The new crisis management ISO is here.
In October, the International Standards Organization (ISO) published its first crisis management standalone guidance, prompting me to wonder: is ISO 22361:2022 CM worthwhile? So far, we know that “This document guides crisis management to help organizations plan, establish, maintain, review and continually improve a strategic crisis management capability.” The intent is to help any organization identify and manage a crisis. The ISO for Business continuity management systems outlines program requirements. However, it only mentioned crises in a limited fashion.
Although I am not privy to the history of this ISO’s development, I assume there was a recognition that this element was missing. Or, it was intended to address it in this recently released guidance. If you have the inside scoop, leave it as a comment below. Regardless, let’s break down the standard and how it can be helpful.
Crisis management is a focus of mine.
I am no stranger to discussing crisis management and response. This standard is on my radar, and I wrote about the pending ISO For Crisis Management before its release in May. My last blog referenced resources to respond to crisis events. Additionally, I covered the topic multiple times.
If you are interested in checking those out, I will link to previous blogs here:
- Crisis And The Big Bad Wolf – This is a take on warding against companies who overcome a significant issue, like COVID-19, and suddenly forget to watch out for the wolves. I talk about wolves as crises that can sneak up on you anytime if you don’t remain vigilant.
- Crisis Management Is A Team Sport – Here, I stress that response is a team sport and cannot be accomplished alone. There’s no lasting success in today’s businesses for individuals who prefer to go it alone or dictate problem-solving.
- How Crisis Management & Business Continuity Align – Discusses how crisis response is an integral part of a successful Business Continuity Management program.
- Crisis Management’s Value – For this article, I argued the merits of crisis management as a discipline and how it contributes to resilient organizations.
- Evolving Crisis Management Post-Covid-19 – I shared a summary of the webinar I conducted for Continuity Insights. Check out their website for more great content.
- Business Continuity vs. Crisis Management – For a slightly different take, it emphasizes the differences between planning and response in BCM.
These are just a few of the weblogs I wrote about over the past 3+ years of maintaining Disaster Empire. Throughout that time, the importance of regulations and guidance was central to things I wanted to share with others in the industry.
Six focus areas for the new standard
As with all standards, it is written to be generic enough to apply to any organization. Instead of providing a detailed outline for specific industries, it is a high-level one. As with other ISO other governance documents, 22361:2022 is developed as a framework for many organizations. As such, it is broken down into the following six categories:
- “Context, core concepts, principles, and challenges;
- Developing an organization’s crisis management capability;
- Crisis leadership;
- The decision-making challenges and complexities facing a crisis team in action;
- Crisis communication;
- Training, validation, and learning from crises”.
The focus is to provide direction to senior leadership and those working under their supervision, who will manage the crisis response process.
The ISO's value for resilient organizations
Understandably, any organization with a resilient mindset wants to build solid foundations for crisis management. With that in mind, the new guidance stresses preparing, employing strategic thinking, and building response capabilities. Professional Evaluation and Certification Board (PECB) forecasted this in their January article ISO’s Upcoming Standard for Crisis Management. What I discern is that 22361:2022 is streamlined and straightforward.
Along with the other under-guidance documents in the security and resilience grouping, the aim is for standardization in the security field to enhance society’s safety and resilience. Interestingly, it recognizes crisis management as a discipline with interdependent relationships to risk management, business continuity, information security, physical security, safety, civil protection, incident response, and emergency management. In some organizations, crisis management is a distinct unit, but in many, it is embedded in Business Continuity Management. Let us know in the comments how your company is organized. Regardless, the ISO lays out a clear crisis management framework to support resilience.
So, is ISO 22361:2022 CM worthwhile?
When analyzing any new guidance, I consider the source. Generally, I find that ISO works to provide standards applicable to businesses worldwide. To be helpful, the organization seeks to establish foundationally relevant outlines adaptable by many. What it sacrifices in specificity, it gains in providing a skeleton upon which executives and program owners can model within their distinct business culture. Simply, leaders can adopt an ISO as a governance framework.
With this in mind, the crisis management ISO is an example of a helpful substructure that programs are built on. If you have an existing crisis response methodology, you can leverage it to align and enhance any current gaps. Or, if a newly created program, the standard can help to develop a new business function. Granted, my initial analysis is based on publicly available documentation. I plan to do a deeper dive into the complete standard soon. Regardless, from what I viewed, the guidance is in alignment with recent offerings and coordinates with guidelines for exercises, social media use in emergencies, and BCM systems. So, any standard that works to integrate aspects of a response is helpful in creating resilient organizations.
Crisis management as a continuous improvement measure
If you are passionate about crisis management like I am, you’ll be following the integration of this ISO into practice. As we advance, I want to see how others interpret the standard and hear their take. Of course, I will weigh in with a more detailed analysis in the weeks ahead. For now, what I see is a good start. Acknowledging that leadership, structure, culture, and competence are critical foundational elements supports resilience.
Then, the principles, framework, and process predominately feature continual improvement as the central aspect of the work. Too often, efforts to support business resilience are treated like projects. That mindset always worries me, suggesting crisis management is a short-term effort and can be focused on only when needed. Like its aligned disciplines, crisis management is just that. Management processes must be nurtured, supported by leadership, and organized as an ongoing effort. So, while the ISO lays out the capabilities required for program governance, it also appears to provide direction for identifying and managing crisis events.
To keep this blog brief, I’m going to end here for now. As stated, I will conduct a more in-depth review soon. In the meantime, please share your initial impressions and read the ISO. For me, it is a good step forward to level-set a clear-cut process for crisis management globally.
Did you know?
Disaster Empire blogs contain embedded links to source materials, articles of interest, videos, books, and training I recommend you check out to expand your knowledge base. Just click on the blue embedded link to access the resource.