Disruptive events to businesses are becoming increasingly frequent, and the ability for businesses to plan and implement strategies to deal with this events is important, not only from viability of their business, but for their employees, their supply chain and the role that organisation has within the community. In this article, we talk about the importance of business continuity, and the requirements of the standard for it; ISO 22301.
Are you a bit concerned about the point of this ISO standard for business continuity? Particularly when you consider there are management standards that already exist to look after your customers (ISO 9001), the environment (ISO 14001), your information (ISO 27001), your risks (ISO 31000), your assets (ISO 55001), and your people (ISO 45001).
If you’ve addressed the requirements in those other standards, you might ask yourself if this business continuity thing is just ISO trying to sell another standard and generate more revenue for themselves?
Actually, it is a bit more than that – and here we hope to explain the real point of ISO 22301. Firstly, the full title helps us…
Societal security – Business continuity management systems – Requirements
It’s the “societal security” bit that is interesting, because the ultimate purpose is not to protect the business so it can continue to make money, but to ensure that the business can continue to function to protect our society. Secondly, the definition of “business continuity” helps too…
Capability of the organisation to continue delivery of products or services at acceptable predefined levels following disruptive incident
This standard is about having a management system that will ensure “society” is protected if a disruptive incident occurs to your business. Now that sounds ever so much like risk management – and that’s exactly what it is! Normal risk management is about protecting the business, and it tends to be internally focussed; whereas this focus is on protecting those external to the business.
The standard is also about recognition of the business and its context within a supply chain, and proving to other businesses both up and down the supply chain that if something disastrous happens, the business can continue – or at least recover with minimal disruption to any contracts and agreements that are in place.
Now if the standard is about protecting those external to the organisation and not about protecting the actual organisation, why should business continuity be so important to the organisation itself?
First of all, governments and regulators recognise the role of contingency planning, and how to mitigate the effect of a disruptive incident on society. They want assurance that the key players they engage with have adequate plans in place to recover from any disruption to their services or products.
Similarly in industry, good businesses understand the threat to them if a disruptive incident occurs within their supply chain. Therefore these businesses want real assurance from their key suppliers that they will be able to continue to supply and to meet contractual agreements, if and when a serious event occurs.
So how does a business show that its supply will survive a disruptive incident? A sure way to demonstrate is through certification to ISO 22301 because this shows stakeholders (customers, regulators, top management, legislators and anyone else interested) that good business continuity management is in place, and that a certain benchmark has been achieved.
You’ve heard a lot so far about “disruptive incidents”, but what exactly what is a disruptive incident? Here are some scenarios, and the possible impacts they may have…
- A manufacturing plant suffers a major machine failure and is unable to continue supply to customers. The customers now can’t function.
- A pilot leaves a small airline. Some flights may have to be cancelled, leaving customers stranded.
- A severe weather event causes a workplace to flood. Important data is lost. The business is then unable to supply information to external parties.
- A medical outbreak occurs and a number of staff become sick and cannot work. The organisation has reduced service offerings to clients.
- A training provider fails to meet compliance requirements and is unable to issue certificates. Students are not able to complete courses.
- Civil unrest causes a food supply business to close. The local community suffers due to lack of food.
- A public transport failure prevents people reaching their workplaces on time. For many businesses, economic disruption occurs.
- A failure of EFTPOS facilities prevents customers from using this common payment method. Customers are unable to purchase goods and services.
- A WIFI failure prevents staff and customers gaining access to information. Lack of information leads to poor service and incorrect decisions.
As you can see, disruptive incidents can be anything from intentional (or unintentional) human acts, natural hazards or disasters, or even technical failures.
You may argue that all these “non-conformances” or “emergencies” are picked up in other standards – and you would be correct. So where are the requirements of ISO 22301 different?
While this is not the place to point out every single little difference, we will highlight key areas. And it’s not really that ISO 22301 is different – it’s just that it is stronger in these areas and uses different terminologies.
- Business impact analysis – A formal documented evaluation process is required for determining continuity and recovery priorities, objectives and targets.Here you have to explain (in priority order) what you will do before the incident has happened, and specifically what you expect to happen and when during the period of recovery.
- Incident response structure – Procedures are to be documented to ensure continuity of activities and management despite a disruptive event. These procedures need to include the management structure for the incident and impact thresholds that justify the initiation of a formal response. Who does what during an incident may be quite different to the normal management structure of the organisation. Here you need to detail what those new structures will be – and they may be different for different event types.
- Business continuity plans – Documented procedures are required to respond to a disruptive incident, then to continue or recover activities within a determined timeframe after the incident. You will need written plans to show what, how and when things will happen in response to impacts on activities, then how the activities are eventually recovered. Importantly these need to include timelines.
- Recovery – Documented procedures are needed to restore and return the business to normal after an incident. Once the disruption has finished, you have to explain how the business will return to normal.
- Exercising and testing – The procedures that have been mentioned above need to be checked through exercises and testing to ensure they will work. It is interesting here to look at what differentiates an exercise from a test – and again the definitions help us.
- Exercise – process to train for, assess, practise, and improve performance in an organisation.
- Test – a unique and particular type of exercise, which incorporates an expectation of a pass or fail element with the goal or objectives of the exercise being planned. These exercises and tests are far more than a group of people sitting around a table and agreeing that what they have written down will work. People actually have to roll their sleeves up, get their boots dirty, and go and see if what they expected to happen does go according to plan. And they have to test more than once – and they have to review – and they have to improve!
As mentioned, these requirements are contained in other standards, yet in this standard they are more demanding and prescriptive. For example, both ISO 14001 and the new ISO 45001 require emergency response procedures and the testing of them, but they don’t go into anywhere near as much detail as ISO 22301. So the responses you currently have may have been acceptable before, but they won’t be strong enough under ISO 22301.
What is also interesting is that when a nonconformity occurs in the other standards, you can decide what to do to correct it and prevent its recurrence. In ISO 222301, you have to determine what you will do before the nonconformity happens and be prepared even if it never happens (and of course hopefully it doesn’t!).
So is this business continuity a good thing? Absolutely! And is it already adequately covered in the other standards? No, we don’t think it is.