Whether you need a Business Continuity Management System (BCMS) depends on your risk appetite, but you could actually be breaking the law if you choose to ignore your business interruption risks.
The only organisations that are required by law to put formal arrangements in place specifically for business continuity are category 1 responders as defined by the Civil Contingencies Act – essentially local authorities.
However, in addition:
- Solicitors and their firms are required by the solicitors’ code of conduct to make provisions for absences and emergencies.
- Financial services firms regulated by the Financial Services Authority (FSA) are expected to have BC arrangements in place that bear some resemblance to the FSA’s business continuity practice guide.
There are also strongly implicit requirements for effective BCM arrangements on all limited companies:
Section 174 of the UK Companies Act (2006) places on every company director the duty to exercise reasonable care, skill and diligence with respect to both the general and specialised aspects of his or her position. This means that, for example, a sales director is expected to perform to the level that might reasonably be expected of a sales director in a similar type of company, but is not expected to have a similar knowledge of accounting as a finance director in a similar business. But for the general aspects of being a company director, that same sales director would be expected to at least raise concern if he or she is aware of, for example, some operational risk that appears not to have been addressed.
Companies listed on the UK Stock Exchange are required under the Listing Rules either to comply with the provisions of the Combined Code on corporate governance or to explain to investors in their next annual report why they have not done so. This requirement is overseen by the Financial Reporting Council (FRC); the Combined Code, in turn, refers to the Turnbull guidance on internal controls. Turnbull doesn’t specifically mention ‘business continuity’, but it does include a requirement (of the Combined Code) for directors to conduct a review, at least annually, of the effectiveness of all internal controls, including operational controls and risk management.
When something goes wrong, this is the legislation that would be used to call directors to account.
So whilst there is no-one checking that most organisations have BC arrangements in place, the problems start to arise if and when an incident occurs and the outcome is worse than might reasonably have been expected. Of course, by then it is too late to remedy the situation, whereas if someone had checked before the event that we had BC arrangements in place, we might have got away with a “slap on the wrist” and the opportunity to get our corporate houses in order.
The fact is that it often seems like a lot of effort and expense for something that will probably never happen. To the list of things that we will probably never need, we can add:
- Insurance of all types except life insurance
- Smoke alarms
- Burglar alarms
- Crash helmets & other personal protective equipment
- Car jack, warning triangle & spare bulbs
So what is it that makes many people feel that whilst some of the items in the above list are “essential”, BC arrangements are not?
Firstly, major interruptive incidents are, for most organisations, really quite unlikely; but however unlikely a “bad” event is, that doesn’t make it easier to bear when you haven’t got in place the policy that would have dramatically improved the outcome. Many people may think that their business insurance will take care of everything. For those organisations that have insurance for business interruptions, it will take care of quite a lot, but not everything.
There could be many other reasons and there will always be people who resist precautions and preparedness in all aspects of their lives.
The other big reason that you might “want” to do BC is that others may think you are a better prospect if you have arrangements in place. These others could be:
Having demonstrable BC arrangements in place can imply a better-run organisation and is very likely to build confidence that your organisation will be unaffected by the growing range of incidents and threats that we see all around us today.
Create a Business Continuity Management System (BCMS) in line with ISO22301 – the international standard for BCMS – with our ISO22301 BCMS Implementation toolkit. This contains pre-written documentation to ensure your business is prepared in case of a disruptive incident to your business.