The implementation of ISO 22301 – Security and Resilience – Business Continuity Management System (BCMS) and ISO 22316 – Security and Resilience – Organizational Resilience (OR) can be adapted to any type of organization, regardless of its size or line of business, and it is essential for an organization to prosper in the long term. Every organization must aim to be more resilient. Since every organization now operates in a more demanding environment, organizations must gain competitive advantage by delivering services or products continuously and by controlling disruptions in their production or business chain.
These standards provide the guidelines organizations need to deliver their services or products continuously, with a focus on preventing disruptive events in critical business processes.
Many companies have not yet implemented a BCMS or Organizational Resilience; for them, the impact of a disruptive event can leave the business in a poor economic position, because recovery tends to take far longer than it should. That is why establishing a BCMS and OR must be a priority.
Important points that the organization must take into account when implementing ISO 22301 – BCMS and ISO 22316 – OR:
- Analyze the needs of the organization (analysis in the internal and external context), as an important pillar to establish the direction of BCMS and OR within the organization.
- Analyze the needs of the interested parties.
- Emphasize establishing policies that align the organization’s collaborators toward the same path, provided that those policies are set by the strategic direction of the organization.
- Emphasize defining its processes and structuring how the organization will support and maintain the BCMS and the OR. Likewise, establishing a team of collaborators that will fulfill certain roles and responsibilities within the scope of BCMS.
- Leadership that engages all collaborators of the organization in supporting the BCMS. Similarly, resources must be allocated to maintain the BCMS and OR on an ongoing basis.
- More effective communication between all collaborators and interested parties.
- Define objectives, goals, and indicators, which must be monitored and evaluated in the performance of BCMS.
Additionally, when implementing ISO 22316 – OR, the following must be taken into account:
- Organizations must define an agile and flexible corporate governance and communication scheme, with clear communication channels and responsibilities, and work under a process approach. In this context, an adequate level of resilience contributes to the ability to anticipate and address risks and vulnerabilities.
- Maintain organizational resilience holistically: carry out the risk assessment from a holistic approach, consolidate a culture of resilience, and keep the context analysis of the organization as the main axis.
- Establish a Strategic Organizational Resilience Committee, responsible for analysis and decision-making at the highest level. The committee identifies the most resilient scenarios, determines the most critical actions and initiatives, and safeguards the ability to adapt with the least negative impact.
Incorporation of BCMS in the organization
BCMS and OR are adaptable and scalable to every management system the organization implements, since all management systems aim at prevention, based on a risk analysis integrated into business risk management. Under this scheme, business continuity is reinforced, with profitability for the organization’s shareholders as a premise.
To achieve this adaptability of BCMS and OR, the organization can use a methodology based on the Deming Cycle (PDCA: Plan, Do, Check, Act).
Business Impact Analysis (BIA) role in organizations
The first action is to carry out a sound context analysis of the organization. Aligned with that analysis, the organization must determine the types of impact associated with the risks identified in its critical processes. Likewise, implementing a BCMS and OR implies developing specific plans and procedures to control the types of incidents, their impacts, and the respective levels of risk.
The preparation of the BIA must establish:
- Criteria that determine the maximum acceptable recovery time (MTPD – Maximum Tolerable Period of Disruption), in order to maintain continuity of services and products for customers.
- The recovery time objective (RTO – Recovery Time Objective) for each critical activity.
- Business continuity plans, based on the recovery of the critical activities defined by the organization. These plans must be flexible in the face of any eventuality and must allow continuity of service within the objective recovery time.
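As an added worked example (not part of the original article, and not an ISO artifact), the script below checks a small BIA register for internal consistency. The activities, dependencies, MTPD and RTO values are constructed sample data. Two checks are applied: an activity's RTO must not exceed its MTPD (otherwise the plan admits an outage the business has declared intolerable), and an activity cannot be recovered faster than the activities it depends on, so a dependency's RTO must not be longer than the RTO of the activity relying on it. The recovery priority is then derived by ordering activities by MTPD.

```python
"""Consistency check for a Business Impact Analysis (BIA) register.

Added example with constructed sample data; the activity names and
hour values are illustrative assumptions, not values from any standard.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Activity:
    name: str
    mtpd_hours: float                 # Maximum Tolerable Period of Disruption
    rto_hours: float                  # Recovery Time Objective
    depends_on: Tuple[str, ...] = ()  # activities this one needs in order to run


# Constructed sample register (assumption, not real data).
SAMPLE_ACTIVITIES = [
    Activity("Core database", mtpd_hours=4, rto_hours=2),
    Activity("Order processing", mtpd_hours=8, rto_hours=4,
             depends_on=("Core database",)),
    Activity("Customer support portal", mtpd_hours=24, rto_hours=36),
    Activity("Data warehouse", mtpd_hours=48, rto_hours=24),
    Activity("Reporting", mtpd_hours=48, rto_hours=12,
             depends_on=("Data warehouse",)),
    Activity("Payroll", mtpd_hours=72, rto_hours=24,
             depends_on=("Core database",)),
]


def validate_bia(activities: List[Activity]) -> List[str]:
    """Return human-readable findings; an empty list means the register is consistent."""
    by_name = {a.name: a for a in activities}
    findings: List[str] = []
    for a in activities:
        # Check 1: the plan must recover the activity before the outage becomes intolerable.
        if a.rto_hours > a.mtpd_hours:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPD {a.mtpd_hours}h")
        # Check 2: an activity cannot be back before the things it depends on.
        for dep_name in a.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(f"{a.name}: depends on unknown activity '{dep_name}'")
            elif dep.rto_hours > a.rto_hours:
                findings.append(
                    f"{a.name}: RTO {a.rto_hours}h is shorter than the RTO "
                    f"{dep.rto_hours}h of dependency '{dep_name}'"
                )
    return findings


def recovery_priority(activities: List[Activity]) -> List[str]:
    """Activity names ordered by shortest tolerable outage first, then by RTO."""
    ordered = sorted(activities, key=lambda a: (a.mtpd_hours, a.rto_hours))
    return [a.name for a in ordered]


if __name__ == "__main__":
    for finding in validate_bia(SAMPLE_ACTIVITIES):
        print("FINDING:", finding)
    print("Recovery priority:", " > ".join(recovery_priority(SAMPLE_ACTIVITIES)))
```

Run as-is, the sample register produces two findings (the support portal's RTO is longer than its MTPD, and Reporting is planned to recover before the data warehouse it depends on) and puts the core database first in the recovery order. In practice the same checks belong in whatever tool holds the BIA register, so that each revision of the continuity plan is validated against the MTPD and RTO criteria before an exercise is launched.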
Organizational Resilience and Risk Management
The vast majority of organizations already have a risk management system in place. Adapting it to the new framework defined in the ISO standards therefore has to comply with the principles and models of Organizational Resilience, and the framework must be adopted and adjusted as strategic support for the organization’s recovery plan, in order to provide continuity of its operations and critical activities.
Based on the resilience model the organization has implemented and the maturity level of its risk management system, the gaps and the activities or actions needed to consolidate the resilience model must be determined. To achieve greater integration of resilience in the organization, it is essential to bring together crisis management, business continuity, risk management, and change management. This is why the context must be analyzed periodically, taking into account technological advances, demographic changes in the organization’s operations, the political framework, and so on, so that improvement actions can be identified preventively for the various situations or scenarios and controls established that avoid disruptive events.
Benefits of implementing BCMS and OR
- Generate trust and positive expectations for your stakeholders, customers, and shareholders
- Help meet the strategic objectives of the organization
- Increase your reputation with your stakeholders and customers
- The organization remains resilient within its own operating context
- Helps to meet business objectives, supported by BCMS and OR
- Protects the organization’s financial position, by identifying the benefits of preparedness and being ready for any disruption that occurs in the process
- Identifies vulnerabilities and threats to the critical processes of the organization and is able to control them proactively
- A BCMS seeks to determine the threats that could affect or generate a disruptive event, with which the organization must implement continuity plans to continue operating.
- In a BCMS, plans or procedures must be developed in line with the context analysis of the organization.
- Launch ongoing exercises to validate business continuity plans and measure their performance within the scope of BCMS.
- In order for business continuity and operations to be maintained over time, it is necessary for the organization to incorporate business continuity into its organizational culture.
- The organization benefits from a structured approach to resilience, suited to the competitive environment in which it currently operates.
- Organizational resilience is closely linked to BCMS, where continuity plans and disaster recovery plans are established, all supported by the development of the BIA, risk analysis, and strategy development.