Processing Payment

DRI Logo

  • Take Courses
  • Get Certified
  • Attend Events
  • Explore Resources
  • The Foundation
  • On-Demand Training

We offer a mix of in-person and online, instructor-led courses. Search courses for more information.

  • Business Continuity
  • Business Continuity Review
  • Advanced Continuity
  • Mastering Business Continuity
  • Continuity Audit
  • Auditing a Business Continuity Program: ISO 22301
  • Auditing a Business Continuity Program: NFPA 1600
  • Cyber Resilience
  • Cyber Resilience Review
  • Healthcare Continuity
  • Business Continuity for Healthcare
  • Business Continuity for Healthcare Review
  • Public Sector Continuity
  • Public Sector Continuity Review
  • Risk Management
  • Risk Management for Business Continuity
  • Risk Management for Business Continuity Review
  • BCOE 0100: Understanding Professional Practice One
  • BCOE 0200: Understanding Professional Practice Two
  • BCOE 0300: Understanding Professional Practice Three
  • BCOE 0400: Understanding Professional Practice Four
  • BCOE 0500: Understanding Professional Practice Five
  • BCOE 0600: Understanding Professional Practice Six
  • BCOE 0700: Understanding Professional Practice Seven
  • BCOE 0800: Understanding Professional Practice Eight
  • BCOE 0900: Understanding Professional Practice Nine
  • BCOE 1000: Understanding Professional Practice Ten
  • Instructor-Led Training
  • Healthcare Continuity Review
  • Risk Management Continuity Review
  • Master's Case Study Review
  • IT Disaster Recovery Planning
  • Crisis Communications
  • Business Continuity for Insurance Professionals
  • Managing BC Team Burnout
  • Business Continuity Metrics
  • Exercising a Business Continuity Plan
  • What's New in Business Continuity?
  • Business Impact Analysis
  • Pandemic Preparedness for Organizations
  • Business Continuity Overview
  • Professional Examinations
  • Qualifying Exam 2017 Version - Arabic
  • Qualifying Exam 2017 Version - English
  • Qualifying Exam 2017 Version - English (ADA Compliant)
  • Qualifying Exam 2017 Version - Español
  • Qualifying Exam 2017 Version - Français
  • Qualifying Exam 2017 Version - Hebrew
  • Qualifying Exam 2017 Version - Italian
  • Qualifying Exam 2017 Version - Japanese
  • Qualifying Exam 2017 Version - Português
  • Qualifying Exam 2023 Version - English
  • Qualifying Exam 2023 Version - Português
  • Master's Case Study Examination
  • Specialty Examinations
  • 2023 Audit Exam - ISO 22301
  • 2023 Cyber Resilience Exam
  • 2023 Cyber Resilience Exam-Japanese
  • Audit Exam - CSA Z1600-17
  • Audit Exam - ISO 22301
  • Audit Exam - NFPA 1600
  • Cyber Resilience Exam
  • Cyber Resilience Exam - Japanese
  • Healthcare Exam
  • Public Sector Exam
  • Risk Management Exam
  • Workshop Examinations
  • BCP BIA Exam
  • BCP BIA Exam - Español
  • BCP COMMS Exam
  • BCP EXR Exam
  • BCP IT/DR - Español
  • BCP MET Exam
  • BCP MET Exam - Español
  • BCP MND Exam

Training Overview

See a summary of all our training options one page. All courses are currently available online.

Group Training

The leader in business continuity education and certification across many industries, DRI International offers team training designed to fit the needs of every organization, from private corporations to the public sector and everywhere in-between.

Higher Education

DRI International offers colleges and universities the opportunity to familiarize their students with information on business continuity professions and certifications recognized by private and public sector organizations around the world.

  • Individual Certification
  • Organizational Certification
  • Honor Society
  • Center of Excellence in Resilience
  • Resilient Enterprise

* DRI's three levels of certification are associate certified, certified and master certified. Certifications beginning with "A" are associate, "C" certified and "M" master.-->

Certification Overview

Certification is a two-part process; verification of knowledge and confirmation of experience.

Value of Certification

A DRI International certification is the most widely recognized and respected business continuity certification in the world. DRI only certifies professionals that have demonstrated both knowledge and experience in the business continuity and/or disaster recovery profession.

Digital Badge Program

Learn more about how to unlock your DRI digital badge and display your DRI certification to enhance your online professional profile today.

Maintain Certification

Maintaining your DRI International certification carries two requirements; an annual maintenance fee as well as Continuing Education Activity Points (CEAP).

  • Annual DRI Conference
  • Agenda/Program
  • Awards of Excellence
  • Submit a Nomination
  • Past Award of Excellence Winners
  • Collegiate Conferences
  • Past Webinars
  • Resilience Excellence Summit

Learn more and register for this free online event March 1-3, 2021!

DRI DRI2021

Be a part of the premier business continuity conference. Join us at DRI2024 in New Orleans, Mar. 3-6, 2024. Registration is now open!

Meet DRI

We speak at numerous industry events around the globe and engage with our community in a variety of ways. Find out where you can meet DRI at these upcoming events.

dri2019-circle

Join us for the must-attend DRI annual conference for business continuity and resilience professionals taking place in Las Vegas, Nevada Feb 17-20, 2019.

  • Professional Practices
  • Government/Policymakers
  • Digital Badges
  • RFP Assistance
  • Drive en Español
  • Advertising in Drive
  • Scholarships
  • High School/College
  • Veterans Outreach Program
  • Women in Business Continuity Management
  • Certified Professionals
  • Certified Vendors
  • Hiring Resources
  • Hiring Guide
  • Local Language Information

Thought Leadership

Through committees and other initiatives, we publish research and insights about the profession. Explore our library and other resources.

Webinars

DRI International webinars cover vital resilience issues, engaging and informing professionals in the field. See what's coming up next and view previously broadcast presentations here.

Hiring Guide

Learn how to hire the right business continuity professionals that will enable your organization to withstand any crisis and come through even stronger with the DRI Hiring Guide. Download now.

  • Our Mission
  • Letter from the President
  • Leadership and Staff
  • Testimonials
  • Diversity and Inclusion
  • International Partners
  • United Kingdom
  • Collaborative Partner Organizations
  • DRI in the News
  • Press Releases
  • What is BCM?

What is BCM

BCM is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience.

DRI in the News

We reach out and engage as many audiences as possible using broad media coverage to provide a forum for discussion. We serve as a trusted resource to other professions and the general public.

We speak at numerous industry events around the globe and engage with our community in a variety of ways. Find out where you can meet DRI.

DRI International Accessibility Statement

DRI International is committed to ensuring that individuals with disabilities can access the content offered through our website, www.drii.org .

If you are having trouble accessing www.drii.org , you can email [email protected] for assistance. Please put "ADA Inquiry" in the subject line of your email and we will assist you.

Payment Receipt

Conference orders, business continuity management.

BCM image

What is Business Continuity Management?

Business Continuity Management is defined as a: Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. ( International Glossary for Resiliency )

wbcside image

Business Continuity Management (BCM) integrates the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology continuity) and Business Continuity (organizational/operational relocation).

Throughout the profession, definitions of Business Continuity Management abound. However, research conducted by the DRI International Glossary Committee identifies the most accurate description of Business Continuity Management as the definition from the ISO 22301 standard cited above. As part of an ongoing process to create and maintain an international glossary, the committee determined the best-in-class definitions for commonly used BCP/DR terms. Creation of the glossary document involved an independent body of highly respected volunteers examining existing recognized definitions and reaching a consensus on which source(s) reflected the most accurate meaning.

The Value of Business Continuity Management

The reasons to have a robust Business Continuity Management program are many and the scope of such a program is enterprise-wide. Here is a list of some of the top reasons that make Business Continuity Management a priority:

Legal and Regulatory Compliance

Regulation: There are over 120 regulations that mandate Business Continuity Management across a variety of industries, including but not limited to:

  • Financial Services - Federal Financial Institution's Examination Council ( FFIEC ), Financial Industry Regulatory Authority ( FINRA ), Financial Services Authority ( FSA ), among others
  • Energy - North American Electric Reliability Corporation ( NERC ) and Federal Energy Regulatory Commission ( FERC )
  • Healthcare - Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) and Joint Commission on Accreditation of Healthcare Organizations ( JCAHO )
  • International - The International Regulatory Framework for Banks ( BASEL III ) and all Central Banks have Business Continuity Management requirements

Negligence: Court decisions, the basis for common law, have ruled that "failure to prepare" as well as "failure to plan" are grounds for negligence. Negligence is defined as a part of tort or personal injury as "a failure to use that degree of care that any prudent person would use under the same or similar circumstances."

Demands by Organizations for their Vendors

Customer demand: Requests for Proposal (RFPs) now require potential vendors to demonstrate that they have Business Continuity Management programs in place.

Regulation: There are regulatory requirements that govern preparedness in the supply chain. Specifically, federally chartered banks are governed by the FFIEC and the OCC (Office of the Controller of the Currency), which charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. For healthcare organizations, the primary regulatory consideration in the supply chain is covered under HIPAA. All of these regulations call for ongoing monitoring of the third party's activities and performance.

Smart business: It is a competitive advantage for companies to have a resilient supply chain that will make them better able to respond to a disruption than their competition. This ability will make the prepared company a more attractive supplier to larger organizations that will benefit from the increased reliability of the smaller business.

To Maximize Insurance Coverage

Business Continuity Management increases an organization's ability to provide risk transfer information, including in the:

  • Analysis Phase of Business Continuity Management: Organizations conducting a Business Impact Analysis (BIA) will be able to ascertain the profit losses as well as the amount of fixed costs that must be paid in the event of an incident that triggers an insured peril. This calculation will help quantify the proper amount of Business Interruption Insurance (BI). The BIA similarly helps to calculate Contingent Business Interruption Insurance (CBI) and Supply Chain Insurance reimburses lost profits resulting from an interruption of business at the premises of a customer or supplier.
  • Strategy Phase of Business Continuity Management: Extra Expense Insurance provides for maintaining the operations of an insured item after an accident until normal operations can be restored.

Reputation and Resilience Management

Business Continuity Management can help organizations protect their reputation and increase their resilience in the face of adverse circumstances, whether internal or external. Business Continuity Management can help to protect the brand from a variety of risks, including cyber risks, deliver to customers as promised, and reduce downtime and the cost of recovery in the event of an incident.

  • Project Management
  • Application Development
  • Collaboration
  • Cloud Virtualization
  • Enterprise Apps
  • Infrastructure
  • News & Trends
  • Case Studies
  • Books for CIOs

CIO Insight Logo

Business Continuity Management (BCM) Explained

Lauren Hansen

Business continuity management (BCM) is essential for business resilience. It’s part of a company’s broader plan for handling internal or external changes that disrupt or halt a business. 

Table of Contents

What is business continuity management (BCM)?

Business continuity management is the set of proactive measures that a company takes in order to avoid loss as a result of major events that negatively impact a business. Such events include hostile mergers or acquisitions, change in leadership, natural disasters , ransomware attacks, data breaches, and other changes that impact company data and assets.

Key areas to safeguard in BCM include but are not limited to:

  • Human resources
  • Hardware and software
  • Products, both physical and intellectual property 

BCM entails several closely related activities. Some examples include disaster recovery , emergency management, incident management, and contingency planning. To maximize preparedness and resilience, some businesses purchase business interruption insurance (BII) after drafting a business impact analysis (BIA) to estimate losses for various scenarios.

In spite of doing all the right things—like applying patches to software, implementing a zero-trust policy , training employees, and other proactive security measures—a company can never completely shield itself against natural or malicious events. When an attack occurs, companies ideally have an up-to-date incident response plan (IRP) at the ready. 

A company prepares for and handles the inevitable event that shakes up one or more aspects of the company’s operations, but then what? A business continuity plan rounds out disaster planning with a focus on recovery and resilience.

For more on how current work models impact IT security, also read: Work-From-Anywhere Requires More Resilient IT

Benefits of BCM

There are many benefits to implementing BCM that make it well worth the investment. 

Reduce downtime and cost

With an effective business continuity plan in place, your business quickly snaps back into normal operations. Reduced downtime feeds into fewer losses not only in terms of revenue but also customers and employees. BCM decreases the likelihood of your business coming to a grinding halt or, worse, closing. 

The quicker your company gets back up and running, the fewer losses it suffers as a result. Implementing business continuity also safeguards your organization from becoming ensnared in litigation for negligence and potentially paying hefty fines. 

Improve reputation 

Successfully navigating a detrimental situation by protecting customer, partner, employee, and vendor data wins over the trust of parties involved. BCM puts stakeholders at ease that their data, assets, and investments are in good hands.

Gain insights

When incidents occur, they present valuable learning opportunities. Your company has the benefit of wisdom to further improve its response measures. You’ll also have a better idea of what to expect in the event of an attack on or disruption to the company’s operations.

A business continuity plan is not a one-off task. It requires continuous revision as threats and your business evolve. As your business grows and changes over time, you’ll need regular updates to your plan.

BCM use case examples

BCM is more of a priority in some industries than in others. 

Financial institutions hold a lot of sensitive information about consumer and business financials, credit information, and more. Therefore, businesses within this industry are subject to multiple governing bodies. 

For example, the Federal Financial Institutions Examination Council ( FFIEC ) enforces a set of standards that US financial institutions must adhere to. One set of standards for them to follow pertains to cybersecurity awareness and ensures institutions identify, assess, and mitigate cybersecurity risks to their businesses and their third-party service providers.  

HIPAA requires companies in the healthcare sector to protect patient privacy, data, and records. For example, HIPAA’s Security Rule declared national standards that insurance companies, medical providers, etc. must abide by to protect patient health information. This means that they need appropriate administrative, physical and technical safeguards to protect patient data. 

SaaS and the supply chain

Companies frequently vet third-party SaaS vendors, requiring a business continuity plan in order to conduct business with them. A company will want to know what preventative measures that SaaS company takes. That way, if something goes wrong, the SaaS company will have a plan to minimize down-chain disruptions. 

Read more at IT Business Edge: How to Prevent Third-Party Vulnerabilities 

Pro tips for BCM

  • Brainstorm and note as many potential, realistic scenarios as possible
  • Have a plan and back-up plans for each scenario
  • Each plan within BCM needs objectives and policies that align with those objectives
  • Measure the performance of each scenario-plan within the broader business continuity plan
  • Continuously evaluate and, if needed, revise parts of your business continuity plan
  • Invest in business continuity software to help manage and update the business continuity plans 

Not a matter of “if” but “when”: Is your business ready?

Could your company, in its current state, cope with a formidable event? Could it resume operations without missing a beat, perhaps emerge even stronger? 

The effort and foresight that you put into business continuity management will be a key factor in determining how quickly your business bounces back from a setback. 

Read next: How to Create a Business Continuity Plan

Lauren Hansen

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Latest Articles

Storage vulnerabilities: the neglected cybersecurity frontier, 7 principles of quality management, domo vs tableau: which is the better bi solution, related articles, best supply chain certifications to get in 2022, best social media crm software 2022, benefits of erp: weighing the pros and cons, how cios can support retention during the great reshuffle: interview with carter busse at workato.

CIO Insight Logo

CIO Insight offers thought leadership and best practices in the IT security and management industry while providing expert recommendations on software solutions for IT leaders. It is the trusted resource for security professionals who need to maintain regulatory compliance for their teams and organizations. CIO Insight is an ideal website for IT decision makers, systems integrators and administrators, and IT managers to stay informed about emerging technologies, software developments and trends in the IT security and management industry.

Advertisers

Advertise with TechnologyAdvice on CIO Insight and our other IT-focused platforms.

  • IT Management
  • IT Strategy
  • Privacy Policy
  • California – Do Not Sell My Information

Property of TechnologyAdvice. © 2022 TechnologyAdvice. All Rights Reserved Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Status :  Published

  • Add to cart

What is ISO 22301?

ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It provides a framework for organizations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.

Why is ISO 22301 important?

This standard is crucial for organizations to enhance their resilience against various unforeseen disruptions, ensuring continuity of operations and services. It helps in identifying risks, preparing for emergencies, and improving recovery time.

Benefits of ISO 22301

  •  Enhances organizational resilience
  • Improves risk management processes
  •  Ensures a systematic response to crises
  •   Increases trust among stakeholders

Who should use ISO 22301?

Organizations of all sizes seeking to establish a robust business continuity plan.

How does ISO 22301 integrate with other management standards?

It can be integrated with other ISO management standards, providing a comprehensive approach to organizational resilience .

Standard first page

Read sample 

General information.

  • Status  :  Published Publication date  :  2019-10 Stage : International Standard published [ 60.60 ]
  • Edition  : 2 Number of pages  : 21
  • Technical Committee : ISO/TC 292 ICS  : 03.100.01   03.100.70  
  • RSS  updates

Add to cart this standard

Iso 22301:2012.

  • ISO 22301:2019
  • 00 Preliminary
  • 10.99 2017-11-27 New project approved
  • 20 Preparatory
  • 30.00 2017-12-06 Committee draft (CD) registered
  • 30.20 2017-12-06 CD study initiated
  • 30.60 2018-02-02 Close of comment period
  • 30.92 2018-06-01 CD referred back to Working Group
  • 30.99 2018-11-01 CD approved for registration as DIS
  • 40.00 2018-11-01 DIS registered
  • 40.20 2019-01-03 DIS ballot initiated: 12 weeks
  • 40.60 2019-03-29 Close of voting
  • 40.99 2019-06-11 Full report circulated: DIS approved for registration as FDIS
  • 50.00 2019-06-14 Final text received or FDIS registered for formal approval
  • 50.20 2019-07-19 Proof sent to secretariat or FDIS ballot initiated: 8 weeks
  • 50.60 2019-09-14 Close of voting. Proof returned by secretariat
  • 60.00 2019-09-14 International Standard under publication
  • 60.60 2019-10-30 International Standard published
  • 90.20 International Standard under systematic review
  • 90.60 Close of review
  • 90.92 International Standard to be revised
  • 90.93 International Standard confirmed
  • 90.99 Withdrawal of International Standard proposed by TC or SC
  • 95.99 Withdrawal of International Standard

Corrigenda / Amendments

Iso 22301:2019/amd 1, got a question.

Check out our FAQs

Opening hours: Monday to Friday - 09:00-12:00, 14:00-17:00 (UTC+1)

  • Standards catalogue

loading

How it works

For Business

Join Mind Tools

Article • 4 min read

An Introduction to Business Continuity Management

An introduction to business continuity management and why it is so important.

By the Mind Tools Content Team

First there was contingency planning. Then there was disaster recovery. Today, the emphasis and terminology for how organizations guard against unforeseen disruptions to their business has shifted again, to ‘business continuity management’. Here we examine what this is, and why it matters.

business continuity management (bcm)

What is Business Continuity Management?

According to the Business Continuity Institute (BCI), Business Continuity Management (BCM) is:

“A holistic management process that identifies potential impacts that threaten an organization, and provides a framework for building resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.” [1]

BCM is a much broader concept than the previously favored approach of Disaster Recovery , which has tended to focus on responding to major setbacks and restoring IT systems.

Why Does BCM Matter?

Almost 20% of businesses experience a major disruption every year.[2] UK research has shown that for organizations with no form of tested Disaster Recovery or Business Continuity Plan, if disaster strikes:

  • 12% fail after five years
  • 40% fail after 18 months
  • 40% go out of business
  • only 8% survive in the long-term[3]

While some organizations rely heavily on insurance to see them through a major incident, it is important to realize that this is not a fail-safe strategy. In fact, it is estimated that when a major incident does occur, for every £1 of insured costs, uninsured costs of up to £36 can also be incurred by intangible losses, such as management time, and adverse publicity. This is sometimes referred to as ‘the loss iceberg’, because the greatest threats or costs to the organization are hidden. [4]

These statistics send out a very clear message: BCM is essential, not optional, for organizations that want to safeguard their long-term survival.

The good news is that once in place, an effective Business Continuity Plan can reduce losses by up to 90%, should an incident occur.[5]

Who Needs BCM?

The terrible events of 11 September 2001 provided a stark reminder to organizations, large and small, about the importance of comprehensive Business Continuity provision.

In New York, global financial firm Merrill Lynch, with four large downtown offices, found that after the disaster it had 9,000 staff without any office space to work in.[6] Despite being several thousand miles from the scene, 58% of UK organizations were also affected by the disaster, with one in eight experiencing serious disruption.[7]

Even though the majority of incidents that organizations face will be far less dramatic, it is advisable for all organizations to turn their attention to BCM if they haven’t already done so.

What Should BCM Cover?

BCM should assess the risks, and plan for recovery, for every conceivable disruption an organization might have to cope with. Generally these threats can be broken down into:

  • natural disasters – e.g. fire or flood
  • technical problems – e.g. systems failure or power failure
  • human error or incompetence
  • acts of malice – e.g. terrorism, arson, computer viruses
  • economic disasters – e.g. a stock market crash

Without proper BCM, such disruptions can result in:

  • loss of contracts
  • loss of reputation
  • human resources problems
  • higher insurance premiums

The ultimate worst-case scenario, of course, is that the organization will fail altogether.

What is the BCM Process?

You will find an in-depth eight-stage plan for BCM in our article 8 Steps to Business Continuity Management, but as an overview, BCM should cover the following five steps:

  • analyze your organization
  • assess the risks
  • develop a strategy
  • develop a Business Continuity Plan
  • rehearse the Plan

One aspect of BCM that merits special attention is media management. The organization that fails to communicate well with its customers, suppliers, employees or the public in a crisis risks damaging its reputation amongst these groups. This in turn can impact on profits.

Worryingly, a recent Business Continuity Institute survey revealed that only 16% of companies have a Business Continuity strategy with provision for protecting their reputation.[8]

Simple measures such as providing key staff with media training, and preparing public statements in advance of any crisis can help to avert a PR disaster.

Who Needs to Know About BCM?

For BCM to work well, it should be supported and endorsed from board level down. Internal and external stakeholders should understand what the organization’s Business Continuity Plan is, what it aims to achieve, and what is expected of everyone if an incident occurs. If only a few people in the organization know what to do during an incident, and they happen to be unavailable, the organization will immediately struggle to cope.

Keeping Your Plan Up to Date

As an organization changes, its BCP should be updated. Typical examples where changes would be necessary are when an organization expands, relocates staff, moves to new premises, or adopts new IT systems or applications. For bigger changes, such as mergers or acquisitions, a complete overhaul of BCM processes is usually necessary. It is important to test and rehearse any Plan regularly, and always when considerable changes are made.

BCM is about understanding your organization and establishing what is vital for its survival. Even a seemingly minor incident can escalate into a crisis situation if it is not anticipated, recognized and dealt with appropriately. BCM costs organizations relatively little in comparison to the potential costs of dealing with a disaster without a Continuity Plan in place.

[1] Honor, D. (2006). Continuity Central: Defining Business Continuity [online] . Available here . [Accessed 14 August 2023.]

[2][7] Expecting the Unexpected: Business Continuity in an Uncertain World [onlne]. Available here . [Accessed 14 August 2023.]

[3][4] Power, P. (2004). Preparing for a Crisis [online]. Available here . [Accessed 14 August 2023.]

[5] Naef, W.E. (2003).'Business Continuity Planning – a Safety Net for Business', Infocon Magazine 1(1). Available here .

[6] Scalet, S.D. (2002). IT Executives From Three Wall Street Companies - Lehman Brothers, Merrill Lynch and American Express - Look Back on 9/11 and Take Stock of Where They Are Now [online]. Available here . [Accessed 14 August 2023.]

[7] London Prepared (2004). Businesses Continuity Advice [online]. Available here . [Accessed 14 August 2023.]

[8] BCI. (2009). Business Continuity Research [online]. Available here . [Accessed 14 August 2023.]

Join Mind Tools and get access to exclusive content.

This resource is only available to Mind Tools members.

Already a member? Please Login here

business continuity management (bcm)

Enhance your in-demand workplace skills

Top skills - leadership, management, communication and more - are available to develop using the 3,000+ resources available from Mind Tools.

Join Mind Tools today!

Sign-up to our newsletter

Subscribing to the Mind Tools newsletter will keep you up-to-date with our latest updates and newest resources.

Subscribe now

Business Skills

Personal Development

Leadership and Management

Most Popular

Newest Releases

Article azazlu3

Locke's Goal-Setting Theory

Article aq7esry

The Speed of Trust: The One Thing That Changes Everything

Mind Tools Store

About Mind Tools Content

Discover something new today

How to do a personal swot analysis.

Spotting career opportunities and threats

How to Deal With Unfair Criticism

Handling harsh or personal criticism calmly and professionally

How Emotionally Intelligent Are You?

Boosting Your People Skills

Self-Assessment

What's Your Leadership Style?

Learn About the Strengths and Weaknesses of the Way You Like to Lead

Recommended for you

The Most Beautiful Word in the English Language

Business Operations and Process Management

Strategy Tools

Customer Service

Business Ethics and Values

Handling Information and Data

Project Management

Knowledge Management

Self-Development and Goal Setting

Time Management

Presentation Skills

Learning Skills

Career Skills

Communication Skills

Negotiation, Persuasion and Influence

Working With Others

Difficult Conversations

Creativity Tools

Self-Management

Work-Life Balance

Stress Management and Wellbeing

Coaching and Mentoring

Change Management

Team Management

Managing Conflict

Delegation and Empowerment

Performance Management

Leadership Skills

Developing Your Team

Talent Management

Problem Solving

Decision Making

U.S. flag

An official website of the United States government

The .gov means it’s official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

The site is secure. The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

  • Publications
  • Account settings
  • Advanced Search
  • Journal List
  • Springer Nature - PMC COVID-19 Collection

Logo of phenaturepg

Business Continuity Management (BCM)

Leni sagita riantini supriadi.

Department of Building, National University of Singapore, Singapore, Singapore

Low Sui Pheng

This chapter elaborates on a review of BCM. As the background, it describes the historical development of BCM and its relationships with other concepts. It will be followed by reviews on BCM as a management system, BCM’s main principles, and Business Continuity Planning overview. The next section will describe the implementation of BCM, related with regulations or standards that support the concept and the development of BCM level of preparedness. Several reviews on BC plans from various sectors are elaborated in the final part of the chapter, followed by reviewing the need for BCM in organizations based on its benefits and challenges.

Introduction

Bcm definition and development.

The Business Continuity Institute (Business Continuity Institute 2007b) defines Business Continuity Management (BCM) as an act of anticipating incidents that will affect mission-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner. Moreover, the Singapore Standard for BCM (SPRING 2008) looked at this concept as a holistic management process that identifies potential impacts which threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Foster and Dye (2005) similarly viewed BCM as the process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. In this context, top management must take the lead in driving organizational BCM with a view to garnering the collective efforts of all individuals within the organization for this purpose (Low et al. 2008a).

The main objectives of developing and implementing a BCM in an organization are (O’Hehir 1999; Health 1999):

  • To enable a focused approach in developing a business continuity plan (BCP), using a well structured and comprehensive methodology.
  • To develop a pragmatic, cost effective, and operable recovery plan, to enable the firm to achieve critical business processes during a major disruption to the firm’s operations.
  • To minimize the impact of the crisis on the firm’s operations.

Moreover, Smith (2003) stated that an effective BCM strategy should be to ensure the safety of staff, maximize the defense of the organization’s reputation and brand image, minimize the impact of business continuity events (including crises) on customers or clients, prevent impact beyond the organization, demonstrate effective and efficient governance to the media, markets and stakeholders, protect the organization’s assets, and meet insurance, legal and regulatory requirements.

Historically, BCM was developed many years ago, where this concept is an evolution of a disaster recovery approach in a firm. Its roots lie in Information Systems (IS) protection although it is argued that it has grown a long way since then. Elliott et al. (2002) developed on these theories in more details explaining that the evolution of BCM has progressed from a focused technical aspect to a broader strategic organizational requirement. They also described the evolution as being linked to three mindsets within organizations which are technology, auditing and value based mindsets. The key features of these mindsets are:

  • Technology mindset in the 1970s—The focus was on the protection of computer systems, principally hard corporate main frame systems. During the 1970s, a common assumption was that business disruptions were triggered by a technology failure; thus priority was placed on protecting hard systems such as corporate main frame systems (Prithchard 1976; Broadbent 1979; Kuong and Isaacson 1986).
  • Auditing mindset in the 1980s—Technological changes in the 1980s which moved the IT element away from main frame to end user PC responsibility, brought with it regulations, corporate legislation and policies. Auditing was needed to ensure compliance. The major focus of the auditing perspective is still on the technology, the plan itself, and how continuity can be established through protecting essential business activities.
  • Value mindset in the 1990s—This described the value-based mindset as being focused on the needs of the business, where BCM is considered to have the potential to add value to the organization. The value-based perspective departs from the technology and auditing perspectives in the assumptions that were made about the scope and purpose of BCM. The scope is perceived as constituting the entire organization including employees, who are regarded as presenting the biggest challenge in terms of implementation and management of the business continuity process. Organizational stakeholders are regarded as being the most important driver for change and BCM. The fundamental approach in this perspective is that business continuity is regarded as the integration of social and technical systems which together enable effective organizational protection (Swartz et al. 1995). Therefore, BCM not only protects but is also seen to contribute to the value adding process through more efficient systems or providing value-adding benefits to customers through superior responsiveness, reliability, and security.

According to Foster and Dye (2005), after the September 11 2001 attacks, an event that hit the World Trade Centers in New York City, many companies had realized that the world is now full of many unknown threats, requiring that business continuity plans be much broader than in the past. Significant threats are now not only confined in the categories of fire, natural disasters and some infrastructure breakdown. Threats such as terrorism, cybercrime, reliance on third-party vendors and suppliers have also become significant. Therefore, business continuity planning should require more robust prioritization efforts for business recovery, proactive development of new and innovative recovery strategies, and a greater dependence on the testing of plans. Furthermore, considerations that need strategic thinking are not only on the location decisions of a company’s own facilities, but also the location decisions of a business partner (such as supplier). All of these environmental changes take BCM into a higher level, which is more focused on building resilience.

Smith (2003) also argued that BCM is not only about disaster recovery or responding to a crisis. It should be a business-owned and driven process that unifies a broad spectrum of management disciplines. In addition, crisis and risk management are part of the fundamentals used for developing a BCM concept.

Figure 3.1 shows the difference between the old and new BCM approach. Herbane et al. (1997) described the continuum of standard and better practice of BCM and identified a number of dimensions against which practice might be assessed. The first two dimensions refer to the types of staff employed in continuity projects and to the scope of their work. Standard practice is concerned with IT systems and employs only IT staff while better practice organizations employ staff from various backgrounds on a project which is business wide in scope. In standard practice, there was little need for new structures because IT could deal with continuity. In better practice cases, new structures of coordinators were identified with responsibility for the continuity process being delegated to each business unit and the dedicated continuity team providing a supporting role. The final group of dimensions relates to the strategy. Better practice saw continuity as a strategic issue both in terms of protecting its place in the supply chain and in marketing activities.

An external file that holds a picture, illustration, etc.
Object name is 449594_1_En_3_Fig1_HTML.jpg

Old and new BCM approach. Source: Adapted from Herbane et al. (1997)

Based on these reviews, it shows that BCM has developed and evolved into a more holistic approach. It has progressed into a broader strategic organizational mindset which focuses on its business values. In the context of definition, it appears that SPRING’s (2008) definition of BCM has incorporated all of these aspects and represents the latest BCM mindset. Other BCM definition from BCI (2007b), Foster and Dye (2005), and Smith (2003) provide similar meanings of the BCM concept, which focuses on the keywords of: processes/procedures for the organization; response to incidents/threats/events; critical functions; and a planned and rehearsed manner. However, SPRING (2008) defined BCM’s critical functions in more detailed aspects which include key stakeholders, reputation, brand and value-creating activities. Moreover, it specified the management process as holistic and the responses to threats/incidents are developed as a framework for building resilience.

BCM and Other Related Concepts

BCM has been considered as part of other concepts for overcoming crisis. There are relationships between BCM and these concepts, such as risk management, crisis management, and disaster recovery.

BCM and Risk Management

There are differences between risk management and BCM. Risk management focuses on a thorough organization-wide identification and assessment of risks and evaluating risks in relation to their likelihood and impact before identifying an appropriate risk response. BCM is concerned only with events that cause a significant business disruption, where it is not mainly concerned with probability but with the impact of an event and the time required for an organization to return to normal business operations (Collier 2009). Moreover, Goh (2010) mentioned that the relationship between risk management and BCM can be partially explained by referring to the Australian Standard for risk management. BCM efforts focus on addressing those risks which are deemed not acceptable to the organization. Subsequent BCM activities are aimed at establishing the appropriate measures to address these risks. It relegates BCM as part of risk treatment. Business Continuity has been defined “to safeguard the interests of an organization and its key stakeholders by protecting its critical business functions against predetermined disruptions” (BCI 2010, p. 3). The numbers and types of critical business functions in an organization would depend on the nature of the business and its mission as reflected in its Minimum Business Continuity Objective (MBCO). Risk management in BCM should be restricted to those instances where it affects the MBCO of the organization. It is also important to note that BCM is focused on identifying vulnerabilities within organizations, especially those linked to the underlying value they support and understanding the impact of their non-availability over time on the organization (BCI 2010; Hiles 2007). Table 3.1 summarizes the comparison between risk management and BCM.

Comparison between Risk Management and BCM [adapted from BCI (2005, p. 6)]

Source: Drennan and McConnell (2007)

BCM and Crisis Management

BCM has strong links with crisis management through the incident management component. In the BCM context, incidents come in different shapes and sizes and will typically invoke the BCM plan. Crisis management is often seen as the domain of communication and public relations (PR) practitioners with the BCM practitioner in a support role, if involved at all. Crisis management is also seen as responding to non-physical as well as physical events such as financial performance and reputation tarnishing incidents (BCI 2010).

Moreover, BCM considers any disruption holistically and determines how an organization will respond to the disruption, continue its activities and recover. BCM practitioners consider the media response to an incident or crisis to be an integral part of a full business continuity (BC) programme. Regarding emergency planning that is usually included in incident management, BCM views that this planning is not only seen as the domain of services from police, fire, ambulance and local authorities, but also for the organization in general. The company that adopts BCM would have a specific emergency response team that will coordinate with other external emergency response agencies (BCI 2010).

Other relationships between BCM and crisis management were also mentioned by Elliott et al. (2002), where BCM provides principles that use a crisis management approach. A crisis management approach may be defined as one that:

  • Recognizes the social and technical characteristics of business interruption (organizations are socio-technical systems).
  • Emphasizes the contribution that managers may make to the resolution of interruptions (the importance of the human response element).
  • Assumes that managers may build resilience to business interruptions through processes and changes to operating norms and practices.
  • Assumes that organizations themselves play a major role in “incubating the potential failure” (early detection is vital).
  • Recognizes that, if managed properly, interruptions do not inevitably result in crises (the importance of preventative measures).
  • Acknowledges the impact, potential or realized, of interruptions upon a wide range of stakeholders (think beyond the impact on the organization itself) (Elliott et al. 2002).

Some studies had made a distinction between BCM and crisis management. BCM refers to the planning and implementation of systems and procedures to enable an organization to sustain normal operations in the event of a disaster or other potential interruption. It is the process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. Crisis management is viewed to be a process by which an organization deals with major unexpected events that have already happened. Crisis management focuses on the immediate activities which need to be considered when the incident occurs. At most, the crisis management planning phase deals with the first couple of hours of the incident occurring, detailing who the key decision makers are, who will talk to the customers/clients/regulators and when this will be conducted (Smith 2003; Devlin 2007; Foster and Dye 2005). In addition, BCI (2007a) defined crisis management as the role that senior management have during an incident. It includes the high level command and control aspects of identifying a crisis situation, deciding how and when to respond, communicating both internally and externally, and leading and directing the recovery process.

BCM and Disaster Recovery

According to Elliott et al. (1999), the difference between disaster recovery and BCM is primarily based on its scope. Disaster recovery is a focus on technology-based problems triggered by external factors. BCM focuses more on adding value, creating an attitudinal change throughout the organization and considering its associated stakeholder groups. It is more concerned with the continuance of the whole business in the face of any unusual or unforeseen event. Moreover, disaster recovery is the implementation of a response capability to a specific type of event that impacts the continuity of the business. BCM is responsible for the overall identification of potential events, the likelihood of the occurrence of the event, and the predicted impact on the organization. BCM puts in place plans to deal with such occurrences. Disaster recovery is essentially a plan, with supporting infrastructure, which is enacted in the event of a disaster. In this way, disaster recovery is a subset of BCM, as is contingency planning, high availability planning, and the like (McCrackan 2005).

BCM and Business Resilience

BCM is a relatively newcomer to the business disciplines; however, aspects of BCM may have always been present in organizations, under different names. The vulnerabilities in the business and operating model of an organization can be considered in seven areas, which are reputation, supply chain, information and communication, sites and facilities, people, finance and customers. The nature of the BCM approach is to provide the framework to understand how value is created and maintained within an organization and establishes a direct relationship to dependencies or vulnerabilities inherent in the delivery of that value. This approach is conducted in a holistic and cross-functional manner. A successful BCM implementation would increase an organization’s resilience, where it is defined as the ability to absorb, respond and recover from disruptions. This will eventually contribute to higher corporate performance (BCI 2010).

BCM as a Management System

BCM is a system that develops a framework of protocols and sets of procedures and instructions which give structure, order and stability to the particular function being managed. It is in line with the definition of a management system, stated by Griffith (1999), that sets out and describes, for a particular management function, the organization’s policies, strategies, structures, resources and procedures used, within the firm to manage the processes that delivers its products or services (Griffith 2011). Based on its theory development and main principles, it can be seen that BCM adopts several management mainstream theories.

In its implementation, BCM adopts the Plan-Do-Check-Act (PDCA) methodology for achieving continual improvement. The BCM policy, objectives, processes and procedures are planned, implemented, assessed, and reviewed regularly (SPRING 2008). PDCA is a key attribute within standards-based management systems that is widely used nowadays. It was established by Deming, who propounded the view of quality management within a cycle of plan-do-check-act. The theories underpinning quality management have influenced systems development and continue to form component parts of systems applications. Historically, quality management was developed from a range of traditional organizational theories such as scientific, human and classical schools of thought. These theories are also pertinent to the evolution, development and implementation of management systems (Griffith 2011).

BCM also adopts the view of complexity theory, where an organization consists of a number of components (agents) that interact with each other according to sets of rules that require them to examine and respond to each other’s behavior in order to improve their behavior (Stacey 1996). According to Griffith (2011), due to the extensive and complexity in the arrangement of business activities, processes and resourcing, a management system in an organization should establish an effective framework of responsibilities at various organizational levels. Parts of BCM principles are determining various responsibilities to the BCM members.

Based on its definition, BCM is developed and implemented in a holistic approach. The holistic perspective has much in common with systems theory. This theory viewed management system as a central part that directly supports the core business of the organization. Moreover, it is considered that a management system focuses not only on itself but also for the greater contribution that it can make to the organization (SPRING 2008; Griffith 2011; Checkland 1981).

According to Lawrence and Lorsch (1967), contingency theory suggests that organizational variables are in a complex interrelationship with one another, where environmental contingencies act as constraints and opportunities which influence the organization’s internal structures and processes. Moreover, decision making are made through considerations of all aspects and situational approach (Olum 2004; Carlisle 1976). In BCM, this approach is adopted by implementing risk analysis and business impact analysis. The consideration of risk is viewed as a key element of the system (BCI 2010).

The BCM methodology has strong links with crisis management. Crisis management is often viewed as responding to non-physical as well as physical events such as financial performance and reputation tarnishing incidents. Furthermore, the domain of communication and public relations are important in crisis management. BCM considers any disruption holistically and determines how an organization will respond to the disruption, continue its activities and recover. BCM practitioners also viewed that communication and response to public are part of a full business continuity programme (BCI 2010).

Regarding change management, it is also part of crisis management. Lawrence et al. (1976) stated that a visible crisis faced by an organization can be an important force for triggering behavioral change, although such change may have costs derived from it. Essentially, such crisis has an unfreezing impact on the members of the organization, causing them to review and analyze their current attitudes and behavior patterns. Managing change in an organization should be conducted in orderly phases which are diagnosing the problem, planning the change, launching the change, and following up on the change in the organization. In this matter, it appears that these phases are similar to the PDCA approach which is adopted by BCM (SPRING 2008; Lawrence et al. 1976).

In accordance with Griffith (2011), a general approach to planning, delivering and implementing any management system consists of the following key considerations, which BCM also provides:

  • The needs of the customer and other stakeholders.
  • The policies and objectives of the organization.
  • The organizational processes necessary to fulfill the policies and objectives.
  • The assignment of responsibilities to manage processes towards the objectives.
  • The provision of resources to attain the objectives.
  • The establishment of procedures and instructions to manage the processes.
  • The monitoring of processes to determine their efficiency and effectiveness.
  • The identification and elimination of non-conformities in the processes.
  • The encouragement of continual improvement in management of the processes.
  • The audit and review of systems to improve the overall management approach.
  • The feedback on performance to improve provision to customers through improved policies and objectives.

Furthermore, the highly influential factors to be considered in implementing a management system are as follows (Griffith 2011):

  • Organizational culture. Instilling a trusting and cooperative workforce is vital to embedding the system.
  • Involvement, which is bottom-up involvement from grassroots level in system development is essential, as is inviting contribution and feedback to management.
  • Resources, which are trained and capable managers, supervisors and workforce are essential and, as such, investments in training and system ownership should be a priority.
  • Flexibility. The system should be allowed considerable flexibility in performance upon system establishment, incrementally becoming more demanding as familiarity with its operation is developed.
  • Shared commitment. Management must develop a blame-free culture where learning and improvement are preferred to difficulty and blame.

These factors should be embedded in an organization for its BCM implementation effectiveness.

Main Principles of BCM

To implement BCM, each organization must identify the threats and assess their resulting impacts. BCM needs to address issues and concerns in six broad areas in the following order (SPRING 2008):

  • Risk analysis and review: The threats to an organization can be identified through a risk analysis and review of its internal operations and external operating environment.
  • Business Impact Analysis: The potential impact of these threats on an organization and its ability to continue business operations and service can be obtained by conducting a business impact analysis. This would include, where possible, the loss impact from both a number of days of business disruption and financial consequences.
  • Strategy: The organization determines the appropriate strategies to safeguard its interests. These strategies can be preventive or pre-emptive in nature.
  • Business Continuity Plan (BC Plan): A detailed business continuity plan should be formulated to indicate the resources and capabilities required of the organization to prepare, respond, and recover from potential threats.
  • Tests and exercises: An established BC plan shall be validated by implementing tests and exercises. These are done to highlight errors or omissions and verify if the resources committed are accessible, available and adequate for efficient and effective recovery. It also verifies whether the staff is familiar with recovery procedures, and whether the BC plan meets its recovery objectives.
  • Program management: The organization will demonstrate commitment in maintaining the currency of its plan through regular and systematic review of its risks and business impacts, regularly reviewing its BCM strategies and revalidating its BC plan. Program management serves to validate the capability of the BC plan to fulfill the plan’s objectives. Validation aims to uncover flaws in the plan design, for example any inaccuracies and incompleteness of the design of the plan.

There are four main components that must be considered in implementing BCM in an organization, which are (SPRING 2008):

  • Policies: Senior management must stipulate policies to guide BCM efforts by the staff. The policies should set out the organization’s aims, principles and approach specifying what is to be achieved or delivered, and will serve as the rationale and support for all BCM areas. In addition, policies provide the rationale for establishing the processes, people and infrastructure to support BCM on an ongoing basis.
  • Processes: The set of activities with defined outcomes, deliverables and evaluation criteria to attain the objectives of the BCM policies. They include formal change control and documentation processes.
  • People: Participation from various business units in the firm should be established to oversee BCM efforts and the skill sets of participants are crucial to the success of BCM. The roles and responsibilities of staff involved in the organization’s BCM efforts should be clearly defined.
  • Infrastructure: The organization should allocate resources to support critical business functions against potential risk events. This consistently requires a good understanding and application of available technology and equipment, and physical facilities to respond to risk occurrences.

Generally, BCM has four main processes which are developed in an organization. The processes are the initiation process (initiating the BCM concept in the firm), planning for business continuity [which produces a business continuity plan (BC Plan)], implementation (implementing the BC Plan through testing and exercising), and lastly the operational management process (maintaining and updating the BC Plan). These four processes can be divided more comprehensively into six phases which are (Pitt and Goyal 2004; Elliott et al. 2002; BCI 2010):

The fundamental critical activity required prior to the establishment of a BC Plan is obtaining senior management approval, support, and commitment. Having obtained management approval, the initial phase of the BC Plan will include establishment of the BC Plan objectives and requirements of the plan. A business continuity steering committee would normally be established. This committee is likely to be made up of senior staff within the organization who have the relevant strategic view of the firm’s operations. It is important that they also have nominated deputies who are suitably briefed and have an in-depth understanding of the BCP process.

The principal objectives of phase two relate to data gathering and review of alternative courses of action. The identification and evaluation of this information will then allow senior management to make decisions on the critical aspects of the core business. Having identified the risks, a business impact analysis should then be carried out. Karakasidis (1997) identified this as a key step in protecting an organization, and identified some of the minimum objectives as being:

  • Determine critical requirements and resources and the effects a disaster may have on the people, place, process, and premises.
  • Estimate anticipated target recovery time for each core business function and service.
  • Establish core business recovery priorities.
  • Identify key personnel, equipment, and facilities needed to support core functions.
  • Estimate costs of extended business disruption.
  • Identify resources required to develop, test, and implement BC Plan.

Essential issues to be addressed at this stage include detailed scope strategy and objectives of the plan, administration procedures, formation of business continuity committee and downstream business recovery teams, lines of communication, escalation notification and plan activation, scenario setting for plan execution, establishing BC Plan records, storage, access, and its budget.

This phase basically deals with the creation of the BC Plan. The key issues to be addressed include:

  • Emergency response procedures covering evacuation, decanting access to work areas, and access to documentation.
  • Emergency control center establishment, command and control procedures.
  • Detailed procedure for communications, delegation or designation of authority, and key stakeholders.
  • Detailed resumption, recovery, and restoration procedures.
  • External support, vendor contracts, contacts, and resources.

In order to establish the effectiveness of BC Plan, it is essential to implement a regular testing and exercise program. The key activities to be established during the testing and exercising stage will include preparation of exercise program and objectives, the details of exercise scenarios and monitoring and recording procedures, and identification of training requirements, communication channels, and induction of new staff.

Having established the need for testing and the degree of probability that a substantial number of plans might fail following the testing exercise, it is essential that the lessons learned and shortfalls documented are incorporated into the plans. The key issues to be addressed during this phase include:

  • BC Plan review criteria and objectives
  • Schedules and program of review
  • Plan distribution and security

In responding to the changing environment of a business from time to time, the maintenance and updating process should be done in a regular and continuous basis.

Based on this review, it is considered that BCM has evolved from a simple reactive disaster recovery planning, to crisis management principally driven by information technology, and finally to a more proactive comprehensive approach.

Business Continuity Planning (BCP)

The main process of BCM is Business Continuity Planning (BCP). BCP refers to the identification and protection of critical business processes and resources required to maintain an acceptable level of business, protection of such resources, and preparation of procedures to ensure the survival of the organization in times of business disruptions. Fundamentally, it seeks to mitigate the impact of a disaster by ensuring alternative mission-critical capability is available when disaster strikes. The process seeks to preserve the organization’s assets in the event of a disaster, which are its capability to achieve its mission, its operational capability, its reputation and image, its customer base and market share, and its profitability (Low et al. 2008; Hiles 2007). This is regarded as the main process due to its vital output for the firm in handling disruptions and overcoming crises. This planning process will be followed by regular monitoring and updates.

Before formulating the BCP framework, the following issues have to be considered thoroughly (Low et al. 2008a; O’Hehir 1999; Eternity Business Continuity Consultants 2007; Civil Contingencies Secretariat 2007):

  • Policy—formulating a policy statement at the managerial level to signify the company’s attitude towards a particular risk and prescribing the objectives of such a policy.
  • Methodology—analyzing the assessment processes involved in evaluating a crisis, and promoting greater commitment for the company to proceed with the plans.
  • Accountability—establishing individual accountability for managing the risk and ensuring that the nominated person has the appropriated technical expertise and authority to manage the risk.
  • Management support—determining the company’s current managerial attitude or process towards assessing and managing the risk, without which the company will not have the initiative to implement BCM in the organization.
  • Dependencies—defining the scope of the BCP clearly, so that every individual is aware of the dependencies involved, whether this is external or internal (key supplier, personnel, operating system, etc.) to successfully mitigate the specified crisis.
  • Being realistic—educating the management that a crisis brings about certain risks and to mitigate the effects, certain costs are involved. The management should be ready to accept certain risks and should be prepared to spend the necessary funds to mitigate the risks involved.
  • Future actions—determining the appropriate business processes to be implemented or to be refined, to reduce the risk to an acceptable level, and assigning responsibilities and milestones.
  • Performance measures—establishing measurement indicators to enable assessment, and monitoring the effectiveness of risk management which can be proactive or reactive. Proactive action is recommended to prevent occurrence.
  • Independent expert—appointing an internal or external, qualified, independent expert to determine the adequacy of the response to the crisis, such as through regular meetings, and reporting to higher management to signify the importance of BCM.
  • Contingency plan—establishing an alternate plan for the unforeseen circumstances not being provided for.

According to Vancoppenolle (1999) and Elliott et al. (2002), the respective elements are included in the operational flow of a company’s operations, which are: (1) Business processes (how the products and services are delivered to the client); (2) Participants (who the participants are, in the execution of the business process); and (3) Infrastructure and resources (what is used in the execution of the business process). These elements are necessary to be reviewed when analyzing a crisis during BCP.

Furthermore, upon the occurrence of a crisis, many parties could be affected (Elliott, Swartz and Herbane 2002). It could be the company management or interest groups like investors, suppliers, etc., who have direct or indirect investments in the company. The occurrence of a crisis, if not appropriately mitigated, could lead to adverse consequences such as withdrawal of funds, which is an external factor. Even though investors are not directly involved in the company’s operations, they have an indirect influence on the growth of the company. Therefore, the requirements of the various stakeholders in the organization should also be considered, which include the following (Singapore Business Federation 2003):

  • The ways and means of the employees’ livelihood protection.
  • The defined time lines for the resumption of support and services and transparency of operations in a crisis, which relate to customers and suppliers.
  • The control of the situation, cost effective solutions to handle the impact of the crisis and the effects on business resumption, and transparency of operations by managers.
  • Good corporate governance, protecting the image of the organization, and sharing of the company’s profits that linked strongly to what investors will review on the company.

Hiles (2007) stated that the company’s BCP should not be driven by eliminating risks according only to their probability, but rather be based on the effects and impacts on the business if an unexpected event were to occur. Such classification according to effects could be:

  • Failure of an individual infrastructure element, including single points of failure.
  • Longer-term interruption of a critical information flow.
  • Longer-term interruption of a critical business activity chain or business process.
  • Local longer-term business interruption.
  • Complete business interruption.

These effects from an unexpected event may cascade into larger impact levels. Some examples of these effects are damages to infrastructure elements and resources supporting the business operations. The damage can result in impacts such as unavailability of infrastructure elements or resources or loss of information. Loss of information due to a disaster is not limited to data in computers. All of the information stored in binders, folders (with, for instance, customer information), contracts, property deeds, the archives, the legally required vital records, the paper client files, the business knowledge spread over the place, and others can be lost too.

Other than impacts on business operations, the long-term impacts of such crises or events may also arise, even after the business has been resumed and operations have returned to normal. The examples of long-term impacts are: loss of market share; lower share price; lower credit rating; loss of brand value; loss of company image, public confidence and credibility; and loss of key staff. Furthermore, the rippling effects of a business interruption should never be underestimated, particularly for companies that are an integral component of a wider supply chain. When a company participating in a supply chain is hit by a disaster, this could ripple down throughout the supply chain (Hiles 2007).

BCM Implementation

Nowadays, BCM is widely used in various types of firms. Firms in banking, telecommunication, oil and gas, and retail industries had developed a BCM concept in their management systems. BCM is developed based on their respective business strategies and activities. Due to the different business environments, the firms developed different procedures for overcoming different types of crises. Some of them had also focused not only on their business continuity, but the service continuity to their customers. This shows that they had developed the program based on the value mindset (Elliott et al. 2002).

Herbane et al. (2004) also found that BCM has evolved to encompass wider participants, threats, techniques and responses. It has been applied in the financial service industry, vehicle breakdown services, gas suppliers, water utilities, supermarkets, and local authorities. All of these organizations recognize that in the face of internal and external threats to the continuity of operations, a socio-technical approach (beyond IT disaster recovery) is essential to improve business recovery from crises. They also have linked BCM to strategically important dimensions of their operations.

When implementing BCM for the first time in an organization, project management practices should be adopted. The practices of project management that may usefully be employed include the identification of deliverables, timescales and deadlines, and budget and work effort control. Other knowledge in project management such as communications, risks, procurement and human resources management are also needed for establishing effective BCM components (Business Continuity Institute 2007a).

Legislation and Standards Relating to BCM

Elliott et al. (2010) elaborated that the earliest legal provisions to influence disaster recovery and business continuity (BC) ideas can be found in the 1977 Foreign Corrupt Practices Act, which is the US financial services sector’s provision. It is often cited as an important development in firm’s reorientation of the perceived threats and impacts. Since then, the US financial services industry has developed various regulations and legal requirements to impose greater requirements on BC provisions. Although the acts do not refer specifically to BC, they specify the importance of countering the increasing risk of external threats to digital resilience, which is one of the dependencies on BCM.

Moreover, the introduction of BCM-specific regulations in the financial services sector is not only applied in the US. The Australian Prudential Regulation Authority (APRA) Standard on BCM APS 222 (for deposit taking institutions) and GPS 222 (for general insurers) published in April 2005 (APRA 2005a, 2005b) requires Australian financial institutions to implement a whole of business approach to BCM. Elsewhere, the Reserve Bank of India (RBI) set out a requirement for Indian banks to fully implement BCP, presents a planning methodology, and further specifies a template for plan content. Banks are required to submit recovery time objectives for critical systems to RBI’s Department of Banking Supervision at the end of each financial year and to report major failures and response activities or prevention measures on a quarterly basis (Parthasarathi 2005; Elliott et al. 2010).

In several countries such as United Kingdom (UK), United States of America (US), Switzerland, Australia, New Zealand and Singapore, BCM had been developed into a national standard, where every firm from various sectors is encouraged to have this system in its organization (Elliott et al. 2010). In Singapore, the SS540:2008 standard has been formally used as the standard for implementing BCM in a firm. This Singapore Standard is applicable to all organizations regardless of their size. This standard emphasizes resilience and protection of critical assets, in the human, environmental, intangible and physical domains. It focuses on continuity management and recovery of critical business functions (SPRING 2008). Up to now, Singapore is the only country in Asia that has established a BCM standard, whereas other BCM standards came from Europe, North America, and Australia (Elliott et al. 2010).

In the UK, the Business Continuity Institute (BCI) has developed a certification standard for business continuity practitioners. Besides that, a BCM standard (BS25999:1-2006) as a Code of Practice for Business Continuity Management was also published by the British Standards Institution and can be viewed as an implementation guide and a definitive text for those intending to understand BCM principles and practices in a more comprehensive manner (Business Continuity Institute 2007a). Moreover, the American Chapter of the Business Continuity Institute (BCI) and BSI America have joined forces to help businesses better prepare for disasters by encouraging the adoption of BS 25999 (Business Continuity Institute 2009). This standard is also in line with US’s national standard for business continuity, which is NFPA 1600:2007 (National Fire Protection Association 2007).

Furthermore, ISO has officially launched ISO 22301, “Societal security—Business continuity management systems—Requirements”, the new international standard for Business Continuity Management System (BCMS). ISO 22301 has been developed in 2012 to help organizations minimize the risk of business disruptions (St-Germain et al. 2012). This standard is similar to the previous BCM standards, but it has some improvements for BCM implementation such as (St-Germain et al. 2012; SPRING 2012):

  • Greater emphasis on setting the objectives, monitoring performance and metrics;
  • Clearer expectations on management; and
  • More careful planning for and preparing the resources needed for ensuring business continuity.

According to Goh (2010) and St-Germain et al. (2012), the standards from various countries have similar contents. The differences are on how the standards develop the detailed components in the BCM planning process. In general, each standard has the same BCM planning methodology, which are: Risk analysis and review; Business impact analysis (BIA); Recovery strategy; BC plan development; Testing and exercising; and Programme management (some standards incorporate project management in this phase). All of the above standards have the common objectives, which are to guide the users to recover from any disasters that have occurred in their business environment and still continuously focus on the continuity of their business processes. Furthermore, the standards also help the users in identifying the potential impacts of various disruptions to the firm and be able to prioritize the efforts in aiming to achieve resilience. Table 3.2 illustrates the main aspects of the BCM concept being grouped into six categories. These aspects are summarized from various standards.

The main aspects of BCM principles

Sources: Adapted from SS540:2008 (SPRING 2008), NFPA1600:2007 (National Fire Protection Association 2007), BS25999:2006 (BSI 2006), ANZ5050:2009 (Standards Australia 2009; Elliott et al. 2010), SS ISO 22301: 2012 (SPRING 2012)

BCM Level of Preparedness

Regarding implementing BCM in an organization, several agencies from various countries had developed assessment levels of BCM preparedness. These levels are useful to assess whether an organization has adopted a complete BCM concept or not. From understanding the position of the company within these levels, the organization gains feedback from its current BCM preparedness level and may increase its effort for a better BCM maturity level.

Levels of preparedness assessments have been proven to be an effective evaluation method (Scott 2007). In general, this type of assessment can help the organization to verify what they have achieved relative to the topic assessed. The organization’s current achievement can also be determined by describing their current activities. In addition, it can assist the organization in prioritizing the necessary improvement based on their assessment results (Peng et al. 2011; Stevanovic 2011).

The Ministry of Finance in British Columbia, Canada (MOF-BC 2007), had developed the BCM maturity assessment for every financial agency in the province. There are three levels of criteria involved, which are:

  • High maturity. This level demonstrated strong executive support for BCM, the establishment of an organization-wide structure supporting the activity, and staff responsible for BCM had a strong awareness of and compliance with core policy requirements, guidelines and procedures for BCP. BC plans for mission critical processes and business priority areas were developed and updated, and testing/exercising was ongoing, with results used to make changes. Monitoring and reporting processes were effective and efficient, and pandemic planning had been undertaken.
  • Moderate maturity. This level demonstrated strong executive support and a level of coordination within the organization to ensure progress is made towards BCM objectives, although roles and responsibilities may not be adequately defined to ensure all recovery staffs were clear on their expectations in a business interruption. Compliance with core policy was low, and BC plans for mission critical processes and business priority areas were either under construction or in need of updating. Monitoring and reporting processes were largely ad hoc and pandemic planning may have been in the commencement phase.
  • Low maturity. This is the lowest level of preparedness, where typically the organization had a lower level of executive support and BCM may not have been considered a high priority. These organizations exhibited a low level of awareness of policies and guidelines and of roles and responsibilities. Compliance with core policy was also low, and BC plans were either not developed or in need of significant updating. Pandemic planning may have been initiated, although activities to date were limited to those driven by existing OHS committees.

The Australian National Audit Office (2009) had also developed characteristics of better BCM preparedness for public sector entities. There are two levels, which are (1) Basic level, that is generally found in small, non-complex or less time-critical entities and (2) Mature level which is found in large, complex, geographically dispersed or critical entities. The characteristics that are described and assessed in each level are:

  • A BCM framework is in place.
  • Training and awareness of BC has been conducted.
  • A risk assessment has been conducted.
  • A BIA has been conducted.
  • Preparatory controls have been implemented.
  • The entity has documented and the executive has endorsed, its BC plans and framework.
  • BC testing and exercises have been conducted.
  • The entity monitors BC.

Also in Australia, Lansley and McAtee (2009) had established a six-level BCM preparedness model for companies, which are:

  • Level 1—Self-governed: BCM has not yet been recognized as strategically important by senior management.
  • Level 2—Supported self-governed: At least one business unit (BU) or corporate function has recognized the strategic importance of BC and has begun efforts to increase executive and enterprise-wide awareness.
  • Level 3—Centrally-governed: Participating BUs and departments have instituted a basic governance program, mandating at least limited compliance to standardized BCM policy, practices and processes to which they have commonly agreed.
  • Level 4—Enterprise awakening: All critical business functions (CBFs) have been identified and continuity plans for their protection have been developed across the enterprise.
  • Level 5—Planned growth: BC plans and tests incorporate multi-departmental considerations of critical enterprise business processes.
  • Level 6—Synergistic: All BUs has a high degree of BCP competency. Complex business protection strategies are formulated and tested successfully.

Smit (2005) had studied and defined another BCM maturity model that can be applied to organizations. According to the study, there are six level of BCM maturity, described as follows:

  • BCM initiated. An organization has initiated BCM if there is formal management commitment to the organization of BCM. The responsibility for BCM is covered at a sufficiently high level within the organization and an explicit BCM policy is in effect. The deliverable of the initiated stage is BCM as an initiative.
  • BCM planned. An organization reaches the stage planned if it has performed all necessary analyses and has written all relevant plans. Therefore, this stage is characterized by a BC analysis and a BC plan. The deliverable of the planned stage is BCM as a blueprint.
  • BCM implemented. Implemented stage is reached as soon as not only the measures to assure BC are planned, but also realized. This means BCM facilities have to be realized, services have been contracted and BCM tasks have to be assigned to the right people. The deliverable of the implemented stage is BCM as an implemented project.
  • BCM embedded. On the first three stages, BCM is a project. As soon as an organization reaches the embedded stage, BCM has turned into a process instead of a project. This stage is reached as soon as a maintenance process is designed; hence a maintenance plan is developed, the plan is known and available within the organization and there is awareness regarding the importance of BCM within the organization. The deliverable of the embedded state is BCM as a process.
  • BCM controlled. At the stage of BCM embedded, an organization has developed a maintenance plan and probably formulated some BCM exercises and tests. In the next stage, BCM controlled, this maintenance process is also executed as it should and exercises are done as planned for. In addition to that, the existing BCM is audited and controlled. The deliverable of the controlled stage is BCM as business as usual. If an organization has reached stage 5, it controls its existing BCM. For some organization, a BCM process that is controlled is sufficient. However, other organizations will strive for stage 6.
  • BCM optimized. If an organization has optimized its BCM, it can use its BCM as a strategic instrument, for example to gain a commercial advantage or strive for operational excellence as a business strategy. For this, a strategic approach of BCM is a requisite. Furthermore, the organization should strive for continuous improvement of their BCM and the deliverable of the optimized stage is BCM as a strategic instrument.

Furthermore, other BCM preparedness level model from a risk consulting firm in Canada (Marsh Risk Consulting 2010) had been developed. The level of preparedness with its label, overview of the preparedness level description, and the organization’s ability to respond can be seen in Table 3.3 .

Marsh BCM preparedness level

Source: Marsh Risk Consulting (2010)

Last but not least, the Singapore Business Federation (2011) provided a BCM preparedness assessment, based on the company’s level of understanding about business continuity. Red level shows that the organization has a minimal understanding of BC, whereas Yellow level shows the organization has a basic understanding of BC, and finally Green level describes the organization has an advanced understanding of BC. The assessment are conducted through rating the firm’s understanding and preparedness towards risk analysis and review, BIA, strategy development, BC plan development, tests and exercises, and programme management.

According to a study from New York University (2006), most businesses, particularly small and medium sized ones, are lacking formal BCM programs. Only one-quarter of the companies surveyed have formal, written continuity plans. Moreover, only four in those companies provided BCM training to their employees. These four companies had prepared the concept within their organization due to regulatory forces, which are risks to employees and business operations, legal liability, and insurance requirements. From this study, it is recommended that an organization should analyze its own case for BCM preparedness and invest accordingly.

Reviews of BC Plan

Various sectors have developed their BC plans based on the functions of their business and impacts that may occur from certain crises. There are general principles that can be gained from these plans that may provide insights on developing a BC plan.

BC Plan from Financial Services Sector

As mentioned before, the financial services sector is the pioneer of developing and implementing BCM. In general, the main principles that are established in their BCM policy are as follows (Monetary Authority of Singapore (MAS) 2003; Bank Van De Nederlandse Antillen (Central Bank) 2010):

The responsibility for the state of BC preparedness of an institution lies with the Board of Directors and senior management. Senior management is responsible for steering BCM with policies and strategies necessary for the continuation of CBFs. In addition, they should demonstrate that they have sufficient awareness of the risks, mitigating measures and state of readiness by way of a confirmation to the Board of Directors.

Depending on the scale and complexity of the businesses, institutions could adopt sound BCM practices that include the following components:

  • Clear BCM policy, strategy and budget.
  • Well-defined roles and responsibilities for the BCM programme.
  • BC plan comprising of detailed tasks and activities.
  • Succession plans for critical staff and senior management.
  • BIA or similar process.
  • Programme for the development, implementation, testing and maintenance of BC plan.
  • Programmes for training and awareness.
  • Emergency responses.
  • External communications and crisis management coordination programmes.
  • Coordination with external parties (including authorities, interdependent parties, etc.).

It is essential to regularly test its functionality and effectiveness. Tests will also familiarize staff with the location of the recovery site, as well as the recovery procedures. Senior management and staff should participate in these exercises and be familiar with their roles and responsibilities in the event of activation. Exercises may include:

  • Desk-top-walk-through exercise to full system test.
  • Staff call-tree activation (with and without mobilization).
  • Back-up site to back-up site exercise (including with external service providers).
  • Alternative arrangements of shared services.
  • Back-up tape restoration.
  • Retrieval of vital records.

The establishment of recovery strategies enables institutions to execute their BC plan in an orderly and predefined manner that minimizes disruption and financial loss. Recovery strategies form the basis for defining recovery time objectives of CBFs. Without these clear markers, scarce resources may be inappropriately diverted to less important activities. This may adversely affect the institutions’ reputation and survivability. Recovery time objectives may range from minutes to hours. The transparency and sharing of recovery time objectives would help improve service level expectations and understanding among institutions and further contribute towards the mitigation of interdependency risk.

When planning for the BC of CBFs, institutions should take into account the interdependencies of these business functions, and the extent to which they depend on other parties. Institutions should also understand the business processes of these parties that support their critical functions, including their BC preparedness and recovery priorities.

These financial services look to institutions to demonstrate that they have planned and catered for a wide-area disruption in their BCM. Some planning parameters that institutions may consider include the geographical concentration of institutions, transactional processing activities and dependencies on internal or external service providers. Institutions are responsible for deciding on the need to cater for multiple zones outage scenarios, taking into consideration their respective levels of critical business activities and prudent risk management policies. In addition, they should also consider broadening and deepening their BCM scope to cater for prolonged operational disruptions.

Critical staff and information are important assets that are difficult to replace quickly. Many institutions assume that the same pool of staff would be available to recover their CBFs at the recovery sites. This may not always be true as disruptions may result in the unavailability of critical staff. Also, identifying alternates to critical staff may not always reduce the risk, especially if both the primary and alternate critical staffs are housed in the same location or zone. It is important, therefore, to find the right balance between mitigating concentration risk and not losing the efficiencies gained from the centralization of business processes and critical staff.

BC Plan from Education Institutions: A Case Study

On April 16, 2007, Virginia Polytechnic Institute and State University (Virginia Tech) experienced one of the most horrific events in American university history. A double homicide had occurred, followed by a mass shooting that left 32 students and faculty killed, with many others injured, and many more scarred psychologically. Families of the slain and injured as well as the university community have suffered terribly from this event. One of the main recommendations from the tragedy is to update and improve the university’s emergency response plan. It is recommended that the plan should be more systematic, including conducting risk analysis (threat assessment) in advance and choose a level of security appropriate for the campus. Along with that, the university should update and enhance the plan where students, faculty and staff should also be trained annually about responding to various emergencies (Tridata Division 2009; Flynn and Heitzmann 2008).

In 2010, the school had developed a comprehensive emergency response and continuity plan. The brief description of the plan is as follows (Virginia Polytechnic Institute and State University 2010):

The plan outlines procedures for managing major emergencies that may have threatened the health and safety of the campus community or disrupt business operations on the local campus. It identifies individuals and departments that have a direct or supporting role in emergency response, and it provides a management structure for coordinating and deploying university resources to handle the event.

This plan consists of the basic plan, the appendices, and the emergency support function and incident annexes. The basic plan provides an overview of the university’s approach to emergency response and operations. It explains the policies, organization and tasks that would be involved with the response to an emergency. The annexes and appendices give definition to the terms and acronyms used throughout the basic plan, and are the location for any supporting figures, maps and forms. The emergency support function appendices focus on detailing the specific responsibilities, tasks and operational actions to complete a specific emergency operations function, while the incident annexes focus on any additional special planning or response needs beyond the basic response plan for particular event scenarios.

This plan applies to all of the university’s students, facilities, staff and visitors. Surrounding community in addition to the campus may be impacted by major emergencies, and if this happens, the university will further cooperate with local, state, and federal officials in their delivery of emergency services. Categories of emergencies or hazards are identified through risk assessment with significance ranking that are most likely to impact the university.

The plan’s response priorities are (1) to protect life safety; (2) to secure critical infrastructure and facilities (in priority order: buildings used by dependent population; buildings critical to health and safety; facilities that sustain the emergency response; classroom and research buildings; administrative buildings); (3) to resume teaching and research programs.

The university response to a disaster or emergency will generally involve the following phases:

  • Planning and mitigation. The process of evaluating exposures and developing or refining response plans that will assure an orderly and effective response to an emergency, and for identifying and mitigating areas of vulnerability.
  • Response. The reaction(s) to an incident or emergency in order to assess the level of containment and control activities that may be necessary.
  • Resumption. The process of planning for and/or implementing the resumption of critical business operations immediately following an interruption or disaster. During this phase, more in-depth forecasts of the impact will be available, and university-wide priorities for program resumption will be determined.
  • Recovery/restoration. The process of planning for and/or implementing recovery of non-critical business processes and functions after critical business process functions have been resumed, and for implementing projects/operations that will allow the university to return to a normal service level.

The university provides an Emergency Notification System (ENS) which is intended to rapidly circulate emergency information on an incident, and give instructions to the campus population.

The university’s emergency response and continuity plan had been coordinated with the town’s agencies, local government and organizations. The functional groups in delivering the response and continuity process are:

  • The policy group, which is composed of lead administrators. It establishes policies and procedures as needed to support emergency operations, and determines business recovery and resumption priorities.
  • The Emergency Response Resource Group (ERRG) directs resources in support of emergency response operations, assures the continuity of critical business functions, and implements business recovery and resumption activities. The ERRG convenes at the Emergency Operations Center (EOC).
  • Satellite Operations Centers (SOCs), located in the administrative headquarters. Deans, Vice Presidents and Vice Provosts, gather emergency impact data from their constituent departments, account for their personnel, transmit reports to the EOC, disseminate emergency instructions to constituents, and develop and implement business continuity, resumption and recovery plans.

In addition to these groups, there are also essential roles who will direct these groups, supported by essential personnel.

Even when emergency response activities are nearing completion, business recovery activities may continue for weeks or months after the event. Business recovery activities include reestablishing complete services and functions following a major incident and recovering extraordinary costs caused by the event. Furthermore, recovery priorities should be established as follows:

  • Immediate recovery (true continuity) is essential;
  • Recovery required within 24 hours;
  • Recovery required between 24 and 72 hours;
  • Recovery not required within 72 hours.

Trained and knowledgeable personnel are essential for the prompt and proper execution of the plan. All personnel will be provided with the necessary training to execute those responsibilities in an effective and responsible manner. Training on university-level emergency response roles and the incident command system will generally be coordinated by the Director of Emergency Management.

Exercises will be conducted as needed which allow all persons involved in emergency response to practice their roles and to better understand emergency operations and their responsibilities under emergency conditions. University-wide exercises will be held at least once per year, and will consist of tabletop, practical and full-scale staged events as deemed appropriate.

BC Plan for Influenza Pandemic: A Review

A pandemic is an epidemic or outbreak of infectious disease that spreads through populations across a large region; for instance a continent, or even worldwide. A flu pandemic could occur when a new flu virus emerges and starts spreading as easily as normal seasonal flu. As the virus is new, the human immune system will have no pre-existing immunity. This makes it easier for people to contract the new flu and experience more serious symptoms than that caused by normal seasonal flu. Current viruses that had spread across a large region (particularly in Asia) are the influenza A (H1N1), the SARS incident in 2003, and the avian flu (H5N1) (SPRING 2009).

According to some studies, no one could predict when a flu pandemic will occur. When it does occur, the impacts may be felt in various ways. Regarding its possible general impact, public gatherings may be discouraged, people with flu-like symptoms may not be allowed in public places, public transport may be disrupted and regular updates and clarifications may be necessary. As for the business impact, supplies may be disrupted, the number of customers may drop, likely increase of electronic communications use which may lead to overloaded communication systems and some staff in any organization may be absent from work (SPRING 2009).

Based on these likely impacts, companies are encouraged to ensure their business remain viable in the event of an outbreak. BCP should be developed with further considerations on how to operate their business with minimal face to face contact between staff, staff and customers, and with suppliers; how to operate business effectively with key members of staff being absent from work; and how to operate if supply chains are disrupted. Moreover, the key risks to the company that need to be addressed in BCP are (SPRING 2009):

  • Processes and business functions (e.g. production, sales and marketing, etc.)
  • Business infrastructure (e.g. offices, shops, factories, equipment, etc.)
  • Stakeholders (shareholders, suppliers, customers, etc.)
  • Communications, both internal and external

The Singapore government had proactively taken an approach to overcome this crisis through initiatives such as the Flu Pandemic Guide for small and medium-sized enterprises (SMEs) in 2006. The BC guideline developed by a Singapore standards agency provides these contents particularly for handling flu pandemic (Low et al. 2010a; Singapore Business Federation 2006; SPRING 2009):

Annex section

This section describes:

  • Information about personal hygiene awareness, as an example: correct hand washing procedures; basic information on sanitization such as disinfectants, recommended use and their precautions.
  • Contact list of key customers, key suppliers/vendor/contractors and others.
  • Contact list of key personnel and key organizations for information and assistance on flu pandemic.
  • Description about roles and responsibilities of the Flu Manager.
  • Procedures upon detection of visitors and staff who are unwell. These include procedures of (1) Visitor detection and isolation; (2) Staff unwell at workplace; (3) Staff unwell outside workplace and (4) Contact tracing.
  • Forms such as temperature screening, notification form (for suspected flu case at work), and body temperature monitoring log.

BC Plan for Flu Pandemic Contents

  • Green—isolated overseas or local cases of animal-to-human transmission. Threat of human-to-human infection remains low.
  • Yellow—slight human-to-human transmission. A small risk of it being imported here, but has not resulted in sustained spread.
  • Orange—evolves into human disease. WHO confirms several outbreaks in one country, spreading to other countries. Deaths are expected. Local confirmation of new cases and evidence of more than one transmission has occurred.
  • Red—widespread infection. Increase in deaths has occurred. Healthcare system likely to be overwhelmed and essential services are added to ensure full operational capacity.
  • Black—high death rates reported. Economic activities are severely disrupted, as panic sweeps through the community.
  • Green—to set up a team to oversee BCP.
  • Yellow—appoint a Flu manager.
  • Action plans are written for every alert level.

The Need for BCM

According to a survey on trends in business continuity, it was found that BCM has become mandatory to maintain customer confidence and a competitive edge. The threat of interruption and the need to respond promptly has manifested itself, where a vast increase in regulatory requirements and a mandate from customers for BC plan development has occurred. Organizations are expected to manage the BC process more collaboratively, be driven to complete their BC plans and include it in Requests for Proposals (RFP) and Requests for Information (RFI) (BUCORIM 2008).

There are several sources of external influence that are encouraging an increased focus on business continuity. According to respondents questioned for a report conducted by the Economist Intelligence Unit (EIU 2007), customers are the stakeholder that is viewed as most important in driving decisions about business continuity, with 59% citing them as a significant influence. Moreover, in the supply chain relationships that are getting complex and more dependent, customers will most likely ask about a detailed scope of BC plan, whether the supplier has it in place and would request evidence of compliance with particular policies.

In addition to customers, pressure from regulators is also becoming more distinct. Regulators are viewed as the second most important external influence over decisions about BC, with 58% seeing them as significant in the regard. This figure rises to 72% from respondents who are in the financial services sector (EIU 2007).

Benefits of BCM

Previous section of this chapter had described the relationships between BCM and other concepts. Table 3.4 summarizes the distinction between these concepts based on their main focus and key methods.

BCM distinction with other related concepts

Sources: Collier (2009), Drennan and McConnell (2007), BCI (2007a), Foster and Dye (2005), Devlin (2007), Smith (2003), Elliott (1999), McCrackan (2005)

Whilst BCM is able to help firms to have a response for major disruptions that may threaten their business activities, the Business Continuity Institute (2007a) found that there are other benefits that can be gained by embracing BCM as a management discipline in an organization. Firstly, BCM will help address some key risks in the firm and help them achieve compliance. Secondly, BCM can be used as a competitive advantage to gain new customers and to improve margins by using it as a demonstration of “customer care”. Thirdly, a thorough review of the business through Business Impact Analysis (BIA) can highlight business inefficiencies and focus on priorities that would not otherwise have come to light. And last but not least, firms providing services or goods recognize that keeping customers through a more reliable service is cheaper than tempting back the deserters after an interruption. Other studies have also found various benefits of implementing BCM in an organization. Table 3.5 shows the BCM benefits from various studies. In addition, the table shows that BCM’s main focus and key method of conducting Business Impact Analysis plays an important role and provides positive implication for an organization that implements BCM.

BCM benefits

Challenges in BCM

Although BCM is considered as necessary to be implemented in organizations, there are several issues regarding the challenges of its implementation. Robinson (2009) viewed that the recent economic recession would be a challenge in implementing BCM. Recession has delayed or reduced BCM uptake; with top management viewing it as a discretionary spend. Moreover, only a minority will recognize that recession increases the need for BCM, with cutbacks reducing operational resilience and scarce liquidity eroding financial tolerance. Nonetheless, when a senior management team still has a strong commitment in sustaining its business resilience, and perceiving the recession-BCM link being strong enough, these can be a strong contributory factor to maintain its BCM. Moreover, Molinier (2009) opined that these economic conditions should be viewed as an opportunity to demonstrate how the companies can provide resilience whilst streamlining processes and adopting a cost-benefit approach that demonstrably support business objective.

In accordance with Continuity Central’s survey to BC professionals (Continuity Central 2011), the biggest challenge in implementing BCM was lack of resource for the implementation. The second biggest challenge was the difficulties in obtaining senior management support and input. Thirdly, getting the wider organization to buy-in to BC and to provide support to the process was another challenge that needs to be considered. Following these top three challenges, other reasons are: organizational cut backs and changes; technology issues; testing and exercising issues; compliance, regulations and auditing; and culture change. These findings provide important feedbacks to those who have implemented BCM and who are in the phase of initiating it.

This chapter provided a review on BCM, starting from its historical development, its relationships with other concepts, its main principles and methodology, to its implementation in various sectors that shows the necessary need of the concept in an organization.

As an act of anticipating incidents that will affect mission-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner, BCM has evolved from a technology-based disaster recovery approach to a value-based drive for business resilience. It is also viewed as a unifying process that includes various concepts for overcoming crises.

BCM is considered as a management system that, similar with other management systems, needs influential factors such as organizational culture, involvement, resources, flexibility and shared commitments for its effectiveness. Moreover, these approaches are embedded in its main principles and methodology.

Currently, BCM is widely adopted in various firms from various sectors. Regulations and international standards have been developed for this concept and methods in assessing the level of BCM preparedness have also been established. The need for BCM is currently supported by various drivers and although there are some challenges in implementing the concept, the benefits of BCM are worth mentioning.

business continuity management (bcm)

ISO 22000 Certification

Getting certified with the world's leading food safety management standard.

ISO 13485 Certification

Getting certified with the global standard used by healthcare industry.

ISO 27001 Certification

Getting certified with a globally accepted indication of security effectiveness.

Medical Device Regulatory

Establish a complete and effective medical device regulatory strategy.

ISO Consulting

Increase product and service quality with Stendard's ISO consulting.

Stendard Solution™

Summary of our product and features that may help your business process even greater and possibly solve your difficulties in business process.

ISO Template

Use our document generator to generate each Manual, Procedure, Form Templates and etc. Define the step-by-step instructions needed for each operation within the Work Instructions.

A powerful tool that streamlines the monitoring process and helps users make informed decisions based on the data that is most relevant to their needs.

A simple but powerful module for you to store, organise and edit your files seamlessly without any hassle.

Document Management System

With Document Control, never worry about inaccuracy and non-compliance of documentation files and processes ever again.

An effective way to reduce paperwork related hindrance within the workplace and improve organisational efficiency.

With the ability to add, edit, and delete data, import data from external sources, and search and sort data, you can easily organize, analyze, and report on data in a more efficient manner.

Form Builder

Create any form that you need to support your daily activities. As the name suggests, building a form is now a breeze as you drag & drop components in.

Our aim at Stendard is not only to provide you with quality consulting services. We want to empower our clients such as yourself by providing a wide range of ISO related courses.

Training Plan

Create your training plan to group your training courses. By setting up these plan, you can set multiple items to be trained by several team members at once.

Evidence Submission

Compile and organise essential documents required for audits. With this module, you will be able to breeze through any up and coming audits without fearing missing or incorrect documents!

Artificial Intelligence

Our AI engine for Document Classification will help you significantly speed up the document classification process and allow less room for human error when handling these vast amounts of documents.

Changelog will list all the updates and patches we have made to every software update to ensure that you know the new features or updates introduced to the system.

Audit Trail

You can ensure that accountability is incorporated into your organisation’s document management system with a robust audit trail system.

Search (OCR)

A simple but powerful tool to locate every single document you need.

A Complete Guide to Business Continuity Management

Business Continuity Management

Organisations may be exposed to the risk of unexpected disruption to their business operations such as natural disaster, fire, flood, supply chain disruption, cyber attack, employee strike and pandemic. Such events can severely impact revenue, profitability and even survival.

To protect your organisation and ensure that business operations continue to function when such events occur, you must establish a business continuity management system (BCM).

By the end of this article, you will be equipped with knowledge on:

• What is business continuity management?

• What are the 3 main areas of business continuity management?

• What is the difference between a business continuity plan (BCP) and BCM?

• What are the key elements of business continuity management?

• What are the steps in business continuity management?

What is business continuity management?

Business Continuity Management (BCM) is the management process that oversees and implement strategies to address the risk of unexpected disruptions. It covers emergency response, risk management, planning, business continuity plan (BCP), training, testing and improvements.

What are the 3 main areas of business continuity management?

There are three main areas in the processes of business continuity management:

1. Establishment

2. Implementation

3. Continuous improvement

These processes and their interactions are needed for an effective and comprehensive business continuity management that will help your organisation identify potential threats and recover from any form of disruptions or threats to your business functions. These three areas will be covered in greater detail under the steps in BCM.

What is the difference between BCP and BCM?

BCP is a plan that your organisation can develop to perform the necessary actions to recover from unexpected disruptions and resume normal operations again.

BCM is the management process to oversee and implement strategies to address the risk of unexpected disruptions or crises and minimise the impact on business operations. Disruptions can include floods, fires, workers strikes, supply chain cut-off, pandemic, computer system hacked, etc.

What are the key elements of business continuity management?

BCM is a holistic management process that integrates various elements, namely Business Continuity Plan (BCP), Emergency Response, Crisis Management, Disaster Recovery, Risk Management, Business Impact Analysis, Resilience and Reputation Management.

1.   BUSINESS CONTINUITY PLAN (BCP)

business continuity plan

BCP is an integral part of BCM that focuses on resuming operations during an unplanned disruption until it returns to normal again. The plan outlines the strategies and actions required by the organisation, which is more comprehensive than a disaster recovery plan. It contains contingency plans for every aspect of your business operations that may be affected, such as financial services, human resources, productions, inventory management, distributions, external suppliers and business partners etc. The BCP must detail the roles and responsibilities of various key stakeholders and be shared with top management for their agreement and sign-off.

2.   EMERGENCY RESPONSE

This is often seen as one of the critical elements in BCM that require the most resources and management’s attention. It requires very urgent intervention to mobilise people and various resources to bring an incident under control quickly. An emergency can include natural disasters, pandemics or major accidents etc. The response usually focuses heavily on the protection and safety of lives, the company’s assets, health and the environment.

3.   CRISIS MANAGEMENT

This is a process to manage a response to a crisis or major event affecting your business operations in order to stabilise and effectively control the situation and recover your operations in the quickest time possible. Crisis can be attributed to impending changes related to the country’s social, political, economic, environmental or security situation. It often causes uncertainty and threats to the organisation’s goals.

4.   DISASTER RECOVERY

A key component of BCM is disaster recovery. It includes the activation of the recovery team to carry out the necessary actions in handling a specific disruption when an incident happens. For example, when there is an IT disruption to the organisation’s network servers or cyber attacks, the disaster recovery plan will include workarounds or the use of backup systems to recover critical IT assets or systems so that your business operations can continue until they are restored. An essential aspect of disaster recovery is reviewing and assessing the recovery time objective after the incident to address any shortcomings and revise the plan for future implementation.

5. BUSINESS IMPACT ANALYSIS

carrying out risk analysis

This analysis is conducted to help your company identifies potential threats and possible risks that your organisation is exposed to and analyse the impact of the disruption if it happens. It is an essential element of BCM as it supports the business continuity process.   It involves reviewing all critical activities   within your business functions and the recovery point objective and time frame required to minimise the impact of a disruption.

6.  RISK MANAGEMENT

Another key component of BCM is the creation of Risk Management to identify the broad array of potential risks to your organisation, covering resources (human, property, equipment and facilities), financial assets, operations, regulatory compliance, information security etc. The probability or likelihood of each risk occurring and their potential impact and severity have to be evaluated, assessed, ranked and measured against your organisation’s risk tolerance to prioritise which risks to address or mitigate first relative to the others.

7. RESILIENCE AND REPUTATION MANAGEMENT

BCM is a very fundamental and significant aspect of business operations in any organisation. BCM is itself a risk to the organisation if it is not managed effectively or adequately. Your organisation needs to be prepared for any unexpected disruptions or incidents so that it can protect or resume its operations and continue to function and recover from the adversity. Having an effective BCM process in place can help companies meet regulatory compliance and manage and protect their reputation and build organisational resilience, thereby protecting the brand and enhancing their competitive advantage.

What are the steps in business continuity management?

Establishment

Establish a BCM system by first creating a team to manage the various processes. Your top management must show commitment and support to the team by providing the necessary resources and training competent people with defined responsibilities.

Carry out a risk assessment of your organisation. You will need to identify and evaluate the risks or possible disruptions your organisation is exposed to and determine the severity and likelihood of different threat scenarios.

Perform a business impact analysis (BIA). This is to assess the potential impact to the different functions within your business operations in the event of a disruption and the maximum time required to resume operations or recover from it.

Implementation

After the management team has been formed, with risk assessment and business impact analysis performed, the next phase is the implementation, which will utilise the results and findings from your risk assessment and business impact analysis.

Develop strategies and create a BCP and implement these recovery strategies across your organisation. These strategies and plans must be detailed, comprehensive, realistic and effective so that every stakeholder involved can understand and be guided on their roles and responsibilities. Do include the actions to be taken in the event a disruption strikes.

Continuous improvement

The final phase is continuous improvement.

Carry out regular testing of your BCP to ensure that the entire organisation is thoroughly trained and prepared for any disruption to your operations. This is typically performed through annual simulation exercises to ensure all stakeholders are fully aware of their respective actions in response to various scenarios or disruptions that can affect the business operations.

 Step 6:

Periodically review your business continuity plan to make improvements to the existing BCP. Through the tabletop exercises in step five, your organisation can identify new threats, fine-tune and adjust in accordance with any changes in the business process so that your existing plans will continuously improve, adapt and update to accurately and effectively respond to new different scenarios.

teamwork in business continuity management

Business Continuity Management plays a very critical role in every organisation. For your company to continue its business operations when disruptions occur, you will need to establish, implement and continuously improve your business continuity management processes.

ISO 22301 is the international standard that helps organisations craft business continuity plans to protect them and help them recover from disruption when an incident occurs. It also helps companies identify potential threats to their businesses and build the capacity to deal with unforeseen events with an adequate response.

Stendard can help your organisation by providing business continuity management consulting services with experienced consultants. If you have any questions regarding business continuity, please feel free to drop us an inquiry.

At Stendard, we believe that quality is everyone’s business because it takes a team to consistently deliver and uphold excellent standards that build confidence with customers, partners and the community. We are a competent group of experts who can provide consultancy support and advice on using technological platforms for your company through this journey.

As always, if you have any queries or questions, feel free to contact us.

our Academy e-learning course:

business continuity management (bcm)

Do you have any questions?

Drop us an inquiry now!

CONNECT WITH US

© 2016-2024 YNL 360 Pte Ltd d.b.a Stendard. All rights reserved.

TERMS OF SERVICE .  PRIVACY POLICY .

business continuity management (bcm)

business continuity management (bcm)

The New Equation

business continuity management (bcm)

Executive leadership hub - What’s important to the C-suite?

business continuity management (bcm)

Tech Effect

business continuity management (bcm)

Shared success benefits

Loading Results

No Match Found

Enterprise risk management and business continuity management: Together at last

Organizations that integrate enterprise risk management (ERM) into their strategic planning efforts have found that business continuity management (BCM) enhances both their value creation objectives and their protection objectives. The confidence that comes from identifying and appropriately addressing interruption risks enables them to more boldly execute those strategic plans. But to gain that confidence requires the melding of ERM and BCM programs.

business continuity management (bcm)

Download Enterprise risk management and business continuity management: Together at last

Executing a series of well-coordinated erm and bcm integration activities makes it possible to realize the full value of optimized business continuity management.

Leading-practice integration examples include:

  • Consider ERM and BCM program integration
  • Involve BCM management in the ERM risk assessment process
  • Involve ERM management in BCM interruption risk assessment planning and analysis
  • Perform a BCM business impact analysis (BIA) that is informed by the ERM program’s impact categories, weighting, and thresholds
  • Develop ERM-informed risk resiliency improvement recommendations
  • Enhance risk scenario analysis
  • Conduct BCM capability examination and post-incident analysis
  • Link BCM and ERM program effectiveness reporting
  • Leverage governance, risk management, and compliance (GRC) technology

ERM lifecycle and BCM lifecycle synergies

Program governance, risk assessment/business impact analysis (bia), risk treatments/strategies, risk plans/business continuity plans, program effectiveness monitoring and reporting.

  • ERM and BCM program governance is tightly coupled, sharing many of the same stakeholders 
  • The ERM and BCM program owner can be the same individual, yet supported by separate administrative teams 
  • The ERM and BCM programs report to the same risk committee and/or board of directors 
  • ERM and BCM risk assessment scopes align for areas related to operational interruption risks 
  • ERM risk impact categories and their thresholds are used to standardize the way BCM BIA participants describe operational interruption impacts 
  • Management’s risk appetite and tolerance decisions are informed by BIA results 
  • Deciding whether and how to respond to interruption risks is based on management’s risk tolerance and risk appetite 
  • Resiliency improvements are made to areas that leadership identifies as critical to achieving operational and strategic goals
  • Approved strategies for responding to interruption risk are documented in actionable business continuity plans
  • Responses to actual interruption events and the results of business continuity and crisis management exercises are formally evaluated against risk reduction objectives 
  • The BCM program’s effectiveness analysis provides a feedback loop to the overall ERM program, thereby providing comfort that resiliency and recoverability efforts reduce interruption risk impact

Explore further

Mike Maali

Partner, Cyber, Risk and Regulatory, PwC US

Steve Zawoyski

Steve Zawoyski

Enterprise Risk Management Solutions Leader, PwC US

Linkedin Follow

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

  • Data Privacy Framework
  • Cookie info
  • Terms and conditions
  • Site provider
  • Your Privacy Choices

BCMIWhiteLogo.png

  • ISO22301 BCMS Audit
  • Business Continuity Management
  • Crisis Management
  • Crisis Communication
  • IT Disaster Recovery
  • Operational Resilience

CM_d

Understanding the Business Continuity Management Framework

In the ever-evolving landscape of modern business, organizations face many risks that can disrupt operations and threaten continuity. Enterprises must have a structured approach to mitigate and manage these risks. One such approach is implementing a BCM framework. A well-structured BCM framework provides a systematic and strategic approach to ensuring business resilience and recovery during adverse events.

A Business Continuity Management Framework is a comprehensive structure that guides organizations in identifying potential threats, assessing their impact on critical business functions, and formulating strategies to minimize disruption and facilitate a swift recovery.

hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, '3aefb2d2-3110-47c1-ad4f-d3e6e5381066', {"useNewLoader":"true","region":"na1"});

Exploring the business continuity management framework.

New call-to-action

One such approach is implementing a BCM framework. A well-structured BCM framework provides a systematic and strategic approach to ensuring business resilience and recovery during adverse events.

New call-to-action

The framework incorporates interrelated processes, methodologies, and standards to enhance an organization's resilience and responsiveness to disruptions.

Key Components of a BCM Framework

To effectively manage business continuity, a robust BCM framework comprises several essential components:

Risk Assessment and Business Impact Analysis (BIA)

Understanding the risks and potential impacts on critical business functions is the foundation of any BCM framework. Conducting a thorough risk assessment and BIA helps identify vulnerabilities, prioritize critical processes, and establish recovery time objectives.

Business Continuity Strategies

Developing strategies to maintain essential operations during a disruption is a core component. These strategies encompass contingency plans, disaster recovery plans, crisis management plans, and incident response plans tailored to address different disruptions.

Business Continuity (BC) Plans

BCPs outline step-by-step procedures and actions to restore critical business functions and processes. They often include communication plans, resource allocation, recovery strategies, and roles and responsibilities during recovery.

Testing and Exercising

New call-to-action

Crisis Communication Plan

A robust communication plan is crucial during disruptions. It defines how communication will be managed internally and externally, ensuring precise and timely dissemination of information to stakeholders, employees, and the public.

Governance and Compliance

Establishing governance structures and ensuring compliance with relevant laws, regulations, and industry standards are vital aspects of a BCM framework. It includes defining roles, responsibilities, and reporting mechanisms.

Continuous Improvement and Maintenance

A continuous improvement cycle involves regular reviews, updates, and enhancements to the BCM framework based on lessons learned from incidents, changes in the business environment, or technological advancements.

Benefits of Implementing a BCM Framework

Implementing a robust BCM framework offers several key benefits to an organization:

Enhanced Resilience

The framework enables organizations to respond swiftly and effectively to disruptions, minimizing downtime and financial losses.

Stakeholder Confidence

Organizations build trust and confidence among stakeholders, including customers, partners, and investors, by demonstrating a proactive approach to risk management and business continuity.

Legal and Regulatory Compliance

Adhering to a BCM framework ensures compliance with legal and regulatory requirements, mitigating potential legal repercussions during disruptions.

Cost-Efficiency

Proactive planning and streamlined recovery processes result in cost savings compared to reacting to disruptions without a structured approach.

In a world with constant uncertainties, having a well-defined Business Continuity Management Framework is imperative for organizational sustainability.

Step 3 Develop a BCP Framework

Related Topics

Learn more about bcm-5000 [b-5] and or-5000 [or-3].

New Call-to-action

  • Information Security
  • Quality Management
  • Sustainability
  • Support Portal
  • Exonaut® Platform
  • Public & Corporate Solutions
  • Military Exercise Management
  • Military Training Evaluation, Assurance & Readiness
  • Military Lessons Management
  • Military Experimentation Management
  • Operational Resilience
  • DORA regulatory software
  • Risk Management
  • Business Continuity Management
  • Exercise Management
  • Incident & Crisis Management
  • Security Operations Center
  • Emergency Operations Center
  • Climate Resilience
  • Cyber Security and IT Continuity
  • Training & Exercises
  • Climate Risk & Resilience
  • DORA consultant services
  • News & Insights
  • Case Studies

Book a demo

What is business continuity management.

Business Continuity Management  (BCM) has moved higher and higher up the agenda of organisations since the COVID-19 pandemic. But what is Business Continuity Management and how do you make sure you get it right at your organisation?

Business Continuity Management 101

In short, BCM is a set of policies, processes and plans designed to ensure that an organisation can maintain critical operations during a disruption. The overall objective is to ensure that organisations can uphold essential services at a tolerable predefined level, regardless of the disruption or its timing.

BCM policies, processes and plans are not reactive, but rather proactive measures that are put into place prior to a disruption based on an organisation’s risk appetite and potential threats, to safeguard operations brand reputation. BCM should be considered as a continuous cycle of measuring business continuity capabilities across an organisation, defining gaps, and developing an executable programme of continuous improvement.

A tailored Business Continuity plan can give a business a competitive advantage. Unprepared businesses must focus their energies on managing the disruption, while those that are more resilient can continue to focus on securing and even growing revenues.

“We wanted to look beyond the traditional BCM norms with a focus on better anticipating future business risk, while having solid foundations to minimise the risk of whatever unprecedented issues and potential threats may arise. This led us to work with 4C Strategies.” Director of Security and Resilience – Openreach

Business Continuity Management Standards – ISO 22301

The second edition of The International Standard for Business Continuity Management, ISO 22301:2019 defines the purpose for BCM as to “ prepare for, provide and maintain controls and capabilities for managing an organisation’s overall ability to continue to operate during disruptions. ”

It then goes on to list different organisational benefits, including:

  • Supporting its strategic objectives
  • Protecting and enhancing its reputation and credibility
  • Contributing to organisational resilience
  • Reducing direct and indirect costs of disruptions
  • Protecting life, property and the environment
  • Demonstrating proactive control of risks effectively and efficiently
“4C Strategies have contributed to our business continuity management and strategic crisis programme with their expertise as well as with their flexible and innovative working methods. This was key in preparing us for the ISO 22301 certification of our production facilities.” Niclas Johansson, Global Business Continuity Manager – Cytiva, GE Healthcare Life Sciences

Supporting standards for Organisational Resilience

Beyond ISO 22301, there are a number of other standards that pertain to effective BCM that should be acknowledged and followed where appropriate by an organisation to increase resilience to disruptions.

These include:

  • BS 11200  – a crisis management standard for building a strategic capability. It is designed for stakeholders ­– policy decision makers, risk and BCM managers, senior management, etc. – that are involved in growing capabilities that can impact an organisation’s objectives, reputation, or operations. Although a British Standard, it is equally relevant for non-British organisations.
  • ISO 27031  –  IT continuity and cyber security  are now central to any BCM strategy. The ISO 27031 standard includes the concepts and principles of information and communication technology (ICT) readiness. It also provides a framework for identifying, categorising and improving ICT readiness – through such things as performance criteria and design – to support business continuity.
  • ISO 22318  – Supply chain management is vital for many organisations. For those industries and organisations whose business is intrinsically tied to a supplier of services or products, following ISO 22318 guidelines can prove extremely beneficial for mitigating the impact of a major disruption.
  • BCI Good Practice Guidelines  – All BCI certification is based on the Good Practice Guidelines, a practitioner-driven information source for individuals and organizations seeking an understanding of business continuity as part of their awareness raising campaigns and training schedules.
  • For registered actors within the UK financial services sector, the soon to be implemented  operational resilience  regulations must also be considered.  Operational resilience  shifts focus from the actor, typical in BCM and  incident management  approaches, to the resilience of the important business services being offered.

The  Business Continuity Institute  (BCI) refers to Business continuity Management as a framework embedded into an organisation to identify threats and the impact to operations they pose. A BCM plan is then created and continually validated with the goal of enabling you to re-establish business operations as quickly as possible in the event of a disruption. A number of 4C consultants are certified to  FBCI, MBCI and CBCI level , based on their extensive experience and training as business continuity practitioners.

Watch the 4C Strategies & BCI webinar

Our experts teamed up with the Business Continuity Institute for a webinar on post COVID-19 BCM. You can watch “ From Compliance to Capability – what does ‘good’ look like in a post-COVID era? ” by clicking below:

Three pillars of organisational resilience

Business Continuity Management is a governance issue that together with Enterprise Risk Management (ERM) and Incident & Crisis Management (ICM) interrelate and create organisational resilience. These are the three key pillars that should form part of any organisation’s resilience program as can be seen in the 4C Strategies Resilience Model below. The model also includes the key foundational attributes of any proactive resilience plan, namely cybersecurity and capability development.

business continuity management (bcm)

Handling major disruptions – the need for effective BCM

Regardless of industry –  public  or private – all organisations can be subject to a major disruption at any time. Increased dependencies on IT and the security risks that come with it, as well as the growth in disinformation by antagonists, means the risks of incidents and major disruptions are greater and closer than ever before. Thus, building resilience is essential.

Major disruptions can be classed into the following categories:

  • Supply chain disruptions
  • Cyber-attacks and disinformation
  • Natural disasters
  • Loss of key data
  • Loss of essential staff
  • Large-scale workforce disruptions
  • Major disruptions at facilities
  • Political upheaval in key markets

Regardless of the disruption it’s important to follow the activity steps – as seen below – to manage the response. At each point it’s advisable to assess the organisation’s response before moving ahead.

BCM graph

A structured BCM strategy for increased resilience

Implementing a structured BCM strategy across an organisation will have an extensive impact on an organisation’s eco-system, which brings with its wide-reaching benefits on multiple levels.

  • Organisational – Deploying a structured framework across departments, business units and/or production facilities – as opposed to using diverse and tailored BCM processes – make it easier to compare risks and capabilities and define where actions should be taken to assure business continuity.
  • Operative – With a better and unified understanding of holistic and fine-grained risks and readiness capabilities, an operative plan can be developed to mitigate risk where the biggest gaps exist. These can be ranked by importance based on the potential impact and likelihood of occurrence vs the value they add to operations. Budgeting can be developed based on BCM and incident readiness plans.
  • Regulatory – With a standardised BCM methodology you can ensure and prove that facilities follow the same framework and meet regulatory requirements. Updates to regulations can be easily incorporated centrally and implemented organisation-wide.
  • Production – In an organisation with multiple facilities or a large proportion of staff working remotely, having a standardised BCM framework is critical. If, for instance, IT continuity issues are identified at one unit or within certain processes, steps can be put into place and implemented locally or globally to improve cyber resilience. Such issues may not be identified if fragmented BCM processes exist.
  • Customers – A standardised BCM framework highlighting that your organisation can withstand major disruptions can prove invaluable to customers. Knowing that you have the processes in place that safeguard production and delivery of goods, builds a new sense of trust among customers.
  • Suppliers  – The implications on suppliers can be considerable. You may identify continuity risks among your suppliers in the event of a major disruption. The upshot of this can be that suppliers have to prove they can guarantee products or services, supplier KPI and SLAs change, or new, more resilient suppliers are contracted.

Digitalising Business Continuity for more effective results

The  Exonaut® Business Continuity Manager , is a web-based and mobile solution designed to digitalise, test and invoke business continuity plans. Exonaut BCM forms part of the Exonaut readiness management platform, with fully integrated solutions for  risk management ,  incident and crisis management ,  compliance management  and  training and exercises .

See Exonaut BCM in action

See a demo of our Exonaut software solutions for your risk, business continuity, crisis and exercise management needs.

Implementing a BCM strategy – a lifecycle perspective

Whether you are looking to implement business continuity management methodology for the first time or wish to make BCM a part of everyday operations – something that has become more common since the pandemic struck – taking a lifecycle perspective is essential. This will ensure the organisation remains resilient even when operations change, new trends evolve or the political sphere alters.

BCM methodology graph

Any BCM strategy must consider how business continuity policies will be implemented, controlled and validated at organisational and unit level to ensure success. The 4C BCM methodology is ideal for this.

The 4C BCM methodology

  • Governance and Policy : Defines how organisational policy relating to business continuity will be implemented, controlled and validated.
  • Analysis : Operations, objectives and constraints are reviewed and assessed.
  • Design : Appropriate strategies and solutions are selected that determine how to achieve continuity and recovery from a disruption.
  • Implementation : Agreed strategies and solutions are executed in the form of a business continuity plan.
  • Validation : The business continuity plan is tested to ensure it is fit for purpose and that staff are familiar and confident in its application during a disruption.
  • Embedding : Business continuity is integrated into business-as-usual (BAU) activities and organisational culture.

Get started: Increase organisational resilience with effective BCM

At 4C Strategies we can help you get started with BCM or help you grow your BCM capabilities. With over 20 years of experience we offer a unique  combination of expert consultant services with leading BCM/organisational resilience software to support your organisation. From the public sector, to international finance institutes to global manufacturers and telecom providers, we can help any organisation to be better prepared for the current or next major disruption.

Contact us  to find out more.

Want to learn more?

Discover how you can build, verify and track your organisational resilience with our training and exercise services and Exonaut® software solutions.

  • Exonaut® releases

Recent news & insights

winter mil exercise

4C software and consultants support NATO STEADFAST DEFENDER 24 Exercise

Still_1.1.1

4C and Hadean: Empowering Data-Driven Military Training through industry collaboration

bcm-infrastructure

Five Business Continuity Management Trends for a Stronger Business in Uncertain Times

Subscribe to our Newsletter

Bcm case studies, related articles, join the conversation, message sent, thank you for downloading, download pack, photo credits.

  • Original image
  • Large image (2900px)
  • Medium image (1920px)
  • Small image (1024px)

Get in touch

Subscribe to newsletter.

  • Privacy Overview
  • Strictly Necessary Cookies
  • Marketing Cookies
  • Cookie Policy

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookies are needed for correct functionality of the site.

If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.

This website uses Google Analytics, LeadFeeder and MixPanel to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping this cookie enabled helps us to improve our website.

Please enable Strictly Necessary Cookies first so that we can save your preferences!

More information about our Cookie Policy

Business Continuity Management (BCM)

business continuity management (bcm)

business continuity management (bcm)

2. Holistic management process that identifies potential threats to and organization and the impacts to business operations those threats , if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities .

business continuity management (bcm)

( Source : ISO 22301:2012 – Societal Security – Business Continuity Management Systems - Requirements) - clause 3.4

3. Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

( Source : AE/HSC/NCEMA 7000:2012)

4. A holistic management process that identifies potential impacts which threaten an organization and provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities .

( Source: SS540 Singapore Standard on Business Continuity Management - SS 540:2008)

5. A holistic management process that identifies potential impacts which threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities .

( Source: British Standard BS25999-1:2006 Code of Practice for Business Continuity Management)

6. A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities .

( Source: Business Continuity Institute - BCI)

7. A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Also, the management of the overall programme through training, rehearsals, and reviews, to ensure the plan stays current and up to date.

(Source: ENISA - the European Network and Information Security Agency . BCM & Resilience Glossary )

8. Business Continuity Management provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.

( Source: HB 221:2004 Business Continuity Management)

8. Business continuity management provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.

( Source: Malaysia BCM Standard MS1970:2007)

9. Management process that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities by identifying potential impacts that threaten the organization and provides a framework for building resilience and the capability for an effective response .

( Source: Australia. A Practitioner's Guide to Business Continuity Management HB292 - 2006 )]]

  • Pages with broken file links
  • BCM Institute Glossary
  • BCM Institute Crisis Communication Glossary
  • BCM Institute Crisis Management Glossary
  • BCM Institute DR Glossary
  • BCM Institute Audit Glossary
  • BcmBoK 1 CL 2A
  • BcmBoK 1 CL 1B
  • BcmBoK 1 CL 1C
  • BcmBoK 1 CL 1CC
  • BcmBoK 1 CL 1D
  • ORBoK 1 CL 1OR
  • ORBoK 1 CL 1ORA

Navigation menu

Personal tools.

  • Request account
  • View source
  • View history
  • About BCM Institute
  • Business Continuity
  • Crisis Management
  • Crisis Communication
  • Disaster Recovery
  • Supply Chain BCM
  • Cyber Security
  • Operational Resilience
  • Pandemic Flu
  • Competency Level
  • OR Competency Level

Chinese Glossary (S)

Bahasa glossary (m).

  • Examination
  • Certification
  • Recertification
  • Meet-the-Experts
  • World Continuity Congress
  • BCM Institute Website
  • Specialist Series
  • Dictionary Series

Acknowledgment

  • Contributors

ISO Glossary

Bcm glossary.

  • Request Changes
  • What links here
  • Related changes
  • Special pages
  • Printable version
  • Permanent link
  • Page information
  • This page was last edited on 30 January 2024, at 11:29.
  • Privacy policy
  • About BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).
  • Disclaimers

Powered by MediaWiki

Business Continuity Conferences in 2024

Published on February 14, 2024

Jump to a section

Everything you need to know about business continuity, straight to your inbox.

Discover unparalleled opportunities for learning, networking, and staying at the forefront of dynamic industry trends by attending and participating in business continuity conferences and events.

The realm of business continuity is continually evolving, and choosing to attend a business continuity event provides a unique platform for organisations to connect with other expert professionals, gaining fresh perspectives on crucial aspects such as risk assessment and disaster recovery.

Join us as we explore some of the upcoming events across this year's calendar!

ALARM South Conference 2024

25-27 February, Slough, UK

The ALARM South Conference will be held at the end of February at the Copthorne Hotel in Slough. The theme for the conference will be Risk Resuscitation , and will open with a keynote talk from the BBC's first dedicated Cyber Security Reporter, Joe Tidy. For more information and to see the full agenda of events, visit here.

DRI2024 - The Business Continuity Conference

DRI2024

3-6 March, New Orleans, USA

This event is held by the Disaster Recovery Institute International, a leading non-profit aiming to aid organisations recover from disasters. The conference will be held at the Hilton New Orleans Riverside and offers the chance to learn and connect with industry leaders from around the globe. Register your interest and find out more here.

DRJ Spring 2024

DRJ Spring 2024

17-20 March, Orlando, USA

The Disaster Recovery Journal's spring conference will be held at the Renaissance Orlando at Seaworld in Orlando, Florida. The theme chosen for the conference is Unleashing the Power of Resilience . The agenda is packed with panel discussions and networking opportunities, with over 80 expert speakers waiting to give their insights. Get registered here.

RIMS RISKWORLD

RIMS RISKWORLD

5-8 May, San Diego, USA

Those specialising in global risk management will find discussions, networking, and education at the Risk and Insurance Management Society's conference. This event is due to take place at the San Diego Convention Center and offers 300+ speakers from over 70 countries. Registration is due to open in March, but more about the event can be learned here.

Continuity Insights Management Conference

CIMC

6-8 May, Charlotte, USA

The CIMC is pitched as a conference for senior business continuity executives, and will take place in the Le Meridian Hotel Complex in Charlotte, USA. With over 50 sessions to choose from, and a full schedule of networking events (including a bowling reception!), it offers a great place to learn more about business continuity strategy. Find out more here.

Business Continuity Awareness Week (BCAW)

Though no major events have been tabled yet, Business Continuity Awareness Week is due to land in mid-May. This annual, global event is organised by the Business Continuity Institute and draws attention to the need for operational resilience and forward planning.

Keep an eye out for the announcement of webinars and other events to help promote and celebrate this week of knowledge-sharing.

World Conference on Business, Management, Finance, Economics, and Marketing

16-17 May, Vienna, Austria

The 5th World Conference on Business, Management, Finance, Economics, and Marketing is due to take place in mid-May. Keynote speakers are flying in from across the world to deliver talks across a wide range of disciplines. Abstracts and registrations can be submitted here.

business continuity conference

ABA Risk and Compliance Conference

11-14June, Seattle, USA

The American Bankers Association will be holding their risk and compliance conference at the Seattle Convention Center in June. In-person registration includes full access to all events and opportunities during the event, while on-demand registration offers access to livestreams and recordings of sessions. More information and registration can be found here.

International Conference on Disaster Recovery and Business Continuity 2024

13-14 June, Bangkok, Thailand

The 7th ICDRBC is due to take place in mid-June in Bangkok. This conference will offer the chance to attend in person and online and proposes bringing together both academic researchers and industry experts to explore all aspects of business continuity. An agenda and venue are yet to be announced, but you can register and submit papers for consideration here.

DRJ Fall 2024

DRJ Fall

8-11 September, Dallas, USA

The DRJ hold a fall conference in addition to their spring events, and this year it will be held at the Gaylord Texan Resort & Convention Center near Dallas, Texas. This will be the DRJ's 71st annual conference, and carries a theme of Building Tomorrow's Resilience Today . They have previously attracted speakers with a wide range of expertise and backgrounds, and more information can be found on their site here.

International Conference on Business Continuity Management and Applications

19-20 September, Toronto, Canada

Though it is marketed as being held in Toronto, the International Conference on Business Continuity Management and Applications will be held online. Discussions at this event are promised to be an interdisciplinary affair, with students, academics, and industry experts all coming together to learn and network. More information can be found here.

Gartner Security Risk & Management Summit

23-25 September, London, UK

Gartner's 2024 London conference carries the theme of Building Cybersecurity Resilience in a Complex World . It is due to take place in ExCeL London, and promises to bring together risk and cybersecurity experts for workshops, roundtables, and more. Find out more and get registered for this event here.

Continuity & Resilience Today

CRT

22-23 October, Toronto, Canada

Those searching for an in-person event in Toronto should mark their diaries for the CRT conference, taking place at the International Centre in late October. This conference promises both practical and collaborative events with an emphasis on strengthening resilience across the business world. Register interest here.

BCI World Hybrid 2024

26-27 October, London, UK

The Business Continuity Institute's big annual conference is due to draw business continuity and organisational resilience experts from across the globe to London. Taking place at the Leonardo Royal London Hotel Tower Bridge, this event promises to bring together experts in both a physical and virtual conference, with their vendor exhibition also being available on a hybrid basis. More information about the conference can be found here.

business continuity conference networking

2025 and beyond

Though we are currently at the start of 2024, some conferences have already pencilled in dates for 2025. As we progress through the year, more and more events will confirm times and locations, but for now clear a space in your diary for these upcoming continuity and resilience conferences.

DRJ Spring 2025

23-26 March, Orlando, USA

DRJ's next Spring conference is scheduled to take place again at the Renaissance Orlando at SeaWorld in Orlando, Florida. As with the fall conferences, the schedule is filled with speakers and events, plus an exhibit hall packed with vendors and connections to meet. Though registration has not yet opened, more information will be announced here.

International Conference on Business Continuity Planning and Analysis

18-19 February, Rome, Italy

The International Conference on Business Continuity Planning and Analysis is due to be held as hybrid event, with the in-person events scheduled to take place in Rome. A number of papers will be selected to be published in a Special Journal after the conference. To find out more about this event, visit here.

Bookmark this page and check back regularly as we bring you the latest business continuity and resilience events!

Written by Grace Lowe

Operations Manager at Continuity2

With a solid background in sales and support, Grace manages day-to-day activities so that business processes run smoothly, efficiently, and effectively. For the past 3 years, Grace has built and maintained strong relationships with clients, maximising their Business Continuity and Resilience efforts to the fullest.

C2 Author Grace 1

Business Analysis Techniques

Introduction.

There are many techniques that Business Analyst's employ to do their job. With different techniques being available for different purposes in different situations.  The goal of this section of the wiki is to eventually provide:

  • A fairly comprehensive list of techniques of use to Business Analysts
  • A brief description for each of those techniques (the more info the better, but starting small)
  • Tips for when, how, and why to use each technique
  • Links to other resources on the web (blog posts, articles, papers, etc) where you can find out more about the technique

The amount of content for different entries may vary significantly, depending on whether users add to the wiki entry for that technique, and whether it is a commonly used technique.

What do I mean by Technique ?

For purposes of this wiki, I am defining a Technique as a specific action or set of actions that is used by a Business Analyst to help deal with issues of scope, elicitation, documentation, analysis, and verification.

I want to try and separate Techniques from Skills which I see as more general capabilities or knowledge sets of the Business Analyst.  As an example, I would say that facilitation is a Skill, while Brainstorming or running Joint Application Development (JAD) sessions are specific Techniques that supplement the Skill.  Because Skills are more generic to BA's in general, I have them in the Career section of the wiki.

Technique Categories and List

Each technique has it's own page, but I have attempted to group them below by usage. Any technique that is not a link below is a placeholder for a future page.

General Analysis Techniques

  • Class Modelling
  • Mind Mapping

Data Analysis Techniques

  • Data Dictionary
  • Data Flow Diagrams

Decision and Rules Techniques

  • Business Rule Analysis
  • Decision Models
  • Decision Tables
  • Decision Trees

Elicitation Techniques

  • Concept Map
  • Document Analysis
  • Feature Tree
  • Focus Groups
  • Interface Analysis
  • JAD Sessions
  • Observation
  • Problem Statements
  • Prototyping
  • Requirements Workshops
  • Storyboarding
  • Surveys and Questionnaires
  • Use Case Diagrams
  • User Stories

Enterprise Analysis Techniques

  • Benchmarking
  • Context Diagrams
  • Feasibility Analysis
  • Force Field Analysis
  • Futures Wheel
  • Organizational Modeling
  • PEST Analysis
  • SWOT Analysis
  • Value Stream Mapping
  • VMOST Analysis

Features and Functional Analysis Techniques

  • Decomposition - Functional and Otherwise

Prioritization Techniques

  • Category Assignment Prioritization
  • Cumulative Voting Prioritization
  • Hierarchical Cumulative Voting Prioritization
  • Hierarchical MoSCoW Prioritization
  • Kano Model Prioritization
  • Matrix Prioritization
  • MoSCoW Prioritization

Problem Solving and Ideation Techniques

  • Affinity Diagram
  • Brainstorming

Process Analysis Techniques

  • Activity Diagram
  • Business Process Modeling
  • Sequence Diagram

Project Analysis and Scoping Techniques

  • In/Out List
  • Investment Logic Mapping
  • Scope Analysis

Root Cause Analysis

  • Fishbone Diagram

Stakeholder Management Techniques

  • Responsibility Matrices: RACI, RASCI, and More
  • Stakeholder Communications Matrix
  • Stakeholder Maps
  • Stakeholder Onion Diagram
  • Stakeholder Radar Diagram
  • Stakeholder Role Matrix
  • Stakeholder Salience Diagram

Jobad was not found

Unfortunately, the requested job ad does not exist anymore. Please run a new search.

We use cookies on our website. Some cookies are necessary for the operation of the website and all its functionalities, others are used for statistic purposes. You can find further information in our Data Protection Statement .

These cookies are necessary in order to operate our website with the mandatory security features as well as to enable the use of the offered functionalities.

We collect pseudonomyzed data for statistics and analyses which help us to constantly optimize our website and content.

IMAGES

  1. Introduction to Business Continuity Management (BCM)

    business continuity management (bcm)

  2. Business Continuity Management

    business continuity management (bcm)

  3. SoJo Consulting Services

    business continuity management (bcm)

  4. Business Continuity Management(BCM)

    business continuity management (bcm)

  5. BCMS:ISO 22301:2012-Business Continuity Management System

    business continuity management (bcm)

  6. Business Continuity Management (BCM) Explained (BCM)

    business continuity management (bcm)

COMMENTS

  1. What is Business Continuity Management (BCM)?

    Business continuity management (BCM) is critical for managing business operations and ensuring success in today's digital landscape. When facing potential disruptions, organizations need to have reliable and efficient solutions in place that will help them bounce back and restore operations as soon as possible.

  2. What is Business Continuity Management

    Business Continuity Management (BCM) integrates the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology continuity) and Business Continuity (organizational/operational relocation). Throughout the profession, definitions of Business Continuity Management abound.

  3. Business Continuity Management (BCM) Explained

    Business continuity management is the set of proactive measures that a company takes in order to avoid loss as a result of major events that negatively impact a business.

  4. Business Continuity Management (BCM)

    Contact Sales Prioritize critical functions, find key dependencies, and create plans to protect vital assets. Identify and close gaps in continuity plans by performing tabletop and other plan exercises. Reduce crisis impact with plans, including secondary site definitions and predefined runbooks.

  5. ISO

    Year of publication: 2019 | Edition: 1 A free publication about ISO 22301, Security and resilience - Business continuity management systems - Requirements, the International Standard for implementing and maintaining effective business continuity plans, systems and processes. Download CHF0 * Add to cart * Shipping costs will be charged

  6. ISO 22301:2019

    ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It provides a framework for organizations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.

  7. Business continuity planning

    Business continuity planning life cycle. Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential ...

  8. An Introduction to Business Continuity Management

    What is Business Continuity Management? According to the Business Continuity Institute (BCI), Business Continuity Management (BCM) is: "A holistic management process that identifies potential impacts that threaten an organization, and provides a framework for building resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation ...

  9. Business Continuity Management Guideline

    Business Continuity Management Guideline. Organizations of all sizes and types are susceptible to events that can disrupt operations—floods, tornados, terrorist attacks, public health emergencies, and more. To weather such crises, organizations need a business continuity management (BCM) program so they can recover as quickly as possible.

  10. Business Continuity Management (BCM): definition

    Business Continuity Management (BCM) is an integrated management process with the aim of identifying serious risks for an organization at an early stage and taking measures against them.

  11. What is business continuity and why is it important?

    Business continuity management software is also an option. Software -- either on premises or cloud-based -- helps conduct BIAs, create and update plans and pinpoint areas of risk. Business continuity is an evolving process. As such, an organization's business continuity plan shouldn't just sit on a shelf. The organization should communicate its ...

  12. Business Continuity Management (BCM)

    The Business Continuity Institute (Business Continuity Institute 2007b) defines Business Continuity Management (BCM) as an act of anticipating incidents that will affect mission-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner.

  13. Business Continuity Management (Complete Guide)

    Business Continuity Management (BCM) is the management process that oversees and implement strategies to address the risk of unexpected disruptions. It covers emergency response, risk management, planning, business continuity plan (BCP), training, testing and improvements. What are the 3 main areas of business continuity management?

  14. Enterprise risk management and business continuity management ...

    The ERM and BCM programs report to the same risk committee and/or board of directors. Organizations that integrate enterprise risk management (ERM) into their strategic planning efforts have found that business continuity management (BCM) enhances both their value creation objectives and their protection objectives.

  15. Understanding the Business Continuity Management Framework

    A Business Continuity Management Framework is a comprehensive structure that guides organizations in identifying potential threats, assessing their impact on critical business functions, and formulating strategies to minimize disruption and facilitate a swift recovery.

  16. BCM 101: What is Business Continuity Management?

    Business Continuity Management (BCM) has moved higher and higher up the agenda of organisations since the COVID-19 pandemic. But what is Business Continuity Management and how do you make sure you get it right at your organisation? Watch the 4C Strategies & BCI webinar

  17. The Basics of Business Continuity Management (BCM)

    The Basics of Business Continuity Management (BCM) June 5, 2020 5 minute read Stephen Watts In the wake of the recent unforeseen global pandemic, many organizations are thinking about what they have done, what they should have done, and what they need to do in the future in order to maintain normal business operations during times of disaster.

  18. Business Continuity Management (BCM)

    Business Continuity Management or BCM is an organization-wide discipline and a complete set of processes that identifies potential impacts which threaten an organization. It provides a capability for an effective response that safeguards the interests and reputation of its major stakeholders. BL-B-5 Click to know more

  19. Business Continuity Management Program Solutions Reviews and ...

    Gartner defines business continuity management program solutions as the primary tools used by organizations to manage all phases of the business continuity management (BCM) life cycle, from planning to crisis activation. BCMP solutions provide capabilities for availability risk assessment, business impact analysis (BIA), business process and ...

  20. Business Continuity Conferences in 2024

    International Conference on Business Continuity Management and Applications. 19-20 September, Toronto, Canada. Though it is marketed as being held in Toronto, the International Conference on Business Continuity Management and Applications will be held online. Discussions at this event are promised to be an interdisciplinary affair, with ...

  21. Risk map

    Risk of expenses (losses) sustained by the market operator as a result of mistakes (defects) made in deciding on the operator's business and development strategy. Principal methods of strategic risk management include: building up a process for strategic planning and management commensurate with the Exchange's calibre and operations;

  22. Open programmes

    Dorie Clark. Dorie Clark is an adjunct professor at Duke University's Fuqua School of Business and a professional speaker. She is the author of Entrepreneurial You (Harvard Business Review Press), which was named one of the Top 10 Business Books of 2017 by Forbes. Her previous books include Reinventing You and Stand Out, which Inc. magazine declared the #1 Leadership Book of 2015, and was a ...

  23. Techniques

    Business Analysis Techniques Introduction. There are many techniques that Business Analyst's employ to do their job. With different techniques being available for different purposes in different situations. The goal of this section of the wiki is to eventually provide: A fairly comprehensive list of techniques of use to Business Analysts

  24. Business Continuity Management (100%, all genders)

    BCM complements the existing structures to strengthen the resilience of SWISS and LH Group. The position involves the establishment of a BCM system. ... Several years of professional experience with in depth knowledge of Business Continuity Management; Very analytical and conceptual thinking approach; Very strong self organization skills;

  25. Risk management strategy

    This annual report gives an overview of Moscow Exchange's performance during 2019. Moscow Exchange is the sole multifunctional exchange platform in Russia for equities, bonds, derivative instruments, currencies, money market instruments and commodities.

  26. Fikre Gebretsadkan on Instagram: "Master the Art of Business Continuity

    1 likes, 0 comments - wolelay_management_consultancy on December 10, 2023: "Master the Art of Business Continuity Management with Our Training Program! Looking to develop a..." Fikre Gebretsadkan on Instagram: "Master the Art of Business Continuity Management with Our Training Program!