TÜV Rheinland Blog - Insights from Asia and Africa

Is Your Business Ready To Handle An Unexpected Disaster?

Posted by TUV Rheinland on Oct 19, 2021 9:00:00 AM
TUV Rheinland

Is Your Business Ready To Handle An Unexpected Disaster?Understanding that the ISO 22301 plays a crucial role in developing your business continuity plans is only the first step. Developing the plan itself is a complex process which involves multiple different factors, scenarios, stakeholders, parties, and angles. It can be challenging, especially if you don’t know where to start and the steps to take.

To support you in developing a thorough and robust continuity plan, we’ve designed a self-assessment checklist based on the ISO 22301 so that you can analyse your own continuity plan, identify the gaps present, and improve from there.

  1. Leadership
    Having a dedicated leadership team is the first step. This team should oversee the development of your business continuity plan from the beginning, and should also be responsible for the implementation, maintenance, reviewing and updating, and executing of these plans in the event that it is necessary. They should also ensure that the policies and objectives outlined in the plan are in alignment with your organisation’s objectives and obligations to your stakeholders and clients.

    Here are some questions you can consider:
    • Has top management taken responsibility for the effectiveness of the plan and have they communicated the importance of an effective plan?
    • Have the policy and objectives for the plan, which should be in alignment with the context and strategic direction of the organization, been established and communicated?
    • Do the roles carry the authority for ensuring conformance and reporting, as well as the responsibility?


  1. Management System
    After establishing your leadership committee, it is crucial to establish a system for managing all the necessary and relevant documents relating to each stage of the business continuity plan. This system is crucial for increasing accessibility to staff, employees, stakeholders, and even clients who may need to refer to them in the event of a crisis.

    Secondly, it is also important to set up a maintenance schedule for updating the plan in terms of policies, objectives, effectiveness, relevant stakeholders, impact analysis, and so on. This is to ensure that all business continuity plans are relevant to the circumstances and state of the world in this present day and age.

    Thirdly, on top of that, having a crisis management and recovery training program implemented so that staff at all levels and departments of your business, be it C-Suite leaders, managers, supervisors, or junior employees, are all aware of what needs to be done and practiced. If your business has branches set up worldwide or regionally, those branches should implement these programs as well.

    Lastly, setting up a communication system ensures that all relevant parties involved have clarity before, during, and after an event.

    Here are some questions you can consider:
    • Is the documented information stored managed such that it is protected, distributed, stored, retained and under change control?
    • Have you determined the factors and metrics that need to be monitored and measured, when, by whom, the measures to be used, and come up with a schedule for evaluating these results?
    • Are the results of monitoring and measurement documented?
    • Are internal audits conducted periodically to check that the plan is effective and conforms to both ISO 2230 and the organization’s objectives?
    • Has the organization established a program for internal audits of the continuity plan? Are results of these audits reported to management, documented and retained in a timely manner?


  1. Planning, Crisis Management, and Recovery Strategies

    A risk and threat assessment should be conducted on your business as a whole to identify the risks that it will inevitably encounter and come up with preventive ways to control or mitigate them. This also determines the areas of operations and work processes that are critical to the functionality of your business. For these operations and processes, contingency and continuity plans must also be implemented to ensure that they can continue to run even during times of crisis or uncertainty.

    Recovery strategies should also be established based on this risk and threat assessment to determine the elements that need to be recovered and the timeframe they need to be recovered within. Make sure that all these findings are properly documented and stored and that regular scheduled testing and maintenance is conducted to ensure the viability of these plans.

    Here are some questions you can consider:
    • Has the documented information necessary for the effective implementation and operation of the plan been established?
    • Have the risks and opportunities that need to be addressed to ensure the plan can achieve its intended results been established?
    • Has the organization planned actions to address these risks and opportunities and integrated them into the system processes?
    • Have measurable business continuity objectives been established, documented and communicated throughout the organization with a plan to achieve them?
    • Are there documented plans and procedures in place for restoring business operations after an incident?
    • Do these procedures reflect the needs of those who will use them and contain all the essential information they need?
    • Do the plans define roles and responsibilities and a process for activating the response?
    • Do the plans consider the management of the immediate consequences of a disruption, in particular the welfare of individuals, options for response and further loss prevention?
    • Do the plans detail how to communicate with interested parties, including the media during the disruption and how to prioritize activities?


  1. Performance Evaluation
    As internal performance evaluations and audits tend to be more subjective, it is more effective to hire an external auditing service to review and evaluate the performance of your business continuity plan every two years. The results of these evaluations should be regularly documented and reviewed so that improvements can be put into place.

    If the audit is done internally, there should be processes set up to measure performance according to specific metrics, compliance regulations, and residual risks.

    In the event of a crisis or incident, post-incident review processes should also be in place so that findings and weaknesses identified can be used to further improve the continuity plan while addressing existing loopholes.

    Here are some questions you can consider:
    • Where weaknesses and loopholes are identified, has the organization established appropriate processes for managing these anomalies and the related corrective actions?
    • Do top management undertake regular and periodic reviews of the continuity plan?
    • Does the output from the management review identify changes and improvements?
    • Are the results of the management review documented, acted upon, and communicated to relevant parties?
    • Have actions to control, correct and deal with the consequences of weaknesses and loopholes been identified?


Looking to develop your own BCMS? TÜV Rheinland is here for you.

Our experts have extensive experience in the field of business continuity management. In just three steps, we determine the maturity of your business continuity, develop a shared procedure for its continuous improvement, and work with you to develop shared emergency strategies and plans:

  1. GAP analysis
    We analyse the existing aspects of your business continuity management system or IT emergency management system and its maturity level.
  1. Improvement planning
    Based on this analysis, we identify the measures needed to improve the maturity of your business continuity management system. We develop pragmatic approaches and measures that help you establish a suitable business continuity management system that evolves and improves over time.
  1. Implementation
    We work with you to implement the improvement plan and coach BCM officers how to implement and establish management tasks. This will give you the tools you need to handle a disaster or major incident, so you can act and react precisely and effectively in the event of an emergency.

The BCMS will be designed, implemented, and operated based on the standards ISO 22301 and ISO 27031.

In addition, our "survival mix – risk and business continuity management" offer can bring together various analyses of threats ensuring alignment of your BCMS with identified risks.

To learn more about BCM, make an appointment with our experts today.