Preparedness and efficient crisis management have become essential for success and continuity in the face of the growing dangers that organisations must contend with, from cybercrime to natural disasters. The ISO 22301:2019 standard is an excellent resource that firms can use to create a solid business continuity management system and a suitable crisis management plan.
In this essay, we’ll examine how crucial ISO 22301 is for ensuring business continuity and continuing essential operations both during and after crises. We will clarify the idea behind and key elements of efficient crisis management plans and assess whether they should be considered a fundamental component of the standard.
Explore this crucial area with us as we go.
What is ISO 22301?
ISO 22301 is the international standard for business continuity management systems. This standard provides organisations with guidelines and requirements for developing and implementing plans and processes to prepare for, respond to, and recover from various events.
Key requirements of ISO 22301:
ISO 22301 requires organisations and entities to establish and maintain a documented business continuity management system that includes policies, objectives, and procedures to meet the requirements of business continuity. This includes conducting risk assessments, developing a business continuity strategy, implementing response and recovery plans, and conducting regular training and exercises.
Within this framework, organisations are expected to have existing plans and processes to effectively manage and respond to crises. These plans may be referred to as crisis management plans, incident response plans, or emergency response plans, depending on the terminology used within the organisation.
So, what is a crisis management plan?
An organisation’s defined strategies, methods, and procedures for dealing with crises and emergencies are called a crisis management plan. During a crisis, it acts as a manual that is followed by important parties. It offers direction and structure to lessen the impact of the crisis and encourage prompt and well-coordinated actions.
A crisis management plan’s main goals are to ensure people’s safety, safeguard the organisation’s reputation, minimise operational disruptions, and promote quick recovery. The plan provides a structure for communication, decision-making, and resource allocation and specifies processes and roles for various stakeholders involved in crisis management, from executive leaders to frontline staff.
Common components of a crisis management plan include:
- Objectives and scope: A clear statement of the plan’s objectives and the scope it covers, including the types of crises or emergency situations it addresses.
- Crisis management team: Identification of key individuals who will form the crisis management team, along with their roles, responsibilities, and contact information.
- Communication plan: Strategies and protocols for internal and external communication during the crisis, including designated spokespersons, communication channels, and message templates.
- Incident assessment and response: Procedures for assessing the nature, severity, and impact of the crisis, along with pre-defined response actions and escalation protocols.
- Resources and logistics: Identification and distribution of necessary resources, such as personnel, facilities, equipment, and supplies, to support crisis response efforts.
- Stakeholder management: Strategies for dealing with and managing relationships with key stakeholders, including employees, customers, suppliers, regulatory authorities, the media, and the public.
- Integration with business continuity: Integration with the broader business continuity plans of the organisation to ensure a cohesive approach to crisis response, recovery, and post-crisis restoration of operations.
- Training and exercises: Plans for regular training sessions and simulation exercises to familiarise employees with the plan, test its effectiveness, and identify areas for improvement.
- Plan review and maintenance: Processes for regularly reviewing and updating the crisis management plan to account for changes in organisational structure, operations, or the risk landscape.
A well-designed crisis management plan should be tailored to the organisation’s specific needs and risks, be operational and flexible, and undergo regular testing.
Does a crisis management plan represent an essential requirement in ISO 22301:2019?
- ISO 22301:2019, the standard for business continuity management systems, does not explicitly impose a separate “Disaster Recovery plan” as a requirement. However, it emphasises the need for organisations to develop and implement processes and plans to ensure timely recovery of critical activities and resources in the event of disruptions.
- In the context of ISO 22301, the concept of disaster recovery is usually addressed as part of comprehensive business continuity management. The standard focuses on an organisation’s ability to continue its essential functions during and after a disruptive incident.
- ISO 22301 requires organisations to establish and maintain a documented business continuity management system that encompasses various components.
The components that should be included in a business continuity management system are:
- Business Impact Analysis: Organisations need to conduct an analysis to identify and prioritise critical activities, resources, and vital dependencies. Business Impact Analysis helps in understanding the potential effects of disruptions and guides the development of appropriate recovery strategies.
- Business Continuity Strategy: Based on the results of the Business Impact Analysis, entities need to determine a business continuity strategy, which includes identifying suitable recovery objectives and the required approach. This strategy may encompass various recovery options, including disaster recovery measures.
- Business Continuity Plans: ISO 22301 requires organisations to develop and maintain business continuity plans to deal with the necessary procedures and resources for ensuring the continuity of critical activities during and after disruptions. Business continuity plans typically include strategies, procedures, and protocols for short-term and long-term recovery, which may involve crisis management measures.
- Testing, Review, and Maintenance: Organisations are expected to regularly test and evaluate their business continuity to ensure its effectiveness, including the efficacy of recovery plans. Exercises and training are crucial for identifying gaps and improving recovery strategies, including any crisis management elements.
While the term “crisis management plan” is not explicitly used in ISO 22301, the standard provides a framework for organisations to develop recovery strategies and plans, including those specific to crises. The terminology and specific content of recovery plans may vary based on the organisation’s context and industry.
To effectively implement a business continuity management system with crisis management plans and measures, you can consider engaging Renad Al Majd for Information Technology (RMG) to execute and apply the ISO 22301 standard within your organisation until the final review process is completed and then obtain the internationally recognised ISO 22301 certification.