2nd Annual Survey
The Adoption of ISO 22301 Published October 2013
The Adoption of ISO22031
Introduction
The Business Continuity Institute (BCI) undertook a survey of its members and the wider Business Continuity community in 2012, immediately following the publication of the Business Continuity standard ISO 22301. This study looked at three basic questions:
What does the current landscape look like with respect to the adoption of BCM standards?
How is ISO 22301 likely to be received by the BCM community?
What are going to be the benefits and difficulties in adopting ISO 22301?
The results of the 2012 survey were published in two parts, the first one in the summer and the second at the BCM World Conference in November. Given that by November more evidence was available about the practicalities of implementing the standard, some additional issues were addressed in the subsequent report. These focused primarily on:
Who is involved in the decision making process and the development of a business case for adoption.
What transition issues were perceived to be challenging in moving from the earlier British Standard BS 25999.
The reasons that are given for not following ISO 22301.
It was felt that it would be useful, one year after the initial study, for the BCI to recirculate the survey to its members and supporters to see how these views had changed based upon real experience rather than expectation. This report is being published to coincide with a paper presented by LRQA™ at the BCM World Conference in November 2013.
About the survey
The field work for this survey took place during September 2013. All BCI members were contacted and provided with the survey link. The survey was also promoted on the BCI main website (public access) and the Continuity Central™ website. The survey attracted 417 respondents, which was 32% lower than the 613 who replied in 2012. This is probably not unexpected, as the 2012 survey was launched amid much global publicity and promotion of the standard itself. The respondent numbers are still considered encouraging and suggest an ongoing interest in the topic. As in 2012, respondents came from an international audience, with 61 countries represented, and were non-sector specific, with 15 industry sectors represented.
Key findings
We learned the following from the survey:
The interest in the standard remains high, with medium sized firms in predominantly Business to Business markets particularly involved. Regulated firms are much more likely than non‐regulated firms to adopt the standard
The intent to align to the standard rather than fully comply or certify remains the dominant intention. However in each of the three categories – Align, Comply, Certify – the intent to move ahead in the next 12 months is much greater than it was in 2012
The formal certification community is still fighting a difficult battle as over 60% of respondents prefer to use an in‐house approach to BCM
The claimed benefits of a Business Continuity Management System (BCMS ) are still not proven but the majority of respondents felt it helps with cooperation, communication and building confidence, both internally and externally
There is a strong level of support for the idea that ISO 22301 explains what needs to be done, although not necessarily how to do it
Those who have previously used BS 25999 find the transition to ISO 22301 far easier than those who are not experienced in using any formal BCMS
Few organizations have provided specific funds for ISO 22301 implementation and the availability of any additional BCM budget seems fairly widespread
Generally it was felt that ISO 22301 was a good standard with applicability to all parts of an organization. A better method of measuring its effectiveness needed developing to help get better business buy‐in
Conclusions
Generally it was felt that ISO 22301 was a good standard with applicability to all parts of an organization. A more consistent method of justifying expenditure on a Business Continuity Management System and ways of measuring its effectiveness (rather than just compliance) was needed to help get better business buy‐in.
Respondent company profile
Sector
The survey provided an interesting insight into the types of companies that are interested in this topic. Looking first at sector, 60% of all respondents came from Financial Services (25%), Professional Services (22%) and ICT (13%). This suggests that BCM is still strongest in areas where the product/service is essentially information (virtual) rather than physical. This would make it more comparable with ISO 27001 (Information Security) than with ISO 9001 (Quality), which is more widely adopted in manufacturing, logistics and the delivery of physical products.
Size
The sizes of company varied widely, with the median sized company being 1000-5000 employees (24% of respondents). Interestingly, small companies below 50 employees made up the second largest block at 13.7%. A significant number of respondents in this category came from consultancies and organizations involved with either BCM or Standards as part of their commercial activities, and are therefore not necessarily typical of the general SME sector. Only 6% of respondents were from large companies with more than 100,000 employees.
Market
Respondents were asked if they were in Business to Business (B2B), Business to Consumer (B2C) or public services (free at the point of delivery) markets. Multiple selections were permitted. B2B topped the list at 62.1%, followed by B2C at 47.5% and public sector at 14.8%. This seems to reflect the influence the ultimate customer has on organizations. In the B2B market-place clients are likely to be informed and focused on supplier performance. In the B2C market this is less the case.
Regulation
It is often claimed that regulated firms are more interested in standards than non-regulated ones of similar size. Our respondent analysis seems to support this. 56.8% of respondents said their business was subject to some form of BCM regulation. A further 30.6% said that although BCM was not included, they were subject to a regulatory framework. Only 17% of all respondents worked for a totally non-regulated organization. Multiple selections were permitted. The ‘stick’ of regulation still seems much stronger than the ‘carrot’ of business benefit.
Organizational approach to standards
Which of the following statements best describes your current organization's approach to BCM standards?
[Chart: share of respondents choosing each option: We comply with an existing standard; We are certified against an existing standard; We have developed an in-house approach which aligns with one or more standards; We have developed an in-house approach and do not seek to align, comply or certify with standards; Don't know]
The results of this question can be viewed in both optimistic and pessimistic ways. It is good that most respondents are interested in some form of connection with existing standards and that those who reject them entirely total only 8.6%. It is concerning, however, that most respondents (62%) use an in-house approach. In this situation what is meant by aligning with one or more standards seems to be rather vague and sometimes might not differ very much from those who claim an in-house approach without reference to standards. The strongest support for standards (compliance and certification) is just under 30%, which is quite a strong showing after the relatively short time that ISO 22301 has been available. Comments include:
A major business unit is certified against ISO 22301, not the whole organization
BCM is handled as a component of ERM in our business
In process of aligning with ISO 22301
We are certified against ISO 27001 and ISO 9001
I have been tasked to align with the Standard but not to seek certification
Following BS 25999 standards but not fully comply with it
We were certified to BS 25999 and successfully transitioned certification/passed the ISO 22301 audit
We advise on BCM for other companies
Compliance to an existing standard is selectively done for select locations
Our certification has changed from BS 25999 to ISO 22301
We were aligned with BS 25999 – we are shifting to ISO 23001
Not sure if we will seek to comply, but it is a possibility
We have aligned our in-house BCM approach modelled on BS25999 and now adjusting to ISO22301
Alignment, compliance or certification
Which of the following actions is your organization likely to take and when?
[Chart: number of respondents (0 to 350) intending to Align with ISO 22301, Comply with ISO 22301 or Certify to ISO 22301, by timeframe: in next 12 months, 12-18 months, 18-24 months, 24-36 months]
This question was first asked in 2012. There now appears to be some polarization between responses this year. On the plus side, many more intend to take positive action in the next 12 months than in the previous survey. Align scores 48% (22% in 2012), Comply scores 23% (8% in 2012) and Certification scores 11% (5% in 2012). Don’t knows (not shown in the chart, but 42, 65 and 52 respectively) are included in the calculation. It also looks as if more have decided not to do any of these things. The answer to “we will not do this” scores Align 10.3% (7% in 2012), Comply 22.8% (19% in 2012) and Certify 38.5% (28% in 2012). On consideration this is again not unexpected. In 2012, little was known about the new standard, so definite judgment about adoption or not was inevitably vague. As opinion has firmed up, some of those who were concerned now see positive benefits of (at least) aligning, and so many more are planning to do so over the next 12 months. The figures also suggest that we will see a good increase in the number of organizations both complying and certifying in 2014. The significant increase in those planning to align does suggest that ISO 22301 is getting widespread acceptance as the definitive standard to use if you are intending to implement a BCMS. Some organizations that already have their own BCM embedded in their business will not wish to implement a formal BCMS. They might support the principles of ISO 22301 but not necessarily the practical implementation. It is also true that in some countries, organizations may prefer their local BCM standards or regulatory guidelines to ISO 22301. This probably explains the respondents who definitely will not embrace ISO 22301. Some interesting responses include:
We use the standards of the Dutch National Bank
We prefer to align to the BCI GPG 2013
We recommend our clients that they do use it
We use ISO 27001 and ISO 9001
FFIEC is what we follow
We won't do it personally, but our clients may wish their product to be certified
We are already aligned, do not want to get certified
All depends on client pressure
ISO 22301 will be treated as a partial input to our approach
We prefer NFPA 1600 Standard Alignment
Value of having ISO 22301 in place
For each of the statements below, please state how strongly you agree or disagree based on your experience.
[Chart: responses (Strongly agree / Agree / Neither agree nor disagree / Disagree / Strongly disagree / Don't know) to the statements: ISO 22301 supports an increased understanding and better response to risk…; ISO 22301 improves collaboration and co-ordination with ‘interested parties’; ISO 22301 helps build confidence in supply chain resilience; Customers see ISO 22301 as a reliable indicator of Business Continuity capability; ISO 22301 reduces customer due diligence and audit requirements; We have won business as a result of holding ISO 22301 certification; ISO 22301 has generated opportunities for improvement in the BCM programme; ISO 22301 has helped engagement with and buy-in from Top Management; ISO 22301 has led to reduced levels of disruption/faster recovery since its…; ISO 22301 has raised the profile of Business Continuity and the BCM team in our…]
The results are positive in that on most criteria the Strongly Agree/Agree scores are much higher than the equivalent disagreement scores. There is clearly a ‘wait and see’ approach to some of the expected benefits, with Neither Agree/Disagree scoring highly on ‘business won’, ‘top management engagement’ and ‘reduced disruption/faster recovery’. As these are some of the most claimed benefits from BCM as a whole, it might simply be that the use of a BCMS has not yet sufficiently demonstrated the benefits above compared to those already in place with a conventional BCM approach.
Issues perceived with ISO 22301
For each of the statements below, please state how strongly you agree or disagree based on your experience.
[Chart: responses (Strongly agree / Agree / Neither agree nor disagree / Disagree / Strongly disagree / Don't know) to the statements: ISO 22301 tells me *how* to do Business Continuity Management; ISO 22301 tells me *what* I need to consider in a Business Continuity Management programme; ISO 22301 imposes requirements on my BCM programme that I do not think are appropriate for our organization; ISO 22301 requirements and terminology are confusing and difficult to interpret for my organization]
This question demonstrated some confusion among many respondents about the purpose of a BCMS as opposed to Business Continuity as an overall discipline. Surprisingly large numbers agreed that ISO 22301 tells them ‘how to do BCM’, which is fundamentally not the real purpose of a management system. However, even more agreed that it told them ‘what needs to be considered’, a much more reasonable claim. The main negative findings were that it is felt to be inappropriate to many organizations and that terminology is confusing. Some telling comments are shown below:
ISO 22301 is not a corporate standard, so we cannot use it
It is an evolution of the prior standard and provides few extra perspectives
It is an over complicated process that can be explained much easier
It has different definitions to other ISO standards, this causes confusion
It requires way too much administration and record keeping
Our organization does not use BIA’s, so any references to them is superfluous
The management system is often confused with a BCM programme in the minds of colleagues
The problem with ISO 22301 is that one can comply with it completely and still have plans that are useless in terms of real response
The book (documented standard) is not great, I would have expected more information
On reflection, management have decided not to evaluate ISO 22301
It is important to realise that having a standard is not enough to measure the quality (effectiveness) of a plan
Our BCM programme is quite mature and we have aligned it with BS 25999
The BCI’s Good Practice Guidelines 2013, is the best framework for ‘how to do BCM’
ISO 22301 has changed some of the BS 25999 terms – our organization finds this hard
Terminology does not work for us, particularly defining Risk within BIA process
We are certified to ISO 27000, and that covers BCM as far as we are concerned
Undertaking ISO 22301 gap analysis
Survey respondents were asked to discuss the differences they found between their normal method of undertaking BCM and that required by ISO 22301 when they undertook a gap analysis. This was an open ended question and a very wide range of views were expressed. Reflecting on the responses, it seemed there was a significant difference between those who were experienced in management systems (particularly BS 25999-2) and those who were implementing ISO 22301 without a management systems background. It is also interesting that a number of respondents had not undertaken, or seen any need for, a gap analysis. For those who had prior BCMS experience some typical responses include:
No major difference
The only difference is in certain terms and definitions
Very little difference, only now need to show what plans are needed at even lower risk levels
More formal documentation needed, but no real gaps
Minor terminology, implementation cycle, some wording changes
Improved management reporting needed and more senior management engagement
Documentation requirements have become more stringent
Supplier Management was the main gap
The need to more formally align BCM with our business objectives
MTPD and MAO only defined in Glossary, not standard
Stakeholders changed to interested parties
More bureaucracy
The BC framework is different
More focus on governance, policy, objectives, business support
For those who had no prior BCMS experience some typical responses include:
We found it asked for the ‘moon and stars’ without taking a common sense approach
The quality of the auditors need to be improved, they do not understand BCM
Our company BCM programme is more developed anyway
We had weak controls and poor documentation
We need greater involvement from senior management
Our previous plan was too localised, now we are more structured
It mandates a more comprehensive approach
Evidence of competence needed including education of employees in BCM
We are closely aligned with BCI professional practices and had few real differences
Better performance monitoring required
We need to better align RTOs and RPOs
Our ERM risk assessment process does not agree with the standard
Better communication needed and improved record keeping
Better definition of context and the role of leadership
Organization needs to think of BCM as a system
Need for a cultural change needed for it to work effectively
How have costs to implement and maintain been justified?
In an open ended question, we received 209 responses, as the question would only be relevant to those who had at least aligned to ISO 22301. The answers showed no specific trends, with a number of respondents simply answering ‘they haven’t’ or ‘not justified’. In fact, of the 209 responses considered, 83 explicitly said no formal attempt at justification had been made. For those who identified justifications, some were based on the regulatory need. Examples of such answers include:
Regulatory requirement as public category two responder
Legislative requirement so it has to be funded
Costs are part of normal regulated business
Compliance costs
Costs are not considered an issue
Contractual and regulatory demands
Clients mandate ISO 27001 and we have added ISO 22301
Need to meet BCM statutory duties
Beyond this, most of the claimed justifications were actually along the rationale of insurance – “the risk of not doing it is greater than the cost of doing it” – or the strategic business case. Examples include:
We wanted to be the first firm in our sector certified against ISO 22301
As a marketing opportunity
Competitors are doing it
Good for reputation
Competitive edge risk on tenders
Customer service demands
As a product differentiator
Key client has made certification a requirement
Certification reassures clients
However, many accept that this is more an ‘act of faith’ than a financially justified investment such as might be made for a capital investment project. Examples of this include:
There is no ROI on certifying through ISO 22301
No capital costs so we include in normal operating budget
We just treat it like everything else in the budget
Costs are just kept to a minimum
BCM is supported in words, but not in budgets
This type of response does show why BCM expenditure can come under threat when finances are tight and that the commitment made to BCM is still tentative in many organizations. The benefits of having a certified BCMS, as opposed to just undertaking effective BCM, are demonstrated by the fact that many organizations are seeing it as a strategic decision, not just an operational necessity.
Other main issues
Standard Portability
In response to a question about areas of the organization where it is difficult to extend the BCMS, there seemed to be a widespread view that in general ISO 22301 is applicable very widely. Few felt there were any areas in their companies where ISO 22301 would not be suitable, although it might be subject to limited funding, so priorities would be selected. The main issue raised in this section was the need to get outsourced operations to comply with the same level of BCM as the in-house activities. Answers such as outsourcers, supply chain, third parties and key suppliers are the only real area of concern. In the financial world, traders and front office activities were seen as appropriate for ISO 22301 but more difficult to implement because of the different operating cultures.
Standard Performance Metrics
The survey tried to identify the most popular means of measuring the performance of the BCMS against its objectives. Again the range of answers indicated that no single method dominated. Some organizations had identified specific metrics which usually formed part of the overall Risk Management process. These metrics were reported to management on a predetermined scheduled basis. Others used the results of tests, internal BCM audits and BCM methods (like Business Impact Analysis) or general management techniques like SWOT to provide some oversight. Key Performance Indicators had been designed by some respondents to define what was expected from the various aspects of the BCMS, and in some cases RAG performance monitoring had been established. The overall conclusion was that, to date, the means of judging the efficacy of a BCMS is still some way from maturity. It is accepted that for those aiming at certification, the formal audit does provide proof of compliance, but the general feeling is that other metrics are needed to prove that the programme itself will work when called upon.
ISO 22301 Improvements
A final question was asked to determine views on how the standard could be improved. This question was asked without restricting it to those who were experienced in formal Management Systems, so some of the suggestions would not fit into the basic requirements of an ISO system. Some of the most informative suggestions included:
Developing a code of practice to support the implementation
Adding metrics and indicators
Include a specific maturity assessment
Closer integration with other ISO standards
Write it in plain English
Having separate versions for SME businesses
Need a better flow with lifecycle like BS 25999
© The BCI 2013