Business Continuity Management System Gap Analysis against ISO 22301:2012

Posted on 25-Sep-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Business Continuity Management System

Business Continuity Management System: Gap Analysis against ISO 22301:2012


BUSINESS CONTINUITY MANAGEMENT SYSTEM

Background

In early 2019 a global manufacturing and servicing organisation engaged 4C Strategies to conduct a Gap Analysis in order to identify gaps in its current Business Continuity Management System (BCMS) and make recommendations to address them, prior to the organisation seeking ISO 22301:2012 accreditation (the international Standard for a Business Continuity Management System). Although the company possesses extensive Health & Safety expertise and experience, less focus had been given to Business Continuity, so external help was sought to aid the company in obtaining ISO 22301 accreditation.

4C Strategies was able to conduct the gap analysis using its proprietary software Exonaut® to focus on the review of identified BCM documentation and information provided both electronically and via interviews with relevant key individuals and subject matter experts. It was anticipated that the results of the gap analysis would provoke internal discussion within the organisation to identify current state compliance to the ISO 22301 standard and be used to inform subsequent decision making in their BCMS readiness prior to seeking ISO 22301 accreditation.

Exonaut® Solution

The key defining factor for the success of the gap analysis project was the provision of the Exonaut® system and its capability as an integrated management platform to manage the requirements of the different entities reviewed, including:

• structured and efficient gap analysis and observation planning

• dynamic and flexible delivery options

• real-time evidence-based assessment and evaluation, irrespective of location (observations were taken both remotely at the organisation’s sites and in 4C Strategies offices)

Design, Delivery and Evaluation in Exonaut®

Each aspect of the gap analysis cycle, from design, development and delivery through to evaluation, was powered by Exonaut. The software’s ability to operate across multiple operating systems (Windows, Android, iOS) and devices enabled 4C Strategies evaluators to input observations in real time and to monitor ISO 22301 compliance throughout the interview and document review process.

Design and Delivery

Question set

The question set used for the review was a standard question set which 4C Strategies has developed over a number of years. The questions are designed not only to check compliance with the ISO standard but also to cross-reference the Business Continuity Institute’s (BCI) Good Practice Guidelines. The question set is broken down into a number of levels: the first level is the theme or area, and the second level is a question designed to examine a specific part of that theme or area. There are 6 main themes or areas in the question set:

• Context of the organisation

• Leadership

• Planning

• Support

• Operations

• Performance Evaluation


Below is an example of how the question set is broken down, with the relevant standards. Each entry gives the level 1 theme (L1), the level 2 question (L2), the ISO 22301 standard reference and the BCI Good Practice Guidelines (GPG) reference.

L1: Context of the organisation

L2: Are the organisation’s products, services, functions and activities documented?
ISO STANDARD REF: 4.1 (a) – The organisation shall identify and document […] the organisation’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident.
BCI GPG REF: Introduction – Business continuity requirements are defined as the timeframes, resources and capabilities necessary to continue to deliver the prioritised products, services, processes, and activities following a disruption.

L2: Are the organisation’s interested parties identified, who are the interested parties and what do they deliver/provide?
ISO STANDARD REF: 4.2.1 (a) – When establishing its BCMS, the organisation shall determine the interested parties that are relevant to the BCMS.
BCI GPG REF: PP1 – An understanding of the outsourced activities and suppliers of products and services.

L2: What has been considered when identifying the needs and requirements of the organisation and its interested parties?
ISO STANDARD REF: 4.2.1 (b) – When establishing its BCMS, the organisation shall determine the requirements of these interested parties (i.e. their needs and expectations whether stated, generally implied or obligatory).
BCI GPG REF: PP4 – The organisation should ensure that the needs of various interested parties are identified, prioritised, and agreed when designing business continuity solutions.

Maturity Model

A best practice BCMS maturity model was also used as a baseline for the comparison of relevant documentation, in addition to the scoring of interview responses. The maturity model provides the ability to score each question from 1 to 6 which, when rolled up to the top-level theme, helps to identify current levels of maturity by theme or area. In time this can be used as a benchmark to assess other areas of the business.

Conduct

Two methods were used to conduct the review. The first was the facilitation of short interviews with identified key personnel and subject matter experts to ascertain their perception and knowledge of current BCMS capability. The most relevant questions from the question set were pulled in to make a specific question set for each interview.

The second method was a detailed review of the current BCM documentation, working from a list of the documentation provided by the organisation.

Throughout the two processes and methods detailed here, observations against each question were made which included a score against the maturity model plus comments and any recommendation.

Analysis and Assessment

Once all the data had been captured, whether through interviews or documentation review, there were a number of observations made against each question. Utilising 4C Strategies’ proprietary software Exonaut™ we were able to roll up all the observations made for a particular question to provide an overall assessment against that question. Once this was done, all the assessments were rolled up again to provide an assessment against the theme or area, for example, context of the organisation. Finally, all of those assessments were rolled up again to provide an overarching assessment for the report.

The data captured using Exonaut can be used for benchmarking future review of other operational areas.

Evaluation

The Exonaut Observer (OBS) mobile app enabled 4C Strategies consultants to capture observations in a consistent format, linked to real-time assessments against the identified overarching objectives. 4C Strategies consultants were equipped with smartphones and tablets to capture data and build a fully auditable evaluation set, both for real-time analysis and post-exercise reviews.


The evaluation process starts by reviewing all the observations made over the course of the project against a particular objective. Exonaut then enables us to roll up all those observations into a single assessment. The grades applied throughout the project are also reviewed, with a final grade being given against the objective at the Objective assessment level.
