The new global standard for business continuity, ISO 22301, underscores the importance of teams, particularly defining the roles and responsibilities of team members, training them properly, and ensuring the ongoing competence of team members. The following tips will ensure you are compliant with ISO 22301's provisions. Note that the issues addressed also apply to disaster recovery programs.
When building a business continuity management system (BCMS), among the most important activities is identifying employees to participate in the BCMS in several capacities:
- Administrators (i.e., business continuity director/manager)
- Staff (i.e., business continuity analysts)
- Business continuity liaisons (members of other departments with BCMS duties)
- Business continuity response teams (e.g., incident response teams, damage assessment teams, emergency management teams, business recovery teams, technology recovery teams)
In addition to full-time employees, it may be appropriate to include vendors, consultants and other specialized contractors as members of these teams.
When building a business continuity program, staffing the associated teams is one of the most important activities. Be sure that when you secure approval for the program, you also obtain approval for funding the teams. Once you've established the need for specific teams, do the following:
- Define the teams and their roles and responsibilities.
- Identify team members and assign their roles and responsibilities.
- Determine the training team members need to perform their roles and responsibilities.
- Determine whether to develop the training in-house or to obtain it from qualified external sources.
- Organize the teams and conduct training.
- Schedule and conduct exercises so that teams know their roles and responsibilities.
Be sure to document all your activities for future review and audit.
At a governance level, ISO 22301 states that senior management supports the "establishment, implementation, operation, monitoring, review, maintenance and improvement of the BCMS by establishing roles, responsibilities and competencies for business continuity management." Senior management is also responsible for identifying a suitably qualified manager to lead the BCMS activity and to report regularly to management on its status. Senior management may also identify an executive-level group to oversee BCMS and disaster recovery programs; this is often called a "steering committee" and serves as a link between the BCMS and top management.
The person assigned responsibility for launching and managing the BCMS (i.e., the business continuity manager) is also responsible for defining the roles and responsibilities for BCMS teams and supporting staff. He/she is also responsible for ensuring that employees and non-employees selected for team membership are suitably qualified and also properly trained to perform their duties in an incident. The process of identifying and qualifying team members should be coordinated with human resources.
When defining team roles and responsibilities, discuss your ideas with the human resources, risk management (if you have such a department), security (physical) and facilities departments. Individuals selected for a specific role may not be the best possible choice. An effective way to assess this is, when conducting exercises and tests, to watch individual performances very closely and re-evaluate their roles as needed based on exercise results. Be sure to work with human resources on this.
An important consideration when selecting business continuity teams is how they are likely to respond and perform in a real disaster. In a test situation, individuals may perform with no obvious difficulties, such as hesitation, anxiety or even fear. Work with human resources to identify ways to screen prospective team members and identify any potential issues that could appear in a real disaster situation.
The issue of "competence" is an important one in the ISO 22301 standards. Specifically, ISO 22301 calls for a process that not only defines and delivers training to team members, but also requires the creation of procedures to ensure that team members are competent to perform their duties. This includes participating in plan exercises and other events that test an individual's (and a team's) ability to perform in a disaster situation. In addition, the standards encourage tracking, evaluating and recording the training activities of each team member. Coordination with human resources for such an activity is recommended.
ISO 22301 also recommends integrating BCMS roles, accountabilities, responsibilities and authorities into job descriptions and skill sets, and then reinforcing them by including them in the organization's appraisal, reward and recognition policies. Again, partnering with human resources is highly recommended.
Finally, examine resources from the Federal Emergency Management Agency, Business Continuity Institute, International Center for Organizational Resilience and DRI International.
When building your business continuity management system, be sure to follow the ISO 22301 standards carefully so that your BCMS teams will be fully prepared for an incident and your team members will be able to demonstrate their competence.
About the author:
Paul Kirvan, CISA, FBCI, has more than 24 years of experience in business continuity management (BCM) as a consultant, author and educator. He has completed dozens of BCM consulting and audit engagements that address all aspects of a business continuity management system and are aligned with global standards, including BS 25999 and ISO 22301. Kirvan currently works as an independent business continuity consultant/auditor and is secretary of the Business Continuity Institute USA chapter and member of the BCI Global Membership Council. He can be reached at [email protected].
How to prepare an annual BCMS schedule