Business continuity is an issue that affects all organizations, whether small or large, domestic or multinational. The extent of the impact, however, may vary from organization to organization. Recently, we have witnessed a global pandemic which has disrupted almost all types of businesses. Natural disasters, environmental accidents, technology mishaps, and man-made crises have demonstrated that severe incidents can and will happen, impacting the public and private sectors alike. The challenge goes beyond providing an emergency response plan or using disaster management strategies that were previously used. Hence, maintaining business continuity and managing disruptive events has become central to the survival of business houses.

ISO 22301:2019 is the international Business Continuity Management Standard (BCMS) developed by an ISO Technical Committee. It specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptions when they arise. An organization should develop business continuity that is appropriate to the magnitude and type of impact that it may or may not accept following a disruption. The outcomes of maintaining a BCMS are shaped by the organization’s legal, regulatory, organizational and industry requirements, products and services provided, processes employed, size and structure of the organization, and the requirements of its interested parties.

What are the benefits of BCMS?

The BCMS helps organizations provide and maintain controls and capabilities for managing their overall ability to continue operating during disruptions.

Fig. Benefits of BCMS

Which approach does ISO 22301 apply?

ISO 22301:2019 applies the “Plan-Do-Check-Act” (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization’s BCMS. In the PDCA model, Clause 4 through Clause 10 cover the following components:

ISO 22301:2019 requirements for setting up and managing a business continuity management system

Clause Topic
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance Evaluation
10 Improvement

Fig: PDCA approach including the various components

The above-mentioned clauses are summarized as follows:

Clause 4: Context of the Organization

Understand your organization, its purpose, objectives, and context, as well as the needs and expectations of interested parties, in light of legal and regulatory requirements. Organizations should consider how disruptive incidents could impact the organization.

Clause 5: Leadership

Provide leadership and support for your organization and ensure that managers demonstrate their commitment and support and encourage employee involvement. Allocate responsibility and authority for carrying out business continuity roles to the appropriate people within your organization.

Clause 6: Planning

Identify and determine the risks and opportunities that could influence the effectiveness of your organization or disrupt its operation. Define actions and prepare a plan to address these risks and opportunities.

Clause 7: Support

Identify and provide the resources that your organization needs, including procedures and communication tools. Determine the competence requirements of the people under your organization’s control who have an impact on its performance, and ensure that people are aware of their responsibilities.

Clause 8: Operation

Plan and develop your BCMS process by studying potential disruptions and analyzing business risks, and set your priorities. Establish a formal process that your organization can use to evaluate and set business continuity and recovery priorities, objectives, and targets; document and maintain your priority-setting process.

Clause 9: Performance Evaluation

Determine how you will monitor and measure the performance and effectiveness of your organization. Make sure that your audit program is capable of determining whether your system conforms to requirements.

Clause 10: Improvement

Identify, react to, and evaluate nonconformities when they occur. Implement corrective actions to address causes, and review the effectiveness of your corrective actions. Continuously improve the performance, suitability, adequacy, and effectiveness of your system.

Reference:

  1. ISO 22301:2019