Podcast: It's time to adopt Business Continuity Standard ISO 22301
RiskACUMEN podcast: Episode 9 transcript
Johnny Thomson 00:01
Hello everyone and welcome to the RiskACUMEN podcast, which offers thoughtful insight around risk management. According to the latest BCI Horizon Scan report, there's been a significant increase recently in the number of organisations seeking to align with the business continuity management standard, ISO 22301. In many ways, this isn't surprising, as we've all seen over the past two years that events really can lead to significant disruption. My guest today, Colin Crone, who is Director at IT Konstruct, is an implementer and auditor for ISO 22301, and we're going to be talking about the business continuity standard today, its benefits, some of the barriers to implementation, as well as a few of the current hot topics around resilience. Hi, Colin, thanks for joining me.
Colin Crone 01:01
Hi Johnny. How are you?
Johnny Thomson 01:02
Yeah, I'm great thanks, you?
Colin Crone 01:04
Yeah, not bad thank you.
Johnny Thomson 01:05
Good, good, good. Okay. So before we get on to the ISO standard, tell me a bit about your background and the work you do not only with IT Konstruct, but also the International Standards Organisation and BSI as well, of course.
Colin Crone 01:20
So we'll start from home, being my company IT Konstruct. We set up frameworks and ISO standards, frameworks for our clients. 22301 is a big one, 27001 is another one, and 9001 is probably the third. We like to think of ourselves as people in the resilience business to help companies go and keep on going, but you know, producing what's best for them and working not in a disruptive way, but making sure that whatever systems they implement work with them. My work with BSI, I am an associate partner with them. So I get involved in some projects with them, but also, more importantly, I'm an expert on both... unfortunately, it's not the disaster recovery 22301, but I'm on cybersecurity and AI standards. We get together and we help get sort of the language of a standard to be universally understood.
Johnny Thomson 02:24
I'm really biting my lip here, Colin, because AI, I think, would be a fascinating conversation as well. But if we get started on that, we may find ourselves 20 to 25 minutes in and don't have time to talk about the business continuity standard.
Colin Crone 02:38
Yeah, true. No, I agree it is a fascinating area. But maybe you can call me back and we can talk about the risks of AI and so on. A little bit involved in that, but that is another subject. It's a very big subject and it's fascinating and I'm having very interesting conversations over the last couple of years.
Johnny Thomson 02:56
Another question I'd like to ask is, what's your motivation Colin? Why are you into standards and helping organisations to comply with them?
Colin Crone 03:05
My interest in standards sort of goes back to my IT career, as a head of sort of various companies, head of IT for various companies. And I sort of valued having something that was already done before me, I didn't have to reinvent the wheel. And that sort of grew me and when I started working independently and developing my own company and concepts I was always following standards that would help other people understand what I was doing. And with that belief, and also these standards are worked out, these frameworks are worked out to be the best, there's no ambiguity about them. They're quite, the language is simple, as simple as that can be, universally understood. And so when you see a mark like ISO 27001 or 22301, other customers, hopefully customers or suppliers or whoever would see that, recognise you as an organisation that takes your, your infrastructure, your whole side of things seriously. And I think being part of that sort of setup to me is quite fulfilling and brings a lot to me, you know, at the end of each project, they've got it and it works for them.
Johnny Thomson 04:22
So it's good for people to have that framework so that they can improve, in essence, yeah?
Colin Crone 04:28
Yes, the whole point of ISO standards, especially in, well in everything, is the continuous improvement. That's why you have it audited, that's why you have review sessions which are embedded in it. So that means that when you look at it, you can say how can I do this better, even if it works, it's how can this work better for us?
Johnny Thomson 04:48
Okay, so ISO 22301. I have to keep concentrating, Colin, to make sure that I say that correctly. Is it two two three oh one, you know, or is it twenty-two thousand three hundred and one? And I know it varies between the different ISOs. So apologies if at any point in this I get it wrong, but what does it cover, Colin?
Colin Crone 05:09
What it does, and keep in mind that all standards are built for a company of any size and any kind of sophistication. So there are guidelines on how to create a disaster recovery stroke business continuity framework system that works for your company. That's, that's kind of the mission. And through that it considers, it guides us to get leadership involved, to have common language involved, to organise people who are competent at their work, to make sure that they are there. To have even the finances organised, make sure... one thing that probably isn't considered, because I do have conversations with people and they say, oh, and I would ask, so how can you pay for this and they go: "Well, I've got a credit card" and you think well what happens if you have a big purchase that month, and your credit card's maxed out and you need a couple of laptops because their building's been broken into, or there's something, you can't get into the office, but you need a technology that's in there. And sure, you can get it delivered next day and get it going, or even in a couple of hours, but you still need the funding, the money to pay for that. You know, that's a little example, but it goes up and up and up. So there's always a need to have some sort of contingency for budgeting, for finance, for the possibility of something like this going wrong. Doesn't have to be actually money in the bank, it could just be a credit, a line of credit or insurance or something like that.
Johnny Thomson 06:38
So yeah, so in essence, it's about being prepared, and having some kind of plan?
Colin Crone 06:44
Exactly. And not only being, well part of being prepared and having the plans is actually rehearsing it. You don't have to go through a full-scale lockdown, or you know, lock everyone out of the office. You can do desktop scenario planning, which I highly recommend. The NCSC, which is the National Cyber Security Centre, has an 'Exercise in a box' series of potential disasters. So there could be small malware, well I say small, there could be malware attacks, and they have a plan, build up the whole background story, then you act it out and see how you do and then have like a summary at the end. It's like doing an exam really, they have the marks point system. And as long as you read the notes before, and you have a plan, you should get through it fine. But then hopefully, and this is what you really want to see, is where it went wrong. If it didn't go wrong somewhere, that's amazing, but mmmm you know, you have to question is that actually right. But hopefully, you'll see what the flaws in your plan are and then you can sort of go back and fix it. And that's yeah, if you just go to the NCSC website and search for 'Exercise in a box', that's where you'll find a whole series of them.
Johnny Thomson
Great. You mentioned malware there and I don't want to get into detail, but I'm interested to know from your perspective, what you see currently as the big issues and the emerging threats, Colin, around resilience and continuity.
Colin Crone
Well, I think it is a massive threat, malware. And that's again, that's quite a big area in the ISO 27001 standard. And it's a real possibility as well. We've seen, I mean okay, it was the NHS I think, was back in 2013, something like that, got a massive infection and they were out of action for quite a while and a lot of information was lost, a lot of patients' information stolen, and so on. So they learned from that, they've got a very strong, robust security system up and operating now.
So that's a bad way of learning from it maybe, but we know what the problems were. And they review that, and also the recovery wasn't very good either, they hadn't really considered it as a possibility. So malware is always a possibility and there are simple things to help you, like continuous backup, get a good backup set up and just have good IT support, people that can jump to it if they need and sort out your computers for you.
Johnny Thomson 09:17
Okay, so going back to the standard, why should organisations align their processes and their procedures to the ISO standard? What for you are the other key benefits Colin?
Colin Crone 09:28
It's universal. So if you need someone to help you with it, they will understand pretty much everything that needs to be understood about your plan. It's tried and tested. It's been revised a number of times. I can't remember what number we're on now, but 2019 I think is the latest, and again ISO themselves go through that continual improvement. They review and they work on these, a body of experts from around the world, so the language is simple. And the message is well thought out and hopefully, this is what we always hope, that it's doable. It's scalable. So if you're a large organisation, it works for you; if you're just two people or one person, it's actually surprisingly applicable to a small group like that, or small business. And it's just a good standard. It's just a good way, it covers all the bases really.
Johnny Thomson 10:27
And it's demonstrable as well isn't it from that perspective, the fact that it's universal, because anyone can say yes, I've got a business continuity plan, that doesn't answer the question, is it any good?
Colin Crone 10:41
Well, yes, and I think I'm beginning to find a lot more insurance companies are asking their clients, especially high-risk companies, and so on, about their business continuity, even though the company's comfortable with their own business continuity plan. But insurance companies are asking, could you, you know, have it aligned at least, or comply with 22301? Because then they understand, the insurance company will understand that you're doing what you're doing, and you're doing the right thing. So there's that external kind of influence of having to have the standard or having to comply with it. But then it means that as a financial reward, your premiums get, well you get insured for starters, and your premium should be a little bit less because you're demonstrating your competence and your ability to sort of recover from potential disasters.
Johnny Thomson 11:35
Yep. And there's also your point in the supply chain, isn't there? If you're a supplier to somebody and you're essential to their continuity it's highly reassuring for them, isn't it, that you're also compliant with a standard?
Colin Crone 11:50
Yes, that's so important, especially now in this culture of just-in-time supply. I was told the other day, and this is a Ukrainian thing, that Porsche really wants to release a range of EV cars and certain components, they're small, but the connectors for the wiring are all manufactured in Ukraine. So because of the war, they've had to stop. That's not quite a disaster we want to encounter, although maybe it's not quite relevant. But the point is that it's so easy to stop a whole supply from small components that you're dependent on from one organisation, from one company. But yes, you're right, companies like to see that you're resilient, that you're taking on your security, you're taking on your quality, and you're taking on, very importantly, your disaster recovery plans.
Johnny Thomson 12:41
What resources are out there to help meet the business continuity management standard?
Colin Crone 12:48
Well, buy the, it's only one hundred and something pounds, £150, £160. Buy the standard, that's a start. Don't be overwhelmed. There's a lot of words in it, it's true. And the language can be, it can be a bit different from what you're used to. But it actually makes sense when you read it. And then you sort of start applying it from a business point of view. If you can afford to, either train someone within the business to implement, and it can be a one-week course somewhere or it could be even a correspondence course, something like that. But if you can have them qualified, and trained up so that they understand what the business involves, and how to apply this. But especially if you want to go for certification, that's something that the auditors like to see, that there is competence within the organisation. Failing that, then, if you can afford to use a consultant, use a consultant on a part-time basis, and they can take on a lot of the, you know, they can be the expert, the doer, and also the teacher, the learner, they'll teach everyone else around them how to do what they have to do. There are sort of like practical tools. There are, I mean, from a technology point of view, there are plenty of tools out there to help you with it. And also insurance. I think insurance is a very important thing. You know we talk about how you deal with risk. I think the most important thing in everything we do now is to sort of understand what your risk is, and also understand how you're going to deal with it. And insurance is one way of actually, you know, passing that responsibility on to someone else. So it helps.
Johnny Thomson 14:26
Yeah, and there may well be resources within your insurance provider and so on who...
Colin Crone 14:32
Sometimes conditional. Yeah. I mean, okay, just to sort of extend the point. The thing about cloud computing, it takes a lot of... this is more of a data aspect of it, it takes a lot of that responsibility away from your company to look after the data. And to look after the infrastructure as well, because then instead of having one or two guys fixing everything and doing it, and you will get a very good service that way. You have thousands of technical experts who will look after your email or look after your storage online if you're using the bigger names like Azure or Google Cloud or AWS. So that actually takes, and they have their own disaster recovery plans on board. Yeah and also, over the last two and a half years, COVID, well two years, COVID has meant that people are working from home. Well, that was a huge disaster, but because of the adoption of cloud, and over the COVID period that increased adoption of cloud meant that flexibility was in, so business could carry on as normal.
Johnny Thomson 15:35
And that's the important thing about continual learning that you mentioned earlier as well, because the landscape changes, therefore your plan, and everything around that as well, will have to continually evolve and change as well.
Colin Crone 15:48
That's right, yeah, as you say, you've got to keep your eye on the ball. And make sure that your company, your company changes, it's not just external elements, your internal elements of your business, you expand, you reduce the size, you relocate. All these things have to be taken into consideration. So whenever you do, you know, anything that happens, you take it on board, you just think about it and deal with it.
Johnny Thomson 16:13
And having that broad framework to step back into is really useful, isn't it? Because it brings you back to something that's fairly easy to follow, I guess.
Colin Crone 16:22
That's right. If you think of it as being, it's modular, in a way, it all folds into each other. The idea that if your circumstances change, you're going to adapt different parts of the whole framework to fit, rather than changing the whole framework, you know, it's just, you move location, or you work from home, you change, everyone's going to work from home, then you change the, you know, that element of the plan that actually would be affected by that. And then awareness. Actually, one of the things that I should have mentioned, that I really wish I had mentioned earlier, is that there's a focus on awareness, of telling people what to do. So a really, really important element of it. So if something goes wrong, they know who to phone or they know what the sort of procedure is to, you know you get malware, well exactly what do you do? You know, if you feel like you've, you know, if your computer's been stolen, even, or the building's not open anymore, do you have an emergency number to call, or in the more sort of front end of things, maybe something's happened that you are the point of contact for the emergency services? So another thing also is your press release. If you're a company with a slight profile, you want to make sure that everyone is reading from the same page. So you have your press release, and so you know what to communicate out there. And that is reassuring for any of your customers, so that they know there's a coherent plan, the steady message that's reassuring. It's actually really reassuring and helps a lot.
Johnny Thomson 17:53
Yeah. And great to have something that you can turn to when a crisis hits, that's already pre prepared, rather than having to develop that thing at the moment of crisis when there's too many things to handle already, yeah?
Colin Crone 18:06
I totally agree. I think one of the things I have contributed to is probably a few extra hours' sleep for some executives, that they don't have to worry about what happens if, you know, they've got other problems they can stay awake over, but this is one less thing for them to stay awake over.
Johnny Thomson 18:21
Fantastic. Now, I mentioned in the intro that there's been increased take-up of the standard recently, which is great news, but why do you think some organisations still won't go down this route?
Colin Crone 18:33
Well, one of the major... yeah, I think one of the major issues for a lot of organisations is that they get overwhelmed by the idea of implementing a standard, any standard. 22301 is not the biggest, but they'll feel like it'll interfere with the business and cost a lot of money. And there is definitely a need for resources. It doesn't have to be, you can fit it to work with you. I think probably the most important thing is having the time for it. But you know, the whole element of this is trying not to overwhelm the business and to not just be totally focused on getting the certification. And quite often when you talk to the certification bodies, they will give you a year or two years, whatever, there's no rush for that to happen. And also, whenever you do get your certification, I wouldn't say you get away with a lot, but I think there's a lot, you have got a lot of space. You have to tick the boxes, you have to make sure you follow, you have at least a baseline of what the standard is. But then you know, your annual audits will go and then it will recommend things and it will steadily help you improve as well as you go along. So the idea is yeah, you don't want to spend all your time doing it, you want to spend some time doing it. But you've got to make sure that it doesn't interrupt your business either. And I think most people are frightened that it will take away from their business time. The resources needed for it?
Johnny Thomson 20:02
Yeah, and I guess there's other fears around it, the fact that it feels like a test. And that tests always feel like they could have negative consequences. But I guess with a standard, it's always positive outcomes, because the reason behind the test is to just establish where you're at. And then where you therefore need to move to beyond your, your current position, yeah?
Colin Crone 20:24
I totally agree it is. I do think the metaphor of a test is actually quite interesting, because you need to study for a test. So you do need to work at it to make sure that you are applying what the standard says, and you're reviewing it, and you're making sure the message has been... everyone is aware, because one of the things people will be, I would hope, one of the things with a test is how aware the organisation as a whole is of what they have to do, and when they have to do it, and so on. So if you do nothing, you're going to be... well you would never, it would be very hard to fail the test, but you'd be told to sort it out. I think it's a, through nonconformities, of a minor. Or if you have a major nonconformity, which is quite serious, but then that keeps you on your toes, you've got to think of it that way. It's a case of, if you're serious about this, it will keep you on your toes and make sure that you are ready for anything that could come at you.
Johnny Thomson 21:19
So I guess any of us who are interested in managing risks should be seeking to influence our colleagues and even other organisations to meet the standard, especially following recent events. So a bit of a summing up, Colin, in a way, give me a bit of a sell on ISO 22301. Sum up basically what we've just gone through. Try and convince me and anyone listening to adopt this, and to help anyone listening to pass on that message to others as well.
Colin Crone 21:50
Sure. Okay. So there's a lot of myths around implementing standards. Again, as I said just now, that it takes a lot of business time, it doesn't have to, if you plan it correctly, it could be a couple of hours a week, to implement something like this, of someone's time. You would hope it's not an IT project, it's a business project, which is really important. It's universally understood. It's globally understood, I should say, if you have it, people know what you have, which in turn is a great marketing ploy. Any ISO standard is a great marketing thing to have. I think one of the most common ones is 9001 and a lot of, where if you want to work with government departments, and even a lot of private departments, they insist on that standard, and I'm finding there's a creep for disaster recovery, it's exactly the same, and cybersecurity, they want you to have those standards implemented. Because it means that, it saves them having to audit you. And it saves you having to be audited by them. Because I don't know if you've ever filled in any of these disaster, these sort of cybersecurity type forms because you haven't got 27k, or the disaster recovery form because you haven't got 22301. It takes a long time. And you have to do really well. If you have the certificate, it really is a big sort of gold star beside your company name, and it will help you get up the list if you're bidding, actively bidding for work. And the cost of it, it shouldn't cost that much. It depends. But the certification process is made in a way that it'll fit with your business size. You know, sort of your small business, you can have two people that have a one-day audit, you just pay for one day, for an auditor. If you're a large business, then it sort of relates. If you've over fifty, over 200 people, that could be a four-day audit, and so on. So it's... don't quote me on that, I have to say, but I know it does go up over certain bandings, the length of the audits, but it has to be like that because the larger you are the more sophisticated your work is. And also lastly, it's like the executive, as well as the operative, will understand, have a clearer idea of what's expected in general. It just clears the vision and that means there's no misconception. If it's, you know, it's crystal clear what has to be done and how it has to be done.
Johnny Thomson 24:11
Wonderful. Any other messages you'd like to get across to our audience of risk managers, as well as insurers and insurance brokers?
Colin Crone 24:20
I think encouraging your, if you're a broker, encouraging your clients to adopt at least the practice and not go as far as getting certified, and proving that you have that, and that's proven through documentation. I think that's really a step in the right direction, if you can do that. I think the problem is making sure that they're doing it rather than sort of ticking boxes or anything like that. But if you can do that, I think that will save you, as if you're measuring risk and also, the business impact and also risk analysis are so important within the standard. It helps you probably if you're trying to understand the sort of risk element of a business, it helps you understand what their risks are. There's a kind of osmosis of information going around, probably saves you or saves, even the executive, makes sure that they understand what risks they're doing. And you know, if they do it as a kind of implied or built into anything they do is, okay, so we're going to do this process, we're gonna do this, what's the risk, and also what comes of risk is also opportunities. People don't realise that, so by, you know, the risk of the sort of the spending of the resources with your disaster recovery, and finding that you have got a problem somewhere, you might find that the solution of the problem actually has an actual very positive impact on the business. It could be working from home, you might discover using cloud computer infrastructure works a lot better, because then you can reduce the size of your premises and save some operational costs there, and so on. So it just helps you understand and helps other businesses, parts of your business, understand each other as well.
Johnny Thomson 26:03
Brilliant, great stuff. Colin, thank you so much for your insight today.
Johnny Thomson 26:09
And it's been an absolute pleasure talking to you. If people want to find out more about the services and so on you offer, where should they go, presumably to a website, Colin? Nobody likes their own website these days.
Colin Crone 26:19
Yeah. I would love to say come to my website. But it's not working very well at the minute. But I think if you, I think if you start at BSI, for example, they've got a huge, I'm not, there are others there, that's the biggest. They've got a large, they're a large resource, follow them on LinkedIn. You don't have to use them but just for their information that they turn out, they are the kind of the British Standard holders for the UK, so they know everything that's going on. Standards don't just come in for disaster recovery, all this sort of bad stuff. They're also there for manufacturing, for building, for health. I think there's a new standard for mental health as well coming out to help people. So I mean, these are all things that they're not to be sold to you, they're there to help your business, help your organisation. And so that, I think that's a really big resource. There are plenty of other companies out there that will have information for you. I'd like to say come to IT, sorry konstruct.net website. It is sort of running. I've been quite sort of marketing wise, quite embarrassed, but it is... I don't think it loads up now. I just haven't done anything with it. But again...
Johnny Thomson 27:37
Can I just say to everyone, it's not as bad as Colin's making it out, and it's konstruct.net yeah, with a K.
Colin Crone 27:45
With a K yeah thanks. That's my disaster, okay.
Johnny Thomson 27:49
Everyone else's is better than mine, yeah.
Colin Crone 27:51
Yeah. It's the greener fields syndrome.
Johnny Thomson 27:54
Yeah, exactly. Brilliant Colin, thank you once again for your time. Really enjoyed chatting.
Colin Crone 27:59
Cheers. Thanks, Johnny.
Johnny Thomson 28:00
And that's all for this episode of the RiskACUMEN podcast. If you have any questions or comments around the topic we've been discussing today, or any of our other risk-related content, please head to our LinkedIn page. You can find a link to that at riskacumen.co.uk. Thanks again, Colin, and to everyone listening in. And until the next time, goodbye for now.