bci iso 22301 benchmarking report
TRANSCRIPT
B u s i n e s s C o n t i n u i t y I n s t i t u t eISO 22301 BENCHMARKING
SURVEY 2015
BCI Foreword
This publication is the third report produced by the Business Continuity Institute looking at ISO 22301, the international standard for business continuity, which was launched in June 2012.
Our first report appeared in May 2012, just ahead of the launch of the standard, as we considered its anticipated adoption and how this new standard could change the business continuity landscape. Our second report from June 2013 recorded the discussions of a Roundtable as senior practitioners and early adopters shared experiences and challenges faced in the first year after launch.
This third report, sponsored by NQA, is based on a wider scale survey of BCI members and other continuity and resilience practitioners who have had the opportunity to consider, align to or adopt ISO 22301 for approaching three years.
An excellent response from 560 organisations across 69 countries makes this a valuable reference document for those still considering their ISO 22301 journey. While 40% of respondents are, as yet, unclear on whether ISO 22301 is appropriate for their organisation, 60% are either compliant with (11%), aligned to (39%) or certified against (10%) the standard. Unsurprisingly, top management commitment within these organisations was measured at a much higher rate than within those organisations who have not yet considered introducing the standard. Aside from gaining top management support, other stumbling blocks include resource constraints (25%) and the complexity of implementation (19%).
For those organisations which are certified against the standard the main benefits were cited as: assurance of continued services (61%); protecting reputation and brand (48%); reduced risk of business interruption (48%); greater resilience against disruption (45%); and quicker recovery from interruption (44%).
A surprisingly high percentage of respondents (82%) were not seeking ISO 22301 alignment from their suppliers but, as this is still a relatively new standard, we would hope that this percentage will drop in future years.
The BCI has been delighted to work with NQA on the production of this report which will add great value to the business continuity body of knowledge as the profession broadens and continues to mature.
David James-Brown FBCIBCI Chairman
NQA Foreword
NQA is really pleased to support the Business Continuity Institute in the publication of this research into the adoption of ISO 22301, the international standard for business continuity management systems.
Naturally this subject is in NQA’s interest as we provide accredited certification for ISO 22301, but the subject of business continuity and the role of the ISO 22301 standard are of greater societal importance.
We have all experienced disruption to our professional and private lives as a result of minor and sometimes major events beyond our control – from freak weather, internet downtime and late deliveries to accidents, terrorist activities and natural disasters.
What if? That is the question. Is your organisation resilient enough to withstand disruption and can it recover quickly from serious downtime?
For this reason it is vital that business continuity isn’t just seen as a specialist subject owned by continuity and resilience practitioners – it is a fundamental component of organisational resilience for commercial entities and sustainable public services.
Senior managers must understand this perspective and it is research like this that provides the business case for investing in business continuity management systems. And more specifically aligning to, adopting and certifying to ISO 22301.
Our clients have seen significant benefit of adopting ISO 22301 and taking the extra step to maintain third-party certification to the standard. They report greater resilience, agility and customer confidence.
We are delighted with the response to this research and remain optimistic that the benefits of ISO 22301 will be realised by more organisations with each cycle of this report.
Kevan Parker Head of NQA
CONTENTS
Executive Summary 5
Section 1
Conclusion and Recommendations 17
Section 3
Section 2
Introduction 8
How Organisations Approach ISO 22301 8
Drivers and Challenges behind ISO 22301 Certification 11
Validating BC Arrangements Using ISO 22301 14
Requesting ISO 22301 Certification from Suppliers 15
Annex
1: Demographic Information 20
2: Benchmarking ISO 22301 23
EXECUTIVE SUMMARY
05
EXECUTIVE SUMMARY
Section 1
4x times likely to adopt
4x times likely to adoptOrganisations with strong top management commitment are more than 4x likely to adopt ISO 22301 in some form than the ones who exhibit little/no commitment at all.
27%27%are strongly committed towards using ISO 22301
560560Respondents
6969Countries
ISO 22301 Uptake
11% 10% 39% 41%
50%0% 100%
CompliantCertified Aligned None/Don’t know
Section 1
06
61%48%
45%48%
44%Assurance of Continued Service
Protecting Reputation And Brand
Greater Resilience Against Disruption Quicker Recovery From Interruption
Reduced Risk Of Business Interruption
Top Reasons For ISO 22301 Certification
100%
Resource ConstraintsComplexity of ImplementationTop Management Buy In
25%19%18%
Challenges To ISO 22301 Certification
100%
21%82%
21%82%
Do not seek ISO 22301 certification from their suppliers
Report that ISO 22301 certification may not be appropriate to their business
54% Checking BC plans51% Conducting internal audit
47% Desktop exercises
50% 100%
Validating ISO 22301 Certification
MAIN REPORT
INTRODUCTIONBusiness continuity (BC) standards such as ISO 22301 promote good practice and are used as a starting point for building organisational resilience. The 2015 ISO 22301 Benchmarking Survey, produced in association with NQA, has the following aims:
• Track the uptake of the standard• Identify drivers and challenges behind benchmarking• Examine how BC is validated in organisations
This year’s survey ran for four weeks and has garnered 560 responses from 69 countries worldwide.
Section 2
08
How organisations approach ISO 22301 An important part of determining the uptake of standards, an enabler of good practice, is top management commitment. The BCI Good Practice Guidelines and past Institute research affirm the importance of leadership in creating the right conditions for good practice leading to organisational resilience. Nonetheless, overall data suggests that many organisations struggle with this, with only just over a quarter (27%) reporting strong commitment towards ISO 22301 adoption. Figure 1 summarises the results.
Figure 1. Question 6: What is top management commitment towards compliance, certification or alignment towards ISO 22301? In relation to ISO 22301, our top management is… (N=527)
Strong Committed
Fairly Committed
Slightly Committed
Not At All Committed
Don’t Know
14127%
15630%110
21%
7614%
448%
Top management commitment to ISO 22301
1. Certification is being fully audited and issued a certificate of compliance to ISO 22301 by an accredited body.2. Compliance is conforming to ISO 22301 requirements.
3. Alignment is developing an in-house approach consistent with elements of ISO 22301.09
Six out of 10 organisations adopt ISO 22301 in various forms such as certification1 (10%), compliance2
(11%) and alignment3 (39%).
Segmenting the data according to top management commitment however reveals interesting results. Organisations with strong top management commitment to business continuity are four times more likely to adopt ISO 22301 in some form than the ones who exhibit little/no commitment at all. Certification against ISO 22301 seems to be most strongly related to top management commitment (Table 2).
Section 2 How organisations approach ISO 22301
Figure 2. Question 7: Which of the following best describes your organisation’s approach to ISO 22301? (N=528)
Approach to ISO 22301
We Comply With ISO 22301
We Are Certified Against ISO 22301
We Are Aligned Against ISO 22301
None Of The Above
Don’t Know
5811%
5210%
20739%
17633%
357%
Section 2
10
4. SMEs are defined by EU law as organisations having ≤250 employees and annual turnover of ≤€50 million.
How organisations approach ISO 22301
Table 2. Comparing ISO 22301 uptake with top management commitment levels
Analysing ISO 22301 Uptake
Strong Commitment
Some Commitment
Slight Commitment
No commitmentor don’t know
Certification against ISO 22301 26% 7% 3% 1%
Compliance with ISO 22301 18% 14% 5% 6%
Alignment withISO 22301 45% 56% 38% 12%
No ISO 22301or Don’t Know 11% 23% 54% 81%
Large enterprises are more than twice as likely to align with ISO 22301 compared to small and medium sized enterprises or SMEs4 (46% to 21%).
Organisations in manufacturing (13%) report higher rates of ISO 22301 certification than the overall average (10%).
Companies in Oceania (49%), the Middle East/North Africa (44%) and the United States (48%) report higher alignment rates than the survey average of 39%.
11
Organisations identify several drivers behind ISO 22301 certification such as assurance of continued service to customers (61%), protecting reputation and brand (48%), the need to reduce risk of business interruption (48%) and greater resilience against disruption (45%). Figure 3 summarises the results.
DRIVERS AND CHALLENGES BEHIND ISO 22301 CERTIFICATION
Adopting ISO 22301 is seen as a good starting point towards building organisational resilience. Whilst standards on their own must not be seen as the be-all and end-all of resilience, it provides opportunities for organisations to reflect on their practices and check the robustness of their planning and response capabilities.
Section 2
Figure 3. Question 8: Q8: If your BCMS is certified against ISO 22301, why did you acquire certification? (Multiple answers allowed, N=128)
Drivers to ISO 22301 Certification
61
48
48
45
44
36
29
21
19
14
Assurance of continuedservice to customers
Reduced risk of business interruption
Protecting reputation and brand
Greater resilienceagainst disruption
Quicker recovery frombusiness requirements
Facilitates customer due diligenceand audit requirements
Getting new business
Legal compliance
Other
Competitors are certified against it
0 10 20 30 40 50 60 70 80 90 100%
12
DRIVERS AND CHALLENGES BEHIND ISO 22301 CERTIFICATION
Adopting ISO 22301 is seen as a good starting point towards building organisational resilience. Whilst standards on their own must not be seen as the be-all and end-all of resilience, it provides opportunities for organisations to reflect on their practices and check the robustness of their planning and response capabilities.
Organisations are aware of the challenges behind ISO 22301 certification. The survey examines these challenges and makes a distinction between organisations that have certified against the standard and those who have not.
For organisations that have actually certified their BCMS against ISO 22301, a quarter of them report resource constraints as a main limitation.
Respondents offer other factors such as:
• Lack of national regulations which drive standards certification,
• Lack of BCM awareness within the organisation,
• Time required to demonstrate compliance on top of other audits and commitments,
Figure 4 summarises these barriers to companies that have already certified their BCMS.
Drivers and challenges behind ISO 22301 certification Section 2
Figure 4. Question 10: What are the main challenges of implementing a BCMS certified against ISO 22301? (N=191)
Challenges to ISO 22301 Certification
Appropriateness of standardto my business
Budget constraints
Complexity of implementation
Resource constraints
Top management buy in
Other
3016%
2614%
3719%
4725%
3418%
179%
13
For organisations that have not certified their BCMS against ISO 22301, 21% report that certification may not be appropriate for their businesses. Others cite lack of top management commitment (13%), costs (12%) and perceived lack of benefits (12%).
Organisations echo the same reasons (lack of compelling regulation, BCM awareness and time constraints in demonstrating compliance) in not wanting to certify against ISO 22301. Other factors worth noting are:
• Industry sector (some government agencies are not required to certify BC plans against a standard);
• Lack of alignment to corporate culture;
• Certification against other standards creating too many reporting requirements.
Figure 5 summarises the results for organisations who have not certified their BCMS.
Figure 5. Question 12: If your BCMS is NOT certified against ISO 22301, what are the reasons? (N=421)
Drivers and challenges behind ISO 22301 certification Section 2
Reasons for Lack of ISO 22301 Certification
I plan to get certified in the near future
I am not familiar with ISO 22301
I can’t justify the cost of certification
I can’t see the benefit of certification
I can’t get commitment from top management
Certification may not be appropriate to my business
Other
8921%
328%
5012%
4912%
5613%
8821%
5713%
14
VALIDATING BC ARRANGEMENTSUSING ISO 22301
Beyond certification, it is essential for organisations to validate the implementation of ISO 22301. Certification cannot be maintained if BC systems are not audited and tested. A majority of organisations recognise this with 70% conducting various forms of testing to check the robustness of their BC arrangements as certified by ISO 22301.
The most common forms of validation of BC arrangements include checking BC plans (54%), internal audits (51%) and desktop exercises (47%). Nonetheless, almost a third of organisations (30%) do not validate ISO 22301 implementation at all. This is a worrying situation that must be tackled by identifying barriers to testing and addressing those. Figure 6 summarises how organisations validate their BC arrangements as certified against ISO 22301.
Section 2
Figure 6. Question 11: How have you validated the implementation of ISO 22301 within your organisation? (Multiple answers allowed, N=179)
Validating ISO 22301 Certification
Checking BC plans
Internal audit
Desktop exercises
Conducted tests/actual exercises
Checking BCM programmes
Observed exercises
We have not validatedISO 22301 implementation
Seeking credentials of thosewho run BCM programmes
54
51
47
44
40
32
30
18
0 10 20 30 40 50 60 70 80 90 100%
15
It is therefore surprising to note that in this survey, 82% of organisations do not request ISO 22301 certification from their suppliers (Figure 7). The study offers a reason behind this. ISO 22301 is a fairly new standard and many organisations have not yet transitioned to the standard as a requirement for assurance, much less adopted it themselves. Future studies may focus on tracking this particular metric as an indicator of the maturity of the standard.
Figure 7. Question 13: Do you request ISO 22301 certification for your suppliers? (N=477)
REQUESTING ISO 22301CERTIFICATION FROM SUPPLIERS
Recent BCI studies suggest the increasing uptake of ISO 22301 in providing supplier assurance. The 2014 BCI Supply Chain Resilience Report indicates that 40% of organisations require certification to recognised standards which include ISO 22301 from their key suppliers. Comparisons with historic data also reveal the movement towards increased alignment with standards (38% from 2009-2013 compared to 45% in 2014).
Section 2
Do you request ISO 22301 certification for your suppliers?
Yes
No
Don’t Know
409%
439%
39482%
16
Requesting ISO 22301 certification from suppliers
Organisations that request ISO 22301 certification for supplier assurance share different reasons for doing so. It largely mirrors the drivers mentioned by organisations in adopting the standard themselves such as assurance of continued service (70%), greater resilience against disruption (48%) and protecting reputation and brand (42%). Organisations also note how ISO certification facilitates due diligence and audit requirements (36%). Figure 9 summarises the reasons for requesting ISO 22301 certification for supplier assurance.
REQUESTING ISO 22301CERTIFICATION FROM SUPPLIERS
Recent BCI studies suggest the increasing uptake of ISO 22301 in providing supplier assurance. The 2014 BCI Supply Chain Resilience Report indicates that 40% of organisations require certification to recognised standards which include ISO 22301 from their key suppliers. Comparisons with historic data also reveal the movement towards increased alignment with standards (38% from 2009-2013 compared to 45% in 2014).
Section 2
Figure 9. Question 14: What were your reasons for requesting ISO certification from your suppliers? (Multiple answers allowed, N=84)
Reasons for Supplier ISO 22301 Certification
Assurance of continued service
Greater resilienceagainst disruption
Protecting reputation and brand
Facilitates due diligence andaudit requirements
Requirement for rewardingnew business
Legal compliance
Other
70
48
42
36
21
19
17
0 10 20 30 40 50 60 70 80 90 100%
CONCLUSION &RECOMMENDATIONS
Section 3
18
CONCLUSION ANDRECOMMENDATIONS
Business continuity is a key component of organisational resilience and relevant standards such as ISO 22301 offer a good starting point in this regard. Benchmarking against standards provide opportunities to reflect on organisational practice, identify gaps in planning and implementation, and assess improvement. Approached in a holistic manner, standards benchmarking may help organisations build resilience.
1 The survey underscores the need for leadership. It is clear from the survey results that top management commitment is an indicator of standards uptake. This is a challenge to BC practitioners to engage their top management in this regard. BC practitioners must articulate the value of standards benchmarking and certification, as well as relate it to the overall strategic goal of organisational resilience.
2 Survey results affirm the relative complexity of standards benchmarking and certification, with organisations sharing the challenges behind adopting ISO 22301. Nonetheless, data also suggests possible benefits such as assuring continued service, mitigating the effects of business disruptions and protecting organisational reputation. Of course, it is worthwhile to note that benchmarking and certification itself does not guarantee these benefits. Benchmarking and certification are only the first steps towards building resilience and it requires to be followed through by validation. The survey shows that most organisations appreciate this.
3 Nonetheless, more needs to be done in encouraging other organisations to validate their BC capabilities after benchmarking and certification against standards such as ISO 22301. There is also a need to articulate the importance of the standard in supplier assurance which could play a part in enabling more resilient supply chains.
4 The most encouraging findings involve the growing recognition of ISO 22301 in upholding BC good practice. Recent BCI research affirms this. A majority of organisations now report at least aligning themselves to the standard. Whilst universal uptake remains yet to be seen, the BCI identifies the state of standards benchmarking and certification as a key area of research interest and will track this in future studies.
Annex
20
Annex
1. DEMOGRAPHIC INFORMATIONa. Functional Role of Respondents
Question 1: Which of the following describes your functional role? (N=557)
Question 3: Please indicate the primary activity of your organisation using the SIC 2007 categories given below. (N=557)
b. Industry Sector
21
Annex
Question 4: How many employees work in your organisation? (N=557)
d. Number of Employees
c. Geographical Base
22
Annex
Question 5: Please let us know the approximate annual revenues of your business. (N=557)
e. Approximate Annual Revenues
23
Annex
2. BENCHMARKING ISO 22301 by region/country
Europe North America Asia OceaniaMiddle East & North
Africa
Top management commitment
towards ISO 22301
Strongly - 24%
Fairly - 29%
Slightly - 21%
Not at all - 15%
Strongly - 21%
Fairly - 27%
Slightly - 27%
Not at all - 19%
Strongly - 41%
Fairly - 29%
Slightly - 18%
Not at all - 8%
Strongly - 18%
Fairly - 39%
Slightly - 18%
Not at all - 18%
Strongly - 34%
Fairly - 28%
Slightly - 22%
Not at all - 9%
Approach toISO 22301
Compliance- 7%
Certification-10%
Alignment - 36%
None - 37%
Compliance -14%
Certification - 5%
Alignment - 45%
None - 34%
Compliance -16%
Certification-20%
Alignment - 31%
None - 24%
Compliance -15%
Certification - 0%
Alignment - 49%
None - 36%
Compliance -19%
Certification - 3%
Alignment - 44%
None - 34%
Validation of ISO 22301 within
organisation67% 62% 71% 56% 82%
Seeking ISO 22301 Certification from
suppliers
Yes - 7%No - 85%
Don’t know - 7%
Yes - 7%No - 82%
Don’t know - 10%
Yes - 31%No - 62%
Don’t know - 7%
Yes - 0%No - 84%
Don’t know - 16%
Yes - 11%No - 81%
Don’t know - 7%
Central & Latin America
Sub-Saharan Africa UK Australia United States
Top management commitment
towards ISO 22301
Strongly - 25%
Fairly - 31%
Slightly - 25%
Not at all - 19%
Strongly - 60%
Fairly - 27%
Slightly - 13%
Not at all - 0%
Strongly - 24%
Fairly - 31%
Slightly - 16%
Not at all - 16%
Strongly - 17%
Fairly - 41%
Slightly - 17%
Not at all - 17%
Strongly - 23%
Fairly - 32%
Slightly - 26%
Not at all - 16%
Approach toISO 22301
Compliance -19%
Certification - 6%
Alignment - 44%
None - 31%
Compliance - 0%
Certification-27%
Alignment - 67%
None - 7%
Compliance -6%
Certification - 13%
Alignment - 34%
None - 36%
Compliance 20%
Certification - 0%
Alignment - 40%
None - 40%
Compliance - 14%
Certification - 7%
Alignment - 47%
None - 32%
Validation of ISO 22301 within
organisation78% 88% 66% 57% 68%
Seeking ISO 22301 Certification from
suppliers
Yes - 15%No - 77%
Don’t know - 8%
Yes - 8%No - 83%
Don’t know - 8%
Yes - 8%No - 85%
Don’t know - 7%
Yes - 0%No - 79%
Don’t know - 21%
Yes - 9%No - 77%
Don’t know - 13%
24
Annex
2. BENCHMARKING ISO 22301 by Industry Sector
Financial & Insurance Health & Social Care Public Admin & Defence Manufacturing
Top Management Commitment Towards
ISO 22301
Strongly - 28%
Fairly - 31%
Slightly - 16%
Not at all - 12%
Strongly - 9%
Fairly - 35%
Slightly - 26%
Not at all - 24%
Strongly - 22%
Fairly - 42%
Slightly - 16%
Not at all - 13%
Strongly - 13%
Fairly - 13%
Slightly - 27%
Not at all - 22%
Approach ToISO 22301
Compliance - 10%
Certification - 8%
Alignment - 48%
None - 28%
Compliance - 24%
Certification - 0%
Alignment - 44%
None - 32%
Compliance - 16%
Certification - 2%
Alignment - 53%
None - 22%
Compliance - 0%
Certification - 13%
Alignment - 16%
None - 53%
Validation Of ISO 22301 Within Organisation
77% 50% 82% 56%
Seeking ISO 22301 Certification from
suppliers
Yes - 6%No - 86%
Don’t know - 8%
Yes - 13%No - 73%
Don’t know - 13%
Yes - 9%No - 82%
Don’t know - 9%
Yes - 2%No - 91%
Don’t know - 7%
AcknowledgementsThe BCI wishes to thank NQA for sponsoring this research. The authors also like to acknowledge the efforts of Andrew Scott CBCI during the fieldwork of this survey.
About the AuthorPatrick Alcantara is a Research Associate for the Business Continuity Institute (BCI). In this role, he manages the delivery of the Institute’s research program that focuses on global thought leadership and commercial research. His work on business continuity and resilience topics has been featured in several publications. Prior to the BCI, he has worked in the education and lifelong learning sectors. He completed a Masters in Lifelong Learning with distinction from the Institute of Education (University College London) and Deusto University under an Erasmus Mundus grant.
He can be contacted at [email protected].
Elliot Brooks is a Research Assistant for the Business Continuity Institute (BCI). He is finishing a degree in Disaster Management & Emergency Planning at Coventry University. His previous research work includes the 2014 BCI reports on emergency communications and supply chain resilience.
He can be contacted at [email protected].
About the BCIThe Business Continuity Institute (BCI) is the world’s leading institute for Business Continuity. Established in 1994, the BCI has established itself as the leading membership and certifying organisation for Business Continuity (BC) professionals worldwide. The BCI offers a wide range of resources for business professionals concerned with raising levels of resilience within their organisation or considering a career in business continuity.
With circa 8,000 members in more than 100 countries worldwide, working in an estimated 3,000 organisations in private, public and third sectors, the BCI truly is the world’s leading institute for business continuity. The BCI stands for excellence in the business continuity profession and its Certified grades provide assurance of technical and professional competency in BC.
Contact the BCI
Andrew ScottSenior Communications
Manager
10-11 Southview ParkMarsack Street
Caversham RG4 5AFUnited Kingdom
+44 (0) 118 947 [email protected]
About NQANQA is a leading assessment, verification and certification body and works in partnership with a wide range of businesses, government departments and charitable organisations to help improve performance in quality, environment, health & safety and business continuity management.
NQA holds accreditation from UKAS and ANAB (the respective national accreditation bodies of the UK and USA) and has one of the widest scopes of accreditation, including quality, environmental, information security and business continuity management systems. In addition, there are a number of sector specific schemes covering suppliers to the automotive and aerospace industries.
NQA has issued around 33,000 certificates of registration in 70 countries.
Contact NQA
Kevan ParkerHead of NQA
Warwick HouseHoughton Hall Park
Houghton RegisDunstable LU5 5ZX
United Kingdom
+44 08000 [email protected]
10-11 Southview ParkMarsack StreetCavershamRG4 5AFUnited Kingdom
+44 (0)118 947 8215www.thebci.org