ISO 22301 is not universally required. Many organisations operate successfully without certification. But the population of organisations for whom ISO 22301 is either regulated, commercially required, or operationally essential is larger than most assume—and growing. The drivers come in three categories: regulatory requirements (when a law or regulator mandates BCM), commercial requirements (when clients or partners demand certification), and operational requirements (when the organisation’s risk profile makes certification the prudent choice).
In the Indonesian market, the regulatory drivers are increasingly strong. Financial institutions face OJK requirements, critical infrastructure operators face BSSN obligations, and payment system operators face Bank Indonesia requirements. Commercial drivers exist for organisations supplying regulated entities. Operational drivers affect organisations with high business continuity risk—single-site operations, complex ICT environments, critical supplier dependencies.
This article reviews the regulatory landscape, commercial drivers, and operational factors that make ISO 22301 relevant. It also examines the readiness prerequisites and the business case for certification.
Regulatory Drivers: When ISO 22301 Is Required by Law or Regulation
In Indonesia, business continuity management is mandated by regulation for specific organisation types. The Financial Services Authority (OJK) requires BCM for banks, insurance companies, and capital market participants. Bank Indonesia (BI) requires ICT continuity capability for payment system operators and critical payment infrastructure. The National Cyber and Crypto Agency (BSSN) requires ICT continuity planning for critical infrastructure operators.
These are not aspirational requirements. They are supervisory expectations assessed during regulatory examinations. Financial institutions that do not maintain active, tested BCM programmes are subject to supervisory findings and, in severe cases, enforcement action. For payment system operators, the BI requirements are explicit: critical payment systems must achieve 99.5% availability, which implies recovery capability with a 2-hour RTO.
ISO 22301 certification is not always explicitly required. But certification provides demonstrable, auditable evidence that the BCMS requirements are being met. An OJK examiner reviewing a bank’s BCM can assess a certification more efficiently than assessing a bespoke, non-certified programme. Many regulated organisations choose certification as the evidence of regulatory compliance.
| Organisation Type | Regulatory Driver | BCM Obligation | ISO 22301 Role |
|---|---|---|---|
| Banks and conventional/sharia financial institutions | OJK POJK 11/2022 | BCM policy, BIA, BCP, annual testing, IT continuity | Certification demonstrates POJK 11/2022 BCM governance compliance to OJK supervisors |
| Payment system operators and fintech | Bank Indonesia PBI 23/2021 | 99.5% availability, 2-hour RTO for critical payment systems, DR testing | Provides the BCMS governance framework for achieving and evidencing BI availability requirements |
| Insurance companies | OJK POJK 10/2022 | BCM and IT continuity requirements equivalent to banking | Certification provides consistent BCM evidence across OJK-supervised entities |
| Capital market participants | OJK POJK 57/2017 | BCM for stock exchanges, broker-dealers, custodian banks | Increasingly assessed during OJK IT examinations |
| Critical infrastructure operators (energy, telecoms, transport, water) | BSSN PP 82/2021, Presidential Reg 82/2022 | ICT continuity planning, incident response, national resilience obligations | Provides certified ICT continuity framework aligned with BSSN expectations |
| Government agencies and state-owned enterprises | Government BCM expectations post-PDNS 2024 | BCM governance, IT continuity, incident recovery | Emerging requirement in K/L and BUMN IT governance frameworks |
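The availability figure above is easier to reason about as a downtime budget. The following Python is an added example, not code from the article or from any regulator: it converts an availability target such as the 99.5% figure into the cumulative downtime it permits over a measurement window, and checks how many outages recovered within a given RTO that budget can absorb. The incident counts and the monthly measurement window are constructed assumptions for illustration, not Bank Indonesia rules.

```python
"""Availability-target arithmetic for BCM and ICT continuity planning.

Added example, not part of the original article. Turns an availability
percentage (e.g. 99.5%) into a downtime budget and tests whether an RTO
plus an assumed number of incidents fits inside it. Measurement windows
and incident counts used here are assumptions, not regulatory figures.
"""

HOURS_PER_YEAR = 8760.0   # non-leap year, 24x7 service
HOURS_PER_MONTH = 730.0   # 8760 / 12, a simplifying assumption


def downtime_budget_hours(availability_pct: float,
                          period_hours: float = HOURS_PER_YEAR) -> float:
    """Maximum cumulative downtime permitted over the measurement period."""
    if not 0 < availability_pct <= 100:
        raise ValueError("availability must be in (0, 100] percent")
    if period_hours <= 0:
        raise ValueError("period must be positive")
    return period_hours * (1 - availability_pct / 100)


def max_incidents_at_rto(availability_pct: float, rto_hours: float,
                         period_hours: float = HOURS_PER_YEAR) -> int:
    """Number of outages, each taking the full RTO to recover, the budget tolerates."""
    if rto_hours <= 0:
        raise ValueError("RTO must be positive")
    return int(downtime_budget_hours(availability_pct, period_hours) // rto_hours)


def rto_fits_budget(availability_pct: float, rto_hours: float,
                    incidents: int, period_hours: float = HOURS_PER_YEAR) -> bool:
    """True if `incidents` outages recovered within RTO stay inside the budget."""
    return incidents * rto_hours <= downtime_budget_hours(availability_pct, period_hours)


def achieved_availability_pct(downtime_hours: float,
                              period_hours: float = HOURS_PER_YEAR) -> float:
    """Availability actually delivered given observed cumulative downtime."""
    return 100 * (1 - downtime_hours / period_hours)


if __name__ == "__main__":
    target, rto = 99.5, 2.0
    # Annual view: 0.5% of 8760 h is 43.8 h, i.e. 21 full-RTO outages a year.
    print(f"annual budget  : {downtime_budget_hours(target):.1f} h, "
          f"max {max_incidents_at_rto(target, rto)} outages at {rto} h RTO")
    # Monthly view (assumed window): 3.65 h, so one 2-hour outage nearly consumes it.
    print(f"monthly budget : {downtime_budget_hours(target, HOURS_PER_MONTH):.2f} h, "
          f"max {max_incidents_at_rto(target, rto, HOURS_PER_MONTH)} outage(s)")
    # Constructed scenario: 3 outages in one month, each hitting the 2-hour RTO.
    print("3 x 2 h in one month fits:",
          rto_fits_budget(target, rto, 3, HOURS_PER_MONTH))
```

The point the numbers make for a BCM lead: meeting a 2-hour RTO is necessary but not sufficient for 99.5% availability. If the target is measured over a short window (a month is assumed here), a single outage that uses the whole RTO leaves almost no budget for a second one, so the exercise programme should test recovery well inside the RTO, not just at it.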
Commercial Drivers: When ISO 22301 Is Required by Clients
The commercial driver for ISO 22301 is increasingly peer-to-peer rather than top-down. Enterprise clients that hold ISO 22301 certification are including BCM requirements in their supplier contracts. A large bank or telecommunications company with ISO 22301 certification will ask its major suppliers, "Do you have business continuity capability for service delivery to us?" and increasingly, "Do you hold ISO 22301 certification?"
This is motivated partly by the organisation’s own auditors and certifiers, who assess supply chain BCM maturity as part of the certification audit. An enterprise client that holds ISO 22301 can expect its certification auditor to ask about supply chain BCM. The auditor will examine whether major suppliers have been assessed for business continuity capability. A certified supplier is an efficient answer.
For Indonesian technology companies, consultancies, and service providers supplying large regulated institutions or multinational enterprises, BCM certification is increasingly a contract requirement. An Indonesian fintech company supplying a major Indonesian bank, or an Indonesian IT services firm supplying an international enterprise, can expect to face BCM audit questions. ISO 22301 certification is the most efficient answer.
| KEY IDEA | The commercial driver for ISO 22301 is increasingly peer-to-peer rather than top-down. Enterprise clients that hold ISO 22301 certification are including BCM requirements in their supplier contracts, partly because their own auditors and certifiers assess their supply chain BCM maturity. An Indonesian technology company supplying services to a certified financial institution can expect to face BCM audit questions—and a certification is the most efficient answer. |
Operational Risk Drivers: When ISO 22301 Makes Business Sense
Beyond regulation and commercial requirements, operational risk factors make ISO 22301 certification prudent. Organisations that operate with high single-point-of-failure risk, complex dependencies, or critical customer commitments face genuine business continuity risk. For these organisations, ISO 22301 certification is not compliance—it is resilience.
Examples: An organisation with a single processing location faces total business interruption if that location is disrupted (fire, flood, access denial). An organisation that is highly dependent on a single supplier for a critical input faces supply chain disruption. An organisation with complex, legacy ICT systems faces long recovery times for system failures. An organisation with key-person dependencies faces loss of critical knowledge if that person leaves. An organisation with tight regulatory deadlines faces missed deadlines if normal operations are disrupted. An organisation in a rapidly growing phase faces the risk that BCPs become stale as the business changes faster than recovery plans are updated.
For these organisations, BCM is not an audit requirement—it is a business imperative. ISO 22301 certification is a mechanism to ensure that the BCM programme is rigorous, tested, and continuously improved.
| Risk Factor | Business Impact Without BCMS | Mitigation Through ISO 22301 |
|---|---|---|
| Single-site operations | Any premises disruption (fire, flood, access denial) could halt all operations with no recovery procedure | Requires alternative premises strategy and work-from-home capability as documented BCMS controls |
| Key-person dependency | Loss of a single person (death, illness, resignation) disrupts critical processes | BIA identifies key-person risks; BCMS requires documented succession and cross-training |
| Critical supplier concentration | Single supplier for a business-critical service; supplier failure = service failure | Supplier BCM assessment, dual-sourcing strategy, contractual BCM requirements |
| Complex or legacy IT infrastructure | Legacy system failures can take weeks to recover without documented procedures | ICT continuity plans with tested RTO targets and recovery runbooks |
| Highly regulated operational environment | Regulatory deadlines (tax, reporting, settlement) that cannot be missed regardless of disruption | BCPs that address regulatory deadline management during disruption |
| Rapidly growing organisation | Growth outpaces documented procedures; people, processes, and systems change faster than recovery plans | BCMS review cycle keeps BCPs current through growth phases |
When Not to Pursue ISO 22301 Certification (Yet)
Not every organisation is ready for certification. Certification requires a functioning BCMS: not just documentation, but operational capability. An organisation that has not conducted a Business Impact Analysis, or whose BCPs have not been tested and exercised, is not ready for a Stage 2 certification audit.
If the regulatory or commercial requirement is BCM governance (policy, BIA, documented BCPs) rather than certified BCMS, the organisation can build a functional BCM programme without pursuing certification. A bespoke BCM programme that meets regulatory requirements but is not certified may be appropriate. Certification is a quality assurance mechanism for the BCMS, not the only path to regulatory compliance.
| IMPORTANT | ISO 22301 certification requires a functioning BCMS—not just a plan document. Organisations that attempt certification without completing a genuine BIA, without tested BCPs, and without an exercise programme will fail the Stage 2 audit. The most common cause of failed first-attempt certifications is attempting to certify a documentation exercise rather than an operational BCM programme. If your organisation does not yet have a BIA, the first step is not certification—it is BIA. |
The Business Case: Cost, Benefit, and Timing
A typical ISO 22301 implementation programme (BIA through certification) requires 6 to 12 months of effort and investment. A financial institution with 500 staff conducting a comprehensive BIA, developing BCPs for all critical activities, implementing a training and exercise programme, and achieving certification might invest IDR 500 million to IDR 2 billion depending on complexity and internal resources. A smaller organisation with fewer critical activities and simpler recovery requirements might invest IDR 200 million to IDR 500 million.
Benefits are quantified in incident cost avoidance. A financial institution that avoids a major system outage because its ICT continuity plan was tested and effective avoids costs of millions of rupiah per hour of downtime. An insurance company that can process claims during a major disaster because it has degraded-mode procedures avoids reputational damage and client losses. An organisation that prevents key-person knowledge loss through succession planning avoids expensive turnover and learning curve costs. For regulated organisations, certification avoids supervisory findings and enforcement risk.
Optimal timing is when the organisation has the business need (regulatory requirement, client requirement, or risk mitigation), sufficient resources (personnel, budget, leadership commitment), and stability (changes to business processes, systems, or structure are not disruptive to the programme). For many Indonesian organisations, optimal timing is when the organisation is already conducting IT governance or risk management improvements. The BCMS is layered onto those existing initiatives.
| BITLION INSIGHT | The organisations that extract maximum value from ISO 22301 certification in Indonesia are those that treat it as a business capability programme with a certification as the quality assurance mechanism—not as a compliance project with documentation as the deliverable. The certification audit forces rigour. The capability it certifies provides genuine protection. The organisations that understand this are the ones whose BCPs are actually activated and followed when disruption occurs, because the plans were built to be used, not to be filed. |