Implementing Business Continuity Management
There is much written about Business Continuity Management and Risk Management, but probably the most succinct summary is the often-cited quotation by Donald Rumsfeld from February 2002:
Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.
In terms of understanding Business Continuity Management, what better example could we use? Although the statement Rumsfeld made was initially derided, earning him the Plain English Campaign's Foot in Mouth award for 2003, what he said in fact makes perfect sense. In the context of Business Continuity Management, the pursuit of the unknown unknowns is a key component of continuity management and of continual improvement.
The aims of Business Continuity Management focus on two key measures when considering possible risks to the organisation:
- Recovery Point Objective (RPO)
- Recovery Time Objective (RTO)
Defining both core objectives, establishing how to achieve them and communicating them are at the heart of a Business Continuity Management System (BCMS). Other core elements of the system include the Business Impact Analysis (BIA) and risk management activities.
The introduction of ISO 22301:2012 as the world's first internationally recognised standard for Business Continuity Management acknowledges the importance of this process within an organisation's management system.
The standard requires an effective management system emphasising the importance of:
- understanding the organisation's needs and the necessity for establishing a business continuity management policy and objectives
- implementing and operating controls and measures for managing an organisation's overall capability to manage disruptive incidents
- monitoring and reviewing the performance and effectiveness of the BCMS
- continual improvement based on objective measurement
The requirements of the standard follow a similar structure to other ISO standards such as ISO 27001:2013 and are designed to be compatible with them. In this way both standards can be incorporated into a single effective, documented and accredited management system designed for continual improvement, encouraging the onward development and resilience of an organisation. As with ISO 9001:2008 and ISO 27001:2013, this standard also relies on the Plan, Do, Check, Act cycle for continual improvement of the management system.
The introduction of ISO 22301:2012 into an organisation can be a significant challenge and will probably take around 12 months to complete, assuming that the organisation's leadership is fully committed to the project. NetGrowth can help you through the design and implementation process leading up to accreditation by a certified body. For more information about how NetGrowth can help you through the various phases of design and implementation please contact us at firstname.lastname@example.org