Steps for implementing Business Continuity Management System based on FDIS ISO 22301:2019

  1. Business Case

Consider why you want to implement a Business Continuity Management System (BCMS) and what benefits your organization can derive from it. Consider how the BCMS will support your organization's strategic objectives, create a competitive advantage, protect and enhance its reputation and credibility, contribute to organizational resilience, improve confidence in the business, reduce legal and financial exposure, reduce the direct and indirect costs of disruptions, protect life, property and the environment, promote inclusivity by considering the expectations of interested parties, demonstrate proactive, effective and efficient control of risks, and address operational vulnerabilities. Investment in both financial and human resources will be required, and getting management buy-in is essential.

  2. Identification of internal and external context

Before taking any concrete steps, you want to understand who your stakeholders are and what they require from your business continuity program, and to consider your internal and external environment, including the legal, regulatory and contractual requirements.

  3. BCMS Scope

Scoping has to be done carefully: a) consider the mission, goals, and internal and external obligations; b) establish the parts of the organization to be included in the BCMS, taking into account its location(s), size, nature and complexity; c) identify the products and services, and their related processes, activities and resources, to be included in the BCMS; d) take into account interested parties' needs.

  4. Business continuity policy & objectives

Top management needs to define the main responsibilities and rules for business continuity, and this is what a business continuity policy is for; but top management also needs to define exactly what is expected from business continuity by setting measurable objectives. This is not easy, but it is certainly necessary if you want to measure whether business continuity has fulfilled its purpose.

  5. Accountabilities

Establish the BC organization structure, including rights, responsibilities and accountabilities. Define roles for emergency response and crisis management as well as for business continuity.

  6. Risks & Opportunities

Now you have to consider the risks and opportunities to your management system, taking into account your internal and external context (Step 2) as well as your stakeholders' requirements. Internal risks could relate to the absence of budget or competent personnel (if the reverse is true, that is an opportunity), and external risks could relate to the absence of alternative suppliers. Do not consider here the risks related to disruptive incidents; those are considered in Step 12.

  7. Changes to BCMS (New)

Whenever you plan changes to your BCMS, you have to formalise the process. Consider the purpose of the changes and their potential consequences, the integrity of the BCMS after the change, the availability of resources, and the allocation or reallocation of responsibilities and authorities.

  8. Training & Awareness

Training is to be provided to people who have roles in business continuity plans, since having plans in place is not enough: if no one knows how to implement them (or where to find them!), you can rest assured that in a real incident they certainly wouldn't work. Therefore, you need to explain to your employees (and to third parties who have a role in your plans) not only how to perform the steps in your plan, but also why this is important in the first place. Awareness is to be provided to all employees.

  9. Communication with interested parties

Business continuity heavily depends on regulatory bodies, authorities, owners, employees' families, media, etc., and you need to keep these interested parties informed from as early as when you write your policy and set the objectives, all the way to when an incident actually occurs. Both internal and external communication plans have to include what to communicate, when to communicate, with whom to communicate, how to communicate and who will communicate.

  10. Documented Information

Management systems, whether for business continuity or information security, all have in common a set of procedures on which such systems rely. These procedures are not prescriptive and depend on the maturity of the organization. However, all documented information has to be controlled, specifying to whom it can be distributed, by whom it can be accessed and retrieved, and what it can be used for. Additionally, thought has to be given to the storage and preservation of the documents, including preservation of legibility, control of changes (e.g. version control), and retention and disposition of documented information.

  11. Business impact analysis

You need to establish what criteria you will use for measuring the impact of a disruptive incident (it could be financial, operational, reputational, etc.) and determine how the impact will be measured. Then, for each activity supporting your products and services, determine (1) how quickly you need to recover (before you go bankrupt or have to close your business), and (2) what you need in order to succeed with such recovery. The purpose of the business impact analysis is therefore to define the recovery time objective (RTO) and the required resources, and to determine the dependencies and interdependencies of prioritized activities.

  12. Risk Assessment

Would you like to be prepared for disruptive incidents affecting the prioritized activities determined in the previous step, and perhaps even prevent some of them? First you need to find out which incidents can happen, and then analyse and evaluate them.

  13. Business continuity strategies and solutions

Given the inputs (the various requirements, the RTO and resources from the business impact analysis, and the risk assessment), you need to figure out how to treat them. You can consider the costs associated with strategies and solutions for response, resumption and recovery of the business. You must take into account the resources required for these strategies.

  14. Business continuity plan

There are actually several types of BC plans. As a minimum there are incident response plans (which define the initial reaction to an incident), warning and communication plans, business continuity plans (to resume and recover the business at an accepted, predefined level) and recovery plans (for full recovery). All of these need to be based on the strategy, because otherwise they would lack the resources (information, technology, people, etc.) needed to enable them.

  15. Exercising & testing

However necessary, training is not going to be enough: if you don't try the plans out to discover how they perform in (almost) real situations, you'll never know where they are deficient. So performing regular exercising and testing is of paramount importance, and such testing shouldn't be limited to IT only; everyone, including top management, outsourcing partners and suppliers, must be included. Formalized post-exercise reports containing outcomes, recommendations and actions to implement improvements must be recorded.

  16. Post-incident reviews & KPIs

No matter how hard you try, you'll never be able to prevent incidents from happening; what you can do, however, is learn from them. And you can learn quite a lot: how people react, how ready they are, what improvements are needed in the plans, etc., and most importantly, whether you achieved your recovery time objective. The basic idea is that it doesn't make sense to do something unless you know whether you've achieved what you wanted. In the case of business continuity, the objectives are set in step #3, while finding out whether you achieved those objectives must be done through some kind of metrics. These could be something sophisticated like a Balanced Scorecard, but could also be as basic as measuring the achievement of RTO during exercising & testing.
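As an added example (not part of the original article, and not drawn from the text of ISO 22301), the following Python models a small business impact analysis register and applies two checks that follow from the business impact analysis and KPI sections above: a dependency consistency check, where a supporting activity whose RTO is longer than that of the activity depending on it makes the dependent RTO unachievable, and the RTO-achievement metric computed from exercise timings. The activity names, RTO values, impact ratings and exercise results are all constructed for illustration.

```python
"""Business impact analysis (BIA) register with a dependency RTO consistency
check and an RTO-achievement KPI from exercise results.

Added example: activity names, RTO values and exercise timings below are
constructed and do not come from ISO 22301 or the original article.
"""
from dataclasses import dataclass, field

# Qualitative impact scale agreed in the BIA criteria (constructed).
IMPACT_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Activity:
    name: str
    rto_hours: float                                  # recovery time objective
    impact: str                                       # worst-case impact rating
    depends_on: list = field(default_factory=list)    # supporting activity names


# Constructed BIA register for illustration.
ACTIVITIES = [
    Activity("customer-payments", 4, "critical", ["core-banking-db", "payment-gateway"]),
    Activity("core-banking-db", 2, "critical"),
    Activity("payment-gateway", 8, "high"),
    Activity("monthly-reporting", 72, "low", ["core-banking-db"]),
]


def prioritized(activities):
    """Order activities by RTO (shortest first), breaking ties on impact."""
    ordered = sorted(activities, key=lambda a: (a.rto_hours, -IMPACT_RANK[a.impact]))
    return [a.name for a in ordered]


def dependency_conflicts(activities):
    """Return (activity, dependency, activity_rto, dependency_rto) tuples where a
    supporting activity may take longer to recover than the activity that needs it,
    which makes the dependent RTO unachievable. A dependency name that is missing
    from the register is reported with dependency_rto=None."""
    by_name = {a.name: a for a in activities}
    conflicts = []
    for a in activities:
        for dep in a.depends_on:
            d = by_name.get(dep)
            if d is None:
                conflicts.append((a.name, dep, a.rto_hours, None))
            elif d.rto_hours > a.rto_hours:
                conflicts.append((a.name, dep, a.rto_hours, d.rto_hours))
    return conflicts


def rto_achievement(activities, exercise_results):
    """KPI: which activities met their RTO in an exercise and the percentage that did.
    exercise_results maps activity name -> hours taken to recover during the exercise;
    activities without a result are listed as not exercised and excluded from the
    percentage."""
    met, missed, not_exercised = [], [], []
    for a in activities:
        taken = exercise_results.get(a.name)
        if taken is None:
            not_exercised.append(a.name)
        elif taken <= a.rto_hours:
            met.append(a.name)
        else:
            missed.append(a.name)
    exercised = len(met) + len(missed)
    pct = round(100.0 * len(met) / exercised, 1) if exercised else 0.0
    return {"met": met, "missed": missed, "not_exercised": not_exercised, "percent_met": pct}


# Constructed exercise outcomes: hours taken to recover each activity.
EXERCISE_RESULTS = {
    "customer-payments": 3.5,
    "core-banking-db": 2.5,
    "payment-gateway": 6.0,
    "monthly-reporting": 48.0,
}

if __name__ == "__main__":
    print("Priority order:", prioritized(ACTIVITIES))
    for act, dep, rto, dep_rto in dependency_conflicts(ACTIVITIES):
        print(f"RTO conflict: {act} (RTO {rto}h) depends on {dep} (RTO {dep_rto}h)")
    print("RTO achievement:", rto_achievement(ACTIVITIES, EXERCISE_RESULTS))
```

In the constructed register, customer-payments has a 4-hour RTO but depends on payment-gateway with an 8-hour RTO, so the check flags it; this is exactly the kind of interdependency the BIA is meant to surface before strategies are chosen. The exercise results then show core-banking-db missing its RTO, which is the input a post-exercise report and the RTO KPI would record.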

  17. Internal audit

It is impossible to be 100% objective about your own work. Therefore, someone less subjective than you should review your work and suggest improvements; that is what an internal audit is all about. Though it is often considered overhead, an internal audit is actually very useful when it comes to facing reality.

  18. Management Review

Once all of these steps are performed, top management needs to evaluate them and reach some crucial decisions, such as updating the objectives, providing the funding, making larger improvements, etc. After all, it is their ultimate responsibility that the company survives larger incidents.

  19. Independent Review

If you are going for certification by a third party, the initial audit, like any other management system audit, is divided into two phases: Stage 1, the documentation audit (primarily an audit of the intent of your management system), and Stage 2, the implementation and effectiveness audit.

  20. Update context, policy, objectives

This step is not where your business continuity management stops: you need to maintain and improve your system on an ongoing basis, as you are in a dynamic environment with changing issues facing your BCMS. The policy is to be reviewed along with the objectives.

  21. Improvement

All of us make daily improvements in the things we do, but ISO 22301 wants us to do it systematically: it forces an organization to find out why a problem has happened, and to make sure it never happens again. Or, as the standard says, "ensure that nonconformities do not recur". This needs to be done systematically and in a transparent way.