AI | 28 April 2026 | 4 min read | ISO Xpert Team | Last updated 28 April 2026

Why Most Resilience Plans Fail Before a Crisis: 5 Takeaways from ISO 22301 Clause 6.1

For many organizations, business continuity is treated as a "check-the-box" compliance exercise—a library of binders gathering dust until a disaster strikes. This reactive stance is a hallmark of a fragile system. As a Lead Auditor, I frequently see well-funded plans crumble because leadership focused on the disaster but neglected the health of the management system meant to handle it.

ISO 22301 Clause 6.1 is the "backbone" of the Business Continuity Management System (BCMS). It bridges the gap between high-level leadership intent (Clause 5) and operational execution (Clause 8). To move beyond superficial paperwork, organizations must understand that Clause 6.1 isn’t just about listing fears; it’s about systematically identifying risks and opportunities to ensure the system achieves its intended outcomes.

1. You’re Probably Confusing System Risks with Operational Risks

A fundamental error that leads to audit findings is the failure to distinguish between BCMS risks and operational risks. These are not interchangeable, and confusing them is a sign of a weak planning process.

If you only plan for the disaster, you ignore the rot in the system meant to manage it. An auditor will look for how you manage the risk of a "single point of failure in recovery resources" or "lack of leadership engagement," as these directly threaten the achievement of your continuity objectives.

"BCMS risks focus on the system’s capability—not the incident itself."

2. Identification is a Waste of Time Without Action (and Opportunities)

Clause 6.1 explicitly requires that risk and opportunity identification must lead to planned actions. From an auditor’s perspective, risk identification without action is a nonconformity. If an organization identifies a critical gap in its BCMS but has no treatment plan or implementation timeline, it is failing the "Plan" phase of the PDCA cycle.

Furthermore, Clause 6.1 is not just a defensive requirement. A "Strategist" looks for opportunities to enhance resilience. This might include:

In an audit, if you cannot show how you have integrated these actions into your BCMS processes, you risk a Major Nonconformity (the total absence of an effective process) or a Minor Nonconformity (an inconsistent application of the process).

"Risk identification without action is nonconformity."

3. The "Mandatory" Risk Register is a Myth (But You Still Need One)

Strictly speaking, ISO 22301 does not mandate a document specifically titled "Risk Register." However, a Lead Auditor will demand evidence of traceability. The absence of a risk register is acceptable only if risks and opportunities are clearly addressed elsewhere, such as in Management Review minutes, change management records, or dedicated improvement plans.

In practice, the risk register is the gold standard for audit evidence. A "red flag" for any auditor is a static register—one that hasn’t been updated in a year or lacks defined owners. To pass muster, your evidence must show that risks are linked to your organizational context (Clause 4.1) and the requirements of interested parties (Clause 4.2).

Pro-Tip: During an interview, I won’t just look at your list; I will ask: "How do you know these actions actually worked?" If your register doesn't include a status update or a link to an effectiveness review, the chain is broken.

4. If Everything is High Risk, Nothing Is

True resilience requires "Risk-Based Thinking." This concept is designed to prevent resource exhaustion by ensuring that risks are prioritized and resources are allocated proportionately.

Risk-based thinking allows for justified decision-making regarding risk treatment. ISO 22301 allows you to Avoid, Reduce, Share, or even Accept a risk. However, there is a critical distinction: Acceptance must be informed and approved—not accidental. Accidental risk acceptance is simply negligence. When an auditor sees a "High Risk" item with no action and no sign-off from top management, it demonstrates a failure of the system's strategic layer.

"If everything is high risk, risk-based thinking has failed."

5. The Secret Auditor's Chain (Traceability)

Lead Auditors use a specific "Audit Traceability Technique" to see if your BCMS is a living system or just a "paper tiger." We follow a thread from the beginning to the end:

The most common point of failure is Step 5: Effectiveness Review. Many organizations implement an action but never go back to verify if it actually reduced the risk or seized the opportunity. If the chain breaks here, it is a clear sign that the system is superficial.

Conclusion: Moving Beyond the Paperwork

Ultimately, Clause 6.1 is the "brain" of your BCMS. Its purpose is to ensure the system achieves its intended outcomes: preventing undesired effects and driving continual improvement. It transforms risk management from a passive list of disasters into a dynamic roadmap for organizational health.

If you want to survive an audit—and more importantly, a crisis—you must ask yourself:

Is your risk management a static list of fears, or is it a dynamic roadmap for improvement?
