The importance of business continuity cannot be emphasised enough. Whether disruptions are caused by civil disorder, crime, fire or environmental issues such as bad weather, without credible policies in place, businesses will suffer some form of loss. The publication of ISO 22313 delivers guidance. The BSI (British Standards Institution) has published a new guidance standard to help businesses and organisations take practical steps towards mitigating risk and improving their business continuity management. ‘ISO 22313 Societal Security” Business Continuity Management Systems” Guidance’ describes the steps that businesses and organisations need to take in order to become compliant with ‘ISO 22301 Societal Security” Business Continuity Management Systems” Requirements’, the international standard for business continuity management. Together, the two business continuity management documents seek to support businesses and organisations in the challenge to improve business resilience in the face of unforeseen circumstances. A recent survey by the Business Continuity Institute revealed that 73 per cent of businesses and organisations recorded at least one supply chain disruption in 2011. Many businesses are under constant pressure to manage disruptions to normal operations and supply chain arrangements. Such disruptions can include economic instability, environmental and social incidents, alongside a host of other unexpected risks. The business continuity management standards provide a framework and appropriate methodology for dealing with such disruptions. ISO 22313 is a complementary standard and guidance document to ISO 22301. It provides additional information relating to the requirements of ISO 22301, along with examples to help risk management professionals better understand what makes good business continuity management, and how it might be implemented in their organisations. Shirley Bailey-Wood, Director of Publishing at BSI, stated, ‘The publication of ISO 22313 represents BSI’s latest step towards helping organisations take proactive control of their futures. The standard brings together knowledge and experience from industry professionals, recognising that complacency in business processes is no longer an option.’ Rick Cudworth, partner at Deloitte and Chairman of BSI’s Committee BCM/1, added, ‘ISO 22313 and 22301 will be of tremendous value to those organisations that are considering business continuity management anew, as well as those that already have continuity arrangements in place. These standards provide clear, jargon-free material for all businesses that want to establish or improve their resilience.’ At present, 50 participating countries have supported the publication of ISO 22313. UK expertise has been received from a variety of parties including the Association of British Certification Bodies, Metropolitan Police Service, Business Continuity Institute, Securities Industry Business Continuity Management Group, United Kingdom Accreditation Services, British Damage Management Association, Emergency Planning Society, Welsh Government, Civil Aviation Authority, City of Edinburgh Council, Independent International Organisation for Certification, Corporation of London, Shetland Island Council, Intellect, Continuity Forum, Federation of Small Businesses, Surrey County Council, Essex County Council, Chartered Institute of Internal Auditors, Coventry University and University of Central Lancashire. The business continuity management standards use the PDCA (Plan-Do-Check-Act) model. The first stage” ‘Plan'” helps businesses to establish a continuity policy, as well as establishing any targets to be put in place, and implementing necessary controls and structures. The Plan stage also underlines the importance of top level management to be involved in, and offer leadership to, the continuity processes. Attention is also given to guiding principles of business continuity, along with structures to ensure and prove competence. The ‘Do’ stage addresses the implementation and operation of the policies, processes and controls created during the Plan stage. The ‘Check’ stage relates to monitoring and reviewing the performance and processes that have been put in place, alongside the policies created by the ‘Plan’ stage and the details of the International Standard. It also includes considerations about the expectations of management, and handling feedback regarding these expectations. The final element of the model” ‘Act'” is for many the key to business continuity management. This is where appropriate actions are taken to deal with any issues detected during the first three stages. This not only covers the need to take corrective action to eliminate any risk or to deal with any unexpected disruptions, but also includes a need to assess the causes of the risk or event, to adjust or adapt the Plan to eliminate such risks in the future, or to address circumstances that become evident as weaknesses or failures when the risk unfolds. Certainly, the various stages of the model should not be viewed as one-off elements which, once completed, do not need to be revisited. The documents put in place a structure that allows for continual improvement, based upon adapting due to experience and evolving risks, as well as the expectations of those involved with the continuity management process. By linking requirements with guidance, the two documents allow risk management professionals to evolve a culture of continuity, and implement best practice for all aspects of their business.
Latest ‘guidance’ standard assists with business continuity management
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.