BS25999-2, the predecessor to ISO22301, was first published in November 2007, yet, after five years, business continuity continues to be something of a mystery to a great many people involved in running organisations today. The majority are not actually required, either by law or by anybody else, to demonstrate any form of business continuity arrangements, so business continuity management (BCM) has not, until recently, been seen as a priority for these organisations. The global economic recession has also reduced the emphasis, placed by many, upon operational risk management and supplier assurance.

Yet the world continues to change. There is an...

Business continuity management (BCM), or business continuity (BC) as it is more commonly named, is essentially a form of risk management that deals with the risk of business activities, or processes, being interrupted by external factors, as distinct from business or commercial risks, such as, for example, the loss of a supplier or foreign exchange losses.

All organisations conduct risk management in connection with many, or even all, of their activities; however, this is often done intuitively and is un unlikely to cover all aspects of the organisation’s operations.

Organisations of all types carry a variety of risks, both operational...

This chapter provides an overview of the BCM process and an introduction toChapters 3to9of this book.

Unlike its predecessor, ISO22301 doesn’t include a ‘model’ for the BCM process – something the former called ‘the BCM Lifecycle’, which was, in fact, quite similar to the ‘Plan-Do-Check-Act’ (PDCA) cycle which does form part of the basis of the Standard.

Whilst the resulting BC plans, and the organisation’s ability to prevent or withstand interruptive incidents should ultimately be the same, the mechanism by which an ISO22301 compliant management system delivers these is distinctly different from BS25999.

This book’s predecessor...

These elements are really pivotal in a good BCMS. Without them, there can be no assurance that all potential interruption scenarios have been taken into account, nor that the resilience, response and recovery capabilities are comprehensive, and based on the true priorities of the organisation.

The simple premise of business impact analysis (BIA) is that the BCM arrangements for each activity should be commensurate with the impact of interrupting that activity. This section looks at what BIA is for, and how to conduct it.

As its name suggests, BIA involves the analysis of the impacts sustained when activities are interrupted....

BC strategy essentially means the identification of how the organisation is going to continue to meet the needs, and expectations, of its customers, clients or other stakeholders, in the event of some interruptive situation.

ISO22301 focuses on the protection, stabilisation and resumption of prioritised activities, which is fine if the direct resumption of an activity is a viable strategy, however, where the nature of the activity(ies) is such that meeting customers’ needs in the shorter term is best done in other ways, then some interpretation of the Standard’s requirements will be necessary.

In some respects, this chapter is an extension...

BC procedures were referred to by BS25999 as BCM response, and in many respects, this is what BCM is all about. The response that is executed in the event that something goes wrong, is based upon all of the analysis, preparation and planning that we have looked at so far.

The quality of the response will determine whether the impact actually sustained is within the limits that the governing body has accepted.

The requirements of the Standard are:

An incident response structure (referred to at the beginning ofChapter 5), including communication mechanisms

Business continuity and incident management plans

Plans...

A classic failing of a great many business continuity plans, is that they are written and then left on the shelf. People are usually amazed at how quickly their organisation changes and thus how quickly their plan becomes no longer operable as intended. There are also plenty of examples of organisations attempting to use plans in earnest, only to find that they are too difficult to follow, with the result that the leadership resorts to ‘making it up as they go along’. This inevitably means that poor decisions are taken, and that the overall impact sustained is worse than expected....

ISO22301 introduces standard terminology, consistent with other international management system standards, and whilst it no longer includes the rather important term ‘review’ from BS25999, it replaces this with a requirement to evaluate the business continuity procedures, together with the requirement to take corrective action when anything no longer conforms to requirements.

The case for continuously reviewing and maintaining the BCMS, particularly the executable parts of it, is already made. However, to ensure that this actually happens, the majority of organisations will benefit from establishing a review body.

Depending upon the nature of the organisation, regular review and maintenance of individual...

BS25999 made a distinction between corrective and preventative (using the form: preventive) actions, however, ISO22301 only states the requirement for corrective action whenever some non-conformity is discovered, which simply removes the need to decide whether something has gone wrong, or could go wrong.

Consistent with other management system standards, there is a requirement for a system to record, and track, anything that is potentially wrong, and to ensure that both the symptoms (usually corrective action) and root cause (usually preventative action) are addressed.

This is another opportunity for organisations with other management systems in place to integrate BCM with them;...

As with any set of activities in an organisation, if BCM is seen as someone else’s responsibility and is not a part of every-day life, then it is not likely to be understood; nor will it work well when needed.

A key difference between BS25999 and ISO22301 is that the previous Standard required organisations: ‘to ensure that BCM becomes a part of its core values and effective management … ’. In other words, everybody in the organisation must have some awareness of what BCM is, what it is for, how it works, and what it means for them.

This is...

Ultimately, a BCMS is comprised largely of documents. The physical, contractual and financial contingencies that support it may not be documentsper se, but it is usually the case that their availability and specification are defined and assured by documents. These documents must be accurate, available and secure.

ISO22301 does not stipulate any standard or protocol for document control, but it does set out the following requirements for BCMS records, which are drawn from those contained in ISO9001.

Whilst the wording of ISO22301 is a little different from that of BS25999, its requirements are effectively the same; that all documents...

The buck stops, legally, with directors or governors. They are responsible, whether they like it or not, for ensuring that their organisation’s risks are appropriately managed.

But, in the majority of cases, members of the governing body are unlikely to routinely ask how the BCM programme is coming on, or whether all the documents due for review that month have been reviewed.

Directors of limited companies generally feel that they are protected from any personal liability if things go wrong. There is an exception to every rule, however, and if those directors choose to ignore the risks of interruption to...

One could be forgiven for thinking that there is not much point in developing and implementing a BCMS, unless certification is achieved. Certainly, a potential customer or client is more likely to be swayed by an organisation that has been awarded a certificate, than by one that simply claims that its BCMS meets the requirements of ISO22301. In some organisations, the competitiveness and due diligence drivers may not be as important as in others, yet they may still have the assurance that they have developed and implemented a BCMS according to good, or even best, practice.

But for many, certification...

In the business continuity world, there are all sorts of references made to various standards, primarily by way of reasons to ‘do’ BCM.

This short chapter aims to set some of these standards in context, and to explain what the true relevance of each is.

The Financial Services Authority’s (FSA) listing rules,¹ which govern how listed companies should conduct various aspects of their affairs, refers to the Combined Code on Corporate Governance² (the Combined Code), which was updated in 2006 and is issued by the Financial Reporting Council.

LR (listing rule) 9.8.6(5) requires listed companies to include, in their annual...