Business Continuity Management (BCM) provides the framework for determining an organization’s risk of being exposed to internal and/or external threats. The objective of implementing and operating a Business Continuity Management System (BCMS) is to enable an organization and its managers to respond effectively to threats such as natural disasters or data breaches, but also to raw material shortages or sudden market fluctuations. Read more in an interview with BCM expert Frank Machalz.
To protect the business interests of a company and to increase security in a crisis situation, a BCMS comprises the following areas:
- Disaster recovery
- Business recovery
- Crisis Management
- Incident management
- Emergency management and emergency planning
In keeping with international standard ISO 22301, a Business Continuity Management System emphasizes the importance of
- Understanding the requirements for continuity and readiness and the need to establish policies and objectives for managing business continuity
- Implementation and operation of controls and measures to manage the general continuity risks of a company
- Monitoring and reviewing the performance and effectiveness of the BCMS
- Continuous improvement based on objective measurements
The current corona pandemic would appear to be a real boost to the debate on the subject. DQS talked to BCM expert and DQS auditor Frank Machalz about aspects of risk management and the purpose of BCM certification.
A SOMEWHAT PROVOCATIVE QUESTION, MR. MACHALZ: BCM – JUST A HYPE?
Of course, in the current situation, organizations are certainly more sensitive than before to the need to maintain their business operations under various external and internal influences. And if there is a temporary need to suspend them, logically, also to resume business operations as quickly as possible. The topic itself, however, is not new. It has always been part of appropriate risk management for any company and even any person. After all, none of us actively take life-shortening measures in our daily lives. Rather, we try to stay alive as long as possible and, above all, healthy.
This is no different with regard to organizations or legal entities. However, here such measures are not at the discretion of the respective top executive or other managers, who are usually “only” employed by the respective company. Rather, they have a direct obligation to avert damages due to the legal environment in which the organization operates. This duty also includes appropriate risk prevention, also taking into account changing environments.
DOES THIS MAKE ISO-CERTIFICATION MANDATORY FOR BCM?
No, of course not. ISO standards and certifications based on them are and remain voluntary standards. No organization is necessarily expected to be certified according to ISO 22301.
Independent of a certification of their Business Continuity Management, however, many companies are currently finding that up to now they have always had to deal with the issue of maintaining or resuming their business operations as quickly as possible in a rather academic and theoretical manner.
This realization is often followed by a search for extant solutions, where ISO 22301 can be a real eye-opener. It is after all a good guide for every organization as to which aspects should be sensibly considered when implementing and maintaining BCM in business processes.
To what extent an assessment and certification of the implemented BCMS by an independent third party is necessary is something that each organization decides for itself. Currently, however, there is a clear trend on the market that, due to the strong networking of companies, mutual proof of an existing, ISO 22301-certified BCMS is expected as the basis for initiating or continuing business relationships.
CAN THE CERTIFICATE BE USED IN THE DEFENCE AGAINST CLAIMS IN CONNECTION WITH NEGATIVE BUSINESS DEVELOPMENT?
Yes, definitely. Usually, the top management of a company is not also one of its stakeholders. For example, the managing director of a German limited liability company (GmbH) is not at the same time also its shareholder, who “only” holds a stake in the company with capital. In company law, the term “foreign body” is also commonly used in this context.
This creates constant pressure for managers – or top management, to use a term from the ISO world – to justify the way they deal with the tangible and intangible assets of their shareholders. And: which measures of profit maximization and risk minimization – including the loss of capital up to insolvency – they have taken. So, as already mentioned, there is an obligation to avert damage.
With a certified management system and its proven and confirmed practical implementation, the accusation of deliberate misconduct and possibly even general misconduct towards this group of people is not applicable. Possible claims for compensation by the stakeholders due to negligent and wrongful management and insufficient risk prevention will have no further basis.
Such a certification can also be advantageous in connection with directors and officers insurance policies, so-called D&O insurance or liability insurance for financial loss, both for the insurance cover provided and for the premium structure, and can contribute to the trust of institutions in the company and its managers.
WHAT REASONABLE EXPENSES SHOULD AN ORGANIZATION EXPECT?
This depends on the maturity level of its management system. And of course this is also influenced by the existence of ISO certifications. ISO standards nowadays also mean the High Level Structure (HLS). And since a Business Continuity Management System is also HLS-capable, there are good prerequisites, because one can build on already existing structures and organizational knowledge in this regard.
WHAT ARE THE SPECIAL FEATURES OF BCMS COMPARED TO OTHER ISO MANAGEMENT SYSTEM STANDARDS?
When compared to other ISO standards, we see that BCMS has a specific focus on entrepreneurial processes:
- Which processes of the organization are relevant for the maintenance of business processes or for their resumption as soon as possible?
- Which measures are necessary to make these processes as trouble-free as possible?
Many ISO standards also have a separate chapter “Emergency planning / emergency precautions”. Here, the Business Continuity Management System has the role and task of a kind of sub-management, in that these parts of the ISO standard are then examined and evaluated in greater depth under BCMS aspects. This would also be possible, by the way, if one did not immediately decide on a further certification according to ISO 22301.
Management systems according to ISO 27001 (information security management) also contain some partial aspects of a BCMS. For example, the protection requirements analysis (SBA) for IT applications is comparable with the Business Impact Analysis (BIA) according to ISO 22301 in terms of its methodological approach. An existing SBA can therefore be part of the BIA.
MR. MACHALZ, THANK YOU VERY MUCH FOR THE INTERVIEW.
ISO just launched two public surveys in order to get the opinion of as many stakeholders as possible. In this case, stakeholder is exactly that: anybody who has a stake in one of these management system standards, be it as an auditor, audit program manager, decision maker, business owner, consultant, etc.
The surveys for ISO 9001 and ISO 45001 will form part of the foundation of upcoming revisions and updates. Please find the links below for your convenience:
Thank you in advance for your attention to this issue. Stay safe.
If you want to continue to read about the latest developments in the world of standards, and what's new at DQS Group, please visit our social media channels.
If your organization relies on the GRI Standards for its sustainability reporting, you will want to keep a close eye on current developments: GRI is revising its universal standards, which apply to organizations of any type and size. While many of the proposed changes are minor, there are a number of modifications that will require some reporters to rethink the content of their sustainability reports.
As you probably know, the GRI framework comprises two types of standards:
- The so-called universal standards, applicable to all reporting organizations (101, 102 and 103)
- Topic-specific standards, focusing on distinct sustainability topics like human rights, waste, emissions, … (the 200, 300 and 400 series).
The current revision, which is in a consultation phase, only affects the universal standards. However, because the universal standards describe the principles and framework, changing them has far-reaching implications for the topic-specific standards. In this article, we will walk you through the most significant changes.
IMPACT AND MATERIALITY
One of the key concepts of sustainability reporting is “materiality”: the idea that reports should focus on the topics that are the most relevant to the sustainability performance of the reporting organization. Many reporters include a materiality matrix in their report, which indicates the relevance and priority of the specific sustainability topics. For example, companies in the oil and gas industry are likely to have emissions as one of their most material topics, whereas companies in the service industry may focus more on social aspects, like employee wellbeing.
However, there are many different approaches to defining materiality. Many companies still rank the topics on two axes:
- relevance to stakeholders and
- relevance to the company.
We should point out that this approach is not compliant with the GRI standards. The definition provided in GRI 101 also has two axes, but different ones:
- influence on the decisions of stakeholders and
- significance of economic, environmental and social impact.
The graphic below is taken from the 2016 version of GRI 101:
The revised version, however, focuses on the horizontal axis only. According to the revised definition, a material topic is a “topic that reflects the organization’s most significant impacts on the economy, environment, and people, including impacts on human rights”.
So what does that change in practice? It means the focus shifts entirely to impact: reporting organizations will need to ensure they understand their actual and potential impacts on the economy, the environment and society. They still need to involve their stakeholders to gather their input, but no longer in order to understand the stakeholders’ priorities; rather, to get a better understanding of the impact of the organization.
IMPACT AND DUE DILIGENCE
This focus on impact means that reporting organizations need a process to identify and manage their impacts. This is where the concept of due diligence comes into play. The term, almost entirely absent in the first version of the standard, now takes center stage. It is defined as “the process through which an organization identifies, prevents, mitigates, and accounts for how it addresses its actual and potential negative impacts on the economy, environment, and people.”
One of the key topics for which reporters will need to disclose their due diligence approach is human rights. Frequent readers of our blog will know that many countries are in the process of making human rights due diligence mandatory (Link, Link). As such, the update to the GRI Standards ensures a better alignment with the UN Guiding Principles on Business and Human Rights.
DISTINCTION BETWEEN CORE AND COMPREHENSIVE DISAPPEARS
Another noteworthy change is that the distinction between reporting only the core disclosures and reporting comprehensively disappears. This means that for all topics that are judged to be material, reporting organizations will need to report appropriate disclosures from the topic standards, instead of reporting at least one or all disclosures as per the existing Core and Comprehensive options.
SECTOR SPECIFIC STANDARDS
Besides the universal standards and the topic-specific standards, GRI is also developing sector-specific standards. These will not contain new disclosures, but will help companies in determining their material topics. The sector-specific standards will identify and describe the main economic, environmental and social impacts of a sector, thereby setting the context for reporting.
The first sector-specific standard will be for the oil and gas industry, to be published in the course of 2020. A second standard for the agriculture sector should follow soon.
HOW DQS CAN SUPPORT YOUR SUSTAINABILITY REPORTING:
As an independent audit and assurance provider, we can support your sustainability reporting processes with the following services:
- Training: DQS is a certified GRI Training Provider
- Third-party Assurance: we are an AA1000 licensed Assurance Provider for sustainability reporting
- Verification of sustainability KPIs