3 December 2021
Continuous Improvement with Business Continuity
Business continuity management (BCM) plays a vital role in the financial industry. To ensure that companies meet certain standards, annual audits are carried out, including at Worldline. For BCM, these audits mainly concern ISO 22301, which describes the requirements for a BCM system to protect the company from disruptive events, reduce the likelihood of these events, and recover from them.
Every year, BSI performs an audit in the field of business continuity at Worldline. This year, too, numerous interviews were conducted in each country with people who work in specific fields and thus make an active contribution to business continuity and organisational resilience. The ISO 22301 assessments were also successfully completed this year. In particular, the maturity of Worldline’s Business Continuity Management System was noted. That is why Aart Bitter, Lead Assessor at the BSI, and Natascha Hannema, Head of BC, Resilience and Information Security at Worldline, explain more about the audits and the road to a better BCM system.
Can you briefly explain how you see business continuity?
NH: “In essence, it is all about the continuity of your business operations. I always compare it with entering a house. If you want to keep unwanted guests out, you put locks on your doors. These locks are the measures that guarantee business continuity. If you then look at the locks and keys, they all have their own access code. That's where information security comes into play, as the individual encryption of the keys again contributes to business continuity. Incidentally, those keys are one of the ways to implement security.”
AB: “Before the pandemic, of course, companies were already working on their business continuity. In the past, you sometimes needed a general explanation about what an auditor does or what BCM is. However, over the past two years, everyone has certainly gained an idea about how important the continuity of one’s company is.”
What does an audit roughly look like?
AB: “The main question in ISO audits is always about the way in which our customers can maintain or regain continuity. We find out how the planning and organisation work and ensure that they know sufficiently whether the entire system works well for them. The other part of the audit involves observations that we make ourselves. Naturally, over a period of three years, which is often the term of a certification, we try to get a holistic overview of the organisation.”
NH: “Due to the duration of certificates, assessors get a complete picture of the organisation in question. It is also a way to go further in depth. Of course, one can solely participate to obtain a certification, but we do it because we want to continuously improve ourselves and find the blind spots. If someone looks at it from an external perspective and asks questions because they already know the company, this opens even more opportunities for further optimisation. It also involves the necessary preparation and making sure that the right people are being interviewed, so that we can learn even more from them. You don't learn to drive until you get your driver's license – and I think that applies here as well.”
Is there a clear pattern to see over the past years for Worldline?
AB: “Worldline has changed a lot as an organisation and BCM has grown with it. The company’s advantage is that it was already involved from the start of publication of the ISO 22301. As a result, they have grown along with the knowledge that has come in such a standard. Worldline made clear choices from the beginning, and with all kinds of changes within the organisation, one can see that the main part of the framework is still standing. That's very interesting to see.”
NH: “People might think that continuity and change don’t blend well and that it is very difficult to maintain yourself during changes. Things move so quickly and change so fast that people have a hard time keeping up. A standard such as ISO 22301 helps to go back to the essence and to look at what exactly has changed, what the core values are and how one can ensure that these are safeguarded. After all, you can't stop change; the world will always keep changing.”
How are the results of the audit monitored within Worldline?
NH: “After we discover new findings, these will be added to our improvement calendar. This way, we can make sure we work on it during the year. Those points don’t fall out of sight, and they can be evaluated during the following sessions. That is also one of ISO 22301’s core values: to have a PDCA Cycle, or improvement cycle. Improvement is continuous and not something to check off on a to-do list. We want to keep reviewing and improving, continuously throughout the year.”
In what way can companies ensure that the maturity of their BCM system continues to improve or is safeguarded?
AB: “There are two essential aspects arising from ISO 22301: continuous evaluation and continuous improvement. For that, one must keep analysing, talking, correcting, and updating. From a BCM perspective, this means making important matters measurable and setting up your own audit structure. One can learn a lot from practice and testing, if only to learn how to create a good program that reflects the right scenarios. This way, the BCM system is brought to the next level every time.”
NH: “As Aart has indicated, there are a number of points that contribute to maturity and continuous improvement. However, people are a very important factor as well. In terms of technology, everything is possible these days. Still, in the end, the people do the work. If you don't know how to communicate with your own workers and treat them well, you can have the best plans on the table and obtain certifications, but you will lose resilience anyway. That is why I think it is important to stay in touch with everyone I work with.”