Business Continuity is fast becoming a critical discipline that forward thinking organisations are putting in place to manage situations that could have disastrous effects on their ability to function.
The ISO 22301 standard sets out practical requirements, which, if they are in place will help an organisation to meet the growing number of challenges that are being faced. These five terms will give you an insight to the type of actions and processes you should aim to have in place.
These terms define actions and objectives that you should have in your business continuity plans, but remember that good forward planning and identification of potential risks will help you define these actions and objectives for each type of risk or threat relevant to your organisation.
The Minimum Business Continuity Objective (MBCO) defines the minimum level of services or production that should be achieved following disruption to achieve an acceptable proportion of the business objectives. In simple terms, if disruption occurs, what do you absolutely need to achieve in order to function as an organisation and service your customers?
The Maximum Tolerable Period of Disruption MTPD or Maximum Acceptable Outage (MAO) defines the time-period that could be endured as a result of disruption before being deemed unacceptable. From the point that disruption occurs, it may be possible to continue operating, but the service levels may not be as high as you normally operate. Understanding what the MTPD could be for your organisation will provide you a target time to get services back up and running without losing customer trust.
The Recovery Time Objective (RTO) defines the period of time following disruption that the organisation aims to recover or resume its activities, production or service provision. Having defined the MTPD or MAO, you should be able to set a Recovery target time (the RTO) to recover your operations; ideally, the Recovery Time should be shorter than the defined period of disruption. The RTO may be different for each threat or risk you foresee.
The Recovery Point Objective (RPO) defines the point to which information used by an activity must be restored to enable the activity to operate on resumption. In other words, what is the minimum level of information or data that you can have to operate a process. Sometimes the RPO is used in conjunction with ‘Maximum Data Loss’ (MDL). If your disruption is caused by data loss, this will help you identify the maximum amount that you can lose before your processes are lethally affected. Define this level, and you will be able to put appropriate safeguards in place with back-ups or recovery points.
For an example of how these might be applied see A retailer business continuity management system
Please refer to the ISO 22301 for definitive statements if you are seeking certification to the ISO standard.
Related Articles4 key questions for Business Continuity
Adam has been working on Quality and Environmental management systems for most of his career in small, medium and corporate organisations. A keen advocate of the ISO approach as a platform for improvement, Adam ensures that systems are practical and useful for Managers and Staff to use.
Following a number of years working on software development projects, Adam has diversified into Information Security and Business Continuity management. Keen to formalise his industry experience, he is currently undertaking a Diploma in Business Continuity Management at Buckingham University.
Adam has a PhD from Cranfield University and now supports the MSc Environmental Management programmes through the advisory panel and visiting lectures.
If you have any further questions or want to learn more about what we can do for your business, please contact us using the link or details below:CONTACT US
Tel: 01908 255 525