ISO22301 introduces standard terminology, consistent with other international management system standards, and whilst it no longer includes the rather important term ‘review’ from BS25999, it replaces this with a requirement to evaluate the business continuity procedures, together with the requirement to take corrective action when anything no longer conforms to requirements.
The case for continuously reviewing and maintaining the BCMS, particularly the executable parts of it, is already made. However, to ensure that this actually happens, the majority of organisations will benefit from establishing a review body.
Depending upon the nature of the organisation, regular review and maintenance of individual components, such as plans, procedures and contact information, will be conducted by a variety of people. One of the tasks of the review body should be to oversee this ongoing process: the monitoring and measurement of the BCMS in operation, and the testing of it.
Every executable component of the system should have an owner and a review status. The owner is then responsible for reviewing and maintaining the item according to the stipulated review schedule, and the review status records whether that has been done.
The timely and competent review and maintenance of plans and resources should become a KPI in the reporting and assurance process (see Chapter 11). This is achieved relatively easily by way of a document register (see Chapter 10) that includes information on ownership and review.
The first step in the overall improvement process is to decide what needs to be measured and therefore monitored.
Some key parameters for measurement are likely to include:
These are, of course, very general, but are likely to apply variously to features of the system, such as:
Meeting objectives is a measurement criterion that should probably always feature in a BCMS. Many certification auditors will expect to see some evaluation of whether the system is delivering what the Board have asked for: the objectives that are enshrined in, or referred to by, the policy.
Bearing in mind that BC arrangements generally only prove their ultimate worth in the event of an incident, demonstrating that all objectives are being met is, of course, a challenge.
This is where exercises may help; the report of an exercise may include an assessment of what the impact would have been had the incident, or scenario, been real; and this can then be compared with the impact limitation requirements within the BCM objectives.
Other objectives might include enhancing competitiveness, for example. Again, it is not easy to show that a new piece of business has been won, or lost, as a result of having a BCMS in place, and it will be for each organisation to work out how it can use the new resilience it has acquired as a competitiveness tool, and monitor its worth in that respect.
The BCMS itself should also be monitored, measured and evaluated on a regular basis, through internal audit and management review, as is common practice in other management systems. This process will typically include a mechanism for maintenance and improvement, through the recording and processing of preventive and corrective actions.
ISO22301 is not expansive on the requirements for internal audit. Those with knowledge or experience of other management systems will probably be familiar with procedures and systems in this area. Essentially, a documented procedure and audit plan will be required, setting out the criteria against which the BCMS should be audited, and a forward programme of audits, together with some evidence of previous planned audits having been completed.
The audit should focus on two aspects: that the BCMS continues to meet the organisation’s requirements and those of ISO22301:2012, and that it is being properly implemented and maintained.
There should be an audit programme that features:
The principle behind management review is that the BCMS, in particular the executable parts of it, will be most reliable and usable if it is reviewed for these attributes by management collectively, rather than by individuals acting alone, with clear accountability to the governing body for doing so.
The review process is there to identify changes that are required as a result, for example, of:
Ideally, this review will be conducted by the organisation’s senior management team, or otherwise, by the oversight body (committee).
Decisions taken as part of the management review should then become actions, or tasks, allocated to responsible individuals, for execution within a specified timescale. These actions should then be monitored and expedited by the senior management team, or the oversight body, as required.
ISO22301 lists both the inputs for the review process (‘…shall include consideration of:’), which include the reasons for change listed above, and the outputs, which are as one might expect, and include changes to resource requirements, including financial ones.
The frequency of these management reviews is, as always, a matter for the organisation. Those currently operating other management systems will have established similar management reviews, which should provide a yardstick for frequency.
Otherwise, a sensible starting point might be to review quarterly, allowing the programme management executive, and others, time to execute actions and tasks between reviews. The level and rate of change experienced during the early reviews will then inform the frequency of future reviews.