"11 PM (...) The man who took over command of the control room was a Bengali Hindu named Suman Dey. Twenty-six years old, with a degree in science from the University of California, he was both competent and respected. The seventy-five dials lit up in front of him made up the factory’s control panel. Every needle, every luminous indicator supplied information, showed the state of activity in each section, signaled an eventual anomaly. Temperatures, pressures, levels, outputs—in his capacity as officer of the watch, Suman Dey was kept constantly apprised of the condition of the plant. At least that was the theory, because, for some time now, some of the apparatus had been breaking down. Dey was therefore obliged to go and get his information on site. He was not always able to. For the past several days, because of a fault in the transmission circuit, there had been no temperature reading coming through from tank 610. To calm his own frustration, he meditated on the words of a large notice hanging on the wall above the dials: “SAFETY IS EVERYBODY’S BUSINESS.” There was nothing definite, however, to make the young Bengali believe that the safety of the factory was not assured."
(Dominique Lapierre, Javier Moro - Five Past Midnight in Bhopal)
In the passage above, we can find many references to the ISO 22301 standard (ISO 22301:2019 Security and Resilience — Business Continuity management Systems - Requirements):
- there is a small context analysis with some important indications (fault indicators, fault on transmission circuits, frustration, a sense of neglect)
- objectives ("safety is everybody's responsibility" is not just a slogan)
- competences and awareness (Suman Dey has a degree in Science, he is competent and respected, and he knows his responsibilities)
- measurement systems (many indicators and alternative procedures)
But within one hour, one of the most famous industrial disasters of the last century is about to begin, a disaster which is often cited as a negative case study in business continuity courses.
ISO 22301:2019 – The Standard
In the ISO vocabulary, Business Continuity Management is defined as:
"holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities."
So we can say that the job of business continuity is to implement a framework that:
- proactively improves an organization's resilience against the disruption of its ability to achieve its key objectives
- provides a rehearsed method to restore the ability to supply the key products/services in case of a disruption
- delivers a proven capability to manage a business disruption and protect the organization's reputation and brand
The standard follows the ISO Annex SL (renamed in Annex L in 2019) structure, as many others do:
- Scope
- Normative references
- Terms and definitions
- Context the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
Clause 8 "Operation" is the most interesting because it contains the indication on how to implement a business continuity impact analysis, develop business continuity strategies and solutions, and create business continuity plans and procedures.
Business Impact Analysis
Business Impact Analysis (BIA) allows the organization to identify the effects of a business disruption. It's also useful for the decision-making process related to recovery priorities and strategies.
Through the use of questionnaires, meetings, interviews, documentation reviews, and an in-depth analysis of their business, organizations can summarize:
- The operational and financial impacts when losing business function and processes
- The point in time when the identified business impacts derive from the loss
- The dependencies between the processes (internal and external)
Therefore, the functions and processes with the highest operational and financial impacts become a priority within a recovery plan.
The time when those functions and processes are recovered before the occurrence of any unacceptable consequences is known as the Recovery Time Objective (RTO).
Other essential parameters that BIA needs to define are:
- Minimum Business Continuity Objective (MBCO): the minimum level of services that is acceptable to the organization to achieve its business objectives during a disruption
- Recovery Point Objective (RPO): point to which information used by an activity is restored to enable the activity to operate on resumption. In another way, it is the maximum amount of data the organization can lose during a disruption
Business Continuity Strategies
"The Union Carbide company was quite unready for the emergency. It could render to aid to people. For all the good they did, the thousand employees and the Indian and world network of 100 00 employees and hundreds of offices and factories and outlets might as well have been on holiday."
(Alfred De Grazia - A cloud over Bhopal - Causes, consequences and constructive solutions)
The business continuity standard ISO 22301 was first published in 2012 but as a form of crisis management. Business continuity management (BCM) has evolved since the 1970s in response to the technical and operational risks that threaten an organization's recovery from hazards and interruptions.
In the 'Dow Chemical - Union Carbide' plant in Bhopal, there were some emergency procedures but not enough to handle that type of emergency, and, worst of all, the security measures were neglected and not adequately followed by personnel.
The Business Continuity Strategies collect the BIA output and form the basis for the Business Continuity Plan. It is related to the determination and selection of alternative operating strategies to be used to maintain the organization's critical activities. Experience and good practice identified that the early provision of an organizational BC Strategy would ensure that Business Continuity Management activities are aligned and support the organization's overall business strategy.
In general, there are six approaches for developing a BC Strategy:
1. Multi-site operation
- This approach is suitable for organizations operating across several different sites where the critical products and services are delivered.
2. Backup arrangement
- The backup approach is characterized by the utilization of a secondary location to back up critical operations at the primary site.
3. Standby arrangement
- Generally is provided by third-party specialist and is suitable for critical functions with RTOs in hours rather than in minutes.
4. Third-party arrangement
- This option is likely to be a primary strategy for organizations that operate in service and manufacturing, which are predominantly people-intensive and are seeking external support in rebuilding key processes.
5. Modification
- Under certain circumstances, it may be necessary to modify the process of operations. This option is appropriate when there are limited resources to maintain the standard level of delivering following a disruption.
6. Combined arrangement
- This option grants flexibility and balances the strengths and weaknesses of previous approaches.
Business Continuity Plan
The BCP is a framework that enables organizations to respond to an incident and deal with the recovery of their activities.
The procedures have to address all aspects of responding to an incident, with particular regard to life safety issues and achieve the timely resumption of the organization's delivery product and services (RTO).
The components and content of a BCP vary from organization to organization based on criticality, importance, and technical complexity. In general, it is possible to identify and include:
- Incident Response Plan to respond to an incident and enhance mitigation of disruption
- Emergency Response Plan for mitigating loss of life or injury and protect property damage
- Crisis Management Plan to manage complex situations that represent a threat to the objective, reputation or existence of an organization
- Recovery Plan to recover and maintain critical business operations, possibly at an alternate location
- Restoration Plan to restore business operations following a disaster to return to normal activities
- Communication Plan procedures for disseminating status reports to personnel, public, and media
- Training and Awareness Plan to ensure competency and awareness of personnel
- Testing and Exercising Plan to ensure the effectiveness of the business continuity plans and procedures
Communication
"On December 3, 1984, one of the most tragic incidents in the history of the chemical industry occurred in Bhopal, India. Those of us in the industry remember that day well, and the following days, when many people died and others were injured as a result of exposure to gas released from a plant owned and operated by Union Carbide India Limited.
Although Dow never owned nor operated the plant, we - along with the rest of the chemical industry have learned from this tragic event, and we have tried to do all we can to assure that similar incidents never happen again.
To that end, the chemical industry learned and grew as a result of Bhopal – creating the Responsible Care program with its strengthened focus on process safety standards, emergency preparedness, and community awareness. The industry also has worked with governmental regulators to assure that industry best practices are implemented through regulations for the protection of workers and communities.
We have led the industry in the implementation of Responsible Care to drive global industry performance improvements. Responsible Care standards are essential for the protection of our employees and the communities where we live and work. While Dow has no responsibility for Bhopal, our pledge and our commitment is the full implementation of Responsible Care everywhere we do business around the world."
Statement of The Dow Chemical Company Regarding the Bhopal Tragedy
In the official press release, the company communicates important Responsible Care initiatives that would be implemented, but reveals the lack of a sense of ownership and says nothing about prevention activities to avoid the recurrence of similar disasters. This is a clear example of no brand-reputation protection.
Communication is essential during a crisis, and a Communication Plan needs to be included in the BC Plan. Organizations have to communicate with their personnel, stakeholders, suppliers, clients, emergency forces authorities, and with the media.
Each of them needs to know different detail at different times, so it's of great importance that a Communication Plan is in place and is regularly reviewed and tested.
An efficient communication strategy is based on five principles:
1. Transparency
- Make the procedures available to all interested parties
2. Appropriateness
- Provide relevant information to interested parties using a format that meets their needs
3. Credibility
- Conduct communication honestly and fairly, and provide the truth
4. Responsiveness
- Respond to the queries of interested parties in a full and timely manner
5. Clarity
- Ensure that communication approaches and languages are understandable to interested parties
Conclusion
I cited in this article the disaster of Bhopal, which happened almost 40 years ago. Still, recent natural disasters, environmental accidents, and also the current pandemic flu, have demonstrated that disasters can happen, impacting private and public sectors alike.
Today's threats require the creation of an ongoing, dynamic, and interactive process that assures the survival and sustainability of an organization's core activities before, during, and after a disruptive event.
ISO 22301 helps the organizations in this great challenge. Advantio's Data Protection experts have helped many organizations worldwide to improve their sustainability and security. To start your ISO journey book a free call with us.
Comments