SWS-5 Rob Giffin · Business Impact Analysis ISO 22316 Organizational Resilience – Principles ... Experience A director with broad organizational / strategy visibility and ... High

© 2013 Avalution Consulting, LLC | All Rights Reserved

DRJ Spring World 2014

Build an ISO 22301 Management System to Capture Executive Attention

Workshop Objectives

• Introduce ISO 22301 as a Source of Best Practices

• Define the Management System Concept (and the value behind it)

• Discuss the Key Elements of a Business Continuity Management System (10)

• Outline Implementation Strategies

• Present Case Studies to Demonstrate Value


Workshop Agenda

• ISO 22301 Introduction

• Management Systems – What/Why

• Key Elements of a Management System

• Implementation Strategies and Case Studies

• Conclusions

What is ISO 22301?


ISO 22301

World’s First International Business Continuity Standard!

Replaced BS 25999-2, effective November 2012

What is ISO 22301?

• A “Requirements” document for a Business Continuity Management System (BCMS)

• Set up, operate and continuously improve a BCMS

  – Alignment to PDCA

• Adaptive (“plug and play”)

• A resource to drive performance

• Minimal “jargon”


Technical Committee 223 Projects

• ISO 22301 – Business Continuity Management Systems – Requirements

• ISO 22313 – Business Continuity Management Systems – Guidance

• ISO 22317 – Business Continuity Management Systems – Business Impact Analysis

• ISO 22316 – Organizational Resilience – Principles and Guidelines

• ISO 22320 – Emergency Management – Requirements for Incident Response

• ISO 22398 – Guidelines for Exercises

Types of Standards

• Requirements Standards – WHAT (ISO 22301)

• Guidance Standards – HOW (ISO 22313)


What is ISO 22301?

Introduction:

• Clause 1: Scope

• Clause 2: Normative References

• Clause 3: Terms and Definitions

Requirements:

• Clause 4: Context of the Organization

• Clause 5: Leadership

• Clause 6: Planning

• Clause 7: Support

• Clause 8: Operations

• Clause 9: Performance Evaluation

• Clause 10: Improvement

ISO 22301 Value

• Management and customers respect ISO standards

• A form of benchmarking (agreement on minimum expectations)

• Common language / simplicity of concept descriptions

• Drives engagement through continuous improvement


Things You Need to Know

• What is a management system?

• Products and services versus…

• Scope and objectives

• Top management

• Risk treatment

• Risk appetite

• Documentation

• Internal and external

• ISO language

  – Shall versus Should

What is ISO 22301? By the numbers…

                                         ISO 22301           BS 25999-2   NFPA 1600 v2013
Pages of “Actual Content”*               16                  12           13
Shall Statements                         92                  54           121
Top Management or Committee References   10 (+18 sub-tasks)  4            8

* Requirements-related content


What is ISO 22301? By the numbers…

Ways to Prepare

1. Identify an executive sponsor in your organization, possibly a steering committee (“top management”)

2. Identify your “interested parties”

3. Establish your “obligations”

4. Begin to identify an appropriate program scope and objectives

5. Explore the concept of risk appetite


Management Systems – What/Why

Build an ISO 22301 Management System to Capture Executive Attention


Common Performance Issues

• Lack of Focus

• No Strategic Alignment


Management System

Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives.

Management System

Connecting a discipline to organizational strategy through executive management


Management System-Aligned Business Continuity Standards

• ISO 22301

• BS 25999-2

• NFPA 1600 (2010+)

• ISO 27001 (Security)

• ASIS SPC.1-2009

• ASIS/BSI BCM.01-2010

Management System

Plan – Do – Check – Act (PDCA cycle)


Management System vs. Program

Is there a difference and does it really matter?

The Value of a Management System

• Built-In (Consistent) Executive Involvement

• Scope Based on Products/Services

• Alignment to other disciplines

• Continual improvement


Key Elements of a Management System

Build an ISO 22301 Management System to Capture Executive Attention


Key Elements

1. Leadership

2. Obligations and Risk Appetite

3. Products and Services

4. Objectives, Priorities and Scope

5. Competencies

6. Documentation

7. Corrective Actions

8. Internal Audit

9. Metrics

10. Management Review


Key Element #1

Leadership: “Top management shall demonstrate leadership…”

Collaboration Session

What is the appropriate role(s) of leadership? How often do they get involved? Can they delegate their responsibilities (all of their responsibilities)?

Key Element #2

Obligations and Risk Appetite:

– What are obligations?

  • Regulations, customer/supplier contracts, internal policy, other

– And in the case of ISO 22301, what’s the role of risk appetite?


Risk Appetite (Example/Excerpt)

Avalution Consulting management selects and implements appropriate risk treatments for each critical in-scope activity in accordance with its objectives and level of risk acceptance. The BCSC defines its risk appetite as the following:

We are willing to tolerate a finite amount of downtime as long as it does not result in the following:

– Damaged reputation among our clients that leads to broader, negative market perception

– Missed service level agreements specific to The Planning Portal and BC Catalyst

– Financial loss in excess of $X

– Project delays of more than three days due to resource disruption and lost data

Key Element #3

Product and Service Oriented:

– The BCMS must be focused on the organization’s products and services (internal and external)

– Plans must recover the key outputs the business produces, not just facilities, people and applications

Collaboration Session

How do products and services apply to my organization?
Discuss your organization’s and BC program’s unique needs
Pick one example to share with the group


Example Products and Services

• Banking

  – Online Banking
  – Deposit Funds
  – ATM Card Services
  – Wires and ACH Processing
  – Close Mortgages
  – Securities Trade Execution

• Insurance

  – Voice Customer Services
  – Pay Recurring Claims
  – Claims Intake
  – Adjudicate Claims
  – Process Premiums

• Manufacturing

  – Produce Product A
  – Produce Product B
  – Service Product A
  – Service Product B
  – Engineering Services
  – Ship Product
  – Receive Orders
  – Bill Customer

Example Products and Services

• Example Organization:

  – Fuel Hedging
  – Manage Cash
  – Reporting Financials
  – Customer Support
  – Paying Bills
  – Selling Tickets
  – Maintaining Airplanes
  – Fly Planes (Operations)
  – Supporting Field Operations
  – Frequent Flyer Program


Key Element #4

Objectives, Priorities and Scope:

– The BCMS scope must include all key products and services for your organization

– Ensure BCMS objectives are aligned with the overall objectives of your organization

Collaboration Session

Setting BCMS boundaries
Discuss your organization’s and BC program’s unique needs
Feedback on example objectives

Example Scope

Company X’s Business Continuity Management System addresses all aspects of the corporation, with a focus on the delivery of the following key customer-facing products and services:

– Product Line A – Downtime Tolerance: 48 Hours
– Product Line B – Downtime Tolerance: 72 Hours
– Product Line C – Downtime Tolerance: 72 Hours
– Customer Service – Downtime Tolerance: 24 Hours
– Research and Development – Downtime Tolerance: 168 Hours


Example Objectives

Company X’s Business Continuity Management System objectives include the following:

• Protecting the safety of Company X’s employees and visitors

• Managing the threats and impacts associated with an interruption to critical manufacturing operations, including a facility interruption or loss of resources (including personnel, technologies and business partners).

• Reducing business continuity risk through four approaches:

  – An appropriate and proactive control environment designed to decrease the likelihood of a disruptive event;
  – Strategies to effectively respond to a crisis;
  – Plans to recover critical business activities within stakeholder expectations; and
  – The ability to maintain consistent communication with personnel and clients.

Key Element #5

Competencies:

– Establish roles, responsibilities and competencies

– Create interactive and engaging training methods for personnel within the management system

– Develop role-specific Subject Matter Experts throughout the BCMS

Example Documentation

Sample Role Description and Training Plans
How could these apply to your organization?


Example Training Record (1)

Business Continuity Steering Committee Member

Responsibilities:

– Provide oversight to the Business Continuity Management System
– Review and validate all analysis, strategy, and exercise outcomes
– Meet semi-annually to discuss scope, analysis results and other performance metrics (as part of the management review process)

Competencies:

– Education: No specific requirement noted
– Knowledge: Knowledge of Company X, as well as key products or services within the scope of the Business Continuity Management System. Must have a detailed understanding of the business continuity needs and objectives of the organization, as well as stakeholder expectations
– Experience: A director with broad organizational / strategy visibility and understanding, regardless of region
– Skills: Strong leadership and verbal communication skills, as well as broad business acumen that addresses key elements of the organization (specific to those he/she represents)
– Training: Participation in management reviews and exercises; participation in Company X awareness training; ISO 22301 Introduction

Example Training Record (2)

Training Format: Computer Based Training (CBT)

Training Topic: Business Continuity at Company X

Approver(s): Alex Smith

Title: Company X Business Continuity Awareness

Audience: US employees at Facility A and Facility B

Objective(s): Overall Objective: To introduce/remind all key stakeholders of the security and emergency response procedures at both locations;

1. The purpose and need for business continuity
2. Business Continuity Program objectives at Company X
3. Key roles and responsibilities
4. Key business continuity program elements
5. How employees are involved in business continuity
6. Conclusions and next steps

Format Requirements:

1. Utilize a computer based format that can be accessed and viewed on demand.

2. Utilize a computer based format that supports both sound compatible and non-compatible PCs.

3. Be as specific as possible, always attempting to minimize the need to revise content over the lifetime of the product.


Key Element #6

Documentation: “… a documented process…”

– Policy

  • Expectations

– “SOP” / Framework / Standard

  • Planning process and management system operations

– Evidence

  • Are we doing what we said we would do?

Policy Outline


Key Element #7

Corrective Actions:

– Work to improve the suitability, adequacy and effectiveness of the BCMS

– Identify and react to BCMS “nonconformities”

– Create a process to manage continual improvement

Example Documentation / Discussion

Sample Corrective Actions List
How could this apply to your organization?
What are sources of corrective actions?

Example Corrective Actions Structure

Fields: Item; Root Cause; Proposed Solution; Source; Owner; Priority; Target Resolution Date; Status

Other Potential Fields: Start Date; Detailed Description

Entry 1:
– Item: Develop and Implement a Crisis Communications Strategy
– Root Cause: Lack of realistic training
– Proposed Solution: New Plan Documentation
– Source: Post-incident
– Owner: Greg Hamm
– Priority: High
– Target Resolution Date: 12/01/11
– Status: Completed

Entry 2:
– Item: Define CMT Leader Responsibilities
– Root Cause: Lack of management involvement
– Proposed Solution: Update Plan Documentation
– Source: Exercise
– Owner: Steve Johns
– Priority: Low
– Target Resolution Date: 03/01/12
– Status: Open


Key Element #8

Internal Audit:

“The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system…” – ISO 22301

Example Documentation

Example Internal Audit Work Program

Example Audit Program Line Item

Requirement Definition:
– Audit #: 1
– Standard Name: ISO 22301
– Ref #: 4.2
– ISO Element: Understanding the Organization
– Policy Area: VI. Business Continuity Planning Process
– Program Requirement: See Excel File

Review of Requirement:
– General Test Plan: See Excel File
– Evidence: BC Policy
– Interviews: Senior Management
– Notes: 4.2 – all elements documented


Key Element #9

Metrics:

– “The organization shall evaluate the BCMS performance and effectiveness of the BCMS”

  • Compliance to internal policy
  • Compliance to a standard
  • Performance of response and recovery strategies

Collaboration Session – Metrics “brainstorm”

Is This Your Report to Management?

Process     Updated BIA?   Updated Plan?   Performed Exercise?   Went to Training?   Rating
Process X   Yes            No              Yes                   Yes
Process Y   Yes            Yes             No                    No
Process Z   No             No              Yes                   No

This is the wrong approach. It reinforces a check-the-box viewpoint.


Metrics that Mean Something

Columns: Product / Service; Business Continuity Objective; Current State Recovery Capability; Rating

– Perform Customer Support
  Objective: Ensure No More Than 4 Hours Downtime with Less than a 90 Second Wait Time
  Current State: 8 hours, Estimated 4 Minute Wait Time at Recovery

– Manufacture Product
  Objective: 10 Days Target Safety Stock (offsite), Maintain Contingency Sourcing Agreement Effective Within 7 Days
  Current State: 1 Day Safety Stock, Contingency Sourcing Agreement With Acme Pending

– Process Warranty Claims
  Objective: Seamless Failover Between Each Claims Handling Region in the United States
  Current State: Claims Failover Process Complete and Demonstrated – No Downtime

– Bill Customers
  Objective: Restart Bill Generation and Catch Up On All Back Logged Work Within 5 Days; Suspend Collection Reminders to Protect Customer Relationship
  Current State: Billing Tested and Restarted in Three Days – Back Log Closed in 4 Days

Key Element #10

Management Review:

– Top level management must review the organization's BCMS at planned intervals

– Reviews should include status of action items from previous reviews, changes in issues relevant to the BCMS, information on business continuity performance and opportunities for continual improvement


Collaboration Session

Best practices for management review
Discuss your organization’s and BC program’s unique needs
Does anyone in the group use the management review process today?


Example Management Review Agenda

• Program Scope and Objectives

• Maximum Downtime Discussion

• Feedback / Audit Results

• Risk Assessment Results

• Exercise Results

• Post-Incident Lessons Learned

• Training Results

• Corrective Actions Review and Feedback

• Dashboard / Metrics

• Special Topics / Next Steps

Implementation Strategies and Case Studies

Build an ISO 22301 Management System to Capture Executive Attention


“Recipe”

1. Executive Involvement

2. Organizational Strategy

3. Products/Services

4. Customer Knowledge

5. Inventory of Obligations

6. Organizational Knowledge


“Top Down” Implementation Strategies

• Start with your boss / program sponsor

• Personally explain the organizational benefits of a Business Continuity Management System

• Look for early wins and implement those specific items you can control


Apply the Key Elements

• Leadership (Clause 5)

• Obligations and Risk Appetite (Clause 4)

• Products and Services (Clause 4)

• Objectives, Priorities, Scope (Clause 4)

• Competencies (Clause 7.2)

• Documentation (Clause 7.5+)

• Corrective Actions (Clause 10.1)

• Internal Audit (Clause 9.2)

• Metrics (Clause 9.1)

• Management Review (Clause 9.3)

Avalution Consulting

• Overview

• BCMS Implementation

• Issues

• Outcome


Case Study #2

• Overview

• BCMS Implementation

• Issues

• Outcome


Conclusions and Questions

Build an ISO 22301 Management System to Capture Executive Attention


Let’s Connect

866.533.0575 | avalution.com

@Avalution-Consulting

@Avalution

perspectives.avalution.com

Robert [email protected]
