In business, risks arrive from every angle at any given time: the risk of customer dissatisfaction; the risk of penalties or closure arising from non-compliance with prevailing rules and regulations; the risks of attrition, cyber-attacks, fraud and repudiation; and the reputational risk of a smear campaign against the company's image and its people. These are but a few. When a detailed assessment is performed, every process owner realises that managing a process is not just a matter of understanding its inputs and outputs. The perspective has to widen to cover the process's dependencies, not only for the sake of compliance and effectiveness, but for its protection from the risks that threaten business continuity.
The challenge for a company is to understand the environment in which it operates, identify the prevailing threats to its priority processes, determine their impact on the business, and put in place business contingency plans and recovery strategies to mitigate those risks.
As systems evolved, managing processes became more than documenting procedures: we began to look beyond effectiveness at resources and their conservation, that is, at efficiency. Managing processes also became more than writing a plan for what we would normally do to meet customer and regulatory requirements: we began to look closely at process dependencies and to evaluate the risk of failure in any of them.
As markets widen, technology keeps improving, and convenience becomes a top concern in managing processes, risk increases across every transaction. Managing risk used to be a specialist function; nowadays every process owner is expected to be aware of business risks and to initiate and institute controls in their processes beyond the basic requirements.
We have seen CHANGE become the norm in our everyday concerns. Measured against the upcoming standards, ISO 9001 remains useful, but it is only a basic component of managing systems from the core and support operation perspectives. The prevailing question is a resounding "Is ISO 9001 a sufficient answer to all business concerns?" We all know that the answer is NO: it provides a good anchor for business success, but it is not all-encompassing and does not cover every aspect of managing the risks that may befall a company. We saw the focus shift from managing compliance with set clauses and their requirements towards managing through a process-based approach. We now face the need to address change as the basic driver of an organisation's sustained success, and here the ISO 9004 framework proved a good source of insight for a strategy that extends our processes beyond the customer requirement. Over the years we have seen process management extended to cover environmental management systems, health and safety management systems, and information security management systems, adopted as core standards to address legal compliance, employee protection and the protection of information assets respectively.
At this juncture, companies are bracing themselves for bigger risks. The climate has been marked by disasters brought about by climate change, and the need to conserve natural resources and reduce our carbon footprint has become a priority for companies that want to contribute to business continuity. Technological convenience, and the risks it brings, also intensifies image and reputational risk, because information now spreads quickly across the many media and channels available.
Managing change is managing business risk in the service of business continuity. We now see direction from the international standards bodies addressing these needs. Among the upcoming standards are the following:
A new standard, released in March 2011, is ISO/IEC 27031:2011, which sets out the security techniques for information and communications technology (ICT) readiness for business continuity. Its scope encompasses all events and incidents (not just information security related ones) that could have an impact on ICT infrastructure and systems. It therefore extends the established practices of information security incident handling and management into ICT readiness planning and services.
The standard adopts the cyclical PDCA (Plan-Do-Check-Act) approach familiar from ISO 9000, extending the conventional business continuity planning process to take greater account of ICT, so that the organisation's ICT is prepared for unforeseeable events that could change the risk environment and affect both ICT and business continuity. It incorporates "failure scenario assessment methods" such as FMEA (Failure Modes and Effects Analysis), with a focus on identifying the "triggering events" that could precipitate serious incidents. It also aligns the resources devoted to business continuity, disaster recovery, emergency response, and ICT security incident response and management. A companion ISO/IEC standard on ICT disaster recovery has already been released as ISO/IEC 24762:2008.
ISO/TC 223 is working on other business continuity standards, including ISO 22301: Societal security – Business continuity management system, which builds on the initial success of BS 25999. The leading business continuity standard, BS 25999-2, is expected to be replaced by the international standard ISO 22301 by the end of 2011.
The coverage of ISO 22301 is similar to that of BS 25999-2: business continuity policy, business impact analysis, risk assessment, business continuity strategy, business continuity plans, exercising and testing, and so on, all aimed at raising the company's resilience and credibility. The importance of this standard is growing fast, in step with the business need to act on the risks that abound.
As the old mantra goes, an ounce of prevention is worth a pound of cure. While the typical process owner still struggles with the difference between a Correction and a Corrective Action when addressing day-to-day business concerns, managing business continuity requires a further shift in emphasis, from Corrective Action to Preventive Action. Preventive action should be a primary focus of business today, alongside a sound business impact analysis and programmes to manage the identified risks.