Welcome to the first part of our ISO 22301 Steps to Success series. Business continuity provides a basis for planning to ensure your long-term survivability following a disruptive event. ISO 22301 identifies the fundamentals of business continuity management and provides a basis for understanding, developing and implementing business continuity management within your organisation.
Rachel Churchman explains the process of creating a Business Continuity Management system. Here are some highlights:
A gap analysis starts with understanding what's already in place from a resilience perspective. It also helps us to understand the business and the different activities and aspects that need to be considered as part of the wider BCP. It is also a great opportunity to meet the team and identify key 'Champions' in the business. Look to source these from different levels and areas – Top Management, Finance, HR, Legal, Comms/Marketing, Customer Support, Operations, Procurement etc.
Undertaking a Context Review enables us to understand the wider internal and external issues that can impact the business – positively and negatively. It also starts to review the interested parties that may need to get involved with our BCP – for example, key suppliers on whom we may have a dependency.
Risks and opportunities identified here can then be captured and progressed through the development of key BCP objectives and improvement plans.
Business Impact Assessment (BIA) and risk assessment are at the heart of the BCP. They require us to look at the activities we undertake that enable us to effectively run our business. By reviewing these key activities, and then fully understanding the potential risks that may disrupt our ability to perform, we can start to understand where we may need a 'Plan B' – effectively our Business Continuity strategy and plans.
An effective BIA will look at activities and what they support in terms of services and other departments, what impact disruption will have on the business (e.g. reputation, financial penalties, legal compliance, revenue etc.), and look to define what our maximum period of disruption may be. It also looks to understand what we need to recover our position if a disaster struck – e.g. backup data.
It also gets us to look at our dependencies – internally and externally. Understanding our supply chain and where suppliers fit into our BCP is fundamental to an effective BCP response. If we rely on a key supplier, are we checking what their BCP arrangements are?
Lastly, we need to understand any contractual obligations we have that are linked to BCP. We need to ensure our own BCP can support these.
Once we have undertaken our BIA and risk assessment, we are then in a position to develop our Business Continuity Management system to include our Business Continuity Plan and supporting response plans.
Response plans will look to cover any assumptions made in the plan, responsibilities (including who can invoke and stand down a response), the business recovery objectives (including Recovery Time Objective and Recovery Point Objectives), who or what is impacted (directly and indirectly), the recovery strategy at a high level, and communication requirements. The plan will then ideally walk through the following stages – Emergency Phase (incident reported), Recovery Phase (response strategy and plan), and Restoration Phase (return to normal operations).
We also need to consider communication procedures and mechanisms that will be invoked during a BCP incident. For instance, who might be responsible for speaking to the media?
Join us next week in part 2 of the Steps to Success series as we discuss how to communicate your BCP effectively.