nd annual the adoption of iso 22301 - lrqa · more comparable with iso 27001 ... the adoption of...

2nd Annual Survey

The Adoption of ISO 22301 Published October 2013

The Adoption of ISO22031

2

Introduction The Business Continuity Institute (BCI) undertook a survey of its members and the wider Business Continuity in 2012, immediately following the publication of the Business Continuity standard ISO 22301. This study looked at three basic questions:

What does the current landscape look like with respect to the adoption of BCM standards?

How is ISO 22301 likely to be received by the BCM community?

What are going to be the benefits and difficulties in adopting ISO 22301?

The results of the 2012 survey were published in two parts, the first one in the summer and the second at the BCM World Conference in November. Given that by November more evidence was available about the practicalities of implementing the standard, some additional issues were addressed in the subsequent report. These focused primarily on:

Who is involved in the decision making process and the development of a business case for adoption.

What transition issues were perceived to be challenging in moving from the earlier British Standard BS 25999.

The reasons that are given for not following ISO 22301.

It was felt it would be useful that one year after the initial study the BCI recirculate the survey to its members and supporters to see how these views had changed based upon real experience, rather than expectation. This report is being published to coincide with a Paper presented by LRQA™ at the BCM World Conference in November 2013.

About the survey The field work for this survey took place during September 2013. All BCI members were contacted and provided with the survey link. The survey was also promoted on the BCI main website (public access) and the Continuity Central™ website. The survey attracted 417 respondents which was 32% lower than the 613 who replied in 2012. This is probably not unexpected as the 2012 survey was launched amid much global publicity and promotion of the standard itself. It is still considered that the respondent numbers are encouraging, and suggest an ongoing interest in the topic. Like with 2012, respondents came from an international audience with 61 countries represented and were non‐sector specific with 15 industry sectors represented.


3

Key findings

We learned the following from the survey:

The interest in the standard remains high, with medium sized firms in predominantly Business to Business markets particularly involved. Regulated firms are much more likely than non‐regulated firms to adopt the standard

The intent to align to the standard rather than fully comply or certify remains the dominant intention. However in each of the three categories – Align, Comply, Certify – the intent to move ahead in the next 12 months is much greater than it was in 2012

The formal certification community is still fighting a difficult battle as over 60% of respondents prefer to use an in‐house approach to BCM

The claimed benefits of a Business Continuity Management System (BCMS ) are still not proven but the majority of respondents felt it helps with cooperation, communication and building confidence, both internally and externally

There is a strong level of support for the idea that ISO 22301 explains what needs to be done, although not necessarily how to do it

Those who have previously used BS 25999 find the transition to ISO 22301 far easier than those who are not experienced in using any formal BCMS

Few organizations have provided specific funds for ISO 22301 implementation and the availability of any additional BCM budget seems fairly widespread

Generally it was felt that ISO 22301 was a good standard with applicability to all parts of an organization. A better method of measuring its effectiveness needed developing to help get better business buy‐in

Conclusions

Generally it was felt that ISO 22301 was a good standard with applicability to all parts of an organization. A more consistent method of justifying expenditure on a Business Continuity Management System and ways of measuring its effectiveness (rather than just compliance) was needed to help get better business buy‐in.


4

Respondent company profile Sector The survey provided an interesting insight into the types of companies that are interested in this topic. Firstly looking at sector, 60% of all respondents came from Financial Services (25%), Professional Services (22%) and ICT (13%). This suggests that BCM is still strongest in areas when the product/service is essentially information (virtual) rather than physical. This would make it more comparable with ISO 27001 (Information Security) rather than ISO 9001 (Quality), which is more adopted in manufacturing, logistics and delivery of physical products. Size The sizes of company varied widely with the median sized company being 1000‐5000 employees (24% of respondents). Interestingly small companies below 50 employees made up the second largest block at 13.7%. A significant number of respondents in this category came from consultancies and organizations involved with either BCM or Standards as part of their commercial activities, and therefore are not necessarily typical of the general SME sector. Only 6% of respondents were from large companies with more than 100,000 employees.

Market Respondents were asked if they were in Business to Business (B2B), Business to Consumer (B2C) or public services (free at the point of delivery) markets. Multiple selections were permitted. B2B topped the list at 62.1%, followed by B2C at 47.5% and public sector at 14.8%. This seems to reflect the influence the ultimate customer has on organizations. In the B2B market‐place clients are likely to be informed and focused on supplier performance. In the B2C market this is less the case Regulation It is often claimed that regulated firms are more interested in standards than non‐regulated ones of similar size. Our respondent analysis seems to support this. 56.8% of respondents said their business was subject to some form of BCM regulation. A further 30.6% said that although BCM was not included they were subject to a regulatory framework. Only 17% of all respondents worked for a totally non‐regulated organization. Multiple selections were permitted. The ‘stick’ of regulation still seems much stronger than the ‘carrot’ of business benefit.


5

We comply with an existingstandard

We are certified against an existingstandard

We have developed an in-houseapproach which aligns with one ormore standards

We have developed an in-houseapproach and do not seek to align,comply or certify with standards

Don't know

Organizational approach to standards Which of the following statements best describes your current organization's approach to BCM standards? The result to this question can be viewed in both optimistic and pessimistic ways. It is good that most respondents are interested in some form of connection with existing standards and that those who reject them entirely only total 8.6%. It is concerning however that most respondents (62%) use an in‐house approach. In this situation what is meant by aligning with one or more standards seems to be rather vague and sometimes might not differ very much from those who claim an in‐house approach without reference to standards. The strongest support for standards (compliance and certification) is just under 30%, which is quite a strong showing after the relatively short time that ISO 22301 has been available. Comments include:

A major business unit is certified against ISO 22301, not the whole organization

BCM is handled as a component

of ERM in our business

In process of aligning with ISO 22301

We are certified against ISO 27001 and ISO 9001

I have been tasked to align with the Standard but not to seek certification

Following BS 25999 standards but not fully comply with it

We were certified to BS 25999 and successfully transitioned certification/ passed the ISO 22301 audit

We advise on BCM for other companies

Compliance to an existing standard is selectively done for select locations

Our certification has changed

from BS 25999 to ISO 22301

We were aligned with BS 25999

– we are shifting to ISO 23001

Not sure if we will seek to comply, but it is a possibility

We have aligned our in‐house BCM approach modelled

on BS25999 and now adjusting to ISO22301


6

0

50

100

150

200

250

300

350

Align with ISO 22301Certify to ISO 22301Comply with ISO 22301

In next 12months12-18 months

18-24 months

24-36 months

Alignment, compliance or certification Which of the following actions is your organization likely to take and when? This question was first asked in 2012. There now appears to be some polarization between responses this year. On the plus side, many more intend to take positive action in the next 12 months than in the previous survey. Align scores 48% (22% in 2012), Comply scores 23% (8% in 2012) and Certification scores 11% (5% in 2012). Don’t knows (not shown in chart but 42, 65, 52 respectively are included in the calculation. It also looks as if more have decided not to do any of these things. The answer to “we will not do this” scores Align 10.3% (7% in 2012), Comply 22.8% (19% in 2012) and Certify 38.5% (28% in 2012). On consideration this is again not unexpected. In 2012, little was known about the new standard so definite judgment about adoption or not was inevitably vague. As opinion has firmed up some of those who were concerned now seen positive benefits of (at least) aligning and so many more are planning to do so over the next 12 months. The figures also suggest that we will see a good increase in the number of organizations both complying and certifying in 2014. The significant increase in those planning to assign does suggest that ISO 22301 is getting wide‐spread acceptance as the definitive standard to use if you are intending to implement a BCMS. Some organizations that already have their own BCM embedded in their business will not wish to implement a formal BCMS. They might support the principles of ISO 22301 but not necessarily the practical implementation. It is also true that in some countries, organizations may prefer their local BCM standards or regulatory guidelines to ISO 22301. This probably explains the responders who definitely will not embrace ISO 22301. Some interesting responses include:

We use the standards of the Dutch National Bank

We prefer to align to the BCI GPG 2013 We recommend our clients that they do use it

We use ISO 27001 and ISO 9001 FFIEC is what we follow

We won't do it personally, but our clients may wish their product to be certified

We are already aligned, do not want to get certified

All depends on client pressure

ISO 22301 will be treated as a partial input to our approach

We prefer NFPA 1600 Standard Alignment


7

ISO

223

01 s

uppo

rts

an in

crea

sed

unde

rsta

ndin

g an

d be

tter

resp

onse

to r

isk…

ISO

223

01 im

prov

es c

olla

bora

tion

and

co-

ordi

natio

n w

ith ‘i

nter

este

d pa

rtie

s’

ISO

223

01 h

elps

bui

ld c

onfid

ence

in s

uppl

ych

ain

resi

lienc

e

Cus

tom

ers

see

ISO

223

01 a

s a

relia

ble

indi

cato

r of

Bus

ines

s C

ontin

uity

cap

abili

ty

ISO

223

01 r

educ

es c

usto

mer

due

dili

genc

ean

d au

dit r

equi

rem

ents

We

have

won

bus

ines

s as

a r

esul

t of h

oldi

ngIS

O 2

2301

cer

tific

atio

n

ISO

223

01 h

as g

ener

ated

opp

ortu

nitie

s fo

rim

prov

emen

t in

the

BC

M p

rogr

amm

e

ISO

223

01 h

as h

elpe

d en

gage

men

t with

and

buy-

in fr

om T

op M

anag

emen

t

ISO

223

01 h

as le

d to

red

uced

leve

ls o

fdi

srup

tion/

fast

er r

ecov

ery

sinc

e its

…

ISO

223

01 h

as r

aise

d th

e pr

ofile

of B

usin

ess

Con

tinui

ty a

nd th

e B

CM

team

in o

ur…

StronglyAgree

Agree

Neither agreenor disagree

Disagree

Stronglydisagree

Don't know

Value of having ISO 22301 in place For each of the statements below, please state how strongly you agree or disagree based on your experience. The results are positive in that on most criteria the Strongly Agree/Agree scores are much higher than the equivalent disagreement scores. There is clearly a ‘wait and see’ approach to some of the expected benefits with high Neither Agree/Disagree scoring highly on ‘business won’, ‘top management engagement’ and ‘reduced disruption/faster recovery’. As these are some of the most claimed benefits from BCM as a whole, it might simply be that the use of a BCMS has not yet sufficiently demonstrated the benefits above compared to those already in place with a conventional BCM approach.


8

ISO 22301 tellsme *how* to do

BusinessContinuity

Management

ISO 22301 tellsme *what* I

need toconsider in a

BusinessContinuity

Managementprogramme

ISO 22301imposes

requirementson my BCM

programme thatI do not think

are appropiatefor our

organization

ISO 22301requirements

and terminologyare confusingand difficult to

interpret for myorganization

Strongly agree

Agree

Neither agree nor disagree

Disagree

Strongly disagree

Don't know

Issues perceived with ISO 22301 For each of the statements below, please state how strongly you agree or disagree based on your experience. This question demonstrated some confusion from many respondents about the purpose of a BCMS as opposed to Business Continuity as an overall discipline. Surprisingly large numbers agreed that ISO 22301 tells them ‘how to do BCM’, which is fundamentally not the real purpose of a management system. However, even more agreed that it told them ‘what needs to be considered’, a much more reasonable claim. The main negative findings were that it is felt to be inappropriate to many organizations and that terminology is confusing. Some telling comments are shown below:

ISO 22301 is not a corporate standard, so

we cannot use it

It is an evolution of the prior standard and provides few extra

perspectives

It is an over complicated process that can be

explained much easier

It has different definitions to other ISO standards, this causes

confusion

It requires way too much

administration and record keeping

Our organization does not use BIA’s, so any references to them is

superfluous

The management system is often confused with a BCM programme

in the minds of colleagues

The problem with ISO 22301 is that one can

comply with it completely and still have plans that are useless in terms of real response

The book (documented standard) is not great, I would have expected more information

On reflection, management have

decided not to evaluate ISO 22301

It is important to realise that having a standard is not enough to measure

the quality (effectiveness) of a plan

Our BCM programme is quite mature and we have aligned it with BS

25999

The BCI’s Good Practice Guidelines 2013, is the best framework for ‘how

to do BCM’

ISO 22301 has changed some of the BS 25999

terms – our organization finds this hard

Terminology does not work for us, particularly defining Risk within BIA

process

We are certified to ISO 27000, and that covers BCM as far as we are

concerned


9

Undertaking ISO 22301 gap analysis Survey respondents were asked to discuss the different they found between their normal method of undertaking BCM and that required by ISO 22301 when they undertook a GAP analysis. This was an open ended question and a very wide range of views were expressed. Reflecting on the responses it seemed there was a significant difference between those who were experienced in management systems (particularly BS 25999‐2) and those who were implementing ISO 22301 without a management systems background. It is also interesting that a number of respondents had not undertaken, or seen any need for, a GAP analysis. For those who had prior BCMS experience some typical responses include:

No major difference

The only difference is in certain terms and definitions

Very little difference, only now need to show what plans are needed at even lower risk levels

More formal documentation needed, but no real gaps

Minor terminology, implementation cycle, some wording changes

Improved management reporting needed and more senior management engagement

Documentation requirements have become more stringent

Supplier Management was the main gap

The need to more formally align BCM with our business objectives

MTPD and MAO only defined in Glossary, not standard

Stakeholders changed to interested parties

More bureaucracy

The BC framework is different

More focus on governance, policy, objectives, business support For those who had no prior BCMS experience some typical responses include:

We found it asked for the ‘moon and stars’ without taking a common sense approach

The quality of the auditors need to be improved, they do not understand BCM

Our company BCM programme is more developed anyway

We had weak controls and poor documentation

We need greater involvement from senior management

Our previous plan was too localised, now we are more structured

It mandates a more comprehensive approach

Evidence of competence needed including education of employees in BCM

We are closely aligned with BCI professional practices and had few real differences

Better performance monitoring required

We need to better align RTOs and RPOs

Our ERM risk assessment process does not agree with the standard

Better communication needed and improved record keeping

Better definition of context and the role of leadership

Organization needs to think of BCM as a system

Need for a cultural change needed for it to work effectively


10

How have costs to implement and maintain been justified In an open ended question, we received 209 responses as the question would only be relevant to those who had at least aligned to ISO 22301. The answers showed no specific trends with a number of respondents simply answering ‘they haven’t’ or ‘not justified’. In fact, of the 209 responses considered, 83 explicitly said no formal attempt at justification had been made. For those who identified justifications some were based on the regulatory need. Examples of such answers include:

Regulatory requirement as public category two responder

Legislative requirement so it has to be funded

Costs are part of normal regulated business

Compliance costs

Costs are not considered an issue

Contractual and regulatory demands

Clients mandate ISO 27001 and we have added ISO 22301

Need to meet BCM statutory duties Beyond this, most of the claimed justifications were actually along the rationale of insurance – “the risk of not doing it is greater than the cost of doing it” – or the strategic business case. Examples include:

We wanted to be the first firm in our sector certified against ISO 22301

As a marketing opportunity

Competitors are doing it

Good for reputation

Competitive edge risk on tenders

Customer service demands

As a product differentiator

Key client has made certification a requirement

Certification reassures clients However many accept that this is more an ‘act of faith’ than a financially justified investment such as might be made for a capital investment project. Examples of this include:

There is no ROI on certifying through ISO 22301

No capital costs so we include in normal operating budget

We just treat it like everything else in the budget

Costs are just kept to a minimum

BCM is supported in words, but not in budgets This type of response does show why BCM expenditure can come under threat when finances are tight and that the commitment made to BCM is still tentative in many organizations. The benefits of having a certified BCMS as opposed to just undertaking effective BCM is demonstrated by the fact that many organizations are seeing it as a strategic decision, not just an operational necessity.


11

Other main issues Standard Portability In response to a question about areas of the organization where it is difficult to extend the BCMS, there seemed to be a wide spread view that in general ISO 22301 is applicable very widely. Few felt there were any areas in their companies where ISO 22301 would not be suitable, although it might be subject to limited funding so priorities would be selected. The main issue raised in this section was the need to get outsourced operations to comply with the same level of BCM as the in‐house activities. Answers such as outsourcers, supply chain, third parties and key suppliers are the only real area of concern. In the financial world, traders and front office activities were seen as appropriate for ISO 22301 but more difficult to implement because of the different operating cultures. Standard Performance Metrics The survey tried to identify the most popular means of measuring the performance of the BCMS against its objectives. Again the range of answers indicated that no single method dominated. Some organizations had identified specific metrics which usually formed part of the overall Risk Management process. These metrics were reported to management on a predetermined scheduled basis. Others used the results of tests, internal BCM audits and BCM methods (like Business Impact Analysis) or general management techniques like SWOT to provide some oversight. Key Performance Indicators had been designed by some respondents to define what was expected from the various aspects of the BCMS and in some case RAG performance monitoring had been established. The overall conclusion was that, to date, the means of judging the efficacy of a BCMS is still some way from maturity. It is accepted that for those aiming at certification, the formal audit does provide proof of compliance but the general feeling is that other metrics are needed to prove that the programme itself will work when called upon. ISO 22301 Improvements A final question was asked to determine views on how the standard could be improved. This question was asked without restricting it to those who were experienced in formal Management Systems, so some of the suggestions would not fit into the basic requirements of an ISO system. Some of the most informative suggestions included:

Developing a code of practice to support the implementation

Adding metrics and indicators

Include a specific maturity assessment

Closer integration with other ISO standards

Write it in plain English

Having separate versions for SME businesses

Need a better flow with lifecycle like BS 25999

nd annual the adoption of iso 22301 - lrqa · more comparable with iso 27001 ... the adoption of...

Documents