Oil & Gas Exploration & Production Company
Our client is an oil & gas exploration and production company with multiple locations in the UK, Europe and North America operating within the portfolio of a global energy provider.
Teed has been working with the client since 2005 when the client’s Business Continuity Management (BCM) programme was initiated. As the organisation has grown and changed, so the BCM system has become more mature. Business continuity and disaster recovery planning remains core, but the wider scope now includes supplier continuity, pandemic planning and continuity of operations offshore. A number of regional offices have also been brought into scope.
In 2011, the client wanted to be able to prove to stakeholders that the methods used and solutions in place were not only effective, but complied with best practice, BS 25999 (the British Standard for BCM). By achieving certification, the client would be the first in their industry sector and region to have done this. Subsequently work was done to effect the transition to the international standard for BCM, ISO 22301.
In addition, as part of a large global organisation, the client recognised that direction would come from group to conform to their BC standards and methodology. Therefore, in undertaking this project to achieve compliance, there could be no argument that the BCM system was compliant as it had been independently audited.
With plans and strategies in place that were regularly reviewed, tested and updated to maintain currency, it could be safe to assume that everything was in place to fulfil the requirements of the standard, although there was more to be done to ensure full compliance.
Teed’s consultants worked with the client and independent standards’ authority to understand the standard’s criteria and referencing them against existing processes and procedures. Where gaps were identified, our consultants were on hand to assist the client with the additional work that was needed, for example, documentation describing BCM methodology, scope and objectives, etc.
Successful in achieving certification and confident in the ability to prove full compliance, a further challenge ensued for the client when the standard was withdrawn and superseded by ISO 22301 (Societal Security – Business Continuity Management Systems). The benefits of certification to BS 25999 were already recognised by the client and therefore it was felt that the transition should be made to ISO 22301, otherwise certification would have lapsed with the cessation of BS 25999.
ISO 22301 presented a range of differing expectations of what should be in place; these needed to be resolved to enable the client to achieve successful transition to the new standard and maintain a compliant BCM system.
The biggest issue to be addressed was raising awareness of BCM across the business to ensure that all 600 individuals had knowledge of BCM appropriate to their level of responsibility. Auditors have a habit of selecting people at random and quizzing them on their knowledge which can lead to an organisation’s downfall in achieving certification. In addition, what worked in practice had to be backed up with documented processes, for example, business impact analysis, BC risk assessment, competencies, etc.
Prior to bringing in the external auditor, Teed’s consultants reviewed all existing BS 25999 documentation against ISO 22301 to identify where there were gaps and where additional material was required to meet the new criteria. It was necessary to produce a range of documentation to provide both theoretical and practical solutions – these were brought together into a BCM system overview which proved to be an auditor’s dream as it allowed them to fully understand all the processes that were involved and these aligned to the standard. In addition, diagrams were designed to show how BCM elements were satisfied by processes which were in turn satisfied by documentation.
Significant new criteria required clear identification of all interested parties, not only key suppliers, but other key stakeholders that would have an interest, both pre- and post-incident. The legal and regulatory requirements of the business also had to be clearly stated and how BCM helps ensure these are satisfied at all times. The focus on these wider implications helped achieved buy-in with management.
Teed successfully took the client through the process of certification to both BS 25999 in 2011 and the subsequent transition to ISO 22301 in 2013.
The client’s focus on achieving and maintaining certification has helped BCM to be taken more seriously throughout the organisation and actually helped justify the time given by managers and personnel to obtain sufficient awareness, which may not have been achievable if there had not been the goal of certification.
Subsequent to the project and following annual audits to maintain the ISO status, our client has now been successful in achieving a three year renewal, the scope of certification has been extended to cover an additional regional location and is being considered for rolling out to others, and the organisation is seen as a leader of BCM in the industry as they are independently verified.
Throughout this process and at each stage of achieving certification to BS 25999 and ISO 22301, Teed’s consultants have worked with the client and auditors, attending audit meetings, producing documentation, implementing processes and providing continuity of personnel to oversee the project at a time when the organisation went through several internal changes.
The client’s objectives were satisfied whilst at the same time creating an increased awareness of BCM in the organisation and a greater level of buy-in contributing to a higher degree of resilience overall.
This was a learning experience for all involved requiring ongoing commitment and understanding of the numerous intricacies of the standards. There were some things that surprised us and many learning points, all of which we have been able to take forward as we work with other organisations with similar objectives