This week's bulletin has been written by guest author, and consultant at PlanB Consulting, Gordon Brown.
Implementing a BCMS which meets and exceeds ISO 22301 is a challenging, but important undertaking for an organisation committed to Business Continuity. I have recently been leading a project for PlanB, where we helped a marketing/logistics firm achieve ISO 22301 (with one minor non-conformity!). This was achieved in a period of five months, and some lessons learned are shared below.
I would consider a good BCMS to operate like an octopus. It sits at the heart of the organisation, but reaches into each and every function of the business. This of course requires collaboration from different parts of the organisation.
Ultimately, embedding is key and this doesn’t just come from conducting awareness training, or ensuring that the policy and plan(s) are visible to employees and interested parties. Embedding comes from the octopus, connecting each function or department, back to the BCMS. Information should flow along the connectors (tentacles - if we follow the octopus theme!).
I will explain how this should operate below:
1. Key to embedding is how your staff interacts with the BCMS. Are they passively involved, or do they understand as much as possible? Staff may be instructed to attend a training session. However, you should consider involving as many staff as possible. This includes involving non-management staff at the Analysis (BIA) phase up to Validation, where deputies should be included in exercising and tests.
2. The BCMS must interact with departmental functions. Critically, it should embrace and involve IT, not only with regards to Disaster Recovery, but also day-to-day operations. Related disciplines of Cyber Security and Information Security dovetail closely with the BCMS. Risk Management is also crucial, with consideration given to how BC risks are considered in line with corporate risk registers. Lastly, the BCP should be written with the approval of Health and Safety, particularly with regard to site evacuation and incident notifications.
3. Externally, the octopus should reach to supply chain and critical suppliers. This can often be an afterthought for BC professionals, and seen as a more ‘mature’ element of Business Continuity. However, there will likely be huge dependency on suppliers if a BC incident occurs, therefore you must understand what suppliers can provide by way of continuity of operations. Raising awareness to interested parties of your BC arrangements can also help build resilience.
4. Post-incident acquisition is still possible as strategy; it is not always hot data centres and Work Area Recovery. However, exercising of post-incident acquisition is essential. And this strategy should complement other recovery strategies, which have been exercised and tested. Unless exercising occurs, we are working with untested assumption, which is the last thing you want in an incident!
The above is a brief overview of the observations I noted whilst proceeding through the ISO 22301 certification process. I have tried to keep the observations high-level, to ensure these are a starting point for others implementing a BCMS. So, when implementing a BCMS for the first time, remember the Business Continuity Octopus!