signing document
Our Business Continuity Lead, Kelly Blakeley looks at some of the more practical applications of ISO22301: 2019.

Although standards are often referred to for audit purposes or structuring for certification, thinking adaptively, they can also provide a framework that can be helpful for us to ensure we have a management system in place. In this paper, I am going to try to draw out some key elements that are particularly relevant during response to help us health check our systems.

The definition of business continuity according to ISO22300: 2018 (Vocabulary), is:

'capability of an organisation to continue the delivery of products and service within acceptable time frames at predefined capacity during a disruption.'

In clause 4 of ISO22301: 2019, we cover requirements for 'Understanding the Organisation'. Crucially here, is understanding the context of the organisation and interested parties. We can use these to determine what the scope of the organisation is, and therefore, what should be prioritised during times of crisis. Do you think this is currently in line with the internal and external issues you (and we are all) are experiencing? Are there any legal and regulatory requirements that need to be considered? Considering a decision-making model such as the JESIP Joint Decision-making Model (JDM) can be helpful to ensure that there is a consistent approach to these considerations.

In clause 5 we cover 'Leadership and Commitment'. If there was a time for strong leadership in business continuity, then it is during difficult times. This involves providing direction for the organisation, but also ensuring resource requirements for business continuity are available and providing a commitment to continual improvement. This is particularly relevant when we are facing a longer-term disruption.

In clause 7.5, the ISO covers 'Documented Information'. Many organisations are dealing with receipt and management of increased amounts of sensitive data, such as commercial or personal data of vulnerable people. It is important that there is appropriate protection of this documentation and that information security measures are upheld. Many of us are working remotely from workplace structures and opportunists can take advantage of this. NCSC have released some guidance to support us here.

Clause 8.2.2 covers 'Business Impact Analysis' (BIA). Although this time may not be an ideal time to review our BIAs, at least check that your prioritisation of activities is robust and working for your organisation. Similarly, we may find that we need to consider if our “Strategies and Solutions” (clause 8.3) are supporting our prioritised activities. Is your remote working strategy working well? Or does it need improvement or simplification? As time moves forward during this long-term disruption, we may need to consider a review our BCMS documentation.

Also, in clause 8, we cover business continuity plans and the associated response structure.  You may want to consider whether your structures are working as anticipated and adaptable to the nature and extent of this crisis. Are you able to effectively monitor the impacts?

Crucially, we also need to consider 'Warning and Communication' (clause 8.4.3). If you didn’t already have a crisis communications plan, is there currently a process that is being used and could it be captured to assist procedures? If you already have one, are you ensuring that it is being reviewed as lessons are learned? Are you receiving the latest situation reports from relevant national risk advisory services? Additionally, are the details of the crisis being recorded?

On 'Recovery' (clause 8.4.5), dare we look to the future just yet? Well we certainly need to consider that any decisions made in response are likely to impact recovery. In unprecedented times, we are urged to consider a possible new normal, as different as that may be. BS65000 (Organisational Resilience) references Innovation which links to our commitment to continuous improvement (clause 10.2, ISO22301) of our business continuity management system.

In summary, during this highly challenging event, we will understandably be focused on the response.  But we must also ensure that we manage, protect and enhance our BC structures in order to keep them match-fit.