Benchmarking Against International Standards Brian Zawada (MBCI, MBCP) June 10, 2014

Benchmarking Against International Standards... · 2016-06-14 · Benchmarking Against International Standards Brian Zawada (MBCI, MBCP) June 10, 2014. ... • Case Study: Pen Electronics


Benchmarking Against International Standards

Brian Zawada (MBCI, MBCP)

June 10, 2014


Session Objectives

• Briefly introduce ISO 22301 as a source of international best practices

• Not only “sell” you on its use, but also describe how standards such as ISO 22301 are a source of content that you can use to benchmark your preparedness efforts and drive continual improvement


Agenda

• Overview and Value Proposition

– ISO 22301 Overview

– Using Standards to Drive Performance (and Benchmark)

• Case Study: Pen Electronics Inc.

– Company Overview

– Using the ISO 22301 Content

– Scenario: Responding to a Disruptive Incident (and driving continual improvement)

• Case Study Takeaways

• Conclusion and Questions


WHAT IS ISO 22301?


“This International Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”


What is ISO 22301?

World’s First International Business Continuity Standard!


Replaced BS 25999-2, effective November 2012


What is ISO 22301?

• A “Requirements” document for a Business Continuity Management System (BCMS)

• Set up, operate and continuously improve a BCMS

– Alignment to PDCA

• Adaptive (“plug and play”)

• A resource to drive performance

• Minimal “jargon”


ISO 22301 Table of Contents

Introduction

• Clause 1: Scope

• Clause 2: Normative References

• Clause 3: Terms and Definitions

Requirements

• Clause 4: Context of the Organization

• Clause 5: Leadership

• Clause 6: Planning

• Clause 7: Support

• Clause 8: Operations

• Clause 9: Performance Evaluation

• Clause 10: Improvement


Plan-Do-Check-Act

Plan (4-7)

Do (8)

Check (9)

Act (10)


Value Proposition - Why ISO 22301?

• Aligning to ISO 22301 allows organizations (regardless of size and composition) to build a business continuity management system (BCMS) that incorporates internationally recognized business continuity and management systems best practices.

• ISO 22301 is built based on the Plan-Do-Check-Act model enabling organizations to build and continually improve a BCMS.

• ISO 22301 is written to enable organizations to embed and align their BC objectives with the strategic objectives of the parent organization.

• International standards are respected by customers and create a common language used across industries.

• ISO 22301 uses minimal jargon and is adaptive, rather than prescriptive.

• ISO 22301 is a comprehensive resource for setting up, operating and continually improving a BCMS, rather than just performing BC planning.


Overview & Value Proposition: Why Management Systems?

• A management system is a set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives.

– Program = Methodology, BC Methodology

– Management System = Strategic Alignment, Methodology, Continuous Improvement Through Management Engagement (with tried and true activities designed for success)

• A management system is:

– Built-In (consistent) executive involvement

– Scoped based on products and services

– Aligned to other disciplines

– Focused on continual improvement


Key Elements of a Management System

• Documentation (Clause 7.5+)

• Metrics (Clause 9.1)

• Corrective Actions (Clause 10.1)

• Objectives, Priorities, Scope (Clause 4)

• Obligations and Risk Appetite (Clause 4)

• Leadership (Clause 5)

• Management Review (Clause 9.3)

• Competencies (Clause 7.2)

• Products and Services (Clause 4)

• Internal Audit (Clause 9.2)


Case Study – Pen Electronics Inc. (Company Overview)


Company Profile (Overview)

• Pen Electronics (“Pen”) is a $3B privately-held producer of advanced circuit boards

• Manufacturing is carried out exclusively in the United States at four separate locations in CA, TX, GA, and OH

• Distribution centers are co-located with manufacturing plants

• Pen’s headquarters and administration activities are carried out exclusively in CA (HR and Payroll outsourced)

• Pen ships its circuit boards to technology manufacturers in the United States, Asia, Canada and Europe (e.g. Lenovo, HP)

• Pen has ~4000 employees (1100 – CA; 950 – TX, GA & OH)


Company Profile (Overview)

[Map: Pen’s Facilities – CA Facility, TX Facility, GA Facility, OH Facility. Legend: Manufacturing / Distribution Center; Administration / Primary Call Center; Alternate Call Center; Data Center]


Company Profile (Organization Objectives)

• Deliver high quality, advanced circuit boards for domestic and international customers in accordance with contractual service level agreements (SLAs).

• Continually improve manufacturing operations to:

– Decrease cycle time

– Decrease errors and defects

– Improve overall performance and customer satisfaction

• Improve productivity, reduce costs and prevent employee injuries by complying with existing safety policies (leveraging JIT, LEAN and Six Sigma)

• Provide high quality, on-demand customer service through web and phone based platforms


Company Profile (“The Players”)

• CEO – Greg Donnelly

• Business Continuity Leader and Program Manager: Brian Zawada (former Internal Auditor)

• The Business Continuity Steering Committee (BCSC) assumes duties as the Corporate Crisis Management Team during a disruptive incident

– Program Sponsor: Tim Green (CFO)

– Information Technology: Maggie Campbell (CIO)

– Operations: Daniel Smith (COO)

– Human Resources: Garret Weber (VP)

– General Counsel: Juan Gonzales


Case Study – Pen Electronics Inc. (Clauses 4-7 – Plan)


It All Started on November 4, 2012…

• Greg Donnelly (CEO) participated in a meeting with Tim Green (CFO), Daniel Smith (COO) and Juan Gonzales (General Counsel) to discuss Pen’s continuity capabilities and any associated contractual obligations.

• Previously, Juan Gonzales had expressed concerns to the CEO regarding:

– Contractual clauses that require Pen to conduct business continuity planning

– Potential contractual penalties that could be imposed if the organization were to fail to meet SLAs due to a disruptive incident

• Based on the outcome of this meeting, Greg Donnelly directed the CFO to sponsor an effort to build and manage a comprehensive business continuity program

• Brian Zawada was selected during this meeting to assume the duties of the Business Continuity Leader due to prior experience with business continuity planning


It All Started on November 4, 2012…

• The drivers behind senior management’s decision to implement a business continuity program included:

– The inability to meet contractual SLAs following a disruptive incident that affected one or more manufacturing locations or distribution centers

– Existing contractual clauses that allowed companies to impose financial penalties should Pen fail to meet certain SLAs

– Several newly-signed contracts that required Pen to implement and show evidence of a business continuity program prior to the next contract renewal date (as early as December 2013)


Making the Decision: ISO 22301

• Pen decided to conform to ISO 22301 and the management system approach to business continuity

– Pen’s existing experience with the management systems approach and common language used in other ISO standards (ISO 9001)

– Name recognition among customers and industry / management respect for ISO standards

– An international customer base

– Certification wasn’t discussed although the company has experience in this area and it creates value (market differentiation and customer satisfaction)


The First Six Months (December 2012 – June 2013)

• Brian Zawada worked with management to identify additional key players to participate in the planning effort; Brian identified two additional employees to serve as part-time members of the business continuity team

• The BCSC met for the first time on December 5, 2012 and directed the newly established business continuity team to define the scope and objectives of the BCMS

• The BCSC also established the following criteria to define the organization’s risk appetite:

– Unacceptable to violate contractual SLAs

– Unacceptable to stop receiving and processing new customer orders

– Unacceptable to impair customer service levels or fail to address on-demand customer inquiries


Pen’s Products and Services

• Throughout December and January, the business continuity team worked with management across the organization to define the following in-scope products and services:

1. Provide Customer Support

2. Receive and Process Customer Orders

3. Manufacture Off the Shelf and Custom Circuit Boards

4. Ship Customer Orders (Nationally and Internationally)

5. Bill Customers

6. Perform Payroll (outsourced to third party)


The First Six Months (December 2012 – June 2013)

• On February 1st, the business continuity team met to develop a proposed BCMS scope based on Pen’s products and services; the team defined the scope of the BCMS by evaluating each product and service and the potential impacts of downtime associated with each product and service in relation to:

– The organization’s strategic objectives

– Risk appetite guidance expressed by senior management

– Contractual requirements

• In addition, the team recommended a proposed maximum allowable downtime (MAD) value for each product and service

• The scope and associated MAD values were approved by the BCMS on February 20th


BCMS Scope

| Product and Service | In Scope? | Justification | MAD |
|---|---|---|---|
| Provide Customer Service | Yes | Contractual obligation to provide on-demand customer service; potentially severe reputational impacts and loss of market share due to an inability to deliver. | Immediate |
| Receive and Process Customer Orders | Yes | Inability to receive and process new orders would result in contractual breaches, financial penalties, operational backlogs, and reputational loss. | Immediate |
| Manufacture Off the Shelf and Custom Circuit Boards | Yes | Inability to manufacture circuitry would result in contractual breaches, financial penalties, operational backlogs, and reputational loss. | 24 hours |
| Ship Customer Orders (Nationally and Internationally) | Yes | Inability to ship products would result in contractual breaches, financial penalties, operational backlogs, and reputational loss. | 48 hours |
| Bill Customers | No | Not time sensitive within two weeks; customers can be billed retroactively without financial loss or operational impact. | None noted. |
| Perform Payroll | No | Outsourced to 3rd party. | None noted. |


Identifying Activities and Departments (March-April 2014)

• Following approval of the BCMS scope, the business continuity team began identifying the activities that contribute to each in-scope product and service and the departments that manage those activities

• The business continuity team identified 32 in-scope departments during this process

[Diagram: Product and Service; Department (Manages Activities); Activity A; Activity B]


Departments and Activities

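| Product and Service | Activity | Department |
|---|---|---|
| Provide Customer Service | Respond to Inbound Customer Calls | Call Center |
| Provide Customer Service | Process Over the Phone Customer Orders | Call Center |
| Provide Customer Service | Respond to Customer Emails | Web Services |
| Provide Customer Service | Respond to Customer Web Inquiries | Web Services |
| Receive and Process Customer Orders | Process Over the Phone Customer Orders | Call Center |
| Receive and Process Customer Orders | Monitor Automated Orders | Ordering |
| Receive and Process Customer Orders | Maintain and Support SAP | IT Support |
| Manufacture Off the Shelf and Custom Circuit Boards | Configure Automated Machinery | Engineering |
| Manufacture Off the Shelf and Custom Circuit Boards | Troubleshoot / Repair Automated Machinery | Engineering |
| Manufacture Off the Shelf and Custom Circuit Boards | Stage Inventory | Inventory Management |
| Manufacture Off the Shelf and Custom Circuit Boards | Manage Inventory Levels | Inventory Management |
| Manufacture Off the Shelf and Custom Circuit Boards | Operate Automated Machinery | Manufacturing Operations |
| Manufacture Off the Shelf and Custom Circuit Boards | Perform Manual Assembly | Manufacturing Operations |
| Manufacture Off the Shelf and Custom Circuit Boards | Transition Circuit Boards Between Stations | Manufacturing Operations |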


Departments and Activities

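| Product and Service | Activity | Department |
|---|---|---|
| Manufacture Off the Shelf and Custom Circuit Boards | Transition Circuit Boards to Testing Team | Manufacturing Operations |
| Manufacture Off the Shelf and Custom Circuit Boards | Test Circuit Boards for Functionality | Testing |
| Manufacture Off the Shelf and Custom Circuit Boards | Label Circuit Boards | Packing Operations |
| Manufacture Off the Shelf and Custom Circuit Boards | Package Circuit Boards (static free) | Packing Operations |
| Manufacture Off the Shelf and Custom Circuit Boards | Create Custom Packaging Inserts | Packing Operations |
| Manufacture Off the Shelf and Custom Circuit Boards | Package Circuit Boards for Shipping | Packing Operations |
| Manufacture Off the Shelf and Custom Circuit Boards | Monitor Production Lines | Quality Assurance |
| Manufacture Off the Shelf and Custom Circuit Boards | Perform Final Inspections | Quality Assurance |
| Manufacture Off the Shelf and Custom Circuit Boards | Validate Labels and Packaging | Quality Assurance |
| Manufacture Off the Shelf and Custom Circuit Boards | Perform Routine Machine Maintenance | Maintenance |
| Manufacture Off the Shelf and Custom Circuit Boards | Conduct Daily Maintenance Checks | Maintenance |
| Manufacture Off the Shelf and Custom Circuit Boards | Prepare Products for Shipping | Transitions |
| Manufacture Off the Shelf and Custom Circuit Boards | Liaise with Distribution | Transitions |
| Manufacture Off the Shelf and Custom Circuit Boards | Move Circuit Boards to Distribution | Transitions |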


Roles, Responsibilities & Competencies

• In parallel to the scoping effort, the business continuity team defined roles and responsibilities for all participants in the BCMS

Role: Business Continuity Steering Committee

Responsibilities:

• Review and approve the BCMS Policy and procedure on an annual basis.

• Ultimately accountable for the implementation and maintenance of the BCMS (in compliance with this Policy), including ensuring:

o The BCMS is independently reviewed and approved annually.

o All employees are trained and aware of their role in the program.

o Applicable BCMS elements (including strategies and plans) are regularly tested and matured.

o The BCMS is updated to reflect the current operating environment.

• Allocate sufficient staff and resources to properly implement the BCMS.

• Actively participate in the management review process.

• Engage the organization’s leadership, as necessary, to oversee, manage, and mature the BCMS.

Competencies:

• Executive management experience.

• Detailed knowledge of Pen’s products and services in addition to strategic objectives.

• Complete understanding of the BCMS’ scope, objectives, and health.


Pen’s BCMS Program Objectives

• In parallel to the scoping effort, the business continuity team defined the BCMS program objectives:

– Protect the safety of Pen’s employees and visitors.

– Manage the threats and impacts associated with an interruption to critical manufacturing operations, including a facility interruption or loss of resources (including personnel, technologies and suppliers).

– Reduce business continuity risk through four approaches:

1. An appropriate and proactive control environment designed to decrease the likelihood of a disruptive event

2. Strategies to effectively respond to a crisis

3. Plans to recover critical business activities within stakeholder expectations

4. The ability to maintain consistent communication with personnel and clients


Writing the Policy and Procedure

• Based on the approved scope, Pen developed business continuity policy and procedure documents that formally established:

– Program objectives, scope and associated MADs

– Roles, Responsibilities, and Competencies for the BCSC, BC Team and department representatives / owners

– Program Components (including the business continuity planning lifecycle and all management system components)


Case Study – Pen Electronics Inc. (Clause 8: Do)


Building the Foundation (June – October 2013)

• Based on the activities that support in-scope products and services, Pen began performing a comprehensive business impact analysis (BIA) in June of 2013

• Pen conducted BIA data gathering at the department level, which identified the resources that each department relies on to continue performing in-scope activities, as well as the estimated impacts (over time) of a disruptive incident. Impact categories included:

– Financial, operational, reputational, contractual, customer

• In parallel to the BIA, Pen conducted a risk assessment that identified the likelihood and impact of resource loss (all resources that support in-scope activities).


Identifying Recovery Objectives

• Based on the results of the BIA, the business continuity team identified proposed recovery objectives including:

– RTOs for each activity (less than or equal to the corresponding product and service MAD)

– RTOs and RPOs for each technology dependency

• Varies based on the viability of manual workarounds

– Identification of suppliers (internal and external) that are required to achieve proposed activity RTOs

– Identification of each department’s staffing and resource needs following a business disruption


Identifying Risk Treatment Opportunities

• Based on the results of the risk assessment, the business continuity team identified numerous risk treatment opportunities:

– Based upon the likelihood and impacts of resource loss

– Resources evaluated included:

• People, technology, facilities, equipment and suppliers

– Recommended risk treatments were aligned with recovery objectives, program objectives and Pen’s risk appetite

– The risk assessment took into account existing formal and informal risk treatments (e.g. work from home capabilities)


Documenting Results

• The business continuity team documented the BIA and Risk Assessment results and findings in September of 2013 (BIA and Risk Assessment Summary Report)

– This document summarized the business continuity team’s findings and identified critical gaps (single points of failure) in the organization’s continuity capabilities

• The document also presented recovery objectives for approval by the BCSC


Pen’s Critical Gaps and Single Points of Failure

• Loss of the administration facility in CA would halt all customer service activities and telephone ordering activities (5% of all orders)

• While all facilities produce the same products and Pen could increase production to cover the loss of one facility, Pen would not have the shipping resources required to maintain SLAs following the loss of one distribution center

• Customers place a vast majority of orders (95%) through EDI to SAP; Pen could not recover SAP if the primary data center, located at the CA facility, was affected

• Pen could not recover critical communication tools (email, telephony) if the primary data center was affected


Addressing Gaps: Strategy Identification

• Based on the gaps identified in the BIA and Risk Assessment, the business continuity team created strategy options that would enable:

– Customer service activities to be simultaneously executed by independent teams in CA and TX

– 20% of customer service associates to work remotely via Citrix VPN connections

– Active/Active DR solutions for SAP, email, Citrix and telephony

– Formal allocation of the shipping and manufacturing resources needed to boost production at alternate facilities and maintain delivery SLAs following the onset of a disruptive incident


Implementing Strategies (November 2013 – February 2014)

• Pen developed multiple options to address these gaps and decided on the following strategies after conducting a cost benefit analysis:

– Lease, equip and staff an alternate call center near the TX facility

– Balance call center staffing levels in CA and TX and provide 20% of call center employees with remote access capabilities

– Contract a 3rd party data center provider in Dallas to build an active/active disaster recovery solution for SAP, email, telephony and Citrix

– Increase shipping resources by 10% at each distribution center and establish contracts with third party transportation vendors who can provide temporary drivers within 24 hours of notification

– Formalize increased manufacturing procedures at each manufacturing plant


Documenting Plans (November 2013 – February 2014)

• In parallel to the strategy implementation effort, each in-scope department documented a plan addressing:

– Recovery strategies and procedures

– Plan activation criteria and an incident response structure

– Crisis communication procedures

– Return to normal procedures

• The business continuity team and BCSC also created corporate Crisis Management and Crisis Communication Plans, enabling Pen to strategically manage disruptive incidents:

– Created the corporate CMT consisting of the BCSC, the BC leader, facility leaders, and HR representatives (one per location)

– Also contracted with an emergency notification service


Documenting Plans (November 2013 – February 2014)

• Pen’s IT support team also worked to document disaster recovery plans

• Departments that identified SAP, email, Citrix and telephony as dependencies included an appendix in their BCP on how to access the DR environment during a disruptive incident


Exercising and Testing (February 2014 – May 2014)

• As noted in Pen’s policy, senior management established a requirement for each department to execute a table top exercise prior to the end of Q2 2014

• The business continuity team worked with each department representative and owner to plan, execute and document the results of table top exercises

• The team completed this effort ahead of schedule (May 2014) and several corrective actions based on exercise lessons learned

• The business continuity team also tested the newly acquired emergency notification system and performed a walkthrough of the crisis management plan


Case Study – Pen Electronics Inc. (Clause 9: Check)


Internal Audit

• As noted in Pen’s policy, senior management established a recurring internal audit of the BCMS

• Pen’s internal audit program requires the following:

– Evaluation of business continuity capabilities compared to requirements

– Evaluation of Pen’s compliance with internal policy and SOPs

• Internal audit identified opportunities for improvement specific to plan documentation and exercises, both of which are noted as corrective actions and tracked by the business continuity team


Metrics

• As noted in Pen’s policy, senior management established metrics designed to report on the performance and effectiveness of Pen’s BCMS

• Pen metrics were designed to report on both department preparedness and the overall performance and effectiveness of the BCMS

• The metrics are simple and easily understood while also providing management with a realistic picture of the BCMS’ health


Pen’s Metrics

BCMS Metrics – Pen Electronics Inc.

| Metric | Description | Current State |
|---|---|---|
| Provide Customer Service | Can this P&S be immediately recovered following a business disruption in CA or TX by transferring inbound calls to the alternate site? | Validated only through table top exercise. |
| Receive and Process Customer Orders | Can this P&S be immediately recovered following a business disruption in CA or TX by failing over to alternate SAP servers and transferring inbound calls to the alternate site? | Validated only through table top exercise. |
| Manufacture Advanced Circuitry | Can this P&S be recovered within 24 hours by increasing production at non-affected sites? | Validated only through table top exercise. |
| Ship Customer Orders | Can this P&S be recovered within 48 hours by increasing shipping levels and staffing at non-affected sites? | Validated only through table top exercise. |
| Status of corrective actions | Document the number of existing corrective actions by priority level. | 12 Corrective Actions Open (see CAPA database) |
| Overdue corrective actions | Document the number and priority level of corrective actions that have extended beyond the established resolution date. | No overdue corrective actions |
| Departments with approved BIAs, RAs & BCPs | Identify the percentage of departments with approved BIAs, RAs and BCPs. Maintain a full listing of departments and their statuses. | 100% Compliance (a full listing of departments and applicable comments is maintained separately) |
| Departments with proven recovery objectives | The percentage of departments that have proven the ability to recover activities and resources in accordance with management approved recovery objectives. | 0%; to date only table top exercises have been completed. |

Management Review

• Since January 2013, the business continuity team has been conducting management reviews with the BCSC monthly

• These management reviews have enabled the BCSC to stay informed of the program’s progress and give guidance to the business continuity team

Pen’s Management Review Agenda

• Program Scope and Objectives Review

• Maximum Allowable Downtime Review

• Internal Audit Results

• Risk Assessment Results

• Exercise Results

• Post-Incident Lessons Learned (if applicable)

• Training Results

• Corrective Actions Review and Feedback

• Metrics Review

• Special Topics / Next Steps

Case Study – Pen Electronics Inc. (Clause 10: Act)

Corrective Actions (“CAPA”)

• In accordance with ISO 22301, Pen’s policy and procedure documents directed the business continuity team to create and maintain a CAPA database

• This database is designed to address program gaps, non-conformities and improvement opportunities

• Corrective actions can be identified from a variety of sources including:

– Tests/exercises, management reviews, post-incident reviews, risk assessment results, etc.

• All corrective actions are assigned a priority status, owner and target resolution date.

Pen’s Corrective Actions Database

| Item | Root Cause | Proposed Solution | Source | Owner | Priority | Target Resolution Date | Status |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Inability to communicate without internet or cellular connectivity. | Inadequate communication redundancies. | Acquire satellite phones and update Crisis Communication and Management Plans. | Crisis Table-top Exercise | Greg Hamm | High | 5/1/14 | Completed |
| Inability to contact third-parties. | Incorrect contact information in plans. | Department reps review / update all BC plans. | Exercise | Steve Johns | Medium | 6/31/14 | Open |

Pen’s Program Today

• As of June 2014, Pen documented business continuity plans for in-scope departments and completed a table top exercise for each

– Pen has strategies in place to address the loss of the key resources that support in-scope products and services

• During the next management review, the business continuity team plans to revisit the BCMS scope and objectives with the BCSC to enable 2015 program updates

• Pen plans to conduct DR testing during Q3 2014; in addition, Pen will begin simulation exercises in Q4 of 2014

Case Study – Pen Electronics Inc. (June 10, 2014: The Disaster)

June 9, 2014 (The First Hours)

• Last night, at approximately 9 PM local time, a destructive earthquake damaged the CA administrative building, manufacturing plant and distribution center

• The earthquake also affected many of the local communities around Pen’s facilities, disrupting power, communications and roads

• Third-shift employees were able to safely exit and evacuate the manufacturing facility (several with minor injuries were brought to a local hospital)

• The Facilities Manager who was on duty at the time of disaster accounted for all employees and reported to the Site Leader in accordance with Pen’s Crisis Management Plan

• The Site Leader attempted to contact the BCSC (CMT) to initiate a conference (10:15 PM) but was unable to do so due to cellular, internet and land line interruptions

• The Site Leader was, however, able to use his satellite phone to successfully contact the CMT Coordinator and relay employee accountability and injury information as well as an initial status report

• The CMT Coordinator subsequently provided instruction to the remaining members of the Crisis Management Team to meet at a designated location for initial coordination

• The CMT directed CA-based employees to remain at home until a damage assessment could be conducted (emergency notification system, social media) and verified that SAP, email, telephony and Citrix were fully operational at the alternate data center in Dallas

June 10, 2014 (The Recovery)

• Leadership teams in TX, OH, and GA were notified of the disaster (emergency notification system) shortly after midnight; the CMT Coordinator also contacted TX-based leadership separately and directed them to take over all customer service activities until further notice

• The CMT Coordinator was also able to contact the telephony support team to verify that all calls would be directed to the TX-based call center

• At 6 AM, the CA-based HR representative was able to travel to local hospitals and verify the status of injured employees; in addition, the Site Leader was able to access the CA facilities to assess the extent of the damage

• At 9 AM, the Site Leader joined a conference call with the CMT and reported that all CA facilities would be inaccessible for at least one week due to repairs to critical infrastructure, utility outages and required safety inspections

• Based on this report, the CMT directed departments to activate their plans

• Business departments were notified of plan activations via the emergency notification system and follow-up calls from the CMT

• Customer orders were rerouted to TX, GA, and OH where business departments boosted production appropriately and contacted third-party transportation vendors to request additional support

• The CA Site Leader was able to connect with utilities companies and local authorities by 3 PM on June 10; the Site Leader reported that utilities services and road access would be completely restored within 24 hours

• Based on this assessment, the Site Leader reinforced that the necessary repairs and inspections would be completed within one week

• The CMT issued a new emergency notification updating employees based on this report and conducted follow-up calls with leadership teams at each of Pen’s alternate facilities

Documenting Lessons Learned

• Following Pen’s return to normal, the business continuity team facilitated a post-incident review with the department owners that participated in the recovery

• The team followed this outline during the review:

1. Disruptive incident description and narrative

2. Response and recovery participation

3. Stakeholders affected (internal and external)
   • Qualitative and quantitative impacts – if any

4. Response and recovery results
   • Timeline, performance, strengths, and opportunities for improvements

5. Lessons learned and corrective actions (gaps)

6. Conclusions and next steps

New Corrective Actions

| Item | Root Cause | Proposed Solution | Source | Owner | Priority | Target Res Date | Status |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Modify Incident Response Structure | Plan activation authority too restrictive. | Adjust incident response structure and plans to authorize department owners to proactively activate plans. | June 2014 Incident | Brian Zawada | High | 7/15/14 | Open |
| Increase Social Media Awareness | Employees unaware of social media sites. | Conduct social media awareness campaign. | June 2014 Incident | Jen McCain | Low | 8/15/14 | Open |

Case Study – Pen Electronics Inc. (Takeaways)

Case Study Takeaways

• Based on the BCMS built over the past two years, Pen was able to effectively respond to and recover from the earthquake and continue to meet stakeholder expectations

• Without the BCMS, Pen would have been unable to resume customer service and ordering activities immediately, and would have likely been unable to meet shipping demands

• Aligning their BCMS to ISO 22301 further allowed Pen to benchmark their program against best practices and embed their objectives with those of the organization as a whole

Questions and Conclusions