In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses Business Continuity standards and how they can help you improve your business continuity and resiliency program.
Topics discussed include the ISO 22301 Standard for Organizational Resilience, NFPA 1600, and the ASIS Business Continuity & Crisis Management Standard.
Related Episode & Blog Posts
- Blog Post: ISO 27031: Looking at ISO’s Disaster Recovery Standard
- Blog Post: Business Continuity Standards: How each can help you
- Blog Post: An overview of the NFPA 1600 Standard
- Episode #24 – The Traditional Business Impact Analysis (BIA)
- Episode #123: Plan Do Check Act and your BC Program
Hello, and Welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, Principal and Chief Executive at Bryghtpath. And in today’s episode, I’d like to talk about business continuity standards and how each of those standards can help you improve your program of resiliency and business continuity in your organization. No matter how much business experience you have, or how long you have looked, or studied, or thought about risk and resilience in your business, creating a business continuity program can seem daunting. But there are internationally recognized guidelines that exist to help you build the right program for your organization’s unique solution. I want to talk through all the essentials you need to understand each of the internationally accepted guidelines and decide which one works the best for you. These standards and guidelines save you from reinventing the wheel when it comes to business continuity by describing what your program needs.
These guidelines share many common elements, such as calling for top leadership support, your board, your senior executives, assessing risk and business impact analysis. In general, these standards can be adapted to large and small organizations in any industry. They’re also not prescriptive. They describe what you need to do, but not how you need to go about doing it. All of them though, reinforce the same broad business continuity goals. And those are reducing the risk of disruption, supporting the continuity of your business, and reassuring customers and stakeholders that you can continue to operate. I want to start by describing the NFPA 1600 standard on continuity emergency and crisis management.
NFPA is the National Fire Protection Agency, NFPA. This is a U.S.-centric emergency planning specification that’s become globally accepted. NFPA was one of the first standards related to business continuity that appeared after September 11th. The United States Department of Homeland Security adopted this standard, calling it as a, they were describing it rather, as a voluntary consensus standard for emergency preparedness. Likewise, the September 11th Commission Report recognized NFPA 1600 as the national preparedness standard at the time. Despite these endorsements, NFPA 1600 is just a guideline. It’s not a regulatory requirement. It makes up nine chapters on business continuity and emergency management, program management, planning, implementation, training, exercises and tests, and program improvement. Then there’s an Annex B that includes checklists for ongoing self-evaluation.
With its focus more on emergency management and planning, NFPA 1600 includes guidelines for setting up emergency operations centers, or EOCs, and dealing with mass casualty events. It briefly outlines the need for employee assistance, such as temporary or long-term housing, food, and mental health support. In 2019, a revision was published that adds a discussion about the importance of crisis management communication, including securing a reliable emergency communication system or emergency notification system. And then Annex J discusses social media management and engagement in a crisis. One component not included in the other guidelines is Annex H of this NFPA 1600 standard, which covers personal and family preparedness. This annex acknowledges that worrying about the safety and wellbeing of family can distract your team from their work. The annex provides suggestions on how organizations can train their employees to ensure family safety.
For example, it says that a plan must ensure that employees, and their families, and their pets are prepared for self-sufficiency for a minimum of three days. The annex adds a comprehensive list of information and documents that every individual should then copy and store in a safe place and add to their emergency go-bag. And for reference, you can learn more about planning for three days and having a solid emergency plan and emergency kit for personal, family, and community preparedness at Ready.gov, a part of FEMA and the U.S. Department of Homeland Security.
Then there’s the ISO, the International Standards Organization. The ISO 22301 standard, which used to be called the Standard for Organizational Resilience. In its most recent iteration, in 2019, we describe this as the business continuity management system requirements in the security resilience area. ISO is a global institution that researches and creates industry and other standards. All of its specifications, like NFPA, are voluntary. ISO doesn’t enforce these or any other standards. They just provide guidelines for what you should do. In 2012, ISO released the first version of their business continuity standard ISO 22301. As with the NSPA 1600 standard, large and small for-profit and nonprofit organizations can all benefit from these guidelines.
In summary, this standard requires these elements for a business continuity program, working with company management, to get the whole team on the same page regarding business continuity. Identifying essential individuals, groups, teams, or employees for specific functions and roles in the program. Creating a communications plan, particularly for large companies’ stakeholders. Defining the primary responsibility and rules for business continuity. Assessing risks to the business, including ways to prevent or limit the damage for a specific risk. Conducting a business impact analysis for different scenarios. This is a key step to identifying the functions that a company needs to maintain in emergencies.
Developing a system and an approach for control of records and maintaining important documents in different emergencies, such as having backups or printing out physical copies of important documents. Evaluate information and then develop a business continuity plan. Creating a long-term, comprehensive business continuity program to implement different elements of the plan in preparing for potential disasters. Training employees or the management team to implement the program. Raising awareness about risk management. Maintaining important documentation or paperwork. Testing and reviewing the strategy or exercises. Internal auditing, or having a third party check the business continuity system. Adjusting the plan of action. And then finally, getting the management team involved to review the process.
In addition, ISO 22301 provides a voluntary certification component, a way to get accreditation that an organization’s business continuity program complies with the 22301 specifications. Again, certification is not mandatory, but in some instances, such as winning certain government contracts, certification might be a business condition that you need to achieve. At Bryghtpath we typically use ISO 22301 as the basis for our business continuity program evaluation offering. ISO also has the 22317 guidelines for Business Impact Analysis or BIA. This is the second document published in their security series. This guide is the how-to part of the ISO 22301’s commentary and specifications for the Business Impact Analysis. It describes step-by-step how to conduct a BIA and how disruptions can affect an organization’s proper functioning and profitability.
It includes the following steps for creating a BIA, identifying activities that support how a business provides products and services, assessing how not producing those products and performing those services will impact the organization over time, setting priorities and timeframes for resuming business at a minimally acceptable level, identifying the connection and dependencies between the supporting resources for impacted business activities, providing ongoing review to ensure continual improvement of the BIA, guiding the organization in planning, conducting and reporting on the BIA, assisting the organization and its BIA in a consistent manner that reflects good practices. The ISO standards are all about agreed and “good practice.” And then lastly, opening the door for proper coordination between the BIA process and the overarching business continuity program. You can use ISO 22317 as a standalone guide to manage your BIA or use it in conjunction with ISO 22301.
And then there’s the ASIS, the American Society for Industrial Security Business Continuity Guideline, which they describe as a practical approach for emergency preparedness, crisis management, and disaster recovery. ASIS International, which is an association of security practitioners, is as it describes itself, “A step-by-step detailed outline for approaching business continuity.” It’s perhaps less well-known and less commonly adapted, but the plain language of this guideline makes it a very accessible reference. One interesting assertion in the introductory paragraphs is that personnel used for crisis management should be assigned to perform those roles as a part of their normal duties and not be expected to perform them only on a voluntary basis. The ASIS Guide includes a section on common business continuity terminology, which you may find, if you’re a newbie, may find that you appreciate.
The document’s substance lies in its clearly numbered sections and subsections that succinctly detail what you need to do to plan, and execute, and evaluate a business continuity program. The major sections cover readiness, prevention, response, resumption and recovery, training and testing, evaluation, and maintenance. ASIS includes a high-level checklist that outlines their high-level steps for approaching business continuity planning. ASIS echoes other guidelines in calling for management support a clear policy and plan. It adds detail on how to conduct a risk assessment, includes an example assessment chart, and describes how you should determine risk from a continuity standpoint. There is also great discussion about how to calculate the maximum allowable outage and recovery times.
The recovery section includes good elaboration on how to recognize a crisis. Warnings about natural disasters seem obvious, but things like cash flow and legislative and regulatory changes are more subtle. A unique aspect of this guideline is an emphasis on crisis communications, both internally and externally. It discusses how to convey a message, being honest about what you know, and what you don’t know. It also emphasizes that you must prepare ahead of time for crisis communications, including creating templates and determining fast distribution means such as through the internet, your corporate intranet, or a telephone hotline.
The ASIS Guideline also highlights the human element, as they describe it, declaring that people are the most important aspect of any business continuity plan or program. That managing and caring for people in a crisis includes deciding before an emergency, how you will account for staff, notifying the next of kin of any issues, assigning a family representative to help families deal with severe injuries or death, and how to provide counseling, financial support, and more. Although the technical document formatting and frequent use of shall in ISO 22301 and NFPA 1600 might make you reluctant to consult them, all of these standards contain valuable, clearly expressed ideas on building a solid business continuity system.
But the layout and detail in the ASIS Guideline make it a good choice for those of you that might be completely new to business continuity. Depending on your industry, you may favor one of these guidelines over another, but each of them has unique resources that you can dip into as needed. The three standards we’ve described here all contain similar guidance for creating, researching, and writing policy and plans, and conducting business continuity training. It’s worth noting that except for the ISO 22317 standard, all of these guidelines are available for free right now, at least for the duration of the COVID-19 pandemic.
So that’s a little bit about the widely accepted industry standards for business continuity, crisis management, and emergency preparedness. If you need advice or guidance in your business continuity program or determining which industry standard might be the best fit for you, we’ve built the processes and programs here at Bryghtpath for many Fortune 500 complex, nonprofit, privately-held in public sector organizations. We can help you. Contact us at 612-235-6435 or at Bryghtpath.com/contact. That’s it for this edition of the Managing Uncertainty Podcast. We’ll have a new episode next week. We hope you’ll join us then. Be well.