Getting Ready for ISO 22301:2012 Certification, Part 2

Posted on: September 18, 2019

Our two-part blog series Getting Ready for ISO 22301 will give you a comprehensive approach when preparing for your certification. Part one focused on the general steps needed to take and provide the background you need to fully understand the certification. This part will provide a deeper dive into what the typical internal challenges are and their solutions.

Biggest Challenges to Implementation

Getting Management Buy-in

A group of people talking

Getting management buy-in isn’t always easy, especially when there is a cost associated. You must demonstrate the business value in the business terms they value most (lost revenue, reputation, market share, waste). It is key that they understand how important this is for them and the company. Here are some reasons to justify this project:

Prevent large scale damage to operations: Reduce the impact of large incidents, recover faster, and minimize impact, or prevent the incident from occurring in the first place.
Sharpen marketing edge: Use as unique positioning to give you the edge over competitors.
Demonstrate compliance: Avoid penalties due to contract breaches and comply with market norms in specific regions (specifically CCPA and GDPR). Disaster Recovery Journal maintains a comprehensive list of applicable rules and regulations that require formal business continuity programs.
Reduce dependencies on key individuals: Reduce dependency on specific key people with unpredictable availability.
Integrate risk management activities: Drive an integrated data-centric system to track all impacts, risks, controls, audits, and metrics to enable the right business decisions to be made at the right time. Emphasize the importance of data accuracy confidentiality, integrity, and availability (CIA).

Ensuring Participation of Key Process Owners

People have a lot to do and don’t like to complete mundane tasks such as filling out business impact analysis information. The best way to avoid apathy is to automate the collection of this data and make it easy for users to populate this information in an easy-to-use system. Then, make sure they understand how they can use this information. Sell the benefits of the business impact analysis to the process owner by helping them find ways to improve their program.

Getting Management Buy-in and Providing the Necessary Resources

Demonstrate the business value in business terms they value (days sales outstanding creep, revenue loss, delay penalties, premium freight cost, reputational risk, and ultimate loss of the business).

Making Sure Everything is Covered in the Risk Analysis and Business Impact Analysis

Utilize a structured methodology to compile risk analysis and their relationship to the BIA.

Linking Risk Assessment and Business Impact Analysis

The sequence of risk analysis and BIA is not specified by ISO 22301. We suggest you execute a risk analysis first and then BIA to avoid silos by effectively aligning risk, BIA, and planning.

Making the Program Easy to Understand

There is no need to dissect each clause to each staff member. Keep the focus on the 15 steps to the project implementation team.

Avoiding Pitfalls to Ensure Success

1. Lack of Executive Commitment – Appoint Champion and Provide Access to Senior Leadership

Appoint a business continuity champion and give them access to senior leadership to evangelize.
Examine case studies of similar organizations in crisis and those that are thriving. Use evidence of non-compliance supported by corporate audits.
Align business continuity management to the organization’s strategic direction and objectives and relate to corporate priorities.
Use drivers such as corporate governance, compliance, stakeholder, and regulatory requirements.
Include senior management in high-level business continuity management awareness events and desktop exercises.

2. Lack of Necessary Skills and Human Resources – Seek External Support

Seek external support.
Network professionally, leverage peers, obtain knowledge, attend conferences and meetings.
Consider automation systems to Collect, Automate, Aggregate, and Report on data, ideally within a single pane of glass. Think CAAR! Set direction and drive.

3. Lack of Financial Resources – Staged Implementation, Align and Merge

Use staged implementation.
Prioritize corporate projects.
Integrate with other management systems (quality, environmental, safety, IT security). All of these must follow ISO Annex L (2019) based management system standards.
Incorporate into existing resiliency systems, created for other regulations.

4. Lack of Communication – Roundtable and Improvement Circles

Hold roundtable meetings, staff meetings, bulletin boards, improvement circles, simplify the message – 5W messaging and awareness (what, why, who, when, where, how)

5. Lack of Awareness and Perceived Value – Create Awareness and Value

Create a business continuity awareness program – 5W messaging and awareness
Emphasize business continuity benefits for the workplace and the workforce.
Develop simple messaging into all staff communications, text alerts, memos, posters, videos, and town hall meetings, as well as emails and voicemails from leadership.

Through the ISO 22301 Certification Process You Will:

Obtain a better understanding of your organization.
Implement a business continuity strategy with proper response tactics.
Maintain the business continuity management plan through exercises and deep reviews into the organizational culture.
Learn how to engrain the business continuity discipline across enterprise.
Foster a spirit of continual improvement that complements other management programs (ISO 9001, ISO 14001, ISO 45001, ISO 27001, et al.)
Drive alignment of resilience capabilities in parallel with key management initiatives and business digital transformation.
Join a unique group of companies committed to business continuity and resiliency.

The latest ISO 22301:2012 can be purchased from ANSI, New York NY or Document Center, Belmont CA