When we look back on 2020 in the history books, it will be viewed as one of the most challenging starts to a decade on a business, humanitarian and environmental front. COVID-19, the Australian bushfires, security events in the Middle East and natural disasters have all dominated the headlines on a global scale.
Each crisis has seen an impact on several organizations, and – when coming out the other side – the business world sees a change in some form or another. COVID-19, of course, has brought new challenges to businesses. However, pandemics are not the only significant threat businesses currently face. Cyber and physical security concerns, increasingly volatile weather patterns and terror threats continue to impact the way we run our businesses.
Businesses will always face challenges that pop up from seemingly nowhere. The phrase ‘hindsight is a wonderful thing’ is often circulated in moments of reflection when calculating the impact and ‘what might have been’ had things turned out differently. Yet, what if there were a way to have that foresight and prepare for events in advance?
Now more than ever, organizations need an effective business continuity management system (BCMS) which includes a robust business continuity plan. Within the BCP, essential people and resources are identified through a business impact analysis (BIA) and risk assessment.
Effective business continuity management is about organizations achieving their business objectives and customer outcomes no matter what life throws at them. An organization that commits to establishing a BCMS accepts that there are disruption events that either cannot be anticipated in nature or scale and therefore identifies strategies and designs management processes to maximize resilience or speed of recovery.
Should You Have a Business Continuity Management System in Place?
Some may say that COVID-19 is a prime example of a ‘black swan event.’ Money Observer defines the three characteristics of a black swan event as a “rarity; extreme impact and retrospective predictability.” In other words, unpredictable events beyond what is normally expected of a situation have potentially severe consequences. Black swan events seem obvious in hindsight but can often appear from nowhere and be perceived as challenging to manage.
Events under this category include cyber-attacks, pandemics, political uncertainty and volatile weather patterns, such as flooding or unexpected drought. We live in a world of black swan events – we can’t discount the rare or unpredictable and must accept that random events do happen. In fact, they’re happening more frequently, and it’s during these events that our ability to adapt and show immense resilience is well and truly put to the test.
An organization that commits to a certified BCMS accepts that there are disruption events that either cannot be anticipated in nature or scale. Therefore, it can identify strategies and design management processes to maximize resilience or recovery speed. Unfortunately, they are not a quick fix and do take time. Under normal circumstances, it can take up to 12 months to be in a position to have a business continuity management system audited. One thing is certain, though – if systems are not in place, businesses will be completely unprepared for future disruptions.
To build a successful BCMS, which ensures robust strategies are in place under varying circumstances, several elements must come together.
Firstly, management processes need to be assessed based on organizational context. Leadership appetite is also put to the test, while business impact analysis and risk assessments and business continuity strategies like cloud and homeworking are also critical. These components are brought together through a robust business continuity management system, which requires a team made up of members from across the organization.
If your organization isn’t certified to ISO 22301, you may be forgiven for thinking you will need to hire a specific person to control the process. While this is recommended for larger organizations, it is not essential, and assembling a team of existing employees is also effective. According to ISO 22301, a BCMS, like any other management system, includes “competent people with defined responsibilities.”
So, who should be in your business continuity team? The answer is different for every organization but having a representative from each department – and involvement from senior leadership – is a good starting point. This is important because it ensures that all business areas are considered when planning. As well as having an assembled team, top management must demonstrate leadership and commitment when delivering a BCMS.
Once the right team is in place, the next phase for a robust BCMS is to have it verified and assessed by an independent auditor. The assessment for ISO 22301, for example, takes place over two stages. The first stage sees an initial review of the documentation and a review of site risks, including a site visit. Once these checks are complete, the implementation assessment can take place. It may identify any nonconformities and determine whether the management system is recommended for approval for the assessment standard.
Without a certified BCMS in place, businesses leave themselves open to risk. While some crises seemingly spring out from nowhere – and therefore seem impossible to plan for – BCMSs provide a robust framework to work within, enabling a rapid response to any emergent event.
Learn More: https://info.lrqa.com/iso-22301-whitepaper
