Understanding the updated ISO 22301 business continuity management systems standard

Resilience: See how this revised ISO can reduce business disruptions and recover from them when they occur

by Maureen Roskoski, CFM, SFP, ProFM, LEED AP O+M — This article originally appeared in the March/April 2020 issue of FMJ

Careful business resilience planning can mitigate the impacts of a disruption and allow your business to continue to function or recover more quickly.  The ISO 22301 Business Continuity Management Systems Standard (BCMS) can help the organization build its management system in clear and tangible ways by creating, implementing and training on the organization’s management systems’ requirements and procedures.  The BCMS is the framework for business resilience for the organization and generally consists of the strategy, procedures, solutions and education as shown in Figure 1.  This framework can build a strong, effective business resilience plan that will allow the organization to be prepared to avoid, mitigate and recover from adverse events.

Figure 1 – High=level Components of Business Continuity Management System

Figure 1 – High=level Components of Business Continuity Management System

The standard gets updated

ISO 22301 was initially released in 2012 and underwent its first revision in 2019.  While there are a few substantial changes to the standard, the majority of changes are to remove duplicative content, improve readability and terminology updates. All ISO management systems go through a systematic review every five years. Here are the significant changes to ISO 22301.

  • Clauses 4-7 – The ISO 22301 standard contains 10 clauses, identical to other management systems standards, as shown in Figure 2. Management system standards also align to the familiar Deming Cycle, or the Plan Do Check Act. Clauses 4-7 focus on the Plan portion of the cycle and set the foundation for the system. The standard now focuses on the organization understanding the issues that may affect its ability to achieve intended outcomes, including the amount and type of risk that may influence those issues. Significant changes to the Plan portion of the standard include removal of the term risk appetite, which was a poorly understood term, and replacing with a defined outcome. In addition, a section was added to Clause 6, which emphasizes the importance of planning and managing change to the BCMS.
Figure 2: Structure and Content of ISO 22301

Figure 2: Structure and Content of ISO 22301

 

  • Clause 8 is the heart of the standard and provides a framework to develop a business continuity plan based on a foundation of business impact analysis (BIA) and risk assessment (RA). There are several implementation items within Clause 8 that can be summarized into four main categories as shown in Figure 3.
Figure 3 – ISO 22301 Clause 8 Requirements

Figure 3 – ISO 22301 Clause 8 Requirements

Major changes to Clause 8 include updating the BIA requirements to provide more clarity on the process and include impact types and criteria relevant to the organization’s context to assess the impacts of a disruption on its essential functions. In addition, the standard now requires regular review of the BIA and RA at planned intervals (determined by the organization) to highlight the importance of maintaining the relevancy of those key components. An additional section was added to 8.3, the business continuity strategy section that introduces a requirement of strategies and solutions so that the organization meets its overall business continuity strategy. The concept is that the organization must identify initiatives to meet the overall business continuity strategy. For example, if personnel need an alternate work location to be able to continue operations if the facility is damaged, then the solution might be working from home or identifying another facility to work in.

  • Clauses 9-10 – Changes were made to Clauses 9 and 10 primarily to improve readability and clarity. There was an emphasis added to Clause 10 to ensure that continual improvement is directly related to evaluations conducted and that organizations improve their management system based on lessons learned.

Planning matters…

In our own experience, we have seen the impact of planning and preparation. FEA is a small business focusing on the built environment and helping clients improve the way they manage facilities. We have offices in Fairfax, Virginia (headquarters), Denver, Colorado, Santa Rosa, California, and Cheyenne, Wyoming.  FEA decided to pursue certification to make sure that we had an effective business continuity program so that we could continue to meet our client needs during a disruptive incident.  With offices across the country we faced varying threats to business disruption, and we needed a program, not just a set of documents that sit on a shelf. In 2015 we began implementing the ISO 22301 standard; in 2016 our headquarters was certified, and then re-certified in 2019. The process of becoming certified and building our business continuity management system put the foundation in place for FEA to respond and recover from real emergencies in our Santa Rosa, California, office. In October 2017, our BCMS was put to the test during the Santa Rosa wildfires:-

Tubbs Fire, October 2017

  • Most destructive fire in California history (at the time)
  • 36,810 acres burned
  • 5,643 structures destroyed
  • 2,900 homes lost (City of Santa Rosa)
  • US$1.2 billion estimated damages (City of Santa Rosa)
  • 5 percent housing stock destroyed (City of Santa Rosa)

During the 2017 wildfires, the FEA Santa Rosa office was closed for two weeks, and some employees were evacuated from their homes for a significant period. It was disruptive, but even as the incident progressed, the Santa Rosa employees were able to keep working during the disaster using the procedures we put in place. Our planning allowed us to continue operations and meet the ongoing needs of our clients. We learned a few things, particularly around communications, but overall, we were proud of our response. Everyone knew their role and what to do in the immediate aftermath.

In the fall of 2019, we faced a similar threat as the Kincade fire threatened the Santa Rosa area.

Kincade Fire, October 2019

  • 78,000 acres burned
  • 374 buildings destroyed
  • 180,000 residents evacuated
  • FEA office and employees evacuated for 4 days

During this wildfire event, FEA was again able to continue operations and found the process went smoother than in 2017. We learned a lot about communication in the first event and streamlined our communication protocols to ensure consistent communications. This allowed all employees across the organization to understand how they would be notified about decisions and updates, which helped ease anxiety and set clear expectations. By applying lessons learned from our previous experience, employees knew what to expect and were prepared.

Other ISO management system standards

While our focus has been on ISO 22301, management systems — whether 22301, 9001, 41001 or 55001 — are useful tools that help an organization put a laser focus on operations and meet core objectives. The standards are outcome-based and allow some flexibility in how you achieve those outcomes. Each organization can determine the scope of the management system and scale it to meet the organization’s needs. For more information on these standards, “The Right Fit,” an article appearing in the 2016 May/June edition of FMJ, provides a helpful summary.

Conclusion

Business continuity planning is essential for any organization, as we have experienced. The most recent revisions in the 22301 standard have provided clarity and streamlining; with less repetition of requirements that often caused confusion, it is much easier to navigate.  Although committing to an ISO certification may seem daunting, that commitment is what will make your business continuity plan most effective. Requirements such as the annual auditor’s visit are a great way to make sure you are implementing your plan and that it is not just sitting on a shelf. The other major benefit to ISO certification is the continual improvement requirements. It is not enough to meet the standard requirements each year; your organization must show improvement based on exercising your plan or implementing your plan in an incident. The revised ISO 22301 standard can be a valuable tool to help your organization build a strong, effective and repeatable business continuity program.

About the author

Maureen RoskoskiMaureen Roskoski is a Senior Professional at FEA with over twenty years of experience in facility management consulting.  Maureen is FEA’s internal Business Continuity Lead and helped FEA adopt business resilience as part of the company culture as we achieved ISO 22301 certification at FEA’s corporate office.  Maureen has worked with clients on continuity of operations plans (COOP), organizational assessments, FM technology process improvement, sustainability and resilience planning.  Maureen has facilitated drills, educational activities, and tabletop exercises and is an approved Instructor for industry associations, including IFMA and the Northwest Energy Efficiency Council, teaching adult continuing education courses. 

FMJ, the official magazine of the International Facility Management Association (IFMA), is written by and for workplace professionals and is published six times a year. FMJ is the only magazine that draws on the collective knowledge of IFMA’s global network of thought leaders to provide insights on current and upcoming FM trends. For more information on FMJ, visit www.ifma.org/publications/fmj-magazine.

Articles in FMJ are the exclusive property of IFMA and are subject to all applicable copyright provisions. To view abstracts and articles not shown here, subscribe or order individual issues at www.ifma.org/publications/fmj-magazine/subscribe. Direct questions on contributing, as well as on permission to reprint, reproduce or use FMJ materials, to Editor-in-Chief Bobby Vasquez at Bobby.Vasquez@ifma.org.

IFMA, founded in 1980, is the world’s largest and most widely recognized association for facility management professionals, supporting 24,000 members in more than 100 countries. IFMA advances collective knowledge, value and growth for Facility Management professionals. IFMA certifies professionals in facility management, conducts research, provides educational programs, content and resources, and produces World Workplace, the largest series of facility management conferences and expositions. To join and follow IFMA’s social media outlets online, visit the association’s LinkedIn, Facebook, YouTube and Twitter pages. For more information, visit www.ifma.org.