ISO31000 was promoted as the level playing field for putting all types of risk into the “same pot” and seeing which ones broke through the surface to cause losses of some form or another.
ISO31000 galvanised into a major Standard (in fact becoming the largest-selling Standard in Australia and other regions) as it drew interest from a wide range of stakeholders across a number of industries. It put on the table in many boardrooms processes that had not yet been well defined, for example protecting directors and office bearers from personal liability in cases where staff or visitors were injured on their premises or in their facilities.
Many risk practitioners jumped in to take advantage of the growing demand for the wisdom they could impart to customers needing insights from the risk process.
Of course, interruption to business always scored in the top 10 risks, placing the risk practitioner in the pound seat to address BCP (business continuity planning).
Business continuity planning is a nicer way of saying managing business disruption, since the results of an actual interruption event could well lead to the demise of the business in part or whole.
The advent of ISO31000 has to some extent overshadowed the role of practitioners of BCP and Standards like 22301 that set out what is needed to demonstrate that you have a healthy BCP in place.
This seems to bring into contrast where BCP sits in the pecking order of risk management. ISO31000 may create the perception that its process is as suitable for BCP as it is for other risk types (or strategies).
But don’t be misled by this! ISO31000 in itself is insufficient to cater for BCP. The old adage is still as true as ever: forewarned is forearmed, or planning is better than the cure. So ISO31000 has its role: to pre-empt potential risks that could lead to business disruption.
When an actual disruption event takes place, that’s where you say goodbye to ISO31000 and take up BCP and the mechanisms it gives for responding to the disruption event.
BCP is generally well-documented and typically found in paper-based documents. The actual procedures and resources that are called upon to deal with significant disruption events are held in a variety of systems or even just in people’s heads through the training they’ve had.
But we have taken BCP to a whole new level, integrating the processes and procedures in systems that make the job of BCP so much easier to manage. The next couple of years will see an interesting divide: will BCP tools become even more specialised and prescriptive, or will BCP mould into an integrated technology solution for managing different key risk types?