Australian Business Continuity Management Standard AS/NZS 5050:2010 – A Risk Perspective

Global surveys of small to medium sized enterprises (SMEs) over the past few years point to the fact that the vast majority of SMEs are not prepared for a business disruption-related risk event. Over 50% do not have a Business Continuity Management (BCM) plan in place, and of those that do have a BCM plan only about ¼ have actually tested it. This is a major concern given that the median cost of downtime for an SME in Asia Pacific is $14,500 per day, and whilst 65% of businesses believe it would take them between 1 week and 1 month to recover from a major disruption, a return to normal trading can often take 12 months or more. Simply put, without the preplanning involved in the BCM process, most organisations will not survive a major business disruption event.

For those new to BCM the concept is pretty simple. By anticipating what types of disruptions may occur (e.g. office fire, flood) a BCM Plan can be developed to ensure that, as far as possible, the likelihood of the disruption event happening is reduced, and if it does occur critical functions can be maintained or restored in a timely fashion, thus minimising the operational, financial, legal, reputational and other consequences arising from the disruption.

On 28 June 2010 the new Australian Business Continuity Standard AS/NZS 5050:2010 was published, joining the North American NFPA 1600 and the British BS 25999 as one of three internationally recognised business continuity management standards. AS/NZS 5050 was released shortly after the International Risk Standard ISO AS/NZ 31000 (November 2009) and, for those familiar with ISO 31000, follows the same three part model – Principles, Framework and Process – all with a BCM focus.

Whilst the “risk based” focus of AS/NZS 5050:2010 has raised a few eyebrows within the wider BCM community, the general consensus of opinion appears to be that it provides a quality contribution to BCM thinking. It certainly provides useful guidance for organisations that have already taken steps to implement an enterprise risk management framework based on ISO 31000, or its predecessor AS/NZ 4360.

In our view one of the clear advantages of AS/NZS 5050 is the very fact that it is based firmly around the ISO 31000 international risk standard and therefore clearly establishes the link between enterprise risk management and business continuity management.

Too often in our experience, we see organisations that have engaged specialised BCM consultants to develop a business continuity plan, only to end up with a thick and complicated document unceremoniously uploaded as a PDF on the company’s intranet where it sits quietly, unread, waiting for trouble to strike. This is great for ticking regulatory boxes but doesn’t help much if you can’t access your office and no one has been trained to deal with such a situation. In compliance speak this is known as “lip service”.

Given that a large number of Australian businesses are embracing the new International Risk Standard ISO 31000, either through commercial expediency, or as a result of legal and regulatory obligations, we believe that AS/NZS 5050 provides a good roadmap for effectively integrating business continuity management practices into existing corporate governance infrastructure. AS/NZS 5050 may not tick all the traditional business continuity boxes (and may ruffle the feathers of associations that have built their business model around other standards), however there is no law that says that you can’t pick the best parts of the other BCM international standards and use them to your advantage.

In Australia 78% of managers are concerned that their data recovery operations would fail in the wake of a serious incident. This is a major concern given that IT Disaster Recovery tends to be dealt with well before most SMEs start to plan for other contingencies such as loss of office access, or loss of a key supplier. If you have an out-of-date BCM plan, or have no such plan in place, you should seriously consider adopting the new Australian Business Continuity Management Standard.

As commercial due diligence standards continue to soar in the wake of the global financial crisis and recent natural disasters, if you don’t think formal Risk and BCM controls are necessary, you may be surprised when your marketing manager taps you on the shoulder, because your ability to clearly demonstrate your organisation’s commitment in this area may be the difference between winning or losing the next big deal.

How Can CompliSpace Help?

CompliSpace combines specialist governance, risk and compliance (GRC) consulting services with practical, technology-enabled solutions. Our BCM module has been built in line with AS/NZS 5050:2010 to ensure that clients are provided with a best practice solution.

CompliSpace will be running a series of workshops over the next few months to assist companies to implement and integrate their Risk and BCM programs. To register your interest, please click here.

If you have any questions about topics raised in this blog, or if you would like to find out how CompliSpace can assist you to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation, please feel free to contact us on the details below.

Contact Details

P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)

E:  contactus@complispace.com.au

W: www.complispace.com.au

This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to assist.

One Response

  1. [...] Our colleagues at CompliSpace specialise in compliance in this and many other areas of continuity management. Read more here. [...]
