Post-crisis business closures weigh heavily towards companies that fail to develop business continuity plans (BCPs) before major incidents. But the length and depth of the COVID-19 crisis suggest that not just any BCP will do.
Instead, it’s absolutely essential that your client’s BCP accurately identifies, quantifies, and minimises potential interruptions and risks before a crisis happens. And to that end, best-practice certifications, like ISO 22301, help clients bolster their business continuity planning risk mitigation strategy as they adjust to the new normal.
The sole, high-level, international BCM standard using recognised best practices, ISO (International Standard Organization) 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented business continuity management system (BCMS).
Generic in nature, the standard applies to any organisation looking to establish, implement, maintain, or even just improve its BCMS. As such, it’s a sure-fire way for your clients to ensure compliance with their stated business continuity policies, whether those policies are internally mandated or dictated by regulators, insurers, customers, or others.
The standard itself includes ten primary clauses, including the introduction, scope, normative references, and important terms and definitions sections. Compliance entails full adherence with all these specifications, not just a representative handful. And so, all main sections are detailed below:
Context of the organisation. Effective business continuity management depends on a thorough understanding of an organisation’s internal and external needs. The task for business continuity professionals and consulting partners is to set clear boundaries for the scope of the eventual system, consonant with applicable legal and regulatory requirements. Main components, here, include establishing and documenting the following:
- What the organisation does and the potential impact of disruptions
- Relationship with other policies and wider risk management
- Contractual and other requirements
- Interested parties
- Scope of the management system
Leadership. BCM is not a back-office activity. It requires serious, senior management engagement throughout the business continuity lifecycle to ensure adequate resourcing and staffing. Main components, here, include establishing and documenting the following:
- Leadership and commitment with respect to Business Continuity Management
- A business continuity management policy
- Roles, responsibilities, and authorities
Planning. An effective BCP begins with a thorough risk assessment and a rigorous business impact analysis. Your clients should also set out clear objectives and criteria to measure plan success. Main components, here, include determining and documenting the following:
- Risks and opportunities presented by the objectives and requirements
- Business continuity objectives and plans to achieve them
- Minimum acceptable levels of output
- Project plan
Support. Business continuity management doesn’t happen in a vacuum. More than senior management engagement, your clients will need a stock of qualified professionals with relevant knowledge, skills, and experiences. Staff also needs to be apprised of their role in responding to incidents. Main components, here, include establishing the following resources to support the BCMS:
- A competence system
- An awareness program
- A communications plan
Operation. This clause lays out many of the requirements for the BCP, including the mandate to establish disruption and continuity management procedures. Main components, here, include planning and implementing processes to deliver the following:
- Business impact analysis and risk assessment
- (Contingency) resources
- Impact mitigation
- Incident response structure and plans
- Exercise and test arrangements
Performance evaluation. Developing a business continuity management system isn’t enough. Your clients still have to monitor, measure, and evaluate their BCMS once it’s in place. The standard, therefore, calls out the necessity of internal audit programs. Main components, here, include determining and documenting arrangements for the following:
- Monitoring, measurement, analysis, and evaluation
- Internal audit
- Management review
Improvement. Your clients change. And with the COVID-19 crisis, so too does the wider business environment around them. The BCMS needs to keep up with those changes. What’s more, business continuity teams must also identify non-conformities and take corrective actions to continue to enhance the overall performance of the BCMS. Main components, here, include establishing procedures for the following:
- Non-conformance identification, reporting, and consequence control
- Corrective actions (system changes)
- Continual improvement
A best-practice standard, ISO 22301 helps your clients identity what functions are essential, and then prioritise and develop mitigating controls. But having a BCP is one thing, executing that plan during a disaster is quite another. And here, our Noggin integrated safety and security software, in tandem with your consulting services, can solve your client’s thorniest paint point. To learn more, contact us at firstname.lastname@example.org.