
BCI ISO 22301 Benchmarking Report


A new report by the Business Continuity Institute, supported by certification body NQA, has shown that 6 out of 10 organizations adopt ISO 22301. Organizations with strong top management commitment to standardising business continuity practice are four times more likely to adopt ISO 22301 than those who do not.

There are many reasons why an organization would want to embrace ISO 22301. Most notably, it provides assurance of continued service, with 61% of respondents identifying this as a significant reason. By certifying to the Standard, organizations can provide reassurance to their stakeholders that, in the event of a crisis, they will still be able to function.

Read the full survey report for more information on the business benefits of ISO 22301.

Published in: Data & Analytics

  1. 1. Business Continuity Institute ISO 22301 BENCHMARKING SURVEY 2015
  2. 2. BCI Foreword

      This publication is the third report produced by the Business Continuity Institute looking at ISO 22301, the international standard for business continuity, which was launched in June 2012. Our first report appeared in May 2012, just ahead of the launch of the standard, as we considered its anticipated adoption and how this new standard could change the business continuity landscape. Our second report from June 2013 recorded the discussions of a Roundtable as senior practitioners and early adopters shared experiences and challenges faced in the first year after launch.

      This third report, sponsored by NQA, is based on a wider scale survey of BCI members and other continuity and resilience practitioners who have had the opportunity to consider, align to or adopt ISO 22301 for approaching three years. An excellent response from 560 organisations across 69 countries makes this a valuable reference document for those still considering their ISO 22301 journey.

      While 40% of respondents are, as yet, unclear on whether ISO 22301 is appropriate for their organisation, 60% are either compliant with (11%), aligned to (39%) or certified against (10%) the standard. Unsurprisingly, top management commitment within these organisations was measured at a much higher rate than within those organisations who have not yet considered introducing the standard. Aside from gaining top management support, other stumbling blocks include resource constraints (25%) and the complexity of implementation (19%).

      For those organisations which are certified against the standard the main benefits were cited as: assurance of continued services (61%); protecting reputation and brand (48%); reduced risk of business interruption (48%); greater resilience against disruption (45%); and quicker recovery from interruption (44%).

      A surprisingly high percentage of respondents (82%) were not seeking ISO 22301 alignment from their suppliers but, as this is still a relatively new standard, we would hope that this percentage will drop in future years.

      The BCI has been delighted to work with NQA on the production of this report which will add great value to the business continuity body of knowledge as the profession broadens and continues to mature.

      David James-Brown FBCI
      BCI Chairman
  3. 3. NQA Foreword NQA is really pleased to support the Business Continuity Institute in the publication of this research into the adoption of ISO 22301, the international standard for business continuity management systems. Naturally this subject is in NQA’s interest as we provide accredited certification for ISO 22301, but the subject of business continuity and the role of the ISO 22301 standard are of greater societal importance. We have all experienced disruption to our professional and private lives as a result of minor and sometimes major events beyond our control – from freak weather, internet downtime and late deliveries to accidents, terrorist activities and natural disasters. What if? That is the question. Is your organisation resilient enough to withstand disruption and can it recover quickly from serious downtime? For this reason it is vital that business continuity isn’t just seen as a specialist subject owned by continuity and resilience practitioners – it is a fundamental component of organisational resilience for commercial entities and sustainable public services. Senior managers must understand this perspective and it is research like this that provides the business case for investing in business continuity management systems. And more specifically aligning to, adopting and certifying to ISO 22301. Our clients have seen significant benefit of adopting ISO 22301 and taking the extra step to maintain third-party certification to the standard. They report greater resilience, agility and customer confidence. We are delighted with the response to this research and remain optimistic that the benefits of ISO 22301 will be realised by more organisations with each cycle of this report. Kevan Parker Head of NQA
  4. 4. CONTENTS
      Section 1: Executive Summary
      Section 2:
      • Introduction
      • How Organisations Approach ISO 22301
      • Drivers and Challenges behind ISO 22301 Certification
      • Validating BC Arrangements Using ISO 22301
      • Requesting ISO 22301 Certification from Suppliers
      Section 3: Conclusion and Recommendations
      Annex:
      • 1: Demographic Information
      • 2: Benchmarking ISO 22301
  6. 6. Section 1. EXECUTIVE SUMMARY
      Organisations with strong top management commitment are more than 4x as likely to adopt ISO 22301 in some form as the ones who exhibit little/no commitment at all.
      • 27% are strongly committed towards using ISO 22301
      • 560 respondents
      • 69 countries
      ISO 22301 Uptake:
      • Compliant: 11%
      • Certified: 10%
      • Aligned: 39%
      • None/Don’t know: 41%
  7. 7. Top Reasons For ISO 22301 Certification:
      • Assurance Of Continued Service: 61%
      • Protecting Reputation And Brand: 48%
      • Reduced Risk Of Business Interruption: 48%
      • Greater Resilience Against Disruption: 45%
      • Quicker Recovery From Interruption: 44%
      Challenges To ISO 22301 Certification:
      • Resource Constraints: 25%
      • Complexity of Implementation: 19%
      • Top Management Buy In: 18%
      Other findings:
      • 82% do not seek ISO 22301 certification from their suppliers
      • 21% report that ISO 22301 certification may not be appropriate to their business
      Validating ISO 22301 Certification:
      • Checking BC plans: 54%
      • Conducting internal audit: 51%
      • Desktop exercises: 47%
  9. 9. Section 2. INTRODUCTION
      Business continuity (BC) standards such as ISO 22301 promote good practice and are used as a starting point for building organisational resilience. The 2015 ISO 22301 Benchmarking Survey, produced in association with NQA, has the following aims:
      • Track the uptake of the standard
      • Identify drivers and challenges behind benchmarking
      • Examine how BC is validated in organisations
      This year’s survey ran for four weeks and has garnered 560 responses from 69 countries worldwide.

      How organisations approach ISO 22301
      An important part of determining the uptake of standards, an enabler of good practice, is top management commitment. The BCI Good Practice Guidelines and past Institute research affirm the importance of leadership in creating the right conditions for good practice leading to organisational resilience. Nonetheless, overall data suggests that many organisations struggle with this, with only just over a quarter (27%) reporting strong commitment towards ISO 22301 adoption. Figure 1 summarises the results.

      Figure 1. Question 6: What is top management commitment towards compliance, certification or alignment towards ISO 22301? In relation to ISO 22301, our top management is… (N=527)
      Top management commitment to ISO 22301:
      • Strongly Committed: 141 (27%)
      • Fairly Committed: 156 (30%)
      • Slightly Committed: 110 (21%)
      • Not At All Committed: 76 (14%)
      • Don’t Know: 44 (8%)
  10. 10. How organisations approach ISO 22301
      Six out of 10 organisations adopt ISO 22301 in various forms such as certification[1] (10%), compliance[2] (11%) and alignment[3] (39%). Segmenting the data according to top management commitment however reveals interesting results. Organisations with strong top management commitment to business continuity are four times more likely to adopt ISO 22301 in some form than the ones who exhibit little/no commitment at all. Certification against ISO 22301 seems to be most strongly related to top management commitment (Table 2).

      Figure 2. Question 7: Which of the following best describes your organisation’s approach to ISO 22301? (N=528)
      Approach to ISO 22301:
      • We Comply With ISO 22301: 58 (11%)
      • We Are Certified Against ISO 22301: 52 (10%)
      • We Are Aligned Against ISO 22301: 207 (39%)
      • None Of The Above: 176 (33%)
      • Don’t Know: 35 (7%)

      Footnotes:
      [1] Certification is being fully audited and issued a certificate of compliance to ISO 22301 by an accredited body.
      [2] Compliance is conforming to ISO 22301 requirements.
      [3] Alignment is developing an in-house approach consistent with elements of ISO 22301.
  11. 11. How organisations approach ISO 22301
      Table 2. Comparing ISO 22301 uptake with top management commitment levels
      Analysing ISO 22301 Uptake (columns: Strong Commitment / Some Commitment / Slight Commitment / No commitment or don’t know):
      • Certification against ISO 22301: 26% / 7% / 3% / 1%
      • Compliance with ISO 22301: 18% / 14% / 5% / 6%
      • Alignment with ISO 22301: 45% / 56% / 38% / 12%
      • No ISO 22301 or Don’t Know: 11% / 23% / 54% / 81%

      Large enterprises are more than twice as likely to align with ISO 22301 compared to small and medium sized enterprises or SMEs[4] (46% to 21%). Organisations in manufacturing (13%) report higher rates of ISO 22301 certification than the overall average (10%). Companies in Oceania (49%), the Middle East/North Africa (44%) and the United States (48%) report higher alignment rates than the survey average of 39%.

      Footnote:
      [4] SMEs are defined by EU law as organisations having ≤250 employees and annual turnover of ≤€50 million.
  12. 12. DRIVERS AND CHALLENGES BEHIND ISO 22301 CERTIFICATION
      Adopting ISO 22301 is seen as a good starting point towards building organisational resilience. Whilst standards on their own must not be seen as the be-all and end-all of resilience, they provide opportunities for organisations to reflect on their practices and check the robustness of their planning and response capabilities.

      Organisations identify several drivers behind ISO 22301 certification such as assurance of continued service to customers (61%), protecting reputation and brand (48%), the need to reduce risk of business interruption (48%) and greater resilience against disruption (45%). Figure 3 summarises the results.

      Figure 3. Question 8: If your BCMS is certified against ISO 22301, why did you acquire certification? (Multiple answers allowed, N=128)
      Drivers to ISO 22301 Certification:
      • Assurance of continued service to customers: 61%
      • Reduced risk of business interruption: 48%
      • Protecting reputation and brand: 48%
      • Greater resilience against disruption: 45%
      • Quicker recovery from business requirements: 44%
      • Facilitates customer due diligence and audit requirements: 36%
      • Getting new business: 29%
      • Legal compliance: 21%
      • Other: 19%
      • Competitors are certified against it: 14%
  13. 13. Organisations are aware of the challenges behind ISO 22301 certification. The survey examines these challenges and makes a distinction between organisations that have certified against the standard and those who have not. For organisations that have actually certified their BCMS against ISO 22301, a quarter of them report resource constraints as a main limitation. Respondents offer other factors such as:
      • Lack of national regulations which drive standards certification,
      • Lack of BCM awareness within the organisation,
      • Time required to demonstrate compliance on top of other audits and commitments.
      Figure 4 summarises these barriers to companies that have already certified their BCMS.

      Figure 4. Question 10: What are the main challenges of implementing a BCMS certified against ISO 22301? (N=191)
      Challenges to ISO 22301 Certification:
      • Appropriateness of standard to my business: 30 (16%)
      • Budget constraints: 26 (14%)
      • Complexity of implementation: 37 (19%)
      • Resource constraints: 47 (25%)
      • Top management buy in: 34 (18%)
      • Other: 17 (9%)
  14. 14. For organisations that have not certified their BCMS against ISO 22301, 21% report that certification may not be appropriate for their businesses. Others cite lack of top management commitment (13%), costs (12%) and perceived lack of benefits (12%). Organisations echo the same reasons (lack of compelling regulation, BCM awareness and time constraints in demonstrating compliance) in not wanting to certify against ISO 22301. Other factors worth noting are:
      • Industry sector (some government agencies are not required to certify BC plans against a standard);
      • Lack of alignment to corporate culture;
      • Certification against other standards creating too many reporting requirements.
      Figure 5 summarises the results for organisations who have not certified their BCMS.

      Figure 5. Question 12: If your BCMS is NOT certified against ISO 22301, what are the reasons? (N=421)
      Reasons for Lack of ISO 22301 Certification:
      • I plan to get certified in the near future: 89 (21%)
      • I am not familiar with ISO 22301: 32 (8%)
      • I can’t justify the cost of certification: 50 (12%)
      • I can’t see the benefit of certification: 49 (12%)
      • I can’t get commitment from top management: 56 (13%)
      • Certification may not be appropriate to my business: 88 (21%)
      • Other: 57 (13%)
  15. 15. VALIDATING BC ARRANGEMENTS USING ISO 22301
      Beyond certification, it is essential for organisations to validate the implementation of ISO 22301. Certification cannot be maintained if BC systems are not audited and tested. A majority of organisations recognise this with 70% conducting various forms of testing to check the robustness of their BC arrangements as certified by ISO 22301. The most common forms of validation of BC arrangements include checking BC plans (54%), internal audits (51%) and desktop exercises (47%). Nonetheless, almost a third of organisations (30%) do not validate ISO 22301 implementation at all. This is a worrying situation that must be tackled by identifying barriers to testing and addressing those. Figure 6 summarises how organisations validate their BC arrangements as certified against ISO 22301.

      Figure 6. Question 11: How have you validated the implementation of ISO 22301 within your organisation? (Multiple answers allowed, N=179)
      Validating ISO 22301 Certification:
      • Checking BC plans: 54%
      • Internal audit: 51%
      • Desktop exercises: 47%
      • Conducted tests/actual exercises: 44%
      • Checking BCM programmes: 40%
      • Observed exercises: 32%
      • We have not validated ISO 22301 implementation: 30%
      • Seeking credentials of those who run BCM programmes: 18%
  16. 16. REQUESTING ISO 22301 CERTIFICATION FROM SUPPLIERS
      Recent BCI studies suggest the increasing uptake of ISO 22301 in providing supplier assurance. The 2014 BCI Supply Chain Resilience Report indicates that 40% of organisations require certification to recognised standards which include ISO 22301 from their key suppliers. Comparisons with historic data also reveal the movement towards increased alignment with standards (38% from 2009-2013 compared to 45% in 2014).

      It is therefore surprising to note that in this survey, 82% of organisations do not request ISO 22301 certification from their suppliers (Figure 7). The study offers a reason behind this. ISO 22301 is a fairly new standard and many organisations have not yet transitioned to the standard as a requirement for assurance, much less adopted it themselves. Future studies may focus on tracking this particular metric as an indicator of the maturity of the standard.

      Figure 7. Question 13: Do you request ISO 22301 certification for your suppliers? (N=477)
      • No: 394 (82%)
      • Yes and Don’t Know: 40 (9%) and 43 (9%)
  17. 17. Requesting ISO 22301 certification from suppliers
      Organisations that request ISO 22301 certification for supplier assurance share different reasons for doing so. These largely mirror the drivers mentioned by organisations in adopting the standard themselves such as assurance of continued service (70%), greater resilience against disruption (48%) and protecting reputation and brand (42%). Organisations also note how ISO certification facilitates due diligence and audit requirements (36%). Figure 9 summarises the reasons for requesting ISO 22301 certification for supplier assurance.

      Figure 9. Question 14: What were your reasons for requesting ISO certification from your suppliers? (Multiple answers allowed, N=84)
      Reasons for Supplier ISO 22301 Certification:
      • Assurance of continued service: 70%
      • Greater resilience against disruption: 48%
      • Protecting reputation and brand: 42%
      • Facilitates due diligence and audit requirements: 36%
      • Requirement for rewarding new business: 21%
      • Legal compliance: 19%
      • Other: 17%
  19. 19. Section 3. CONCLUSION AND RECOMMENDATIONS
      Business continuity is a key component of organisational resilience and relevant standards such as ISO 22301 offer a good starting point in this regard. Benchmarking against standards provides opportunities to reflect on organisational practice, identify gaps in planning and implementation, and assess improvement. Approached in a holistic manner, standards benchmarking may help organisations build resilience.

      1. The survey underscores the need for leadership. It is clear from the survey results that top management commitment is an indicator of standards uptake. This is a challenge to BC practitioners to engage their top management in this regard. BC practitioners must articulate the value of standards benchmarking and certification, as well as relate it to the overall strategic goal of organisational resilience.

      2. Survey results affirm the relative complexity of standards benchmarking and certification, with organisations sharing the challenges behind adopting ISO 22301. Nonetheless, data also suggests possible benefits such as assuring continued service, mitigating the effects of business disruptions and protecting organisational reputation. Of course, it is worthwhile to note that benchmarking and certification do not in themselves guarantee these benefits. Benchmarking and certification are only the first steps towards building resilience and must be followed through by validation. The survey shows that most organisations appreciate this.

      3. Nonetheless, more needs to be done in encouraging other organisations to validate their BC capabilities after benchmarking and certification against standards such as ISO 22301. There is also a need to articulate the importance of the standard in supplier assurance which could play a part in enabling more resilient supply chains.

      4. The most encouraging findings involve the growing recognition of ISO 22301 in upholding BC good practice. Recent BCI research affirms this. A majority of organisations now report at least aligning themselves to the standard. Whilst universal uptake remains yet to be seen, the BCI identifies the state of standards benchmarking and certification as a key area of research interest and will track this in future studies.
  20. 20. Annex
  21. 21. Annex 1. DEMOGRAPHIC INFORMATION
      a. Functional Role of Respondents. Question 1: Which of the following describes your functional role? (N=557)
      b. Industry Sector. Question 3: Please indicate the primary activity of your organisation using the SIC 2007 categories given below. (N=557)
  22. 22. Annex
      c. Geographical Base
      d. Number of Employees. Question 4: How many employees work in your organisation? (N=557)
  23. 23. Annex
      e. Approximate Annual Revenues. Question 5: Please let us know the approximate annual revenues of your business. (N=557)
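  24. 24. Annex 2. BENCHMARKING ISO 22301 by region/country
      • Europe
        - Top management commitment towards ISO 22301: Strongly 24%, Fairly 29%, Slightly 21%, Not at all 15%
        - Approach to ISO 22301: Compliance 7%, Certification 10%, Alignment 36%, None 37%
        - Validation of ISO 22301 within organisation: 67%
        - Seeking ISO 22301 certification from suppliers: Yes 7%, No 85%, Don’t know 7%
      • North America
        - Top management commitment towards ISO 22301: Strongly 21%, Fairly 27%, Slightly 27%, Not at all 19%
        - Approach to ISO 22301: Compliance 14%, Certification 5%, Alignment 45%, None 34%
        - Validation of ISO 22301 within organisation: 62%
        - Seeking ISO 22301 certification from suppliers: Yes 7%, No 82%, Don’t know 10%
      • Asia
        - Top management commitment towards ISO 22301: Strongly 41%, Fairly 29%, Slightly 18%, Not at all 8%
        - Approach to ISO 22301: Compliance 16%, Certification 20%, Alignment 31%, None 24%
        - Validation of ISO 22301 within organisation: 71%
        - Seeking ISO 22301 certification from suppliers: Yes 31%, No 62%, Don’t know 7%
      • Oceania
        - Top management commitment towards ISO 22301: Strongly 18%, Fairly 39%, Slightly 18%, Not at all 18%
        - Approach to ISO 22301: Compliance 15%, Certification 0%, Alignment 49%, None 36%
        - Validation of ISO 22301 within organisation: 56%
        - Seeking ISO 22301 certification from suppliers: Yes 0%, No 84%, Don’t know 16%
      • Middle East & North Africa
        - Top management commitment towards ISO 22301: Strongly 34%, Fairly 28%, Slightly 22%, Not at all 9%
        - Approach to ISO 22301: Compliance 19%, Certification 3%, Alignment 44%, None 34%
        - Validation of ISO 22301 within organisation: 82%
        - Seeking ISO 22301 certification from suppliers: Yes 11%, No 81%, Don’t know 7%
      • Central & Latin America
        - Top management commitment towards ISO 22301: Strongly 25%, Fairly 31%, Slightly 25%, Not at all 19%
        - Approach to ISO 22301: Compliance 19%, Certification 6%, Alignment 44%, None 31%
        - Validation of ISO 22301 within organisation: 78%
        - Seeking ISO 22301 certification from suppliers: Yes 15%, No 77%, Don’t know 8%
      • Sub-Saharan Africa
        - Top management commitment towards ISO 22301: Strongly 60%, Fairly 27%, Slightly 13%, Not at all 0%
        - Approach to ISO 22301: Compliance 0%, Certification 27%, Alignment 67%, None 7%
        - Validation of ISO 22301 within organisation: 88%
        - Seeking ISO 22301 certification from suppliers: Yes 8%, No 83%, Don’t know 8%
      • UK
        - Top management commitment towards ISO 22301: Strongly 24%, Fairly 31%, Slightly 16%, Not at all 16%
        - Approach to ISO 22301: Compliance 6%, Certification 13%, Alignment 34%, None 36%
        - Validation of ISO 22301 within organisation: 66%
        - Seeking ISO 22301 certification from suppliers: Yes 8%, No 85%, Don’t know 7%
      • Australia
        - Top management commitment towards ISO 22301: Strongly 17%, Fairly 41%, Slightly 17%, Not at all 17%
        - Approach to ISO 22301: Compliance 20%, Certification 0%, Alignment 40%, None 40%
        - Validation of ISO 22301 within organisation: 57%
        - Seeking ISO 22301 certification from suppliers: Yes 0%, No 79%, Don’t know 21%
      • United States
        - Top management commitment towards ISO 22301: Strongly 23%, Fairly 32%, Slightly 26%, Not at all 16%
        - Approach to ISO 22301: Compliance 14%, Certification 7%, Alignment 47%, None 32%
        - Validation of ISO 22301 within organisation: 68%
        - Seeking ISO 22301 certification from suppliers: Yes 9%, No 77%, Don’t know 13%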
  25. 25. Annex 2. BENCHMARKING ISO 22301 by Industry Sector
      • Financial & Insurance
        - Top management commitment towards ISO 22301: Strongly 28%, Fairly 31%, Slightly 16%, Not at all 12%
        - Approach to ISO 22301: Compliance 10%, Certification 8%, Alignment 48%, None 28%
        - Validation of ISO 22301 within organisation: 77%
        - Seeking ISO 22301 certification from suppliers: Yes 6%, No 86%, Don’t know 8%
      • Health & Social Care
        - Top management commitment towards ISO 22301: Strongly 9%, Fairly 35%, Slightly 26%, Not at all 24%
        - Approach to ISO 22301: Compliance 24%, Certification 0%, Alignment 44%, None 32%
        - Validation of ISO 22301 within organisation: 50%
        - Seeking ISO 22301 certification from suppliers: Yes 13%, No 73%, Don’t know 13%
      • Public Admin & Defence
        - Top management commitment towards ISO 22301: Strongly 22%, Fairly 42%, Slightly 16%, Not at all 13%
        - Approach to ISO 22301: Compliance 16%, Certification 2%, Alignment 53%, None 22%
        - Validation of ISO 22301 within organisation: 82%
        - Seeking ISO 22301 certification from suppliers: Yes 9%, No 82%, Don’t know 9%
      • Manufacturing
        - Top management commitment towards ISO 22301: Strongly 13%, Fairly 13%, Slightly 27%, Not at all 22%
        - Approach to ISO 22301: Compliance 0%, Certification 13%, Alignment 16%, None 53%
        - Validation of ISO 22301 within organisation: 56%
        - Seeking ISO 22301 certification from suppliers: Yes 2%, No 91%, Don’t know 7%
  26. 26. Acknowledgements
      The BCI wishes to thank NQA for sponsoring this research. The authors would also like to acknowledge the efforts of Andrew Scott CBCI during the fieldwork of this survey.

      About the Author
      Patrick Alcantara is a Research Associate for the Business Continuity Institute (BCI). In this role, he manages the delivery of the Institute’s research program that focuses on global thought leadership and commercial research. His work on business continuity and resilience topics has been featured in several publications. Prior to the BCI, he has worked in the education and lifelong learning sectors. He completed a Masters in Lifelong Learning with distinction from the Institute of Education (University College London) and Deusto University under an Erasmus Mundus grant. He can be contacted at

      Elliot Brooks is a Research Assistant for the Business Continuity Institute (BCI). He is finishing a degree in Disaster Management & Emergency Planning at Coventry University. His previous research work includes the 2014 BCI reports on emergency communications and supply chain resilience. He can be contacted at
  27. 27. About the BCI
      The Business Continuity Institute (BCI) is the world’s leading institute for Business Continuity. Established in 1994, the BCI has established itself as the leading membership and certifying organisation for Business Continuity (BC) professionals worldwide. The BCI offers a wide range of resources for business professionals concerned with raising levels of resilience within their organisation or considering a career in business continuity. With circa 8,000 members in more than 100 countries worldwide, working in an estimated 3,000 organisations in private, public and third sectors, the BCI truly is the world’s leading institute for business continuity. The BCI stands for excellence in the business continuity profession and its Certified grades provide assurance of technical and professional competency in BC.

      Contact the BCI
      Andrew Scott, Senior Communications Manager
      10-11 Southview Park, Marsack Street, Caversham RG4 5AF, United Kingdom
      +44 (0) 118 947 8215

      About NQA
      NQA is a leading assessment, verification and certification body and works in partnership with a wide range of businesses, government departments and charitable organisations to help improve performance in quality, environment, health & safety and business continuity management. NQA holds accreditation from UKAS and ANAB (the respective national accreditation bodies of the UK and USA) and has one of the widest scopes of accreditation, including quality, environmental, information security and business continuity management systems. In addition, there are a number of sector specific schemes covering suppliers to the automotive and aerospace industries. NQA has issued around 33,000 certificates of registration in 70 countries.

      Contact NQA
      Kevan Parker, Head of NQA
      Warwick House, Houghton Hall Park, Houghton Regis, Dunstable LU5 5ZX, United Kingdom
      +44 08000 522424