Implementing ISO 22301: The Business Continuity Management System Standard
Plan Do Check Act (PDCA) – How It Applies to Business Continuity
The business continuity industry has heard a lot about Plan, Do, Check, Act (PDCA) recently. Nearly every emerging standard is following this approach, from BS 25999 and NFPA 1600 (2010 edition) to the new American business continuity standard being created by ASIS. However, there seems to be a lot of confusion about what PDCA is, and what it means for business continuity.
The PDCA model is the basic building block of a management system, focused on weaving management-level decision making into traditional program practices. The “traditional” business continuity program activities, like a business impact analysis and plan development, fall mostly into one of the categories (“do”) – see figure 1 – but the value of PDCA is that management input and feedback wraps around these activities, thus ensuring continuous improvement. The following sections break down the components of a PDCA approach to business continuity, with a focus on which activities will provide your organization’s program the most value.
The “plan” process establishes objectives, targets, controls, processes and procedures for the program to deliver results in accordance with an organization’s overall policies and objectives. Related to business continuity, this involves defining the business continuity management program, including identifying standards, creating a policy statement, appointing a program sponsor and steering committee, and establishing an initial program scope and risk tolerance.
One of the most important “plan” activities is for executive management to identify what they want to protect and recover with respect to their business continuity program. These are typically stated as “critical products and services”. Of note, phrasing the key objectives of the business continuity program as key organizational outputs helps to position the business continuity program in management’s language, thus gaining understanding, support, and involvement from management.
The “do” process implements and operates the business continuity policy, controls, processes and procedures. This includes a number of actions in order to understand, strategize, plan, and test the organization for business continuity events.
As mentioned earlier, the “do” process is where the common business continuity tasks are performed. The first step in “do” is to perform a business impact analysis, or BIA, as well as a risk assessment. The business impact analysis maps critical products and services to individual departments and activities, and seeks to identify recovery objectives for each. The purpose of the risk assessment is to describe the outcomes from disruptive events and the suitability of current-state controls to prevent the disruptive event from occurring, as well as control recommendations to align with the organization’s risk tolerance.
The second step is the identification of risk mitigation, response and recovery strategy options and, once selected, the implementation of these risk treatments. The third step of “do” involves developing plan documentation, which should be written in a way that enables repeatable response and recovery performance, regardless of the experience of the person leading the effort. The last step is organization-wide training and validation of strategies and plans through exercises, and the initiation of program maintenance activities.
The “check” process monitors and reviews performance against established management system objectives and policies and reports the results to management for review. The program should be subject to internal review to measure program performance against pre-defined policies and objectives. The results of said assessments should be presented to management via the established business continuity steering committee.
You may be thinking: my organization’s management will hardly meet to establish objectives, let alone meet to review them. If this is the case for your organization, implementing a management system is likely the exact solution that you need. Instead of merely presenting metrics based on BIA and plan reviews and maintenance, the “check” process allows the business continuity program to communicate program performance in a language that management understands. Presenting the organization’s continuity capability in terms of alignment to pre-defined organizational outputs (critical products and services) will help management understand how the program is performing in relation to what is important to them. This also helps them better recognize how key risks would actually impact the organization, allowing them to accept the risk or take action on the risk.
In short, the “check” process ensures that management is accountable for the program and the organization’s overall business continuity capability.
The “act” process maintains and improves the program by taking preventive and corrective actions, based on the results of management review and re-appraising the scope, business continuity policy, and objectives. This includes updating and maintaining the corrective actions / preventative actions (CAPA) list and a post-incident review process, as well as ensuring continuous improvement of the business continuity program in order to constantly align the business continuity program to management expectations.
SHOULD MY ORGANIZATION USE THE PDCA MODEL?
In many organizations, management system concepts are already incorporated into existing programs, such as quality management. Thus, it is likely that your executive management team is already familiar with management system concepts and understands its role in operating within a management system. Consequently, implementing a management system framework connects business continuity planning efforts to commonly understood and defined business objectives.
Business continuity efforts are enhanced with management system-oriented models that avoid professional jargon and focus on business outcomes. Putting the business continuity program into key organizational outputs is meant to focus on the objectives of management and to speak in the language of the organization. Because of this, the business continuity program is able to communicate real capability and output, rather than focusing on micro business continuity-specific projects.
WHAT ARE THE BENEFITS ASSOCIATED WITH THE PDCA MODEL?
There are many benefits to implementing a business continuity management system, many of which have already been described in this article. However, the benefits can be summarized into two key benefits: a business continuity management system compels management to be accountable to the outcome of the program, and provides an accepted approach for external validation.
The key to a successful business continuity management system is gaining and maintaining the interest and support of executive management. Guidelines on how to do this have been discussed throughout this article, but the main tip is to ensure the program speaks executive management’s language (key organizational outputs) and to communicate program performance and tasks in terms of alignment to the continuity capability of those organizational outputs. By communicating in this way, management understands the need for their continued interest in the program. Management will be presented with choices to accept or take action on risks that directly contribute to the success and continuity of key organizational outputs. A business continuity management system forces strong alignment between what management is thinking and what the business continuity program is doing and communicating; it actually compels management to be accountable to the program.
The second key benefit to implementing a business continuity management system is that it inherently solves the “audit a plan” problem that many organizations encounter. Has your organization been asked for a copy of your business continuity plan to prove you’re prepared? We all know that a thick business continuity plan doesn’t equate to organizational capability. Unfortunately, third parties often have few other options than to review the plan and evaluate it. Implementing a business continuity management system, especially one certified by a third party, changes the focus from a “check the box” viewpoint (auditing a plan) to actually making sure that your organization has a real, useful, and capable business continuity capability (reviewing the performance of the management system). This enables the organization to validate and communicate program performance both internally (to executive management) and externally (to key stakeholders), in many cases just by showing proof of certification!
HOW CAN MY ORGANIZATION IMPLEMENT A PDCA MODEL OR INCORPORATE PDCA INTO OUR EXISTING PROGRAM?
The following guidelines can assist you in implementing a business continuity management system in your organization:
- Establish a cross-functional management steering committee
- Talk in the language that management understands
  - How they view the business and what is important to them
- Make business continuity relevant and easy to understand – simplicity is key!
- Focus on organizational outputs (key products and services)
- Establish downtime tolerances for key products and services
- Explain the current capability of key products and services in order for management to take action or accept risk
- Ensure objectives are realistic and management is willing to spend the resources needed to achieve them
With the growing popularity and continued success of business continuity management systems, this approach and framework are proving to be the future of business continuity. Organizations struggling to capture and maintain executive management’s attention will realize tremendous value when implementing a business continuity management system. Input and continuous feedback will increase, as will the decisions and resources necessary to meet management’s expectations. The business continuity management system framework has one goal: to provide a business continuity program that works, is flexible, and is efficient.