Disaster planning: what does it take to reach the gold standard?

It is easier to restore operations after a catastrophic event if best practice is followed. Cue ISO 22301, the international standard for business continuity management prized by businesses and government departments

Among those responsible for business continuity and risk management, the saying “forewarned is forearmed” is apposite. Some choose to go the extra mile to prove their company’s level of preparedness by obtaining independent certification of it. 

ISO 22301, the international standard for business continuity management systems (BCMS), is often hailed as the gold standard for organisations that need to keep operating through catastrophes such as natural disasters, terrorist attacks or power blackouts. Certification against it is issued by accredited certification bodies, the British Standards Institution among them.

Samsung recently announced that its chip-manufacturing campus in Hwaseong, South Korea, had gained the coveted certification – a particularly important step, given the disruptions experienced by the semiconductor industry over the past couple of years. After a stringent audit, Microsoft also became the first hyperscale cloud service to receive certification, describing it on its website as the “highest available international standard” for enterprises and governmental organisations.

But certification to ISO 22301, first published in 2012, is not just for tech giants. It usually takes large organisations more than a year to go through the process from start to finish, but smaller companies can earn it in three to six months.

Former Army officer Chris Butler is head of resilience and continuity consulting at Databarracks and has expertise in the UK’s high-hazard energy sector, supporting those on the front line in nuclear power plants. Butler’s view is that ISO 22301 is appropriate for everyone, from those in regulated sectors such as finance, healthcare and national infrastructure, to those providing critical business services to organisations in complex supply chains.

“To earn certification, you have to show how business continuity fits in with other wider business practices, such as risk management, information security and disaster recovery,” he explains. 

“These other disciplines also have their own BC requirements, and it means accreditation is rarely – or shouldn’t be – a tick-box exercise. It will require a dedicated, trained team, preferably led internally, but supported by external consultants if needed, to implement the necessary actions to become certified.”

Butler warns, though, that leaders must “be clear” on why they need such certification. For instance, is it to prove resilience to customers, to win contracts, or simply the feeling that it would be a good idea to have it? “The leadership team needs to fully embrace the reason why, the concept and the approach, otherwise the resource will likely be wasted and diluted. There needs to be a board-level champion with the support of execs,” he advises.

How to safely maintain operations

Graham Brown has worked with government departments to manage crisis events and major incidents. He is now the owner and director of Strategic Continuity, a consultancy that guides clients through ISO 22301 certification and managing their business continuity management systems.

“It is becoming increasingly important for companies to have an ISO 22301-certified BCMS,” he says. “It helps them identify and mitigate key risks, reducing the threat of an incident before it even occurs. 

“Certification ensures controls and processes are implemented to enable organisations to effectively manage the disruption caused by major incidents. It enables organisations to safely maintain operations, ensuring their customers receive the level of service they expect.”

Such best practice frameworks are especially effective in terms of unexpected threats, Brown suggests, helping to aid a more rapid recovery. “Companies are so invested in ISO 22301, especially following the pandemic, since they recognise the importance of implementing a robust BCMS that helps deliver customer and stakeholder confidence, thereby improving brand reputation and providing a competitive advantage.”

Both Brown and Butler believe the most effective business continuity comes through a focus on ensuring cross-functional business relationships within teams to manage risks. “Companies need to build a solid community of practice across their organisation in order to create, develop and maintain staff familiar with and competent in the practices of BC,” Butler suggests.

“These staff do not by any means need to be dedicated BC staff, but familiarisation and training will very much help the overall efforts to embed BC. Embedding is a key feature of ISO 22301 certification.”

Update your continuity plans regularly

The process of achieving ISO 22301 certification often starts with an internal gap analysis. This will focus on ISO 22301 itself, which sets out the specific requirements of the standard, but also, Butler says, on ISO 22313, the companion document that provides guidance on applying those requirements. Taking the two together helps identify gaps in the business’s BC provisions. 

But he warns there is as much work to be done after certification as before, adding that it’s crucial not to overlook the danger of a company’s attention and priorities moving on after gaining certification. He explains: “If you don’t keep your BC management system up to date, you won’t pass the next audit. It needs a continuous commitment, which implies resources and capabilities – trained people, procedures, facilities, structures, exercises – and of course the management commitment to keep this on board-level agendas for monitoring, review and improvement.”

Such C-suite buy-in is critical, according to Andrew Pattison of IT Governance Europe. Certification can “sometimes be the easy bit”, he says, arguing that the real work only starts when it comes to maintaining the business continuity plans. “This means the organisation will need to review and, if required, update its plans, and then ensure there is a comprehensive testing schedule in place,” he warns.

“This requires commitment across the organisation, but it bears fruit when you need to invoke the plan. It’s at that point you realise all the effort was worth it, as disruption to your critical services is minimised to a level that the organisation and its interested parties are comfortable with.”

Of course, the level of effort required to get to that stage will vary. At workplace safety experts EcoOnline, the crisis management division is run by Morten Køpke, a former fighter pilot and airline captain. The company he founded, Pilotech, was acquired by EcoOnline in 2021. 

He suggests that companies vary widely in how difficult they find it to put proper business continuity planning procedures in place and to keep the documentation in order. But that is not a challenge to shy away from. 

“Revision of plans, training and exercising is what makes an organisation confident and gives them a culture in which they can handle anything,” Køpke says. “In my mind, this is true BCP and in essence, it is what ISO 22301 is all about.”