CHAPTER 7: PERFORMANCE EVALUATION

ISO22301 introduces standard terminology, consistent with other international management system standards, and whilst it no longer includes the rather important term ‘review’ from BS25999, it replaces this with a requirement to evaluate the business continuity procedures, together with the requirement to take corrective action when anything no longer conforms to requirements.

Monitoring and measurement

The case for continuously reviewing and maintaining the BCMS, particularly the executable parts of it, is already made. However, to ensure that this actually happens, the majority of organisations will benefit from establishing a review body.

Depending upon the nature of the organisation, regular review and maintenance of individual components, such as plans, procedures and contact information, will be conducted by a variety of people. One of the tasks of the review body should be to oversee this ongoing process of monitoring and measuring the performance of operations, and the testing of the BCMS.

Every executable component of the system should have an owner and a review status. This should mean that the owner is responsible for monitoring the item according to the stipulated review schedule.

The timely and competent review and maintenance of plans and resources should become a KPI in the reporting and assurance process (see Chapter 11). This is achieved relatively easily by way of a document register (see Chapter 10) that includes information on ownership and review.
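As an added illustration (not from the book or from ISO22301 itself) of how a document register carrying ownership and review information can feed the KPI described above, the following Python turns a small constructed register into a list of non-conformances and a single on-schedule percentage. Every entry, owner name, date and review interval is an invented assumption; the status categories (no owner, never reviewed, overdue) follow the requirement that every executable component has an owner and a stipulated review schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Report date for the constructed example (assumption, not a real reporting period).
REPORT_DATE = date(2024, 6, 30)


@dataclass
class RegisterEntry:
    """One row of the document register: the item, its owner and its review schedule."""
    doc_id: str
    title: str
    owner: Optional[str]           # every executable component should have an owner
    last_reviewed: Optional[date]  # None if the item has never been reviewed
    review_interval_days: int      # the stipulated review schedule for this item


# Constructed sample register; titles, owners and dates are illustrative only.
REGISTER: List[RegisterEntry] = [
    RegisterEntry("BCP-001", "Site A recovery plan", "Ops Manager", date(2024, 1, 15), 365),
    RegisterEntry("BCP-002", "Call tree / contact list", "HR Lead", date(2024, 5, 1), 90),
    RegisterEntry("BCP-003", "IT disaster recovery procedure", "IT Lead", date(2023, 6, 10), 180),
    RegisterEntry("BCP-004", "Supplier contingency arrangements", None, date(2024, 2, 1), 365),
    RegisterEntry("BCP-005", "Pandemic scenario plan", "Ops Manager", None, 365),
]


def next_review_due(entry: RegisterEntry) -> Optional[date]:
    """Date by which the item should next be reviewed, or None if never reviewed."""
    if entry.last_reviewed is None:
        return None
    return entry.last_reviewed + timedelta(days=entry.review_interval_days)


def review_status(entry: RegisterEntry, as_of: date) -> str:
    """Classify an item as OK, NO_OWNER, NEVER_REVIEWED or OVERDUE at the report date."""
    if entry.owner is None:
        return "NO_OWNER"          # no accountable owner: a non-conformance in itself
    due = next_review_due(entry)
    if due is None:
        return "NEVER_REVIEWED"    # item exists but has never been through review
    return "OK" if as_of <= due else "OVERDUE"


def nonconformances(register: List[RegisterEntry], as_of: date) -> List[Tuple[str, str]]:
    """Items that need corrective action, with the reason, in register order."""
    return [
        (e.doc_id, review_status(e, as_of))
        for e in register
        if review_status(e, as_of) != "OK"
    ]


def review_kpi(register: List[RegisterEntry], as_of: date) -> float:
    """Percentage of register items that have an owner and an in-date review."""
    if not register:
        return 0.0
    on_schedule = sum(1 for e in register if review_status(e, as_of) == "OK")
    return round(100.0 * on_schedule / len(register), 1)


if __name__ == "__main__":
    print(f"Review KPI at {REPORT_DATE}: {review_kpi(REGISTER, REPORT_DATE)}% on schedule")
    for doc_id, reason in nonconformances(REGISTER, REPORT_DATE):
        print(f"  {doc_id}: {reason}")
```

The percentage is the figure that would be carried into the reporting and assurance process, while the non-conformance list is the input to the corrective action process; re-running the same register against a later date shows how items drift into OVERDUE if nothing is done.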

Criteria

The first step in the overall improvement process is to decide what needs to be measured and therefore monitored.

Some key parameters for measurement are likely to include:

  • Accuracy
  • Timeliness
  • Comprehensiveness
  • Meeting of objectives
  • Levels of awareness amongst staff and other stakeholders.

These are, of course, very general, but are likely to apply variously to features of the system, such as:

  • Documents
  • Contingency arrangements
  • Plans and scenarios
  • Measurement and monitoring activities, including exercises.

Meeting objectives is a measurement criterion that should probably always feature in a BCMS. Many certification auditors will expect to see some evaluation of whether the system is delivering what the Board have asked for: the objectives that are enshrined in, or referred to by, the policy.

Bearing in mind that BC arrangements generally only prove their ultimate worth in the event of an incident, demonstrating that all objectives are being met is, of course, a challenge.

This is where exercises may help: the report of an exercise may include an assessment of what the impact would have been had the incident, or scenario, been real, and this can then be compared with the impact limitation requirements within the BCM objectives.

Other objectives might include enhancing competitiveness, for example. Again, it is not easy to show that a new piece of business has been won, or lost, as a result of having a BCMS in place, and it will be for each organisation to work out how it can use the new resilience it has acquired as a competitiveness tool, and monitor its worth in that respect.

The BCMS

The BCMS itself should also be monitored, measured and evaluated on a regular basis, through internal audit and management review, as is common practice in other management systems. This process will typically include a mechanism for maintenance and improvement, through the recording and processing of preventive and corrective actions.

Internal audit

ISO22301 is not expansive on the requirements for internal audit. Those with knowledge or experience of other management systems will probably be familiar with procedures and systems in this area. Essentially, a documented procedure and audit plan will be required, setting out the criteria against which the BCMS should be audited, and a forward programme of audits, together with some evidence of previous planned audits having been completed.

The audit should focus on two aspects: that the BCMS continues to meet the organisation’s requirements and those of ISO22301:2012, and that it is being properly implemented and maintained.

There should be an audit programme that features:

  • Audit procedures, including criteria for judging conformance, reporting of non-conformance, and the resulting corrective action process.
  • An audit plan, setting out scheduled audits at frequencies commensurate with the importance of the organisation’s activities, and the BCM processes being audited.
  • Competencies of auditors.
  • Objectivity of auditors (auditors should not audit their own areas of responsibility).
  • Document management requirements; though this can easily be incorporated in the overall document management arrangements (see Chapter 10).

Management review

The principle behind management review is that the BCMS, in particular the executable parts of it, will be most reliable and useable if it is reviewed for these attributes by management, as opposed to individuals, with clear accountability to the governing body for doing so.

The review process is there to identify changes that are required as a result, for example, of:

  • Audits
  • Tests and exercises
  • ‘Whistle-blowing’ – discrepancies or inadequacies identified by staff
  • Feedback from internal awareness and education activities
  • Changes in regulatory or contractual requirements
  • Changes in the way that the organisation works
  • Changing, or new, good practice, emerging in the business continuity industry
  • Changes in policy decided by the governing body.

Ideally, this review will be conducted by the organisation’s senior management team, or otherwise by the oversight body (committee).

Decisions taken as part of the management review should then become actions, or tasks, allocated to responsible individuals, for execution within a specified timescale. These actions should then be monitored and expedited by the senior management team, or the oversight body, as required.

ISO22301 lists both the inputs for the review process (‘…shall include consideration of:’), which include the reasons for change listed above, and the outputs, which are as one might expect, and include changes to resource requirements, including financial ones.

The frequency of these management reviews is, as always, a matter for the organisation. Those currently operating other management systems will have established similar management reviews, which should provide a yardstick for frequency.

Otherwise, a sensible starting point might be to review quarterly, allowing the programme management executive, and others, time to execute actions and tasks. The level and rate of change experienced during the early reviews will then inform the frequency of future reviews.
