Prioritize your critical functions for business continuity during times of crisis - ISO 22301:2019

By Ananya Chowdhury

September 22, 2020

Introduction

Businesses are established with the intention of continuing to operate profitably for the foreseeable future, and business plans often project this aspiration. But what happens in the event of unforeseen, disruptive incidents? Whether it be a natural disaster, cybersecurity attack, or a pandemic, the impact can be detrimental.

Although one can never predict if or when such incidents will occur, there is a responsibility for leaders to prepare the organization to their best ability; one way to do this is through a strategic, resilient approach involving a Business Continuity Plan (BCP). A BCP is designed to keep the business afloat despite the circumstances, by allowing it to remain operational and productive.

A significant part of BCP is to identify critical business operations. Critical functions are ones which if interrupted, can lead to serious financial (and other) problems, which will have the most negative impact on the organization. In essence, a business that cannot sustain critical functions cannot remain viable.

Categorizing the impact of disrupted business functions in the event of a crisis can help in prioritizing their effect on business sustainability. If a business is to be sustainable, restoration of these critical business activities needs to be achieved within a determined time frame.

Current Situation: Business Continuity in 2020

The current pandemic has posed many challenges that have severely restricted several business functions. In an effort to keep their businesses afloat and continue delivering products or services, many organizations have already triggered their BCP.

The challenge arose when inadequate BCP testing left organizations unable to function effectively while working remotely during the pandemic. The obstacles came in various forms, including scarce laptops, inadequate VPN licenses, test environments exposed without adequate protection, use of personal laptops, and a lack of remote access policies. These unprecedented times have highlighted the importance of not only having a BCP but also testing it regularly, so that all possibilities are considered and accounted for.

Role of ISO 22301:2019

Organizations seeking to comply with a reliable BCP standard can refer to the International Organization for Standardization (ISO) standard 22301:2019. This standard lays down a framework that an organization can use to understand the necessities of an effective BCP. It helps to protect the business as well as its reputation, allowing organizations to stay agile and resilient in the face of unexpected interruptions.

Why ISO 22301:2019?

  • Demonstrates credibility to shareholders and other key stakeholders
  • Ensures compliance with industry standards, which positively affects customer acquisition and retention
  • Protects critical business assets
  • Safeguards brand integrity, thus encouraging confidence among customers and employees
  • Reduces financial risk
  • Gives a competitive advantage

Measuring your readiness during the crisis

Considering the problems faced during the current pandemic and other similar large-scale disruptions, it is important to have strategic plans in place to mitigate these risks. The ultimate preventative measure is the implementation of a business continuity management system (BCMS).

An effective BCMS includes a Business Impact Analysis (BIA), a Risk Assessment (RA), and a BCP. The BIA and RA are used to identify and prioritize critical business processes and are crucial steps that feed into the BCP. They project the impact of a disruption to critical functions across financial, operational, reputational, and service parameters. They also evaluate infrastructure resilience.

A BIA looks at core operations, critical business functions, resources, and dependencies. It then determines recovery strategies and backup optimization. This is achieved by calculating the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). The RTO is the maximum time frame that business activities can be down following a disruption without causing significant damage. The RPO is defined as the maximum time frame in which the system and data must be recovered following a disaster.

In order for the BCP to be successful, organizations should also perform a business-continuity-focused RA. The objective is to identify and assess the risks to which the organization and its assets could be exposed, and how much damage each risk could cause.

The third component of the BCMS is the BCP. Taking the BIA and RA into account, the BCP details the controls to be implemented to mitigate the identified risks, as well as how the organization would respond if they materialize. Beyond this, businesses are advised to continually develop, test, and review their BCP to ensure it remains as effective as possible.
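The BIA and RA steps described above are easier to reason about with numbers attached. The following script is an added example, not code from the article or from Paladion: it ranks business functions by a weighted impact score over the four parameters the article names (financial, operational, reputational, service), scores each risk as likelihood times impact, and checks each function's current backup interval and estimated restore time against its RPO and RTO. It uses the ISO 22313 reading of RPO as the bound on how old the most recent recoverable copy may be, so the backup interval must not exceed it. Every function name, weight, score and number below is constructed for illustration.

```python
"""Business Impact Analysis (BIA) and Risk Assessment (RA) helper.

Added example (not from the article). All names and figures are constructed.
"""
from dataclasses import dataclass

# Weights per impact parameter; they sum to 1.0 so scores stay on the 1-5 scale.
# The weights are an assumption for this example, not values from the article.
IMPACT_WEIGHTS = {"financial": 0.4, "operational": 0.3, "reputational": 0.2, "service": 0.1}


@dataclass
class BusinessFunction:
    name: str
    impact: dict                    # 1 (negligible) .. 5 (severe) per parameter
    rto_hours: float                # maximum tolerable downtime
    rpo_hours: float                # maximum age of the last recoverable copy
    backup_interval_hours: float    # how often a recoverable copy is taken today
    estimated_restore_hours: float  # how long a restore takes with current capability


def impact_score(fn: BusinessFunction) -> float:
    """Weighted impact of losing this function, rounded to two decimals."""
    return round(sum(IMPACT_WEIGHTS[k] * fn.impact[k] for k in IMPACT_WEIGHTS), 2)


def prioritize(functions: list) -> list:
    """Highest impact first; ties broken by the shorter (more urgent) RTO."""
    return sorted(functions, key=lambda f: (-impact_score(f), f.rto_hours))


def recovery_gaps(fn: BusinessFunction) -> list:
    """Return the RPO/RTO targets the current backup and restore capability cannot meet."""
    gaps = []
    if fn.backup_interval_hours > fn.rpo_hours:
        gaps.append(f"RPO gap: backups every {fn.backup_interval_hours}h exceed RPO of {fn.rpo_hours}h")
    if fn.estimated_restore_hours > fn.rto_hours:
        gaps.append(f"RTO gap: restore takes {fn.estimated_restore_hours}h but RTO is {fn.rto_hours}h")
    return gaps


def risk_rating(score: int) -> str:
    """Map a likelihood x impact score (1..25) to a rating band (thresholds are assumptions)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def assess_risks(risks: list) -> list:
    """risks: (name, likelihood 1-5, impact 1-5) -> [(name, score, rating)], highest score first."""
    scored = [(name, lik * imp, risk_rating(lik * imp)) for name, lik, imp in risks]
    return sorted(scored, key=lambda r: -r[1])


# Constructed sample inventory: scores and hours are illustrative only.
CONSTRUCTED_FUNCTIONS = [
    BusinessFunction("Payment processing",
                     {"financial": 5, "operational": 4, "reputational": 5, "service": 3},
                     rto_hours=2, rpo_hours=0.25, backup_interval_hours=1, estimated_restore_hours=4),
    BusinessFunction("Customer portal",
                     {"financial": 3, "operational": 4, "reputational": 4, "service": 5},
                     rto_hours=8, rpo_hours=4, backup_interval_hours=4, estimated_restore_hours=6),
    BusinessFunction("Internal wiki",
                     {"financial": 1, "operational": 2, "reputational": 1, "service": 2},
                     rto_hours=72, rpo_hours=24, backup_interval_hours=24, estimated_restore_hours=8),
    BusinessFunction("Payroll",
                     {"financial": 4, "operational": 3, "reputational": 3, "service": 2},
                     rto_hours=24, rpo_hours=8, backup_interval_hours=24, estimated_restore_hours=12),
]

# Constructed sample risk register: (name, likelihood, impact).
CONSTRUCTED_RISKS = [
    ("Ransomware on file servers", 4, 5),
    ("Pandemic forces office closure", 2, 4),
    ("VPN licences exhausted by remote staff", 3, 3),
    ("Regional power outage", 3, 2),
]


if __name__ == "__main__":
    print("BIA priority order:")
    for fn in prioritize(CONSTRUCTED_FUNCTIONS):
        gaps = recovery_gaps(fn) or ["no gaps"]
        print(f"  {impact_score(fn):>4}  {fn.name:<22} RTO={fn.rto_hours}h RPO={fn.rpo_hours}h  {'; '.join(gaps)}")
    print("Risk assessment:")
    for name, score, rating in assess_risks(CONSTRUCTED_RISKS):
        print(f"  {score:>2}  {rating:<6} {name}")
```

The useful output is the gap list: a function can sit at the top of the priority order and still be unrecoverable within its targets, which is exactly what untested plans tend to hide. Running the sample shows payment processing with both an RPO and an RTO gap despite being the highest-impact function, and payroll with an RPO gap because a daily backup cannot satisfy an eight-hour RPO.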

Recommendations

Disruption to operations can have a disastrous impact on an organization. To sustain the business during a crisis, organizations need to adopt the best industry practices.

Here are some key ways to minimize the risks associated with disrupted business functions:

  • Maintain and periodically test your BCP, its processes, and its strategy to ensure their effectiveness
  • Enhance the utilization of virtualization
  • Conduct business continuity awareness and training programs
  • Sustain your business with cloud services during a crisis
  • Boost connectivity and collaboration
  • Use remote replication

Outcomes

By adhering to ISO 22301, businesses can be confident that they have taken all measures to continue operating in the event of a disruptive incident. It is an effective step towards resilience, recovery of critical business functions, and resuming Business As Usual (BAU) operations following the event.

How Paladion can help

Paladion has been working with critical businesses around the globe and has helped develop robust business continuity models. These business continuity and disaster recovery models are conscientiously designed, developed, and tested to ensure steadiness and stability in business operations during and after an incident that affects business continuity.

Using ISO 22301, the business continuity and disaster recovery models we help develop act as an incentive for an organization to assess its security controls and compliance, and also help it remain composed during a crisis.

Paladion’s advisory services on business continuity, in conjunction with its implementation and auditing services, have helped organizations re-define their operations during the Covid-19 pandemic. These re-engineered operational models have become the new normal for many businesses today.


Speak to a Paladion consultant to set up a custom business continuity framework now.