Our two-part blog series Getting Ready for ISO 22301 gives you a comprehensive approach to preparing for your certification. Part one covered the general steps to take and provided the background you need to fully understand the certification. This part takes a deeper dive into the typical internal challenges and their solutions.
Biggest Challenges to Implementation
Getting Management Buy-in
Getting management buy-in isn’t always easy, especially when there is a cost associated. You must demonstrate the business value in the business terms they value most (lost revenue, reputation, market share, waste). It is key that they understand how important this is for them and the company. Here are some reasons to justify this project:
Prevent large-scale damage to operations: Reduce the impact of major incidents and recover faster, or prevent the incident from occurring in the first place.
Sharpen marketing edge: Use certification as a unique positioning point that gives you an edge over competitors.
Demonstrate compliance: Avoid penalties due to contract breaches and comply with market norms in particular regions (notably CCPA and GDPR). Disaster Recovery Journal maintains a comprehensive list of applicable rules and regulations that require formal business continuity programs.
Reduce dependencies on key individuals: Reduce dependence on specific key people whose availability is unpredictable.
Integrate risk management activities: Drive an integrated, data-centric system to track all impacts, risks, controls, audits, and metrics so that the right business decisions can be made at the right time. Emphasize the importance of data accuracy and of confidentiality, integrity, and availability (CIA).
Ensuring Participation of Key Process Owners
People have a lot to do and don’t like completing mundane tasks such as filling out business impact analysis information. The best way to avoid apathy is to automate the collection of this data and let users populate it in an easy-to-use system. Then make sure they understand how they can use this information. Sell the benefits of the business impact analysis to the process owner by helping them find ways to improve their program.
Getting Management Buy-in and Providing the Necessary Resources
Demonstrate the business value in business terms they value (days sales outstanding creep, revenue loss, delay penalties, premium freight cost, reputational risk, and ultimate loss of the business).
Making Sure Everything is Covered in the Risk Analysis and Business Impact Analysis
Use a structured methodology to compile the risk analysis and its relationship to the BIA.
Linking Risk Assessment and Business Impact Analysis
The sequence of risk analysis and BIA is not specified by ISO 22301. We suggest you execute the risk analysis first and then the BIA, which avoids silos by aligning risk, BIA, and planning.
Making the Program Easy to Understand
There is no need to dissect each clause for every staff member. Keep the project implementation team focused on the 15 steps.
Avoiding Pitfalls to Ensure Success
1. Lack of Executive Commitment – Appoint Champion and Provide Access to Senior Leadership
Appoint a business continuity champion and give them access to senior leadership to evangelize.
Examine case studies of similar organizations in crisis and those that are thriving. Use evidence of non-compliance supported by corporate audits.