Business Continuity Management (according to ISO 22301), as a weapon against unforeseen circumstances

The coronavirus has gripped Belgium and just about the entire world. This unexpected and initially unprecedented disruptor has drastically shaken the daily lives of people and companies. These uncertain and turbulent times of crisis bring with them a host of concerns and challenges. We realize now more than ever that we need to be better provisioned and armed against unforeseen circumstances to ensure continuity in our business operations. Indeed, such unexpected situations and disruptions in the market can have serious consequences for an organization's results and reputation. Like Covid-19, there are many other threats that can disrupt our business, such as failure of IT infrastructure due to cyber attack, prolonged power outages, terrorism, prolonged strikes, floods, and so on.

Business Continuity Management involves a proactive approach that enables an organization to prepare for and respond to potential incidents and interruptions to its business activities. The goal is to minimize the impact of business disruption and provide continuity to meet the demands of customers and other stakeholders at an acceptable level at all times.

For the structured establishment and organization of Business Continuity Management, ISO has published an international standard, ISO 22301:2019. This standard contains concrete requirements and is therefore certifiable; several thousand certificates have already been issued worldwide. An additional guideline with some clarifications, ISO 22313:2020, was written afterwards. ISO 22301 is based on the High Level Structure and thus has the same format and look and feel as ISO 9001 and ISO 14001: a Plan-Do-Check-Act approach and the identical clause structure (context, leadership, planning, support, implementation, evaluation and improvement). The specific and essential elements are found in the implementation chapter (chapter 8 of the standard).

These can be summarized in a 5-step plan:

Step 1 - Business impact analysis

An analysis should be made of the potential qualitative and quantitative impact that an organization may incur as a result of a particular event or incident. This includes impact on financial results and other business objectives, impact on its reputation, impact on operations and lead times as well as compliance with legal and contractual requirements. Based on this analysis, it is possible to estimate which products, services, processes and functions are critical and prioritized, as well as the most important dependencies (e.g., complete dependence on one supplier for a critical commodity). This analysis phase also determines what the timeframes are or should be. Examples include determining the maximum tolerated period of disruption (after this period the impact becomes unacceptable) and the necessary recovery period to be back up and running.

Step 2 - Risk assessment

The purpose of the risk assessment is to enable the organization to identify, analyze and evaluate its risks related to the potential disruption of its priority activities (as determined in the impact analysis).

Risk assessment is a structured process that attempts to answer some basic questions, such as:

  • What could happen?
  • How likely is this to happen?
  • What could be the consequences?
  • Is there anything that could reduce the probability of occurrences (preventive) or mitigate the consequences (curative)?
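Steps 1 and 2 produce two artefacts that are easy to get wrong on a spreadsheet: the prioritised list of activities with their tolerated outage and planned recovery time, and a risk register with likelihood, consequence and treatment. The script below is an added illustration, not part of the article or of ISO 22301 itself; the processes, risks, 1-to-5 scales and rating bands are constructed assumptions. It ranks activities by maximum tolerated period of disruption (MTPD), flags activities whose planned recovery time exceeds what the business tolerates, lists shared dependencies (the single-supplier case the text mentions), scores each risk as likelihood times impact, and reports risks with neither a preventive nor a curative measure and priority activities with no assessed risk at all.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Process:
    """One business activity from the impact analysis (constructed sample data below)."""
    name: str
    mtpd_hours: float                       # maximum tolerated period of disruption
    rto_hours: float                        # recovery time the organisation currently plans for
    dependencies: list[str] = field(default_factory=list)


@dataclass
class Risk:
    """One entry of the risk assessment, scored on 1..5 scales (an assumed convention)."""
    description: str
    process: str                            # which activity the risk threatens
    likelihood: int                         # 1 = rare .. 5 = almost certain
    impact: int                             # 1 = negligible .. 5 = catastrophic
    preventive: bool = False                # a measure exists that lowers the probability
    curative: bool = False                  # a measure exists that softens the consequences


def prioritize(processes: list[Process]) -> list[str]:
    """Shortest tolerated outage first: that is where recovery effort must go first."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtpd_hours)]


def recovery_gaps(processes: list[Process]) -> list[str]:
    """Activities whose planned recovery takes longer than the business can tolerate."""
    return [p.name for p in processes if p.rto_hours > p.mtpd_hours]


def dependency_map(processes: list[Process]) -> dict[str, list[str]]:
    """Dependency -> activities relying on it, most shared first (candidate single points of failure)."""
    deps: dict[str, list[str]] = defaultdict(list)
    for p in processes:
        for d in p.dependencies:
            deps[d].append(p.name)
    return dict(sorted(deps.items(), key=lambda kv: -len(kv[1])))


def risk_score(r: Risk) -> int:
    """Likelihood times impact, after checking both sit on the assumed 1..5 scale."""
    for value in (r.likelihood, r.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{r.description}: score {value} outside 1..5")
    return r.likelihood * r.impact


def rating(score: int) -> str:
    """Assumed rating bands; an organisation sets its own thresholds."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def risk_register(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """(description, score, rating) ordered from highest to lowest score."""
    ranked = sorted(risks, key=lambda r: -risk_score(r))
    return [(r.description, risk_score(r), rating(risk_score(r))) for r in ranked]


def untreated_risks(risks: list[Risk]) -> list[str]:
    """Risks for which no preventive and no curative measure has been identified."""
    return [r.description for r in risks if not (r.preventive or r.curative)]


def unassessed_processes(processes: list[Process], risks: list[Risk]) -> list[str]:
    """Priority activities that the risk assessment does not cover at all."""
    covered = {r.process for r in risks}
    return [p.name for p in processes if p.name not in covered]


# Constructed sample data for a small distribution company (not from the article).
PROCESSES = [
    Process("Order intake", mtpd_hours=24, rto_hours=8, dependencies=["ERP", "Payment provider"]),
    Process("Warehouse dispatch", mtpd_hours=48, rto_hours=72, dependencies=["ERP", "Sole logistics supplier"]),
    Process("Payroll", mtpd_hours=168, rto_hours=24, dependencies=["HR SaaS"]),
]
RISKS = [
    Risk("Ransomware on ERP", "Order intake", likelihood=3, impact=5, preventive=True),
    Risk("Prolonged power outage at warehouse", "Warehouse dispatch", likelihood=2, impact=4, curative=True),
    Risk("Sole logistics supplier insolvency", "Warehouse dispatch", likelihood=2, impact=5),
    Risk("Pandemic staff absence", "Order intake", likelihood=3, impact=3, curative=True),
]

if __name__ == "__main__":
    print("Priority order:", prioritize(PROCESSES))
    print("RTO exceeds MTPD:", recovery_gaps(PROCESSES))
    print("Dependencies:", dependency_map(PROCESSES))
    for entry in risk_register(RISKS):
        print("Risk:", entry)
    print("No treatment identified:", untreated_risks(RISKS))
    print("No risk assessed:", unassessed_processes(PROCESSES, RISKS))
```

The two gap checks are the useful part: an activity whose RTO exceeds its MTPD needs a different strategy in Step 3, and a risk with neither treatment flag set should appear in the continuity plans of Step 4 rather than silently remain on the register.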

Step 3 - Determining the continuity strategy

Based on the previous two steps, determine which strategies will be selected and which options will be considered before, during and after the incident or adverse event. This includes determining specific work methods, procedures, backup arrangements, third-party agreements, splitting or duplicating activities and locations, knowledge management, establishing buffer stocks, ...

For each of the strategies, it should be determined what resources it requires (people, financial resources, ICT systems, partners, material, ...). The chosen methods should be implemented and maintained so that they can be activated when needed.

Step 4 - Responding to incidents and emergencies

It should be determined what to do in case an incident actually occurs. In other words, business continuity plans should be drawn up that describe how the organization will respond to the circumstances and what measures will be taken to ensure business continuity.

This includes what needs to be done, how it needs to be done, who does what, who communicates about what and with which stakeholders, ...

Step 5 - Organize exercises and make adjustments as needed

Exercise programs should be established and implemented to periodically test and validate whether the defined strategies and plans are working and actually effective.

And last but not least, the necessary adjustments must be made to ensure that the system and the accompanying documents are kept alive. A Business Continuity Plan that does not evolve or is not practiced enough is soon outdated and has little added value.

So we better be prepared, just in case a new virus gets us.

Author: Joerdi Roels