Business continuity (BC) is an iterative process that results in living documents, such as BC plans. This requirement...
overlaps with the well-known Plan-Do-Check-Act (PDCA) model that is used for the control and continuous improvement of processes, procedures and products.
- Plan: Define objectives and expected results, and outline processes to achieve the desired results.
- Do: Perform the process(es) as designed and track the results for use in the Check activities step.
- Check: Examine what happens when the processes are executed; identify what did and did not work; document variations from the original plan and changes in the processes that improved the overall results.
- Act: Once the Check activities step confirms the processes work as designed, they can be put into production, turned into formal procedures and standards, and used to create products and services.
Once the Act step has been completed, the process starts again with the goal of finding ways to continually improve the original processes and/or products.
In fact, the PDCA process is often characterized in a wheel format, such as in Figure 1 below.
PDCA and business continuity
An examination of global BC standards ISO 22301 (specifications) and ISO 22313 (how-to guidance) finds the PDCA process prominently displayed at the beginning of each standard. Both standards also define a business continuity management system (BCMS) and the many activities a BCMS supports. The PDCA model is essential to the ongoing development and improvement of the BCMS, and each step can be identified in the standards. The ISO uses the PDCA process model in many of its standards, particularly those that recommend the use of management systems, such as ISO 27001 (information security management) and ISO 9000 (quality management).
ISO 22301 states the PDCA process is used for "planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization's BCMS."
Figure 2 depicts how the PDCA overlays business continuity activities.
The Plan-Do-Check-Act process reinforces the importance of business continuity as an ongoing, iterative process. Incoming requests for BC activities, such as plans, assessments and exercises, originate in the course of managing the BCMS. These requests are turned into requirements that are addressed by the PDCA process embedded in the BCMS. Outputs from that process can be completed plans, completed exercises and refinements to the BCMS.
The following table explains how BC activities map to the PDCA process model.
What if you don't follow the PDCA process model?
While the PDCA model stresses continual improvement and a prescribed sequence of activities, it's not uncommon for some BC activities to occur out of sequence, based on the above model. For example, suppose a requirement for a BC plan is defined for a new department or a newly acquired remote office. Because of time constraints, there's no time to get the plan done properly -- completing a business impact analysis (BIA), finalizing a risk analysis and defining strategies. In effect, we may be forced to skip some of the key "plan" activities.
Given such circumstances, you can leverage the resources you already have, such as existing plans/templates or BC software tools, and make assumptions regarding key plan attributes, like recovery time objectives, dependencies, contact lists and incident response procedures. While this is not recommended, it’s sometimes necessary, so your BCMS must be flexible and adaptable.
Tips for leveraging PDCA
Plan-Do-Check-Act is a structured process model, so let it serve as a framework for your business continuity management system and related activities. The same is true of the ISO 22301/22313 standards. How you execute specific activities defined in the standards is entirely up to you and your organization's management team.
If you simply don't know how to perform certain BCMS activities, such as a BIA or BC plan exercise, there are plenty of resources available to assist you. The Rothstein Catalog has a large selection of books, CDs, references and tools that will simplify your efforts. Organizations like the Business Continuity Institute and the Continuity Central website provide access to extensive tools and guidance to further assist you.
The PDCA model and ISO 22301/22313 standards are important from an audit perspective. If it's likely your BCMS will be audited, be sure to organize your BCMS along the structure of the two ISO standards to ensure audit compliance. Sometimes an auditor may wish to see evidence that your BCMS follows the PDCA process. By aligning your BCMS with ISO 22301/22313, you will demonstrate compliance with PDCA.
Finally, if you wish to secure formal certification (via self-certification or a third party) that your BCMS is compliant with ISO standards, you should organize your BCMS along the ISO structure. Specific BC activities, such as BIAs or plan exercises, can be designed and implemented according to your policies and procedures, and with support from senior management. Just ensure they are documented in your BCMS playbook for auditor review.
The importance of using a continuous improvement process
Integrate a BCMS into your organization
Find the most useful BC standards for your organization