ISO 22331, Guidance for Business Continuity Strategy

Posted: February 21, 2017 at 10:09 am, Last Updated: April 24, 2017 at 1:16 pm

George B. Huff, Esquire
The Continuity Project, LLC

This note describes the value to executives and business continuity professionals of an emerging ISO technical specification for business continuity management (BCM).[1] ISO 22331 (Security and resilience – Business continuity management systems – Guidance for business continuity strategy) is scheduled for publication in 2018. The emerging ISO 22331 is consistent with the requirements of ISO 22301, the international Business Continuity Management Systems (BCMS) standard.[2] ISO 22331 is being designed to guide the organization’s business continuity (BC) strategy determination and selection effort as a part of the operation of its BCM system or BCM program.[3]

The rationale for the new guidance is to remedy a recurring problem within the organization’s operation of the lifecycle of the BCM systems or BCM programs—namely, that organizations often jump from the business impact analysis (BIA) and risk assessment to writing plans, overlooking the process of evaluating the range of options available to them to address management-approved business continuity requirements. This lapse may omit elements of BC strategy formation, including determination and selection, as well as protection and mitigation of risk, that are vital to the organization’s tactical recovery within a predetermined timeframe.

The Art of War

A discussion of business tactics and strategies may evoke an analogy to military plans and operations. Sun Tzu’s The Art of War remains a compulsory text in major military schools around the world and its influence on twentieth-century military thinking is undisputed.[4] Also in recent years, the use of military strategies in business and management contexts is increasing.[5] Written over two thousand four hundred years ago, The Art of War captures the attention of business leaders today, providing what is seen by many as a fundamental guide for the management of people, places, and things.[6]

The clear tone of Sun Tzu’s 13 chapters is direct and aggressive, and—moving beyond a mere mortal-combat interpretation—one with powerful underlying implications for tactical operations and management strategy.[7] But The Art of War is arranged for the military leader and not the CEO; making connections between ancient warfare and today’s corporate world is not always easy.[8] So, what is the point for business continuity?

The ancient Chinese general’s lesson learned, below, translates well over the centuries and captures what is basic to the success of modern, risk-based management systems, namely the critical relationship of unseen strategies (i.e., policies and plans) and highly visible tactics (i.e., methods, procedures, and implementation).

All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.

The Art of War, Chapter VI Weaknesses and Strengths

To invoke Sun Tzu, a strategy without implementing procedures is the slowest way to do things— the organization will flail around but eventually will find a way to get there. But tactics without a strategy are doomed to failure. So, the point is that the emerging ISO 22331 guidance offers an unusual opportunity to apply an ancient lesson on the relationship of strategy and tactics to the proper operation of a modern management system. ISO 22331 provides executives and BC professionals with proper emphasis on risk-based, resourced BC strategies that enable their organizations to implement BC procedures that link to BC objectives, policies, and requirements.

BC procedures are the most visible, tactical manifestations of an organization’s effective management of a disruptive event, including the continuity of activities based on the recovery objectives identified in the organization’s BIA. The BC strategy, however, is an output of the BIA and risk assessment processes, such as protecting their prioritized activities that organizations necessarily keep unseen.

Also, while ISO 22313 provides “how to” guidance on implementing the requirements in ISO 22301, it does not provide methodology details or options regarding the performance of recurring business continuity strategy processes.[9] Since determining, selecting, and improving BC strategy may prove to be a difficult task, ISO 22331 provides pragmatic, detailed guidance on various methods to execute successfully BC strategy determination and selection.

George B. Huff Jr., Esquire, MBCI, ISO 22301 Lead Auditor, is the Founder and Director of Consulting of The Continuity Project, LLC, <www.thecontinuityprojec.com> and an ANSI-U.S. Delegate to the U.S. Technical Advisory Group to ISO Technical Committee 292, Security and Resilience.

References

[1] The Switzerland-based International Organization for Standardization (English acronym is ISO) develops management systems standards for a number of global certifications.

[2] ISO 22301:2012, Business continuity management systems – Requirements specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented business continuity management system within an organization.  Like all other ISO management systems, ISO 22301 is the product of consensus decision-making by delegates from many countries working together over a period of years, so it’s safe to say the international BCM systems standard summarizes the best practices applicable to any organization, regardless of location, purpose or size.

[3] Working Group 2 of ISO Technical Committee 292, Security and Resilience, is responsible for the development of ISO 22331. More than 50 countries and several liaisons are represented on ISO Technical Committee 292.  See http://www.isotc292online.org/. The national standards bodies of ISO member countries approve delegates who are subject matter experts from business, academia, and government that serve on their country’s advisory groups to the technical committee.

[4] S.L Lee, P. Roberts, W.S. Lau, & S.K. Bhattacharyya, “Sun Tzu’s the Art of War as Business and Management Strategies for World Class Business Excellence Evaluation under QFD Methodology,” Business Process Management Journal 4, no. 2 (1998): 96-113, http://www.emeraldinsight.com/doi/full/10.1108/14637159810212299.

[5] Id.

[6] Isidora Stefanovic, “The Art of War and Business Strategy,” Sammpress, November 15, 2016, http://www.sammpress.com/2016/11/the-art-of-war-and-business-strategy/.

[7] Id.

[8] Mark R. McNeilly, Sun Tzu and the Art of Business, (Oxford; Oxford University Press, 1998).

[9] ISO 22313: 2012, Societal security – Business Continuity management systems – Guidance is the companion guidance standard to ISO 22301 BCMS Requirements.

Write to the Editors at ciprpt@gmu.edu