ISO22330 Guidelines for people aspects of business continuity
June 2018 saw the publication of the international standard ISO 22330 “Guidelines for people aspects of business continuity.” This new document expands on the guidance in ISO 22301 and ISO 22313 providing a uniform approach to preparing for, and responding to, events that are disruptive, challenging or distressing for its people.
There will always be cynicism surrounding the publication of yet another international standard particularly where much of the content is already seen to be covered in different standards, so a) why should you be interested and b) is it worth reading?
The first question to answer - are people really a business continuity issue? Some organizations find this out the hard way. They have temporary offices and IT services back online but the people sitting at these relocated desks are not functioning well, and many of their colleagues are absent. If we don’t recover the people, then we haven’t recovered the service.
By managing the people aspects well, you can positively influence productivity, motivation, attendance (short and long-term) and retention. You can also mitigate against reputational damage and litigation. Following a crisis or distressing event at work, be it act of terror, violence, fire, flood or pandemic, how quickly and fully your people respond and recover will determine the same for your organisation.
Given then that people are an essential part of business continuity, their safety and wellbeing surely warrant a standalone document. But is ISO 22330 actually useful?
It is certainly not a prescriptive guide to managing an incident but does provide a helpful starting point for considering where an organization currently sits in its people response. It details recommendations across the phases of preparation, response, recovery and restoration.
ISO 22330 begins by setting out a rationale for taking a people approach, attributes of the organization and steps for developing competencies along with suggestions for where a duty of care may lie and the needs, expectations and demands of different groups. However, in my opinion, the most useful part of the document is section 7. Here, subjects such as accounting for people, communication (internal and external), travel issues and mobilising the workforce in adverse conditions are given more specific guidance. This part of the document is a good framework for creating policies and procedures and clear pathways of care. It will be useful for considering blind spots – the things we don’t know that we don’t know – gaps in existing processes, current strengths and areas for improvement.
Once they have identified the “what to do,” organizations can then dig deeper and more effectively utilise existing internal resources and / or identify the areas of external expertise required to implement the “how to do it.” This preparation is crucial. Having worked on many acute and major incidents, I can confidently say that if you are not prepared, then your “people” intervention will be too late and knee jerk and your recovery impeded.
Two informative annexes focus on psychological response management and relatives’ response teams.
Psychological response management is often side-lined to be dealt with by Human Resources, Occupational Health or an Employee Assistance Provider with an attitude of “leave it to the professionals.” ISO 22330 encourages more effective use of internal resources whilst helping organizations make informed choices about external services. It offers more comprehensive and structured recommendations particularly in what can be seen as an “ambiguous” field – for example rather than saying “offer support” it clarifies and defines the various levels of support and with clear terms and internationally agreed best practice.
Organizations often want to do the right thing but don’t know what that is. ISO 22330 emphasises clinically effective, immediate actions that all organizations should be taking after an event that impacts on its people. Far from encouraging “wrapping people in cotton wool”, this document is practical and evidence-based.
The document encourages shared ownership and collaboration amongst professionals working in business continuity, risk management, crisis response, human resources, health and welfare, leadership roles.
Although it claims to be relevant to any size of organization, it will undoubtably me more so for a larger or higher-risk organization. Annex 2, for example, looks at relatives’ response teams. A team will be beyond the scope of most small businesses, but they can still take many of the principles suggested and adapt them for their own purposes.
In summary, ISO 22330 is a useful reference document. Rather than taking a disjointed approach spread across many other documents, it enables organizations to more clearly analyse their current performance. Its perceived value will be determined by the level of risk faced by an organization and their existing expertise and confidence in this area.