Business Continuity Management, ISO 22301, and a Common Error

Mar 25, 2014

The content in this blog was accurate at the time of publishing; however, as standards (and the understanding of their application) change, some of this information may no longer be applicable.
If you have any questions on this or the other topics we’ve covered, please get in touch and we can discuss any queries you may have.

I asked an MD recently if he had a Business Continuity Plan. He said “no, but I know 999 by heart”.

He added “So, Business Continuity Management, that’s Disaster Recovery, right?”. His highly successful company did not hold ISO 22301.

But obviously needed to.

That rare thing, an ISO Consultants-related joke, may have focussed his attention:

Question: What does a Business Continuity Plan have in common with a parachute?

Answer: When you find out that either doesn’t work, it may be too late.

The funny thing about my MD friend was that he’d just bought a nice house. A very nice house indeed, with a lovely 25-year mortgage. When his business premises caught fire and he called 999, I’m sure some very brave guys would come and put the fire out. And maybe his insurance company might (eventually) pay out and give him enough money to build another nice shiny factory.

So, all would be well.

Well, on one level, yes. But that’s not the whole story.

How would he pay his mortgage in the meantime? And in the 12-18 months it takes to get the insurance payment, then build another factory, what would his customers do? (Probably not wait…)

Business Continuity Management is a lot more than Disaster Recovery, although the latter does play a small part. It’s about how you keep your business running after a disaster, and not just barely coping through poorly-conceived “recovery” plans.

So how do you keep your customers coming to you when all their stock has gone up in smoke and their delivery targets are under threat? When your outsourced IT team goes into receivership, and their servers (containing your data) have been repossessed, or floated off in “The Cloud”, how is your business to continue trading?

A Business Continuity Management system involves a systematic, structured review of your business, identifying the threats to it under emergency or unusual circumstances, and establishing a specific plan to ensure that contingencies are in place to address any foreseeable risks or shortcomings. There’s no mystery, just realistic and logical analysis of what will keep you “on the air”.

A few years ago, two mobile phone manufacturers were buying their custom chips from the same supplier. A fire destroyed the chip-making factory, leaving both without the “brains” to their best-selling products. One had a Business Continuity Plan, put it into action, had only a minor dip in its shipments, and maintained its market share.

The other had no plan at all, took weeks to find an alternative supply, and by the time their products were back in the market, they’d lost their share, and were too far behind the competition to catch up. The company concerned, an international telecoms company with vast resources, are no longer in the mobile phone market, but I understand they now have very good Business Continuity Plans.

BS 25999, now ISO 22301, gives a structured approach to developing an effective Business Continuity Plan for your business and is quickly becoming accepted by large procurement organisations as a mandatory requirement for suppliers. So you’ll be ruled out of major bids if you don’t have it. Even the government consider it important enough to now publish a Business Continuity Toolkit.

My industrial background, as well as 25 years in the quality and standards industry, has shown me many examples of situations where things have gone very wrong indeed. So I’d like to think that I bring a pragmatic, experienced, and practical approach to the topic, and not one I acquired from a three-day course in Milton Keynes.

So, I’ll start where you are, most definitely in the real world, with what will work for your business. You may be able to obtain basic information from a variety of sources, but it’s the application of this that will make the difference between something theoretical and ineffective, and a plan based around ISO 22301 that will get you (and keep you) out of trouble.

I’m here when you want to talk.

Written by Colin Brown of ISO Consultants