Amongst ISO standard aficionados, ISO 22301 Security & Resilience - Business Continuity Management Systems holds a special place in our hearts.
It was the first management system standard to be built around what was known at the time as Annex SL (subsequently renamed Annex L). This is the part of the ISO/IEC Directives that defines the common high-level structure, core text and shared terminology that every ISO management system standard must follow. So, since ISO 22301 was first published back in 2012, all new and revised ISO management system standards have followed the same structure. This makes it much easier for businesses to write, implement and integrate their management systems. (And truth be told, a little easier for us Auditors to audit…)
Business Continuity Plans (BCP)
Many forward-thinking organisations who are on top of risk management have a Business Continuity Plan (BCP). They see this as the first step in building business resilience.
A BCP is simply a set of plans to help you manage disruptions in your business. In very few words, it enables you to:
prioritise activities in your organisation (for example, is keeping the Service Desk running more important than HR in the short term?)
identify risks to those activities and to the resources required to keep activities running (for example, how likely is it that a key supplier will let you down or that an important piece of equipment might fail?)
develop risk mitigation actions to prevent breaks in continuity - in other words, identify what you actually need to do
identify when to invoke BCP actions, including what to do and who does it, possibly backed up with written procedures
There’s a bit more to it than that, and each of those elements can become quite detailed. You also need to think about what aspects of your organisation should fall within the ‘scope’ of your Business Continuity Plan. You’ve got to be sensible - you don’t necessarily need a plan for when the milk isn’t delivered. (Although woe betide anyone who gets in the way of me getting my cuppa in the morning…)
So, as you can see, a Business Continuity Plan is all about keeping your business running throughout a disruptive incident. And who wouldn’t have benefited from that throughout COVID-19? Did you have plans for when everyone was forced to work from home? Did you have plans for managing large scale absence? For all those staff with childcare problems? I can tell you that the ISO 22301 certified organisations that I work with did have such plans and have prospered.
By the way, don’t confuse business continuity with disaster recovery. Business continuity is about keeping your business running. That might be through a disaster such as a fire, IT failure or pandemic, or it might be through a lesser issue: short staffing, partial loss of facilities, transport disruption, shortage of materials. Disaster recovery is about restoring systems and data to normal operation after an incident, and is often associated with IT failures or data loss (and with ISO 27001 Information Security Management Systems).
Business continuity can also lead you into the area of contingency planning.
Business Continuity Management System (BCMS)
So, if you’ve developed a BCP, is that all you need to get ISO 22301 certified? Well, not quite, but you’re well on the way. A Business Continuity Management System (BCMS) builds upon your BCP, which is at the heart of your BCMS.
As we saw earlier, all ISO management system standards are built around Annex L, so there are a few additional things you need to do to turn your BCP into a BCMS. The good news is that all of these things contribute to making your BCP more thorough and your organisation more resilient.
For example, ISO 22301 requires that you put your plan within the Context of the Organisation (clause 4). This means, for example, you have to dig deep to identify your organisation’s objectives, to ensure that your plan takes into account the needs of ‘interested parties’ (the people on whom you depend, and who depend on you) and that you pay heed to legal requirements. All this helps you define the scope of your system - what activities you want it to cover (remember the milkman?) - and ultimately defines the boundaries of your ISO 22301 certification.
You’re also going to need to think about Leadership (clause 5). If you’re the ultimate boss and reading this, then leadership won’t be a problem. But if you’re further down the structure, your BCP will never work without buy-in from top management. Identifying roles, responsibilities, and authorities, right from the top down, is really important. Who can authorise the evacuation of the building? Who can agree the purchase of emergency supplies? Who can make a statement to those media people phoning you up? Do you have an agreed statement to make to clients?
Chances are, without a certified BCMS you haven’t got all of this nailed. ISO 22301 is the driving force that makes sure you all play your part and that the system is properly resourced (clause 7). So if you aren’t the ‘top management’, you should remind them of this. They’ll thank you for it later (or during a pandemic).
Think about these things first and you can save time and money that is wasted by making up policy on the fly.
Business continuity doesn’t expect you to be a fortune teller and predict every possible situation. But just thinking about what might happen and what is important to your organisation helps you prepare, even if you didn’t foresee the specific issue. With a good BCMS you might see the disaster coming and be able to react before it hits you. It’s easier to slam on a car’s brakes than to recover from an accident.
The Value of Third Party Audits
The big difference between an ISO 22301 BCMS and a mere BCP is that the former surrounds the latter with a system of review and audit. Nearly all ISO management systems are based on the principle of Plan-Do-Check-Act (PDCA). This means we learn from experience; we hold our hands up when things go wrong and make sure they don’t happen again.
If you’ve simply got a BCP and no BCMS, there’s a good chance you don’t have these disciplines embedded in your organisation. And you certainly won’t have Auditors from accredited certification bodies reviewing your system every year to ensure it is following best practice.
A report from the Business Continuity Institute in 2018 found that while 70% of respondents in their survey used ISO 22301, 54% of those who used it did not get certified. However, the number getting certified is rapidly increasing, and here’s the main reason why: they appreciate the value of a third party audit and of getting their systems tested. It’s the only way to see how your system measures up to the best in class.
When you get your system audited, the chances are that Auditor has seen continuity systems in operation in dozens of other organisations. Why wouldn’t you want the benefit of their experience in finding opportunities to improve your BCP and the resilience of your business?
I chat with management system consultants all the time. They’re seeing a big rise in the number of clients speaking to them who were amongst those who half-heartedly implemented a BCP or BCMS without certification, have found their plans lacking during COVID-19 and are now looking to formalise their systems.
Once bitten, twice shy.
This might be easier than you think
I have good news for you.
We’ve established that a BCP on its own doesn’t quite cut the mustard. It needs to be couched in an all-encompassing BCMS. But this is where it gets interesting.
Remember that geeky stuff earlier on about Annex L and how I said it makes life easier for you? I’d go so far as to say that if you’ve got another system such as ISO 9001, ISO 27001, ISO 45001 or ISO 14001, you’ve possibly already done up to 60% of the work for ISO 22301. The disciplines, policies and procedures that support those systems can be placed on top of a Business Continuity Plan, and you’ve effectively got an ISO 22301 Business Continuity Management System ready and waiting to be certified.
And remember - you really do need to get it certified. It’s the only way to test your system against international best practice. ISO 22301 was written, after all, by the world’s leading experts on business continuity who have gone out of their way to make it as effective and easy as possible for you.
So what’s holding you back? Next time a crisis strikes, you’ll thank me for it.
Resources you may find useful
ISO 22301:2012 Gap Analysis
ISO 22301 webinar recording
ISO 22301 bitesize training video