What is business continuity – ISO 22301?
What is business continuity?
In a number of recent blogs, we have looked to step back and revert to ‘first principles’ on a
range of subjects before deep diving into the detail. That’s what we’re going to do here with
the topic of business continuity.
Let’s start by defining what is meant by business continuity:
ISO 22301, the International Standard for Business Continuity Management and widely
recognised as best practice defines business continuity as the ‘capability of the organization
to continue delivery of products or services at acceptable predefined levels following disruptive
There is a new version of ISO 22301 due out later this year. In the draft for public comment,
the definition has changed to the ‘capability of an organization to continue delivery of products
and services within acceptable time frames at predefined capacity relating to a disruption’.
The Business Continuity Institute (BCI) states that ‘Business continuity is about having a
plan to deal with difficult situations, so your organization can continue to function with as
little disruption as possible’.
Whilst there are differences in the above definitions, there is consensus over the need to
‘continue delivery of products/services’. So, for us, a central tenet of business continuity
is about proactively planning and preparing to ensure that should an incident/event occur,
your organisation can continue delivering its key products or services to a predefined level.
Couple of words to stress in that last sentence.
‘Key’ is important, because in a major incident you need to know where to prioritise your
recovery efforts. ‘Predefined’ is equally important as you need to understand what is and
isn’t achievable should an incident/event occur. That incident/event may cause an impact
on your whole organisation or it may just impact a part, such as one location or one
Understanding the impact of an incident/event and how you can best respond to and manage
your response is all part of your advanced planning.
So what sort of incident/event should you be planning for – fire, flood, pandemic, terrorist
attack, cyber incident, failure of a key supplier, loss of key member of staff, adverse publicity.
Effectively all of these and more! But don’t get hung up on planning for every possible threat
scenario. It isn’t about the incident/event itself – it is about the impact it has on your
organisation and your ability to continue to deliver business as usual (or your predefined level)
and how you manage your response.
So, for example, from a planning perspective, whether it is a fire, flood or burst gas main
which has rendered your office inaccessible is academic. The essential element is that you
have a plan in place to deal with the high-level scenario of not being able to access your
building for potentially different periods of time, i.e. for a number of months, a couple of
weeks, 48 hours, etc.
Your planning will have identified whether you can manage without that building for 24
hours, 48 hours or even longer, or, whether you need to redeploy staff to other locations,
use backup premises, or tell everyone to work from home.
So, business continuity is just that – planning and preparing to ensure your organisation
can continue to operate if impacted by an adverse event or incident.