Business Continuity Management Guidelines – Are there any requirements or best practices for implementing Business Continuity Management in publicly traded companies?
- Compliance with ISO 22301
- The culture needs to change: people need to be living and breathing Business Continuity best practice, exercising and learning at every possible opportunity.
Feedback from BCP Builder Community on LinkedIn:
Publicly traded companies are more regulated and may be required to evidence an active and effective operational resilience programme. If you are new to Business Continuity Management, then adopting existing standards and practices will not cause any harm. However, you will very quickly realize a generic one-size-fits-all approach might not capture everything your business is about. So definitely follow the thrust of these standards to meet your regulatory requirements. Then use the principles within them to extend and modify your approach to fit your individual business.
In the United States there are some [minimal] industry-specific requirements, but no universal requirement. ISO 22301 is not widely adopted in the United States. Organizations can follow what they want. International organizations may want to base things on international standards.
Business Continuity Management Guidelines
"Business Continuity requirements" is a phrase used in the Business Continuity Institute Good Practice Guidelines 2018 in a slightly different context. It is a phrase used to express the connection between analysis outputs in Professional Practice Three (Analysis), connecting them to design solutions in Professional Practice Four. So requirements are, in this context, time objectives, minimum service objectives, resources and so on, rather than programme objectives, referred to as key performance indicators in the current Good Practice Guidelines.
The Key Performance Indicators for public companies are the same; the ISO Standard and Good Practice Guidelines can be adapted in any industry sector or business type.
Based on the industry there may be certain guidelines that the companies need to comply with. For example, in Banking there is FFIEC, SIFMA, and other governing bodies.
Third Party Risk
You may be requested to include third-party risk/continuity as part of your Business Continuity Management System. Your customers may be asking about it as part of their audit/due diligence reviews.
You should be cautious with the use of the phrase "third party risk", now removed from Good Practice Guidelines 2018. Research if your country has a third parties act, as in the UK, to fully understand the implications of using this in contracts. ISO 22318 uses "outsourced service providers" and "bought-in services", as do the Good Practice Guidelines 2018. Ask yourself, who is this mystery third party to a two-party contract? Your supply chain forms part of your interested parties, so include it in your Business Continuity Management System scope.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.