Thursday, August 12, 2010

Business Continuity Management

There are now three standards for Business Continuity Management:
  • BSi 25999, for sale from the British Standards Institute
  • ASIS BCM 1, for sale from ASIS (formerly American Society for Industrial Security)
  • NFPA 1600, free download from National Fire Protection Association
This will change to two, as BSi and ASIS have combined their individual standards into one. The joint standard was approved by the writing committee on July 22, 2010, and is now out for public review before acceptance by ANSI (the American National Standards Institute). You can obtain a copy for review and provide your comments back to the committee, as described in the August 6 issue of ANSI's Standards Action:

BSR/ASIS/BSI BCM.01-201x, Business Continuity Management Systems - Requirements with Guidance for Use (Joint ASIS International and British Standards Institute (BSI) Standard) (new standard)

Specifies requirements for a business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs - taking into account legal and other requirements to which the organization subscribes - to address disruptive events that might impact the organization and its stakeholders. This Standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS within the context of managing an organization's risks.

Single copy price: $50.00

Obtain an electronic copy from: aivelis.opicka@asisonline.org
Order from: Aivelis Opicka, (703) 518-1400, aivelis.opicka@asisonline.org
Send comments (with copy to BSR) to: standards@asisonline.org

My personal opinion is that the BSi/ASIS document will become the one used by most businesses. It seems to focus on results more than bureaucracy. This is a hot topic right now, with climate change and international trade adding complexity to business (and government) operations.

Monday, August 02, 2010

Audit Sampling Plans

Whenever I conduct a public class on auditing, I encourage the participants to continue the conversations after the class via e-mail. I recently received a question asking about any accepted methods or standards for applying sampling plans to audits. Here is my reply.

For most management systems audits (quality, environment, safety, and security) today, rigorous sampling plans are rarely used.

These audits evaluate current compliance with approved requirements. Perhaps more importantly, they project future compliance with those requirements. Mature audits also test the effectiveness of requirements in achieving the objectives of the organization.

Unlike the past, audits are not a substitute for inspection. We are not accepting product. We use product characteristics as one of the many forms of data used to assess whether the processes and systems are working as planned. Unfortunately, some organizations continue to confuse the two necessary functions of audit and inspection.

When performing inspections, it is common to use scientific sampling plans. These were first made popular with the military standard 105E. When the military decided to get out of the standards business, they turned 105E over to the ANSI Z1.4 committee. Since then the ANSI Z1 committee has published a number of useful standards on sampling.

Most audit sampling is done using the discovery method. We examine a recent event, an ancient event, and something in the middle. If we find discrepancies, we expand our sample to include a few more events. We are trying to determine patterns here. We are also trying to determine linkages to other processes or conditions that might have caused the nonconforming condition.

Our reports tell the stakeholders if the designed systems and processes are working and will continue to work.