Contingency planning is a critical aspect of doing business, particularly in mitigating the effects of disasters and emergencies. In response to the international need to protect businesses from disruption, the International Standards Organization (ISO) developed a management systems standard for business continuity management (BCM). ISO 22301 is a management systems standard that can be used by any organization to mitigate the effects of disasters and emergencies.
Vendors, legislators, regulators and customers increasingly expect compliance and adherence to a BCM framework. Following these eight steps, as recommended by the Government of Canada can help to assure your organization is prepared for disruption:
- Appointing a Disaster Preparedness Team
An emergency and disaster preparedness team should comprise a stand-alone committee. The committee will be responsible for planning and implementation of the business continuity plan (BCP), related policies and procedures, and the communication of the BCP to management and staff. The committee should have sponsorship and support by a senior member of the management team.
- Identification of essential services or functions
In the event of a disaster or emergency, what are the essential services provided by your organization? It may be helpful to think about the essential services as those, when not delivered, could have a negative impact on health and safety of individuals, or on the viability of the business itself. Prioritize and rank these essential services in preparation for the next step in the BCM framework.
- Determine required skill sets and staff
Based on the prioritization and ranking exercise done in step 2, consider what skill sets are required to deliver essential services. Can single staff members take on, or be cross-trained to fill more than one role?
- Complete a comprehensive risk assessment
As the literature indicates, businesses and organizations were not prepared for a global pandemic. The economic impact will be felt for some time to come, and studies have shown the most resilient organizations have had pre-existing and robust BCP measures. This step includes conducting a risk assessment of identified threats, action plans for each threat and identification of designated individuals for each essential service or function.
- Prepare a series of strategies and action plans for each essential service or function
An action plan for each essential service or function (as identified in step 2) should include key contacts, customers, suppliers/subcontractors, business partners and other support providers.
- Review Action Plans
Once step 5 action plans and strategies have been determined, a checklist should be reviewed to ensure all issues have been addressed, as well as to identify any areas needing additional documentation. Areas to be covered should include impacts on the organization, employees and stakeholders/customers, policies to be implemented, resources to be allocated, communications and coordination with external authorities.
- Senior Management Review
The senior management sponsor should be given an opportunity to respond and comment on the draft BCP before it is adopted by the executive. Ensure the BCP is consistent with organizational objectives and addresses the critical elements identified.
- Revise, test, update, repeat
The BCP is a living document, and may require revision and updating as organizational priorities change. It is critical to ensure the BCP is ‘tested’ on a semi-annual basis to identify areas of improvement.