Can you tell us about your involvement in the standardization and how it all started?
It is a nice coincidence that I actually started being involved in ISO/TC 223 Societal security (later merged into ISO/TC 292) twelve years ago. While there were the BCI's Good Practice Guidelines and a couple of national standards as lighthouses in a sea of uncertainty about business continuity approaches, there was indeed no International standard on business continuity. Located in Switzerland at the time, in my daily crusades for business continuity, I was asked about a national or International standard. There was none. Customers asked: why should we adhere to a British standard - that's nothing for us?
In the meantime, the German Federal Office for Information Security developed a BCM standard, a development I was involved in, too. At least this was a standard in the German language, but still foreign, and it did not carry an international reputation. Through my antennas I learned about a group of people in an ISO technical committee working on an international BCM standard...
I enrolled with the Swiss member body of ISO and started receiving information about these developments. Finally I packed my suitcase and attended a first work group meeting. What I found was an enthusiastic, cooperative and focused group of experts who seemed to have the same objective as me. Hard standardization work with all the associated ups and downs followed, and after the lengthy ISO commenting and voting process, we were able to produce the world's first International standard on BCM. To be more precise: it was an ISO management system standard for BCM, a BCMS. As the flagship standard of the committee it received the number 01: ISO 22301:2012.
Back when you started working on standards in ISO/TC 223, we only had national standards on BCM. In your opinion, have the ISO 22301 series made a difference and how?
Yes, the situation changed completely. Today, we as a work group offer a comprehensive and growing portfolio of BCM-related standards. Sometimes we even ask ourselves if we still need more auxiliary standards around ISO 22301. No, earnestly, if and when a task group of our work group starts working on a new standard, we feel pretty sure about its necessity and value to the users. We not only see a horizontal expansion of the product range, but also an adoption of major standards of this committee by regional standardization bodies. For example, ISO 22301, both in its initial release of 2012 and its revised version of 2019, has been adopted as a European Standard (EN) and therefore also by all EU member states. As such, we have achieved our goal of developing "national" BCM standards, for example in Germany, Switzerland, Austria and other countries. I put "national" in quotation marks, because these standards, as seen from a national perspective, are local, while, from a global perspective, they are identical.
What would be your advice to people and organisations that are just starting out in BCM? How can they make the work effective?
The great achievement in standardization for BCM in the last decade certainly is the availability of proven approaches and best practices. So my advice, please, by all means: don't reinvent the wheel by creating bespoke approaches to implement BCM or by implementing only certain components of a proven approach, but follow the standards. For example, if customers ask me to write a business continuity plan (out of thin air) I keep responding to them that this is not possible if there is no business impact analysis, no risk assessment, no business continuity strategy, and so on. You just cannot build a house or a roof on top of it if there is no foundation or basement. The main necessity when embarking on a BCM approach is to obtain top management commitment (each and every standard will tell you so). Get a motivated and well-trained project manager, get your copy of ISO 22301 and get started. That's it in a nutshell. It remains to be noted that there is no obligation, when implementing BCM for the first time, to fully comply with every dot and comma of ISO 22301.
Standardization never stops and more standards will be developed by ISO/TC 292. What do you think will be the new areas to look into and what can we do better?
The number of work groups of ISO/TC 292 has grown from originally five or six WGs to more than 10, and counting. As my focus was and is WG2 (Continuity and resilience) I have some difficulties following the proliferation of new work groups. The increasing number of work groups reflects the name of ISO/TC 292, Security and resilience. Anyone can imagine that this is a very wide field of activities, and promoters of NWIPs (New Work Item Proposals) just feel the need and necessity to propose standardization work on a certain topic. Since its inception in 1946, ISO has developed more than 23,000 standards - for me this is a mirror of today's complex society. ISO/TC 292 is an amalgamation of working groups from diverse areas; it was a pragmatic solution when founded over 5 years ago. Maybe, in the not too distant future, ISO management may have to think about a new configuration for the ever-growing number of work groups.
For WG2, I think we have to put our heads together on an approach to organizational resilience. While ISO 22316:2017 Security and resilience - Organizational resilience - Principles and attributes was a first landmark standard on the topic, I think that WG2 (maybe in conjunction with other experts) should proceed in order to develop a more comprehensive approach to organizational resilience. I think we should try to propose methods to set up a maturity model for organizational resilience.
After many years in standardization, what would you say are the benefits of being part of ISO and being involved in standardization?
I have been in Business Continuity for over 25 years now. As you never stop learning, for me participating in the ISO standardization process is always a privilege and an excellent opportunity to learn from the group of people you are part of. It's just great to realize that they have similar challenges and refreshing approaches to challenges. Their arguments and ideas provide great insights into complex matters, and putting these great ideas into words and paragraphs by a dozen or so dedicated people is a fantastic experience. My native English-speaking colleagues unwittingly often try to create perfectly word-minced ultra-long sentences. Then it's my "job" to stop them, telling them that these sentences probably cannot be translated or understood by people whose first language is not English. We break it down into short sentences, and all group members agree that we arrived at a better wording.
During the Corona-induced lockdown I was asked by ASI (Austrian Standards International) to write the book on BCM. As such a project has been on my bucket list for many years, I agreed and tried to put down on paper everything I know about BCM. As the national standards bodies and ISO generate income by selling standards, I focused on the Austrian "version" of EN ISO 22301:2020. Note the quotes: identical with ISO 22301:2019, but translated into German. Of course, I greatly benefited from being a member of WG2, and I tried to put the spirit of WG2 into the book. The German-language edition was published late in July 2020 (there are not so many books on BCM in the German language), and I'm planning to produce an English-language version within the next couple of weeks. The German-language edition is available in print or e-book format here; the English-language version will be available as an e-book only.