ISO 22301 - BC


ISO 22301:2019

Business Continuity Management Systems
Course Objectives
• Introduction to ISO
• To develop an understanding of Business Continuity
• To understand how to use the toolkit
• To understand how to undertake a business impact analysis for your organisation
• To understand how to develop a business continuity plan for your organisation
www.england.nhs.uk 2
Ice Breaker
Tell the group:

• Your name
• Role and department you work in
• What role you have in business continuity
• Whether you have ever been involved in responding to a business continuity incident
• Favourite sweet you had when you were growing up!
Introduction to ISO
• ISO is an international body that develops international standards, with member bodies from over 160 countries
• Established in 1947
• It publishes international standards and operates as an NGO
• It has developed over 22,000 standards
ISO Certification process
• Develop a need (why you need ISO certification)
• Training
• Pre-assessment – an optional pre-assessment identifies any omissions or weaknesses that need resolving.
• Assessment (audit/gap analysis) – this comprises a number of stages, depending on the chosen standard.
• Certification – the certificate is valid for 3 years
• Compliance – your client manager will carry out ongoing (surveillance) assessments to support your continual improvement activities.
What is Business Continuity?

ISO 22313/22301 - Business Continuity

Holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

• It enables an organisation to respond more effectively and recover more quickly, thereby reducing the impact on people, products and the organisation's bottom line.

• ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.

• First published in 2012 and revised in 2019 (Business Continuity Institute)

• ISO 22301 is the requirements standard: its clauses use "shall" and are what an auditor certifies against
• ISO 22313 is the guidance standard: its clauses use "should" and explain how to meet ISO 22301
Step 1: Understand the Organisation
Worked example: ABC Corp, May 2022
What is a Business Continuity Management System?

A business continuity management system emphasises the importance of:

• understanding the organisation's needs and the necessity for establishing business continuity management policy and objectives,
• implementing and operating controls and measures for managing an organisation's overall capability to manage disruptive incidents,
• monitoring and reviewing the performance and effectiveness of the BCMS, and
• continual improvement based on objective measurement.
What could cause an enterprise to fail?
• Any form of physical disaster which disables the operations:
  • Fire
  • Flood
  • Earthquake
• Failure of internal controls:
  • Theft
  • Security breach
  • Fraud
  • Corrupt practices
• Failure of technology (communications, computers, …)
• Failed internal and external infrastructure (power, water, security, transport, …)
• Governance or compliance failure
• Market forces
• Failure of third parties (dependencies on facilities, services, suppliers, …)
• …
Some Impacts of a BC event
• Interruption of standard operating procedures
• Inability to meet service levels, deadlines
• Cash flow issues
• Financial losses
• Interruption of services to customers or stakeholders
• Damaged reputation / credibility
• Loss of market share
• …

Any one of these can result in the failure of the enterprise!
Benefits: a wise investment

a) from a business perspective:
• supporting its strategic objectives;
• creating a competitive advantage;
• protecting and enhancing its reputation and credibility;
• contributing to organizational resilience;

b) from a financial perspective:
• reducing legal and financial exposure;
• reducing direct and indirect costs of disruptions;

c) from the perspective of interested parties:
• protecting life, property and the environment;
• considering the expectations of interested parties;
• providing confidence in the organization's ability to succeed;

d) from an internal processes perspective:
• improving its capability to remain effective during disruptions;
• demonstrating proactive control of risks effectively and efficiently;
• addressing operational vulnerabilities.
Optical Illusion (image slide)

Preparation
• Before, during and after

Monkey Business (image slide)
Solution
International BCM Standard – ISO 22301

Clause 1 : Scope
Clause 2 : Normative references
Clause 3 : Terms and definitions
Clause 4 : Context of the organisation
Clause 5 : Leadership
Clause 6 : Planning
Clause 7 : Support
Clause 8 : Operation
Clause 9 : Performance evaluation
Clause 10 : Improvement
Please implement a BCMS – not just BCM

• "Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity" – ISO 22301

• Ensure continual improvement via the PDCA cycle
Business Continuity Implementation Roadmap (diagram slide)
Clause 4 : Context of the organisation

• The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.

• NOTE These issues will be influenced by the organization's overall objectives, its products and services and the amount and type of risk that it may or may not take.
Build culture across all Interested Parties

Interested parties around THE ORGANIZATION (diagram):

External: Customers, Competitors, Citizens, Media, Distributors, Commentators, Shareholders, Trade Groups, Investors, Neighbours, Owners, Pressure Groups, Insurers, Emergency Services, Government, Transport Services, Regulators, Other Response Agencies, Recovery Services, Suppliers, Contractors, Dependents of staff

Internal: Top Management; those who establish policies and objectives for the BCMS; those who set up & manage BC; those who maintain BC procedures; owners of business continuity procedures; Incident Response Personnel; those with authority to invoke; appropriate spokespeople; Response Teams; Other Staff

*The relevant requirements of these interested parties.


Legal and regulatory requirements
• The organization shall:
a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources;
b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS;
c) document this information and keep it up to date.
Determining the scope of the business continuity management system (Extent)

• The organization shall determine the boundaries and applicability of the BCMS to establish its scope.
• When determining this scope, the organization shall consider:
• a) the external and internal issues referred to in 4.1;
• b) its mission, goals, and internal and external obligations;
• c) its location(s), size, nature and complexity;
• d) the products and services to be included in the BCMS (key products).

Plan Do Check Act Cycle (diagram slide)
Determining the scope of the business continuity management system (Extent)

• The organization shall:
• a) establish the parts of the organization to be included in the BCMS, taking into account its location(s), size, nature and complexity;
• b) identify products and services to be included in the BCMS.
Understanding the Organisation (diagram)

• Purpose of Organisation, seen in its Internal Context and External Context
• Suppliers & Partner Organisations supply Products & Services into the organisation
• The organisation delivers Products & Services to Patients & Clients
• Activities, supporting activities, and dependencies on supporting activities
• Assets and resources
Business Impact Analysis

Effective Business Continuity Management (BCM) starts with identifying all functions within, and services delivered by, the organisation.
A business impact analysis (BIA) is the primary tool for gathering this information and then assigning each a level of criticality.
Business Impact Analysis (BIA) Template
• Risk assessment and treatment
• Prioritisation of activities, including Recovery Time Objectives (RTO) and Maximum Tolerable Period of Disruption (MTPD)
• Identify resources required for maintenance of priority services
Business Impact Analysis

Prioritisation tiers:
• Activities that cannot tolerate any disruption
• Activities which can tolerate very short periods of disruption
• Activities which could be scaled down if necessary for short periods of time
• Activities which could be suspended if necessary

Source: ISO 22313
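Worked example, added here and not part of the slide deck or of ISO 22301/22313: a small Python check over a BIA register that applies the two rules the BIA template above implies. Each activity's RTO must sit inside its MTPD, and every supporting activity or resource an activity depends on must itself recover no later than that activity's RTO, otherwise the prioritisation is not achievable. The activity names, timeframes and dependencies are constructed sample data, not NHS figures, and treating RTO equal to MTPD as a failure is this example's own conservative choice.

```python
"""BIA consistency checks: RTO inside MTPD, and supporting activities that
recover in time for the activities that depend on them.

Added illustration, not code from the slide deck or from ISO 22301/22313.
All activity names, timeframes and dependencies are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Activity:
    name: str
    mtpd_hours: float        # maximum tolerable period of disruption
    rto_hours: float         # recovery time objective; must sit inside the MTPD
    depends_on: List[str] = field(default_factory=list)  # supporting activities / resources


# Constructed sample register (hypothetical values, not real NHS figures).
SAMPLE_REGISTER: List[Activity] = [
    Activity("Emergency triage", mtpd_hours=0.5, rto_hours=0.25,
             depends_on=["Patient record system", "Power"]),
    Activity("Patient record system", mtpd_hours=4, rto_hours=2,
             depends_on=["Power", "Network"]),
    Activity("Power", mtpd_hours=1, rto_hours=0.5),
    Activity("Network", mtpd_hours=8, rto_hours=4),
    Activity("Outpatient booking", mtpd_hours=24, rto_hours=8,
             depends_on=["Patient record system", "Printing"]),
    Activity("Payroll", mtpd_hours=120, rto_hours=168),
]

Finding = Tuple[str, str, str]   # (activity, finding kind, detail)


def check_register(register: List[Activity]) -> List[Finding]:
    """Return one finding per inconsistency; an empty list means the register is coherent."""
    by_name: Dict[str, Activity] = {a.name: a for a in register}
    findings: List[Finding] = []
    for a in register:
        # An RTO equal to the MTPD leaves no margin, so treat it as a failure too
        # (assumption of this example; some organisations accept equality).
        if a.rto_hours >= a.mtpd_hours:
            findings.append((a.name, "rto_exceeds_mtpd",
                             f"RTO {a.rto_hours}h is not inside MTPD {a.mtpd_hours}h"))
        for dep_name in a.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                # Resource named in the BIA but never analysed: a gap in the register.
                findings.append((a.name, "unknown_dependency",
                                 f"'{dep_name}' is not in the register"))
            elif dep.rto_hours > a.rto_hours:
                # The supporting activity comes back later than this activity needs it.
                findings.append((a.name, "dependency_too_slow",
                                 f"'{dep_name}' recovers in {dep.rto_hours}h, "
                                 f"after this activity's RTO of {a.rto_hours}h"))
    return findings


def prioritise(register: List[Activity]) -> List[str]:
    """Recovery order: shortest MTPD first, ties broken by shortest RTO."""
    return [a.name for a in sorted(register, key=lambda a: (a.mtpd_hours, a.rto_hours))]


if __name__ == "__main__":
    print("Recovery order:", " > ".join(prioritise(SAMPLE_REGISTER)))
    for activity, kind, detail in check_register(SAMPLE_REGISTER):
        print(f"[{kind}] {activity}: {detail}")
```

On the sample register the check flags five problems: "Emergency triage" depends on two resources that recover after its 15-minute RTO, "Patient record system" depends on a network with a slower RTO than its own, "Outpatient booking" names a "Printing" resource nobody has analysed, and "Payroll" has an RTO longer than its MTPD. The dependency rule is applied one hop at a time, which is enough, because a chain such as triage → records → network is caught at whichever hop is too slow; mistyped dependency names surface as unknown_dependency findings rather than silently passing.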

Activity 2
• In your groups:

• Identify your organisation's/department's essential activities/services
• What are the resources required to deliver these?
• Are there any apparent risks to maintaining these prioritised activities?
• How will you reorganise to maintain these prioritised activities in the event of a disruptive incident?
Clause 5 : Leadership

Top management shall demonstrate leadership and commitment with respect to the BCMS by:
a) ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the BCMS requirements into the organization’s business processes;
c) ensuring that the resources needed for the BCMS are available;
d) communicating the importance of effective business continuity and of conforming to the BCMS requirements;
e) ensuring that the BCMS achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the BCMS;
g) promoting continual improvement;
h) supporting other relevant managerial roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.


Best Practices

• Choose the right people
• Provide effective training in advance of the implementation
• Implement the full BCM lifecycle
• Commitment of Top Management
• Competency of all resources
• Right communication and tools
• Clearly defined roles, responsibilities, and authorities
• Continued management focus on the BCM Program

Policy Development
• Top management shall establish a business continuity policy that:
a) is appropriate to the purpose of the organization;
b) provides a framework for setting business continuity objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the BCMS.

Communicating the business continuity policy

The business continuity policy shall:
a) be available as documented information;
b) be communicated within the organization;
c) be available to interested parties, as appropriate.

Policy Implementation

Top management shall assign the responsibility and authority for:
a) ensuring that the BCMS conforms to the requirements of this document;
b) reporting on the performance of the BCMS to top management.
Elements of Business Continuity Management (ISO 22313)

• Operational planning and control
• Business impact analysis and risk assessment
• Business continuity strategy
• Establish and implement BC procedures
• Exercising and testing
Business Continuity Strategy Options

Stakeholders
Technology
Information
Premises
Suppliers
People

Adapted from PAS 2015

Activity 3
In your groups discuss:

• Does your organisation have a business continuity strategy?
• What do you think a business continuity strategy should contain, and why?
• Who is the organisation's senior business continuity champion?
• Does your organisation have an agreed essential service list?
Activity 3 Summary
• The business continuity policy is a senior management responsibility. The policy:
• is appropriate to the organisation
• provides a framework for setting business continuity objectives
• includes a commitment to continual improvement of the business continuity management system
Reviewing Business Continuity

• Plans should be reviewed and updated when:
• Changes to key staff or partners take place
• The organisation is restructured
• Prioritised activity is delivered differently
• The external environment changes, e.g. statutory change, NHS England requirement
• Lessons are identified from an incident or exercise

Questions
Next Steps……

• Clause 5 : Leadership
• Clause 6 : Planning
• Clause 7 : Support
• Clause 8 : Operation
• Clause 9 : Performance Evaluation
• Clause 10 : Improvement