Global surveys of small to medium-sized enterprises (SMEs) over the past few years show that the vast majority of SMEs are not prepared for a business disruption-related risk event. Over 50% do not have a Business Continuity Management (BCM) plan in place, and of those that do have a BCM plan, only about a quarter of the plans have actually been tested.
This is a major concern given that the median cost of downtime for an SME in the Asia Pacific is $14,500 per day, and while 65% of businesses believe it would take them between 1 week and 1 month to recover from a major disruption, a return to normal trading can often take 12 months or more. Simply put, without the pre-planning involved in the BCM process, most organisations will not survive a major business disruption event.
For those new to BCM the concept is pretty simple. By anticipating what types of disruptions may occur (e.g. office fire, flood) a BCM Plan can be developed to ensure that, as far as possible, the likelihood of the disruption event happening is reduced, and if it does occur, critical functions can be maintained or restored in a timely fashion, thus minimising the operational, financial, legal, reputational and other consequences arising from the disruption.
On 28 June 2010 the new Australian Business Continuity Standard AS/NZS 5050:2010 was published, joining the North American NFPA 1600 and the British BS 25999 as one of three internationally recognised business continuity management standards. AS/NZS 5050 was released shortly after the International Risk Standard ISO AS/NZS 31000 (November 2009) and, for those familiar with ISO 31000, follows the same three part model – Principles, Framework and Process – all with a BCM focus.
While the “risk based” focus of AS/NZS 5050:2010 has raised a few eyebrows within the wider BCM community, the general consensus appears to be that it provides a quality contribution to BCM thinking. It certainly provides useful guidance for organisations that have already taken steps to implement an enterprise risk management framework based on ISO 31000, or its predecessor AS/NZS 4360.
In our view, one of the clear advantages of AS/NZS 5050 is the very fact that it is based firmly around the ISO 31000 international risk standard and, therefore, clearly establishes the link between enterprise risk management and business continuity management.
Too often in our experience, we see organisations that have engaged specialised BCM consultants to develop a business continuity plan, only to end up with a thick and complicated document unceremoniously uploaded as a PDF on the company’s intranet where it sits quietly, unread, waiting for trouble to strike. This is great for ticking regulatory boxes, but doesn’t help much if you can’t access your office and no one has been trained to deal with such a situation. In compliance speak this is known as “lip service”.
Given that a large number of Australian businesses are embracing the new International Risk Standard ISO 31000, either through commercial expediency, or as a result of legal and regulatory obligations, we believe that AS/NZS 5050 provides a good roadmap for effectively integrating business continuity management practices into existing corporate governance infrastructure. AS/NZS 5050 may not tick all the traditional business continuity boxes (and may ruffle the feathers of associations that have built their business model around other standards); however, there is no law that says that you can’t pick the best parts of the other BCM international standards and use them to your advantage.
In Australia 78% of managers are concerned that their data recovery operations would fail in the wake of a serious incident. This is a major concern given that IT Disaster Recovery tends to be dealt with well before most SMEs start to plan for other contingencies, such as loss of office access, or loss of a key supplier. If you have an out-of-date BCM plan, or have no such plan in place, you should seriously consider adopting the new Australian Business Continuity Management Standard.
Commercial due diligence standards continue to soar in the wake of the global financial crisis and recent natural disasters. If you don’t think formal risk and BCM controls are necessary, you may be surprised when your marketing manager taps you on the shoulder, because your ability to clearly demonstrate your organisation’s commitment in this area may be the difference between winning and losing the next big deal.
How Can CompliSpace Help?
CompliSpace combines specialist governance, risk and compliance (GRC) consulting services with practical, technology-enabled solutions. Our BCM module has been built in line with AS/NZS 5050:2010 to ensure that clients are provided with a best practice solution.