In this interview, we hear from Mr Kev Brear, MSc F. ISRM, FICPEM MBCI MEPS, Consulting Partner, Global Cyber Resilience, Wipro, and Project Lead for ISO 22361, as he reflects on "Crisis 2030: Are We Ready?" He discusses International Standards, ISO Working Groups, International Standard ISO 22361 and international compliance. He joined us for the first-ever conference looking at the emergent threats that we will be facing between now and 2030. This conference brought current and future leaders together with world-renowned experts to highlight the complexity of global crisis in 2030.
International Standard Working Groups
So in 292 we are the ninth working group. And it starts at working group one, which is terminology. And then there's working group two, which looks after business continuity and organisational resilience. Working group three is emergency management; working group four eludes me at this precise moment. And then working group five is about urban resilience. And then one is around security for products. And so if you are making an expensive perfume or something like that, it needs some anti-counterfeiting markers on it. And so they produce the standards around that. And then we just go through to working group nine, and we were formed in August of this year.
International Standard 22361
So the UK produced the business continuity standard called 25999 in 2006. Whilst they were doing that work there was debate in the committee around incident and crisis, and which terms should be used. And the decision was made in that British Standard that they would go with the term "incident", and they put up a sort of footnote that some organisations may refer to the term "crisis". And that's how that debate was resolved. However, after that debate, it was felt that there was a lot of information that was relevant to crisis management that could have gone into that 25999. And so the decision was made to produce a publicly available specification which was called BSI200. And then that was published in 2011. And it was sponsored by the UK government, the Cabinet Office, who are responsible for management of crisis at the government level, and that was well received by industry, but it was very, very focused on national emergencies, blue light type responses. Industry felt that it wasn't quite right for industrial needs. And so the decision was made to revisit that document, and they produced a revised document, which was BS-11200 on crisis management, good practice and guidelines, and that was published in 2014. And that was very well received, and industry liked that document, and feedback has been very positive on that document. However, it was also noted that there wasn't much going on at European level in crisis management. The European Commission wanted to see standards on crisis management, and they produced mandate 487 from the Commission, asking for countries to produce documentation, and in support of that mandate, we then took that British Standard into the European arena, and then we improved it and that became CEN-17091. That was published in November of last year, again, well received. However, people then said, "Well, this is just the European view of the world. What about the rest of the world?"
And so the decision was made, okay, we'll elevate this to ISO, or take this to ISO. We introduced the new proposal to them, the vote was had and it was successful. And then ISO appointed me as the convener of the work group and the project team leader. And so work actually commenced in October of this year. And we had our first face-to-face meeting in Brussels, which was very well attended, with some great discussions, some good output and the programme to produce the standard. It's envisaged, so, that we should by September of next year have a committee draft that goes out for global comment, for all the national standards bodies; everyone will have to feed back their comments, their observations. And then from that, we'll take stock of what's said, revise the document,
What are International Standards?
So it's meant to be applicable to all organisations, whether they're, say, a small to medium enterprise business all the way through to big governments; the actual principles, the tenets, are transferable, and the things that one has to think about are transferable. It just comes from, sort of, scale; that becomes the issue. So, in terms of the challenges, we're looking at the sort of things that would possibly be of an existential nature to an organisation, something where, because of the impact of what happened, actually, its very existence is drawn into it, or it could be a reputational matter. And there's the potential for serious reputational damage, or, much more, to protect share value, and there's research that came out from Oxford University about 36 months ago, three years ago, that showed that after a crisis struck an organisation the share value would tumble, and then once the crisis management process kicked in, normally (there are a couple of outliers) the share price would stabilise, and then depending on how well the organisation was perceived to be managing the crisis, the share value would recover in line with how that recovery process was perceived. And, well, normally, that worked. However, they also looked at those organisations that did nothing. And they found that for those organisations that did nothing, the share value continued to plummet, and so actually, really, these sort of things have a financial value and have an importance to protect organisations. And so we're going to be talking about things perhaps like the NotPetya virus, something of that scale, for an example, yes. Something that an organisation would possibly not have normally planned for in its normal contingency planning, and it comes along and it sort of generates those strategic level challenges that they really have to sort of have that agile, adaptable, flexible type approach to.
Creation and utilisation of ISO 22361
So because we're building on a good foundation from the European document, they've given us the accelerated timetable of two years. I've been told that's an ambitious timetable. Normally these standards take about three to four years for them actually to get published, which, when one thinks about it, for something as important as this, is quite a long time really. So when we put the proposal in, we asked for the accelerated timetable, because we think the world is at a point now where that sort of guidance would be welcome. There are a number of things going on in the world, such as the fires in New South Wales, in Australia, and all sorts of challenges going on around the globe, where this information would be relevant. So we were keen to try and disseminate that information as widely as possible, as swiftly as possible.
I think in terms of the take-up and the usage, certainly for the BSI11200, it was one of the best selling standards in the BSI portfolio. So the actual take-up from it was very, very good, which was pleasing to see, because it meant that organisations were taking it on board, and the actual industry feedback that we received went into 17091, the European iteration. And again, we're getting feedback from that 17091 piece, and from 11200. And that'll go into the ISO thing; the whole process is about constant improvement, getting better. It has to be fit for purpose and do the job.
International compliance for ISO 22361
So most organisations do not have to follow ISO standards. However, in Europe, the European Union has said that where there's a CEN standard applicable, or an ISO or CEN standard relevant, then that should be referred to, so actually within the European arena these standards do actually have the weight of law behind them. Whereas across the rest of the globe, they're sort of more voluntary. And the one thing that one may see, if an organisation is subject to a civil action or litigation, is that if they can then say, "Well, we followed the international standard, we did everything that they suggested was sensible," that can possibly assist in defending litigation if they're able to show that one was being reasonably diligent and following good practice and following accepted norms. That can all help if one gets into the problem of a civil case, but generally they're not sort of written into legislation as a compliance tool.
Disclaimer: The views, information and opinions expressed in this digital product are the authors’ own and do not necessarily reflect those shared by the Geneva Centre for Security Policy or its employees. The GCSP is not responsible for and may not always verify the accuracy of the information contained in the digital products.