BCMS Blog#15 Business Continuity Strategies for Earthquake Preparedness


In our previous article, we explored how to select appropriate business continuity strategies for organizations based on the principles of ISO 22331. This week, we will discuss how to apply the recommendations from ISO 22331 and the Good Practice Guideline 7.0 to select organizational strategies for continuous business operations, considering the context of the recent earthquake in Thailand.

Selecting Business Continuity Strategies

[Figure: BC strategy flowchart]

As the image above shows, certain prerequisites must be considered, or information about them made available, before business continuity strategies are determined and selected. They are crucial in determining whether the strategies we choose are suitable and feasible for the organization. The prerequisites that organizations must consider before analyzing and selecting strategies, as outlined in clause 4 of ISO 22331, include:

Context of the Organization (4.2)

When considering the context of the organization for determining BC strategies, it is essential to take into account the various factors that can influence strategy selection, such as legal requirements and other external factors.

Interested Parties (4.3)

Understanding stakeholder needs and requirements to help determine appropriate continuity strategies.

Role and Responsibility (4.4)

Assigning roles and responsibilities to employees who are competent and in a position to make strategic decisions for the organization.

Support (4.6 & 4.7)

Support from top management, whether in terms of resources or direction-setting, is crucial for determining strategies and designing an effective BCMS that is fit for the organization.

Results from BIA (4.7)

Conducting a Business Impact Analysis (BIA) to identify prioritized activities and recovery time objectives, and performing a Risk Assessment (RA) to evaluate risks, are essential steps that must be completed before starting to determine strategies.

These topics are all crucial elements in the ISO 22301 requirements, serving as the foundation of the BCMS (Business Continuity Management System).

Determination and Selection of BC Strategies

[Figure: BC strategy selection]

Both ISO 22331 and the Good Practice Guideline (GPG) recommend similar steps for determining and selecting business continuity strategies. The process begins with conducting a GAP Analysis to compare current resources and response plans with the business continuity requirements derived from the results of the BIA and RA. Following this, various potential strategies are identified before selecting the most appropriate strategy for the organization.

Example of a GAP Analysis Using the Earthquake Context

GAP analysis is a tool widely used by organizations to identify the gaps between the current situation and desired goals. This helps improve work efficiency and enhances strategic planning. In this article, we will provide an example of a GAP analysis based on the context of the earthquake that occurred last month, as illustrated in the table below.

[Table: example GAP analysis in the earthquake context]

From the table above, we provided a preliminary example of conducting a GAP analysis to give a rough overview. However, in determining actual business continuity strategies, it is necessary to compare the business continuity requirements with the current business continuity capabilities to identify the gaps. These gaps will then be used to formulate the strategies.

Examples of Business Continuity Strategies for Different Types of Resources

Once we have identified the gaps from the review, another technique recommended by both the ISO standard and the Good Practice Guideline (GPG) is to categorize continuity strategies based on the urgency of the recovery time objectives (RTO) determined during the Business Impact Analysis (BIA), as illustrated in the example below.

[Figure: continuity strategy categories by RTO]

From the example, you can see that activities or resources with very short RTOs (in Category A) require continuity strategies that provide the fastest recovery capabilities and often involve the highest investment. In contrast, activities with RTOs in Category D, which are less urgent, require less immediate recovery strategies. The table below provides example strategies to illustrate this concept more clearly.

[Table: example strategies]

This article covers just a part of the recommendations from ISO 22331. Identifying and selecting strategies suitable for an organization requires knowledge from various areas, including specific risk assessments for natural disasters such as floods and earthquakes. At InterRisk, we have teams that specialize in these areas. If your organization is looking to mitigate risks that could disrupt your business, contact us today. If you enjoy articles about BCP (Business Continuity Planning) and BCM (Business Continuity Management), you can read more of our articles below.
