The International Standards Organisation (ISO) recently launched its first standard for Business Continuity Management, ISO22301. “The business world is increasingly digital with systemic dependencies and a company’s effectiveness depends on its systems’ resilience,” says Eugene Taylor, managing director of TaGza and the UK’s Institute of Directors (IoD) constituent representative on the British Standards Institute TC223 committee. “Adherence to a reputable standard for business continuity like ISO22301 indicates that a company is serious about its organisational resilience and is thus a suitable partner. Think of it as a ticket to the dance—and a strategy for remaining in business.”
Mr Taylor was addressing a briefing on the new ISO22301 standard, hosted by ContinuitySA as part of Business Continuity Awareness Week. Business Continuity Awareness Week (BCAW) is an annual global event organised by the Business Continuity Institute (BCI) and, this year, took place between 18-22 March.
Although South Africa has fully adopted the new standard, obtaining certification here is problematic at present as the South African National Accreditation Service (SANAS) has not yet decided whether it is viable to accredit local companies who would in turn be able to provide certification to local organisations. Alternatively, this certification can be done via internationally accredited certification companies through the International Accreditation Forum (IAF) who are party to the Multi Lateral Agreement (MLA) currently in place, but this approach is likely to be expensive and geographically problematic. While this issue is being resolved, South African companies should take a positive step towards organisational resilience and begin to align themselves with the new standard in preparation for Certification.
“Business continuity has been incorporated into the principles of King III and so is already on the corporate agenda,” Mr Taylor notes. “As most of King II was incorporated into the new Companies Act (2008), I would not be surprised if we found the King III recommendations making its way into Company legislation in due course.”
Three valuable practical resources for companies contemplating this move are Hilary Estall’s Business Continuity management systems: Implementation and certification to ISO 22301, The BCI’s Good Practice Guide (GPG) and Business Continuity for dummies.
Mr Taylor said that before considering the upgrading of an existing business continuity management system or implementing one from scratch, they should follow four steps.
“First make a strong business case,” he says. “It’s also vital to obtain an enthusiastic sponsor in top management and a suitably qualified implementer.”
The next step is to obtain the buy-in of the executive team and board of directors, which will mean identifying the benefits and costs of the chosen approach over the entire life cycle. Allied to this is the process of putting together a comprehensive, realistic budget that covers not just the implementation but also delivery. “Don’t restrict the budget discussion to basic resourcing of personnel money, make sure you provide for technological support resources you will need to make business continuity management work,” Mr Taylor adds.
The final step is the important task of building relationships. At one level, this means obtaining buy-in from the enterprise as broadly as possible but also building relationships with those who do not initially support the move. “There are always the doubters but if you work closely with them, they can be brought round to seeing the real benefits,” Mr Taylor observes. “I’ve had instances in which those who were most hostile at the beginning of the process have become business continuity champions.”
Once these four steps have been completed, the company will be prepared to embark on its programme to comply with ISO22301—and thus demonstrate its reliability as a business partner or service provider across its entire value chain.