4 Context
4.1 Context of the company
External and internal issues that can influence the BCMS
Requirement 1
The two most important things in a company do not appear in its balance sheet: its reputation and its people. Henry Ford
To successfully implement a business continuity management system, we must understand and evaluate everything that can influence the company's reason for being and its business performance. You should think carefully about a few key activities:
- develop a thorough diagnosis of the unique context in which your company exists, taking into account:
  - external issues, such as the environment:
    - social
    - regulatory
    - economic
    - technological
  - internal issues, such as:
    - specific aspects of the corporate culture:
      - vision
      - rationale, purpose and mission
      - core values
    - staff
    - products and services
    - infrastructure
- monitor and review regularly any information relating to external and internal issues
- analyze the factors that may influence the achievement of business objectives
The SWOT and PESTEL analyses can be useful for relevant analysis of business context (cf. annex 07).
A list of external and internal issues is drawn up by a multidisciplinary team. Each issue is characterized by its level of influence and control. Priority is given to issues with great influence and poor control.
- the diagnosis of the context includes the main external and internal issues
- essential values such as corporate culture are taken into account
- the results of the context analysis are widely communicated
- SWOT analysis helps identify the main threats and opportunities
- issues in the business context such as the regulatory environment are not taken into account
- in some cases, corporate culture is not taken into account
- the threats and weaknesses identified in the SWOT analysis remain without action
4.2 Stakeholders
Understand the requirements of stakeholders
Requirements 2 to 6
There is only one valid definition of a business purpose: to create a customer. Peter Drucker
To understand the needs and expectations of stakeholders, we must begin by determining those who may be affected by the business continuity management system such as:
- employees
- customers
- external providers
- owners
- shareholders
- bankers
- distributors
- competitors
- citizens
- neighbors
- social and political organizations
Every stakeholder is characterized by its level of influence and control. Priority is given to stakeholders with great influence and poor control. A list of stakeholders is created by a multidisciplinary team, cf. annex 08.
The customer is king, but we can still fight against rudeness. This example is from the restaurant La petite Syrah in Nice and its coffee prices:
- “A coffee”: 7 €
- “A coffee, please”: 4,25 €
- “Hello, a coffee, please”: 1,40 €
Anticipating the reasonable and relevant needs and expectations of stakeholders involves:
- meeting legal and regulatory requirements
- preparing to address threats
- finding improvement opportunities
The Identify legal requirements process of business continuity allows you to take into account the mandatory requirements and comply with them.
Requirements may concern:
- incident response (emergency management)
- business continuity (business continuity plan, exercise program)
- risk management
- hazard management (chemical materials)
When an applicable requirement is accepted, it becomes an internal requirement of the BCMS.
- the list of stakeholders is updated
- stakeholder needs and expectations are established through meetings on-site, surveys, round tables and meetings (monthly or frequent)
- the application of legal and regulatory requirements is a prevention approach and not a constraint
- regulatory and legal requirements are not taken into account
- stakeholder expectations are not determined
- the list of stakeholders does not contain their field of activity
4.3 Scope
Define the scope of the BCMS
Requirements 7 to 15
In many areas, the winner is the one who is best informed. André Muller
The scope (or in other words the perimeter) of this module applies to the business continuity management system (or in other words to crisis risk management) in the company and concerns:
- the location
- products and services
- activities and processes
- the resources
The Scope of the BCMS is available to stakeholders, cf. annex 09.
When a requirement cannot be applied, a justification is included in the document.
The scope of the BCMS of a company is established taking into account:
- its reason for being
- its products and services
- its context (internal and external issues)
- stakeholder requirements
- the complexity of its structure
Questions that require answers:
- what is the most vulnerable company activity?
- what is the maximum tolerable level of disturbance?
- what are the applicable regulatory obligations?
- what are the priority risks?
- what crisis can surprise us?
- is the crisis team prepared?
- how can we protect staff and work tools?
- what is the plan to maintain part of the activity?
- how can we restore normal activity as quickly as possible?
This module does not specifically include accounting risks and extreme risks related to:
- financial crises
- insurance
- tax fraud
- counterfeit parts
- corruption
For a circus, the risks likely to cause problems during a performance include a power outage, a storm, the absence of several actors or technicians (illness or social conflict) or major transport problems for the public.
After identifying, analyzing and evaluating the risks that could disrupt the performance, top management must decide what actions to take to reduce the chances of cancellation.
Business continuity concerns many areas and risks:
- the staff
- the reputation of the company
- products and projects
- insurance
- supply disruption
- lack of skills
- terrorist threats
- natural disasters
To properly determine the scope of the BCMS, the specificities of the company context are taken into account, such as:
- the issues (cf. paragraph 4.1)
- products and services
- corporate culture
- the environment:
  - social
  - financial
  - technological
  - economic
- stakeholder requirements (cf. paragraph 4.2)
- outsourced processes
- the scope is relevant and available on simple request
- non-applicable requirements are justified in writing
- certain workshops are outside the scope of the BCMS without justification
- the scope is obsolete (the new subsidiary is not included)
4.4 BCMS
BCMS requirements, processes and interactions
Requirement 16
Prevention is better than cure
The requirements of the ISO 22301 standard concern:
- the context of the company
- business continuity policy and objectives
- response to disruptions
- evaluation of the performance of the BCMS
- continual improvement of the BCMS
For that:
- the business continuity management system is:
  - established
  - documented (a simple and sufficient documentary system is put in place)
  - implemented and
  - continually improved
- the business continuity policy, objectives, resources and work environment are determined
- threats are identified and actions to reduce them are established (cf. paragraph 6.1)
- the essential processes necessary for the BCMS are mastered:
  - the corresponding resources assured
  - the input and output elements determined
  - the necessary information available
  - owners named (responsibilities and authorities defined)
  - the sequences and interactions determined
  - each process measured and monitored (established criteria), objectives established and performance indicators analyzed
  - process performance evaluated
  - the necessary changes introduced to achieve the expected results
  - actions to achieve continual process improvement established
- the bare minimum necessary (“as much as necessary”) of process documents are maintained and retained
Pitfalls to avoid:
- going overboard on quality:
  - an unnecessary operation is carried out without adding value – it is waste, cf. D 12 quality tools
- having all procedures written by the business continuity manager:
  - safety is everybody's business, "the staff is conscious of the relevance and importance of each to the contribution to objectives", which is even more true for department heads and process owners
- forgetting to take into account the specificities related to the corporate culture:
  - innovation, luxury, secrecy, authoritarian management (Apple)
  - strong culture related to ecology, action and struggle, while cultivating secrecy (Greenpeace)
  - fun and quirky corporate culture (Michel & Augustin)
  - liberated company, the man is good, love your customer, shared dream (Favi, cf. T 50)
The requirements of the ISO 22301 standard are shown in figure 4-1:
Figure 4-1. The requirements of ISO 22301
An effective BCMS is mainly oriented towards:
- the potential consequences
- the capacity of critical activities
- team simulation exercises
- flexible responses
Do not hesitate to look for answers in ISO 22313 (“Guidance on the Use of ISO 22301”) when you cannot find them in this module, cf. paragraph 2.2.
- the process map contains enough arrows to clearly show who the customer is (internal or external)
- many arrows (multiple customers) are used for processes (no customer is forgotten)
- during the process review the added value of the process is clearly revealed
- process performance analysis is an example of proof of continual improvement of BCMS effectiveness
- top management regularly monitors objectives and action plans
- top management commitments relating to continual improvement are widely communicated
- the purpose of each process is clearly defined
- some process output elements are not correctly defined (customers not taken into account)
- process efficiency criteria not established
- non-formalized process owner
- outsourced processes not determined
- very real activities are not identified in any process
- control of outsourced services not described
- sequences and interactions of certain processes are not determined
- criteria and methods to ensure the performance of processes are undefined
- monitoring of the performance of certain processes not established
- BCMS resources do not enable business continuity objectives to be achieved
- the BCMS is not updated (new processes not identified)