Business continuity management (BCM) has been around for some time now, roughly since the 1970s, according to most accounts. Back then, the field was a mere offshoot of crisis management. But now its scope has narrowed substantially to a holistic management process for identifying potential threats to an organization and the operational impacts those threats pose.
This narrowing of focus has nonetheless been key to an upsurge in BCM popularity. One testament to the field’s widespread acceptance across industries and sectors is the number of jurisdictions that have intervened to mandate baseline business continuity practices, e.g. the maintenance of business continuity plans (BCP).
These policy moves put organizations in a bit of a bind, especially those transacting business across jurisdictional lines – remember, those jurisdictions can be local, state, or national. Without an agreed-upon definition of business continuity best practice, the question of whose baseline should apply arose. Numerous standards emerged. But until there was a standard above all other standards, organizations risked being penalized if their BCM program wasn’t quite up to scratch.
Not so after the introduction of ISO 22301, the first and only high-level international BCM standard. Flexible by design, ISO 22301 requirements are meant to fit the needs of the complying organization, which are of course shaped by that firm’s legal, regulatory, and larger business environment.
In essence, ISO 22301 applies to any and all organizations looking to establish, implement, maintain, or even just improve their business continuity management systems and structures. The standard offers a surefire way to ensure compliance with stated business continuity policies, whether those policies are internally or externally mandated.
ISO 22301 consists of ten primary clauses, including the introduction, scope, normative references, and important terms and definitions sections. The remaining six clauses address the following:
- Context of the organization. Effective business continuity management depends on a thorough understanding of an organization’s internal and external needs. The task for business continuity professionals is to set clear boundaries for the scope of the eventual system, consonant with applicable legal and regulatory requirements.
- Leadership. BCM is not a back-office activity. It requires serious, senior management engagement throughout the business continuity lifecycle. Specifically, senior management engagement is necessary for ensuring adequate BCM resourcing and staffing.
- Planning. An effective BCP begins with a thorough risk assessment and a rigorous business impact analysis. Teams should also set out clear objectives and criteria to measure plan success.
- Support. BCM doesn’t happen in a vacuum. Beyond senior management engagement, organizations will need a stock of qualified professionals with relevant knowledge, skills, and experience. Staff also need to be apprised of their role in responding to incidents.
- Operations. This clause lays out many of the requirements for the BCP, including the mandate to establish disruption and continuity management procedures.
- Performance evaluation. Developing a business continuity management system isn’t enough. Organizations still have to monitor, measure, and evaluate their BCMS once it’s in place. ISO 22301 stipulates establishing internal audit programs to evaluate an organization’s BCMS.
- Improvement. Of course, organizations change, and so does the business environment around them. BCMSs need to keep up with those changes. In addition, teams also need to identify nonconformities and take corrective actions to continue to enhance the overall performance of the BCMS.
Looking to protect your brand and bottom line by adopting business continuity best practices? Then it’s well worth your while to delve deeper into the ISO 22301 requirements. And you won’t need to look far to do it. Instead, download our guide to developing a best-practice business continuity plan.
International Organization for Standardization: ISO 22301:2012
For more content on business continuity planning, follow @teamnoggin on Twitter