The new ISO standard for crisis management: does it add value?
As many practitioners in the security and resilience space will be aware, the International Standards Organisation (ISO) has issued a new standard for Crisis Management, ISO 22361:2022, with the European Committee for Standardisation (CEN) approving it on 14 October 2022 and the British Standard being published on 30 November 2022. The British and European standards are identical to the original ISO version and supersede the previous crisis management standards PD CEN/TS 17091:2018 and BS 11200:2014 which are now both withdrawn. The European standard has been published in English, French and German and the deadline for national standards bodies to publish an identical text or to endorse EN ISO 22361:2022 is May 2023. For those who don’t yet have a copy, the ISO standard can be purchased from a national standards body which has published its own version or direct from the ISO online store.
Although this is the first ISO version of a crisis management standard, it is not the first crisis management standard by any means. The first was PAS 200:2011, published by BSI (British Standards Institute), which, although not a full standard, had all the functionality of a British Standard for the purpose of sharing good practice. In 2014, BSI published a full standard, BS 11200:2014 Crisis management – Guidance and good practice, which was the world’s first standard on crisis management. In 2018, CEN then went on to develop and publish CEN/TS 17091, principally adding more content to the leadership and training and learning sections of BS 11200, but otherwise not substantially different.
New ISO vs old BS
Many readers will be asking themselves whether they need to buy ISO 22361 if they already own a copy of BS 11200 and the simple answer is, “Yes, you do”. But if you want to have a clearer understanding of the key differences between the two, then read on and judge for yourself. For those not familiar with BS 11200, these notes will provide an overview of the new ISO and help with an appreciation of its added value.
The new introduction provides a slightly clearer overview of the standard and its purpose, with a neat diagram summarising the principles, framework and process being the real substantive addition here. Parts of the old BS introduction have been incorporated into the ‘Scope’ section of the ISO which provides a few more terms and definitions in section three, including a new definition of crisis¹, with additional notes for further definition. This section also references ISO 22300 which provides a comprehensive definition of vocabulary for security and resilience practitioners.
Context, concepts and principles
Section four of the new ISO provides a useful contextualisation of crisis management within an organisation. Although the old BS does provide commentary on the implications of the nature of crises, ISO 22361 simplifies this and puts it at the start of this section, where it is better placed. More helpful comment on ‘readiness to respond and recover’, including some input on leadership, has also been added.
These are minor improvements, however, when compared to the more significant and comprehensive re-work of the original ‘principles for crisis management’², which now form a strategic and coherent set of principles to guide organisations in developing a strategic crisis management capability. Although they cover some of the same ground, e.g., the need for effective decision-making, they also place responsibility much higher up the food chain at the governance level, making top management more accountable and providing greater strategic focus. The old BS always had strategic intent; the new ISO just goes further by providing stronger guidance and a clearer rationale.
This strategic theme continues throughout the new ISO, including through the following section (five), taking the original concept of the crisis management framework, adding substance, and providing a more coherent approach, separating the framework from the crisis management process that underpins it³.
The management process outlined is, by and large, the same as it was in the old BS with some useful adjustments to content and presentation, including the addition of a ‘prevention and mitigation’ stage between the ‘assess’ and ‘prepare’ stages. Helpfully, in the ‘prepare’ stage, the new ISO removes one of the suggestions from the old BS that the CMT should be formed from the main board. However, the suggestion that the CMT should be supported by operational and tactical teams implies that the required human resources will be available for this. The old BS made the sensible point that smaller organisations might not need this (in fact, many don’t have the resources for it), but the new ISO has eliminated this comment altogether, contributing to the feeling that the whole standard now has more of a corporate flavour.
The ‘response’ stage of the process in the new ISO adds more content, combining advice from the old BS with additional guidance, adding another useful diagram summarising the process for CMT response and closing with new commentary on the importance of an organised and timely transition from response to recovery. One thing that is perhaps not so helpful in this section is how it splits response into two sections, one with general advice given in 14 separate alphabetised points and one with six bullet points outlining the response process, with some of the items in the ‘general’ section being arguably a repetition of what is covered in the ‘process’ section.
In the new ISO, the recovery stage of the process is largely similar to the old BS guidance but with a couple of sensible additional notes around timing, strategic direction and the risk of lost opportunities. The final stage of the process – ‘continual improvement’ – provides a much clearer set of points to consider when compared to the slightly rambling though valid narrative of the old BS.
Crisis leadership and decision-making
Section six, on crisis leadership, neatly amplifies the point that an individual’s position in the organisational hierarchy should not entitle them to a CMT seat at the proverbial table, with some people simply not being immediately suited to crisis management, at least not without further training and development. This section has been substantially re-worked, with the addition of a diagram showing crisis leadership skills, as well as a welcome new sub-section covering sustainability and the well-being of responders and other interested parties. As such, it provides structured and valuable guidance on the requirements of crisis leaders. In contrast, the following section (seven), on strategic crisis decision-making, is chiefly a re-hash of the same points made in the old BS but with some worthwhile additions including notes on human behaviour, the risk of influence from certain interested parties, and the importance of maintaining a strategic focus, delegating, and avoiding micromanagement. However, the addition of a diagram outlining the flow of strategic decision-making could have been better aligned with the earlier diagram in section five which outlined the process for CMT response. Section seven would also have benefitted from some guidance on decision techniques and models for making decisions, covering questions such as how to set direction, develop options and make decisions.
There is a lot of fresh material in this section which adds real value, with useful new guidance on communication plan content, managing relationships and communication strategy. The inclusion of communicating with next of kin as an ‘interested party’, however, risks paying lip service to a critical and potentially destabilising and reputation-harming issue. This section tries to encompass all interested parties, from the media to employees, and in general this works as an external and internal communications approach; however, there are special issues to consider with regard to next of kin, who in Terra Firma’s opinion are much more than just an ‘interested party’. Where there is a sub-section specifically on media relations, the ISO would have benefitted from a sub-section on communicating with next of kin.
Training and learning
Although the old BS covered this subject well and in great detail, the revised text for the new ISO is an interesting mix of old and new, with substantial portions of the old BS interwoven with new material in a completely re-worked structure. The question is, do this new material and structure add value? Our analysis suggests that the revised structure does provide greater clarity and the additional material certainly adds to the knowledge base, although some of the language used creates complexity where simplicity would have been preferred. For example, the terms ‘validation’ and ‘assurance’, whilst understood, lack clarity and require detailed explanation, which is given but which might have been avoided by use of clearer language in the first instance. Nonetheless, this section is undoubtedly helpful in providing a more strategic approach to the subject.
A word on the old CEN vs the new ISO
The CEN standard could arguably be described as a half-way house between the old BS and the new ISO although that may not accurately portray the real differences. The significant developments in the new ISO such as the elaboration of the seven principles, the establishment of the four tenets of the crisis management framework and a well-defined and developed crisis management process are absent in the old CEN, so it would be fairer to state that the new ISO is a substantive upgrade.
The new ISO is clearly an improvement on the crisis management standards that preceded it. There are areas where additional narrative helps and others where it might just make things a bit more complicated. The beauty of the old BS was that it used simple, clear language and this is the one area where the new ISO struggles a bit. There is a lot more content to wade through and at times it feels like the new ISO is trying too hard to cover every conceivable angle. This is laudable but makes the standard slightly harder to navigate, which may make it harder for organisations to digest and apply. But that might have an unexpected bonus in that greater resources and commitment at every level will be required in order to put the standard into practice. On the whole, we believe that the advice provided by ISO 22361:2022 goes further than previous iterations in guiding organisations towards successfully adopting a strategic crisis management capability and, for that reason alone, is a welcome addition to the ISO family of standards.
This report contains general information only, and Terra Firma Risk Management is not, by means of this report, rendering professional advice and shall not be responsible for any loss whatsoever sustained by any person who relies on information provided in this report.
© 2023 Terra Firma Risk Management www.terrafirma-rm.com
1 Crisis: abnormal or extraordinary event or situation that threatens an organization (3.13) or community and requires a strategic, adaptive and timely response in order to preserve its viability and integrity. (BS EN ISO 22361:2022, Security and resilience - Crisis management – Guidelines, Section: Terms and definitions, BSI Standards Ltd, 2022, p1, clause 3.)
2 Seven principles are outlined in ISO 22361 which include Governance, Strategy, Risk Management, Decision-making, Communication, Ethics, and Learning.
3 The framework is broken down into four elements: Leadership, Structure, Culture, and Competence.