ISO 22301 CONSULTANCY

On-site ISO Consultancy services to drive your Business Continuity Management System

Drive Continual Improvement

Use the ISO 22301 standard to drive a framework that protects against, reduces the likelihood of occurrence, and prepares your organisation to respond and recover from disruptive incidents when they arise.

ISO 22301

ISO 22301 is one of the most comprehensive and recognised international standards for Business Continuity management. Although relatively low in formal adoption by organisations, the principles and routines that are included in the Standard set out very useful requirements that an organisation can adopt to enhance its resilience.

Onsite Consultancy

Our onsite ISO Consultancy services provide you with the tailored support you need to achieve your goals for ISO Certification. Benefit from our insights to build a business continuity management system that delivers the outcomes you need. We bring clarity to ISO 22301 so that you develop your existing good practices into a highly effective business continuity management system.

What is the ISO 22301 Business Continuity Management Standard?

ISO 22301 is the internationally recognised standard for organisations that operate a business Continuity management System. The requirements in the ISO 22301:2012 Standard cover activities involved in planning for potential disruptive events and managing recovery operations to get organisations back to a normal operating state.

ISO 22301 is written as a generic standard, and its requirements can be applied as appropriate to an organisation. This ensures that it is accessible to all types of business.

Applying the 22301 Business Continuity Management standard to your management system will enable you to demonstrate:

There are tangible benefits to operating a Business Continuity management system to the requirements of the ISO 22301:2012 standard. As well as providing more effective and efficient processes, research has found that:

As far back as 2011, CA Technologies conducted a study where it showed that the average IT downtime for companies in Europe and North America is approximately 14 hours yearly. While this does not seem like an event which might have significant consequences, when calculated, it costs a staggering $26.5 billion, which is to say an average of $150,000 yearly for each company. The business case is further enhanced as some companies lose much more depending on their size and the nature of the products and services they offer.

Top 10 Situations that could lead to a Business Continuity Incident

The top 10 situations that could lead to a Business continuity incident have been reported in the BCI Horizon Scan report of 2018 as:

  1. Unplanned IT and telecom outages
  2. Adverse weather
  3. Interruption to utility supply
  4. Cyber Attack
  5. Availability of talent and skills
  6. Security incidents
  7. Transport network disruption
  8. New laws or regulations
  9. Fire
  10. Supply Chain disruption

The increase in likelihood of occurrence of these types of incidents is partly what is driving the adoption of business continuity management systems. Other drivers include a need to demonstrate resilience and the inclusion of the requirements in commercial contracts.

Scope of a Business Continuity Management system

ISO 22301 defines an incident as a ‘situation that might be, or could lead to, a disruption, loss, emergency or crisis’. These disruptive incidents are tangible threats to your organisation or business, so need a higher level of attention and planning in case they occur, compared to an incident of the type that could be managed through a quality or OHS system.

Therefore, it is important to differentiate between BC and other types of incidents in your own organisation, and how you want to manage them. In the scope of business continuity, the system helps you recover from the situation and get your activities up and running to an agreed service level and within a planned time frame.

‘Business Continuity Management’ is often defined as ‘a holistic process that ensure potential threats to an organisation are identified, as well as the impacts to business operations those threats, if realised, might cause’.

Business Continuity Management provides a framework for building organisational resilience and in addition, considers the interests of critical interested parties and stakeholders.

Business Continuity overlaps with conventional Occupational Health and Safety (OHS) systems, but where OHS ensures that emergency processes are in place to deal with issues of human health, the BCMS will focus on your service delivery and its recovery. Of course, in the event of some BC incidents, there is a higher risk of harm and hazards.

A key aim of a Business Continuity plan is that the organisation is protected because business performance is maintained, but negative impacts are minimised.

Plan-Do-Check-Act

Business Continuity, as all the ISO management systems, has adopted the PDCA cycle as the basis of continual improvement. Organisations don’t have to be perfect in order to have an effective BCMS, but the expectation of the ISO standard is that over time, your capabilities and effectiveness will improve if you critique your performance in order to improve.

In following the plan-do-check-act process, the management team will begin to improve their planning processes and develop their skills of critical assessment. Part of this improvement will be to crystallise business continuity objectives at both a strategic and operational level.

The Plan-Do-Check-Act process is a critical element of the management system, and each time the cycle is followed through, the capabilities of the team will get better. Tangible improvement arising will include:

Applying these skills to your organisation will enhance your Business Continuity performance and improve your brand reputation and skills.

Benefits of ISO 22301 Business Continuity

ISO 22301, as with other ISO standards also references the principles of ISO management. The table below sets out some examples of benefits against each principle

Process Approach
  • Implementing Business Continuity effectively influences the resilience of organisational processes against disruption
Leadership
  • Improvement in staff management and engagement
  • Gain competitive edge as competitors see you as a safe pair of hands
  • International recognition
  • Improved leadership discipline
Customer Focus
  • Organisations that implement Business continuity systems focus on providing reassurance for their customers
  • Customer focus and improved satisfaction leads to increased revenues because market advantage is gained
  • Potential for increased sales to new customers
  • Improved confidence and engagement with customers and interested parties
Continuous Improvement
  • Continuous improvement of processes leads to reduction in downtime
  • Continuous improvements can be gained across the organisation such as effective internal operations, better engagement with staff, reduced waste and more profit
Engagement with People
  • Human resources benefits; with a more engaged and committed work force leads to a reduction in staff turnover
  • Engagement with the local community leading to greater trust and less risk of complaints
Relationship management
  • Benefits gained with respect to subcontractor relations – subcontractors to become certified, better relations with subcontractors, more stringent control over subcontractors
  • Improved relationships with authorities and other stakeholders
Evidence-based decision-making
  • Decisions being more robust and focused on issues
  • Actions resulting from decisions being more effective
  • Clear decision-making processes

How do I get ISO 22301?

Many companies ask what they need to do to ‘get’ ISO 22301. The answer is to apply the requirements of the ISO 22301 Standard to their management systems. In many cases, a successful business will meet the requirements because they are successful.

Getting ISO 22301 is then a process of being certified. UKAS accredited Certification Bodies are the organisations that will carry out a series of audits of the business continuity management system against the ISO Standard. As a result of the audit (if the BCMS meets the Standard) the Organisation is then awarded an ISO 22301 Certificate.

How long does it take to get an ISO 22301 certificate?

If you are beginning your journey to certification, it is easiest to consider three phases:

  1. Developing the Business Continuity Management Systems
  2. Meeting the first phase of the ISO 22301 Audit Process
  3. Meeting the second phase of the ISO 22301 Audit Process

The process of developing a Business Continuity management system that meets the ISO 22301 standard can take anywhere from 3 to 12 months depending on the level of maturity of the organisation. In some cases, it is simply a case of introducing some new governance processes or developing documentation whereas in others, an organisation will need to start from scratch.

The first phase of the ISO 22301 audit process is a ‘Stage 1’ Audit, which will look at the readiness of the system, and check against the required documentation. The benefit of the Stage 1 audit is that the organisation can test out its ideas or identify gaps without risking failing. The audit will result in a report that defines the amount of work needed to be complete before the Stage 2 audit is completed.

Usually, there is a gap between the Stage 1 and Stage 2 audits of 4 weeks to 6 months, which allows the organisation to gather more data and increase its capabilities.

What does ISO 22301 cost?

Like any product or service that an organisation buys, it needs to apply a level of governance. Just because a Certification Body awards a Quality certificate doesn’t make them infallible. However, the UKAS accredited Certification Bodies are subjected to quality standards themselves and UKAS acts as Ombudsmen, which gives you assurance that any issues will be resolved appropriately.

Typically, direct audit costs are charged on a day-rate basis and the number of days will vary according to the size of the business. Companies up to 50 people can expect initial certification costs of approximately £7.5k, and ongoing costs of up to 3k per annum. You should note that ISO 22301 is more expensive than other ISO management standards as there are fewer auditors, and the skill sets required are very different.

Spedan Ltd are Associate Consultants to the major ISO Certification Bodies and can help clarify your costs before you commit to one supplier.

Unnecessary costs may harm companies, including their employees, departments and customers.

What others say:

Click to find out more about ISO 22301

4 key questions for Business Continuity
3 approaches to Business Continuity
3 approaches to Business Continuity

Talk to us about your ISO 22301 Business Continuity Management system.
We’ll give you beneficial insights, whether your system
is already certified or you're just starting out.