Fail to plan. Plan to fail

Benjamin Franklin once said “Fail to plan. Plan to fail.” 

Given the panic we witnessed over recent weeks, where organisations hastily put together ‘Contingency plans’ I think Benjamin Franklin was right.  But what about those organisations said had Business Continuity Plans (or claimed to), yet they still struggled to affect recovery and therefore continue to struggle. 

So what went wrong?

Of course, it’s too early to tell, and I’m sure there’ll be lots of analysis in the months and years to come, but there is a clear difference between those who understand the true nature of Business Continuity Management and those who ‘had a plan’.

I think in the months to come there will be a focus on supply chains to demonstrate that they have robust Business Continuity Management processes in place, not just ‘have a plan’. This isn’t as difficult as it sounds as there is a standard which can help you put in place a structured approach to developing plans that might actually work.

This standard has been around since 2012.

ISO22301; A Structured approach to Business Continuity Management

I think it’s reasonable to state that those organisations that ‘had a plan’ have fared better than those who didn’t have a plan at all. But it’s also reasonable to say that those who have previously implemented the standard for Business Continuity Management, ISO22301 have faired far better than those who simply ‘had a plan’.

Introducing ISO22301

ISO22301 helps you to understand the steps required to recover your business, in the event of disruptive events, but more importantly, it helps you understand what you will need in the event of a disruptive event.

If you’re familiar with standards like ISO27001, or ISO9001, you’ll be happy to know that ISO22301 was actually the first standard to adopt the new structure of standards. Meaning if you already have these standards, adopting ISO22301 isn’t too difficult.

What does it cover?

Rather than ‘having a plan’, ISO22301 requires organisations to complete a full ‘Business Impact Analysis’ and Risk Management process. Meaning that it requires deeper thinking about the potential impact of a disruptive event, over a given period of time (typically 24hrs, one week, two weeks, 1month, 3months+ etc).

Using ISO22301 as a framework allows me to ask you some difficult questions. Questions that we should have answered a long time ago. Such as;

• What functions are critical to your business?
• What is the minimum turnover you can sustain continued operation?
• How many people do you need in X team?
• What is the impact on Reputation, Financial stability, morale over X period?
• Which systems are critical to your business?
• How long could you last without X system?
• Who are the critical stakeholders you need to sustain your business?
• Who would you need in your Crisis Management Team?
• What manual workarounds do you have?

These are just some of the questions that can (and often are) asked when I perform a Business Impact Analysis, coupled with a Risk Assessment (where we discuss the likelihood and impact of an event occurring).

Organisations who take this structured approach to Business Continuity Management also benefit as they understand that this discipline is made up of three core components

• Crisis Management – The actions and teams required immediately following an ‘event.’
• Business Continuity – The processes you need to keep the business going
• Disaster Recovery – The actions and processes needed to recover the business.

This structure ensures people can move from ‘crisis’ through to recovery quickly and easily without ‘sitting’ on their Business Continuity Plan.

ISO22301 gives you the structure that allows you to put this in place.  But you need to learn how to read the map before it becomes useful.

Conclusion

In the months to follow this Pandemic, I believe we’ll see more and more organisations requiring evidence that your organisation has fully considered Business Continuity.

But there are additional benefits for implementing standards like ISO22301 as it provides you with the knowledge that, given a major event (like a Pandemic), you have all you need to recover in an effective and timely way.

Many organisations have already implemented the security standard, ISO27001 and are looking for further evidence that an organisation will be there when they need them.  ISO22301 is a great way to differentiate yourself from your competitors, but also gives you invaluable data about the strength and weaknesses in your business.

Just one component, the Business Impact Analysis, is reason enough to invest in the ISO22301. Having a clear understanding of where a breach or disruptive event comes from, and the impact it would have on your business is invaluable.

The standard requires that your organisation has considered the strategies you would employ, dependent upon key scenarios (who’d have thought ‘home working for three months’ would have been a strategy? Many of the people who implemented ISO22301 did). It’s a standard that provides a host of benefits, once implemented (correctly). Not least of which is the knowledge that you’ll know what to do if and when a disruptive event occurs.

Because as I said previously, ‘Having a plan’ and knowing what to do with it are two very different things.

It’s a bit like saying “I have a cookbook”, compared to saying “I know how to cook”.