The ISO standard ISO 22301:2012 was published in May 2012. It is the world’s first international standard for Business Continuity Management (BCM) to help organizations reduce the risk of business interruption from any source. The International Standard replaces the British Standard BS 25999.
ISO Standard 22301 specifies the requirements for planning, establishing, implementing, operating, monitoring, checking, maintaining and continuously improving a documented continuity management system in order to prepare for, react to and recover from business interruptions.
The requirements specified in ISO 22301 are general, analogous to ISO 31000, because they should be applicable to organisations (or parts thereof) of any kind, regardless of size or industry. The scope of applicability of the defined requirements depends on the operating environment and complexity of the organisation.
ISO 22301 is applicable to all organizations that:
- want to set up, implement, maintain and improve a BCM;
- want to ensure compliance with the organization’s business continuity strategy;
- want to demonstrate compliance to third parties, such as suppliers;
- seek certification/registration of their business continuity management by/with an accredited certification body; or
- want to declare their own conformity with this international standard.
The ISO standard defines a number of building blocks for the successful implementation of operational continuity management. A first module concentrates on the organization.
It is therefore important to analyse the external and internal circumstances that are important for the success of the organisation (success potentials) and that may be endangered by an interruption. This includes, for example, the analysis of:
- activities, tasks, services, products, partnerships, supply chains, other stakeholders and the potential impact of a business interruption;
- the links between the organisation’s business continuity strategy and policy and corporate objectives, and its dependence on other regulatory frameworks. This also includes an analysis of the cross-company risk management strategy;
- the risk appetite and risk-bearing capacity of the organization;
- the needs and expectations of relevant stakeholders;
- compliance requirements, i.e. relevant legal, regulatory and other requirements.
Another part of this module is the determination of the scope of application of operational continuity management. It must take into account the strategic objectives, key products and services, risk tolerance and any regulatory and contractual obligations or obligations to stakeholders of the organisation.
The next module of ISO 22301 deals with leadership. Analogous to operational risk management, a role model function of top management is crucial for successful implementation (“set the tone from the top”).
Top management must continuously demonstrate the relevance of the BCM and its commitment to it. Through leadership, management can create a risk culture in which all actors and employees are involved in the process.
Management is responsible for the following:
- Ensure that the BCM is compatible with the strategic direction of the organization;
- Integrate the BCM requirements into the organization’s business processes;
- Provide the necessary resources for the BCM;
- Communicate the importance of effective BCM;
- Ensure that the BCM achieves the expected results;
- Manage and support the Continuous Improvement Process (CIP) of BCM;
- Develop and communicate a business continuity strategy or policy;
- Ensure that BCM objectives and plans are established;
- Ensure that clear responsibilities and powers are assigned for relevant roles.
The next module deals with business continuity management planning. This phase is considered critical because the definition of strategic objectives and guiding principles is the foundation of BCM. The business continuity objectives must:
- be consistent with the business continuity strategy or policy;
- be measurable;
- observe applicable requirements;
- be monitored and, if necessary, updated.
The next module deals with the support of the BCM by adequate resources. The successful and continuous management of an effective BCM is based on a solid foundation of adequate resources. These include qualified personnel, support services, risk awareness and adequate communication.
In this context, internal and external communication play a particularly important role. The requirements for creating, updating and monitoring the BCM documentation are also part of this module.
After planning operational continuity management, an organization must put the BCM system into operation. The Operations module comprises:
Business Impact Analysis (BIA): This is a method of collecting and identifying processes and functions within an organization in order to capture the resources underlying the processes. In addition, a BIA can reveal interdependencies between processes and/or business units, the impact of process failures, the criticality of each process for the entire organization, and the required recovery time.
Risk assessment: ISO 22301 refers to the international risk management standard ISO 31000. ISO 31000 has three specific characteristics: The first is a comprehensive top-down approach, the second is that risk management is presented as a management task (not just a process) and the third is that it is a general basic standard.
Business Continuity Strategy: Once the requirements have been captured through BIA and risk assessment, strategies need to be developed to identify measures that will allow the organization to protect and restore critical activities based on its risk tolerance and risk-bearing capacity and within defined recovery time objectives. Practical experience clearly shows that the early availability of a comprehensive BCM strategy ensures that BCM activities are aligned with and support the overall business strategy. The business continuity strategy should be an integral part of the business strategy.
Business Continuity Procedure: The organization must document procedures to ensure the continuity of activities and the management of business interruptions. These procedures must:
- establish an appropriate plan for internal and external communications;
- be specific as to the concrete steps to be taken in the event of a business interruption;
- be flexible enough to respond to unexpected threats and changing internal and external conditions;
- focus on the impact of events that could potentially interrupt operations;
- be developed on the basis of the analysis of interactions; and
- be effective in minimizing consequences by implementing appropriate mitigation strategies.
Practice and Testing: To ensure that business continuity procedures and processes are consistent with business continuity objectives, the organization must test them regularly. Practice and testing are the processes used to validate business continuity plans and to confirm that the chosen strategies deliver the response and recovery results within the time windows defined by management.
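Two of the steps above lend themselves to a small worked model: the BIA (capturing processes, their interdependencies, impact and required recovery time) and the subsequent testing of recovery results against the time windows management has set. The script below is an added illustration, not part of the page or of ISO 22301 itself. It models a BIA register as a dependency graph and derives, for each process, the recovery time it actually has to meet: a process cannot be back before the resources it depends on, so a dependency's required RTO is the tightest RTO of anything that depends on it. It then flags declared RTOs that are looser than what dependents require, ranks processes by criticality, and compares observed exercise results against the required windows. The process names, RTO values and impact figures are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Process:
    """One row of a (constructed) BIA register."""
    name: str
    rto_hours: float              # recovery time objective declared by the process owner
    impact_per_hour: float        # estimated loss per hour of outage (constructed figure)
    depends_on: list[str] = field(default_factory=list)


def build_register(processes: list[Process]) -> dict[str, Process]:
    """Index the register by name and reject references to unknown processes."""
    reg = {p.name: p for p in processes}
    for p in processes:
        for dep in p.depends_on:
            if dep not in reg:
                raise ValueError(f"{p.name} depends on unknown process {dep!r}")
    return reg


def _dependents(register: dict[str, Process]) -> dict[str, list[str]]:
    """Reverse the dependency edges: which processes rely on each process."""
    rev: dict[str, list[str]] = {name: [] for name in register}
    for p in register.values():
        for dep in p.depends_on:
            rev[dep].append(p.name)
    return rev


def required_rto(register: dict[str, Process]) -> dict[str, float]:
    """Required RTO per process: its declared RTO, tightened by everything that
    (transitively) depends on it. Raises on a dependency cycle."""
    dependents = _dependents(register)
    memo: dict[str, float] = {}

    def req(name: str, stack: tuple[str, ...] = ()) -> float:
        if name in stack:
            raise ValueError("dependency cycle: " + " -> ".join(stack + (name,)))
        if name in memo:
            return memo[name]
        value = register[name].rto_hours
        for dep in dependents[name]:
            value = min(value, req(dep, stack + (name,)))
        memo[name] = value
        return value

    return {name: req(name) for name in register}


def rto_gaps(register: dict[str, Process]) -> dict[str, tuple[float, float]]:
    """Processes whose declared RTO is looser than their dependents require:
    name -> (declared, required)."""
    req = required_rto(register)
    return {n: (register[n].rto_hours, req[n])
            for n in register if register[n].rto_hours > req[n]}


def criticality_ranking(register: dict[str, Process]) -> list[str]:
    """Most critical first: tightest required RTO, then highest impact per hour."""
    req = required_rto(register)
    return sorted(register, key=lambda n: (req[n], -register[n].impact_per_hour))


def evaluate_exercise(register: dict[str, Process],
                      observed_hours: dict[str, float]) -> dict[str, dict[str, float]]:
    """Compare recovery times observed in a test or exercise with the required RTO;
    returns only the processes that missed their window."""
    req = required_rto(register)
    failures = {}
    for name, hours in observed_hours.items():
        if hours > req[name]:
            failures[name] = {"observed": hours, "required": req[name],
                              "overrun": hours - req[name]}
    return failures


# Constructed sample register (names and numbers are illustrative only).
SAMPLE_REGISTER = build_register([
    Process("customer_orders", rto_hours=4, impact_per_hour=5000, depends_on=["erp", "identity"]),
    Process("erp", rto_hours=8, impact_per_hour=2000, depends_on=["database"]),
    Process("database", rto_hours=12, impact_per_hour=500),
    Process("identity", rto_hours=2, impact_per_hour=1000),
    Process("payroll", rto_hours=72, impact_per_hour=300, depends_on=["erp"]),
])

# Constructed results of a recovery exercise, in hours to restore each process.
SAMPLE_EXERCISE = {"customer_orders": 3.5, "erp": 6, "database": 3, "identity": 1}

if __name__ == "__main__":
    print("required RTO:", required_rto(SAMPLE_REGISTER))
    print("RTO gaps (declared, required):", rto_gaps(SAMPLE_REGISTER))
    print("criticality ranking:", criticality_ranking(SAMPLE_REGISTER))
    print("exercise failures:", evaluate_exercise(SAMPLE_REGISTER, SAMPLE_EXERCISE))
```

With the sample data, `erp` and `database` both declare RTOs of 8 and 12 hours, but because `customer_orders` must be back within 4 hours and sits on top of both, their required RTO is 4 hours; the exercise then shows `erp` recovered in 6 hours, a 2-hour overrun against that window. This is the kind of inconsistency a BIA is meant to surface before an interruption does.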
Once the BCMS is implemented, ISO 22301 requires the system to be continuously monitored and periodically reviewed (performance evaluation) to improve its operation:
- measuring the performance of the processes, procedures and functions that protect prioritized activities;
- monitoring compliance with the standard and with the business continuity objectives;
- monitoring the history of poor operational continuity management performance;
- performing regular internal audits.
Continuous Improvement Process (CIP) is the name given to all measures taken throughout the organization to increase the effectiveness (achievement of objectives) and efficiency (optimum cost/benefit ratio) of security processes and measures.
Further references:
- International Organization for Standardization (2012): ISO 22301:2012 (Societal security – Business continuity management systems – Requirements), 2012.
- Romeike, Frank/Hager, Peter (2009): Success Factor Risk Management 2.0 – Methods, Examples, Checklists – Praxishandbuch für Industrie und Handel, Wiesbaden 2009.
- von Rössing, Rolf (2005): Betriebliches Kontinuitätsmanagement, Bonn 2005.
- Wieczorek, Martin/Naujoks, Uwe/Bartlett, Bob [ed.] (2002): Business Continuity. Emergency planning for business processes, Berlin et al. 2002.