ISO 22301 - BUSINESS CONTINUITY MANAGEMENT
Business Continuity Management (BCM) provides the framework for determining an organization's risk of being exposed to internal and/or external threats. The objective of implementing and operating a Business Continuity Management System (BCMS) is to enable an organization and its managers to respond effectively to threats such as natural disasters or data breaches, but also to raw material shortages or sudden market fluctuations. Read more in an interview with BCM expert Frank Machhalz.
To protect the business interests of a company and to increase security in a crisis situation, a BCMS comprises the following areas:
- Disaster recovery
- Business recovery
- Crisis Management
- Incident management
- Emergency management and emergency planning
In keeping with international standard ISO 22301, a Business Continuity Management System emphasizes the importance of
- Understanding the requirements for continuity and readiness and the need to establish policies and objectives for managing business continuity
- Implementation and operation of controls and measures to manage the general continuity risks of a company
- Monitoring and reviewing the performance and effectiveness of the BCMS
- Continuous improvement based on objective measurements
The current corona pandemic would appear to be a real boost to the debate on the subject. DQS talked to BCM expert and DQS auditor Frank Machalz (Mr.) about aspects of risk management and the purpose of BCM certification.
A SOMEWHAT PROVOCATIVE QUESTION, MR. MACHALZ: BCM - JUST A HYPE?
Of course in the current situation, organizations are certainly more sensitive than before to the need to maintain their business operations under various external and internal influences. And if there is a temporary need to suspend them, logically, also to resume business operations as quickly as possible. The topic itself, however, is not new. It has always been part of appropriate risk management for any company and even any person. After all, none of us actively take life-shortening measures in our daily lives. Rather, we try to stay alive as long as possible and, above all, healthy.
This is no different with regard to organisations or legal entities. However, here such measures are not at the discretion of the respective top executive or other managers, who are usually "only" employed by the respective company. Rather, they have a direct obligation to avert damages due to the legal environment in which the organization operates. This duty also includes appropriate risk prevention, also taking into account changing environments.
DOES THIS MAKE ISO-CERTIFICATION MANDATORY FOR BCM?
No, of course not. ISO standards and certifications based on them are and remain voluntary standards. No organization is necessarily expected to be certified according to ISO 22301.
Independent of a certification of their Business Continuity Management, however, many companies are currently finding that up to now they have always had to deal with the issue of maintaining or resuming their business operations as quickly as possible in a rather academic and theoretical manner.
This realization is often followed by a search for extant solutions, where ISO 22301 can be a real eye-opener. It is after all a good guide for every organization as to which aspects should be sensibly considered when implementing and maintaining BCM in business processes.
To what extent an assessment and certification of the implemented BCMS by an independent third party is necessary is something that each organization decides for itself. Currently, however, there is a clear trend on the market that, due to the strong networking of companies, mutual proof of an existing, ISO 22301-certified BCMS is expected as the basis for initiating or continuing business relationships.
CAN THE CERTIFICATE BE USED IN THE DEFENCE AGAINST CLAIMS IN CONNECTION WITH NEGATIVE BUSINESS DEVELOPMENT?
Yes, definitely. Usually, the top management of a company is not also one of its stakeholders. For example, the managing director of a German limited liability company (GmbH) is not at the same time also its shareholder, who "only" holds a stake in the company with capital. In company law, the term "foreign body" is also commonly used in this context.
This creates constant pressure for managers - or top management, to use a term from the ISO world - to justify the way they deal with the tangible and intangible assets of their shareholders. And: which measures of profit maximization and risk minimization - including the loss of capital up to insolvency - they have taken. So, as already mentioned, there is an obligation to avert damage.
With a certified management system and its proven and confirmed practical implementation, the accusation of deliberate misconduct and possibly even general misconduct towards this group of people is not applicable. Possible claims for compensation by the stakeholders due to negligent and wrongful management and insufficient risk prevention will have no further basis.
Such a certification can also be advantageous in connection with directors and officers insurance policies, so-called D&O insurance or liability insurance for financial loss, both for the insurance cover provided and for the premium structure, and can contribute to the trust of institutions in the company and its managers.
WHAT REASONABLE EXPENSES SHOULD AN ORGANISATION EXPECT?
This depends on the maturity level of its management system. And of course this is also influenced by the existence of ISO certifications. ISO standards, which meanwhile also means High Level Structure (HLS). And since a Business Continuity Management System is also HLS-capable, there are good prerequisites because one can build on already existing structures and organizational knowledge in this regard.
WHAT ARE THE SPECIAL FEATURES OF BCMS COMPARED TO OTHER ISO MANAGEMENT SYSTEM STANDARDS?
When compared to other ISO standards, we see that BCMS has a specific focus on entrepreneurial processes:
- Which processes of the organization are relevant for the maintenance of business processes or for their resumption as soon as possible?
- Which measures are necessary to make these processes as trouble-free as possible?
Many ISO standards also have a separate chapter "Emergency planning / emergency precautions". Here, the Business Continuity Management System has the role and task of a kind of sub-management, in that these parts of the ISO standard are then examined and evaluated in greater depth under BCMS aspects. This would also be possible, by the way, if one did not immediately decide on a further certification according to ISO 22301.
Management systems according to ISO 27001 (information security management) also contain some partial aspects of a BCMS. For example, the protection requirements analysis (SBA) for IT applications is comparable with the Business Impact Analysis (BIA) according to ISO 22301 in terms of its methodological approach. An existant BA can therefore be part of the BIA.
MR. MACHALZ, THANK YOU VERY MUCH FOR THE INTERVIEW.
Article and interview by DQS GmbH, excerpt translated and published by DQS Holding's Corporate Marketing Team
To contact one of our international offices for TAPA or any other audit and certification needs, please see their contact data on this website.
If you want to continue to read about the latest developments in the world of standards, and what's new at DQS Group, please visit our social media channels: