Can Business Continuity Standards Help Your Business?
When big pharma needs a specialized ingredient called recombinant Protein A, chances are that they’ll be counting Waltham, Mass-based Repligen to provide it. “We are essentially a sole source provider for our customers,” says Laura Whitehouse, Vice President of Market Development for Repligen.
That’s good for Repligen’s business, but it also puts a tremendous amount of responsibility on company leaders’ shoulders. They must ensure their IT and general operations never suffer a blip that would cause that supply of Protein A to be cut off lest customers and patients suffer.
Over the past couple of years, Repligen had been feeling increasing pressure from its wary customer base to not only improve its business continuity planning, but offer solid proof of these improvements. In recent years, Repligen had been working on ways to hammer out its disaster recovery and business continuity program on its own—but those efforts were less than organized.
Which is why, when the company heard about the upstart business continuity certification standard from the British Standards Institute (BSI) Management Group called that BS 25999 standard not only offered a framework of practices to hang its policies on, but also a certification to provide customers with external validation, Repligen jumped to action.
“When the option became available to have our business continuity management certified we made the determination to move forward and really revamp our entire business continuity program,” Whitehouse says. “Which essentially meant, for the most part, starting from ground zero to build a new business continuity management system consistent with BS 25999. We decided to move forward with certification to have that external validation from a third party that would then communicate to our customers a level of confidence and trust in our business continuity management practices.”
The New Standard
One of the biggest problems organizations face in disaster recovery and business continuity management (BCM) is maintaining consistency. Most enterprises typically have some kind of BCM policies in place, but whether they could actually confidently depend on them is another matter altogether.
“Studies that were done show that even in Europe and the United States, 50 percent of companies that were surveyed showed that they weren't in a readiness state in terms of business continuity,” says John DiMaria, product manager for business continuity for the American arm of BSI. “This was mostly due to lack of consistency, lack of follow up, lack of improvement of plans. And people who had plans, hadn't proved them or updated them or even exercised them.”
One of the preeminent global standards bodies, BSI introduced BS 25999 less than two years ago and is making baby steps toward wooing the disaster recovery and continuity community into accepting the standard as a codification of a best practices framework that seems to have eluded the typical enterprise thus far.
Currently there are dozens of standards and certifications floating around the industry that deal with disaster recovery, preparedness or contingency planning in some way or another. There are certifications for business continuity professionals such as those offered by Disaster Recovery Institute International (DRII), lots of punitive and non-punitive guidance from regulatory bodies such as the FDA, FFIEC and SEC, and overarching standards such as ISO 17799 cover business continuity in parts.
Where BS25999 hopes to fill the gap is with a holistic, certifiable framework that cuts across industries, DiMaria suggests. “The BS25999 was created in answer to the international community’s cry out really for a consistent holistic management system approach to business continuity,” DiMaria says. The certification process takes some time, so BSI is just now starting to see its first crop of BS25999 adherents surface, including Repligen, its first North American company to be certified.
Take it Slow, Experts Warn
Some disaster recovery specialists don’t expect BS2599 to snowball as the industry standard just yet, though.
That includes Al Berman, executive director of DRII, who says that while his interest has been piqued by the standard he has some definite misgivings about its viability in its current form. As it stands, BS2599 is currently under revision, a fact that he cautions businesses considering certification to take into account.
“I think standards in general are good for the industry and I think that anything that will lead us to being more prepared is a good thing,” Berman says. “(But) I'm always reluctant to deal with a standard that hasn't been finalized. BS25999 is going to undergo change, and if you use strict adherence to what it looked like when it first came out, well then you're going to have to change it.”
One of the most troubling problems he has with the standard right now is how it deals with the ‘corrective action plan.’ This plan prescripted by the standard is formed toward the end of the continuity planning process after an organization tests its disaster recovery plan, finds deficiencies and signs of on a list of corrective actions to mitigate them.
“I've been told that it is discoverable under litigation i.e., you’ve admitted to a deficiency. So, if you are going to go through this process and you're going to acknowledge you have deficiencies and something happens, that represents negligence at best, gross negligence at worst,” Berman says. “I've had this discussion with a number of large corporations and when we get to this point they actually call their general counsel into the discussion and literally turn white when they hear the ramifications.”
Berman also complains that BSI also needs to make the terms of certification more transparent to the outside world—he’s still trying to figure out the exact specifics of how audits and tests are conducted, something he believes is critical to establishing BS25999 as a solid external validation of an organization’s business continuity practices.
“I'm a little concerned about the fact that we haven’t peeled back the onion, if you would, to understand what certification means,” he says.
According to Berman, businesses need to take it slow with adoption and survey their options, because BS2599 isn’t the only holistic framework available and in coming years we should expect to see even more continuity standards emerge. For example, the National Fire Prevention Association 1600 standard has been the official standard in North American for over a decade. And others are coming—currently the American National Standards Institute is charged with overseeing efforts to come up with an even more comprehensive standard in response to lawmaker’s directives in the 9/11-spurred Private Sector Preparedness Act 11053.
Berman expects to see the fruits of those labors come into play in coming years, which may be more meaningful considering that such a standard would have not-for-profit roots.
“I know the BSI people and they are truly qualified dedicated professionals, but then again, it is a business,” Berman says. “If you look at the body who is overseeing Private Sector Preparedness Act 11053, well it is ANSI and ANSI is a not for profit standards organization, so there is a difference.”
So then, what would Berman recommend to organizations looking to improve their disaster recovery and continuity planning?
“My advice to anybody who has asked me about this is, one, go slowly there is no hurry to certify,” Berman says. “And number two is, while there is this confusion over standards and guidance coming out of the US and worldwide, is to make plans based on solid fundamentals. If you look at the structure and basis for most of them and if you use solid fundamentals then in the end you'll be fine.”
Not an Insignificant Investment
Repligen chose to go with BS2599 because not only did that piece of paper at the end of the tunnel gave them the means to reassuring customers, but it also gave them the direction and tools to implement those solid fundamentals that Berman emphasizes—an overarching strategy that includes all of the usual disaster recovery homework such as business impact analysis, gap analysis, and proper testing and maintenance of plans.
“What the standard requires you to do is to put in place a living, breathing business continuity management system that incorporates a number of tools to assess the risks that might impact your business,” Whitehouse says. “There's a strong aspect of focusing on identification of risks, prioritizing the risk impact and severity on your business and then working to try to put things in place to mitigate those risks you’ve identified.”
The certification process made Repligen put in more robust recovery mechanisms, open a new secondary facility and generally increase redundancy of operations, and ramp up additional stock of their supplies to see customers through a transition between sites in the event that the primary site goes out of service. And the process is ongoing, even after certification.
“The system really is very focused on continuous improvement as you mitigate the highest risks that maybe on your list early on, new risks have come to the top of the list,” she explains, “so you are continually refreshing the system and continually improving in the area of risk mitigation.”
Most importantly, the system they’ve developed through the BS25999 framework makes it possible to fly on autopilot when business leaders are likely to need direction most, during disasters.
“Makes it easy just to react to emergency rather than coming up with things on the fly,” she says. “There's so much thought that goes into everything and preparation that goes into everything so that if something happens you don't have be reacting on the spot you've already got a lot of tools in place to help you make good decisions at the time.”
Creating the BCM system was “not an insignificant investment,” Whitehouse says. These processes cost money to not only be put into place, but also to maintain. And yet, she says that it didn’t require them to spend every last dollar they could have possibly spent on disaster recovery. That’s the beauty of BS25999, DiMaria believes.
“It takes a very common sense approach as well in that you have to analyze through risk assessment and business impact analysis what risk you have, what these risks mean to your organization if they happen, what's the possible impact and then ascertain what level of mitigation has to be there,” he says. “Clearly you could overspend in mitigating a risk that would cost you a lot less if you just let it happen and rely on an insurance policy or something like that."
Whitehouse says that it was easy to get executive buy-in to the project, though, because they felt the returns justify the spend.
“We feel it is really important to protect our piece of the supply chain because ultimately it could impact patients getting drugs,” Whitehouse says. “There are just so many business and human reasons why we feel the investment is really appropriate.”
Because BS25999 was built to integrate with ISO standards, Whitehouse says that Repligen is seeing that integration work between the processes they put in place for BS25999 certification and those quality control processes enacted for their long-standing ISO 90012000 certification.
“There are a number of synergies between ISO and BS25999, so we have some cost savings there,” she says.
The company also hopes that they will see cost savings in the auditing department. Once outside auditors recognize what goes into a BS25999 certification, the company believes it will be much easier and cheaper for it to go through that process.
“I think this first audit will be in part an education about as to what the BS25999 is, but in general, if I think about other standards like ISO, if a company like ourselves is certified to ISO, the industry knows what that means so they know what to expect of our quality management system,” she says, “so when they come here, their level of steps in audits is very different than if we just had a homegrown quality management system.”
Plus, Repligen is really reaping the benefits of introspection necessary to implement a fully fleshed out BCM system. “As you learn more of the details of the business you identify not only ways to protect it, but you identify ways to do things better as well,” Whitehouse says. “It’s a very valuable tool.”
Most importantly, though, is the return in customer goodwill that Repligen hopes to see as a result of its efforts. Repligen is already leveraging the work it has done to really communicate its commitment to BCM and really get some bang for its buck by sending out memos to customers and including the certification information in its investment prospectus.
“We hope that it’s going to be a differentiating factor with potential competitors,” Whitehouse says. “We feel that it’s the right investment to make to continue to satisfy our customers, to continue to maintain the position that we have in the marketplace.”
Which goes to show, Berman of DRII says, that no matter what framework or standard an organization uses the biggest benefit besides overall preparedness is customer satisfaction.
“It is part of what the US government has been trying to find out—what is the reward at the end of the rainbow for companies to do this?” Berman says. “I've been preaching for a long time that, besides being more prepared, the only reward is it will make your customers happy.”