The survey found that while 60% of respondents have adopted ISO 22301 in some form such as certification (10%), compliance (11%) or alignment (39%), top management commitment is still lacking in many organizations. Organizations with strong top management commitment were over 4 times more likely to adopt ISO 22301. The main benefits of certification were assurance of continued services (61%), protecting reputation (48%) and reducing risk of interruptions (48%). However, challenges included resource constraints (25%) and complexity of implementation (19%). Most organizations validated their ISO 22301 implementation through checking plans (54%) and audits (51%). Surprisingly, 82% of respondents did not require ISO 22301 certification from suppliers.
2. BCI Foreword
This publication is the third report produced by the Business Continuity Institute
looking at ISO 22301, the international standard for business continuity, which
was launched in June 2012.
Our first report appeared in May 2012, just ahead of the launch of the standard,
as we considered its anticipated adoption and how this new standard could
change the business continuity landscape. Our second report from June
2013 recorded the discussions of a Roundtable as senior practitioners and
early adopters shared experiences and challenges faced in the first year after
launch.
This third report, sponsored by NQA, is based on a wider scale survey of BCI
members and other continuity and resilience practitioners who have had the
opportunity to consider, align to or adopt ISO 22301 for approaching three
years.
An excellent response from 560 organisations across 69 countries makes this a valuable reference document for
those still considering their ISO 22301 journey. While 40% of respondents are, as yet, unclear on whether ISO 22301
is appropriate for their organisation, 60% are either compliant with (11%), aligned to (39%) or certified against
(10%) the standard. Unsurprisingly, top management commitment within these organisations was measured at a
much higher rate than within those organisations who have not yet considered introducing the standard. Aside from
gaining top management support, other stumbling blocks include resource constraints (25%) and the complexity of
implementation (19%).
For those organisations which are certified against the standard the main benefits were cited as: assurance of
continued services (61%); protecting reputation and brand (48%); reduced risk of business interruption (48%);
greater resilience against disruption (45%); and quicker recovery from interruption (44%).
A surprisingly high percentage of respondents (82%) were not seeking ISO 22301 alignment from their suppliers but,
as this is still a relatively new standard, we would hope that this percentage will drop in future years.
The BCI has been delighted to work with NQA on the production of this report which will add great value to the
business continuity body of knowledge as the profession broadens and continues to mature.
David James-Brown FBCI
BCI Chairman
3. NQA Foreword
NQA is really pleased to support the Business Continuity Institute in the
publication of this research into the adoption of ISO 22301, the international
standard for business continuity management systems.
Naturally this subject is in NQA’s interest as we provide accredited certification
for ISO 22301, but the subject of business continuity and the role of the ISO
22301 standard are of greater societal importance.
We have all experienced disruption to our professional and private lives as a
result of minor and sometimes major events beyond our control – from freak
weather, internet downtime and late deliveries to accidents, terrorist activities
and natural disasters.
What if? That is the question. Is your organisation resilient enough to withstand
disruption and can it recover quickly from serious downtime?
For this reason it is vital that business continuity isn’t just seen as a specialist subject owned by continuity and
resilience practitioners – it is a fundamental component of organisational resilience for commercial entities and
sustainable public services.
Senior managers must understand this perspective and it is research like this that provides the business case for
investing in business continuity management systems. And more specifically aligning to, adopting and certifying to
ISO 22301.
Our clients have seen significant benefit of adopting ISO 22301 and taking the extra step to maintain third-party
certification to the standard. They report greater resilience, agility and customer confidence.
We are delighted with the response to this research and remain optimistic that the benefits of ISO 22301 will be
realised by more organisations with each cycle of this report.
Kevan Parker
Head of NQA
4. CONTENTS
Section 1
Executive Summary
Section 2
Introduction
How Organisations Approach ISO 22301
Drivers and Challenges behind ISO 22301 Certification
Validating BC Arrangements Using ISO 22301
Requesting ISO 22301 Certification from Suppliers
Section 3
Conclusion and Recommendations
Annex
1: Demographic Information
2: Benchmarking ISO 22301
6. EXECUTIVE SUMMARY
Organisations with strong top management commitment are more than 4x likely to adopt ISO 22301 in some form than the ones who exhibit little/no commitment at all.
27% are strongly committed towards using ISO 22301
560 Respondents
69 Countries
ISO 22301 Uptake
• Certified: 10%
• Compliant: 11%
• Aligned: 39%
• None/Don’t know: 41%
Top Reasons For ISO 22301 Certification
• Assurance of Continued Service: 61%
• Protecting Reputation And Brand: 48%
• Reduced Risk Of Business Interruption: 48%
• Greater Resilience Against Disruption: 45%
• Quicker Recovery From Interruption: 44%
Challenges To ISO 22301 Certification
• Resource Constraints: 25%
• Complexity of Implementation: 19%
• Top Management Buy In: 18%
82% do not seek ISO 22301 certification from their suppliers
21% report that ISO 22301 certification may not be appropriate to their business
Validating ISO 22301 Certification
• Checking BC plans: 54%
• Conducting internal audit: 51%
• Desktop exercises: 47%
9. INTRODUCTION
Business continuity (BC) standards such as ISO 22301 promote
good practice and are used as a starting point for building
organisational resilience. The 2015 ISO 22301 Benchmarking
Survey, produced in association with NQA, has the following aims:
• Track the uptake of the standard
• Identify drivers and challenges behind benchmarking
• Examine how BC is validated in organisations
This year’s survey ran for four weeks and has garnered 560 responses from
69 countries worldwide.
How organisations approach ISO 22301
An important part of determining the uptake of standards, an enabler of good practice, is top
management commitment. The BCI Good Practice Guidelines and past Institute research affirm the
importance of leadership in creating the right conditions for good practice leading to organisational
resilience. Nonetheless, overall data suggests that many organisations struggle with this, with
only just over a quarter (27%) reporting strong commitment towards ISO 22301 adoption. Figure 1
summarises the results.
Figure 1. Question 6: What is top management commitment towards compliance, certification or alignment
towards ISO 22301? In relation to ISO 22301, our top management is… (N=527)
Top management commitment to ISO 22301
• Strong Committed: 141 (27%)
• Fairly Committed: 156 (30%)
• Slightly Committed: 110 (21%)
• Not At All Committed: 76 (14%)
• Don’t Know: 44 (8%)
Six out of 10 organisations adopt ISO 22301 in various forms such as certification [1] (10%), compliance [2] (11%) and alignment [3] (39%).
[1] Certification is being fully audited and issued a certificate of compliance to ISO 22301 by an accredited body.
[2] Compliance is conforming to ISO 22301 requirements.
[3] Alignment is developing an in-house approach consistent with elements of ISO 22301.
Segmenting the data according to top management commitment however reveals interesting results.
Organisations with strong top management commitment to business continuity are four times
more likely to adopt ISO 22301 in some form than the ones who exhibit little/no commitment at all.
Certification against ISO 22301 seems to be most strongly related to top management commitment
(Table 2).
Figure 2. Question 7: Which of the following best describes your organisation’s approach to ISO 22301? (N=528)
Approach to ISO 22301
• We Comply With ISO 22301: 58 (11%)
• We Are Certified Against ISO 22301: 52 (10%)
• We Are Aligned Against ISO 22301: 207 (39%)
• None Of The Above: 176 (33%)
• Don’t Know: 35 (7%)
Table 2. Comparing ISO 22301 uptake with top management commitment levels
Analysing ISO 22301 Uptake
Columns, in order: Strong Commitment / Some Commitment / Slight Commitment / No commitment or don’t know
• Certification against ISO 22301: 26% / 7% / 3% / 1%
• Compliance with ISO 22301: 18% / 14% / 5% / 6%
• Alignment with ISO 22301: 45% / 56% / 38% / 12%
• No ISO 22301 or Don’t Know: 11% / 23% / 54% / 81%
Large enterprises are more than twice as likely to align with ISO 22301 compared to small and medium sized enterprises or SMEs [4] (46% to 21%).
[4] SMEs are defined by EU law as organisations having ≤250 employees and annual turnover of ≤€50 million.
Organisations in manufacturing
(13%) report higher rates of
ISO 22301 certification than
the overall average (10%).
Companies in Oceania (49%),
the Middle East/North Africa
(44%) and the United States
(48%) report higher alignment
rates than the survey average
of 39%.
DRIVERS AND CHALLENGES BEHIND ISO 22301 CERTIFICATION
Adopting ISO 22301 is seen as a good starting point towards building organisational resilience. Whilst standards on their own must not be seen as the be-all and end-all of resilience, they provide opportunities for organisations to reflect on their practices and check the robustness of their planning and response capabilities.
Organisations identify several drivers behind ISO 22301 certification such as assurance of continued service to customers (61%), protecting reputation and brand (48%), the need to reduce risk of business interruption (48%) and greater resilience against disruption (45%). Figure 3 summarises the results.
Figure 3. Question 8: If your BCMS is certified against ISO 22301, why did you acquire certification? (Multiple answers allowed, N=128)
Drivers to ISO 22301 Certification
• Assurance of continued service to customers: 61%
• Reduced risk of business interruption: 48%
• Protecting reputation and brand: 48%
• Greater resilience against disruption: 45%
• Quicker recovery from business requirements: 44%
• Facilitates customer due diligence and audit requirements: 36%
• Getting new business: 29%
• Legal compliance: 21%
• Other: 19%
• Competitors are certified against it: 14%
Organisations are aware of the challenges behind ISO 22301 certification. The survey examines
these challenges and makes a distinction between organisations that have certified against the
standard and those who have not.
For organisations that have actually certified their BCMS against ISO 22301, a quarter of them
report resource constraints as a main limitation.
Respondents offer other factors such as:
• Lack of national regulations which drive standards certification,
• Lack of BCM awareness within the organisation,
• Time required to demonstrate compliance on top of other audits and commitments.
Figure 4 summarises these barriers to companies that have already certified their BCMS.
Figure 4. Question 10: What are the main challenges of implementing a BCMS certified against ISO 22301? (N=191)
Challenges to ISO 22301 Certification
• Appropriateness of standard to my business: 30 (16%)
• Budget constraints: 26 (14%)
• Complexity of implementation: 37 (19%)
• Resource constraints: 47 (25%)
• Top management buy in: 34 (18%)
• Other: 17 (9%)
For organisations that have not certified their BCMS against ISO 22301, 21% report that certification
may not be appropriate for their businesses. Others cite lack of top management commitment (13%),
costs (12%) and perceived lack of benefits (12%).
Organisations echo the same reasons (lack of compelling regulation, BCM awareness and time
constraints in demonstrating compliance) in not wanting to certify against ISO 22301. Other factors
worth noting are:
• Industry sector (some government agencies are not required to certify BC plans against a
standard);
• Lack of alignment to corporate culture;
• Certification against other standards creating too many reporting requirements.
Figure 5 summarises the results for organisations who have not certified their BCMS.
Figure 5. Question 12: If your BCMS is NOT certified against ISO 22301, what are the reasons? (N=421)
Reasons for Lack of ISO 22301 Certification
• I plan to get certified in the near future: 89 (21%)
• I am not familiar with ISO 22301: 32 (8%)
• I can’t justify the cost of certification: 50 (12%)
• I can’t see the benefit of certification: 49 (12%)
• I can’t get commitment from top management: 56 (13%)
• Certification may not be appropriate to my business: 88 (21%)
• Other: 57 (13%)
VALIDATING BC ARRANGEMENTS
USING ISO 22301
Beyond certification, it is essential for organisations to validate the
implementation of ISO 22301. Certification cannot be maintained if
BC systems are not audited and tested. A majority of organisations
recognise this with 70% conducting various forms of testing to check
the robustness of their BC arrangements as certified by ISO 22301.
The most common forms of validation of BC arrangements include checking BC plans (54%), internal
audits (51%) and desktop exercises (47%). Nonetheless, almost a third of organisations (30%) do
not validate ISO 22301 implementation at all. This is a worrying situation that must be tackled
by identifying barriers to testing and addressing those. Figure 6 summarises how organisations
validate their BC arrangements as certified against ISO 22301.
Figure 6. Question 11: How have you validated the implementation of ISO 22301 within your organisation? (Multiple answers allowed, N=179)
Validating ISO 22301 Certification
• Checking BC plans: 54%
• Internal audit: 51%
• Desktop exercises: 47%
• Conducted tests/actual exercises: 44%
• Checking BCM programmes: 40%
• Observed exercises: 32%
• We have not validated ISO 22301 implementation: 30%
• Seeking credentials of those who run BCM programmes: 18%
REQUESTING ISO 22301 CERTIFICATION FROM SUPPLIERS
Recent BCI studies suggest the increasing uptake of ISO 22301 in providing supplier assurance. The 2014 BCI Supply Chain Resilience Report indicates that 40% of organisations require certification to recognised standards which include ISO 22301 from their key suppliers. Comparisons with historic data also reveal the movement towards increased alignment with standards (38% from 2009-2013 compared to 45% in 2014).
It is therefore surprising to note that in this survey, 82% of organisations do not request ISO 22301 certification from their suppliers (Figure 7). The study offers a reason behind this. ISO 22301 is a fairly new standard and many organisations have not yet transitioned to the standard as a requirement for assurance, much less adopted it themselves. Future studies may focus on tracking this particular metric as an indicator of the maturity of the standard.
Figure 7. Question 13: Do you request ISO 22301 certification for your suppliers? (N=477)
• No: 394 (82%)
• Yes and Don’t Know: 9% each (40 and 43 responses)
Organisations that request ISO 22301 certification for supplier assurance share different reasons for doing so. These largely mirror the drivers mentioned by organisations in adopting the standard themselves such as assurance of continued service (70%), greater resilience against disruption (48%) and protecting reputation and brand (42%). Organisations also note how ISO certification facilitates due diligence and audit requirements (36%). Figure 9 summarises the reasons for requesting ISO 22301 certification for supplier assurance.
Figure 9. Question 14: What were your reasons for requesting ISO certification from your suppliers? (Multiple answers allowed, N=84)
Reasons for Supplier ISO 22301 Certification
• Assurance of continued service: 70%
• Greater resilience against disruption: 48%
• Protecting reputation and brand: 42%
• Facilitates due diligence and audit requirements: 36%
• Requirement for rewarding new business: 21%
• Legal compliance: 19%
• Other: 17%
19. CONCLUSION AND RECOMMENDATIONS
Business continuity is a key component of organisational resilience and relevant standards such as ISO 22301 offer a good starting point in this regard. Benchmarking against standards provides opportunities to reflect on organisational practice, identify gaps in planning and implementation, and assess improvement. Approached in a holistic manner, standards benchmarking may help organisations build resilience.
1 The survey underscores the need for leadership.
It is clear from the survey results that top management commitment is an indicator of standards
uptake. This is a challenge to BC practitioners to engage their top management in this regard. BC
practitioners must articulate the value of standards benchmarking and certification, as well as relate
it to the overall strategic goal of organisational resilience.
2 Survey results affirm the relative complexity of standards benchmarking and
certification, with organisations sharing the challenges behind adopting ISO 22301.
Nonetheless, data also suggests possible benefits such as assuring continued service, mitigating the effects of business disruptions and protecting organisational reputation. Of course, it is worthwhile to note that benchmarking and certification themselves do not guarantee these benefits. Benchmarking and certification are only the first steps towards building resilience and must be followed through by validation. The survey shows that most organisations appreciate this.
3 Nonetheless, more needs to be done in encouraging other organisations to validate their
BC capabilities after benchmarking and certification against standards such as ISO 22301.
There is also a need to articulate the importance of the standard in supplier assurance which could
play a part in enabling more resilient supply chains.
4 The most encouraging findings involve the growing recognition of ISO 22301 in
upholding BC good practice.
Recent BCI research affirms this. A majority of organisations now report at least aligning themselves
to the standard. Whilst universal uptake remains yet to be seen, the BCI identifies the state of
standards benchmarking and certification as a key area of research interest and will track this in
future studies.
Annex
1. DEMOGRAPHIC INFORMATION
a. Functional Role of Respondents
Question 1: Which of the following describes your functional role? (N=557)
b. Industry Sector
Question 3: Please indicate the primary activity of your organisation using the SIC 2007 categories given below. (N=557)
c. Geographical Base
d. Number of Employees
Question 4: How many employees work in your organisation? (N=557)
e. Approximate Annual Revenues
Question 5: Please let us know the approximate annual revenues of your business. (N=557)
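Annex
2. BENCHMARKING ISO 22301
by region/country
Europe
• Top management commitment towards ISO 22301: Strongly 24%, Fairly 29%, Slightly 21%, Not at all 15%
• Approach to ISO 22301: Compliance 7%, Certification 10%, Alignment 36%, None 37%
• Validation of ISO 22301 within organisation: 67%
• Seeking ISO 22301 certification from suppliers: Yes 7%, No 85%, Don’t know 7%
North America
• Top management commitment towards ISO 22301: Strongly 21%, Fairly 27%, Slightly 27%, Not at all 19%
• Approach to ISO 22301: Compliance 14%, Certification 5%, Alignment 45%, None 34%
• Validation of ISO 22301 within organisation: 62%
• Seeking ISO 22301 certification from suppliers: Yes 7%, No 82%, Don’t know 10%
Asia
• Top management commitment towards ISO 22301: Strongly 41%, Fairly 29%, Slightly 18%, Not at all 8%
• Approach to ISO 22301: Compliance 16%, Certification 20%, Alignment 31%, None 24%
• Validation of ISO 22301 within organisation: 71%
• Seeking ISO 22301 certification from suppliers: Yes 31%, No 62%, Don’t know 7%
Oceania
• Top management commitment towards ISO 22301: Strongly 18%, Fairly 39%, Slightly 18%, Not at all 18%
• Approach to ISO 22301: Compliance 15%, Certification 0%, Alignment 49%, None 36%
• Validation of ISO 22301 within organisation: 56%
• Seeking ISO 22301 certification from suppliers: Yes 0%, No 84%, Don’t know 16%
Middle East & North Africa
• Top management commitment towards ISO 22301: Strongly 34%, Fairly 28%, Slightly 22%, Not at all 9%
• Approach to ISO 22301: Compliance 19%, Certification 3%, Alignment 44%, None 34%
• Validation of ISO 22301 within organisation: 82%
• Seeking ISO 22301 certification from suppliers: Yes 11%, No 81%, Don’t know 7%
Central & Latin America
• Top management commitment towards ISO 22301: Strongly 25%, Fairly 31%, Slightly 25%, Not at all 19%
• Approach to ISO 22301: Compliance 19%, Certification 6%, Alignment 44%, None 31%
• Validation of ISO 22301 within organisation: 78%
• Seeking ISO 22301 certification from suppliers: Yes 15%, No 77%, Don’t know 8%
Sub-Saharan Africa
• Top management commitment towards ISO 22301: Strongly 60%, Fairly 27%, Slightly 13%, Not at all 0%
• Approach to ISO 22301: Compliance 0%, Certification 27%, Alignment 67%, None 7%
• Validation of ISO 22301 within organisation: 88%
• Seeking ISO 22301 certification from suppliers: Yes 8%, No 83%, Don’t know 8%
UK
• Top management commitment towards ISO 22301: Strongly 24%, Fairly 31%, Slightly 16%, Not at all 16%
• Approach to ISO 22301: Compliance 6%, Certification 13%, Alignment 34%, None 36%
• Validation of ISO 22301 within organisation: 66%
• Seeking ISO 22301 certification from suppliers: Yes 8%, No 85%, Don’t know 7%
Australia
• Top management commitment towards ISO 22301: Strongly 17%, Fairly 41%, Slightly 17%, Not at all 17%
• Approach to ISO 22301: Compliance 20%, Certification 0%, Alignment 40%, None 40%
• Validation of ISO 22301 within organisation: 57%
• Seeking ISO 22301 certification from suppliers: Yes 0%, No 79%, Don’t know 21%
United States
• Top management commitment towards ISO 22301: Strongly 23%, Fairly 32%, Slightly 26%, Not at all 16%
• Approach to ISO 22301: Compliance 14%, Certification 7%, Alignment 47%, None 32%
• Validation of ISO 22301 within organisation: 68%
• Seeking ISO 22301 certification from suppliers: Yes 9%, No 77%, Don’t know 13%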
BENCHMARKING ISO 22301
by Industry Sector
Financial & Insurance
• Top management commitment towards ISO 22301: Strongly 28%, Fairly 31%, Slightly 16%, Not at all 12%
• Approach to ISO 22301: Compliance 10%, Certification 8%, Alignment 48%, None 28%
• Validation of ISO 22301 within organisation: 77%
• Seeking ISO 22301 certification from suppliers: Yes 6%, No 86%, Don’t know 8%
Health & Social Care
• Top management commitment towards ISO 22301: Strongly 9%, Fairly 35%, Slightly 26%, Not at all 24%
• Approach to ISO 22301: Compliance 24%, Certification 0%, Alignment 44%, None 32%
• Validation of ISO 22301 within organisation: 50%
• Seeking ISO 22301 certification from suppliers: Yes 13%, No 73%, Don’t know 13%
Public Admin & Defence
• Top management commitment towards ISO 22301: Strongly 22%, Fairly 42%, Slightly 16%, Not at all 13%
• Approach to ISO 22301: Compliance 16%, Certification 2%, Alignment 53%, None 22%
• Validation of ISO 22301 within organisation: 82%
• Seeking ISO 22301 certification from suppliers: Yes 9%, No 82%, Don’t know 9%
Manufacturing
• Top management commitment towards ISO 22301: Strongly 13%, Fairly 13%, Slightly 27%, Not at all 22%
• Approach to ISO 22301: Compliance 0%, Certification 13%, Alignment 16%, None 53%
• Validation of ISO 22301 within organisation: 56%
• Seeking ISO 22301 certification from suppliers: Yes 2%, No 91%, Don’t know 7%
26. Acknowledgements
The BCI wishes to thank NQA for sponsoring this research. The authors would also like to acknowledge
the efforts of Andrew Scott CBCI during the fieldwork of this survey.
About the Author
Patrick Alcantara is a Research Associate for the Business Continuity
Institute (BCI). In this role, he manages the delivery of the Institute’s
research program that focuses on global thought leadership and
commercial research. His work on business continuity and resilience
topics has been featured in several publications. Prior to the BCI,
he has worked in the education and lifelong learning sectors. He
completed a Masters in Lifelong Learning with distinction from the
Institute of Education (University College London) and Deusto
University under an Erasmus Mundus grant.
He can be contacted at patrick.alcantara@thebci.org.
Elliot Brooks is a Research Assistant for the Business Continuity
Institute (BCI). He is finishing a degree in Disaster Management &
Emergency Planning at Coventry University. His previous research
work includes the 2014 BCI reports on emergency communications
and supply chain resilience.
He can be contacted at elliot.brooks@thebci.org.
27. About the BCI
The Business Continuity Institute (BCI) is the world’s leading
institute for Business Continuity. Established in 1994, the BCI
has established itself as the leading membership and certifying
organisation for Business Continuity (BC) professionals worldwide.
The BCI offers a wide range of resources for business professionals
concerned with raising levels of resilience within their organisation
or considering a career in business continuity.
With circa 8,000 members in more than 100 countries worldwide,
working in an estimated 3,000 organisations in private, public
and third sectors, the BCI truly is the world’s leading institute for
business continuity. The BCI stands for excellence in the business
continuity profession and its Certified grades provide assurance of
technical and professional competency in BC.
Contact the BCI
Andrew Scott
Senior Communications
Manager
10-11 Southview Park
Marsack Street
Caversham RG4 5AF
United Kingdom
+44 (0) 118 947 8215
research@thebci.org
About NQA
NQA is a leading assessment, verification and certification
body and works in partnership with a wide range of businesses,
government departments and charitable organisations to help
improve performance in quality, environment, health & safety and
business continuity management.
NQA holds accreditation from UKAS and ANAB (the respective
national accreditation bodies of the UK and USA) and has one of
the widest scopes of accreditation, including quality, environmental,
information security and business continuity management systems.
In addition, there are a number of sector specific schemes covering
suppliers to the automotive and aerospace industries.
NQA has issued around 33,000 certificates of registration in 70
countries.
Contact NQA
Kevan Parker
Head of NQA
Warwick House
Houghton Hall Park
Houghton Regis
Dunstable LU5 5ZX
United Kingdom
+44 08000 522424
info@nqa.com