White paper by Risk Quotient Consultancy Pvt. Ltd.
According to one 2019 survey, one in three organizations say that the cost of a single hour of downtime can reach $1 million to $5 million. This figure excludes lawsuits, penalties or fines arising from legal or regulatory non-compliance.
Emergency response plans and disaster management, while still necessary, are no longer sufficient on their own to protect the continuous and unhampered flow of business. Every organization now needs a comprehensive and systematic process that focuses on business continuity and recovery. The focus has to be on proactively anticipating and minimizing the consequences of any kind of disruption, and on protecting the operational integrity of day-to-day business activities before, during and after that disruption.
ISO 22301 is the first international standard for Business Continuity Management. It has been developed specifically to help organizations minimize the risk of any such disruption.
ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents when they arise. (The 2012 edition has since been revised as ISO 22301:2019; the requirements described here follow the same structure.)
ISO 22301 was developed by ISO Technical Committee 223. ISO/TC 223 oversaw a range of standards designed to protect society from incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures. The standard has ten clauses: scope, normative references, terms and definitions, context of the organization, leadership, planning, support, operation, performance evaluation and improvement. Clauses 4 to 10 carry the auditable requirements.
ISO 22301 is a management system standard for Business Continuity Management which can be used by organizations of all sizes and types. Organizations can obtain accredited certification against this standard and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they adhere to good practice in Business Continuity Management and have met a recognized standard.
Certification and compliance can bring reputational, motivational and financial benefits to your organization: customers gain confidence that you can deliver products and services at agreed performance levels, and your supply chain improves. All of these elements are closely related to your organization's ability to satisfy its customers and meet the expectations of its stakeholders, while protecting its capacity to do business in the long run.
The following is the gist of the benefits an organization can get from ISO 22301 certification:
1. ISO 22301 gives you a comprehensive approach to ensuring continuity in your operations so that business keeps flowing.
2. With an effective BCMS, the crucial activity of any organization, the delivery of its products and services, is secured and maintained.
3. ISO 22301 enables organizations to protect their income stream while reducing the chance of further losses.
4. Your organization's exposure is directly linked to its disaster preparedness. Insurers take preparedness into account, so an ISO 22301 based BCMS can improve the cost effectiveness of your insurance premiums.
5. ISO 22301 certification reassures stakeholders of your organization's ability to respond to incidents.
6. ISO 22301 certification is an easily recognisable security quality mark. It demonstrates credibility and trust.
The RBI guidelines for NBFCs specifically mention a Business Impact Analysis (BIA) and contingency plans in their Business Continuity Planning and Disaster Recovery section. Both are provided as deliverables in Phase 2 of our methodology.
We have developed a simple methodology to develop and implement business continuity as per the requirements of the ISO 22301 standard. The methodology is divided into major stages, each ending in tangible deliverables. The stages are as follows:
The key part of this stage is to take a top-down view of the BCM implementation. Business Continuity Management is an operational issue: it deals with the organization's ability to keep delivering its key products and services to its customers, so the scope is set around those products and services.
In accordance with RBI regulations for NBFCs, this is a very critical phase. Its goal is to perform a Business Impact Analysis (BIA) that ranks critical business processes by priority, to identify the key risks that affect delivery of those processes, and to define mitigating actions for them.
A critical stage in any business continuity life cycle is the response provided by an organization to an emergency scenario. This response can determine if the organization should invoke its business continuity plan. The overall objective of this stage is to ensure that the organization has plans at different stages of the disaster management process as well as for different products and services of the organization.
The crux of this phase is to ensure that the business continuity plans meet their objectives. In testing, we play out multiple scenarios of varying complexity to confirm that your organization's business continuity plans are robust and practical.
In this phase, we provide on-site assistance to the organization during the final external audit of the BCMS. Our work is done only when the corrective action plan for any external audit findings has been documented.
ISO 22301 is a certifiable standard. Accredited certification bodies conduct audits to check the level of implementation of ISO 22301. The audit is an exhaustive process in which the auditors perform a formal assessment: all the documents, checklists and other requirements specified in ISO 22301 are verified, and the auditors complete a full audit of your business processes.
If any gaps are observed in the audit, the auditors send their findings to the organization to close. Once that is done satisfactorily, the certification body issues an ISO 22301 certificate, which is valid for three years subject to periodic surveillance audits.
The following are some of the internationally recognized certification bodies:
1. British Standards Institution (BSI)
2. Det Norske Veritas (DNV)
3. Bureau Veritas (BV)
4. ISOQAR Alcumus
Organizations have limited control over some factors in the environment they operate in, and it is a virtual certainty that an organization will face some sort of disruption in its lifetime. Two out of five organizations hit by a major disruption cease to exist within the following five years. An ISO 22301 certification puts some measure of control back in the organization's hands in such a scenario.
Apart from all the business benefits it provides, an organisation can rest assured that by implementing a thorough Business Continuity Management System it has taken positive steps towards protecting its business operations.