The Value of an Independent Review

A couple of weeks ago I received an enquiry from a company that provides cloud-based energy management software, asking if I would perform a review of their business continuity plans.

I performed the review last week for the client, using ISO 22301 as the criteria as well as best practice that I have observed as both a consultant and Lead Auditor for business continuity management systems and ISO 22301.

The review has helped the company to identify a number of immediate tasks that they can now perform to get more from their plans, including:

  • better risk methodology
  • defining the company’s appetite for risk
  • re-visiting the context of the company
  • widening the scope of the plans in accordance with the context
  • the consideration of prevention as well as reaction

A major output from the session was a large number of mini-projects that will, over time, help them to create a business continuity management system.

The plans will become a system when they are connected and created from a defined methodology. You need to be able to justify why a certain action has been performed (rather than a different one) based on methodology. Controls, such as continuity plans, need to come from a suitable analysis and risk assessment. Controls shouldn’t be limited to reaction; they should also include recovery and prevention.

The client said, ‘I really did take a lot away from the review and I’m very grateful to you; I’ll certainly keep in touch.’

There is a lot of value in a ‘fresh pair of eyes’ and in an independent review of a system. Get in touch if you would like to discuss a review of your plans or systems, regardless of certification requirements.
