w

Competence Development
Procedure

ISO22301 Toolkit: Version 6

©CertiKit
 Competence Development Procedure

Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the
final version of the document. For more details on replacing the logo, yellow highlighted
text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document describes how to determine the necessary competence of people fulfilling
roles within the BCMS and then to assess whether they have that level of competence,
resulting in development recommendations.

Areas of the standard addressed

The following areas of the ISO22301 standard are addressed by this document:

 7 Support
o 7.2 Competence

General guidance
This procedure brings together two important aspects. First, the competences needed to
support the business continuity objectives and secondly the competences that currently
exist in the organization. Ideally the two will match but it is likely they do not, and some
action will need to be taken to bring levels up to the required standard.

There are several options to do this, and formal courses are not always needed. On the job
training or internal briefings by more experienced team members can often help to increase
skill levels without using the (often limited) training budget.

The standard requires that you assess the effectiveness of the actions taken and keep
appropriate records to show what has been done.

Review frequency
We would recommend that this document is reviewed annually in line with the timescales
of your personal performance and development reviews with staff members.

Version 1 Page 2 of 15 [Insert date]

 Competence Development Procedure

Document fields
This document may contain fields which need to be updated with your own information,
including a field for Organization Name that is linked to the custom document property
“Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info >
Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select
All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that
they are no longer updateable, you will need to click into each occurrence of the field and
press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced >
Show document content > Field shading and set this to “Always”. This can be useful to check
you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions.
This document also contains guidance on working with the toolkit documents with an Apple
Mac, and in Google Docs/Sheets.

Copyright notice
Except for any specifically identified third-party works included, this document has been
authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company
registered in England and Wales with company number 6432088.

Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available
on request, or by download from our website. All other rights are reserved. Unless you
have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the
licensee in the relevant purchase order. The standard licence terms include special terms
relating to any third-party copyright included in this document.

Version 1 Page 3 of 15 [Insert date]

 Competence Development Procedure

Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk.
Document templates are intended to be used as a starting point only from which you will
create your own document and to which you will apply all reasonable quality checks before
use.

Therefore, please note that it is your responsibility to ensure that the content of any
document you create that is based on our templates is correct and appropriate for your
needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using
this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or

adequacy of our document templates; assumes no duty of care to any person with respect
its document templates or their contents; and expressly excludes and disclaims liability for
any cost, expense, loss or damage suffered or incurred in reliance on our document
templates, or in expectation of our document templates meeting your needs, including
(without limitation) as a result of misstatements, errors and omissions in their contents.

Version 1 Page 4 of 15 [Insert date]

 Competence Development Procedure

Competence Development
Procedure

DOCUMENT REF BCMS-DOC-07-3

VERSION 1
DATED [Insert date]
DOCUMENT AUTHOR [Insert name]
DOCUMENT OWNER [Insert name/role]

Version 1 Page 5 of 15 [Insert date]

 Competence Development Procedure

Revision history
VERSION DATE REVISION AUTHOR SUMMARY OF CHANGES

Distribution
NAME TITLE

Approval
NAME POSITION SIGNATURE DATE

Version 1 Page 6 of 15 [Insert date]

 Competence Development Procedure

Contents
1 Introduction...............................................................................................................8
2 Competence development procedure.........................................................................9
2.1 Assess competence requirements by role.......................................................................9
2.2 Assess existing competence levels..................................................................................9
2.3 Establish competence development actions.................................................................11
2.4 Evaluate effectiveness..................................................................................................13
3 Appendix A: Required competences by role..............................................................14
3.1 Business continuity steering group...............................................................................14
3.2 Business continuity manager........................................................................................14
3.3 Business continuity administrator................................................................................15
3.4 Business process owner................................................................................................15
3.5 Business continuity auditor..........................................................................................15

Tables
Table 1: Competence level definitions..........................................................................................10
Table 2: Identifying development actions.....................................................................................12

Version 1 Page 7 of 15 [Insert date]

 Competence Development Procedure

1 Introduction
In order to protect the critical business processes of the organization it is essential that
employees and other interested parties involved in the provision of effective business
continuity have the required competences. The consequences of not having sufficient skills
available may lead to resourcing issues, failure to comply with legal requirements and
increased risk to the business e.g. in a failure to adequately prepare.
[Organization Name] places emphasis on the provision of training to meet the needs of the
business and to develop employees so that they can better fulfil their roles. Within technical
departments such as IT there is a need to ensure that specific technology skills are
developed and maintained within the team, particularly as these can change rapidly as
technology develops, for example with new releases of software, or as new systems and
controls are introduced.
The purpose of this competence development procedure is to identify whether there are
currently sufficient business continuity-related competences available in the right areas
within the organization and what skills may be required in the near future to cope with
known changes affecting [Organization Name].
In order to do this, the required levels of competence for each business continuity role must
be identified and then compared with an understanding of the existing levels of competence
of those people fulfilling the roles to produce recommendations for further competence
development.
This procedure should be read in conjunction with the following documents which give
more detail about the context, scope, objectives, resourcing and roles, responsibilities and
authorities within the Business Continuity Management System (BCMS):

 Business Continuity Context, Requirements and Scope

 Business Continuity Policy
 Roles, Responsibilities and Authorities

Version 1 Page 8 of 15 [Insert date]

 Competence Development Procedure

2 Competence development procedure

The steps involved in developing appropriate competences are described in this section.

2.1 Assess competence requirements by role

The various roles and duties required to manage and improve the BCMS are described in the
document Roles, Responsibilities and Authorities and these are allocated to one or more
specific individuals within the organization. In many cases, an allocated role forms part of a
larger, more general role that the individual fulfils i.e. the individual’s time is not dedicated
purely to business continuity.

The following business continuity-related roles are specified:

 Business Continuity Steering Group

 Business Continuity Manager
 Business Continuity Administrator
 Business Process Owner
 Business Continuity Auditor

In order to fulfil the responsibilities of a role, individuals need to possess a number of key
competences at an appropriate level. Appendix A of this procedure gives an initial starting
point for the list of key competences required by each role. This list must be updated each
time this procedure is used to reflect changes to the competences needed due to
technology, organizational or other reasons. It is recommended that this is done in close
consultation with managers and the individuals themselves so that all relevant competences
are included.

In addition to identifying the competences themselves, an agreement must be reached for

the level of the competence that is required. This should be done with reference to the
competence level definitions shown in Table 1. Again, this should be done in consultation
with appropriate advisors.

Consideration should be given to the existing and known future requirements of the BCMS
e.g. if specific application software is in the process of being implemented, competence in it
should be included in the relevant list under the appropriate role.

The output of this procedure step is a list of roles with their required competences and
levels of competence.

Version 1 Page 9 of 15 [Insert date]

 Competence Development Procedure

2.2 Assess existing competence levels

In order to assess the current competence levels of individuals that are to fulfil specific
business continuity-related roles, a questionnaire approach is used. The people that are to
take each role are first identified. Information about BCMS resources is available from the
document Business Continuity Management Plan which sets out the resources needed to
achieve objectives and to manage and improve the BCMS.

An appropriate questionnaire is then created for each role that includes all of the
competences that have been identified as being required for that role. The required levels
of competence should not be included within the questionnaire. All relevant staff are then
asked to complete the questionnaire as objectively as possible using the competence level
definitions shown in the table below.

SKILL SUMMARY GUIDANCE

LEVEL

0 None You have no knowledge or experience in this area, and it is not part of your role.
1 Low The competence area is used infrequently and is largely based upon observation of
how others do it, with little understanding of why specific tasks are performed.
Perhaps the competence area has only been practised for a relatively short period of
time and is not seen as part of the individual’s job role. No formal training has been
given. A general awareness.
2 Medium The competence area is regularly practiced as part of the job role, and this has
probably been the case for a long enough period for the individual to feel
comfortable doing it (more than a year). Informal and in some cases formal training
may have been received and there is an understanding of the principles behind the
skill. The individual feels competent in this area.
3 High The competence area is seen as a particular strength and is backed by significant
training, qualifications and experience over a lengthy period of time (probably more
than 3 years). The principles are fully understood, and the individual keeps up to date
with developments in this area. They may have trained others and been responsible
for developing processes and procedures and been involved in several projects which
have made use of the skill.
4 Expert The individual is externally recognised as a subject matter expert who contributes to
developments in this area and may be involved in industry events such as presenting
at conferences and seminars. He/she is held in high esteem by suppliers and
customers and may assist in developing and testing new products and services.

Table 1: Competence level definitions

Individuals’ responses should then be validated by another party, depending on the nature
of the individual’s role. This may be the individual’s manager or supervisor or in appropriate
cases a peer review method may be used. This should ensure an increased level of
consistency in the responses, as some people are more likely to over- or under-estimate
their competency levels than others. Where there is disagreement about a level of
competence, the situation should be discussed with the relevant individual to understand

Version 1 Page 10 of 15 [Insert date]

 Competence Development Procedure

the reason for the discrepancy. If there is continued disagreement, a decision should be
taken by management about which level should be used.

2.3 Establish competence development actions

Once a clear picture of required and current competences has been established for an
individual within a role, the differences can be reviewed in order to identify the need for
development actions. This may be done using a method as shown in Table 2.

In recommending development actions, one or more of the following alternatives may be

considered:

 Informal training by existing staff with a higher level of competence e.g. mentoring
 Formal training via online or classroom courses
 Recruitment of additional staff with the relevant competence(s)
 Use of third-party resources on an ad-hoc basis e.g. contractors or consultancy
 Use of third-party resources via an agreed support contract which gives guaranteed
access to the required level of competence

The choice of approach may depend on factors including available internal resources,
budget and timescales.

In some circumstances it may be decided not to take action to address a perceived shortfall
in competence e.g. if the requirement is likely to reduce or disappear in the near future due
to known changes. The risks associated with doing this should be clearly stated.

Development actions and risks that are recommended for acceptance are then put forward
to management for approval.

Version 1 Page 11 of 15 [Insert date]

 Competence Development Procedure

Name:

Role:

COMPETENCE REQUIRED ACTUAL DIFFERENCE RECOMMENDED PRIORITY

LEVEL LEVEL DEVELOPMENT ACTION

Table 2: Identifying development actions

Version 1 Page 12 of 15 [Insert date]

 Competence Development Procedure

2.4 Evaluate effectiveness

The approved actions identified to develop competence in specific individuals should be
reviewed for effectiveness both as part of employee performance reviews and regular
management reviews of the BCMS.
Once a development action has been completed, a re-assessment should be carried out to
check that it has resulted in the individual possessing the required level of competence. If
this is not the case, the reasons for this should be established and, if necessary, further
actions identified to achieve the required result.
Appropriate documented evidence should be retained of all actions carried out. This may
include training records, mentoring logs or third-party contracts.

Version 1 Page 13 of 15 [Insert date]

 Competence Development Procedure

3 Appendix A: Required competences by role

[Note: The following competences by role will need to be tailored to your organization,
including adding specific technical competences for your environment]

The following lists are intended to act as a starting point for the competences required for
each of the roles within the BCMS.

3.1 Business continuity steering group

COMPETENCE REQUIRED LEVEL

BCMS concepts, planning and control 3

Business continuity risk management 3
Business continuity policies 3
Conduct of management reviews 3
Auditing principles 2
Continual improvement 2
Business continuity incident management 2

3.2 Business continuity manager

COMPETENCE REQUIRED LEVEL

BCMS concepts, planning and control 3

Business continuity risk management 3
Conduct of management reviews 3
Auditing principles 2
Continual improvement 3
Principles of business continuity controls 3
Business continuity monitoring and reporting 3
Resource management 2
Business continuity policies 3
Organization of business continuity 3
Supplier relationships 3
Business continuity incident management 3
Compliance 3
Business impact analysis 3

Version 1 Page 14 of 15 [Insert date]

 Competence Development Procedure

3.3 Business continuity administrator

COMPETENCE REQUIRED LEVEL

BCMS concepts 2
Business continuity incident management 2
Principles of business continuity controls 2
Information backup 3
BCMS documentation management 3

3.4 Business process owner

COMPETENCE REQUIRED LEVEL

BCMS concepts 2
Business continuity incident management 2
Principles of business continuity controls 2
Business impact analysis 2
Business continuity risk management 2

3.5 Business continuity auditor

COMPETENCE REQUIRED LEVEL

ISO22301 BCMS concepts, planning and control 3

Planning, establishing, implementing and maintaining an audit programme 3
Auditing principles 3
Business continuity risk management 3
Principles of business continuity controls 3

Version 1 Page 15 of 15 [Insert date]