What I know so far
An ISO for crisis management is in development and in the “enquiry” draft stage. ISO is the leading organization that provides guidelines for business operations across industries as a refresher. According to its website, they are an independent, nongovernmental international organization with a membership of 167 national standards bodies. It is constructive for companies and governments to achieve alignment. Of course, country or local regulations supersede the standards. However, the standards serve as a strong baseline for many operations, especially globally. The measure will be part of the suite of security and resilience recommendations.
It's been on-deck for a while
Unsurprisingly, the standard is taking a while to launch. As for focus, it will apply to company organization and management in general. Sometimes it seems like I have my head in the sand or juggling so many things that this announcement didn’t get on my radar until recently. As much as I try to keep up-to-date with new guidelines or regulations, this one is new to me. Hopefully, this is not new to you, but if you were also not tracking, it’s my goal to bring you the information you can use. It looks like ISO started the development of the guideless back in 2006. I, for one, welcome it, as I was only aware of the BSI crisis management PD CEN/TS 17091:2018 offering previously. It will complement the other societal security standards, like ISO 22320 for emergency management.
It will outline CM strategic capabilities
The ISO for crisis management provides guidelines for crisis management to help organizations plan, establish, maintain, review and continually improve a strategic crisis management capability. Similar to the other ISO standards that I spoke of in my blog, Resilience Program Design and What Resilience Is And Isn’t, they are helpful as a benchmark against what other companies will also try to achieve. As program managers, we leverage ISO to measure minimum expectations. Additionally, it aids in gaining clarity and expressing to senior management “what good look like” in response to a catastrophic event. Overall, it offers a baseline with which companies can use it to organize and prepare for unplanned, complex events.
You can preview it online
The ISO for crisis management is available for preview on their website here. A crisis is an abnormal or extraordinary event or situation that threatens an organization or community and requires a strategic, adaptive, and timely response to preserve its viability and integrity. By distinguishing between an incident and a crisis, we understand that the goal is to separate a planned event from one unknown to a business when it happens. Generally, we know an incident as a situation that we can plan for or are tracking as it may evolve into a larger scale or more impactful crisis.
Keep your eyes on the blog for updates
So, I’ll keep you updated as ISO 22361 moves forward. I am sometimes ambivalent about regulations when they take too rigid a stance. However, I recognize that rules are opportunities to motivate an organization. Or provide the ability to engage leadership to take resilience seriously. However, I am always mindful that a tool is only helpful when it is more than a check-the-box exercise and instead becomes meaningful to the business. Ideally, standards are a foundational element for program success. It’s most helpful when embedding critical tools (i.e., crisis management ) as a foundational practice of company culture.
If you already had eyes on this development or were involved, I would love to hear your take in the comments below. Do you think the ISO is long overdue? Or are there any challenges you anticipated? PECB reported that it’s expecting the standard to be published this year, so we’ll see how fast approval progresses. As soon as I learn more, I will post an updated blog.