Drafting effective business continuity objectives is vital to implementing ISO 22301 and developing a robust Business Continuity Management System (BCMS). However, many organisations face challenges in understanding the types of objectives, their purpose, and how to set them.
In this practical guide, we address these common issues and explain how to draft business continuity objectives that align with ISO 22301 requirements and facilitate effective measurement and management of your BCMS.
Step 1: Understand the purpose of business continuity objectives
Business continuity objectives serve as a means of measurement and management, helping your organisation steer its BCMS in the desired direction. They clarify what needs to be achieved and help gauge the effectiveness of your business continuity efforts.
Step 2: Differentiate between strategic and tactical objectives
When setting objectives, it is essential to consider both strategic and tactical levels.
Strategic objectives relate to the entire BCMS, while tactical objectives include specific targets such as Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Minimum Business Continuity Objectives (MBCOs), and exercising and testing objectives.
Depending on your organisation’s size and complexity, you may consider adding further layers of objectives at the unit or department level.
Examples of strategic objectives
- Establish a comprehensive BCMS framework that covers all critical functions and processes across the organisation.
- Ensure alignment of business continuity efforts with your organisation’s overall strategic goals.
- Obtain senior management support and commitment to allocate necessary resources for successfully implementing the BCMS.
- Foster a culture of business continuity awareness and preparedness throughout the organisation.
Examples of tactical objectives
- Set a Recovery Time Objective (RTO) of 4 hours for critical business functions to ensure minimal disruption during a disaster.
- Define a Recovery Point Objective (RPO) of no more than 1 hour to minimise data loss and ensure data integrity.
- Establish Minimum Business Continuity Objectives (MBCOs) for each department or business unit, outlining the essential functions that must be maintained during a disruption.
- Conduct regular exercises and tests to validate the effectiveness of business continuity plans and procedures.
Step 3: Apply the SMART criteria to set objectives
To create effective objectives, utilise the SMART criteria – Specific, Measurable, Achievable, Relevant, and Time-Based.
Avoid vague objectives like “implement business continuity” or “achieve resilience”. Instead, focus on specific objectives that are measurable and time-bound, like the following:
- “Comply with XYZ law/regulation by 31st December 2023, using ISO 22301 methodology” or
- “Improve recovery time by 12 hours in 2015 without incurring new costs”.
Step 4: Consider inputs and link to company strategy
When crafting business continuity objectives, begin by aligning them with your company’s overall strategy. Consider how business continuity can support achieving your organisation’s goals and competencies. Think about the benefits that business continuity brings and translate them into objectives. This exercise helps establish a clear link between your BCMS objectives and your organisation’s broader strategic direction.
Step 5: Collaborate and obtain management buy-in
Include your project team in the brainstorming process for setting objectives. Seek input from colleagues responsible for performance measurement and control, such as the controlling department. Involving key stakeholders ensures a comprehensive perspective and buy-in. Before presenting the objectives to your CEO, discuss them with your project sponsor to gain their support.
Actions to take next
- Set standards and guidelines for business continuity in your organisation by asking us to draft a business continuity policy.
- Ensure you comply with applicable laws by asking us to review your business continuity plan.
- Train your personnel on the ins and outs of business continuity by asking us to host a workshop on the topic.
- Ensure your vendors, suppliers, and contractors comply with your business continuity programme by asking us to draft the relevant contractual clauses.
- Understand the relationship between business continuity, data protection, and information security by reaching out to us for training.