The Rising Uptake of ISO 22301 Standard, Why?

ISO 22301 is the international standard that helps organisations protect against and recover from disruptive incidents when they happen. It provides a systematic approach to business continuity management. Essentially, ISO 22301 is about creating your business continuity programme, or what some may call your “business continuity management system.” This is designed to protect your business and your reputation, and to minimise financial loss in the case of an incident.

The standard is also industry agnostic and applicable to organisations of any size. You can focus alignment or certification on a selected part of the organisation, for example a specific site or operation. This makes the adoption of this standard easier.

The most obvious purpose of business continuity management can hardly be overstated. Thousands of businesses have saved time and money by getting back up and running quickly after a disruption. Some even owe their survival to it, so you can understand why the uptake of alignment to the standard is increasing.

In today’s fast-moving world, we see many threats from which we need to protect ourselves. These range from extreme weather and cyber-crime to terrorism and complex supply chains. All of these put demands on businesses to ensure that they have robust and resilient programmes in place to recover quickly from any kind of threat. Many see that having a systematic approach to business continuity management, which ISO 22301 offers, provides the reassurance that their business is protected, their reputation is secured, and financial loss is minimised in the case of an incident. Many see this standard as security that ensures that their business will not be steered off course by the unexpected.

It is increasingly common for vendor management to involve strict guidelines on business continuity management. The ISO standard is a great stamp of approval that puts organisations at a competitive advantage and differentiates you from your competitors.

Some of the main drivers for the uptake are to:

  • Strengthen your organization’s reputation
  • Create or mature your business continuity programme
  • Align to an internationally recognized standard
  • Identify gaps in your business continuity programme

We know that there is a growing uptake, but how can you translate this to ensure that your programme is ready and following the best practice? For more information, please view our joint webinar with Everbridge.

You will learn about:

  • The importance of building your internal BCMS
  • Aligning guidance to this
  • Simplifying the effort of your documentation to support this standard
  • The use of a relational database
  • Gap analysis and key quick communication at the time of an incident

To book a demonstration of the Fusion Framework System, please fill out our demo form.

The Fundamentals of Business Impact Management

Let’s start from the beginning: what is business impact management and what does it entail?

  • A process is a fundamental business function that provides a product or service as a benefit to the organization.
  • When the ability of a process is disabled, compromised, or lost, the organization experiences what is called a business impact.
  • Business impact management is the practice of understanding the risks your business processes face and mitigating, or formally accepting, the impact of those risks.

 


Effective business impact management requires an avenue to understand your business processes and how to address potential impacts. It should allow you to go beyond simply understanding, by enabling you to determine gaps and ways to address them and improve your program over time. Your employees and colleagues have valuable information about how their processes work, and you need to extract that information in an objective, understandable manner. Begin with the end in sight – determine the information most crucial to keep your business up and running. Then, start with these five tips to better understand business impact management.

Determine What’s Best for You

Everyone wants a “best-in-class” program. You can get there, but first, take the time to look at what’s best for your organization, and then compare that to your desired end goal. Through knowing what information is important to your organization, you can leverage reporting to focus on key metrics and enable your data to drive answers.

Ask the Right Questions

Ensure your question format makes sense. Ask the right questions, in the right way, and determine what information is necessary rather than just “good-to-know.”

  • Keep questions concise and to the point
  • Use terminology familiar to the subject matter expert
  • Identify similar questions, and try to consolidate into similar fields to avoid user fatigue

Consider Dependencies

The practice of business impact management involves leveraging available tools to help address your organization’s potential impacts. It’s important to also consider processes’ dependencies and how they could affect recovery objectives. Ensuring your processes’ requirements are up and working when the dependent process needs them is crucial to avoiding additional disruptions. Business impact management also involves taking the information surrounding your process and its dependencies and using it to mitigate the potential impacts.

Work Incrementally

Business impact management alleviates work through time by refreshing and improving data rather than starting from scratch. Mature your program incrementally – at a pace that works and as more data is needed. Consider how you will use your data and use the appropriate configuration. Manage your program year-round by utilizing reporting, gap analysis and metrics.

Review Feedback

Review feedback from subject matter experts to determine areas that need improvement:

  • What worked?
  • What was difficult to understand?
  • Is there anything missing?
  • What was overwhelming?

Sounds like a lot of work, right? Well, I am going to be honest: the first year can be painful, but it pays off tremendously in the subsequent years, which are mostly about updates. Business impact management helps you understand your business, learn more to leverage your data, and determine process priority. By doing so, it identifies gaps, allows you to mitigate potential impact, and structure your program to be iterative. Overall, managing data with this approach greatly reduces your organization’s exposure to risk.

Want to know more about business impact management? Fusion can help you! Learn more about our advisory team committee, Fuel.

You may be thinking, “What about a business impact analysis?” BIAs are the traditional approach, focused on a point in time. They can evaluate a process in terms of its impact, criticality, and mitigation factors. Business impact management is more holistic and evolving. BIAs are great when used in alignment with business impact management, but on their own they will not give you a comprehensive approach for mitigating risk.

To better understand how to leverage BIAs, check out our blog post Identifying the Optimal Process and Department Level to Perform a Business Impact Analysis.

What to Expect at Solutions 2019!

Are you ready for the client summit of the year? We are! Over the course of the summit, attendees will hear inspiring stories from peers, participate in networking sessions, learn best practices that can transform their programs, and learn about what’s next at Fusion from our leadership team. Here is what you need to know about Solutions19.

Tailored Content

This year, Solutions features six tracks to ensure you get the most value out of your time in Chicago. Unsure which one is best for you? Here are some insights.

  • Business Continuity: From topics on optimizing BIAs to automating development and distribution of plans, you’re sure to come out with new ways to manage your program.
  • Risk Management: See how to extend Fusion into your risk program and better understand the convergence of risk and resiliency in the market.
  • IT Disaster Recovery: Learn how to better manage recoveries, conduct exercises, and improve outcomes.
  • Program Management: Strengthen the quality and resilience of your program. Gain insights on best practices and new trends to own your program.
  • Platform Administration: Master the fundamentals. Be a part of core platform sessions applicable to every discipline.
  • Possibilities: Discover something new! We’ll show you exciting and innovative new ways to use Fusion; the sky’s the limit.

Or you can mix and match! We’ve provided a variety of topics so you can choose the type of experience you want. Each program is different from the other, so we want to make sure you’re attending the sessions that are right for you. Manage your agenda on our new event app! You’ll also be able to give feedback on all the sessions and engage with other attendees at the summit!

Networking and More

Making new relationships, sharing stories, and learning are just a few things in store for you. In addition to the structured networking sessions, we’ve got some fun activities planned:

Punch Bowl Social

You can cozy up in a booth and pick the brain of someone new or stir up a little competition with some of your colleagues. From karaoke to games and dancing, Punch Bowl Social has it all.

Scavenger Hunt

Throughout the conference you can participate in our scavenger hunt. If you finish it and turn it in, you’ll be entered into a raffle. It’s also a great way to “stretch your legs” in between sessions.

Photo Opps

And of course, we’ll have some fun cutouts that you can pose with and snap a picture. Be sure to share on social with #solutions19 and on the Solutions19 app. And feel free to live tweet throughout the conference.

Keynotes

This year, we are welcoming John Iannarelli, retired FBI Special Agent Executive, as our keynote speaker! Hear his stories from more than 20 years of service in the FBI and his perspective on how to respond to new threats.

Get the scoop from Chief Product Officer Steve Richardson and Chief Technology Officer Cory Cowgill! They’ll share where we have come in the last year as well as the product roadmap for the next year and beyond. We’ve also got some special announcements! And of course, you’ll be the first to know all of the new and exciting developments happening at Fusion.

Partner Pavilion

Don’t forget to say hello to our sponsors, located in the Partner Pavilion. We’ve invited the best of the best to complement your experience. Our community is stronger when we work together, so stop by the Pavilion and don’t forget to network with them during the Community Happy Hour.

Whether you’re new to your industry or have decades under your belt, Solutions19 will not only immerse you in the Fusion Community but also enhance your industry knowledge! For those registered, let us know what you’re most excited about for Solutions19 on social media. Follow us on LinkedIn and Twitter and use #solutions19.

Solutions is Fusion Risk Management’s annual customer success summit. Established in 2017, this summit gathers clients from all over the world for three days of networking, education, and innovation. At Solutions, you’ll interact with colleagues, strategic partners, and industry experts about topics including business continuity management, IT disaster recovery, integrated risk management, third-party management, and crisis and incident management. Learn more at solutions.fusionrm.com.

Business Continuity and Vendor Management: Better Together

In the Better Together blog series, we take a look at how business continuity can support other functional areas by creating an information foundation from the data that business continuity collects from multiple sources across the enterprise. Here, we explore how business continuity and vendor management are better together.

With enterprises increasing their reliance on vendors in support of critical business functions, the role and visibility of third-party or vendor management has grown substantially.

The production priorities of this function include:

  • Vendor qualification
  • Contract negotiation
  • Capability assessments
  • Service level agreement monitoring

Business continuity has worked with third-party or vendor management for many years to ensure that business continuity language is included in contractual agreements, thereby reducing operational risk. But can business continuity further assist third-party or vendor management with their priorities?

Absolutely! Take the scenario that an equipment supply vendor’s contract is coming up for renewal. Vendor management can access the information foundation to see that the vendor currently supports two business processes. Plus, vendor management can readily see if there is an alternative vendor already working with the company who may provide the same services. These factors can be taken into account in the upcoming contract renewal decisions.

For more real-world examples of the information foundation in action, read our whitepaper Creating the Foundation for Increased Business Resiliency and Efficiency.

Here’s How to Keep Your Programme Under Control

Vulnerabilities are endless — resources are not. Maintaining information from across your organisation and managing risks from internal and external sources is difficult. There are an endless number of risks, but only limited business continuity team resources. No matter what, the numbers don’t sound great.

Knowledge must be consolidated to even scratch the surface of being in control of your programme. Most enterprise companies – especially as they grow and expand – work in some sort of siloed environment. IT doesn’t know what sales is doing, sales doesn’t know enough about product development, and so on. People’s knowledge is limited to what they do on a daily basis, fighting their own fires. If their work requires pursuing additional knowledge, they might do so, but often, people don’t even know where to start.

That can lead to a myriad of problems. If there is little to no interdepartmental communication or knowledge, what will happen when disaster strikes? Every department for itself isn’t going to work. Coordinating teams that don’t really understand what’s important to others also doesn’t work in crisis. Continuity efforts will either elongate or fail if there is a complete lack of coordination.

In order to have a streamlined operation that is secure, it is imperative that all stakeholders have full knowledge of operations, so they can respond to any need across the organisation with confidence. Historically, information consolidation wasn’t possible, but now with technological advances and digital transformation, you no longer have to file everything away on paper documents that become outdated almost immediately. There is no excuse for not having an information foundation, especially during a crisis or disaster.

An information foundation consolidates and centralises data, so all of your information is in one location. It should be accessible to everyone that needs it, all while being secure. This allows for data over documents and knowledge over plans. Instead of having a binder of outdated plans, you have all of the organisational knowledge you need for decision making.

Organisational knowledge isn’t new – it’s always been critical for businesses to understand potential threats and determine the most effective ways to address them and to recover should they occur. What has changed is our ability to organise, share, access, and delegate information. Everything people need to know about contingency plans and business continuity should be contained in a virtual one-stop shop where data is constantly updated, redundancies are eliminated, and roles are clearly defined.

A good information foundation provides you with the organisational knowledge you need to:

  • Understand your business and its goals
  • Proactively plan
  • Adjust as things are constantly evolving
  • Empower executives to empower you
  • Break down silos

All of this enables wisdom and encourages collaboration. It makes interdepartmental communication easy. After that comes prioritization of the endless vulnerabilities. Proactive planning and a firm grasp on every piece of information needed make for the best chance at a full recovery in the least amount of time possible. That’s why it’s important to possess something — probably a software solution — that pulls all of the necessary processes into that all-important information foundation. You can use your knowledge from the information foundation as power.

Because this information is so valuable, why let it stop with just being useful to the business continuity team and maybe the disaster recovery team? Once the knowledge base is assembled, organisations will find there are many ways to leverage this newfound asset, including:

  • Mergers, acquisitions, and divestitures
  • Investment banking
  • Personnel decisions
  • Vendor management
  • Budgeting
  • Procurement
  • Risk Management

Power comes to individual practitioners who embrace and execute on building an information foundation for organisational knowledge. People who are in the know and can help others make better decisions are more valuable to their organisations. Really, there isn’t anyone at your company who doesn’t benefit from a complete information foundation. Again, the emphasis shifts to who will come to you for information rather than you going out and collecting scraps of data when it’s time to update your BIA and plans. Think of what you already collect — adding in more information is a small effort that pays off in incredibly big ways.

By consolidating information, using data for decision making, and breaking down silos, you’re able to gain control of your programme and go beyond to create a business continuity and risk management focused approach in your organisation.

Company Engagement Series: Give Your Business Continuity Program a Wellness Check

Wellness checks are conducted every day for people who don’t feel sick to make sure there are no hidden problems which could impact their health, strength, and vitality. Giving your business continuity management program a wellness check is important for exactly the same reasons. Here are seven “diagnostics” you can use to determine the overall health and wellness of your company’s program:

1. How connected is business continuity to your company’s vision, mission, goals, and strategy?

If the answer is “not at all” or “not much,” your program has a systemic weakness. To strengthen it, you need to learn everything you can about your company so that you can connect and align business continuity management with your company’s “big picture.”

2. How does business continuity support what your company is selling?

The health of your company is directly related to its success in selling products or services. If business continuity is not actively engaged in supporting customer sales, satisfaction, and retention, the business as a whole will suffer.

3. Is your program focused on the company’s key priorities?

Businesses today are vitally concerned with maintaining business operations and avoiding or mitigating any impact a disruptive event might cause. Since that is a top organizational priority, it needs to be acclaimed as the top business continuity priority.

4. What is the general perception of business continuity management’s value to the company?

If it’s perceived by company staff in general as a cost center whose only value is loss avoidance, you have work to do. Create a new “elevator pitch” for business continuity management to clearly communicate all the ways in which it aligns with and supports the company’s vision, strategy, priorities, operations, and sales.

5. Do business continuity management personnel have a seat at the decision-making table?

As the central repository of a wealth of knowledge, business continuity can be a major contributor to business decisions on a day-to-day basis, not just when the company is in crisis mode. If you don’t have a seat at the table, it’s time to prove that you deserve one.

6. How informed and engaged are people across your organization with business continuity?

People take ownership for what they help create, so the more you involve people, the more business continuity will become the cultural norm for your enterprise. Ask for input, engage people in tests and exercises, provide training, and keep communication flowing!

7. How are you measuring the performance of your program?

Wherever your program and culture is today, you’ll never know if you’re getting better unless you measure. By measuring your performance, you will be able to make informed decisions and take targeted actions to improve that performance. Be sure to establish metrics that give you actionable data about what you are doing, what impact you are having, and what results you are getting.

If you would like to know more about how to ace your next BCM wellness check, read the white paper 8 Steps to Building an Engaging Business Continuity Management Culture.

Company Engagement Series: In BCM, Metrics Drive Behavior – and Improvement

Management thinker Peter Drucker affirmed, “If you can’t measure it, you can’t improve it.” Wherever your business continuity management program and culture is today, you’ll never know if you’re getting better unless you measure. But if you are measuring your performance, you will be able to make informed decisions and take targeted actions to improve that performance. Metrics drive behavior.

Here’s what you should be sure to measure!

Measure things that answer WHY business continuity is important, such as:

  • The number of single points of failure

  • The percentage of revenue exposed to single points of failure

  • The number of client contracts requiring it

  • The percentage of new opportunities requiring business continuity

Measure WHAT you are doing, such as:

  • Plan coverage

  • Exercises conducted

  • Reduction in expected loss outage and outage duration

  • The number of contracts and associated revenues where business continuity was a criterion for winning business

Measure things that confirm HOW the program is doing, such as:

  • How efficient and effective it is

  • How current and complete it is

  • How reliable and cost-effective it is

  • How aligned with business objectives for revenues and profit it is

Think for a moment about all this information can do for you. With measurements and metrics in hand, you can deliver reports that will help keep business continuity in front of the company executives. You can demonstrate how you are supporting business goals and objectives. You can track the percentage of plans that are completed, the updates that are being made, the improvements that are being executed, and other relevant data. You can continuously expand and enhance your program until you have established a true business continuity culture in your organization.

Find out more on how to build a business continuity culture by reading the white paper 8 Steps to Building an Engaging Business Continuity Management Culture.

Company Engagement Series: If You Want to Engage People in a BCM Culture … Engage Them!

A common lament of business continuity management professionals is that their leaders and fellow employees aren’t interested in business continuity. But if you ask, “What have you done to engage people in business continuity?” the answer is often a sheepish, “Well, nothing!”

If you want people to be engaged with your program, you have to take the initiative and engage them! Intentionally facilitate and inform people at every level about business continuity and the value that it delivers, as well as about how they can be involved and make a difference. Remember that people take ownership for what they help create, so the more you interact with people, the more business continuity management will become the cultural norm for your enterprise.

There are countless ways in which you can embed business continuity into your organization. For instance, you can:

  • Engage executives and department heads in tests and exercises. These tests and exercises can be designed to accomplish a variety of purposes, such as educating participants about critical components of business continuity management or testing participants’ abilities to respond appropriately to a completely unexpected “curve ball.”

  • Establish annual mandatory training for all employees. The training should explain what business continuity is, how the process works once an incident is declared, and what is required of employees.

  • Launch an internal business continuity website. The site can house the plans that are in place, provide additional resources, and instruct employees how to be prepared at work and at home for a disaster.

  • Disseminate information on a regular basis. Take advantage of departmental meetings, lunch-and-learn events, newsletters, social media, and more to keep business continuity in front of employees.

The key here is to be consistent so that the message is being transmitted constantly across the organization, and to be creative so that people want to listen to and engage with the message!


Company Engagement Series: How to Get a Seat at the Table

Business continuity management tends to be perceived by leadership in general as a cost center whose only value is loss avoidance. It is no surprise, therefore, that business continuity rarely has a seat at the executive decision-making table.

It is time for that to change. Consider what business continuity has to offer at the strategic level! You centralize key data from all across the organization, you have relationships with every department, and you have mapped out all the critical processes of the organization including where they are located, what technologies they rely on, which people and vendors they involve, and how they are interdependent. With this wealth of information in hand, it is time to work your way into the strategic decision-making process.

You deserve a seat at the table because you have the data, knowledge, and insight – the information foundation – to be a major contributor to business decisions on a day-to-day basis, not just when the company is in crisis mode. For example:

  • If your company is closing down a facility, you can instantly provide information about what operations take place there, what technology is housed there, and what critical processes could be disrupted during the course of a move.

  • If your company is upgrading IT storage, you can identify which servers the old storage frame is connected to and which processes it supports, thereby avoiding a negative impact on enterprise operations.

  • If your company is considering a contract with a new vendor, you can provide information regarding the recovery time objectives and service level agreements that are needed for the various business processes the vendor would interact with, which will assist procurement in negotiating the best contract.

Remember, knowledge is power! Business continuity has immense knowledge at its fingertips through the information foundation it manages. That knowledge can be a game-changer for the company. Take or create opportunities to demonstrate that you can have a positive effect on other areas of the business, and you will win a seat at the table!


Company Engagement Series: Get Your Priorities in Order – Fast!

What are your priorities as a business continuity management professional? Your to-do list might immediately spring to mind with tasks such as a business impact analysis or planning session blinking red. Yes, those things need to be done, but they do not answer the question. Forget what you have to do in the short term – what are your priorities for the long term?

Legacy thinking is that business continuity is driven by compliance first and foremost and that it seeks to avoid financial loss, protect brand and reputation, and – lastly – manage the impact to operations. While this model is not “incorrect” as such, it effectively undercuts any chance of driving cultural buy-in by putting compliance as the top priority. Compliance just does not motivate the average executive or employee.

It’s time to turn that model on its head! Businesses today are vitally concerned with maintaining business operations and avoiding or mitigating any impact a disruptive event might cause. Since that is a top organizational priority, it needs to be acclaimed as the top business continuity priority. Right underneath that should be the goal of protecting the company’s brand and reputation.

Then comes financial loss avoidance – after all, the bottom line is the bottom line and needs to be safeguarded. However, if the first two priorities are being met appropriately, financial loss will be avoided as a natural consequence.

Finally, compliance should be considered. But again, if business continuity is taking steps to minimize impact to operations, protect brand reputation, and avoid financial loss, it is highly likely that compliance demands are also being met or exceeded.

Reorganizing business continuity’s priorities in this way achieves alignment with the business’ overall goals and objectives. Find out more on how to build a business continuity culture by reading the white paper 8 Steps to Building an Engaging Business Continuity Management Culture.