Why you should care about ISO 22301?
Authored by: Michael E. Anzis
Business Continuity is the term now used for the strategies and planning by which an organization prepares to respond to catastrophic events such as fires, floods, cyber-attacks, or the more common human errors and accidents.
A Business Continuity Management System (BCMS) puts such a program in the context of an ISO management system, and ISO 22301:2012 sets a certifiable standard for a BCMS. It is the first and most recognized international standard for business continuity.
Several other standards, particularly BS 25999, have had wide international acceptance; however, they are now largely supplanted by 22301.
The obvious benefits to an organization having a robust, mature business continuity program have been outlined in this Newsletter previously (April, 2015). They center on being able to respond to disruptions so an organization stays in business and meets its obligations and commitments to all stakeholders.
However, there are additional ways that an organization can benefit from adhering to a business continuity standard, particularly 22301. These benefits can accrue from obtaining certification to the Standard, and also from formally aligning to the Standard without actual certification.
By alignment, I mean when an organization declares its intention to conform to a standard, conducts a Gap Assessment or Pre-Audit to determine what potential non-conformities or deficiencies the organization has, and develops and implements a program to address and remediate these.
So, why should you care about 22301?
Because the additional benefits to your organization can be significant, including:
1. Increased sales and business. Today, more and more business partners (customers, suppliers, subcontractors, etc.) are demanding proof that their partners are prepared for unforeseen events. In many cases this requirement is written into RFPs and service contracts. Proof of a robust business continuity program can mean the difference between winning a bid and closing a deal, or not. I can speak from personal experience, having headed the business continuity program for a Fortune 100 international supplier, that our program continued to come under closer and closer scrutiny, and demonstrating its capability was a stipulated requirement to obtain many large business contracts.
2. Time and Cost Savings. I can also speak from personal experience that the time, costs, and resources necessary to demonstrate to business partners that all of their business continuity requirements for our company were met became increasingly burdensome. Some wanted to see IT recovery capabilities. Some wanted to evaluate emergency response and crisis management. Some wanted to look at logistics redundancies. Each of these individual requests took time and resources to address. Being able to point to a single standard became a hugely efficient mechanism to address all of these obligations.
3. Enhanced Reputation. If you are reading this Newsletter, you probably already know the value of adhering to ISO standards in general. It immediately designates an organization as willing to do what is necessary to ensure superior quality and achievement against the highest measurements. In business continuity, adherence to a standard also shows a commitment to protect its employees, shareholders, and other stakeholders from unforeseen catastrophic events.
4. Integration within the Business. If an organization has already become certified to other ISO standards, then it is familiar with, and presumably adept at, executing management systems. So, it is not as difficult as starting from scratch to implement an additional management system such as business continuity. Integrating business continuity into existing business systems gives the organization a simpler, more unified operation, such that the various management systems work in harmony.
5. Management Involvement. One of the “knocks” on business continuity programs is that they simply pay lip service to “checking the boxes,” and don’t really get to the heart of what is necessary to protect the organization and prepare to respond to catastrophic events. An indicator of such failure is when top management is not involved in setting strategies and following up on implementation. ISO management systems simply do not allow this to happen. Lack of management involvement is immediately flagged as a possible major non-conformity. So standards, particularly the ISO standards, have fail-safe mechanisms for ensuring management involvement.
Why ISO 22301?
There are many business continuity standards throughout the world. In the U.S., the three standards designated by Homeland Security’s PS Prep program are NFPA 1600, ASIS SPC.1, and ISO 22301.
Certain heavily regulated industries have their own standards and regulating bodies that set standards for business continuity.
These standards often overlap with other areas, such as information security and privacy. Examples are HIPAA regulations in healthcare, Sarbanes-Oxley for publicly traded companies, and FFIEC regulations and the Comptroller of the Currency in banking and finance. These specialized standards are usually only national in their application, and limited in their scope.
ISO 22301 is the only fully international standard, and the only standard that covers the full scope of business continuity concerns. Especially for companies operating internationally, it is the logical choice to satisfy both the needs of the organization, and the demands of international business partners and stakeholders.
How to use alignment
Many organizations choose alignment as their first step to adhere to a standard. I found in my previous experience that performing a formal Gap Assessment with a qualified organization and documenting remediation measures for any non-conformities satisfied the requests of most outside parties.
This was true whether the requests were part of a formal RFP or just business partner due diligence, as long as there was evidence of a continuous improvement program addressing the non-conformities. Such an Assessment is significantly less expensive and involved than a formal certification audit.
It then becomes the obvious vehicle to move toward eventual certification, and establishment of a truly robust and effective business continuity program.
Michael E. (Mike) Anzis is a Business Continuity and Information Technology Management professional, with a background as an IT manager and Chief Information Officer, a senior consultant, and a global director of business continuity. He now specializes in Disaster Recovery and Business Continuity Management consulting. He holds a bachelor’s degree from U.C. Berkeley and a master’s degree from UCLA in Business Information Systems, and has achieved Certification as a Business Continuity Professional by the Disaster Recovery Institute International and as an ISO 22301 Lead Auditor.