David Muil


What Is Business Continuity Management?

Ask the Boy Scouts about ISO 22301

Published: Wednesday, February 19, 2014 - 10:25

The Boy Scouts of America have a timeless motto: “Be prepared.” These are words to live by. In the wilderness, if an individual has a pocket knife, a length of string, and some matches, he can deal with most emergencies that may arise. In business, however, a Swiss Army knife is going to do little good when a natural disaster or massive IT meltdown disrupts your operations, your people, and your financial results.

Interruptions in the supply chain, damage to inventory or property, temporary or permanent loss of critical personnel, and information security breaches are all major challenges to continued business operations. Fortunately, a framework exists to help organizations address and alleviate the most damaging repercussions stemming from these disruptions. ISO 22301, “Societal security—Business continuity management systems—Requirements,” was created by the International Organization for Standardization (ISO) to address these operational challenges. It can be an effective tool, but like any tool, it only functions well if you use it properly.

Information technology security breaches

Unfortunately, business disruptions are not just hypothetical. Check the news on any given day, and there are dozens of examples to drive home the “when—not if” reality.

Take retail, for example. It is among the industries most dependent on prediction. Top managers in this sector must constantly analyze and predict customer tastes for products, which can hinge on elements as far-flung as the weather, advertising, macroeconomic trends, and celebrity endorsements.

As difficult as it may be to make stocking and pricing plans within this environment, it is even harder to predict the timing and business impacts when something like massive credit card information theft occurs.

Recently, several major retail companies had their computers and point-of-sale systems hacked, and the information of millions of customers was stolen. “Massive” is a term that keeps coming up in describing the scope of these crimes. Massive amounts of information. Massive holes in IT security. Massive financial liability. Massive loss of customer trust and lost revenue.

Although it is not prescriptive in nature, ISO 22301 helps organizations develop protocols to rapidly respond to such breaches in information security. In clause 8, “Operation,” the standard addresses the need for a business impact analysis so that the far-reaching effects of a security breach, for example, can be fully understood and plans put into place to mitigate the damage for customers as well as the organization itself. ISO 22301 also addresses business continuity strategies and procedures as a means of specifying exactly what will be done, how, when, and by whom, to cover this eventuality and any others that stakeholders might envision.

The business impact analysis needs to include unimaginable, “black swan” type events. Security breaches of this nature are, sadly, no longer black swans and should therefore be part of a top-of-the-list business continuity plan, especially for large customer-facing enterprises such as retailers.

Natural disasters

The EF5 tornado that ripped last year through Moore, Oklahoma, is a quintessential example of disruption via natural disaster. Carving a 17-mile path of devastation, the 200-mph monster pounded schools, businesses, and homes, leaving scores of people dead and hundreds more injured. In the face of such human suffering, business disruption may seem insignificant, but the reality is that survivors depended on local businesses as well as federal disaster response to recover.

So how can any organization be prepared to deal with something so random and destructive as a tornado, an earthquake, or a hurricane? When it comes to preparedness in dealing with such “acts of God,” the burden falls squarely on top management.

In clause 5, “Leadership,” ISO 22301 assigns to management a series of tasks to ensure that the organization is prepared to continue in the face of the significant disruptions that might arise from natural disasters. These include, but are not limited to:
• Ensuring compatibility between the business continuity plan and the overall strategic plan of the organization
• Providing adequate resources for continuity planning and fulfillment
• Seeing that continuity plans are executed appropriately in any emergency
• Assigning roles and responsibilities, and confirming that those responsible parties carry out their assignments with speed and diligence

In the face of a horrific natural disaster, the human reaction to do something—anything—can often be overpowering. An organization whose leadership has properly thought through as many contingencies as possible beforehand will help avoid random actions that may make things worse. Business continuity is all about staying ahead of unforeseen curves, and then executing quickly (but not hastily) according to plan. Management can make it happen.

Avoiding communication breakdown

Prompt and proper communication to stakeholders both within and outside of the organization is crucial in the event of a significant disruption in normal working operations. Depending on the type of disruption, a business continuity plan must also address when the media and the public should be promptly informed.

Organizational spokespeople need to tell the public immediately what happened and what the organization is doing to minimize the damage. The media are a conduit for this information, yet management often does not consider how to interact with the media during the critical early stages of a developing event.

ISO 22301 speaks clearly to these issues and enables affected organizations to plan out these important initial responses. In clause 7, “Support,” the standard addresses the steps necessary for adequate communication in case of emergency. The clause directs organizations to pre-plan the timing, format, and even to a certain extent the content of internal as well as external communication.

The underlying value of ISO 22301

Although the standard was introduced several years ago, it continues to be misunderstood and therefore underrated. Too often ISO 22301 is dismissed as a glorified emergency response plan, but that is incorrect. The true value of the standard is that it provides the framework for assessing, analyzing, and prioritizing risk. Furthermore, the entire approach is comprehensive and proactive—holistic in nature. As defined by subclause 3.4: “Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.”

Promoting a proactive approach based on creative thinking and capabilities for foreseeing the trends of business development, ISO 22301 focuses on:
• Reducing the vulnerabilities
• Identifying and proactively targeting the causes and circumstances for the contemporary threats and challenges
• Focusing on implementing preventive measures
• Reducing the likelihood and the consequences of negative impact

As a simple illustration, let’s consider potentially losing your wallet or purse or having it stolen. How many issues would need to be addressed before you could resume “life as usual?” Which issues would be highest priority? How exactly would you go about rectifying those issues? And how could you have prevented the loss, and how could you minimize the risk of a repeat?

Now what if you are responsible for a company employing hundreds of people and doing several million dollars’ worth of business every week? How many risk issues are at stake now? How does a company that large even begin to catalogue all its risk factors? How does it prioritize those myriad risks, let alone create preventive and recovery procedures?

Therein lies the true value of ISO 22301. It provides the framework to:
• Catalogue risk
• Prioritize risk
• Assess risk aversion
• Develop processes to mitigate risk, and assign resources for the prevention of, and recovery from, disruption events from highest to lowest priority

The business case for business continuity management

In a perfect world, business runs smoothly every time, all the time. But in the world that we all actually inhabit, technological complexity, malevolent humans, and capricious weather can combine to disrupt even the best plans. That’s why the truly best-laid plans expect the unexpected. Business continuity management helps organizations:
• Conform to policies, even in the worst of times
• Prepare, establish, and implement systems to “restart” the company under all conceivable circumstances
• Focus on proper acts to mitigate risk
• Prove to internal and external stakeholders that the organization takes seriously its responsibility to continue after major disruption

This last point is proven by certification to ISO 22301, but all are made possible by close attention to the language and intent of the standard itself. An organization that is serious about managing risk and business continuity should consider this standard. Boy Scouts everywhere will applaud you for it.

David Muil is the director of business development for Intertek’s Business Assurance group, a Quality Digest content partner.


About The Author


David Muil

David Muil is the director of business development for Intertek’s Business Assurance group. He has more than 18 years of experience in the third-party certification business, having held previous positions with several global organizations. His background also includes practical time spent in the aerospace and automotive industries, where he held various positions within quality and management. Muil holds a degree in business and economics from McMaster University, and continued post-graduate studies in business at the Henley Management College in London, England. He has also attained a Green Belt designation in Six Sigma.