‘ISO 22330 Security and resilience - Business continuity management systems - Guidelines for people aspects on business continuity’ is a new technical specification being developed by ISO. In this article Lynne Donaldson, project lead for ISO 22330, provides some background to why people aspects are being addressed in this specific business continuity guidance.
Nobody said managing people was easy! Organizations face an ongoing challenge to execute plans that deliver desired outcomes over the long term, regardless of their size or mission. The ability of an organization to lead, motivate, develop and engage its people holds the key to how well this is achieved.
Add to the mix the impacts of a disruptive event on operations: from cyber-attack or loss of infrastructure, to natural disaster or act of terrorism, why should the delivery of business continuity be any different?
A people focused project
People are the common factor in business continuity. Whatever the event, people will be affected, whether it is those adversely impacted, identified critical staff or the wider organization and community. In every case, their cooperation, competency and engagement are vital to the successful implementation of business continuity plans.
In early 2016, ISO (International Standards Organization) approved a project for a technical specification (TS) that will provide guidance for the people aspects of business continuity, supporting business continuity ISO standards 22301 and 22313 with practical, people focused guidelines.
Recognising the complexities
The way I see it, if it’s about people, it’s also about relationships. In business continuity it’s the relationship an organization has with those to whom it has a responsibility and those on whom it depends for response and recovery. This is very much a two-way street.
- The organization needs its people to respond as planned, get behind delivery of recovery strategies and carry on running the rest of the business.
- On the other hand, people expect a host of things from their organization according to how they are affected: from care and concern to information and dialogue through to direction and leadership.
- The relationships are interlinked: the response of one can impact the perceptions and reactions of the other.
- The needs and expectations of all parties are dynamic as a situation unfolds.
- The actions of the actors involved (people) are unpredictable by nature.
There is a lot riding on how well an organization delivers its duty of care responsibilities and the assumptions it makes about how people will react to a business continuity event.
What does the project propose to deliver?
The TS is an opportunity to support business continuity through combining good business continuity practices with the relevant good people management practices. As set out in the project proposal, it is not a definitive guide to managing an incident but a review of the people issues which need to be considered and the possible strategies for improving these aspects of the overall response.
What does an organization need to deliver to fulfil its duty of care and responsibilities to people? What is current good practice in these areas?
How does the way an organization approaches business continuity from planning to execution make a difference to its success? How can it deliver the desired outcomes in response, recovery and restoration?
We have the benefit of work already done in this area through BSI document PD25111, a recognised starting point for the TS.
Progress and involvement
The team formed in April and is now actively involved in the drafting process. It has the benefit of good representation internationally and cross-functionally, involvement extending beyond the business continuity community to bring a wide range of people perspectives to the project.
If you have a specific interest or viewpoint you would like to share with the project team, please contact me at email@example.com. Or why not share this with your HR Director and invite them to get involved?
I will be providing a project update at BCI World in November; if you are attending why not come and find out more. Or you can track progress via the ISO public project website: http://www.isotc292online.org/projects/iso-22330/