The recent worldwide IT outage serves as a great reminder for schools to develop and maintain robust business continuity practices. This article assists schools by providing an overview of the structure and requirements for implementing and maintaining a business continuity management system (BCMS) in line with the Standard AS ISO 22301:2020 Security and resilience - Business continuity management systems – Requirements (Standard).

What is a BCMS?

Business continuity is the capability of an organisation to continue the delivery of products and services within acceptable time frames at predefined capacity during disruption.

As the Standard explains, a BCMS helps you develop business continuity appropriate to the amount and type of impact that your school may accept following a disruption. A BCMS contains policies, people, management processes and documented information.

What are some disruptions to business continuity?

The Standard defines disruptions as incidents, whether anticipated or unanticipated, that cause an unplanned, negative deviation from the expected delivery of products and services according to an organisation’s objectives.

While the CrowdStrike event certainly met this definition, every organisation can be impacted by disruption events such as natural disasters, pandemics, breakdowns in critical infrastructure and services, or chemical spills on property or adjacent properties – just to name just a few.

What are the benefits of implementing a BCMS?

The recent CrowdStrike outage is tipped to cost Australian businesses over a billion dollars and may impact them for weeks, according to one report. In NSW alone, damages are estimated to be around $200 million. Developing and maintaining a BCMS to help you identify and plan for disruption-related risks such as IT outages and natural disasters can help you improve your capability to remain effective and continue business operations during disruptions thereby reducing the costs of such disruptions.

Implementing a BCMS can also help you:

• demonstrate your dependability and good governance to internal and external stakeholders
• support the achievement of your operational and strategic objectives
• protect and enhance your reputation and credibility
• better understand your organisational processes, thereby revealing opportunities to improve efficiency, governance and treatment of other risks
• protect your customer base
• give you the confidence to accept further risk
• remain compliant with legislative or other obligations
• protect life, property and the environment
• support the proactive identification and control of risks impacting on your business continuity
• increase your organisational resilience.

In spite of these benefits, reports suggest that only one in four small businesses actually have a current business continuity plan.

How do you implement a BCMS?

The Standard applies the continuous improvement cycle of Plan, Do, Check and Act (PDCA) to implement, maintain and continually improve the effectiveness of an organisation’s BCMS.

The PDCA approach in the Standard is common to several other standards. It recognises that business continuity management is an active process that is responsive to a school’s changing legal and regulatory environment, operational profile and activities, objectives, stakeholder requirements, and the scope and context of the BCMS.

We provide a high-level summary below of what each stage of the PDCA cycle may involve.

1. Plan

• Developing a BCMS policy that includes the purpose and scope of the BCMS, and a commitment from the school’s governing body and management team to the implementation of an effective BCMS.
• Understanding your business context and operational profile.
• Deciding on what your key business continuity assumptions will be (for example, that key people will be available to perform recovery operations).
• Establishing a business continuity response team that will have access to critical information and resources.

2. Do

• Creating a business continuity risk register.
• Assessing business continuity risks based on the current level of preparedness.
• Completing a business impact analysis for those risks.
• Assigning training to staff that are involved in the implementation and operation of your BCMS.
• Taking a ’risk-based’ approach to prioritising strategies and solutions to business disruption risks by prioritising the most vulnerable critical infrastructure that is the least prepared.
• Developing pre-prepared business continuity response plans for disruption risk events to guide the response to the event and enable systems and operations to continue to operate within acceptable timeframes.

3. Check

• Testing the BCMS through drills and exercises, internal audits and management review. If you have never tested your business disruption systems, you are not prepared for disruptions.
• Reviewing the performance of your BCMS following an actual disruption event occurring.

4. Act

• Implementing changes to the BCMS following testing, checking and following an actual disruption event.
• Continuous improvement.

What should your school do?

The secret to successfully managing business disruptions is preparation, planning, and testing.

If you haven’t already, your school should ask: “What events might occur that would prevent us from maintaining our business-as-usual operations and achieving our objectives?”

Once you identify these events, you should develop a BCMS that:

• assesses the likelihood and consequences of those events
• determines the school’s level of preparedness and the preventative measures in place
• analyses the impact of these events on all aspects of your school
• develops the detailed plans that you will implement for specific disruption events
• undertakes training, testing and auditing to confirm that the BCMS and pre-prepared response plans work as intended.