This perspective takes a look at one element of Clause 9.3, the management review (a process that Riskonnect feels is one of the most valuable elements of ISO 22301).
ISO 22301 is the first standard to employ the new ISO format for management systems standards, which involves a considerable amount of “templatized” management system content across ten clauses. Because this format, language, and many of the requirements are new to most business continuity professionals, it’s important to review and consider the intent associated with some of the content and concepts.
This perspective is the second in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.
Today we’re going to take a look at one element of Clause 9.3, the management review (a process that Riskonnect feels is one of the most valuable elements of ISO 22301).
Clause 9.3 – Management review
Top management shall review the organization’s BCMS, at planned intervals, to ensure its continued suitability, adequacy, and effectiveness.
Robert Burns penned the quote, “The best laid plans of mice and men often go awry.” In no profession is this idea more relevant than in business continuity. What immediately comes to mind may be the inevitable deviation from a well-crafted crisis management or business continuity plan or that once-in-a-million event that even the most thorough plans do not address. This perspective will focus on “the other” area that can derail the effectiveness of not just one plan, but rather an entire business continuity program or management system. This elusive area is simply the lack of support and/or input from management and other key decision makers in any organization. This perspective is meant to delve deeper into garnering management and executive support through the management review process. Without support from senior leadership, support for business continuity initiatives, as well as business continuity solution performance, will quickly decline.
The question then becomes how does one engage “top management,” secure support for the business continuity management system and its initiatives, and ensure that recommendations are taken seriously without simply being balked at when there happens to be a price tag associated with preparedness efforts. The answer is seemingly easier said than done: involve – in a recurring manner – senior leadership in the business continuity planning process. Conducting effective management reviews is one way to work towards this goal.
A key component of ISO 22301, the management review is an essential systems component in ensuring that management is aware of important aspects of the business continuity planning effort and works to engage actively in any issues, audit findings and customer feedback (to name a few), leading to the prioritization of continual improvement opportunities. Perhaps even more importantly, the management review is about awareness, building relationships, and establishing the business continuity effort as a key element of the organization’s risk management program. All parties should be able to walk out of a management review session feeling that the organization is better off than where it started and that business continuity will continue to be a priority – focusing on the right things at the right time – throughout the organization. While ISO 22301 lists a fairly comprehensive set of guidelines that detail what management shall consider as part of recurring management reviews, the following list summarizes (paraphrases) these requirements:
- Ensure the business continuity management system aligns to organizational and strategic objectives
- Identify ways to make business continuity simpler and more effective
- Avoid the use of jargon and acronyms
- Follow-up on previous issues and make sure that management is aware of any deficiencies
- Address any feedback from recent incidents and analyze them for areas of improvement
Let’s take a deeper dive into each.
Ensure the Management System Aligns to Organizational and Strategic Objectives
One of the most important aspects of conducting a business continuity management review is to remember the audience. To maximize the effectiveness of a management review, the business continuity practitioner should think in terms of critical products and services and align program results to the organization’s overall strategic direction. The business continuity practitioner should convey how a well-run business continuity management system can contribute to the continued ability of the organization to deliver key products and services (and the implications if it fails to do so). It is very easy to get lost in false metrics that don’t demonstrate value outside of the business continuity team. While documenting metrics specific to the number of BIA interviews or plan updates has its place, it is often far too easy to dwell on numbers without linking everything back to the recoverability of core products and services that the organization provides. At the end of the review session, management should have a better understanding of the capabilities of the organization to actually respond to and recover from a disruptive incident, not just which departments or business units didn’t complete their annual plan updates.
For more information metrics, check out: Business Continuity Metrics
Make Business Continuity Simpler and More Effective
Let’s face it, business continuity can be complex. The combination of business continuity and IT disaster recovery can be even more complex. While developing materials for a management review, be sure to make things as simple as possible. If you can describe a business continuity concept using every day language, do so. The management review provides a golden opportunity to sell the business continuity program; however, many practitioners tend to overwhelm non-business continuity professionals with their own knowledge and expertise by providing unnecessary details that cause managers to quickly lose interest. This same mentality can be applied not just to a management review but to all aspects of a well-run business continuity management system. When you can choose to go with a 200 page recovery plan or a checklist with only the essential information, go with the checklist. Business continuity should be about achieving results in the event of disruption. Adapt the “do more with less” slogan for your program and apply it to the management review process as well.
Avoid the use of Jargon and Acronyms
Business continuity professionals love acronyms. BIA, RTO, RPO, MAD, MTPOD, BC, DR, ITDR, BCMS etc. I could continue but this would likely bore this audience… AND, if it would be boring for me to continue using acronyms in this article for business continuity professionals, why do business continuity professionals continue to overload materials designed for management with these same terms? All it does is lead to a decreased understanding and interest and create a situation that could potentially alienate key managers and stakeholders? As a way to simplify materials for use in management review, try to avoid acronyms when possible, especially if you are dealing with leaders whose day to day activities are usually not business continuity related. This goes back to remembering who your audience is. A management review is an opportunity to give management a glimpse at the business continuity program and examine response and recovery capabilities of the organization – using THEIR language. If management doesn’t understand what you are conveying because of too many industry specific terms and acronyms, this creates a barrier in conducting an efficient management review and gaining continued support for business continuity initiatives.
Follow-Up on Previous Issues
Identifying opportunities for improvement and revising policies and procedures is an important part of the management review process. Even though these actions are important, it is very easy to become lost in a sea of planned action items, activities that get pushed to the side or delayed, or outdated and overly complex policies and procedures that seem to be more focused on planning for planning’s sake as opposed to actually improving the resiliency of the organization. Just because an item was identified for remediation five years ago, it does not mean that it still needs to be completed to align with organizational objectives. Management reviews should be treated as an opportunity to go through recommendations, determine which are actually relevant to the organization’s objectives and strategic direction, and make changes accordingly. Items identified for improvement shouldn’t be considered just because they make it on the rolling list of action items, they should be considered because through remediation, the organization would see a tangible benefit that seeks to drive major goals and objectives. The business continuity practitioner can aide in this process by reviewing items before the meeting and making recommendations as to which items could benefit the organization and which to remove from consideration. This approach will set leadership up to endorse value-adding recommendations, which reflects positively on you. And, who doesn’t want to look good in a meeting with organizational leadership?
Address Recent Incidents and Use them to Build Awareness
At some point in time, every organization will experience a disruption of some sort. It may be as minor as a forced evacuation of an office or as significant as a three-month loss of a distribution center. The management review session should provide an opportunity to address the effectiveness of the organization’s response and recovery from recent incidents. All incidents provide feedback that can be used to legitimize the importance and effectiveness of a business continuity management system and its strategies. Management reviews should present an honest assessment of what went well and what didn’t and provide recommendations to move forward. It can be natural to want to shy away from examining the response to a disruptive incident, especially if it didn’t go as planned; however, difficulties should be addressed in such a way that creates actionable results. The management review session creates a forum to discuss these results. An actual disruption can provide an opportunity in the form of building awareness and ensuring that stakeholders see the value in maintaining a robust business continuity program.
Management reviews provide an excellent opportunity to review the organization’s current status, identify areas for improvement, and build support for future business continuity initiatives. By focusing on the needs of the audience and ensuring alignment of business continuity activities to the organization’s overall strategic direction, the business continuity professional can see senior leadership as partners in the business continuity planning process. Your plans and initiatives don’t have to go awry, if you involve the right stakeholders and portray activities in a way that is relevant for key decision makers within your organization.
Continue to visit our blog for more posts in Riskonnect’s Conforming to ISO 22301 series.
In the meantime, don’t hesitate to reach out to us to discuss aligning to the standard or pursuing certification. We look forward to hearing from you!