Why Documentation Is So Much More Than Just Documents

Part of Avalution’s Conforming to ISO 22301 Series

This perspective takes a look at ISO 22301’s requirement for documentation, which includes documented processes and procedures, as well as evidence of business continuity planning execution.  The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the spring of 2013).

ISO 22301 is the first standard to employ the new ISO format for management systems standards, which involves a considerable amount of “templatized” management system content across ten clauses. Because this format, language, and many of the requirements are new to most business continuity professionals, it’s important to review and consider the intent associated with some of the content and concepts.

This perspective is the third in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.

Today we’re going to take a look at the standard’s requirement for documentation, which includes documented processes and procedures, as well as evidence of business continuity planning execution.  The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the spring of 2013).

Introduction
While all business continuity standards require documented analysis and plans, ISO 22301 requires that organizations document procedures (to drive repeatable performance) and outcomes of the planning process (to serve as evidence).  While this effort is necessary if an organization chooses to seek certification, there are several benefits organizations can achieve just by conforming to the ISO 22301 standard.  Documented planning processes are often more thorough and enable repeatability.  Documentation also increases awareness among those called upon to participate in business continuity planning.  In addition, documenting outcomes and obtaining management approval helps ensure organizations perform program activities in a manner consistent with expectations and that management is aware of and approves the outcomes.

ISO 22301 Documentation Requirements
As the standard requires evidence and procedures throughout, we’ve compiled a list of the instances where ISO 22301 specifically calls out a requirement for evidence, approval, or documented procedures.  This list is meant to be a high-level reference-able summary; however, be sure to refer to the standard for additional details, particularly if preparing for certification:

Again, while some of these items are common across all management systems or business continuity standards, some documentation requirements are unique to this standard.  The remaining sections of this article highlight some of these unique requirements, as well as the benefits gained from each.

Risk Appetite
While all business continuity standards require documented business impact analyses and plans, ISO 22301 is the first to require a documented risk appetite.  With this requirement, the standard requires an organization to define unacceptable loss before identifying business continuity strategies.  Analyzing and formally documenting risk appetite pushes leadership to understand possible impacts associated with disruptive incidents, such as financial loss, reputational impairment, market share loss, and more.  Such clarity then enables the organization to focus the planning effort, and define more accurate triggers and escalation criteria.  Defining risk appetite also helps organizations justify when investment in strategies is necessary (i.e. if loss scenarios are unacceptable otherwise).

Legal and Regulatory Requirements
ISO 22301 also requires that organizations “maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties”.  By requiring that organizations document the process by which they identify and assess legal requirements, it makes it more likely the organization will fully vet its requirements and obligations, as well as periodically reassess how requirements may grow or change over time.

Exclusions
In 4.3.2, ISO 22301 requires organizations to not only define their scope, but that they also document any exclusions to the program scope and justify why these business activities and resources are not required to be part of the program efforts.  Documenting and justifying exclusions drives an organization to fully vet the scope and truly justify why key elements of the organization should not be ignored during the planning effort (or why certain elements may be (at least temporarily) excluded).

Communication
While effective communications has long been a part of business continuity standards, ISO 22301 requires procedures on how the organization will ensure effective, accurate communications with internal and external interested parties.  Specifically, in 8.4.3, ISO 22301 includes content requiring procedures on how an organization will become aware of and monitor incidents, ensure two-way communications with its stakeholders, integrate and respond to national or regional risk advisory systems, and enable communications with emergency responders.  The standard also requires procedures around documenting incident information, assuring interoperability with responding partners, and identifying and communicating with interested parties.  By requiring that organizations document incoming sources of information, such as local triggers, it calls on organizations to define the process by which they’ll monitor alerts and communicate this information; the same is true for documenting the process to ensure interoperability – ISO 22301 requires organizations to think through the process and ensure effectiveness.

Performance Evaluation
ISO 22301 requires procedures for monitoring program performance, calling on organizations to:

  • Set performance metrics that align to organization need;
  • Ensure the organization meets its defined policy, objectives, and targets;
  • Monitor and validate compliance with program and standard requirements;
  • Track program deficiencies; and
  • Capture outcomes that require and should result in corrective actions.

By requiring that organizations define how they’ll evaluate program and business continuity solutions performance, management becomes better aware of alignment (or misalignment) between actual practices and expectations, which increase the likelihood that the organization will appropriately identify, document, and take action on program issues.

Management Reviews
ISO 22301 also requires periodic, documented management reviews and management input regarding program performance.  This requirement calls on management to dedicate time to understand the program, its outcomes, and its deficiencies, and identify or approve potential strategies to address continual improvement opportunities.  ISO 22301 outlines specific topics to be addressed in management reviews, which helps ensure management is given the information necessary to understand risks and take appropriate action.

A Little Work Goes a Long Way
While it may seem that formal procedures to define program expectations, ensure execution, and monitor performance creates extra work, documenting the process by which your organization will perform its activities and requiring management approval helps focus the planning effort and ensure alignment between business strategies and business continuity planning.  Documentation also drives long-term oriented continual improvement.  Business continuity software can be a great way to automatically track and automate the completion and approval processes, so consider such tools when designing an effective program maintenance model for your organization.

Continue to visit our business continuity and IT disaster recovery blog for more posts in Avalution’s Conforming to ISO 22301 series.

For an example of a business continuity software that can help streamline the documentation and evidence process, be sure to check out Catalyst.

In the meantime, don’t hesitate to reach out to us to discuss aligning to the standard or pursuing certification. We look forward to hearing from you!

Additional Resources:
Implementing ISO 22301: The Business Continuity Management Systems Standard

_______________________

Stacy Gardner
Avalution Consulting: Business Continuity Consulting


Leave a Reply