Sources of Corrective Actions

This perspective is the eighth in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.

Today we’re going to take a look at ISO 22301’s requirements regarding corrective actions.

The management system approach to business continuity, as outlined in ISO 22301, requires that when “nonconformity occurs, the organization shall react to the nonconformity and evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere” (Clause 10.1).  In addition to preventing reoccurrence, identifying and addressing appropriate corrective actions allows an organization to continually improve its business continuity management system (BCMS).

Corrective actions can be identified from a variety of sources, so this post takes a deeper look at each potential source and the best approach for identifying and reacting to potential nonconformities from each source.

ISO 22301 defines a corrective action as an “action to eliminate the cause of a non-conformity and to prevent reoccurrence”; however, Castellan also views lessons learned and opportunities for performance enhancement as forms of corrective actions.  Once an organization identifies a non-conformity, lesson learned, or opportunity for improvement, a root cause analysis should be conducted in order to fully understand the problem at hand and ensure that the identified corrective action(s) properly address the problem to avoid the same issue in the future or within another department.

It’s no secret that a list of corrective actions can get rather lengthy, so it’s important to prioritize to ensure you address that most critical items first. We recommend prioritizing corrective actions based on the potential impacts, should the identified problem or gap remain uncorrected.  An organization should seek to define these categories with measurable criteria to avoid improperly prioritizing corrective actions, which could lead to a failure to address the most critical gaps.

To remain in compliance with ISO 22301, it is also critical that corrective actions are maintained in a repository that not only lists the organization’s corrective actions, but also documents the creation date, source, description, priority, status, due date, responsible individual, and actual resolution date for each corrective action.  Further, corrective actions must be included as part of an organization’s management reviews.  Doing so gives top management the opportunity to provide feedback, ensure that the appropriate priority level has been assigned, and allocate the resources required to address corrective actions.

While there are many sources of corrective actions, through our experience we’ve found that the common sources are:

Let’s review each source in greater detail.

Business Impact Analysis and Gap Analysis
When properly executed, the business impact analysis (BIA) identifies an organization’s resource dependencies as well as the potential impacts associated with a disruptive incident.  After completion of the BIA (organization wide), the organization should perform a Gap Analysis and/or document a BIA Summary report.  This document identifies gaps in the organization’s business continuity capabilities, which highlights corrective actions needed to close gaps through the strategy identification process.

Risk Assessment
The risk assessment, which is typically conducted in parallel to (or immediately following) the BIA, helps an organization further clarify the potential impacts of resource loss as well as the likelihood of occurrence.  The primary outcome of the risk assessment is a risk rating (impacts multiplied by likelihood) which allows an organization to rank risks and prioritize the implementation of appropriate risk treatment options during the strategy identification effort.  The risk assessment also contributes to the completion of a Gap Analysis, resulting in clearly identified corrective actions.

Lessons Learned from Disruptive Incidents
Following any type of disruptive incident, an organization’s business continuity team should facilitate a post-incident after action review.  The review should focus on answering two questions:

  1. Were the actions taken or plans implemented by the organization effective in responding to the disruptive incident?
  2. What could the organization do differently in the future – during planning or during an actual response – to minimize impact and downtime?

By focusing on these two questions, an organization will identify gaps in its response and recovery plans and capabilities.  These gaps should again be analyzed allowing appropriate corrective actions to be identified and addressed according to their priority level.

Exercise Lessons Learned
Following any exercise (or test), an organization should conduct a post-exercise after action review.  By again focusing on the two questions in the previous section, an organization will identify gaps in its response and recovery plans.  These gaps are just as important as post-incident lessons learned and must be analyzed, documented, and corrected accordingly.

Management Reviews
We recommend that every quarter, at a minimum, the business continuity team prepares a presentation for their organization’s business continuity steering committee (or the top level managers) who are accountable for the business continuity program.  While the content of this presentation will vary based on the size, industry, and complexity of an organization, every management review will result in feedback for the business continuity team, as well as input regarding the priority of proposed correction actions.

An effective management review, regardless of an organization’s industry or complexity, should include up-to-date business continuity performance metrics.  Performance metrics should provide a clear picture of an organization’s business continuity preparedness level, which allows management to provide additional feedback to the business continuity team, resulting in the identification of new corrective actions.

Regulatory Feedback
Certain organizations, especially those in the financial and banking industries, are subject to regulatory audits and oversight from organizations such as the Office of the Comptroller of the Currency (OCC) or the Securities and Exchange Commission (SEC).  While certain audit findings may result in major program changes, which would require a project to be initiated, often times an audit results in small but critical adjustments to the BCMS, including approaches and solutions.  Following the receipt of regulatory feedback, an organization’s business continuity team must capture results, conduct an analysis, present results to top management (typically during the next management review), and, once identified, document applicable corrective actions.

Internal and External Audit Results; Quality Inspections
In addition to regulatory audits, an organization may undergo a variety of other internal audits, external audits, and/or quality inspections (e.g. standards audit).  As with a regulatory audit, the business continuity team must capture results, perform an analysis, present results, and document applicable corrective actions following any audit or quality inspection.

Supplier Evaluations
It is increasingly common for organizations to have a heavy reliance on third party suppliers.  As such, it is critical that an organization’s business continuity team understands which suppliers are required to deliver products and services, as well as the impacts and likelihood associated with supplier downtime.  Once suppliers have been identified and a risk rating for each has been established, an organization should further evaluate each supplier using appropriate methods, such as supplier interviews or surveys.  Doing so will expose supplier vulnerabilities, gaps, and areas of non-conformity providing an organization with a comprehensive list of supplier-related corrective actions, after a thorough root cause analysis has been completed.

Corrective actions can be identified from a variety of sources, the most common of which are described in this post.  While each organization has unique and varied sources, it is critical that business continuity personnel understand their organization’s most common sources and be prepared to receive and prioritize feedback.

Remember, there are several steps between identifying a gap, non-conformity, and/or problem, and documenting it as part of the corrective actions handling process.  These include:

  • Conducting a root cause analysis
  • Determining if the problem is isolated or present within multiple departments
  • Assigning a priority level to the corrective action
  • Obtaining management feedback (if required) and determining next steps

Once these steps are complete, corrective actions should be documented and managed within a centralized repository.

Following these guidelines enables an organization to effectively identify and manage corrective actions while also using them to drive continual improvement of their BCMS.

Continue to visit our business continuity and IT disaster recovery blog for more posts in Castellan’s Conforming to ISO 22301 series.

In the meantime, don’t hesitate to reach out to us to discuss aligning to the standard or pursuing certification. We look forward to hearing from you!

Get The Business Continuity Operating System Book by Brian Zawada

Ready for some hands-on help? Let’s discuss how to best achieve your resilience goals.