What Should Business Continuity Professionals Do in Response to the Coronavirus?


As governments grapple with the spread of the virus, the question that applies to organizations of all sizes is: how can they effectively respond to such a situation? We are dealing with a threat to, or disruption of, business operations. Since 2012, the ISO 22301 Business Continuity Management System standard, now in its revised version of 2019, has described requirements for implementing a management system to reduce the impact of disruptive events. This sleek requirements document is accompanied by a rich guidance document, ISO 22313, which offers practical information on how to prepare for, respond to and recover from disruptions. The COVID-19 developments are unfolding at an accelerated pace, and organizations may have a lot of gaps to cover in their Business Continuity Plan(s). Factors such as operational agility and employee morale are just some of the main points at play. Organizations of all sizes have a very significant role to play during a virus outbreak, especially when it comes to implementing good practices and communicating advice on hygiene protocols, personal protective equipment, and behavioral changes (i.e., properly washing hands, social distancing and avoiding handshaking in meetings). Within organizations, the team responsible for the business continuity plan can use a variety of proactive strategies to try to take control of the virus outbreak within their organization.

 

As business continuity professionals, there are four main things that you can do to prepare your organization for the potential impacts caused as a result of the coronavirus:

  • Talk to your organization’s leadership about the situation.
  • Assess your dependence on China.
  • Review and update plan documentation.
  • Socialize precautionary and business continuity-related strategies and procedures.

Talk to your organization's leadership

 

It can be hard to have a conversation related to business practices when an incident threatens to affect the health and wellbeing of so many people. Common hesitations include coming off as crass and focusing on an issue that is not currently present. However, if your organization uses China-based employees or suppliers, or is dependent on global supply chains and the movement of people, it is critical to have this conversation.

 

Assess your dependence on China

 

It is important to work with your organization to determine areas with the highest risk of interruption due to the coronavirus. Major considerations include the risk of your suppliers (and their suppliers), personnel, customers, and supply chain systems being impacted. For each of these areas you should:

  • Identify Current and Future Impacts: Consider how the previously mentioned stakeholders and systems are being impacted and where likely disruptions may occur in the future. These disruptions may be a direct result of the disease or a result of government-imposed policies and regulations. Of note, the World Health Organization is tracking high-risk and affected areas.
     
  • Communicate Impacts: After the current and potential threat of the disease is determined, the organization should draft communications regarding the impacts. These communications should be streamlined and approved by Human Resources and Legal. Messaging may contain information on how the organization has been impacted and what it is doing to respond effectively. Additionally, the designated team or individual that was identified with leadership should continue to track the spread and impacts of the coronavirus until the threat of the disease is mitigated.

Contingency planning and disaster recovery were largely information technology-led responses to natural disasters and terrorism that affected businesses during the 1980s and early 1990s. 

 

There was a growing recognition, however, that this needed to become a business-led process and encompass preparing for many forms of disruption. In light of this, the discipline became known as business continuity management (BCM). As governments and regulators began to recognize the role of business continuity in mitigating the effects of disruptive incidents on society, they increasingly sought to gain assurance that key players had appropriate business continuity arrangements in place. Similarly, businesses recognized their dependence on each other and sought assurance that key suppliers and partners would continue to provide key products and services, even when incidents occurred.

 

ISO 22301 Explained

 

ISO 22301 is the second published management systems standard that has adopted the new high-level structure and standardized text agreed in ISO. This will ensure consistency with all future and revised management system standards and make integrated use easier with, for example, ISO 9001 (quality), ISO 14001 (environmental) and ISO/IEC 27001 (information security). The standard is divided into 10 main clauses, starting with scope, normative references, and terms and definitions. Following these are the standard’s requirements:

  • Clause 4 – Context of the organization:
    The first step involves getting to know the organization, both internal and external needs, and setting clear boundaries for the scope of the management system. In particular, this requires the organization to understand the requirements of relevant interested parties, such as regulators, customers, and staff. It must, in particular, understand the applicable legal and regulatory requirements. This enables it to determine the scope of the business continuity management system (BCMS).

     
  • Clause 5 – Leadership:
    ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. This is so that top management ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the BCMS.

     
  • Clause 6 – Planning:
    This requires the organization to identify risks to the implementation of the management system and set clear objectives and criteria that can be used to measure its success.

     
  • Clause 7 – Support:
    Since resources are required for implementation, Clause 7 introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place to both contribute to the BCMS and respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents and this clause deals with all of these areas. The need for communication about the BCMS – for instance in telling customers that the organization has appropriate BCM in place – and preparedness to communicate following an incident (when normal channels may be disrupted) is also covered here.

     
  • Clause 8 – Operations:
    This section contains the main body of business continuity-specific expertise. The organization must undertake business impact analysis to understand how its business is affected by disruption and how this changes over time. Risk assessment seeks to understand the risks to the business in a structured way and these inform the development of business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside steps to be taken when incidents occur. As it is impossible to completely predict and prevent all incidents, the approach of balancing risk reduction and planning for all eventualities is complementary. It might be said, “hope for the best and plan for the worst.”

ISO 22301 emphasizes the need for a well-defined incident response structure. This ensures that when incidents occur, responses are escalated in a timely manner and people are empowered to take the necessary actions to be effective. Life safety is emphasized and a particular point is made that the organization must communicate with external parties who may be affected, for instance, if an incident poses a noxious or explosive risk to surrounding public areas.

 

Exercises and tests are fundamental in ISO 22301: it is only through structured exercises – which should stretch the individuals and teams involved – that an organization can achieve objective assurance that its arrangements will work as anticipated and when required.

  • Clause 9 – Evaluation:
    For any management system, it is essential to evaluate performance against plan. ISO 22301, therefore, requires that the organization select and measure itself against appropriate performance metrics. Internal audits must be conducted and there is a requirement that management reviews the BCMS and acts on these reviews.

     
  • Clause 10 – Improvement:
    No management system is perfect at the outset, and organizations and their environments are constantly changing. Clause 10 defines actions to take to improve the BCMS over time and ensure that corrective actions arising from audits, reviews, exercises and so on are addressed.

SUCCESSFUL IMPLEMENTATION?

 

To work well, ISO 22301 will need organizations to have thoroughly understood its requirements. Every line and word has meaning and the relative importance is not necessarily reflected by the number of words devoted to a topic. Rather than being simply about a project or developing “a plan”, BCM is an ongoing management process requiring competent people working with appropriate support and structures that will perform when needed.

 

Business continuity management standard ISO 22301 revision

 

The ability of an organization to continue operating during a disruption has never been more important. So it’s no surprise that ISO 22301, the internationally recognized standard for a business continuity management system (BCMS), is being updated to make sure it remains relevant to today’s business environment.

 

As the first ISO standard based on the High-Level Structure (HLS), it has a strong foundation that now aligns with many other internationally recognized management system standards such as ISO 9001 quality management and ISO/IEC 27001 information security management. However, there are areas of improvement highlighted by users, particularly around less prescriptive procedures and updated terms and definitions, that need considering to ensure it remains relevant in a changing business landscape.

 

Key changes to ISO/FDIS 22301

  • Content in clause 8 has been reordered, duplication removed and terminology is simplified and more consistent.
  • References to risk appetite have been removed.
  • Introductory guidance information has been removed and placed in ISO 22313, the BCMS guidance document.
  • More specific focus on planning for changes to the BCMS.
  • Less prescriptive procedures and documentation requirements.
  • Business continuity strategy is more clearly expressed as “Business continuity strategy and solutions.”
  • Business continuity plans now clearly link to supporting the teams and people that will respond to a disruption.

So, why should you care about 22301?  

 

Because the additional benefits to your organization can be significant, including:

  1. Increased sales and business: Today, more and more business partners (customers, suppliers, subcontractors, etc.) are demanding proof that their partners are prepared for unforeseen events. In many cases this requirement is written into RFPs and service contracts. Proof of a robust business continuity program can mean the difference between winning a bid and closing a deal, or not. I can speak from personal experience, having headed the business continuity program for a Fortune 100 international supplier, that our program continued to come under closer and closer scrutiny, and demonstrating its capability was a stipulated requirement to obtain many large business contracts.
  2. Time and Cost Savings: I can also speak from personal experience that the time, costs, and resources necessary to demonstrate to business partners that all of their business continuity requirements of our company were met became increasingly burdensome. Some wanted to see IT recovery capabilities. Some wanted to evaluate the emergency response and crisis management. Some wanted to look at logistics redundancies. Each of these individual requests took time and resources to address. Being able to point to a single standard became a hugely efficient mechanism to address all of these obligations.
     
  3. Enhanced Reputation: If you are reading this Newsletter, you probably already know the value of adhering to ISO standards in general. It immediately designates an organization as willing to do what is necessary to ensure superior quality and achievement against the highest measurements.  In business continuity, adherence to a standard also shows a commitment to protect its employees, shareholders, and other stakeholders from unforeseen catastrophic events.
     
  4. Integration within the Business: If an organization has already become certified to other ISO standards, then they are familiar with, and presumably adept at, executing management systems. So, it is not as difficult as starting from scratch to implement an additional management system such as business continuity. Integrating business continuity into existing business systems gives the organization a simpler, more unified operation, such that various management systems work in harmony.
     
  5. Management Involvement: One of the “knocks” on business continuity programs is that they simply pay lip service to “checking the boxes,” and don’t really get to the heart of what is necessary to protect the organization and prepare to respond to catastrophic events.  An indicator of such failure is when top management is not involved in setting strategies and following up on implementation.  ISO management systems simply do not allow this to happen.  Lack of management involvement is immediately flagged as a possible major non-conformity.  So standards, particularly the ISO standards, have fail-safe mechanisms for ensuring management involvement.

ISO 22301 Consultation in Jordan

 

If you are looking for ISO 22301 consultation in Jordan, you are at the right place! AAC MENA is one of the best providers to obtain the ISO 22301 certificate for your industry in Jordan at an affordable price. AAC MENA is known for ensuring customer satisfaction and business improvement.

 

Conclusion

 

As a leader in consultation services, AAC MENA offers unrivaled experience and expertise in ISO 22301 requirements. Our presence in the Middle East and harmonized approach give you access to the largest independent network of consultants and advisory services in the region.

 

To discuss your ISO 22301 requirements, contact us today. 
