No matter how much business experience you have or how long you’ve studied risk and resilience in your businesses, creating a business continuity program can seem daunting. But internationally recognized guidelines exist to help you build the right program for your organization’s unique situation.
This article provides you with all the essentials you need to understand each guideline to decide which one works best for you.
These guidelines save you from reinventing the business continuity program wheel by describing what your program needs. The guidelines share many common elements, such as calling for top leadership support, risk assessments, and business impact analyses. In general, these standards are adaptable to large and small organizations in any industry. They are also not prescriptive—they describe what you need to do, not how you should do it. All of them reinforce the same broad business continuity goals:
- Reduce the risk of disruption
- Support continuity of business
- Reassure customers and stakeholders
NFPA 1600 Standard on Continuity, Emergency, and Crisis Management
National Fire Protection Agency (NFPA) 1600 is a U.S. emergency planning specification that has also become globally accepted. NFPA was the first of the business continuity standards to appear after 9/11. The United States Department of Homeland Security adopted the standard that the NFPA site calls “as a voluntary consensus standard for emergency preparedness.” Likewise, the 9/11 Commission report recognized NFPA 1600 as the national preparedness standard.
Despite such endorsements, NFPA 1600 is still a guideline, not a requirement. It includes nine chapters on business continuity program management, planning, implementation, training, exercises and tests, and program improvement. Annex B provides checklists for ongoing self-evaluation.
With its emergency planning focus, 1600 includes guidelines for setting up emergency operations centers and dealing with casualties. It briefly outlines the need for employee assistance, such as temporary or long-term housing, food, and mental health support.
The 2019 version adds a discussion of the importance of crisis management communication, including securing a reliable emergency communication system, and Annex J discusses social media management in a crisis.
A component not included in other guidelines is Annex H, Personal and/or Family Preparedness. This annex acknowledges that worrying about the safety and wellbeing of family distracts people from their work. The annex provides suggestions for how organizations can train their employees to ensure family safety. “A plan must ensure employees and their families and pets are prepared for self-sufficiency for a minimum of three (3) days.” The annex adds a comprehensive list of important information and documents that every individual should copy and store in a safe place and add to their emergency go-bag.
ISO 22301 Security and resilience — Business continuity management systems — Requirements
The International Standards Organization or ISO is a global institution that researches and creates industry and other standards. All its specifications are voluntary. ISO can’t enforce these or any other standards. ISO simply provides guidelines for what you should do.
In 2012 ISO released the first document in its ISO 22300 societal security series, ISO 22301, the business continuity planning standard. As with NPFA, large and small, and for-profit and not–for-profit organizations can benefit from the guidelines. In summary, the guideline requires these elements for a business continuity program:
- Working with the company management to get the entire team on the same page regarding business continuity planning.
- Identifying essential individuals, groups, teams, or company employees for specific functions and roles in the program.
- Creating a communication plan, particularly for large company shareholders.
- Defining the primary responsibilities and rules for business continuity.
- Assessing risks to the business, including ways to prevent or limit the damage for specific risks.
- Conducting a business impact analysis for different scenarios. This step is key for identifying the functions that a company must maintain in emergencies.
- Developing a system for record control and maintaining important documents in different emergencies, such as setting up a backup system or printing out physical copies of important documents.
- Evaluating information and then developing a business continuity plan.
- Creating a long-term business continuity program to implement different elements of the plan and prepare for potential disasters.
- Training employees or the management team to implement the program.
- Raising awareness about risk management.
- Maintaining important documentation or paperwork.
- Testing and reviewing the strategy.
- Internal auditing or having a third party from the company check the system.
- Adjusting the plan of action.
- Getting the management team involved to review the process.
In addition, ISO 22301 provides a voluntary certification component, which offers accreditation that an organization’s business continuity program complies with the 22301 specifications. Again, certification is not mandatory, but in some instances, such as winning government contracts, certification may be a business condition.
At Bryghtpath, we typically utilize ISO 22301 as the basis for our Business Continuity Program Evaluations.
ISO 22317 Guidelines for Business Impact Analysis (BIA)
ISO 22317 is the second document published in the ISO 22300 societal security series. The guide is the “how-to” part of the ISO 22301 business impact analysis (BIA) specification. It describes step-by-step how to conduct a business impact analysis or how disruptions can affect an organization’s proper functioning and profitability. ISO 22317 includes these steps for creating a BIA:
- Identify activities that support how a business provides products and services.
- Assess how not producing those products and performing those services will impact the organization over time.
- Set priorities and timeframes for resuming business at a minimum acceptable level.
- Identify the connection and dependencies between the supporting resources for the impacted business activities.
- Provide ongoing review to ensure continual improvement of the organization’s BIA.
- Guide the organization in planning, conducting, and reporting on BIA.
- Assist the organization in its BIA in a consistent manner reflecting good practices. ISOs are all about agreed and “good” practices.
- Open the door to proper coordination between BIA and the overarching business continuity program.
You can use 22317 as a stand-alone guide for preparing a BIA or with ISO 22301.
ASIS Business Continuity Guideline – A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery
Published by ASIS International, an association of security practitioners, the ASIS Business Continuity Guideline is, as it says, a step-by-step, detailed outline for approaching business continuity. Although perhaps less well-known and therefore less commonly adapted, the plain language makes it an accessible reference.
One interesting assertion in the introductory paragraphs is that “Personnel used for crisis management should be assigned to perform these roles as part of their normal duties and not be expected to perform them on a voluntary basis.”
The ASIS guide includes a section on common business continuity terminology, which business continuity newbies may appreciate. The document’s substance lies in numbered sections and subsections that succinctly detail what you need to do to plan and execute a business continuity program. The major sections consist of Readiness, Prevention, Response, Resumption/Recovery, Training/Testing, and Evaluating and Maintenance. ASIS includes a high-level checklist outlining the high-level steps for approaching business continuity planning.
ASIS echoes other guidelines in calling for management support, a BC policy and a plan. It adds detail on how to conduct a risk assessment, includes an example assessment chart, and describes how to determine risk. There’s also a good discussion of how to calculate the maximum allowable outage and recovery times.
The Recovery section includes an interesting elaboration on how to recognize a crisis. Warnings about natural disasters seem obvious, but cash flow and legislative changes are more subtle.
A unique aspect is an emphasis on crisis communication, both internal and external. It discusses how to convey a message: be honest about what you know and what you don’t know. It also emphasizes that you must prepare ahead of time for crisis communications, including creating templates and determining fast distribution means, such as the internet, intranet, or telephone hotline.
The ASIS guideline also highlights the “Human Element,” as they call it, declaring that “[p]eople are the most important aspect of any BCP.” Managing and caring for people in a crisis includes deciding before an emergency how to account for staff, notify next-of-kin of any issues, assign a family representative to help families deal with severe injuries or death, provide counseling, financial support, and more.
Although the technical-document formatting and frequent use of “shall” in ISO 22301 and NFPA 1600 may make you reluctant to consult them, both standards contain valuable, clearly expressed ideas on building a solid business continuity system. However, the layout and detail in ASIS make it a good choice for someone completely new to business continuity. Depending on your industry, you might favor one of these guidelines over another. But each has unique resources that you can dip into as needed.
Unique Resources in Business Continuity Standards
ISO 22301, NFPA 1600, and the ASIS Business Continuity Guideline contain similar guidance for creating researching and writing policy and plans, and conducting business continuity training.
The table below lists some of the unique supplemental resources available in these documents.
|Resource Type||Guideline Document||Resource Type||Guideline Document|
|Business Continuity Planning Checklists||ASIS Business Continuity Guideline Appendix A; NFPA 1600 Annex B||Types of Risk That Could Impact a Business and sample risk matrix||ASIS Business Continuity Guideline Section 11.1.2a|
|Terminology||ASIS Business Continuity Guideline Section 10.0||Business Impact Analysis step-by-step||ASIS Business Continuity Guideline Section 11.1.3 to 11.1.3d|
|Small Business Preparedness Guide with Resources and Checklist||NFPA 1600 Annex C||Crisis Communication||ASIS Business Continuity Guideline Section 11.3.6|
|Personal and Family Preparedness||NFPA 1600 Annex H||Test and Exercise Scenarios, scenarios, roles and participants||ASIS Business Continuity Guideline Section 12.1.2g, hi, and i|
|Access and Functional Needs Guideline (including for non-native English-speaking populations, pregnant women, persons experiencing homelessness, and more).||NFPA 1600 Annex I|
|Social Media in Emergencies (case studies, planning guidelines, including staffing, content, demographic considerations)||NFPA 1600 Annex J|
|Emergency Communications: Public Alerts and Warnings in Disaster Response (including definitions of alerts and warnings, and different notification methods)||NFPA 1600 Annex K|
It’s worth noting that, except for ISO 22317, these guidelines are available for free online at the very least for the duration of the COVID-19 pandemic.
Can we help you?
Do you need advice or guidance in your business continuity program or determining which industry standard might be the best fit for you? We’ve built the processes and programs for many Fortune 500, complex non-profit, and public sector organizations.