As the events of 2020 have shown us, the need for a business to plan and implement strategies to deal with disruptive events is crucial. In this article, we talk about the importance of business continuity, and the requirements of the standard for it; ISO 22301.
ISO’s definition of business continuity is:
“Capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.”
The standard places importance on the recognition of the business and its context within a supply chain, and showing other businesses across the supply chain that if something disruptive happens, the business can continue – or at least recover with minimal disruption to any contracts and agreements that are in place.
It is also about having a management system that will ensure society is protected if a disruptive incident occurs to your business. It’s similar to risk management in that where risk management is about protecting the business, and is internally focussed; business continuity is about protecting those external to the business, including customers, suppliers and society as a whole, and is externally focussed.
If the standard is about protecting those external to the organisation and not about protecting the actual organisation, why is it important?
Firstly, governments and regulators recognise the role of contingency planning, and how to mitigate the effect of a disruptive incident on society. They want assurance that the key players they engage with have adequate plans in place to recover from any disruption to their services or products.
Similarly in industry, good businesses understand the threat to them if a disruptive incident occurs within their supply chain. Therefore these businesses want real assurance from their key suppliers that they will be able to continue to supply and to meet contractual agreements when a serious event occurs.
How does a business show that its supply will survive a disruptive incident? One way to demonstrate this is through alignment to ISO 22301. This shows stakeholders (customers, regulators, top management, legislators and anyone else interested) that good business continuity management is in place, and that a certain benchmark has been achieved. Certification to the standard can also be achieved.
What exactly is a disruptive incident? Here are some scenarios, and the possible impacts they may have…
- A manufacturing plant suffers a major machine failure and is unable to continue supply to customers. The customers now can’t function.
- A pilot leaves a small airline. Some flights may have to be cancelled, leaving customers stranded.
- A severe weather event causes a workplace to flood. Important data is lost. The business is then unable to supply information to external parties.
- A medical outbreak occurs and a number of staff become sick and cannot work. The organisation has reduced service offerings to clients.
- A training provider fails to meet compliance requirements and is unable to issue certificates. Students are not able to complete courses.
- Civil unrest causes a food supply business to close. The local community suffers due to lack of food.
- A public transport failure prevents people reaching their workplaces on time. For many businesses, economic disruption occurs.
- A failure of EFTPOS facilities prevents customers from using this common payment method. Customers are unable to purchase goods and services.
- A wifi failure prevents staff and customers gaining access to information. Lack of information leads to poor service and incorrect decisions.
- A flash flood occurs, damaging roads between worker accommodation and the worksite. Workers are unable to access the worksite.
Disruptive incidents can be anything from intentional (or unintentional) human acts, natural hazards or disasters, or even technical failures.
These sort of incidents are covered by other standards – for example customers (ISO 9001), the environment (ISO 14001), your information (ISO 27001), your risks (ISO 31000), your assets (ISO 55001), and your people (ISO 45001). So where are the requirements of ISO 22301 different?
ISO 22301 is stronger for identifying, responding to, and overcoming disruptive events and uses different terminologies. For example:
- Business impact analysis – A formal documented evaluation process is required for determining continuity and recovery priorities, objectives and targets.Here you have to explain (in priority order) what you will do before the incident has happened, and specifically what you expect to happen and when during the period of recovery.
- Incident response structure – Procedures are to be documented to ensure continuity of activities and management despite a disruptive event. These procedures need to include the management structure for the incident and impact thresholds that justify the initiation of a formal response. Who does what during an incident may be quite different to the normal management structure of the organisation. Here you need to detail what those new structures will be – and they may be different for different event types.
- Business continuity plans – Documented procedures are required to respond to a disruptive incident, then to continue or recover activities within a determined timeframe after the incident. You will need written plans to show what, how and when things will happen in response to impacts on activities, then how the activities are eventually recovered. Importantly these need to include timelines.
- Recovery – Documented procedures are needed to restore and return the business to normal after an incident. Once the disruption has finished, you have to explain how the business will return to normal.
- Exercising and testing – The procedures that have been mentioned above need to be checked through exercises and testing to ensure they will work. It is interesting here to look at what differentiates an exercise from a test – and again the definitions help us.
- Exercise – process to train for, assess, practise, and improve performance in an organisation.
- Test – a unique and particular type of exercise, which incorporates an expectation of a pass or fail element with the goal or objectives of the exercise being planned. These exercises and tests are more than a group of people agreeing that what they have written down will work. They have to practice various scenarios to see if what they expected to happen goes according to plan.
As mentioned, these requirements are contained in other standards, yet in this standard they are more demanding and prescriptive. For example, both ISO 14001 and the ISO 45001 require emergency response procedures and the testing of them, however they don’t go into as much detail as ISO 22301. The responses you currently have may have been acceptable under those standards but they won’t be strong enough under ISO 22301.
We are re-launching our Business Continuity course in 2021 – to secure your place book now via the link below.