ISO 22301 – Planning for The Worst, Not Hoping For The Best
In my experience, most organisations don’t quite “get” ISO 22301 and the whole concept of a Business Continuity Management System (BCMS) when compared to Disaster Recovery. There is a significant and important difference.
I’d probably call it the ”aircraft safety card” approach.We’re all supposed to study the colourful illustrations on cardboard before we get airborne. We know where it is, we know what it does, but we hope that we don’t have to use it.
Compare and contrast with a friend with many years in the aviation industry, and much flying experience. He’ll study the card, check that his life jacket really is under his seat, and find out where the nearest exit is. Each safety briefing is a chance to add to his pool of knowledge, or brush up on his experience. He’s not scared, just aware that the time when he’s faced with a crisis is not the time to start learning how to cope. In short, survivability is part of his general outlook, a continual development process, in the same way that traffic awareness is to anyone on a busy street.
This is true “preparedness consciousness”. I hesitate to use such a phrase, but it sums up the holistic, practical, and business-relevant approach of an effective BCMS which actually makes ISO 22301 worth having. The ISO organisation defines the standard by ten “clauses”. I’ll save you from the academic and procedural detail and, hopefully, give you “the gist”, and common misconceptions.
Know Your Organisation. So, what is most likely to go horribly wrong and why? What are the points of exposure to legislation? What are the main basic risks, how are these assessed, and what level of risk can the company live with? This all sounds absurdly obvious, but many organisations want to plan for risks that are at best, highly unlikely, and seem to take the “more is better” approach. This will lead to a system which is bloated, discredited, irrelevant, and potentially misleading. Your airline safety card does not cover the escape of poisonous snakes from the cargo hold. Leave the unlikely risks for Hollywood Fiction, not a workable Business Continuity Management System..
Take a Lead. Like all standards, a clear lead needs to be taken by management. Perhaps above all standards,ISO 22301 needs to be embraced throughout the organisation, but certainly championed by key leaders. Clear, documented policy, and clear, visible ownership at the highest level is the key to success and effectiveness. Business calamities affect all levels and functions of an organisation, and a worthwhile BCMS cannot simply be the pet project of a key group, or even worse, “ghettoised” within the remit of a health and safety officer. One of the most admirable features of the typical pre-flight “this is your captain speaking” announcements is the request to pay attention to the cabin staff’s safety briefing. And the passengers tend to obey if someone else in higher authority asks them to. Clear leadership on major issues is remarkably effective, and sadly, quite scarce.
“Constant Change is Here To Stay”. What gets measured gets done. In my experience, the most benefit from a BCMS is gained when it is reviewed, tested, subject to management audit, given clear and “owned” Key Performance Indicators. A realistic management review, and regular internal audits are vital components of the system, not simply an annual “MOT Test”. A BCMS is a vital bespoke system, one that begins life incomplete, requires continual improvement, and can never be simply a document in a file acknowledged by a certificate on a wall. Business Continuity is a journey, not a destination. Many safety procedures were amended after the British Midland Incident at Kegworth in 1989. The most effective BCMS are never static, but are continually improved and amended.
So, back to my frequent flyer, studier of safety cards. I’ll follow him if I’m ever with him in an incident. Coping with a disruptive event is far more than sticking to a plan, and more a state of mind, be that in an individual or organisation.
Written by Colin Brown of ISO Consultants