Business Continuity Management: What does ISO 22301 say?
What is the value of protection? That depends, probably, on who or what one is protecting. What if the item that needs protection is likely to support many over an extended period? There would be great value in protecting that, indeed. This is what makes Business Continuity Management (BCM) a pivotal element in the panoply of management tools that make up Enterprise Risk Management (ERM). As organisations grow in size and complexity, even small events may escalate into major disasters. It pays to be prepared.
Under ISO 22301 and ISO 22313, the essence of Business Continuity is the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. This is imperative if the business wants to continue being perceived as a going concern and sustainable despite its setbacks. If it fails to respond, or is unable to demonstrate that it can implement mitigative measures when an incident occurs, this can damage its reputation and affect investor confidence. BCM is vital because all organisations are likely to face a crisis and/or operational disruptions at some point in time. The ability to manage these crises and operational disruptions is an indication of good management and good corporate governance.
Business continuity involves three general phases. When an incident occurs, the organisation must respond, then act, then recover; it’s about being prepared before things happen. Hence, how the organisation plans and prepares beforehand is of the utmost importance. But how does the organisation prepare? How does it determine what plans need to be put in place? How does it know what, where, when, why and how to mitigate? And how does it operationalise all this, when time is the most pressing constraint? There are really two parts to business continuity: the theoretical and the practical. The theoretical part is encapsulated in ISO 22301, but the practical part is not easily executed.
BCM is an ongoing management and governance process that ensures the necessary steps are taken to identify the impact of potential losses, manage risk, develop resiliency, maintain viable recovery strategies and plans to ensure the continuity of products and services of the organisation, through exercising, rehearsal, testing, training, maintenance and assurance. It’s a tall order but when it is the livelihood of many that it affects, the effort is worthwhile, especially when the focus of BCM is to keep the business operating regardless of what happens, with as little disruption to the “business as usual” routine as possible.
Because of that, BCM involves developing and documenting arrangements and procedures that enable an organisation to respond to a disruption that lasts longer than customers, shareholders and stakeholders deem acceptable, and to facilitate its return to normal operations after the disruption. BCM has grown in importance in recent years because of many factors. Technology is one; it has proved to be both a blessing and a curse. Human talent – or the lack of it – is another, as are changing regulations and, with them, a dynamic environment that produces uncertainty in many areas. Another factor may have increasing influence: stakeholder expectations.
The newly issued ISO 22301:2019 requires companies to consider “impact categories” in their Business Impact Analysis (BIA) and when evaluating effects/impacts on their processes or value streams end-to-end. The firm needs to understand how many people are involved, who is dependent on whom, and where staff expertise is located. A holistic perspective is necessary, and risks, threats and opportunities need to be identified within the macro picture. Many companies take a relaxed approach to BCM, believing that being insured covers all risks. While insurance may cover some of the purely financial parts of disaster recovery, it cannot help recover the intangible parts, such as damage to reputation or the loss of talent and other skilled labour. Also, insurance may not cover the post-incident period, when the company may still experience down-time losses.
Besides wrong assumptions, there are other common pitfalls when it comes to BCM. These include outdated or incomplete business recovery plans, a lack of testing, the lack of back-up utilities and facilities for critical operations, insufficient verification and validation of systems, and insufficient resources for recovery. Organisations that want to implement BCM would do well to focus on the factors critical to its success, which have a lot to do with gathering information, understanding and analysing it, getting buy-in from the various stakeholders involved, and communicating intentions in a structured, orderly manner.
At the top of the list is a complete understanding of the risks that face the business, followed by the identification of what is required to keep it going in the event of disruption, and what the impact of the problem will be. Next, look further – at third parties such as suppliers and service providers – and determine as far as possible, how they will react and respond if an incident occurs. BCM objectives should always be clearly stated, and be consistent with company policy and objectives. Far from being applied exclusively to mitigate risks, BCM should also be an opportunity for the firm to identify its weaknesses, and improve its performance.