It is the need of the hour for all organizations to engage in a comprehensive and systematic process that focuses solely on business continuity and recovery.

ISO 22301 (BCMS) Certification

White paper by Risk Quotient Consultancy Pvt. Ltd.

BACKGROUND

According to one 2019 survey, one-in-three organizations say that the cost of a single hour of downtime can reach $1 Million to $5 Million. This is not including lawsuits, penalties or fines arising due to legal or non-compliance issues.

Emergency response plans and disaster management, while necessary, are now obsolete controls to protect the continuous and unhampered flow of business. It is the need of the hour for all organizations to engage in a comprehensive and systematic process that focuses solely on business continuity and recovery. The focus, now, needs to be on proactively anticipating and minimizing any consequences caused by any sort of calamity. Organizations need to focus on protecting the operational integrity of their day-to-day business activities in times preceding, succeeding and during any disruptions.

ISO 23001 is the first international standard for Business Continuity Management. It has been developed specifically to help organizations minimize the risk of any such disruption.

ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

ISO 22301 CERTIFICATION & BENEFITS

ISO 22301 has been developed by ISO Technical Committee 223. ISO/TC223 oversees a range of standards designed to protect society from incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures. It has a total of ten clauses which cover areas from process, context, planning and leadership to operation, evaluation and improvement.

ISO 22301 is a management systems standard for Business Continuity Management which can be used by organizations of all sizes and types. These organizations will be able to obtain accredited certification against this standard and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practice in Business Continuity Management. ISO 22301 also enables businesses to show stakeholders that a recognized standard has been achieved.

Accreditation and compliance can bring reputational, motivational, and financial benefits to your organization, bringing customers who have greater confidence that you can deliver products and services at agreed performance levels, along with improvements in your supply chain. All of these elements are closely related to your organization’s ability to deliver satisfaction to your customers, and fulfill the expectations and wishes of your stakeholders, while protecting the organization’s capacity for doing business in the long run.

The following is the gist of benefits that an organization can get with an ISO 22301 certification:

1. Ensure continuity of business operations during disruptions

With ISO 22301, you get a comprehensive approach on how to ensure continuity in your operations so that business keeps flowing.

2. Maintain delivery of products and services under all circumstances

With an effective BCMS, the crucial aspects of any organization- delivery of its services and products, is secured and maintained.

3. Safeguard your organization’s assets, turnover, profits and reputation

ISO 22301 enables organization to protect their income stream while reducing chances of further losses.

4. Enjoy cost benefits of reduced insurance premiums

Your organization’s exposure is directly linked to your disaster preparedness. ISO 22301 based BCMS factors largely into your insurance premium’s cost effectiveness.

5. Get a competitive edge in case of major industrial crisis

Having a ISO 22301 certification reassures stakeholder confidence in your organization's ability to respond to incidents.

6. Display your organization’s commitment to key stakeholders

ISO 22301 certification gives an easily recognisable security quality mark. It demonstrates credibility and trust.

7. Be compliant with RBI regulations for NBFCs

RBI Guidelines for NBFCs specifically mention BIA and Contingency Plans in the Business Continuity Planning and Disaster Recovery section. The same are provided as deliverables specifically in Phase 2 of our methodology.

OUR APPROACH TO BCMS

We have developed a unique and simple methodology to develop and implement business continuity as per the requirements of the ISO 22301 standard. This methodology is divided into four major stages with tangible results at the end of each stage. The stages are as follows:

Stage-1 BCM Framework

The key part of this stage is to take a top down view for every BCM implementation. Business Continuity Management is an operational issue and deals with the organization being able to continue to deliver its key products and services to its customers.

Activities:

• Frame legal and regulatory requirements relevant to organization
• Conduct contect workshop for top management
• Identify critical impact areas
• Rate products and services against identified impact areas

Deliverables :

• BCMS Context of the Organization document
• Updated BCM Organization structure

Stage 2: Impact Analysis, Risk Assessment and BCM Strategies

In accordance with RBI regulations for NBFCs, this is a very critical phase. The goal of this phase is to list Business Impact Areas (BIA) in priority, identify key risks that affect delivery of critical business processes and mitigating actions for the same.

Activities:

• BIA and Risk Assessment workshops with SPOCs
• Identify Maximum Acceptable Outage (MAO)
• Identify and define Recovery Time Objective (RTO) & Recovery Point Objective (RPO)
• Establish business continuity strategies within MTPD, RTO & RPO parameters
• List continuity options to stakeholders along with feasibility, advantages & disadvantages of each option.
• Strategies will be divided in terms of:

• People
• Premises
• Information
• Technology

• Finance
• Suppliers
• Stakeholders
• Communication systems

Deliverables:

• Business Impact Analysis (BIA) report
• Continuity Risk Management
• Business Continuity Strategy Report

Stage 3: Continuity Planning

A critical stage in any business continuity life cycle is the response provided by an organization to an emergency scenario. This response can determine if the organization should invoke its business continuity plan. The overall objective of this stage is to ensure that the organization has plans at different stages of the disaster management process as well as for different products and services of the organization.

Activities:

• Review documents such as- incident response plans, emergency evacuation plan, emergency response plan, damage assessment checklists, etc.
• Assist in developing organizations specific product/ service recovery plans. Deliverables:
• Business Continuity Plan templates
• Incident Management Plan
• Emergency Response Plan

Stage 4: Testing and Internal Audit

The crux of this phase is to ensure that business continuity plans are consistent with their objectives. In Testing, we play out multiple types of scenarios with varied complexities to ensure your organization's business continuity plans are robust and practical.

Activities:

• Create a calendar scheduling the various types of tests and exercises to be conducted.
• Conduct awareness program for:
• Users with business continuity responsibilities (disaster recovery team, incident management team, etc.) & End Users
• Assess understanding of users to check effectiveness
• Create training material for the implementation team explaining roles & responsibilities during a disaster
• Conduct an internal audit to ensure that an organization is prepared for the external certification audit.
• Help organizations close findings in the internal audit

Deliverables:

• Training Material
• Business Continuity test calendar
• Internal Audit and closures

Stage 5: External Audit and Certification

In this phase, we provide on-site assistance to organizations during the final external audit for BCMS. Our work is done only when corrective action plan for external audit is documented.

Deliverables:

• Assistance during audit
• Corrective action plan for external audit finding

Certification Process

ISO 22301 is a certifiable compliance. There are specific accredited auditing bodies which conduct audits to check the level of implementation of ISO 22301. The audit is an exhaustive process, in which the auditors will perform a formal assessment. All the documents, checklists and other requirements mentioned in the ISO 22301 are verified during the audit. The auditors will complete a full audit of your business processes.

In case any gaps are observed in the audit, the auditors send the findings to organizations to close them. Once that is satisfactorily done, the certification body provides you with an ISO 22301 certification which is valid for 3 years.

Following are some of the internationally recognized auditing bodies:

1. British Standards Institution (BSI)

2. Det Norske Veritas (DNV)

3. Bureau Veritas (BV)

4. ISOQAR Alcumus

Conclusion

Organizations have limited control over some factors of the environment they exist in. It is a virtual guarantee that an organization will see some sort of disruption in its lifespan. 2 out of 5 organizations that are hit by major disruptions, cease to exist in the following 5 years of the disruption. An ISO 22301 certification puts back some measure of control in an organization’s hands in such a scenario

Apart from all the business benefits it provides an organisation can rest assured that they have taken positive steps towards protecting their business operations by implementing an exhaustive Business Continuity Management System.