Is there a risk that some organizations can fall into the trap of thinking they are resilient simply because they align with, or comply with, ISO 22301, the Business Continuity Management standard?
Absolutely! You may have a perfect plan, but if it’s sitting on a shelf and nobody reads it, then your level of resilience has not changed at all.
Feedback on Resilience Definition
Here is some feedback on the above question from the BCP Builder Community on LinkedIn:
- Even if I have MBCI and FBCI (Business Continuity qualifications), it doesn’t mean that I have the best Business Continuity Management knowledge among all my peers. It is a continuous learning and improvement process, personally and for an organization.
- There will always be organizations that take a naive ‘project’ view of Business Continuity. This is where the production of ‘the plan’ is the last box to be ticked before placing it on the dusty shelf.
- Whilst it is right to challenge various assumptions made about the value of standards, such challenges often carry negative inferences or are dismissive about the benefits a certified management system can bring to an organization.
- Having actively implemented and maintained an ISO 22301 certified Business Continuity Management system across the UK, Africa and the Middle East over 10 years (including BS 25999), I can vouch for its worth in an organization that takes an ongoing ‘programme’ view of Business Continuity.
- This kind of organization uses the standard as a good practice framework to support its Business Continuity activities through:
  - Gaining buy-in, commitment and investment in certification.
  - Being happy to be constantly and independently assessed.
  - Using the standard to drive continuous improvement in its Business Continuity programme.
- Is certification the be all and end all of increasing or building resilience? No! Does it guarantee the survival of your organization? No!
- However, it does actively contribute towards increasing and building resilience when done properly, and in conjunction with other disciplines.
Alternative Management Standards
- What if you are certified to ISO 22301? Can you claim resilience? Or would you also need to align with other resilience standards? Being certified in Business Continuity Management doesn’t mean you are automatically resilient. There are other standards that are equally important.
- The ISO 22301 certification does not validate that the relevant disruption risks to the organization have been correctly identified, assessed and mitigated. A requirements-based or certification review only validates that the appropriate management system process has occurred at each requirement point. However, this issue is not specific to ISO 22301 and equally applies to other Management System standards where a risk assessment process is a requirement, such as ISO 27001, for example. Once the relevant issues are understood, it’s quite a simple process to then gain appropriate assurance.
- I would go a step further and say that Business Continuity Management is one of a number of business disciplines which, when working collaboratively, create a resilient organization. Resilience is the sum of a number of parts working together to deliver a coordinated response.
- This is the same with any form of governance – only as strong as the underlying corporate culture. I’m sure we’ve all heard the stories of companies facing inspection for – say – an ISO standard where all the problematic folders get to go and have a rest in car boots in the company car park.
- A plan without involvement from top to bottom clearly indicates ignorance on the part of management. You can have perfect ISO standard documentation but still fail in its implementation. This is especially true when implementation success is defined as meeting audit compliance and obtaining third-party certification.
- This assumes that the plan is the most important part of the process. Of course a plan on the shelf is not good. But the organization may be a lot more resilient having gone through a Business Impact Analysis, gap analysis and agreed number of actions to increase Resilience.
- The more that Business Continuity Management is part of the organizational discipline, the more it becomes part of the organization’s DNA. An organization that continuously improves and refines itself has less detail needed in a plan but can still be certified.
- But if the organization is already compliant with ISO 22301, would that not mean that sufficient awareness of the recovery plans would have been delivered to all stakeholders? Otherwise it would fall into non-compliance, and hence the risk would have been addressed? This depends on who audited the system.
- However, if an organization is certified, it would be unlikely that the plan would remain on the shelf, due to the audit visits.
- Most businesses overestimate their resilience, especially when it comes to impacts on human resources. Disability, especially cognitive impacts, has an astounding effect that everyone underestimates. This is why appropriate insurance is important.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.