The COVID-19 pandemic has caused an unprecedented disruption forcing organisations to ponder their survival.
It is therefore proving crucial to put in place a formal proactive business continuity framework which can be relied on in times of crisis rather than have one on an ad hoc basis which is reactive in nature. This can be done using the ISO 22301 standard which specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptions.
ISO 22301:2019 defines Business Continuity as the capability of an organisation to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.
Business Continuity is underpinned by the customers’ expectations regardless of internal or external issues that may hinder the delivery of products or services. Hence there is a requirement for constant functioning of key pillars of the organisation like business functions, networks, ICT applications and people.
Business continuity is not restricted to any industry/sector. The use of the term “business” does not mean that it only refers to commercially driven organizations. The public sector can also readily benefit from adopting such practices as can the third sector, which incorporates voluntary and not-for-profit organizations.
Key elements of a Business Continuity Management System as contained in the ISO 22301 Standard include.
- Leadership and Commitment: Top management need to demonstrate leadership and commitment to the business continuity management system by ensuring the business continuity policy and objectives are established, ensuring that the responsibilities and authorities for relevant roles are assigned and communicated.
- Business Impact Assessment (BIA): The purpose of a Business Impact Assessment is to assess the impact of a disruption over time. The impacts could be financial, reputational, operational, legal etc. This will enable the organisation to identify and prioritise the activities that enable the provision of goods/services, determine the time frames for resuming disrupted activities at a specified minimum acceptable capacity, minimum operating requirements and the interdependencies within the organisation.
- Risk Assessments: There is a need for a systematic process to assess the likelihood and impact of risks. Even as we continue to adjust to our new normal the crisis may expose organisations to new threats and vulnerabilities. Risk management therefore provides a means to improve on decision making.
- Business Continuity Strategies and Solutions: Organisations should select strategies and solutions that consider options for before during and after disruptions.
- Crisis Management Team: Organisations should maintain a structure identifying the teams responsible for responding to disruptions. These teams can be split into workstreams that would focus on different aspects of the business e.g. employees, finance, legal. These teams are tasked to monitor progress of recovery actions and report back to the decision-making authority of the organisation.
- Business Continuity Plans and Procedures: Different scenario-based plans and procedures to follow in case of a disruption to recover prioritised activities and to return to normal after the disruption. These plans can be categorised into, Crisis Management Plans, Emergency Response plans and Disaster Recovery Plans for the ICT applications and infrastructure. These plans should have defined activation criteria.
- Documented Information: It is said that “the faintest ink is better than the best memory” thus emphasising the need to document different aspects of the BCMS. ISO 22301 requirements and information determined by the organisation as being necessary for the effectiveness of the BCMS shall be retained as documented information. The extent of documented information will depend on the size of the organisation, complexity of processes and the competency of persons.
- Exercising: Testing is essential for an effective business continuity programme because it helps to validate the plans, highlights weaknesses in the plans and provides critical hands-on training on how to react to different scenarios.
- Training and awareness: Training and awareness on business continuity should be conducted at planned intervals for staff to understand their contribution to the success of the programme and their responsibilities before, during and after disruptions.
- Performance Evaluation: Organisations should measure the effectiveness of the Business Continuity Management System through setting up Key Performance Indicators and through audit.
- Continual improvement: The results of the risk assessment, performance evaluation, internal audit, exercising should provide valuable insights into improvement opportunities for the Business Continuity Management System.
In conclusion, formalising your organisation’s Business Continuity using a management system where the requirements are integrated into the organisations business processes will greatly improve resilience and achievement of your organisational objectives.
You can check out our Training course information on ISO 22301 Business Continuity where you will be able to gain comprehensive knowledge on the best practice used to implement a Business Continuity Management Systems.