Clause 9: Performance Evaluation

Clause 9 closes the “Check” loop of the PDCA cycle. Without systematic performance evaluation, the BCMS operates without feedback and cannot improve. Monitoring measures whether BCMS activities are being executed as planned (exercises are scheduled and completed, plans are reviewed, staff are trained). Measurement quantifies BCMS effectiveness (what percentage of BCPs were current, what percentage of exercises achieved RTO, what percentage of corrective actions were closed on time). Analysis reveals trends (is capability improving or declining). And evaluation determines whether the BCMS is achieving its objectives.

The evaluation is completed through two key processes: internal audit (an independent assessment of BCMS compliance with ISO 22301) and management review (senior management’s review of BCMS performance and decisions about improvements or resource changes). Together, these ensure the organisation knows whether the BCMS is working and whether improvements are needed.


Monitoring, Measurement, Analysis, and Evaluation (9.1)

Effective monitoring and measurement requires key performance indicators (KPIs) that measure what matters. KPIs fall into two categories: activity metrics (are we doing the things we planned to do?) and outcome metrics (are the things we’re doing working?). Activity metrics are necessary (you need to conduct exercises, conduct training, review plans) but not sufficient. An organisation that conducts four exercises per year but never achieves its RTO in any of them has active BCM and zero capability.

KPIs should measure: whether critical processes have current business continuity plans, whether plans are being reviewed within their review cycle, whether exercises are being conducted as scheduled, whether exercises achieve the target outcomes (RTO achieved, communication worked, staff understood roles), whether staff in critical roles are trained and aware, whether recovery time objectives are being met, whether suppliers with critical roles have up-to-date BCM capability assessments, whether internal audit findings are being closed, and whether management review is occurring and driving decisions.

Analysis of these metrics reveals trends: Is exercise performance improving or declining? Are recovery times getting faster or slower? Is the percentage of current plans improving as the BCMS matures? Are the same gaps being found repeatedly in exercises (suggesting actions are not being implemented) or are new improvements being tested each cycle? This trend analysis is presented in the management review and informs decisions about where to focus effort.

| KPI | What it measures | Target | Data source |
|---|---|---|---|
| BCP currency rate | Percentage of BCPs reviewed within their review cycle (typically 12 months) | 100% | Document management system, BCP review log |
| Exercise completion rate | Percentage of scheduled exercises completed on schedule | 100% annually | Exercise programme schedule, exercise completion records |
| RTO achievement rate | Percentage of exercises in which the Recovery Time Objective was achieved | 90% or higher | Exercise reports, RTO measurement records |
| Corrective action closure rate | Percentage of corrective actions closed within the agreed timeframe | 95% or higher | Corrective action register, closure evidence |
| BIA currency rate | Percentage of BIAs reviewed within their review cycle | 100% | BIA review log, document management system |
| Staff awareness rate | Percentage of in-scope staff who have completed BCM awareness training | 95% or higher | HR/training records, attendance lists |
| Supplier BCM compliance rate | Percentage of critical suppliers with a current BCP assessment | 80% or higher | Supplier assessment register, assessment dates |
| Internal audit completion | Annual audit programme completed on schedule | 100% | Internal audit plan, audit completion records |
| Management review completion | Management review held at planned intervals | 100% (typically annually, at least every two years) | Management review schedule, meeting minutes |
| Incident/exercise improvement actions | Percentage of improvement actions implemented within agreed timelines | 90% or higher | Action register, implementation evidence |

KEY IDEA: BCMS KPIs should measure capability, not just activity. Counting the number of exercises conducted tells you something; measuring whether the RTO was achieved in those exercises tells you whether the BCP actually works. An organisation that conducts four tabletop exercises per year and achieves its RTO in none of them has active BCM and zero BCM capability. KPI design should prioritise outcome measures over process measures. The question is not “Are we doing business continuity?” but “Does our business continuity work?”
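The KPIs in the table are defined in words; the example below shows how four of them (BCP currency, exercise completion, RTO achievement and corrective action closure) are actually computed from the registers named as data sources, compared against the targets, and trended across two periods. It is an added illustration, not code from the page or from any BCMS tool. All records are constructed, and two definitions are assumptions made for the example: an exercise counts as “on schedule” only if it was completed on or before its scheduled date, and a trend is reported as stable when the change between periods is within one percentage point.

```python
"""KPI calculation over constructed BCMS registers (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Plan:
    name: str
    last_reviewed: date
    review_cycle_days: int = 365          # 12-month review cycle, as in the KPI table


@dataclass
class Exercise:
    name: str
    scheduled: date
    completed: Optional[date]             # None = not yet run
    rto_minutes: int                      # RTO from the BIA
    actual_minutes: Optional[int]         # measured recovery time; None = not measured


@dataclass
class CorrectiveAction:
    ref: str
    due: date
    closed: Optional[date]                # None = still open


# Targets copied from the KPI table above.
TARGETS = {"bcp_currency": 100.0, "exercise_completion": 100.0,
           "rto_achievement": 90.0, "corrective_action_closure": 95.0}


def pct(hits: int, total: int) -> float:
    return round(100.0 * hits / total, 1) if total else 0.0


def bcp_currency_rate(plans, as_of: date) -> float:
    current = [p for p in plans if (as_of - p.last_reviewed).days <= p.review_cycle_days]
    return pct(len(current), len(plans))


def exercise_completion_rate(exercises, as_of: date) -> float:
    """Activity metric: scheduled exercises that were run on or before their date (assumed definition)."""
    due = [e for e in exercises if e.scheduled <= as_of]
    on_time = [e for e in due if e.completed is not None and e.completed <= e.scheduled]
    return pct(len(on_time), len(due))


def rto_achievement_rate(exercises) -> float:
    """Outcome metric: completed, measured exercises whose recovery time was within the RTO."""
    measured = [e for e in exercises if e.completed is not None and e.actual_minutes is not None]
    achieved = [e for e in measured if e.actual_minutes <= e.rto_minutes]
    return pct(len(achieved), len(measured))


def corrective_action_closure_rate(actions, as_of: date) -> float:
    """Actions already due, closed on or before their due date. Not-yet-due actions are excluded."""
    due = [a for a in actions if a.due <= as_of]
    on_time = [a for a in due if a.closed is not None and a.closed <= a.due]
    return pct(len(on_time), len(due))


def evaluate(plans, exercises, actions, as_of: date) -> dict:
    """Return each KPI with its target and whether the target is met."""
    values = {
        "bcp_currency": bcp_currency_rate(plans, as_of),
        "exercise_completion": exercise_completion_rate(exercises, as_of),
        "rto_achievement": rto_achievement_rate(exercises),
        "corrective_action_closure": corrective_action_closure_rate(actions, as_of),
    }
    return {k: {"value": v, "target": TARGETS[k], "met": v >= TARGETS[k]} for k, v in values.items()}


def trend(previous: float, current: float, tolerance: float = 1.0) -> str:
    """Period-over-period direction; 'stable' within the assumed tolerance."""
    delta = current - previous
    if delta > tolerance:
        return "improving"
    if delta < -tolerance:
        return "declining"
    return "stable"


# ---- Constructed sample registers (invented for this example) ----
AS_OF = date(2024, 12, 31)
PLANS = [Plan("Payments", date(2024, 3, 1)), Plan("Core banking", date(2024, 6, 15)),
         Plan("Call centre", date(2023, 9, 1)), Plan("Treasury", date(2024, 11, 20))]
EXERCISES_2023 = [  # all four run on schedule, but RTO (240 min) met only once
    Exercise("2023-Q1", date(2023, 3, 15), date(2023, 3, 15), 240, 410),
    Exercise("2023-Q2", date(2023, 6, 14), date(2023, 6, 14), 240, 300),
    Exercise("2023-Q3", date(2023, 9, 13), date(2023, 9, 13), 240, 230),
    Exercise("2023-Q4", date(2023, 12, 6), date(2023, 12, 6), 240, 260),
]
EXERCISES_2024 = [  # one run a week late; RTO met three times out of four
    Exercise("2024-Q1", date(2024, 3, 13), date(2024, 3, 13), 240, 235),
    Exercise("2024-Q2", date(2024, 6, 12), date(2024, 6, 12), 240, 180),
    Exercise("2024-Q3", date(2024, 9, 11), date(2024, 9, 18), 240, 250),
    Exercise("2024-Q4", date(2024, 12, 4), date(2024, 12, 4), 240, 200),
]
ACTIONS = [
    CorrectiveAction("CA-01", date(2024, 4, 30), date(2024, 4, 10)),
    CorrectiveAction("CA-02", date(2024, 7, 31), date(2024, 9, 2)),    # closed late
    CorrectiveAction("CA-03", date(2024, 10, 31), date(2024, 10, 31)),
    CorrectiveAction("CA-04", date(2025, 2, 28), None),                # not yet due
    CorrectiveAction("CA-05", date(2024, 11, 30), None),               # overdue
]

if __name__ == "__main__":
    for kpi, r in evaluate(PLANS, EXERCISES_2024, ACTIONS, AS_OF).items():
        print(f"{kpi:28s} {r['value']:6.1f}%  target {r['target']:5.1f}%  {'MET' if r['met'] else 'GAP'}")
    print("RTO achievement trend 2023->2024:",
          trend(rto_achievement_rate(EXERCISES_2023), rto_achievement_rate(EXERCISES_2024)))
```

Run as a script it prints the 2024 KPI results against target and the RTO trend. The 2023 data is the page's warning case in numbers: exercise completion is 100% (the activity metric looks perfect) while RTO achievement is 25% (the outcome metric shows the plans do not work); 2024 shows the outcome improving even though one exercise slipped its date. Note also that corrective action closure excludes actions not yet due, so a register full of freshly raised actions does not flatter the rate.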


Internal Audit (9.2)

Internal audit is an independent, systematic assessment of whether the BCMS is compliant with the requirements of ISO 22301 and whether it is being effectively implemented. An audit programme is established that covers all requirements of the standard (Clauses 4–10), all critical processes, all critical activities, and all relevant departments or business units. The audit frequency is planned — typically annually, or more frequently for critical processes.

Auditors conducting the internal audit must be competent in ISO 22301 requirements and in audit methodology, and they must be independent (auditing areas different from their normal responsibilities). An internal auditor from the BCM team can audit departments, but the BCM programme should be audited by someone independent of the programme. Large organisations may use internal audit functions; smaller organisations may use external consultants.

The audit scope includes whether BCMS requirements are being met (scope is defined, policy is current, objectives are established, roles are clear), whether processes are being executed (BIAs are current, risk assessments are updated, exercises are scheduled and conducted, training is completed), whether documented information exists and is managed properly, and whether the BCMS is integrated into how the organisation operates. Audit findings are classified as conformities (requirement is met), minor nonconformities (requirement not fully met but systematic non-compliance is not evident), and major nonconformities (requirement is not met or systematic non-compliance is evident).


Management Review (9.3)

The management review is the governance mechanism through which the organisation’s leadership periodically evaluates the BCMS, assesses whether it is achieving its objectives, identifies improvements needed, and makes resource decisions. It is not a status report from the BCM team; it is an active engagement by management with evidence of BCMS performance.

A compliant management review covers mandatory inputs: the status of actions from the previous management review (showing follow-through on decisions), changes in the organisation or external environment that affect the BCMS, BCMS performance metrics and KPIs, internal audit findings and status of corrective actions, external audit or compliance examination findings (if applicable), results of monitoring and measurement, exercise results and findings, actual disruption event analysis (if applicable), feedback from interested parties (regulators, clients, suppliers), and opportunities for improvement.

The management review must produce outputs: decisions and actions (decisions must be recorded, not just discussed), approved changes to the BCMS or its objectives, approved improvements, approved resource allocation changes, and communication of decisions to relevant staff. A management review that produces no decisions is not fulfilling its Clause 9.3 purpose. An auditor will ask to see management review minutes; if those minutes show no decisions, it is an audit finding.

| Management review input | Source | Expected management output |
|---|---|---|
| Status of actions from previous reviews | Previous management review minutes and action log | Confirmation of action completion or explanation of delays; decision on extended actions |
| Changes affecting the BCMS | Organisational change register, strategic planning documents, regulatory updates | Scope changes required; policy updates needed; objectives updated |
| BCMS performance and KPI results | Monitoring and measurement data, KPI dashboard | Assessment of whether KPI targets are being met; decision on resource needs if gaps exist |
| Nonconformities and corrective actions | Internal audit report, audit follow-up log, exercise findings | Status of corrective action implementation; decision on root cause analysis if actions are not closing |
| Monitoring and measurement results | Ongoing metrics, exercise records, training completion data | Assessment of BCMS effectiveness; identification of trends (improving/declining) |
| Internal audit results | Internal audit report, audit schedule | Response to findings; approval of corrective action plans; decision on audit resource needs |
| Exercise and test results | Exercise reports, RTO achievement data, post-exercise reviews | Assessment of capability; decision on which improvements to prioritise |
| Disruption event post-incident reviews | Actual incident records, post-incident review analysis | Lessons learned; major improvements to plans or strategy if the incident revealed gaps |
| Feedback from interested parties | Regulatory examinations, client feedback, supplier feedback, insurance reviews | Regulatory compliance gaps to address; client concerns about capability; decisions on external expectations |
| Opportunities for improvement | Exercise findings, audit observations, incident analysis, staff suggestions, technology developments | Improvement initiatives to be undertaken; resource allocation for capability enhancements |

IMPORTANT: Management review is not a status report from the BCM team to management. It is a governance activity in which top management actively reviews evidence of BCMS performance and makes decisions about objectives, resources, and improvements. An ISO 22301 auditor will ask to see management review minutes. Those minutes should show: who attended (must be top management or equivalent, not just BCM staff); what was reviewed (all mandatory inputs); what was decided (specific decisions, not vague commitments); what actions were approved (with owners and deadlines); and what resources were allocated. If management review produces no visible decisions, it has not fulfilled its Clause 9.3 purpose.


Demonstrating BCMS Effectiveness to Regulators and Clients

Clause 9 outputs are the primary evidence that the BCMS is functioning and achieving its objectives. This evidence is used to satisfy regulatory requirements (OJK, Bank Indonesia, BSSN), to respond to audits from clients or enterprise audit functions, and to support certifications such as ISO 22301 certification. The evidence includes: KPI data showing that plans are current and exercises are being conducted; internal audit reports showing compliance with the standard; management review records showing that senior management is actively engaged; and corrective action records showing that findings are being addressed.

Regulators increasingly expect organisations to demonstrate continuity capability through evidence. An ISO 22301 certification is one form of evidence; exercise reports and KPI dashboards are others. Organisations preparing for regulatory examinations should compile Clause 9 outputs: the most recent management review, the latest KPI summary, the audit plan and recent reports, and a summary of exercise results. These demonstrate that continuity management is active and achieving its objectives.

BITLION INSIGHT: The management review is the single most important governance artefact in an ISO 22301 audit. It is the document that proves top management is engaged with the BCMS: that they review performance, make resource decisions, and direct improvements. Indonesian organisations preparing for certification should conduct at least one full management review before the Stage 1 audit and ensure the minutes capture: attendance by top management (not delegates), review of all mandatory inputs, specific decisions made, actions assigned with owners and deadlines, and clear evidence of top management engagement. Management review done well demonstrates leadership commitment, which is the foundation on which everything else rests.