We recently published a blog which provided a high-level, non-technical overview of the Australian Business Continuity Standard AS/NZS 5050:2010 and how it sits with other international business continuity standards. In that blog we argued that for organisations that have adopted the International Risk Management Standard ISO AS/NZS 31000, the Australian Business Continuity Management Standard AS/NZS 5050 provides a good roadmap for effectively integrating business continuity management practices into the organisation’s existing corporate governance infrastructure.
This blog is designed for those organisations that currently have an ISO AS/NZS 31000 risk management program in place and are looking for some direction as to how to integrate it with an AS/NZS 5050 business continuity program.
Basic Structure of AS/NZS 5050:2010
The good news for those who are familiar with ISO AS/NZS 31000 is that the new AS/NZS 5050 Business Continuity Standard is firmly based on the International Risk Management Standard. It follows the same three-part model – Principles, Framework and Process – and is specifically designed to explain how to apply ISO 31000 to “disruption-related risks”.
Part 1 – Principles
AS/NZS 5050:2010 repeats the 11 principles set out in ISO 31000 and adds a 12th principle at (b) – “Risk Management Enhances an Organisation’s Resilience and Creates Strategic and Tactical Advantage”.
Rather than simply regurgitating these principles within our on-line BCM module, we have upgraded the ISO 31000 Risk Module to include the 12th BCM principle and cross referenced them.
Part 2 – Framework
Once again AS/NZS 5050:2010 basically repeats the Framework as it appears in ISO 31000, with a few additional elements designed to reflect the need to operate in both routine and non-routine modes and therefore enable organisations to manage disruption-related risk effectively.
By way of example, in the design phase there is additional emphasis on interdependencies and decision making processes. When considering allocation of resources there is additional emphasis on funding and the possibility of having to operate in non-routine modes. There are also lots of small language changes to reflect AS/NZS 5050’s focus on disruption-related risk and its integration with ISO AS/NZS 31000.
As with the Principles, rather than repeating the full framework within our BCM module we have upgraded the ISO 31000 Risk Module to reference BCM.
Part 3 – Process
Where ISO AS/NZS 31000 and AS/NZS 5050 substantially diverge, and AS/NZS 5050 starts to adopt more familiar BCM methodologies, is in the 7 Step Process that is designed for managing disruption-related risks. A summary of the key parts of the BCM process is as follows. These should be documented within an organisation’s BCM Program.
Analysis of Disruption Related Risks
AS/NZS 5050 recommends that analysis of disruption-related risk be undertaken in two stages.
- Stage 1 – Initial Risk Analysis:
The initial analysis provides the understanding of an organisation’s business functions and processes and the extent of the contribution of each process to achieving organisational objectives. It is in this stage that an organisation should establish some metrics around the time required to restore the most important functions, and the availability of resources to facilitate a recovery.
AS/NZS 5050 suggests that a more detailed study, called a Business Impact Analysis, should be conducted only if the initial risk analysis does not provide sufficiently reliable information, or if the residual risk after initial treatment is not tolerable.
- Stage 2 – Business Impact Analysis:
The Business Impact Analysis is aimed at building a very detailed understanding of those disruptive consequences that require treatment and, as such, are likely to exceed routine methods of management or require additional management capability. AS/NZS 5050 sets out a 5 step process for conducting a Business Impact Analysis.
The outputs from the Initial Risk Analysis and the Business Impact Analysis should be consolidated so that the overall consequences and associated likelihoods of disruption-related risk are recorded appropriately in the enterprise risk register.
Treatment of Disruption Related Risks
AS/NZS 5050 provides for the following two broad categories of treatments for disruption-related risks:
- Prevention: Taking action that will directly reduce the likelihood of a disruption-related risk occurring and potentially the scale of disruptive events; and
- Protection: Management of potential consequences by ensuring an organisation has effective contingency capabilities and response plans in place. As with other BCM standards, AS/NZS 5050 provides for three major forms of response: stabilisation, continuity of critical functions and recovery.
The standard also goes into quite some detail as to suggested requirements for the development of response plans.
Maintenance and Testing of Recovery Plans
Because disruption-related risks by definition do not happen every day, two key aspects of AS/NZS 5050 are to ensure that Recovery Plans:
- are properly maintained through:
  - routine training and testing of key personnel;
  - ensuring the availability of contingent resources, especially those that are not used on a routine basis; and
  - ensuring the currency of information, such as contact lists; and
- are regularly tested so that they will work when deployed.
Communication and Consultation Strategy
A key part of managing any business disruption event is to develop a clear and effective communication and consultation strategy, which is capable of being deployed in a manner that reflects the magnitude of the impact of the business disruption event. AS/NZS 5050 provides a set of useful guidelines designed to promote effective communication and consultation in the event of a business disruption.
Designing Your BCM Program
This is a basic summary of how an organisation can integrate its AS/NZS 5050 Business Continuity Management Program with its AS/NZS 31000 Enterprise Risk Program. In our on-line program we have developed the following content categories with direct links to our AS/NZS 31000 Risk Program. We are happy to provide you with a demo. Let us know what you think.
- What is Business Continuity Management?
- Board & Management Commitment
- BCM Program Awareness & Training
- BCM Methodology, Scope, Objectives, Benefits & Assumptions
- Crisis Management Team & BCM Response Plan Activation
- Key Roles & Responsibilities For BCM
- Identification & Analysis of Disruption-Related Risks
- Treating Disruption-Related Risks
- BCM Contingency Response Plans
- Communication & Consultation Strategy
- Program Maintenance, Monitoring, Review & Testing
- BCM Forms And Documents
How Can CompliSpace Help?
CompliSpace combines specialist governance, risk and compliance (GRC) consulting services with practical, technology-enabled solutions. Our BCM module has been built in line with AS/NZS 5050:2010 and is fully integrated with our AS/NZS 31000:2009 Enterprise Risk Program. These programs come together to ensure that clients are provided with a best practice solution.
CompliSpace will be running a series of workshops over the next few months to assist companies to implement and integrate their Risk and BCM programs. To register your interest, please click here.
If you have any questions about topics raised in this blog, or if you would like to find out how CompliSpace can assist you to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation, please feel free to contact James Field or James Cozens on the details below.
P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)
This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to assist.