Stratos Lazaridis, CEO, The Marvel Academy
BUSINESS CONTINUITY MANAGEMENT (BCM) BASICS

Introduction

Whenever the definition of Business Continuity Management (BCM) is discussed in a seminar or workshop, professionals tend to equate the term with “Enterprise Risk Management”, “Risk Management”, “Crisis Management”, “Contingency Planning” and so on. This is usually followed by a discussion about the similarity of the terms and a debate about which one should be used.

Whilst it is important to recognise that there is a holistic approach to what may be termed ‘Organisational Resilience’, and that the functions supporting an organisation share commonalities and complement one another, there are also distinct differences in approach in some areas.
Business Continuity (BC) is still seen by many as a narrow specialism, or as an IT-related and IT-based function, rather than the organisation-wide discipline it has grown into.

Definition of BCM

The following definition of BC is taken from ISO 22301:2012 (Societal Security - Business Continuity Management Systems - Requirements), which defines BC as a: ‘holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organisational Resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.’

It is useful to orientate thoughts towards what BC aims to achieve, and where it fits with the other organisational resilience sub-functions, such as:
- Disaster Recovery (DR / IT continuity)
- Security Management (including both physical and electronic security)
- Risk Analysis
- Crisis Management
- Emergency management and planning.
All of the above are complementary and contribute to BC. Organisations and practitioners need to be clear about what is important and how these functions fit together.

Elliott, Swartz and Herbane (2010, 18) champion this approach and say that: ‘The value based perspective is concerned less with compliance, regulations or technology failure than with the needs of the business itself.’ Having previously considered the audit and technology motives for, and mindsets behind, BC, they consider that the value offered to the organisation by BC is evident, but go on to add that: ‘...the auditing mindset is still in existence...’ (2010, 23). If this is indeed the case, then Elliott et al.'s approach to BC, if that is what organisations should aspire to, has yet to become as embedded in organisations as would be desirable.

Key Elements of BC

Business continuity encompasses planning and preparation to ensure that an organization:
- Can continue to operate in the event of serious incidents or disasters
- Is able to recover to an operational state within a reasonably short period.
As such, business continuity includes three key elements:
- Resilience: critical business functions and the supporting infrastructure must be designed in such a way that they are materially unaffected by relevant disruptions, for example through the use of redundancy and spare capacity;
- Recovery: arrangements have to be made to recover or restore both critical and less critical business functions that fail for some reason;
- Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements prove inadequate in practice.
Typical disasters that business continuity is meant to account for include:
- Natural disasters, such as fires and floods
- Accidents caused by business personnel
- IT server crashes or virus infections
- Insolvency of key suppliers
- Negative media campaigns
- Market upheavals, such as stock market crashes.
Such disasters need not occur at the place of business to have a catastrophic impact in a globalized economy.

The management of business continuity falls largely within the sphere of quality management and risk management, with some cross-over into related fields such as governance, information security and compliance.

Risk management is an important tool for business continuity, as it provides a structured way to identify the sources of business disruption and assess their probability and impact. It is expected that all business functions, operations, supplies, systems, relationships, etc. that are critically important to achieving the organization's operational objectives are analysed and included in the business continuity plan.
Business Impact Analysis (BIA) is the generally accepted risk management term for the process of determining the relative importance or criticality of those elements; it in turn drives the priorities, planning, preparations and other business continuity management activities.
One important way to achieve business continuity is the use of international standards, programme development and supporting policies. These standards ensure that proven methods and concepts for business continuity are used. As with many quality management standards, though, adherence to a standard cannot replace the primary tasks: identifying relevant potential disasters, making plans for evacuation, buying spare machines and servers, performing backups and taking them off-site, assigning responsibility, performing drills, educating employees and remaining vigilant. Management's commitment to treat business continuity as an important topic, and to assign people to work on it, therefore remains the most important step in establishing business continuity.

"If there is no Business Continuity plan implemented and the organization in question is facing a rather severe threat or disruption that may lead to bankruptcy, the implementation and outcome, if not too late, may strengthen the organization's survival and its continuity of business activities" (Gittleman, 2013).

Standards

Several business continuity standards have been published by various standards bodies:

ISO

ISO 22301:2012, "Societal security - Business continuity management systems - Requirements", specifies a management system for an organization's business continuity arrangements. It is formal in style in order to facilitate compliance auditing and certification.
ISO 22313:2012, "Societal security - Business continuity management systems - Guidance", supports the above requirements standard and provides more pragmatic advice on business continuity management.
ISO/IEC 27031:2011, "Information security - Security techniques - Guidelines for information and communication technology [ICT] readiness for business continuity", offers guidance on the ICT aspects of business continuity management.

United Kingdom - British Standards Institute (BSI)

British Standard BS 25999 was a two-part business continuity management standard.
- “BS 25999-1:2006 Business Continuity Management. Code of Practice” offered pragmatic implementation guidance, but was withdrawn in 2012 when ISO 22313 effectively superseded it.
- “BS 25999-2:2007 Specification for Business Continuity Management” formally specified a set of requirements for a business continuity management system. It too was withdrawn in 2012 when it was (in effect) replaced by ISO 22301.

North America

NFPA 1600, "Standard on Disaster/Emergency Management and Business Continuity Programs", is published by the National Fire Protection Association.
ANSI/ASIS SPC.1-2009, "Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use", is an American National Standard under consideration for inclusion in DHS PS-Prep, a voluntary program designed to enhance national resilience in an all-hazards environment by improving private sector preparedness.

Australia

Published by Standards Australia:
- HB 292-2006: A practitioner’s guide to business continuity management
- HB 293-2006: Executive guide to business continuity management.
In 2010, Standards Australia introduced AS/NZS 5050, which connects far more closely with traditional risk management practice. It is designed to be used in conjunction with AS/NZS 31000, which covers risk management.

Programme

A BCM programme is an ongoing management-level process to ensure that the necessary steps are regularly taken to identify probable accidents, disasters, emergencies and/or threats. It also involves:
- Assessment of the probable effect of such events
- Development of recovery strategies and plans
- Maintenance of their readiness through personnel training and plan testing.
See also Business Impact Analysis (BIA) below.

Policies

Policies are mandated by the management of an organization. They will always be performed according to a pre-set design plan, and support all business functions within the organization.

BC/BCM Plan

The components of the business continuity methodology that must be captured in a documented plan include:
- Business Resumption Plan (also called Disaster Recovery Plan or Recovery Plan): the set of documents, instructions and procedures which enable a business to respond to accidents, disasters, emergencies and/or threats without any stoppage or hindrance to its key operations.
- Purpose, scope, objectives and assumptions that were used to develop the plan.
- Key accountabilities, including the authority to invoke the plan, the instructions to follow after invocation, and a detailed communications plan.
The above components must be included in the plan to ensure efficient resumption of operations.

BC/BCM Planning

The task of identifying, developing, acquiring, documenting and testing the procedures and resources that will ensure continuity of a firm's key operations in the event of an accident, disaster, emergency and/or threat. It involves:
- Risk mitigation planning (reducing the possibility of adverse events occurring)
- Business recovery planning (ensuring continued operation in the aftermath of a disaster).

Guidelines

Guidelines are recommendations: ideally they are followed according to a pre-set design plan, but depending on the needs and requirements of the target business function they may or may not be performed, or may be altered during implementation.

Procedures

British Standard 25999-2 and the other standards mentioned above provide a specification for implementing a business continuity management system (BCMS) within an organization.

Business Impact Analysis (BIA)

The entire concept of business continuity is based on the following:
- Identification of all business functions within an organization
- Assigning a level of importance to each business function.
A Business Impact Analysis (BIA) is the primary tool for gathering this information and assigning criticality, recovery point objectives (RPO) and recovery time objectives (RTO), and is therefore part of the basic foundation of business continuity.

The BIA can be used to identify the extent and timescale of the impact on different levels of an organization. For instance, it can examine the effect of disruption on the operational, functional and strategic activities of an organization. Not only current activities but also the effect of disruption on major business changes, such as introducing new products or services, can be determined by the BIA.

Most standards require that a Business Impact Analysis be reviewed at defined intervals appropriate for each organization, and whenever any of the following occur:
- Significant changes in the internal business process, location or technology
- Significant changes in the external business environment, such as market or regulatory change.
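As an added illustration (not code from this page or from any standard), the following Python sketch scores each business function's impact over time on the operational, functional and strategic levels described above, derives a criticality tier and recovery order from those scores, and flags RTO/RPO values that cannot hold. The time horizons, the 0..4 impact scale, the severity threshold and the sample functions are all assumptions made for the example.

```python
from dataclasses import dataclass
HORIZONS_H = (1, 4, 24, 72)   # hours after disruption at which impact is scored (assumed)
LEVELS = ("operational", "functional", "strategic")   # the three levels the BIA examines
SEVERE = 3                    # assumed: on a 0..4 scale, a score >= 3 is "severe"

@dataclass
class BusinessFunction:
    name: str
    impact: dict              # level -> list of 0..4 scores, one per entry in HORIZONS_H
    rto_h: float              # recovery time objective (hours)
    rpo_h: float              # recovery point objective (hours of data loss tolerated)
    backup_interval_h: float  # how often data is actually captured (assumed input)

def worst_impact_curve(fn):
    """Highest score across the three levels at each horizon."""
    return [max(fn.impact[lvl][i] for lvl in LEVELS) for i in range(len(HORIZONS_H))]

def severe_after_h(fn):
    """First horizon at which worst-case impact is severe; None if it never is."""
    for h, score in zip(HORIZONS_H, worst_impact_curve(fn)):
        if score >= SEVERE:
            return h
    return None

def criticality(fn):
    """Tier 1: severe within 4h; tier 2: severe within 72h; tier 3: never severe."""
    h = severe_after_h(fn)
    return 3 if h is None else (1 if h <= 4 else 2)

def recovery_priority(functions):
    """Names in recovery order: lowest tier first, then earliest severe point, then name."""
    key = lambda f: (criticality(f), severe_after_h(f) or float("inf"), f.name)
    return [f.name for f in sorted(functions, key=key)]

def findings(fn):
    """Consistency checks a BIA reviewer would raise for one function."""
    out, h = [], severe_after_h(fn)
    if h is not None and fn.rto_h > h:
        out.append(f"{fn.name}: RTO {fn.rto_h}h is later than the {h}h point where impact becomes severe")
    if fn.rpo_h < fn.backup_interval_h:
        out.append(f"{fn.name}: RPO {fn.rpo_h}h is not achievable with backups every {fn.backup_interval_h}h")
    return out

# Constructed sample data (not from the page): scores per level at 1h, 4h, 24h, 72h
FUNCTIONS = [
    BusinessFunction("Order processing", {"operational": [2, 3, 4, 4], "functional": [1, 2, 3, 4], "strategic": [0, 1, 2, 3]}, 2, 0.25, 1),
    BusinessFunction("Support portal", {"operational": [1, 2, 3, 4], "functional": [0, 1, 2, 3], "strategic": [0, 0, 1, 2]}, 36, 4, 4),
    BusinessFunction("Payroll", {"operational": [0, 0, 1, 3], "functional": [0, 0, 1, 2], "strategic": [0, 0, 0, 1]}, 48, 24, 24),
    BusinessFunction("Internal wiki", {"operational": [0, 0, 1, 1], "functional": [0, 0, 0, 1], "strategic": [0, 0, 0, 0]}, 168, 24, 24),
]
```

With the sample data, order processing is tier 1 but its RPO is tighter than its backup interval, and the support portal's RTO falls after the point where its impact is already severe; both are the kind of inconsistency a BIA review is meant to surface before a plan is signed off.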
Security Management

In today's global business environment, security:
- Is the top priority in managing Information Technology
- Is mandated by law (for most organizations).
Conformance to security management requirements is investigated regularly in the form of audits. Failure to pass a security audit can have a financial impact on an organization and can lead to changes in its management.

Document Management

In large IT (information technology) environments, personnel turnover is inevitable and must be planned for as part of business continuity. The solution to the problems associated with turnover is complete and up-to-date documentation. This ensures that new personnel have the information they need to quickly become knowledgeable and productive with respect to the business functions they are tasked to support. It also implies that business-function-related documentation is largely generated (rather than written) from existing systems and managed in an automated manner.

Change Management

Regulations require that changes to business functions are documented, maintained, and traceable for auditing purposes; this is designated as "change control". This brings a level of stability to the business functions by requiring the support personnel to document and coordinate proposed changes to the underlying systems.
As this process becomes more and more automated, the emphasis will be less upon personnel control, and more upon regulatory compliance.

Audit Management

One of the most costly and time-consuming aspects of information technology management is dealing with auditors. One of the goals of business continuity is data centre automation, which includes audit management.
All modern business functions should be designed with the concept of automatically generating the requisite audit compliance information and documentation as part of conducting day-to-day business. This dramatically reduces the time and cost associated with manually producing this information.

Service Level Agreements (SLAs)

The interface between management and information technology is the Service Level Agreement (SLA). This provides a written contract stipulating the expectations of management with regard to the:
- Availability of a necessary business function
- Deliverables that information technology provides in support of that business function.

Communication Systems

Another component of business continuity is communication in times of duress. Members of the Disaster Recovery (DR) team must be able to communicate effectively among themselves, as well as with managers, directors, customers, partners and even the media.
In order to avoid some of the potential problems associated with disrupted communication channels, the Business Continuity Plan (BCP) should name a Lead Manager who is in charge of:
- All communications in that area
- Cooperation of executives and public relations personnel
- Scheduled exercises to test the BCP.