Monday, 22 October 2012

Use ISO 22301 to Help Develop Your Risk Management System

ISO 22301:2012, “Societal security – Business continuity management systems – Requirements,” is one of the first ISO management system standards to follow the generic management system (MS) format presented in ISO Guide 83.
This post is one in a series that will focus on ISO 22301, also referred to as a Business Continuity Management System (BCMS).  For those of you who are contemplating either an upgrade of your existing EHS or security management systems, or are considering the development of a risk management system that is tailored to ISO 31000, you might want to consider using ISO 22301 as your guide and template.  This could provide a win-win for you and your organization.  It is valuable to see how 22301 addresses risk assessment.  This management system cornerstone is now addressed following the Guide 83 framework.  Section 8, titled “Operation”, contains the following sub-elements.
8.1  Operational planning and control
8.2  Business impact analysis and risk assessment
8.2.1  General
8.2.2  Business impact analysis
8.2.3  Risk assessment
8.3  Business continuity strategy
8.3.1  Determination and selection
8.3.2  Establishing resource requirements
8.3.3  Protection and mitigation
8.4  Establish and implement business continuity procedures
8.4.1  General
8.4.2  Incident response structure
8.4.3  Warning and communication
8.4.4  Business continuity plans
8.4.5  Recovery
8.5  Exercising and testing
There are obviously many important and juicy items in this section.  Let's drill down a bit on 8.2.3 – Risk assessment.  Those of you familiar with ISO 14001 and OHSAS 18001 will see that 22301 incorporates pieces of ISO 31000 (risk management) and states that “this process [risk assessment] can be made in accordance with ISO 31000.”  8.2.3 states that “the organization shall establish, implement and maintain a formal risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.”  This BCMS continues with requirements to: prioritize the risks; systematically analyze them; evaluate which disruption-related risks require treatment; and identify treatments commensurate with the BC objectives in accordance with the organization’s risk appetite.
This piece of 22301 (§8.2.3) does a nice job of succinctly summarizing several key concepts from ISO 31000.
For those of you looking to develop and implement a risk management system, ISO 22301 provides a way to do it.  Yes, 22301 is a BCMS, but if you think about it, in many ways, risk management and business continuity management can be thought of interchangeably.  Even if you don’t use it in this way, it provides a simple way to address and beef up your risk management activities.  If this is an area you would like to discuss or would like support,