By Joaquim Pereira on April 23, 2014
Every organization needs a business continuity strategy, whether it is an SME or a large enterprise, whether it has one or more physical locations, and whether it operates in one or more business areas. Certainly, some organizations carry out more critical activities than others. In some cases these activities are directly related to the core business; if not, they at least support the major processes that make up the value chain of the business and drive the organization forward.
Ensuring the continuity of the business if a major disaster occurs is not an option; it is a need that every organization has to fulfill.
The need for a common approach was recognized in 2006 at an international workshop held in Florence, Italy. The theme was “Emergency Preparedness”, and experts from all over the world realized that each of them had their own national standard. At that time, each was convinced that their own standard was the one that should be followed.
To reach an agreement, ISO published ISO/PAS 22399:2007, a normative document representing the consensus of a working group and giving guidance for incident preparedness and continuity management. This was the beginning of ISO 22301.
Many standards and approaches were analyzed and discussed; however, only in 2012 was the result of this work published in the form of the international standard ISO 22301, “THE STANDARD of Business Continuity.”
From this international cooperation, one major agreement was reached: the need to manage business continuity as a management system, including preparedness and resilience. In this way, a fully managed system was guaranteed, one that covers the whole PDCA cycle and, like any management system, meets the needs of interested parties, following the guidelines of a high-level Business Continuity Management Policy backed by management commitment (which the standard refers to as leadership).
Must the system include plans? Of course! One or more. It is a matter of responding to the needs of the business and using the “guidelines” of the standard (do not forget the recovery procedures and the phases of exercises and tests).
Should business impact analysis (BIA) and risk management be considered? Definitely! If they are not, then what is the planning for?
Should document management be considered? Sure! There are many documents and records to manage (we are talking about a management system).
Should evaluation, internal audit, management review and continuous improvement also be considered? Definitely! This is the aim: ensuring a higher and better level of response and resilience for the organization.
Well, there are many more steps to be implemented, but the main idea is to manage business continuity using a common and recognized approach.
The body of supporting documentation and guidance is very broad, and you can always support your implementation with one or more guidelines provided by ISO, BSI, BCI or any other recognized organization. The choice is yours; we are talking about your business! You may wonder how much effort and how many resources you should apply. Well, how valuable is your business to you?