It was the first management system to be built around what was known at the time as Annex SL (subsequently renamed Annex L). This defines a format for how standards should be written by the International Organisation for Standardisation. So, since ISO 22301 was first published back in 2012, all new and revised ISO standards have followed the same structure. This makes it much easier for businesses to write, implement and integrate their management systems. (And truth be told, a little easier for us Auditors to audit...)
Business Continuity Plans (BCP)
Many forward-thinking organisations who are on top of risk management have a Business Continuity Plan (BCP). They see this as the first step in building business resilience.
A BCP is simply a set of plans to help you manage disruptions in your business. In very few words, it enables you to:
- prioritise activities in your organisation (for example, is keeping the Service Desk running more important than HR in the short term?)
- identify risks to those activities and to the resources required to keep activities running (for example, how likely is it that a key supplier will let you down or that an important piece of equipment might fail?)
- develop risk mitigation actions to prevent breaks in continuity – in other words, identify what you actually need to do
- identify when to invoke BCP actions including what to do and who does it, possibly backed up with written procedures
There's a bit more to it than that, and each of those elements can become quite detailed. You also need to think about what aspects of your organisation should fall within the 'scope' of your Business Continuity Plan. You've got to be sensible – you don't necessarily need a plan for when the milk isn't delivered. (Although woe betide anyone who gets in the way of me getting my cuppa in the morning...)
So, as you can see, a Business Continuity Plan is all about keeping your business running throughout a disruptive incident. And who wouldn't have benefited from that throughout COVID-19? Did you have plans for when everyone was forced to work from home? Did you have plans for managing large scale absence? For all those staff with childcare problems? I can tell you that the ISO 22301 certified organisations that I work with did have such plans and have prospered.
By the way, don't confuse business continuity with disaster recovery. Business continuity is about keeping your business running. That might be through a disaster such as a fire, IT failure or pandemic, or it might be through a lesser issue: being short-staffed, partial loss of facilities, transport disruption, shortage of materials. Disaster recovery is about restoring things to their optimal state and is often associated with IT failures or data loss (and ISO 27001 Information Security Management Systems).
Business continuity can also lead you into the area of contingency planning.
Business Continuity Management System (BCMS)
So, if you've developed a BCP, is that all you need to get ISO 22301 certified? Well, not quite, but you're well on the way. A Business Continuity Management System (BCMS) builds upon your BCP, which is at the heart of your BCMS.
As we saw earlier, all ISO standards are built around Annex L, so there are a few additional things you need to do to turn your BCP into a BCMS. The good news is that all of these things contribute to making your BCP more thorough and your organisation more resilient.
For example, ISO 22301 requires that you put your plan within the Context of the Organisation (clause 4). This means, for example, you have to dig deep to identify your organisation's objectives, to ensure that your plan takes into account the needs of 'interested parties' (the people on whom you depend, and who depend on you) and that you pay heed to legal requirements. All this helps you define the scope of your system – what activities you want it to cover (remember the milkman?) – and ultimately defines the boundaries of your ISO 22301 certification.
You're also going to need to think about Leadership (clause 5). If you're the ultimate boss and reading this, then leadership won't be a problem. But if you're further down the structure, your BCP will never work without buy-in from top management. Identifying roles, responsibilities, and authorities, right from the top down, is really important. Who can authorise the evacuation of the building? Who can agree the purchase of emergency supplies? Who can make a statement to those media people phoning you up? Do you have an agreed statement to make to clients?
Chances are, without a certified BCMS you haven't got all of this nailed. ISO 22301 is the driving force to ensure you all play your part and resource the system properly (clause 7). So if you aren't the 'top management', you should remind them of this. They'll thank you for it later (or during a pandemic).
Think about these things first and you can save time and money that is wasted by making up policy on the fly.
Business Continuity doesn't expect you to be a fortune teller and predict every possible situation. But just thinking about what might happen and what is important to your organisation helps you prepare, even if you didn't foresee the specific issue. With a good BCMS you might see the disaster coming and be able to react before it hits you. It's easier to slam on the brakes of the car than to recover from an accident.
The Value of Third Party Audits
The big difference between an ISO 22301 BCMS and a mere BCP is that the former surrounds the latter within a system of review and audit. Nearly all ISO systems are based on the principle of Plan-Do-Check-Act (PDCA). This means we learn from experience; we hold our hands up when things go wrong and make sure it doesn't happen again.
If you've simply got a BCP and no BCMS, there's a good chance you don't have these disciplines embedded in your organisation. And you certainly won't have Auditors from accredited certification bodies reviewing your system every year to ensure it is following best practice.
A report from the Business Continuity Institute in 2018 found that while 70% of respondents in their survey used ISO 22301, 54% of those who used it did not get certified. However, the number getting certified is rapidly increasing, and here's the main reason why: they appreciate the value of a third party audit and getting their systems tested. It's the only way to see how your system measures up to the best in class.
When you get your system audited, the chances are that the Auditor has seen continuity systems in operation in dozens of other organisations. Why wouldn't you want the benefit of their experience in finding opportunities to improve your BCP and the resilience of your business?
I chat with management system consultants all the time. They're seeing a big rise in the number of clients speaking to them who were amongst those who half-heartedly implemented a BCP or BCMS without certification, have found their plans lacking during COVID-19 and are now looking to formalise their systems.
Once bitten, twice shy.
This might be easier than you think
I have good news for you.
We've established that a BCP on its own doesn't quite cut the mustard. It needs to be couched in an all-encompassing BCMS. But this is where it gets interesting.
Remember that geeky stuff earlier on about Annex L and how I said it makes life easier for you? I'd go so far as to say if you've got another system such as ISO 9001, ISO 27001, ISO 45001 or ISO 14001, you've possibly already done up to 60% of the work for ISO 22301. The disciplines, policies and procedures that support those systems can be placed on top of a Business Continuity Plan and you've effectively got an ISO 22301 Business Continuity Management System ready and waiting to be certified.
And remember – you really do need to get it certified. It's the only way to test your system against international best practice. ISO 22301 was written, after all, by the world's leading experts on business continuity who have gone out of their way to make it as effective and easy as possible for you.
So what's holding you back? Next time a crisis strikes, you'll thank me for it.