We’re seeing big increases in the number of organizations certified to ISO 22301. Your clients are likely to figure among those ranks. But even if they are, there’s still work left to be done to drive best practice.
What exactly? Read these business continuity best-practice guidelines to find out.
Good practice guidelines for business continuity
No doubt about it, ISO 22301 provides a great starting point for building a business continuity management system (BCMS).
Because the standard is not prescriptive, though, it will likely have to be supplemented by industry best practice.
Where to turn?
Fortunately, last year, our partner, BCI, came out with a set of good practice guidelines.
The guidelines themselves touch on all aspects of business continuity. Given the scope, we’ll just summarize one of the most important elements, the business continuity plan (BCP).
A best-practice BCP begins with a best-practice BIA
However, the BCP doesn’t just appear out of thin air. It’s an integral part of a larger business continuity management system (BCMS).
That BCMS uses two organizational analysis techniques, the business impact analysis (BIA) and the risk assessment (RA).
The BIA, for its part, defines the impacts of disruption over time to determine the organization’s response, recovery priorities, and resource requirements. Meanwhile, the RA identifies the disruption risks to the organization’s prioritized activities and required resources.
The outcomes of the BIA process – the prioritized activities, recovery timeframes, and resource requirements it determines – depend on the organization’s understanding of both its external and internal operating environments.
The latter includes business processes, activities, and resources, as well as the potential impacts caused by disruptions to the delivery of products and services.
Developing and managing business continuity plans
The contents of the BIA eventually get fed into the BCP.
The BCP itself documents the information that guides an organization in responding to a disruption and in resuming, recovering, and restoring the delivery of products and services consistent with its business continuity objectives.
Types of Business Continuity Plans
BCPs come in several varieties, including:
Strategic
Defines how strategic issues resulting from an incident should be addressed and managed.
Tactical
Facilitates the coordination of response activities when several operational teams are involved.
Processes for returning to business as usual (BAU)
Outlines possible options and processes for returning to BAU.
Scenario
Deals with specific situations, e.g., cyber incident, disease outbreak, or product recall.
As a general principle, the BCP is intended to be used in high-pressure, time-limited situations. That means your client’s plans should be user-friendly, concise, and easy to read.
Though often forgotten, the plan itself should also include activation criteria. Plan activation and team mobilization procedures will likely include details of meeting locations as well as response team roles and responsibilities.
How can clients ensure timely activation?
Business continuity management software can help replace paper-based, static business continuity plans with dynamic, digitized BCPs that ensure your client’s plans are always up to date and quickly available to all their users, on any device.
In closing, rates of certification to ISO 22301 are going up after a COVID downtick. But certification alone won’t guarantee adoption of best practice for your clients.
What are some other tips, then, for developing an effective BCP for your clients? Download our Guide to Developing an Effective Business Continuity Plan to find out.