What is business continuity – ISO 22301?
In a number of recent blogs, we have looked to step back and revert to ‘first principles’ on a range of subjects before deep diving into the detail. That’s what we’re going to do here with the topic of business continuity.
Let’s start by defining what is meant by business continuity:
ISO 22301, the International Standard for Business Continuity Management and widely recognised as best practice, defines business continuity as the ‘capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident’.
There is a new version of ISO 22301 due out later this year. In the draft for public comment, the definition has changed to the ‘capability of an organization to continue delivery of products and services within acceptable time frames at predefined capacity relating to a disruption’.
The Business Continuity Institute (BCI) states that ‘Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible’.
Whilst there are differences in the above definitions, there is consensus over the need to ‘continue delivery of products/services’. So, for us, a central tenet of business continuity is proactively planning and preparing to ensure that, should an incident/event occur, your organisation can continue delivering its key products or services to a predefined level. A couple of words in that last sentence deserve stress. ‘Key’ is important, because in a major incident you need to know where to prioritise your recovery efforts. ‘Predefined’ is equally important, as you need to understand what is and isn’t achievable should an incident/event occur. That incident/event may impact your whole organisation or only a part of it, such as one location or one product/service. Understanding the impact of an incident/event, and how you can best respond to and manage that response, is all part of your advance planning.
So what sort of incident/event should you be planning for: fire, flood, pandemic, terrorist attack, cyber incident, failure of a key supplier, loss of a key member of staff, adverse publicity? Effectively all of these and more! But don’t get hung up on planning for every possible threat scenario. It isn’t about the incident/event itself; it is about the impact it has on your organisation, your ability to continue to deliver business as usual (or your predefined level), and how you manage your response. So, for example, from a planning perspective, whether it is a fire, flood or burst gas main that has rendered your office inaccessible is academic. The essential element is that you have a plan in place to deal with the high-level scenario of not being able to access your building for potentially different periods of time, i.e. for a number of months, a couple of weeks, 48 hours, etc. Your planning will have identified whether you can manage without that building for 24 hours, 48 hours or even longer, or whether you need to redeploy staff to other locations, use backup premises, or tell everyone to work from home.
So, business continuity is just that – planning and preparing to ensure your organisation can continue to operate if impacted by an adverse event or incident.