a requirement of supply chain resilience, and it is a common prerequisite in the procurement process.
BS 25999 does not specify an interval for plan reviews, although it does recommend a desk check or walk-through of each plan at least annually. An annual review should be the minimum schedule and should be complemented by proactive reviews driven by organisational changes.
Business Continuity and Crisis Management should not be separate from normal business processes, but should be in support of them, providing planning and preparation to ensure key value-generating activities will continue in the event of a disruption. It has been found repeatedly that those organisations that are prepared for a major crisis not only recover substantially faster, but with significantly less damage than organisations that are not prepared. Whilst plans will not protect you from crisis events occurring, the planning process and the consideration of how your organisation will deal with the potential impacts make the recovery considerably smoother and faster.
to understand the risks to operations or business, and the consequences of those risks. Risk management seeks to manage risk around the key products and services that an organisation delivers. Product and service delivery can be disrupted by a wide variety of incidents, many of which are difficult to predict or analyse by cause. By focusing on the impact of disruption, BCM identifies those products and services on which the organisation depends for its survival, and can identify what is required for the organisation to continue to meet its obligations, whatever the cause of the disruption.
ISO 22301 is the International Standard on Societal Security - Business Continuity Management Systems, published in May 2012. It is the specification document against which organisations will seek certification.
ISO 22313 is the guidance document that supports the specification document, i.e. ISO 22301, and was published in December 2012.
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organisation's overall business risks. It is designed to be suitable for all types of organisation. Steelhenge is a member of the BSI's Associate Consultant Programme for ISO 27001.
BS 25999 is the British Standard for Business Continuity Management, first published in 2006 as a code of practice (BS 25999-1:2006) and followed in 2007 by the specification (BS 25999-2:2007). With the publication of ISO 22301 and ISO 22313, both BS 25999-1 and BS 25999-2 have been withdrawn.
Copyright © 2017 Steelhenge Consulting Ltd
2 New Street Square, London, EC4A 3BZ, United Kingdom
Steelhenge Consulting Ltd is now part of Deloitte LLP following Deloitte's acquisition of its parent company, Regester Larkin Ltd, in December 2016.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see About Deloitte to learn more about our global network of member firms.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and registered office at 2 New Street Square, London, EC4A 3BZ.