What is Business Continuity Management?

Business Continuity Management is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (International Glossary for Resiliency).

Business Continuity Management (BCM) integrates the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology continuity) and Business Continuity (organizational/operational relocation).

Throughout the profession, definitions of Business Continuity Management abound. However, research conducted by the DRI International Glossary Committee identifies the most accurate description of Business Continuity Management as the definition from the ISO 22301 standard cited above. As part of an ongoing process to create and maintain an international glossary, the committee determined the best-in-class definitions for commonly used BCP/DR terms. Creation of the glossary document involved an independent body of highly respected volunteers examining existing recognized definitions and reaching a consensus on which source(s) reflected the most accurate meaning.

The Value of Business Continuity Management

The reasons to have a robust Business Continuity Management program are many and the scope of such a program is enterprise-wide. Here is a list of some of the top reasons that make Business Continuity Management a priority:

Legal and Regulatory Compliance

Regulation: There are over 120 regulations that mandate Business Continuity Management across a variety of industries, including but not limited to:

  • Financial Services - Federal Financial Institutions Examination Council (FFIEC), Financial Industry Regulatory Authority (FINRA), Financial Services Authority (FSA), among others
  • Energy - North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC)
  • Healthcare - Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
  • International - The International Regulatory Framework for Banks (BASEL III) and all Central Banks have Business Continuity Management requirements

Negligence: Court decisions, the basis for common law, have ruled that "failure to prepare" as well as "failure to plan" are grounds for negligence. Negligence is defined as a part of tort or personal injury as "a failure to use that degree of care that any prudent person would use under the same or similar circumstances."

Demands by Organizations for their Vendors

Customer demand: Requests for Proposal (RFPs) now require potential vendors to demonstrate that they have Business Continuity Management programs in place.

Regulation: There are regulatory requirements that govern preparedness in the supply chain. Specifically, federally chartered banks are governed by the FFIEC and the OCC (Office of the Comptroller of the Currency), which charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. For healthcare organizations, the primary regulatory consideration in the supply chain is covered under HIPAA. All of these regulations call for ongoing monitoring of the third party's activities and performance.

Smart business: It is a competitive advantage for companies to have a resilient supply chain that will make them better able to respond to a disruption than their competition. This ability will make the prepared company a more attractive supplier to larger organizations that will benefit from the increased reliability of the smaller business.

To Maximize Insurance Coverage

Business Continuity Management increases an organization's ability to provide risk transfer information, including in the:

  • Analysis Phase of Business Continuity Management: Organizations conducting a Business Impact Analysis (BIA) will be able to ascertain the profit losses as well as the amount of fixed costs that must be paid in the event of an incident that triggers an insured peril. This calculation will help quantify the proper amount of Business Interruption Insurance (BI). The BIA similarly helps to calculate Contingent Business Interruption Insurance (CBI) and Supply Chain Insurance, which reimburse lost profits resulting from an interruption of business at the premises of a customer or supplier.
  • Strategy Phase of Business Continuity Management: Extra Expense Insurance provides for maintaining the operations of an insured item after an accident until normal operations can be restored.

Reputation and Resilience Management

Business Continuity Management can help organizations protect their reputation and increase their resilience in the face of adverse circumstances, whether internal or external. Business Continuity Management can help to protect the brand from a variety of risks, including cyber risks, deliver to customers as promised, and reduce downtime and the cost of recovery in the event of an incident.

ISO 22301 Business Continuity Simplified: Fortify Your Business Against Disruption

By Andy Marker | June 22, 2020 (updated September 15, 2022)

In this article, you’ll find expert tips and implementation guides, and you'll learn how ISO 22301 can buffer your business against disasters. 

Included on this page, you’ll find an International Standards Organization (ISO) 22301 audit checklist template, a simplified ISO 22301 cheat-sheet, and an ISO 22301 self-assessment checklist, as well as examples of ISO 22301 in action and an ISO 22301 quick-start guide.

What Is ISO 22301?

ISO 22301 is a global standard for business continuity planning requirements to help organizations protect themselves against disruptions. The most current version is 22301:2019, Security and resilience - Business continuity management systems - Requirements.

The requirements in ISO 22301 address disruptive incidents that can be natural or human-made, widespread or local, intentional or unintentional, such as a snowstorm, a broken water main, an epidemic, a data breach, or a phishing attack. Large or small, for- and nonprofit organizations alike can use ISO 22301.

The Business Manager’s Quick-Start Guide to ISO 22301

The ISO 22301 standard can provide benefits for your business continuity planning, even if your organization chooses not to pursue certification (the review process that confirms your business continuity system meets all ISO 22301 requirements).

“Certification is nice, but not required,” says Mart Rovers of InterProm. “First, seek compliance. That way, you know that your business continuity management practices are in better shape.” You can start to create a solid business continuity plan with just a few simple steps, which you can also download as this ISO 22301 Quick-Start Guide.

  • Check If You Already Have Continuity Plans: Find out if your organization already has business continuity plans. Search through your document management system and ask management or long-time employees. Organizations sometimes create and quickly forget about resources, or store responses locally in an informal system. As Andrew Nichols of the Michigan Manufacturing Technology Center suggests, if your organization already implements other ISO standards, such as ISO 9001 or ISO 27000, you can leverage some of the common requirement elements for your 22301 plan.
  • Identify Missing Components: Conduct a gap analysis of existing policies and processes to see what business continuity resources you need. According to Mart Rovers, one way to conduct a self-assessment is to copy into a spreadsheet each phrase of the ISO 22301 standard that contains the word "shall." Then, determine gaps between your company and the standard. "Use the standard as your guide to establishing a coherent set of practices to address business continuity management for your organization," says Rovers. You can also use Smartsheet's ISO 22301 Self-Assessment Checklist and ISO 22301 Simplified Cheatsheet for your gap analysis.
  • Keep It Simple: Having binders full of perfectly formatted procedures won’t help in an emergency. Create easy-to-follow guidelines and checklists and, more importantly, build "muscle memory" in your employees through training and drills. That way, in a panic, people understand what to do without having to be told.
  • Make Your Plan a Living Document: Ticking off items on an audit checklist doesn't mean you’re prepared. Frequently read, revise, and practice your plan to keep it relevant and to train new staff.

  • Communicate Your Plan to Staff and Other Stakeholders: Even the most well-written plan is useless if the people who can benefit from it don't know about it. Inform everyone covered by the plan that it exists, including your supply chain and other outside stakeholders.

ISO 22301 Requirements

The ISO 22301 standard offers a framework for planning, testing, and monitoring a business continuity management system (BCMS). The ISO 22301 document contains 10 sections, which introduce the standard and definitions, as well as actionable requirements of the standard. 

As with other ISO requirement documents, ISO 22301 describes only what organizations must do to reach minimum proficiency — it does not prescribe how to achieve these standards. Each organization must consider its distinct conditions and obligations to find the best way to follow the requirements.

Here is an overview of the clauses in ISO 22301 that impact an organization most: 

  • Clause 4, Context: Your organization must understand what it is, what it does, and what outputs and processes it must sustain. You must also determine who has a stake in the continuity of your operations — in other words, the interested parties. For example, customers have a stake in your organization continuing to function.
  • Clause 5, Leadership: Few organizational initiatives thrive without the sustained support and championship of top management. Management must commit to a business continuity plan and make available any resources — human, financial, or otherwise — to ensure its success. 
  • Clause 6, Planning: To plan for sustainability, you must understand what disruptions could potentially occur and how these incidents affect the business — in other words, potential risks and their impact. Set measurable business continuity objectives to guarantee the minimum viable products or services, as well as compliance with any legal or regulatory requirements. 
  • Clause 7, Support: No program can advance without resources and support. Decide what personnel, roles, and teams you need for threat response and how you can best enhance their effectiveness. Create internal and external communication procedures for reference, and communicate the continuity plan to all necessary parties before and during a crisis. Establish a document management system for key continuity documents, such as procedures.
  • Clause 8, Operation: Conduct your risk assessment and business impact analysis, and plan your disruption recovery approach. Implement the recovery plan with detailed procedures, and test it regularly to verify that it works. Make sure people can find the procedures (and other documents) they need, and revise your plan as necessary.
  • Clause 9, Evaluation: Establish a process to regularly measure and assess your continuity policies and procedures and their execution. Review and revise your plan and documents to ensure they are effective and relevant.
  • Clause 10, Improvement: Seek continual improvement in all functional and operational areas, including through periodic management reviews. Improvements in day-to-day activities help bolster the organization in times of disruption. When processes veer from the standard or fail to conform with ISO and quality management standards, implement corrective action.

Key Definitions Related to ISO 22301

Some of the following key terms and concepts originate with ISO, some with ISO 22301, and some with business continuity and risk management:

  • Context: The purpose and character of the organization and the environment in which it operates. This includes internal and external influences that shape the business continuity management system.
  • Disruptive Incident: A disruptive incident is an event that stops or slows the everyday work of an organization. Examples of disruptive incidents include earthquakes, internet stoppages, broken fans in a data center, or food poisoning in a cafeteria. 
  • Interested Parties: Interested parties are stakeholders in the successful operation and outcomes of your business continuity plan. They can include customers, employees, suppliers, or regulatory officials.
  • Leadership: In ISO 22301, leadership refers to top management or the person or people who run the organization and champion the business continuity effort. 
  • Maximum Acceptable Outage (MAO): The length of time an activity or process can be unavailable or ineffective before the health and survival of the organization are threatened. 
  • Minimum Business Continuity Objective (MBCO): The lowest level of products or services that is acceptable for a business to offer during a disruption.
  • Recovery Timeframe Objectives (RTO): This refers to the prioritization of key activities and the timing that makes those activities operational.

Benefits of ISO 22301 and Business Continuity Management System

If teams are already overwhelmed with their workload, they may not like to think about disasters. Furthermore, organizations might think that ISO standards include difficult jargon and that pursuing a continuity plan adds unnecessary work. However, management systems practitioners suggest that continuity preparations produce substantial gains.

“I think it's a truism that many organizations can benefit from the principles and some of the practices of resiliency and contingency planning,” says Andrew Nichols, Quality Program Manager at the Michigan Manufacturing Technology Center.

As an example of the benefits that risk analysis and preparation can yield, Nichols relates his experience of visiting a small northeastern town during a widespread winter power outage. The whole town was closed, with the exception of one restaurant that had a generator. 

“They had a line of people out the door every mealtime because nowhere else was capable,” Nichols remembers. “Somebody had the foresight to think about the loss of power. And that organization cleaned up financially because they were able to provide what the customers needed.” 

Consider these specific benefits to using ISO 22301 business continuity planning:

  • Protect against and recover from disruptive incidents.
  • Identify and control current and future threats.
  • Improve your risk management planning efforts.
  • Prevent large-scale damage.
  • Become proactive in preventing problems and recovering from incidents, rather than reactive to damage and disruption.
  • Reduce downtime and shorten recovery time.
  • Keep important activities running during disruption.
  • Deliver quality products consistently. 
  • Provide dependable service. 
  • Prove you’re a reputable supplier.
  • Prove your resilience to all stakeholders.

Experts also assert that ISO 22301 can be a simple and effective continuity tool. “All these ISO standards, they’re like hidden gems because of how fast they can get you up to speed without having to reinvent the wheel,” says Mart Rovers, President of IT consulting firm InterProm.

“I cannot emphasize enough how within reach this standard is. Anytime people hear the word ‘ISO,’ they think, ‘Oh, that's for large organizations. Oh, that's way too formal. It's too much. It's overkill.’ I understand where this is coming from because the word ‘standard’ itself is scary for many organizations. However, the size of organization really doesn't matter. The things you should be doing in ISO 22301, you can do at a smaller scale,” says Rovers. 

Some also hesitate at the thought of certification. Both Nichols and Rovers stress that certification is not necessary for every enterprise. Although certification may be a condition of doing business for some companies, those who don’t need certification can still gain advantages from following ISO 22301. 

In weighing the pros and cons of ISO certification, Rovers suggests buying a copy of ISO 22301, and then copying and pasting each sentence that contains the word “shall” into a spreadsheet (these sentences represent the requirements you must follow). From the spreadsheet, consider whether full ISO adoption and certification are too complicated for your organization. Regardless of your decision, you can always use the spreadsheet to conduct a self-audit.

ISO 22301 in Action

The following image provides a small sample of the possible outcomes to business continuity management.

How a Management System Helps Business Continuity

For those familiar with other ISO standards, the management system component of ISO 22301 might be a new concept. Rovers describes management systems as follows: 

“The best way to explain a management system is to imagine opening up an old watch. It has these spinning wheels, these gears. In the case of an ISO standard, you're looking at a number of requirements to put that watch together with all these spinning wheels. That watch is a coherent system. You take out one of those gears, and then the watch fails. 

“A management system for continuity follows the same idea — every requirement that the standard asks for represents one of those gears. And every requirement serves a distinct purpose (otherwise, it would not be a requirement). If you don't meet a particular requirement, the watch, so to speak, may not function as it could or should. These ISO requirements are not just there to keep you busy.”

ISO 22301 and PDCA

Each segment of the PDCA (plan-do-check-act) cycle for continuous improvement corresponds to at least one ISO 22301 clause. Organizations can use ISO 22301 to test continuity procedures, review outcomes, and implement updates or fix problems in a continuous cycle that leads to an increasingly resilient business continuity system.

ISO 22301 and Maturity Models

A maturity model measures an organization’s ability to pursue continuous improvement in key areas. ISO 22301 does not have a maturity model.

As Rovers explains, “It was never the intent of ISO 22301 to be a maturity model. You either meet all the requirements of the standard, or you don’t. You could say that by not meeting the requirements of the standard, you’re not mature. Or better said, your business continuity management practices are not mature.”

BCM Lifecycle ISO 22301

The business continuity management (BCM) lifecycle represents industry best practices and some of the core requirements of ISO 22301. These practices offer a solid foundation for resilience, while offering flexibility to adapt to changes in the organization. 

Guided by leadership, these are the key activities for the lifecycle:

  • Conduct a business impact analysis and risk assessment.
  • Establish a business continuity strategy.
  • Establish and implement business continuity procedures.
  • Exercise and test the procedures regularly before a disruption occurs.

ISO 22301 Audit Checklist Template (Excel)

Use this detailed checklist to determine if your business continuity plan aligns with ISO 22301 standards. You can use the template whether you’re applying for certification or simply pursuing a continuity management plan.

ISO 22301 Self-Assessment Checklist

This self-assessment checklist is divided into sections that correspond to clauses in ISO 22301. Use it to confirm whether your business continuity system meets the requirements for leadership, planning, support, operation, performance evaluation, and continual improvement.

ISO 22301 Implementation Guide

This guide states the essential information from ISO 22301 in plain English. For best results, read it with the full standard, which is currently available for free online to support the COVID-19 response.

ISO 22301 Simplified Cheat-Sheet

Use this simplified cheat-sheet to understand the basic elements of creating a business continuity plan. The template walks you through the process of determining critical aspects of your organization, writing the recovery plan, and exercising the plan to ensure proficiency.

ISO 22301 Business Continuity Policy Template

A business continuity policy describes the processes and procedures an organization needs in order to function well daily, including in times of disruption and crisis. This policy template includes space for BCMS objectives, a leadership description, a policy outline, and any certification details.

ISO 22301 Business Continuity Template

Use this template to create a business continuity plan. Describe the results of your risk analysis and business impact analysis, detail your disaster recovery and continuity procedures, and list key contacts and important assets.

ISO 22301 Business Continuity Sample

The Community Nonprofit Center of New York made available this business continuity template to support the response to coronavirus. Find space to detail responses to minimal and critical emergencies, a risk matrix template, and lists for information about insurance, critical assets, and responses to disruptive events.

For other useful free, downloadable business continuity plan (BCP) templates, read our "Free Business Continuity Plan Templates" article.

Disaster Recovery Plan Templates

After you perform a risk analysis and business impact analysis, consider writing a disaster recovery plan. Disaster recovery plan templates, available in different formats, provide an easy-to-use structure for documenting continuity plans. Download templates specialized for IT, payroll, small businesses, and more.

To learn about the difference between recovery plans and continuity plans, visit our "Business Continuity and Disaster Recovery: Their Differences and How They Work Together" article.

ISO 22301 Versus ISO 27301

ISO 27301 provides requirements that organizations use to ensure their information and communications technology (ICT) continuity, security, and readiness to survive a disruption. The standard is often staged with ISO 22301 because both are based on similar management system approaches.

The full name of this standard is ISO 27301 - Information Technology - Security Techniques. Originally published in 2011, it is soon to be revised.

“Both [ISO 27301 and ISO 22301] ask for top management involvement and commitment, both ask that you have the right resources, that you have documentation management, that you do performance evaluations, and that you make improvements,” explains Rovers. 

They differ in the focus of the risk assessment: ISO 27001 addresses security, whereas ISO 22301 addresses business continuity. “Each area has different risks, but the approach to the risk management assessment and mitigation follows the same steps. There's enormous overlap.”

IT security continuity has significant relevance in the remote work environment. For example, while using your work laptop at home or signed into the work network, what happens when someone innocently plugs in a thumb drive that infects your laptop and corrupts the network? Both ISO 22301 and ISO 27001 work together to prevent such incidents and mitigate problems that occur.

For additional resources, visit "Free ISO 27001 Checklists and Templates."

General Requirements Across Management System Standards

Some ISO requirements are commonly stated across the management system standards, which include ISO 22301; ISO 9001, Quality Management; ISO 20000, IT Service Management; and ISO 27001, Information Security. Examples of common requirements include establishing objectives for the business continuity management system as appropriate to the organization, obtaining management’s commitment to supporting the system, implementing a documentation management system, conducting internal audits, and pursuing continual improvement. This functional overlap enables organizations to undertake combined audits for these standards.

Historical Foundations of ISO 22301

The concept of business continuity was born out of the IT boom of the 1980s and 1990s. Public and private organizations realized the need to ensure continuity of service and key supplies and to mitigate the effects of disruptive events. The first formal standard reflecting these concerns was the United Kingdom’s British Standard (also known as BS) 25999, which introduced the management system concept to the business continuity discipline.

In 2012, the global standards body ISO released ISO 22301:2012 as the first international standard for business continuity. Based on the contributions and comments of continuity professionals from assorted industries in over 60 countries, ISO 22301 superseded BS 25999. 

ISO’s consensus-based standards, such as 22301, cover practices and industries ranging from quality management, IT service, and food safety to environmental safety and information security. ISO standards aim to increase the quality and safety of many products and services, including most common household items, appliances, and cars. Although large enterprises and manufacturers usually follow ISO requirements and guidelines, organizations of all sizes and types can benefit from ISO principles. 

For ISO 22301, the standard provides a consistent BCMS framework and a universal language among organizations for communicating about continuity and aligning processes.

When they get certified in ISO 22301 and other ISO standards, organizations can demonstrate to management, legislators, regulators, customers, and other stakeholders that they follow good practices. For ISO certification, organizations need third-party verification that they comply with all requirements of a standard. 

“Certification shows you have some level of competence,” explains Rovers. “It shows you take the standard seriously. For organizations buying your goods or services, it can be a compelling reason to choose you.”

Guidance Documents for ISO 22301

For in-depth discussions of aspects of the 22301 standard, ISO offers a series of guidance documents. To those considering pursuing ISO 22301 certification, these documents provide additional insight:

  • ISO 22313 - Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301
  • ISO 22316 - Security and resilience — Organizational resilience — Principles and attributes
  • ISO 22317 - Societal security — Business continuity management systems — Guidelines for business impact analysis (BIA)
  • ISO 22318 - Societal security — Business continuity management systems — Guidelines for supply chain continuity
  • ISO 22330 - Security and resilience — Business continuity management systems — Guidelines for people aspects of business continuity
  • ISO 22331 - Security and resilience — Business continuity management systems — Guidelines for business continuity strategy

What Is the Latest Version of ISO 22301?

The requirement document ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, was released on October 31, 2019. The update from the original 2012 version reflects changes in management system approaches and clarifies specifications around clause 8.

What Is a Business Continuity Plan (BCP), and How Does It Work?

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

  • Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
  • BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
  • BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks. Once the risks are identified, the plan should also include:

  • Determining how those risks will affect operations
  • Implementing safeguards and procedures to mitigate the risks
  • Testing procedures to ensure they work
  • Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs or the customers who move to the competition. A BCP is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

  • Business Impact Analysis: Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
  • Recovery: In this portion, the business must identify and implement steps to recover critical business functions.
  • Organization: A continuity team must be created. This team will devise a plan to manage the disruption.
  • Training: The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios. This will help identify any weaknesses in the plan, which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

  • The impacts—both financial and operational—that stem from the loss of individual business functions and processes
  • Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

Although BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain.

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel, who create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes.

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic, and business continuity plans (BCPs) are an important part of any business. A BCP is typically meant to help a company continue operating in the event of threats and disruptions. Such events could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs or the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization following a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.

Federal Emergency Management Agency. "Business Process Analysis and Business Impact Analysis User Guide." Pages 15-17.

Ready. "IT Disaster Recovery Plan."

What is Business Continuity Management? A Comprehensive Guide

  • Written by: Rinaily Bonifacio
  • Last updated: 28 September 2023

In this article, we will discuss the different components of a BCM framework and the strategies an organization can use to protect itself from potential disruptions.

Table of contents

  • What is business continuity management?
  • BCM framework: the building blocks of resilience
  • The role of communication and managing business continuity
  • Resilience and reputation management
  • Consider establishing a business continuity management program today
  • Frequently asked questions

What is business continuity management?

Business continuity management refers to an organization's proactive planning and preparation to uphold business operations or promptly recover after a disaster, such as fire, flood, or cyber-attack. It also entails identifying potential risks.

Business leaders aim to anticipate and handle potential crises by developing preventive measures. They will then verify the effectiveness of these procedures through testing and regularly evaluate the process to ensure its relevance and validity.

Policies and Strategies

Continuity management encompasses responding to natural disasters or cyber attacks and creating, testing, and implementing policies and procedures in the event of an incident.

The policy should clearly outline the program's scope, key stakeholders, and management structure while emphasizing the importance of business continuity and governance during this phase.

One aspect of creating and modifying a business continuity plan checklist is determining who is accountable for it, while another is identifying the team in charge of its execution. Proper governance helps clarify what can be a chaotic situation for everyone involved.

Defining the scope is important as it explains what business continuity entails for the organization.

Does the plan cover maintaining the functionality of applications, availability of products and services, accessibility of data, or safety of physical locations and people? To ensure clarity, businesses should specify which aspects of the company are included in the plan, such as revenue-generating components, external-facing areas, or any other subset of the organization.

During this phase, it's important to assign roles and responsibilities.

The roles required for managing disruption can either be based on job function or tailored to the specific type of disruption. In all cases, it is important to communicate and receive support for the policies, governance, scope, and roles.

Business Impact Assessment

The impact assessment is a process that helps you identify the data your company holds, where it's stored, how it's collected, and how it's accessed. It also determines which data are the most critical and how much downtime is acceptable if that data or apps become unavailable.

Although companies strive for 100% uptime by implementing redundant systems and storage capacities, there may still be instances where this goal is not achievable. During this stage, it is essential to determine the recovery time objective, which is the maximum duration needed for restoring applications to a functional state in the event of a sudden service interruption.

Additionally, companies need to be aware of their recovery point objective. This refers to the maximum amount of time that data can be lost before it would become detrimental to the business and its customers. Another way to think of it is as the level of acceptable data loss.

Risk Assessment

To ensure enterprise safety, it is essential to identify potential threats such as bad actors, internal players, competitors, market conditions, political matters (both domestic and international), and natural occurrences. Creating a risk assessment is crucial in developing a plan for addressing these threats.

The process of risk assessment aims to identify various potential risks that may affect the organization.

The first step is to identify potential threats, which can have a wide range of effects. This involves:

  • The impact of personnel loss
  • Changes in consumer or customer preferences
  • Internal agility and preparedness to react to security incidents by creating a plan
  • Financial volatility

Companies that operate under regulation should consider the possibility of non-compliance, as it could lead to severe financial penalties and fines, greater scrutiny from regulatory agencies, and the loss of reputation, certification, or credibility.

It is essential to describe and provide details for every risk. In the following step, the organization should evaluate each risk's likelihood and possible impact. Probability and potential impact are essential factors to consider during the risk assessment process.

After identifying and ranking the risks, the organization should determine its risk tolerance. They need to focus on urgent and critical matters that need addressing. This stage involves finding potential solutions, evaluating them, and determining their cost. The organization should prioritize which risks to address based on their probability and cost.

The risks that have been ranked must be assessed to determine which ones will be tackled initially. It is important to note that this is not a one-time event and should be revisited regularly to accommodate any new risks that may emerge due to technological changes, geopolitical factors, and competition.

Validation and Testing

It is important to regularly monitor, measure, and test potential risks and their impacts. After implementing plans to mitigate these risks, they should also be evaluated to confirm their effectiveness and cohesiveness.

Incident Identification

To ensure business continuity, it is crucial to define clearly what qualifies as an incident. This definition should be included in policy documents, along with the specific actions or factors that can activate the incident alert. Once the alert is activated, the business continuity plan should be implemented, and the team should be prepared to respond accordingly.

Disaster Recovery

Can you explain the distinction between business continuity and disaster recovery? Business continuity refers to the overall framework for operations and policy-making, while disaster recovery is concerned explicitly with responding to incidents.

Disaster recovery aims to identify and address risks to respond to specific incidents. It involves deploying teams and taking action to mitigate the effects of a disaster but is not the same as broader planning.

After an incident, a key task is to hold a debriefing to evaluate the response and make necessary plan revisions.

Effective communication plays a crucial role in managing business continuity. This includes crisis communication, which involves establishing clear and transparent channels for communication with customers, consumers, employees, senior management, and stakeholders.

Consistency in communication strategies is critical before, during, and after any incident. All messaging should be accurate, consistent, and delivered with a unified corporate voice.

In crisis management, multiple levels of communication are necessary. This includes developing tools to track progress, identify critical needs, and address issues. Although different groups may require different types of communication, the information provided should be consistent across all sources.

Not having a business continuity plan poses significant risks. If a company fails to prepare, it will not be equipped to handle urgent problems.

These risks can make a company unprepared and cause additional problems, such as:

  • Cloud-based servers, systems, and applications may experience downtime, and even a few minutes of downtime can lead to significant revenue loss.
  • Frequent or prolonged periods of downtime can damage the trust and loyalty of customers and negatively impact a business's reputation and brand identity. This can result in a loss of customer retention.
  • Financial services, healthcare, and energy industries can face regulatory compliance risks. Severe consequences may arise if the systems and data are not operational and accessible.

Properly managing business continuity involves ensuring data protection and integrity. If data is lost, the consequences can be catastrophic.

A systematic approach to business continuity planning should be a part of the organizational culture. This approach can help businesses to recover critical activities more quickly.

Business Continuity Management (BCM) is an essential strategy for organizations looking to ensure the continuity of their operations in the face of disruptions. By proactively identifying risks, assembling a cross-functional BCM team, and regularly reviewing and updating your plans, you can keep your organization operational—no matter what comes your way. With the proper BCM framework and strategies in place, you can safeguard your organization's future success.

What's the difference between Business Continuity Management (BCM) and Disaster Recovery (DR)?

While BCM and DR are geared toward helping organizations recover from disruptions, they're not quite the same. BCM is a broader approach that focuses on ensuring the continuity of critical business functions. In contrast, DR is a subset of BCM that deals with recovering IT systems and infrastructure.

Why is Business Continuity Management (BCM) important?

In today's fast-paced, interconnected world, disruptions can strike at any time—and the consequences can be severe. A well-designed BCM plan can help your organization minimize the impact of disruptions, protect your reputation, and ensure long-term success.

How often should I review and update my Business Continuity Management (BCM) plan?

There's no one-size-fits-all answer to this question, as the frequency of reviews and updates will depend on your organization's unique circumstances. However, as a rule of thumb, reviewing your plan at least annually or whenever significant changes occur in your organization or the business environment is a good idea.

Business Continuity Management (BCM)

Leni Sagita Riantini Supriadi

Department of Building, National University of Singapore, Singapore, Singapore

Low Sui Pheng

This chapter elaborates on a review of BCM. As the background, it describes the historical development of BCM and its relationships with other concepts. It will be followed by reviews on BCM as a management system, BCM’s main principles, and Business Continuity Planning overview. The next section will describe the implementation of BCM, related with regulations or standards that support the concept and the development of BCM level of preparedness. Several reviews on BC plans from various sectors are elaborated in the final part of the chapter, followed by reviewing the need for BCM in organizations based on its benefits and challenges.

Introduction

BCM Definition and Development

The Business Continuity Institute (Business Continuity Institute 2007b) defines Business Continuity Management (BCM) as an act of anticipating incidents that will affect mission-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner. Moreover, the Singapore Standard for BCM (SPRING 2008) looked at this concept as a holistic management process that identifies potential impacts which threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Foster and Dye (2005) similarly viewed BCM as the process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. In this context, top management must take the lead in driving organizational BCM with a view to garnering the collective efforts of all individuals within the organization for this purpose (Low et al. 2008a).

The main objectives of developing and implementing a BCM in an organization are (O’Hehir 1999; Health 1999):

  • To enable a focused approach in developing a business continuity plan (BCP), using a well structured and comprehensive methodology.
  • To develop a pragmatic, cost effective, and operable recovery plan, to enable the firm to achieve critical business processes during a major disruption to the firm’s operations.
  • To minimize the impact of the crisis on the firm’s operations.

Moreover, Smith (2003) stated that an effective BCM strategy should be to ensure the safety of staff, maximize the defense of the organization’s reputation and brand image, minimize the impact of business continuity events (including crises) on customers or clients, prevent impact beyond the organization, demonstrate effective and efficient governance to the media, markets and stakeholders, protect the organization’s assets, and meet insurance, legal and regulatory requirements.

Historically, BCM was developed many years ago as an evolution of the disaster recovery approach in a firm. Its roots lie in Information Systems (IS) protection, although it is argued that it has come a long way since then. Elliott et al. (2002) elaborated on these theories in more detail, explaining that the evolution of BCM has progressed from a focused technical aspect to a broader strategic organizational requirement. They also described the evolution as being linked to three mindsets within organizations: the technology, auditing, and value-based mindsets. The key features of these mindsets are:

  • Technology mindset in the 1970s—The focus was on the protection of computer systems, principally hard corporate mainframe systems. During the 1970s, a common assumption was that business disruptions were triggered by a technology failure; thus priority was placed on protecting hard systems such as corporate mainframe systems (Prithchard 1976; Broadbent 1979; Kuong and Isaacson 1986).
  • Auditing mindset in the 1980s—Technological changes in the 1980s, which moved the IT element away from the mainframe to end-user PC responsibility, brought with them regulations, corporate legislation and policies. Auditing was needed to ensure compliance. The major focus of the auditing perspective is still on the technology, the plan itself, and how continuity can be established through protecting essential business activities.
  • Value mindset in the 1990s—This described the value-based mindset as being focused on the needs of the business, where BCM is considered to have the potential to add value to the organization. The value-based perspective departs from the technology and auditing perspectives in the assumptions that were made about the scope and purpose of BCM. The scope is perceived as constituting the entire organization including employees, who are regarded as presenting the biggest challenge in terms of implementation and management of the business continuity process. Organizational stakeholders are regarded as being the most important driver for change and BCM. The fundamental approach in this perspective is that business continuity is regarded as the integration of social and technical systems which together enable effective organizational protection (Swartz et al. 1995). Therefore, BCM not only protects but is also seen to contribute to the value adding process through more efficient systems or providing value-adding benefits to customers through superior responsiveness, reliability, and security.

According to Foster and Dye (2005), after the September 11, 2001 attacks on the World Trade Center in New York City, many companies realized that the world is now full of many unknown threats, requiring that business continuity plans be much broader than in the past. Significant threats are no longer confined to the categories of fire, natural disasters and some infrastructure breakdown. Threats such as terrorism, cybercrime, and reliance on third-party vendors and suppliers have also become significant. Therefore, business continuity planning should require more robust prioritization efforts for business recovery, proactive development of new and innovative recovery strategies, and a greater dependence on the testing of plans. Furthermore, strategic thinking is needed not only about the location decisions for a company’s own facilities, but also about the location decisions of business partners (such as suppliers). All of these environmental changes take BCM to a higher level, which is more focused on building resilience.

Smith (2003) also argued that BCM is not only about disaster recovery or responding to a crisis. It should be a business-owned and driven process that unifies a broad spectrum of management disciplines. In addition, crisis and risk management are part of the fundamentals used for developing a BCM concept.

Figure 3.1 shows the difference between the old and new BCM approach. Herbane et al. (1997) described the continuum of standard and better practice of BCM and identified a number of dimensions against which practice might be assessed. The first two dimensions refer to the types of staff employed in continuity projects and to the scope of their work. Standard practice is concerned with IT systems and employs only IT staff while better practice organizations employ staff from various backgrounds on a project which is business wide in scope. In standard practice, there was little need for new structures because IT could deal with continuity. In better practice cases, new structures of coordinators were identified with responsibility for the continuity process being delegated to each business unit and the dedicated continuity team providing a supporting role. The final group of dimensions relates to the strategy. Better practice saw continuity as a strategic issue both in terms of protecting its place in the supply chain and in marketing activities.

Old and new BCM approach. Source: Adapted from Herbane et al. (1997)

These reviews show that BCM has developed and evolved into a more holistic approach. It has progressed into a broader strategic organizational mindset which focuses on business values. In terms of definition, SPRING’s (2008) definition of BCM appears to have incorporated all of these aspects and represents the latest BCM mindset. Other BCM definitions from BCI (2007b), Foster and Dye (2005), and Smith (2003) provide similar meanings of the BCM concept, focusing on the keywords: processes/procedures for the organization; response to incidents/threats/events; critical functions; and a planned and rehearsed manner. However, SPRING (2008) defined BCM’s critical functions in more detail, including key stakeholders, reputation, brand and value-creating activities. Moreover, it specified the management process as holistic, and the responses to threats/incidents are developed as a framework for building resilience.

BCM and Other Related Concepts

BCM has been considered as part of other concepts for overcoming crisis. There are relationships between BCM and these concepts, such as risk management, crisis management, and disaster recovery.

BCM and Risk Management

There are differences between risk management and BCM. Risk management focuses on a thorough organization-wide identification and assessment of risks and evaluating risks in relation to their likelihood and impact before identifying an appropriate risk response. BCM is concerned only with events that cause a significant business disruption, where it is not mainly concerned with probability but with the impact of an event and the time required for an organization to return to normal business operations (Collier 2009). Moreover, Goh (2010) mentioned that the relationship between risk management and BCM can be partially explained by referring to the Australian Standard for risk management. BCM efforts focus on addressing those risks which are deemed not acceptable to the organization. Subsequent BCM activities are aimed at establishing the appropriate measures to address these risks. It relegates BCM as part of risk treatment. Business Continuity has been defined “to safeguard the interests of an organization and its key stakeholders by protecting its critical business functions against predetermined disruptions” (BCI 2010, p. 3). The numbers and types of critical business functions in an organization would depend on the nature of the business and its mission as reflected in its Minimum Business Continuity Objective (MBCO). Risk management in BCM should be restricted to those instances where it affects the MBCO of the organization. It is also important to note that BCM is focused on identifying vulnerabilities within organizations, especially those linked to the underlying value they support and understanding the impact of their non-availability over time on the organization (BCI 2010; Hiles 2007). Table 3.1 summarizes the comparison between risk management and BCM.

Comparison between Risk Management and BCM [adapted from BCI (2005, p. 6)]

Source: Drennan and McConnell (2007)

BCM and Crisis Management

BCM has strong links with crisis management through the incident management component. In the BCM context, incidents come in different shapes and sizes and will typically invoke the BCM plan. Crisis management is often seen as the domain of communication and public relations (PR) practitioners with the BCM practitioner in a support role, if involved at all. Crisis management is also seen as responding to non-physical as well as physical events such as financial performance and reputation tarnishing incidents (BCI 2010).

Moreover, BCM considers any disruption holistically and determines how an organization will respond to the disruption, continue its activities and recover. BCM practitioners consider the media response to an incident or crisis to be an integral part of a full business continuity (BC) programme. BCM treats emergency planning, which is usually included in incident management, as the domain not only of police, fire, ambulance and local authority services, but also of the organization in general. A company that adopts BCM would have a specific emergency response team that coordinates with external emergency response agencies (BCI 2010).

Other relationships between BCM and crisis management were also mentioned by Elliott et al. (2002), where BCM provides principles that use a crisis management approach. A crisis management approach may be defined as one that:

  • Recognizes the social and technical characteristics of business interruption (organizations are socio-technical systems).
  • Emphasizes the contribution that managers may make to the resolution of interruptions (the importance of the human response element).
  • Assumes that managers may build resilience to business interruptions through processes and changes to operating norms and practices.
  • Assumes that organizations themselves play a major role in “incubating the potential failure” (early detection is vital).
  • Recognizes that, if managed properly, interruptions do not inevitably result in crises (the importance of preventative measures).
  • Acknowledges the impact, potential or realized, of interruptions upon a wide range of stakeholders (think beyond the impact on the organization itself) (Elliott et al. 2002).

Some studies have made a distinction between BCM and crisis management. BCM refers to the planning and implementation of systems and procedures to enable an organization to sustain normal operations in the event of a disaster or other potential interruption. It is the process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. Crisis management is viewed as a process by which an organization deals with major unexpected events that have already happened. Crisis management focuses on the immediate activities which need to be considered when the incident occurs. At most, the crisis management planning phase deals with the first couple of hours of the incident occurring, detailing who the key decision makers are, who will talk to the customers/clients/regulators and when this will be conducted (Smith 2003; Devlin 2007; Foster and Dye 2005). In addition, BCI (2007a) defined crisis management as the role that senior management have during an incident. It includes the high level command and control aspects of identifying a crisis situation, deciding how and when to respond, communicating both internally and externally, and leading and directing the recovery process.

BCM and Disaster Recovery

According to Elliott et al. (1999), the difference between disaster recovery and BCM is primarily based on scope. Disaster recovery focuses on technology-based problems triggered by external factors. BCM focuses more on adding value, creating an attitudinal change throughout the organization and considering its associated stakeholder groups. It is more concerned with the continuance of the whole business in the face of any unusual or unforeseen event. Moreover, disaster recovery is the implementation of a response capability to a specific type of event that impacts the continuity of the business. BCM is responsible for the overall identification of potential events, the likelihood of the occurrence of the event, and the predicted impact on the organization. BCM puts in place plans to deal with such occurrences. Disaster recovery is essentially a plan, with supporting infrastructure, which is enacted in the event of a disaster. In this way, disaster recovery is a subset of BCM, as is contingency planning, high availability planning, and the like (McCrackan 2005).

BCM and Business Resilience

BCM is a relative newcomer to the business disciplines; however, aspects of BCM may have always been present in organizations under different names. The vulnerabilities in the business and operating model of an organization can be considered in seven areas, which are reputation, supply chain, information and communication, sites and facilities, people, finance and customers. The nature of the BCM approach is to provide the framework to understand how value is created and maintained within an organization and to establish a direct relationship to the dependencies or vulnerabilities inherent in the delivery of that value. This approach is conducted in a holistic and cross-functional manner. A successful BCM implementation would increase an organization’s resilience, which is defined as the ability to absorb, respond to and recover from disruptions. This will eventually contribute to higher corporate performance (BCI 2010).

BCM as a Management System

BCM is a system that develops a framework of protocols and sets of procedures and instructions which give structure, order and stability to the particular function being managed. This is in line with the definition of a management system stated by Griffith (1999): a system that sets out and describes, for a particular management function, the organization’s policies, strategies, structures, resources and procedures used within the firm to manage the processes that deliver its products or services (Griffith 2011). Based on its theory development and main principles, it can be seen that BCM adopts several mainstream management theories.

In its implementation, BCM adopts the Plan-Do-Check-Act (PDCA) methodology for achieving continual improvement. The BCM policy, objectives, processes and procedures are planned, implemented, assessed, and reviewed regularly (SPRING 2008). PDCA is a key attribute within standards-based management systems that is widely used nowadays. It was established by Deming, who propounded the view of quality management within a cycle of plan-do-check-act. The theories underpinning quality management have influenced systems development and continue to form component parts of systems applications. Historically, quality management was developed from a range of traditional organizational theories such as scientific, human and classical schools of thought. These theories are also pertinent to the evolution, development and implementation of management systems (Griffith 2011).

BCM also adopts the view of complexity theory, where an organization consists of a number of components (agents) that interact with each other according to sets of rules that require them to examine and respond to each other’s behavior in order to improve their behavior (Stacey 1996). According to Griffith (2011), due to the extent and complexity of the arrangement of business activities, processes and resourcing, a management system in an organization should establish an effective framework of responsibilities at various organizational levels. Part of the BCM principles is the assignment of various responsibilities to BCM members.

Based on its definition, BCM is developed and implemented in a holistic approach. The holistic perspective has much in common with systems theory. This theory views the management system as a central part that directly supports the core business of the organization. Moreover, a management system is considered to focus not only on itself but also on the greater contribution that it can make to the organization (SPRING 2008; Griffith 2011; Checkland 1981).

According to Lawrence and Lorsch (1967), contingency theory suggests that organizational variables are in a complex interrelationship with one another, where environmental contingencies act as constraints and opportunities which influence the organization’s internal structures and processes. Moreover, decisions are made by considering all aspects and taking a situational approach (Olum 2004; Carlisle 1976). In BCM, this approach is adopted by implementing risk analysis and business impact analysis. The consideration of risk is viewed as a key element of the system (BCI 2010).

The BCM methodology has strong links with crisis management. Crisis management is often viewed as responding to non-physical as well as physical events such as financial performance and reputation tarnishing incidents. Furthermore, the domains of communication and public relations are important in crisis management. BCM considers any disruption holistically and determines how an organization will respond to the disruption, continue its activities and recover. BCM practitioners also view communication and response to the public as part of a full business continuity programme (BCI 2010).

Change management is also part of crisis management. Lawrence et al. (1976) stated that a visible crisis faced by an organization can be an important force for triggering behavioral change, although such change may have costs derived from it. Essentially, such a crisis has an unfreezing impact on the members of the organization, causing them to review and analyze their current attitudes and behavior patterns. Managing change in an organization should be conducted in orderly phases: diagnosing the problem, planning the change, launching the change, and following up on the change in the organization. These phases appear similar to the PDCA approach which is adopted by BCM (SPRING 2008; Lawrence et al. 1976).

In accordance with Griffith (2011), a general approach to planning, delivering and implementing any management system consists of the following key considerations, which BCM also provides:

  • The needs of the customer and other stakeholders.
  • The policies and objectives of the organization.
  • The organizational processes necessary to fulfill the policies and objectives.
  • The assignment of responsibilities to manage processes towards the objectives.
  • The provision of resources to attain the objectives.
  • The establishment of procedures and instructions to manage the processes.
  • The monitoring of processes to determine their efficiency and effectiveness.
  • The identification and elimination of non-conformities in the processes.
  • The encouragement of continual improvement in management of the processes.
  • The audit and review of systems to improve the overall management approach.
  • The feedback on performance to improve provision to customers through improved policies and objectives.

Furthermore, the highly influential factors to be considered in implementing a management system are as follows (Griffith 2011):

  • Organizational culture. Instilling a trusting and cooperative workforce is vital to embedding the system.
  • Involvement. Bottom-up involvement from grassroots level in system development is essential, as is inviting contribution and feedback to management.
  • Resources. Trained and capable managers, supervisors and workforce are essential and, as such, investments in training and system ownership should be a priority.
  • Flexibility. The system should be allowed considerable flexibility in performance upon system establishment, incrementally becoming more demanding as familiarity with its operation is developed.
  • Shared commitment. Management must develop a blame-free culture where learning and improvement are preferred to difficulty and blame.

These factors should be embedded in an organization for its BCM implementation effectiveness.

Main Principles of BCM

To implement BCM, each organization must identify the threats and assess their resulting impacts. BCM needs to address issues and concerns in six broad areas in the following order (SPRING 2008):

  • Risk analysis and review: The threats to an organization can be identified through a risk analysis and review of its internal operations and external operating environment.
  • Business Impact Analysis: The potential impact of these threats on an organization and its ability to continue business operations and service can be obtained by conducting a business impact analysis. This would include, where possible, the loss impact from both a number of days of business disruption and financial consequences.
  • Strategy: The organization determines the appropriate strategies to safeguard its interests. These strategies can be preventive or pre-emptive in nature.
  • Business Continuity Plan (BC Plan): A detailed business continuity plan should be formulated to indicate the resources and capabilities required of the organization to prepare, respond, and recover from potential threats.
  • Tests and exercises: An established BC plan shall be validated by implementing tests and exercises. These are done to highlight errors or omissions and verify if the resources committed are accessible, available and adequate for efficient and effective recovery. It also verifies whether the staff is familiar with recovery procedures, and whether the BC plan meets its recovery objectives.
  • Program management: The organization will demonstrate commitment in maintaining the currency of its plan through regular and systematic review of its risks and business impacts, regularly reviewing its BCM strategies and revalidating its BC plan. Program management serves to validate the capability of the BC plan to fulfill the plan’s objectives. Validation aims to uncover flaws in the plan design, for example any inaccuracies and incompleteness of the design of the plan.

There are four main components that must be considered in implementing BCM in an organization, which are (SPRING 2008):

  • Policies: Senior management must stipulate policies to guide BCM efforts by the staff. The policies should set out the organization’s aims, principles and approach specifying what is to be achieved or delivered, and will serve as the rationale and support for all BCM areas. In addition, policies provide the rationale for establishing the processes, people and infrastructure to support BCM on an ongoing basis.
  • Processes: The set of activities with defined outcomes, deliverables and evaluation criteria to attain the objectives of the BCM policies. They include formal change control and documentation processes.
  • People: Participation from various business units in the firm should be established to oversee BCM efforts and the skill sets of participants are crucial to the success of BCM. The roles and responsibilities of staff involved in the organization’s BCM efforts should be clearly defined.
  • Infrastructure: The organization should allocate resources to support critical business functions against potential risk events. This consistently requires a good understanding and application of available technology and equipment, and physical facilities to respond to risk occurrences.

Generally, BCM has four main processes which are developed in an organization. The processes are the initiation process (initiating the BCM concept in the firm), planning for business continuity [which produces a business continuity plan (BC Plan)], implementation (implementing the BC Plan through testing and exercising), and lastly the operational management process (maintaining and updating the BC Plan). These four processes can be divided more comprehensively into six phases which are (Pitt and Goyal 2004; Elliott et al. 2002; BCI 2010):

The fundamental critical activity required prior to the establishment of a BC Plan is obtaining senior management approval, support, and commitment. Having obtained management approval, the initial phase of the BC Plan will include establishment of the BC Plan objectives and requirements of the plan. A business continuity steering committee would normally be established. This committee is likely to be made up of senior staff within the organization who have the relevant strategic view of the firm’s operations. It is important that they also have nominated deputies who are suitably briefed and have an in-depth understanding of the BCP process.

The principal objectives of phase two relate to data gathering and review of alternative courses of action. The identification and evaluation of this information will then allow senior management to make decisions on the critical aspects of the core business. Having identified the risks, a business impact analysis should then be carried out. Karakasidis (1997) identified this as a key step in protecting an organization, and identified some of the minimum objectives as being:

  • Determine critical requirements and resources and the effects a disaster may have on the people, place, process, and premises.
  • Estimate anticipated target recovery time for each core business function and service.
  • Establish core business recovery priorities.
  • Identify key personnel, equipment, and facilities needed to support core functions.
  • Estimate costs of extended business disruption.
  • Identify resources required to develop, test, and implement BC Plan.

Essential issues to be addressed at this stage include detailed scope strategy and objectives of the plan, administration procedures, formation of business continuity committee and downstream business recovery teams, lines of communication, escalation notification and plan activation, scenario setting for plan execution, establishing BC Plan records, storage, access, and its budget.

This phase basically deals with the creation of the BC Plan. The key issues to be addressed include:

  • Emergency response procedures covering evacuation, decanting access to work areas, and access to documentation.
  • Emergency control center establishment, command and control procedures.
  • Detailed procedure for communications, delegation or designation of authority, and key stakeholders.
  • Detailed resumption, recovery, and restoration procedures.
  • External support, vendor contracts, contacts, and resources.

In order to establish the effectiveness of the BC Plan, it is essential to implement a regular testing and exercise program. The key activities to be established during the testing and exercising stage include preparation of the exercise program and objectives, the details of exercise scenarios and monitoring and recording procedures, and identification of training requirements, communication channels, and induction of new staff.

Having established the need for testing and the degree of probability that a substantial number of plans might fail following the testing exercise, it is essential that the lessons learned and shortfalls documented are incorporated into the plans. The key issues to be addressed during this phase include:

  • BC Plan review criteria and objectives
  • Schedules and program of review
  • Plan distribution and security

In responding to the changing environment of a business from time to time, the maintenance and updating process should be done on a regular and continuous basis.

Based on this review, it is considered that BCM has evolved from simple reactive disaster recovery planning, to crisis management principally driven by information technology, and finally to a more proactive comprehensive approach.

Business Continuity Planning (BCP)

The main process of BCM is Business Continuity Planning (BCP). BCP refers to the identification and protection of critical business processes and resources required to maintain an acceptable level of business, protection of such resources, and preparation of procedures to ensure the survival of the organization in times of business disruptions. Fundamentally, it seeks to mitigate the impact of a disaster by ensuring alternative mission-critical capability is available when disaster strikes. The process seeks to preserve the organization’s assets in the event of a disaster, which are its capability to achieve its mission, its operational capability, its reputation and image, its customer base and market share, and its profitability (Low et al. 2008; Hiles 2007). This is regarded as the main process due to its vital output for the firm in handling disruptions and overcoming crises. This planning process will be followed by regular monitoring and updates.

Before formulating the BCP framework, the following issues have to be considered thoroughly (Low et al. 2008a; O’Hehir 1999; Eternity Business Continuity Consultants 2007; Civil Contingencies Secretariat 2007):

  • Policy—formulating a policy statement at the managerial level to signify the company’s attitude towards a particular risk and prescribing the objectives of such a policy.
  • Methodology—analyzing the assessment processes involved in evaluating a crisis, and promoting greater commitment for the company to proceed with the plans.
  • Accountability—establishing individual accountability for managing the risk and ensuring that the nominated person has the appropriate technical expertise and authority to manage the risk.
  • Management support—determining the company’s current managerial attitude or process towards assessing and managing the risk, without which the company will not have the initiative to implement BCM in the organization.
  • Dependencies—defining the scope of the BCP clearly, so that every individual is aware of the dependencies involved, whether this is external or internal (key supplier, personnel, operating system, etc.) to successfully mitigate the specified crisis.
  • Being realistic—educating the management that a crisis brings about certain risks and to mitigate the effects, certain costs are involved. The management should be ready to accept certain risks and should be prepared to spend the necessary funds to mitigate the risks involved.
  • Future actions—determining the appropriate business processes to be implemented or to be refined, to reduce the risk to an acceptable level, and assigning responsibilities and milestones.
  • Performance measures—establishing measurement indicators to enable assessment, and monitoring the effectiveness of risk management which can be proactive or reactive. Proactive action is recommended to prevent occurrence.
  • Independent expert—appointing an internal or external, qualified, independent expert to determine the adequacy of the response to the crisis, such as through regular meetings, and reporting to higher management to signify the importance of BCM.
  • Contingency plan—establishing an alternate plan for the unforeseen circumstances not being provided for.

According to Vancoppenolle (1999) and Elliott et al. (2002), the following elements are included in the operational flow of a company’s operations: (1) Business processes (how the products and services are delivered to the client); (2) Participants (who the participants are, in the execution of the business process); and (3) Infrastructure and resources (what is used in the execution of the business process). These elements need to be reviewed when analyzing a crisis during BCP.

Furthermore, upon the occurrence of a crisis, many parties could be affected (Elliott, Swartz and Herbane 2002). It could be the company management or interest groups like investors, suppliers, etc., who have direct or indirect investments in the company. The occurrence of a crisis, if not appropriately mitigated, could lead to adverse consequences such as withdrawal of funds, which is an external factor. Even though investors are not directly involved in the company’s operations, they have an indirect influence on the growth of the company. Therefore, the requirements of the various stakeholders in the organization should also be considered, which include the following (Singapore Business Federation 2003):

  • The ways and means of the employees’ livelihood protection.
  • The defined time lines for the resumption of support and services and transparency of operations in a crisis, which relate to customers and suppliers.
  • The control of the situation, cost effective solutions to handle the impact of the crisis and the effects on business resumption, and transparency of operations by managers.
  • Good corporate governance, protection of the organization’s image, and sharing of the company’s profits, which are strongly linked to what investors will review about the company.

Hiles (2007) stated that the company’s BCP should not be driven by eliminating risks according only to their probability, but rather be based on the effects and impacts on the business if an unexpected event were to occur. Such classification according to effects could be:

  • Failure of an individual infrastructure element, including single points of failure.
  • Longer-term interruption of a critical information flow.
  • Longer-term interruption of a critical business activity chain or business process.
  • Local longer-term business interruption.
  • Complete business interruption.

These effects from an unexpected event may cascade into larger impact levels. Some examples of these effects are damages to infrastructure elements and resources supporting the business operations. The damage can result in impacts such as unavailability of infrastructure elements or resources or loss of information. Loss of information due to a disaster is not limited to data in computers. All of the information stored in binders, folders (with, for instance, customer information), contracts, property deeds, the archives, the legally required vital records, the paper client files, the business knowledge spread over the place, and others can be lost too.

Other than impacts on business operations, the long-term impacts of such crises or events may also arise, even after the business has been resumed and operations have returned to normal. The examples of long-term impacts are: loss of market share; lower share price; lower credit rating; loss of brand value; loss of company image, public confidence and credibility; and loss of key staff. Furthermore, the rippling effects of a business interruption should never be underestimated, particularly for companies that are an integral component of a wider supply chain. When a company participating in a supply chain is hit by a disaster, this could ripple down throughout the supply chain (Hiles 2007).

BCM Implementation

Nowadays, BCM is widely used in various types of firms. Firms in banking, telecommunication, oil and gas, and retail industries had developed a BCM concept in their management systems. BCM is developed based on their respective business strategies and activities. Due to the different business environments, the firms developed different procedures for overcoming different types of crises. Some of them had also focused not only on their business continuity, but the service continuity to their customers. This shows that they had developed the program based on the value mindset (Elliott et al. 2002).

Herbane et al. (2004) also found that BCM has evolved to encompass wider participants, threats, techniques and responses. It has been applied in the financial service industry, vehicle breakdown services, gas suppliers, water utilities, supermarkets, and local authorities. All of these organizations recognize that in the face of internal and external threats to the continuity of operations, a socio-technical approach (beyond IT disaster recovery) is essential to improve business recovery from crises. They also have linked BCM to strategically important dimensions of their operations.

When implementing BCM for the first time in an organization, project management practices should be adopted. The practices of project management that may usefully be employed include the identification of deliverables, timescales and deadlines, and budget and work effort control. Other knowledge in project management such as communications, risks, procurement and human resources management are also needed for establishing effective BCM components (Business Continuity Institute 2007a).

Legislation and Standards Relating to BCM

Elliott et al. (2010) elaborated that the earliest legal provisions to influence disaster recovery and business continuity (BC) ideas can be found in the 1977 Foreign Corrupt Practices Act, which is the US financial services sector’s provision. It is often cited as an important development in firms’ reorientation of the perceived threats and impacts. Since then, the US financial services industry has developed various regulations and legal requirements to impose greater requirements on BC provisions. Although the acts do not refer specifically to BC, they specify the importance of countering the increasing risk of external threats to digital resilience, which is one of the dependencies on BCM.

Moreover, the introduction of BCM-specific regulations in the financial services sector is not only applied in the US. The Australian Prudential Regulation Authority (APRA) Standard on BCM APS 222 (for deposit taking institutions) and GPS 222 (for general insurers) published in April 2005 (APRA 2005a, 2005b) requires Australian financial institutions to implement a whole of business approach to BCM. Elsewhere, the Reserve Bank of India (RBI) set out a requirement for Indian banks to fully implement BCP, presents a planning methodology, and further specifies a template for plan content. Banks are required to submit recovery time objectives for critical systems to RBI’s Department of Banking Supervision at the end of each financial year and to report major failures and response activities or prevention measures on a quarterly basis (Parthasarathi 2005; Elliott et al. 2010).

In several countries such as the United Kingdom (UK), the United States of America (US), Switzerland, Australia, New Zealand and Singapore, BCM had been developed into a national standard, where every firm from various sectors is encouraged to have this system in its organization (Elliott et al. 2010). In Singapore, the SS540:2008 standard has been formally used as the standard for implementing BCM in a firm. This Singapore Standard is applicable to all organizations regardless of their size. This standard emphasizes resilience and protection of critical assets, in the human, environmental, intangible and physical domains. It focuses on continuity management and recovery of critical business functions (SPRING 2008). Up to now, Singapore is the only country in Asia that has established a BCM standard, whereas other BCM standards came from Europe, North America, and Australia (Elliott et al. 2010).

In the UK, the Business Continuity Institute (BCI) has developed a certification standard for business continuity practitioners. Besides that, a BCM standard (BS25999:1-2006) as a Code of Practice for Business Continuity Management was also published by the British Standards Institution and can be viewed as an implementation guide and a definitive text for those intending to understand BCM principles and practices in a more comprehensive manner (Business Continuity Institute 2007a). Moreover, the American Chapter of the Business Continuity Institute (BCI) and BSI America have joined forces to help businesses better prepare for disasters by encouraging the adoption of BS 25999 (Business Continuity Institute 2009). This standard is also in line with US’s national standard for business continuity, which is NFPA 1600:2007 (National Fire Protection Association 2007).

Furthermore, ISO has officially launched ISO 22301, “Societal security—Business continuity management systems—Requirements”, the new international standard for Business Continuity Management System (BCMS). ISO 22301 was developed in 2012 to help organizations minimize the risk of business disruptions (St-Germain et al. 2012). This standard is similar to the previous BCM standards, but it has some improvements for BCM implementation such as (St-Germain et al. 2012; SPRING 2012):

  • Greater emphasis on setting the objectives, monitoring performance and metrics;
  • Clearer expectations on management; and
  • More careful planning for and preparing the resources needed for ensuring business continuity.

According to Goh (2010) and St-Germain et al. (2012), the standards from various countries have similar contents. The differences are in how the standards develop the detailed components in the BCM planning process. In general, each standard has the same BCM planning methodology, which consists of: Risk analysis and review; Business impact analysis (BIA); Recovery strategy; BC plan development; Testing and exercising; and Programme management (some standards incorporate project management in this phase). All of the above standards have common objectives, which are to guide the users to recover from any disasters that have occurred in their business environment and still continuously focus on the continuity of their business processes. Furthermore, the standards also help the users to identify the potential impacts of various disruptions to the firm and to prioritize their efforts in aiming to achieve resilience. Table 3.2 illustrates the main aspects of the BCM concept, grouped into six categories. These aspects are summarized from various standards.

The main aspects of BCM principles

Sources: Adapted from SS540:2008 (SPRING 2008), NFPA1600:2007 (National Fire Protection Association 2007), BS25999:2006 (BSI 2006), ANZ5050:2009 (Standards Australia 2009; Elliott et al. 2010), SS ISO 22301: 2012 (SPRING 2012)

BCM Level of Preparedness

Regarding implementing BCM in an organization, several agencies from various countries had developed assessment levels of BCM preparedness. These levels are useful to assess whether an organization has adopted a complete BCM concept or not. From understanding the position of the company within these levels, the organization gains feedback from its current BCM preparedness level and may increase its effort for a better BCM maturity level.

Levels of preparedness assessments have been proven to be an effective evaluation method (Scott 2007). In general, this type of assessment can help the organization to verify what they have achieved relative to the topic assessed. The organization’s current achievement can also be determined by describing their current activities. In addition, it can assist the organization in prioritizing the necessary improvement based on their assessment results (Peng et al. 2011; Stevanovic 2011).

The Ministry of Finance in British Columbia, Canada (MOF-BC 2007), had developed the BCM maturity assessment for every financial agency in the province. There are three levels of criteria involved, which are:

  • High maturity. This level demonstrated strong executive support for BCM, the establishment of an organization-wide structure supporting the activity, and staff responsible for BCM had a strong awareness of and compliance with core policy requirements, guidelines and procedures for BCP. BC plans for mission critical processes and business priority areas were developed and updated, and testing/exercising was ongoing, with results used to make changes. Monitoring and reporting processes were effective and efficient, and pandemic planning had been undertaken.
  • Moderate maturity. This level demonstrated strong executive support and a level of coordination within the organization to ensure progress is made towards BCM objectives, although roles and responsibilities may not be adequately defined to ensure all recovery staff were clear on their expectations in a business interruption. Compliance with core policy was low, and BC plans for mission critical processes and business priority areas were either under construction or in need of updating. Monitoring and reporting processes were largely ad hoc and pandemic planning may have been in the commencement phase.
  • Low maturity. This is the lowest level of preparedness, where typically the organization had a lower level of executive support and BCM may not have been considered a high priority. These organizations exhibited a low level of awareness of policies and guidelines and of roles and responsibilities. Compliance with core policy was also low, and BC plans were either not developed or in need of significant updating. Pandemic planning may have been initiated, although activities to date were limited to those driven by existing OHS committees.

The Australian National Audit Office (2009) had also developed characteristics of better BCM preparedness for public sector entities. There are two levels, which are (1) Basic level, that is generally found in small, non-complex or less time-critical entities and (2) Mature level which is found in large, complex, geographically dispersed or critical entities. The characteristics that are described and assessed in each level are:

  • A BCM framework is in place.
  • Training and awareness of BC has been conducted.
  • A risk assessment has been conducted.
  • A BIA has been conducted.
  • Preparatory controls have been implemented.
  • The entity has documented, and the executive has endorsed, its BC plans and framework.
  • BC testing and exercises have been conducted.
  • The entity monitors BC.

Also in Australia, Lansley and McAtee (2009) had established a six-level BCM preparedness model for companies, which are:

  • Level 1—Self-governed: BCM has not yet been recognized as strategically important by senior management.
  • Level 2—Supported self-governed: At least one business unit (BU) or corporate function has recognized the strategic importance of BC and has begun efforts to increase executive and enterprise-wide awareness.
  • Level 3—Centrally-governed: Participating BUs and departments have instituted a basic governance program, mandating at least limited compliance to standardized BCM policy, practices and processes to which they have commonly agreed.
  • Level 4—Enterprise awakening: All critical business functions (CBFs) have been identified and continuity plans for their protection have been developed across the enterprise.
  • Level 5—Planned growth: BC plans and tests incorporate multi-departmental considerations of critical enterprise business processes.
  • Level 6—Synergistic: All BUs have a high degree of BCP competency. Complex business protection strategies are formulated and tested successfully.

Smit (2005) had studied and defined another BCM maturity model that can be applied to organizations. According to the study, there are six levels of BCM maturity, described as follows:

  • BCM initiated. An organization has initiated BCM if there is formal management commitment to the organization of BCM. The responsibility for BCM is covered at a sufficiently high level within the organization and an explicit BCM policy is in effect. The deliverable of the initiated stage is BCM as an initiative.
  • BCM planned. An organization reaches the stage planned if it has performed all necessary analyses and has written all relevant plans. Therefore, this stage is characterized by a BC analysis and a BC plan. The deliverable of the planned stage is BCM as a blueprint.
  • BCM implemented. Implemented stage is reached as soon as not only the measures to assure BC are planned, but also realized. This means BCM facilities have to be realized, services have been contracted and BCM tasks have to be assigned to the right people. The deliverable of the implemented stage is BCM as an implemented project.
  • BCM embedded. On the first three stages, BCM is a project. As soon as an organization reaches the embedded stage, BCM has turned into a process instead of a project. This stage is reached as soon as a maintenance process is designed; hence a maintenance plan is developed, the plan is known and available within the organization and there is awareness regarding the importance of BCM within the organization. The deliverable of the embedded state is BCM as a process.
  • BCM controlled. At the stage of BCM embedded, an organization has developed a maintenance plan and probably formulated some BCM exercises and tests. In the next stage, BCM controlled, this maintenance process is also executed as it should be and exercises are done as planned. In addition to that, the existing BCM is audited and controlled. The deliverable of the controlled stage is BCM as business as usual. If an organization has reached stage 5, it controls its existing BCM. For some organizations, a BCM process that is controlled is sufficient. However, other organizations will strive for stage 6.
  • BCM optimized. If an organization has optimized its BCM, it can use its BCM as a strategic instrument, for example to gain a commercial advantage or strive for operational excellence as a business strategy. For this, a strategic approach of BCM is a requisite. Furthermore, the organization should strive for continuous improvement of their BCM and the deliverable of the optimized stage is BCM as a strategic instrument.

Furthermore, another BCM preparedness level model has been developed by a risk consulting firm in Canada (Marsh Risk Consulting 2010). The level of preparedness with its label, an overview of the preparedness level description, and the organization’s ability to respond can be seen in Table 3.3.

Marsh BCM preparedness level

Source: Marsh Risk Consulting (2010)

Last but not least, the Singapore Business Federation (2011) provided a BCM preparedness assessment, based on the company’s level of understanding about business continuity. Red level shows that the organization has a minimal understanding of BC, whereas Yellow level shows the organization has a basic understanding of BC, and finally Green level describes the organization as having an advanced understanding of BC. The assessment is conducted through rating the firm’s understanding and preparedness towards risk analysis and review, BIA, strategy development, BC plan development, tests and exercises, and programme management.

According to a study from New York University (2006), most businesses, particularly small and medium sized ones, lack formal BCM programs. Only one-quarter of the companies surveyed have formal, written continuity plans. Moreover, only four of those companies provided BCM training to their employees. These four companies had prepared the concept within their organization due to regulatory forces, which are risks to employees and business operations, legal liability, and insurance requirements. From this study, it is recommended that an organization should analyze its own case for BCM preparedness and invest accordingly.

Reviews of BC Plan

Various sectors have developed their BC plans based on the functions of their business and impacts that may occur from certain crises. There are general principles that can be gained from these plans that may provide insights on developing a BC plan.

BC Plan from Financial Services Sector

As mentioned before, the financial services sector is the pioneer of developing and implementing BCM. In general, the main principles that are established in their BCM policy are as follows (Monetary Authority of Singapore (MAS) 2003; Bank Van De Nederlandse Antillen (Central Bank) 2010):

The responsibility for the state of BC preparedness of an institution lies with the Board of Directors and senior management. Senior management is responsible for steering BCM with policies and strategies necessary for the continuation of CBFs. In addition, they should demonstrate that they have sufficient awareness of the risks, mitigating measures and state of readiness by way of a confirmation to the Board of Directors.

Depending on the scale and complexity of the businesses, institutions could adopt sound BCM practices that include the following components:

  • Clear BCM policy, strategy and budget.
  • Well-defined roles and responsibilities for the BCM programme.
  • BC plan comprising detailed tasks and activities.
  • Succession plans for critical staff and senior management.
  • BIA or similar process.
  • Programme for the development, implementation, testing and maintenance of BC plan.
  • Programmes for training and awareness.
  • Emergency responses.
  • External communications and crisis management coordination programmes.
  • Coordination with external parties (including authorities, interdependent parties, etc.).

It is essential to regularly test its functionality and effectiveness. Tests will also familiarize staff with the location of the recovery site, as well as the recovery procedures. Senior management and staff should participate in these exercises and be familiar with their roles and responsibilities in the event of activation. Exercises may include:

  • Desk-top-walk-through exercise to full system test.
  • Staff call-tree activation (with and without mobilization).
  • Back-up site to back-up site exercise (including with external service providers).
  • Alternative arrangements of shared services.
  • Back-up tape restoration.
  • Retrieval of vital records.

The establishment of recovery strategies enables institutions to execute their BC plan in an orderly and predefined manner that minimizes disruption and financial loss. Recovery strategies form the basis for defining recovery time objectives of CBFs. Without these clear markers, scarce resources may be inappropriately diverted to less important activities. This may adversely affect the institutions’ reputation and survivability. Recovery time objectives may range from minutes to hours. The transparency and sharing of recovery time objectives would help improve service level expectations and understanding among institutions and further contribute towards the mitigation of interdependency risk.

When planning for the BC of CBFs, institutions should take into account the interdependencies of these business functions, and the extent to which they depend on other parties. Institutions should also understand the business processes of these parties that support their critical functions, including their BC preparedness and recovery priorities.

These financial services look to institutions to demonstrate that they have planned and catered for a wide-area disruption in their BCM. Some planning parameters that institutions may consider include the geographical concentration of institutions, transactional processing activities and dependencies on internal or external service providers. Institutions are responsible for deciding on the need to cater for multiple zones outage scenarios, taking into consideration their respective levels of critical business activities and prudent risk management policies. In addition, they should also consider broadening and deepening their BCM scope to cater for prolonged operational disruptions.

Critical staff and information are important assets that are difficult to replace quickly. Many institutions assume that the same pool of staff would be available to recover their CBFs at the recovery sites. This may not always be true as disruptions may result in the unavailability of critical staff. Also, identifying alternates to critical staff may not always reduce the risk, especially if both the primary and alternate critical staff are housed in the same location or zone. It is important, therefore, to find the right balance between mitigating concentration risk and not losing the efficiencies gained from the centralization of business processes and critical staff.

BC Plan from Education Institutions: A Case Study

On April 16, 2007, Virginia Polytechnic Institute and State University (Virginia Tech) experienced one of the most horrific events in American university history. A double homicide had occurred, followed by a mass shooting that left 32 students and faculty killed, with many others injured, and many more scarred psychologically. Families of the slain and injured as well as the university community have suffered terribly from this event. One of the main recommendations from the tragedy is to update and improve the university’s emergency response plan. It is recommended that the plan should be more systematic, including conducting risk analysis (threat assessment) in advance and choosing a level of security appropriate for the campus. Along with that, the university should update and enhance the plan, and students, faculty and staff should also be trained annually about responding to various emergencies (Tridata Division 2009; Flynn and Heitzmann 2008).

In 2010, the school had developed a comprehensive emergency response and continuity plan. The brief description of the plan is as follows (Virginia Polytechnic Institute and State University 2010):

The plan outlines procedures for managing major emergencies that may threaten the health and safety of the campus community or disrupt business operations on the local campus. It identifies individuals and departments that have a direct or supporting role in emergency response, and it provides a management structure for coordinating and deploying university resources to handle the event.

This plan consists of the basic plan, the appendices, and the emergency support function and incident annexes. The basic plan provides an overview of the university’s approach to emergency response and operations. It explains the policies, organization and tasks that would be involved with the response to an emergency. The annexes and appendices give definition to the terms and acronyms used throughout the basic plan, and are the location for any supporting figures, maps and forms. The emergency support function appendices focus on detailing the specific responsibilities, tasks and operational actions to complete a specific emergency operations function, while the incident annexes focus on any additional special planning or response needs beyond the basic response plan for particular event scenarios.

This plan applies to all of the university’s students, facilities, staff and visitors. The surrounding community in addition to the campus may be impacted by major emergencies, and if this happens, the university will further cooperate with local, state, and federal officials in their delivery of emergency services. Categories of emergencies or hazards that are most likely to impact the university are identified through risk assessment with significance ranking.

The plan’s response priorities are (1) to protect life safety; (2) to secure critical infrastructure and facilities (in priority order: buildings used by dependent population; buildings critical to health and safety; facilities that sustain the emergency response; classroom and research buildings; administrative buildings); (3) to resume teaching and research programs.

The university response to a disaster or emergency will generally involve the following phases:

  • Planning and mitigation. The process of evaluating exposures and developing or refining response plans that will assure an orderly and effective response to an emergency, and for identifying and mitigating areas of vulnerability.
  • Response. The reaction(s) to an incident or emergency in order to assess the level of containment and control activities that may be necessary.
  • Resumption. The process of planning for and/or implementing the resumption of critical business operations immediately following an interruption or disaster. During this phase, more in-depth forecasts of the impact will be available, and university-wide priorities for program resumption will be determined.
  • Recovery/restoration. The process of planning for and/or implementing recovery of non-critical business processes and functions after critical business process functions have been resumed, and for implementing projects/operations that will allow the university to return to a normal service level.

The university provides an Emergency Notification System (ENS) which is intended to rapidly circulate emergency information on an incident, and give instructions to the campus population.

The university’s emergency response and continuity plan had been coordinated with the town’s agencies, local government and organizations. The functional groups in delivering the response and continuity process are:

  • The policy group, which is composed of lead administrators. It establishes policies and procedures as needed to support emergency operations, and determines business recovery and resumption priorities.
  • The Emergency Response Resource Group (ERRG) directs resources in support of emergency response operations, assures the continuity of critical business functions, and implements business recovery and resumption activities. The ERRG convenes at the Emergency Operations Center (EOC).
  • Satellite Operations Centers (SOCs), located in the administrative headquarters. Deans, Vice Presidents and Vice Provosts gather emergency impact data from their constituent departments, account for their personnel, transmit reports to the EOC, disseminate emergency instructions to constituents, and develop and implement business continuity, resumption and recovery plans.

In addition to these groups, there are also essential roles who will direct these groups, supported by essential personnel.

Even when emergency response activities are nearing completion, business recovery activities may continue for weeks or months after the event. Business recovery activities include reestablishing complete services and functions following a major incident and recovering extraordinary costs caused by the event. Furthermore, recovery priorities should be established as follows:

  • Immediate recovery (true continuity) is essential;
  • Recovery required within 24 hours;
  • Recovery required between 24 and 72 hours;
  • Recovery not required within 72 hours.

Trained and knowledgeable personnel are essential for the prompt and proper execution of the plan. All personnel will be provided with the necessary training to execute those responsibilities in an effective and responsible manner. Training on university-level emergency response roles and the incident command system will generally be coordinated by the Director of Emergency Management.

Exercises will be conducted as needed which allow all persons involved in emergency response to practice their roles and to better understand emergency operations and their responsibilities under emergency conditions. University-wide exercises will be held at least once per year, and will consist of tabletop, practical and full-scale staged events as deemed appropriate.

BC Plan for Influenza Pandemic: A Review

A pandemic is an epidemic or outbreak of infectious disease that spreads through populations across a large region; for instance a continent, or even worldwide. A flu pandemic could occur when a new flu virus emerges and starts spreading as easily as normal seasonal flu. As the virus is new, the human immune system will have no pre-existing immunity. This makes it easier for people to contract the new flu and experience more serious symptoms than those caused by normal seasonal flu. Current viruses that had spread across a large region (particularly in Asia) are the influenza A (H1N1), the SARS incident in 2003, and the avian flu (H5N1) (SPRING 2009).

According to some studies, no one could predict when a flu pandemic will occur. When it does occur, the impacts may be felt in various ways. Regarding its possible general impact, public gatherings may be discouraged, people with flu-like symptoms may not be allowed in public places, public transport may be disrupted and regular updates and clarifications may be necessary. As for the business impact, supplies may be disrupted, the number of customers may drop, the use of electronic communications is likely to increase, which may lead to overloaded communication systems, and some staff in any organization may be absent from work (SPRING 2009).

Based on these likely impacts, companies are encouraged to ensure their businesses remain viable in the event of an outbreak. BCP should be developed with further considerations on how to operate their business with minimal face to face contact between staff, between staff and customers, and with suppliers; how to operate business effectively with key members of staff being absent from work; and how to operate if supply chains are disrupted. Moreover, the key risks to the company that need to be addressed in BCP are (SPRING 2009):

  • Processes and business functions (e.g. production, sales and marketing, etc.)
  • Business infrastructure (e.g. offices, shops, factories, equipment, etc.)
  • Stakeholders (shareholders, suppliers, customers, etc.)
  • Communications, both internal and external

The Singapore government had proactively taken an approach to overcome this crisis through initiatives such as the Flu Pandemic Guide for small and medium-sized enterprises (SMEs) in 2006. The BC guideline developed by a Singapore standards agency provides these contents particularly for handling flu pandemic (Low et al. 2010a; Singapore Business Federation 2006; SPRING 2009):

Annex section

This section describes:

  • Information about personal hygiene awareness, as an example: correct hand washing procedures; basic information on sanitization such as disinfectants, recommended use and their precautions.
  • Contact list of key customers, key suppliers/vendor/contractors and others.
  • Contact list of key personnel and key organizations for information and assistance on flu pandemic.
  • Description about roles and responsibilities of the Flu Manager.
  • Procedures upon detection of visitors and staff who are unwell. These include procedures of (1) Visitor detection and isolation; (2) Staff unwell at workplace; (3) Staff unwell outside workplace and (4) Contact tracing.
  • Forms such as temperature screening, notification form (for suspected flu case at work), and body temperature monitoring log.

BC Plan for Flu Pandemic Contents

  • Green—isolated overseas or local cases of animal-to-human transmission. Threat of human-to-human infection remains low.
  • Yellow—slight human-to-human transmission. A small risk of it being imported here, but has not resulted in sustained spread.
  • Orange—evolves into human disease. WHO confirms several outbreaks in one country, spreading to other countries. Deaths are expected. Local confirmation of new cases and evidence of more than one transmission has occurred.
  • Red—widespread infection. Increase in deaths has occurred. Healthcare system likely to be overwhelmed and essential services are added to ensure full operational capacity.
  • Black—high death rates reported. Economic activities are severely disrupted, as panic sweeps through the community.
  • Green—to set up a team to oversee BCP.
  • Yellow—appoint a Flu manager.
  • Action plans are written for every alert level.

The Need for BCM

According to a survey on trends in business continuity, it was found that BCM has become mandatory to maintain customer confidence and a competitive edge. The threat of interruption and the need to respond promptly has manifested itself, where a vast increase in regulatory requirements and a mandate from customers for BC plan development has occurred. Organizations are expected to manage the BC process more collaboratively, be driven to complete their BC plans and include it in Requests for Proposals (RFP) and Requests for Information (RFI) (BUCORIM 2008).

There are several sources of external influence that are encouraging an increased focus on business continuity. According to respondents questioned for a report conducted by the Economist Intelligence Unit (EIU 2007), customers are the stakeholder that is viewed as most important in driving decisions about business continuity, with 59% citing them as a significant influence. Moreover, in the supply chain relationships that are getting complex and more dependent, customers will most likely ask about a detailed scope of BC plan, whether the supplier has it in place and would request evidence of compliance with particular policies.

In addition to customers, pressure from regulators is also becoming more distinct. Regulators are viewed as the second most important external influence over decisions about BC, with 58% seeing them as significant in the regard. This figure rises to 72% from respondents who are in the financial services sector (EIU 2007).

Benefits of BCM

The previous section of this chapter described the relationships between BCM and other concepts. Table 3.4 summarizes the distinction between these concepts based on their main focus and key methods.

BCM distinction with other related concepts

Sources: Collier (2009), Drennan and McConnell (2007), BCI (2007a), Foster and Dye (2005), Devlin (2007), Smith (2003), Elliott (1999), McCrackan (2005)

Whilst BCM is able to help firms to have a response for major disruptions that may threaten their business activities, the Business Continuity Institute (2007a) found that there are other benefits that can be gained by embracing BCM as a management discipline in an organization. Firstly, BCM will help address some key risks in the firm and help them achieve compliance. Secondly, BCM can be used as a competitive advantage to gain new customers and to improve margins by using it as a demonstration of “customer care”. Thirdly, a thorough review of the business through Business Impact Analysis (BIA) can highlight business inefficiencies and focus on priorities that would not otherwise have come to light. And last but not least, firms providing services or goods recognize that keeping customers through a more reliable service is cheaper than tempting back the deserters after an interruption. Other studies have also found various benefits of implementing BCM in an organization. Table 3.5 shows the BCM benefits from various studies. In addition, the table shows that BCM’s main focus and key method of conducting Business Impact Analysis plays an important role and provides positive implication for an organization that implements BCM.

BCM benefits

Challenges in BCM

Although BCM is considered necessary for organizations, its implementation faces several challenges. Robinson (2009) viewed the recent economic recession as a challenge in implementing BCM. Recession has delayed or reduced BCM uptake, with top management viewing it as discretionary spending. Moreover, only a minority will recognize that recession increases the need for BCM, with cutbacks reducing operational resilience and scarce liquidity eroding financial tolerance. Nonetheless, when a senior management team still has a strong commitment to sustaining its business resilience and perceives the recession-BCM link as strong enough, these can be strong contributory factors in maintaining its BCM. Moreover, Molinier (2009) opined that these economic conditions should be viewed as an opportunity to demonstrate how companies can provide resilience whilst streamlining processes and adopting a cost-benefit approach that demonstrably supports business objectives.

According to Continuity Central’s survey of BC professionals (Continuity Central 2011), the biggest challenge in implementing BCM was a lack of resources for the implementation. The second biggest challenge was the difficulty of obtaining senior management support and input. Thirdly, getting the wider organization to buy in to BC and to provide support to the process was another challenge that needs to be considered. Following these top three challenges, other reasons are: organizational cutbacks and changes; technology issues; testing and exercising issues; compliance, regulations and auditing; and culture change. These findings provide important feedback to those who have implemented BCM and those who are in the phase of initiating it.

This chapter provided a review of BCM, from its historical development, its relationships with other concepts, and its main principles and methodology, to its implementation in various sectors, which shows the need for the concept in an organization.

As an act of anticipating incidents that will affect mission-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner, BCM has evolved from a technology-based disaster recovery approach to a value-based drive for business resilience. It is also viewed as a unifying process that includes various concepts for overcoming crises.

BCM is considered a management system that, similar to other management systems, needs influential factors such as organizational culture, involvement, resources, flexibility and shared commitments for its effectiveness. Moreover, these approaches are embedded in its main principles and methodology.

Currently, BCM is widely adopted in various firms from various sectors. Regulations and international standards have been developed for this concept and methods in assessing the level of BCM preparedness have also been established. The need for BCM is currently supported by various drivers and although there are some challenges in implementing the concept, the benefits of BCM are worth mentioning.


Building blocks

Introduction to Business Continuity

Start here if you're new to business continuity.

What is Business Continuity?

BCM Lifecycle

Flood. Cyber attack. Supply chain failure or losing a key employee. Disruptions to your business can happen at any moment.

Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible.

Whether it’s a business, public sector organization, or charity, you need to know how you can keep going under any circumstances.

Potential incidents to consider

  •  Supply chain failure - You don't have access to materials, goods or services
  •  Utilities outage - You don't have access to electricity, water or internet
  •  Cyber incident - You have suffered a cyber attack and your website is down

These are just some of the many incidents an organization needs to consider and plan for.

Make a plan

A good BC plan recognises potential threats to an organization and analyses what impact they may have on day-to-day operations.

It also provides a way to mitigate these threats, putting in place a framework which allows key functions of the business to continue even if the worst happens.

Example: Do not rely on one supplier of raw materials. What if that supplier goes out of business? If you purchase raw materials from two suppliers, then you are potentially halving your risk.

The BCI has designed a short, self-paced eLearning course that will help you understand the importance of business continuity and get you starting to think about the incidents that might impact your own organization and what you can do to mitigate them. This short course takes up to 30 minutes to complete.

Business Continuity Basics course

The BCI has many other free resources available to enhance your understanding of business continuity, see a few below to start ...

View free webinar to understand the basics of business continuity.

This webinar takes you through the basic business continuity concepts and quick wins on where to start (aimed at SMEs).


What threats do organizations face?

The BCI Horizon Scan report identifies threats organizations should be aware of. Free to download.


Download the BCI Good Practice Guidelines Lite

The BCI Good Practice Guidelines (GPG) Lite gives you a brief introduction to the Business Continuity Management Lifecycle and the stages included. It will help you put a plan together and give you insight into what is included in the full edition of the GPG and the content of the CBCI Certification course.

https://www.thebci.org/resource/good-practice-guidelines--gpg--lite-edition-7-0.html


Business Continuity Management (BCM) Explained

Lauren Hansen

Business continuity management (BCM) is essential for business resilience. It’s part of a company’s broader plan for handling internal or external changes that disrupt or halt a business. 


What is business continuity management (BCM)?

Business continuity management is the set of proactive measures that a company takes in order to avoid loss as a result of major events that negatively impact a business. Such events include hostile mergers or acquisitions, change in leadership, natural disasters, ransomware attacks, data breaches, and other changes that impact company data and assets.

Key areas to safeguard in BCM include but are not limited to:

  • Human resources
  • Hardware and software
  • Products, both physical and intellectual property 

BCM entails several closely related activities. Some examples include disaster recovery, emergency management, incident management, and contingency planning. To maximize preparedness and resilience, some businesses purchase business interruption insurance (BII) after drafting a business impact analysis (BIA) to estimate losses for various scenarios.

In spite of doing all the right things, like applying patches to software, implementing a zero-trust policy, training employees, and other proactive security measures, a company can never completely shield itself against natural or malicious events. When an attack occurs, companies ideally have an up-to-date incident response plan (IRP) at the ready.

A company prepares for and handles the inevitable event that shakes up one or more aspects of the company’s operations, but then what? A business continuity plan rounds out disaster planning with a focus on recovery and resilience.

For more on how current work models impact IT security, also read: Work-From-Anywhere Requires More Resilient IT

Benefits of BCM

There are many benefits to implementing BCM that make it well worth the investment. 

Reduce downtime and cost

With an effective business continuity plan in place, your business quickly snaps back into normal operations. Reduced downtime feeds into fewer losses not only in terms of revenue but also customers and employees. BCM decreases the likelihood of your business coming to a grinding halt or, worse, closing. 

The quicker your company gets back up and running, the fewer losses it suffers as a result. Implementing business continuity also safeguards your organization from becoming ensnared in litigation for negligence and potentially paying hefty fines. 

Improve reputation 

Successfully navigating a detrimental situation by protecting customer, partner, employee, and vendor data wins over the trust of parties involved. BCM puts stakeholders at ease that their data, assets, and investments are in good hands.

Gain insights

When incidents occur, they present valuable learning opportunities. Your company has the benefit of wisdom to further improve its response measures. You’ll also have a better idea of what to expect in the event of an attack on or disruption to the company’s operations.

A business continuity plan is not a one-off task. It requires continuous revision as threats and your business evolve. As your business grows and changes over time, you’ll need regular updates to your plan.

BCM use case examples

BCM is more of a priority in some industries than in others. 

Financial institutions hold a lot of sensitive information about consumer and business financials, credit information, and more. Therefore, businesses within this industry are subject to multiple governing bodies. 

For example, the Federal Financial Institutions Examination Council (FFIEC) enforces a set of standards that US financial institutions must adhere to. One set of standards for them to follow pertains to cybersecurity awareness and ensures institutions identify, assess, and mitigate cybersecurity risks to their businesses and their third-party service providers.

HIPAA requires companies in the healthcare sector to protect patient privacy, data, and records. For example, HIPAA’s Security Rule declared national standards that insurance companies, medical providers, etc. must abide by to protect patient health information. This means that they need appropriate administrative, physical and technical safeguards to protect patient data. 

SaaS and the supply chain

Companies frequently vet third-party SaaS vendors, requiring a business continuity plan in order to conduct business with them. A company will want to know what preventative measures that SaaS company takes. That way, if something goes wrong, the SaaS company will have a plan to minimize down-chain disruptions. 

Read more at IT Business Edge: How to Prevent Third-Party Vulnerabilities 

Pro tips for BCM

  • Brainstorm and note as many potential, realistic scenarios as possible
  • Have a plan and back-up plans for each scenario
  • Each plan within BCM needs objectives and policies that align with those objectives
  • Measure the performance of each scenario-plan within the broader business continuity plan
  • Continuously evaluate and, if needed, revise parts of your business continuity plan
  • Invest in business continuity software to help manage and update the business continuity plans 

Not a matter of “if” but “when”: Is your business ready?

Could your company, in its current state, cope with a formidable event? Could it resume operations without missing a beat, perhaps emerge even stronger? 

The effort and foresight that you put into business continuity management will be a key factor in determining how quickly your business bounces back from a setback. 

Read next: How to Create a Business Continuity Plan


Business Continuity Framework: Protect Your Organization

Does your organization have a resilient BC Framework?

In the wake of the recent unforeseen global pandemic, organizations have become more aware of the impact that many unforeseen disruptive events such as natural disasters, cyber-attacks, pandemics, and civil disturbances have on critical operational functioning. As the threat landscape continues to evolve, organizations must demonstrate not only business and operational resiliency but also the ability to adapt quickly to dynamic events that can stress existing plans.

It is vital for organizations to build and maintain a structured Business Continuity (BC) Framework to ensure operational resilience, which includes three basic elements. The framework begins with a comprehensive Threat and Risk Assessment that considers potential threats from a 360° perspective. Fully cataloging risks is crucial to planning how your business can react during a crisis. Next, it is important to conduct a comprehensive Business Impact Analysis (BIA) that identifies all critical business processes, systems, and interdependencies across the enterprise. Finally, as part of a thorough business continuity planning process, custom-tailored recovery strategies must be thoughtfully developed, deployed, and tested to guarantee continuity when a disruption materializes.

BC Framework

Business Continuity Management (“BCM”) groups must implement and maintain a documented framework for Business Units (“BU”) to evaluate their business processes in terms of Business Continuity risks and planning requirements. This framework requires BUs to identify and assess disruptive business risks and the impacts of those risks to the organization, its clients, and potentially the industry. When documenting the BC Framework, the following components must be considered and evidenced:

  • Business Continuity Threat and Risk Assessment
  • Business Impact Analysis
  • Recovery Strategies to manage disruptive events

Business Continuity Threat and Risk Assessments provide the basis for BUs to determine vulnerabilities of their critical business processes to different drivers of disruptions (“Threats”). Common impacts as the result of an event include the premises being inaccessible, regional power outage, unavailability of personnel, loss of supplier, and technology failure. The types of threats include:

  • Geopolitical - The impact of international political behavior through geographic variables.
  • Security - Security risks including cybersecurity.
  • Environmental - Weather events and other naturally occurring disruptions.
  • Local Infrastructure - Stability and availability of local utilities and other supplies.
  • Emerging Risks and Technologies - Newly developing or changing risks or technologies that could have a major impact on an organization's industry.

To help safeguard from disruptions, a Threat Analysis is performed to assess and assign risk likelihood and to estimate impacts and costs. Results are often graphed in a Threat Analysis Matrix displayed in a simplified form below:


Particular emphasis should be given to low probability, high impact, catastrophic events (Black Swan), and predictable, low impact events (Routine).

A BIA is an assessment and prioritization of business functions and processes in a BC Plan that identifies the potential impact of business disruptions arising from a disruptive event. It should be documented in the BC Framework to support business-critical processes and include the following steps and considerations:

  • Process Taxonomy that identifies and analyzes mission critical processes, systems, equipment, and records.
  • Interviews with key personnel in each BU.
  • Development of an Enterprise or BU wide analysis to ensure interconnectivity and consistency throughout the organization.
  • Estimate of disruptions to processes, downtimes, and associated costs.
  • Consideration of industry-wide impacts on suppliers and customers as well as regulatory requirements.
  • Prioritization (tiering) of critical processes, roles, and systems.


Recovery Strategies to Manage Disruptive Events

The BC Framework should include approved recovery strategies, developed as part of a BC Plan, that the organization and BUs use to mitigate the impacts of a disruptive event. Recovery strategies selected must be consistent with the outcome of the BC Plan, Threat and Risk Assessment, and BIAs. The BCM Team will coordinate with key partners as the affected BUs invoke their recovery strategies during the event. The recovery strategies selected should be appropriate for the BU and address a range of impacts of varying severity and duration.

BUs must identify and prioritize their short-term functional requirements for short-term outages (i.e., impact of the event lasts five days or fewer). BUs must also document functional requirements to operate the business critical functions during extended outages (i.e., impact of the event lasts more than five days, potentially up to several months). If the organization experiences a disruptive event with the potential to become an extended outage, BCM groups should coordinate with key partners at the organization-level and the BUs as the disruptive event evolves.

REPs log in and work remotely using a virtual machine (or a production virtual machine where deployed). If an employee logs into their non-virtual production machine from home, this does not qualify as a Remote strategy.

Pre-installed, existing seating that is configured to the BU's requirements and is generally vacant until invocation of the BU's BC Plan.

Displacement

Space occupied by Non-Critical Personnel who will be displaced by an incoming BU during invocation of the BU’s BC Plan. Displacement requires a predetermined agreement between the staff members that are displacing a group and the group being displaced.

Common space (e.g., cafeteria, conference rooms) that has been pre-cabled to enable PC/laptop installation, post a BC Event.

Transference

Recovery Strategy that moves a business process from an impacted area to an alternate, non-impacted area staffed with Personnel that the BU has trained and provisioned to conduct that process.

A backup in the same Functional Group as a REP who has defined recovery strategies. The backup can assume the REP’s defined recovery strategies during an event.

Sia Partners Approach

Sia Partners focuses on actionable strategies aimed at safeguarding against disruptive events. We facilitate coordination among our clients’ business units, teams, and leadership to develop a robust and resilient BC Framework.

Sia Partners performs a multi-phased process for our clients to develop their BC Framework. Our approach is as follows:


A well thought out BC Framework is instrumental to ensuring your business can operate successfully through disruptions. Sia Partners offers a comprehensive program to bolster your framework and Operational Resilience program.

Business continuity management is a must. Here’s a framework.

By Kenneth W. Witt, Senior Manager — Management Accounting and Member Engagement

The importance of planning for business continuity has become abundantly clear with the coronavirus pandemic.

Before the pandemic, the onset of cybersecurity risks resulted in a wealth of resources, such as the CGMA Cybersecurity Risk Management Tool, that focus on risk mitigation, response and remediation strategies for the seemingly inevitable cyber intrusion. While businesses have widely adopted strategies to address cyber risks, broader business continuity plans may not have been a priority.

Nearly 75% of U.S. companies report some supply chain disruption due to coronavirus-related transportation restrictions, and more than 44% of U.S. companies have no plan to address supply chain disruption from China.

The role of finance professionals in managing supply chain risk, a key component to ‘get back to business’, is addressed in the Financial Management article, ‘Finance’s crisis role in managing supply chain risk.’ Julia Graham, Airmic’s deputy CEO and technical director, emphasises the necessity of managing risks across the organisation by taking an enterprise risk management approach and managing potential disruptions with a business continuity plan.

While addressing the immediacy of supply chain disruptions is front and center, a broader business continuity plan is imperative.

Creating a business continuity management plan

The CGMA Business Continuity Management Tool — Key Strategies and Processes provides a framework to develop this critical corporate capability in your company. The tool identifies essential components, clarifies roles and responsibilities and details a step-by-step process to develop and maintain an effective business continuity management plan.

Step 1: Initial assessment and objective setting

Review the organisation’s current strategy, disaster recovery and crisis management plan, compliance requirements, etc.

Step 2: Critical process identification

Identify critical business functions, processes and process owners, along with key resources and tools needed for implementation.

Step 3: Business impact analysis

Evaluate the potential impact of a disruption to ‘business as usual’, ranging from customers to suppliers, employees to stakeholders, financial reporting to reputation.

Step 4: Continuity response approaches

Preparation — with plans for human resources, facilities, IT and data storage, customers and suppliers, etc. — and crisis management are the two areas of continuity response approaches.

Step 5: Plan, implement, and test

Ensure your staff is familiar with plans, and with testing, identify gaps and areas for improvement.

Step 6: Monitor, validate, and improve

Monitor the effectiveness of the organisational changes and adjust as needed.

Business continuity management requires you to identify critical processes, analyse potential impacts and assess the trade-offs between cost and recovery time objectives of different responses. Effective business continuity management takes a comprehensive approach — top-down, bottom-up and organisation-wide. Finance professionals are uniquely positioned to facilitate this.

  • Boston - Marlborough Data Center
  • Kansas City Data Center
  • St. Louis - Millpark Data Center
  • St. Louis - Olive Data Center
  • Omaha - Bellevue Data Center
  • Omaha - Midlands Data Center
  • New York – Hawthorne Data Centers
  • Charlotte - North Myers Data Center
  • Charlotte - Center Park Data Center
  • Raleigh Data Center
  • Raleigh - RTP Data Center
  • Oklahoma City Data Centers
  • Tulsa - Archer Data Center
  • Tulsa - State Farm Data Center
  • Allentown - TekPark Data Center
  • Bethlehem Data Center
  • Lehigh Valley Data Center
  • Philadelphia Data Center
  • Valley Forge Data Center
  • Sioux Falls - East Data Center
  • Sioux Falls - West Data Center
  • Nashville Data Center
  • Dallas Data Center
  • Dallas-Allen Data Center
  • Dallas-Fort Worth Data Center
  • Seattle Data Center
  • Spokane Data Centers
  • Milwaukee Data Center
  • Pricing Guidance
  • Why Tierpoint

Back to Glossary Home   | Business Continuity Management

What Is Business Continuity Management?

Business continuity management is the process of identifying and mitigating risks that are most harmful to a business during a disruption. Business continuity management works in tandem with a business impact assessment (BIA), and these processes are tested and revised so they are ready to implement in the event of a disaster, cyber-attack, or other business disruption. When an organization is facing disruption, business continuity management (BCM) creates an approach to ensure an organization can continue to function.

Why Is Business Continuity Management Important?

Organizations can't properly prepare for or recover from disruptions without building and following a disaster recovery plan.

Implementing BCM can help your business reduce the impact of disruptions and improve the odds you will recover quickly by having plans ready for different scenarios. Knowing what might befall your organization and how to combat it is a key component of decreasing the likelihood of disruptions altogether. In the long term, BCM can give your employees, customers, and partners increased peace of mind, knowing that you are prepared and able to recover quickly from disruptions and ensure data resiliency.

What is the Business Continuity Management Framework?

Although the exact Business Continuity Management (BCM) Framework can be dependent upon the individual organization, it typically includes a risk assessment, impact analysis, budget, recovery plans, and testing.

Risk Assessment

Start by assessing your risk landscape. Based on your industry and how you operate, what poses a threat to your business? This can include cyber-attacks, natural disasters, human error, vulnerabilities brought on by third parties, and so on. Once you've identified all risks, evaluate them based on their probability and severity, as well as your willingness to accept certain levels of risk.

Business Impact Analysis

A business impact analysis (BIA) looks at each risk in accordance with its level of impact on different areas of your business, both operationally and financially. Creating a BIA helps you determine what it would cost to weather specific disruptions and the maximum amount of time it would take to resume operations post-event.

Cost-Benefit Analysis and Budget

What are the costs associated with your desired business continuity management strategies? How will these costs maintain your revenue, productivity, and trust over time? A budget should be prioritized based on what is found in the risk assessment and BIA, focusing on the measures that will carry the most weight for your critical business processes and functions.

Conducting routine audits and testing is critical in determining whether your BCM strategy is effective and whether your DR plan is up to date. Document your tests to help identify any gaps in the recovery process and to offer recommendations for improvement.

Testing may also be required for regulatory compliance and to secure cyber insurance or business resumption insurance.

Recovery Measures

After you have an idea of the risks, impacts to your business, and scope of your needs, plan a recovery strategy that is sufficiently detailed and can be implemented quickly. What should happen at every step along the way after a disruption is discovered? What people and resources are needed to carry out these plans?

How Can Business Continuity Management Meet Regulatory Requirements?

Many businesses need to have a business continuity or disaster recovery plan in place as required by law. This is especially true for organizations in the healthcare, government, and financial industries. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare organizations have a plan for how they will provide services to patients if there is a data breach.

While BCM is important for every organization, it's especially important for those who have specific requirements to meet. During a disruption, the last thing you want to have to worry about is potential regulatory action on top of an already complicated situation.

BCM Starts with Business Continuity Consulting Services at TierPoint

Business continuity management can include a wide range of tasks, including risk assessment, business impact analysis, budgeting, testing, disaster recovery, and more. It's a lot to manage for one business when your IT team already has a lot on their to-do lists. TierPoint's business continuity consulting services can help you address your risks with confidence, create a strategy that prioritizes your most critical business processes, and get back to business as usual faster.


Enterprise risk management and business continuity management: Together at last

Organizations that integrate enterprise risk management (ERM) into their strategic planning efforts have found that business continuity management (BCM) enhances both their value creation objectives and their protection objectives. The confidence that comes from identifying and appropriately addressing interruption risks enables them to more boldly execute those strategic plans. But to gain that confidence requires the melding of ERM and BCM programs.


Executing a series of well-coordinated ERM and BCM integration activities makes it possible to realize the full value of optimized business continuity management.

Leading-practice integration examples include:

  • Consider ERM and BCM program integration
  • Involve BCM management in the ERM risk assessment process
  • Involve ERM management in BCM interruption risk assessment planning and analysis
  • Perform a BCM business impact analysis (BIA) that is informed by the ERM program’s impact categories, weighting, and thresholds
  • Develop ERM-informed risk resiliency improvement recommendations
  • Enhance risk scenario analysis
  • Conduct BCM capability examination and post-incident analysis
  • Link BCM and ERM program effectiveness reporting
  • Leverage governance, risk management, and compliance (GRC) technology

ERM lifecycle and BCM lifecycle synergies

Program governance; risk assessment/business impact analysis (BIA); risk treatments/strategies; risk plans/business continuity plans; program effectiveness monitoring and reporting.

  • ERM and BCM program governance is tightly coupled, sharing many of the same stakeholders 
  • The ERM and BCM program owner can be the same individual, yet supported by separate administrative teams 
  • The ERM and BCM programs report to the same risk committee and/or board of directors 
  • ERM and BCM risk assessment scopes align for areas related to operational interruption risks 
  • ERM risk impact categories and their thresholds are used to standardize the way BCM BIA participants describe operational interruption impacts 
  • Management’s risk appetite and tolerance decisions are informed by BIA results 
  • Deciding whether and how to respond to interruption risks is based on management’s risk tolerance and risk appetite 
  • Resiliency improvements are made to areas that leadership identifies as critical to achieving operational and strategic goals
  • Approved strategies for responding to interruption risk are documented in actionable business continuity plans
  • Responses to actual interruption events and the results of business continuity and crisis management exercises are formally evaluated against risk reduction objectives 
  • The BCM program’s effectiveness analysis provides a feedback loop to the overall ERM program, thereby providing comfort that resiliency and recoverability efforts reduce interruption risk impact


Mike Maali

Partner, Cyber, Risk and Regulatory, PwC US

Steve Zawoyski

Enterprise Risk Management Solutions Leader, PwC US


Business Continuity Management: Framework vs Policy


Decoding the Distinction: Business Continuity Management Framework vs Business Continuity Management Policy

In business continuity planning, two crucial elements are pivotal in safeguarding an organisation's operations during adverse events: the BCM Framework and the BCM Policy.

While they are interrelated and complement each other, they serve distinct purposes and functions within an organisation's approach to resilience and recovery.

Understanding the Business Continuity Management Policy

A BCM policy is a formalized statement articulating the organisation's stance on managing and responding to disruptions.

The policy defines the organisation's overall philosophy and strategy concerning business continuity and establishes the context for further planning and implementation. Typically, a BCM policy covers the following aspects:

Statement of Commitment

A concise declaration reflecting the organisation's commitment to ensuring business continuity and its significance.

Scope and Applicability

Defining the boundaries and applicability of the policy across different functions, units, or subsidiaries within the organisation.

Roles and Responsibilities

Outlining the roles, responsibilities, and accountability of individuals and teams involved in implementing the BCM policy.

Policy Objectives

Enumerating the specific objectives the organization aims to achieve through implementing the BCM policy.

Key Elements of a Business Continuity Management Framework


Key Components of a BCM Framework

BCM Planning Methodology

Risk Assessment (RAR) and Business Impact Analysis (BIA)

Identifying risks and evaluating their potential impacts on critical business functions.

Business Continuity Strategies (BCS) and Plan Development (PD)

Formulating strategies and detailed plans to maintain essential operations during disruptions.

Testing and Exercising (TE)

Conducting regular tests, training sessions, and simulated exercises to ensure the effectiveness of the BCM plans and enhance preparedness.

Program Management

Managing and continuously improving the business continuity program with continuous review, update, and enhancement of the BCM framework to align with changing organizational needs and external factors.

Governance and Compliance

Establishing governance structures and ensuring compliance with relevant laws, regulations, and industry standards.

Distinguishing the Two Pillars of Preparedness

In summary, the primary distinction between a BCM framework and a BCM policy lies in their scope, purpose, and level of detail:

Scope and Purpose

The BCM policy sets the organisation's overarching strategic direction and commitment towards business continuity.

The BCM framework provides a structured approach and operational guidance to implement the strategic objectives outlined in the policy.

Level of Detail

The BCM policy and the BCM framework are essential components of a successful business continuity program. While the policy provides direction and commitment, the framework translates that commitment into actionable strategies and plans that ensure business resilience in disruptions.

Together, they form a robust foundation for an organization to thrive amidst uncertainties and swiftly recover from adverse events.

A successful business continuity program thrives on a symbiotic relationship between a well-defined BCM policy and a robust BCM framework.


By integrating these elements into their operational fabric, organizations can endure disruptions, swiftly recover, and thrive in an ever-changing business landscape.


Why is Business Continuity Management Essential for Modern Businesses?

Highlights:

  • Disaster recovery revolves around the process that swiftly enables an organization to resume vital business operations post-disruption.
  • Crafting a risk assessment that identifies potential perils to the organization is an indispensable element of your strategic plan.

Business Continuity Management (BCM) plays a pivotal role in proactively strategizing and equipping an organization to preemptively identify, mitigate, and diminish the impact of risks while concurrently ensuring the seamless flow of critical business operations.

Irrespective of an enterprise’s existing BCM maturity, planning, and preparation for forthcoming incidents, it remains a continual endeavor guided by an ethos of perpetual enhancement. The bedrock of this undertaking lies in the formulation and execution of a robust business continuity management strategy.

At its core, a business continuity management plan is the linchpin for many BCM processes, encompassing three key segments: an emergency response plan, a crisis management plan, and an operational recovery plan.

Each facet of this comprehensive triad constitutes an essential component contributing to the efficacy of the overall business continuity management program. But what is it, and how does it operate?

What Is Business Continuity Management?

Business continuity management is a comprehensive organizational process focused on discerning potential risks and their implications.

The core objective is to cultivate robust organizational resilience after natural calamities or data breaches. By implementing business continuity management, enterprises can effectively shield their reputation and prioritize stakeholder interests during a crisis.

Business continuity management operates within a multidisciplinary framework, seamlessly incorporating the following interrelated disciplines, each elaborated upon below:

  • Crisis Management (CM) — CM establishes quantifiable metrics that define crisis scenarios within an organization. It outlines the precise steps to restore IT systems to an operational stage.
  • Emergency Response (ER) — ER involves a systematic approach to addressing difficult or unforeseen situations during their initial stages. This encompasses evacuating premises, shutting down utilities, and combatting fires. ER strives to minimize such events’ impact on individuals and the environment.
  • Disaster Recovery (DR) — DR revolves around the process that swiftly enables an organization to resume vital business operations post-disruption. After an outage, it emphasizes restoring access to pivotal IT infrastructure supporting its mission-critical applications.
  • Business Continuity (BC) — BC focuses on sustaining essential functions during and after a catastrophe. Unlike DR, which centers on reestablishing IT infrastructure, BC centers on restoring business operations to a normal state following a crisis.
  • Risk Management (RM) — Risks manifest in various forms. A comprehensive business impact analysis and a thorough threat and risk assessment are recommended. Potential threats include malicious actors, internal elements, competitors, market dynamics, geopolitical issues, and natural incidents.

As awareness grows regarding the critical role of business continuity management in modern business, the need to bridge the gap between theoretical understanding and effective implementation becomes evident.

As risks evolve, organizations must transition from grasping business continuity management fundamentals to executing a tailored framework that ensures seamless continuity amid unforeseen disruptions.

How to Implement an Effective Business Continuity Management Framework?

A robust and effective business continuity management framework is essential for any forward-looking organization.

As the landscape of risks and disruptions continues to evolve, having a meticulously designed and thoughtfully executed business continuity management framework is crucial in ensuring operational resilience, safeguarding stakeholder interests, and upholding a business reputation.

Here are the steps to create a business continuity management framework:

Risk Assessment

  • Perform a thorough assessment of industry-specific and operational threats unique to your organization.
  • Identify potential disaster scenarios and evaluate their potential impact with precision.
  • Backing your assessments with robust data ensures a meticulous understanding of each risk.
  • Systematically rank these risks by severity to create a prioritized hierarchy.

This data-driven approach aids you in making informed decisions for risk mitigation strategies and solutions. The process demands a concise yet insightful analysis of each risk’s implications to effectively guide your organization’s preparedness.

Communications

  • Effective communication of instructions and information is critical for business continuity and crisis management.
  • Your company can establish communication templates and protocols to streamline notifications across different scenarios and recipient groups.

This proactive approach ensures a consistent and swift exchange of critical information during disruption, bolstering organizational readiness and response.

Impact Analysis

  • Following the risk assessment, examine each risk’s potential impact on specific business segments and assess the recovery time for each scenario.
  • Your business can methodically differentiate mission-critical processes from non-essential ones, allowing you to identify operations indispensable for functioning and those that can be foregone.

This disciplined approach facilitates precise resource allocation, ensuring valuable resources are directed where they matter the most. This enhances your company’s overall capability to manage disruptions effectively.

Dependency Mapping

A common challenge in business continuity planning (BCP) is overlooking the potential ripple effects of disruptions on interconnected functions, partners, and customers.

In this case, a business continuity management app can construct a comprehensive map that outlines these connections and dependencies.

This proactive measure ensures accurate consideration within the Business Continuity Plan (BCP), minimizing vulnerabilities from overlooked interdependencies.

  • After implementing your system or framework, evaluate and compare the initial risk level with the remaining residual risk.
  • Maintain comprehensive evaluations, focusing on metrics that enhance continuity and recovery, avoiding unnecessary time and costs.
  • Next, initiate process and workflow development. Leverage the insights from thorough risk assessments to create, evaluate, and refine processes.

This iterative approach ensures continuity and resilience during incidents, aligning strategies with quantified risks and their potential impacts.

  • After gathering all the necessary information, it’s time to develop clear and actionable plans and strategies. These frameworks should be checklist-oriented, outlining practical steps for each threat you’ve found.
  • Cover all phases—before, during, and after the incident—leaving no gaps.
  • Rather than getting bogged down in policies, concentrate on aligning with industry standards during a crisis.
  • Factor in budget allocations and design systems that adjust to different scenarios, like equipment loss or remote work hurdles.

This adaptable approach ensures your plans are versatile and effective in handling unforeseen challenges.

Validation and Testing

  • Businesses also leverage business continuity management applications as part of their ongoing schedule for periodically reviewing and updating their Business Continuity Plans (BCP).
  • Furthermore, these apps serve as a foundation for testing various BCP elements, pinpointing room for enhancement under normal operational circumstances instead of during a crisis.

This proactive approach contributes to seamless continuity and enhances crisis response strategies.

Incident Identification

In the context of business continuity, it’s paramount to establish a clear understanding of what qualifies as an incident.

This necessitates detailed descriptions of events in policy documents, along with specifications regarding who or what has the authority to trigger the acknowledgment of an incident.

These trigger points serve as cues for initiating the implementation of the business continuity plan, rallying the team to take appropriate actions as defined in the plan.

Business continuity management stands as a steadfast process.

By intertwining Crisis Management, Emergency Response, Disaster Recovery, Business Continuity, Risk Management, and Cyber Crisis Response, businesses fortify their capacity to triumph over disruptions.

This method, evolving from theory to action, involves precise risk assessment, strategic communication, impact analysis, and dependency mapping, guided by metrics to drive perpetual enhancement.

Proactive testing and incident identification ensure seamless continuity, embedding operational resilience and safeguarding business reputation amidst evolving challenges.


Insights Desk


Bryghtpath

Business Continuity and Crisis Management Consultants

What are the most effective frameworks for business continuity planning?

Discover effective business continuity planning frameworks. Learn how to implement and maintain these strategies for optimal resilience in your organization.

September 21, 2023 by Bryan Strawser

Business continuity planning frameworks are pivotal in ensuring the resilience and sustainability of an organization during disruptions. These strategic blueprints guide businesses to maintain operations, safeguard stakeholders’ interests, and ultimately survive potential crises.

The importance of these frameworks cannot be overstated as they provide a structured approach towards identifying risks and developing mitigation strategies. They offer clear guidelines on how to respond effectively when disaster strikes.

Yet, despite their significance, many organizations struggle with implementing effective business continuity planning frameworks. This can lead to unpreparedness that could jeopardize the very existence of a business in times of crisis.

This post will delve into understanding what these frameworks entail, their benefits, different types available such as ISO 22301 or NIST 800-34 among others, and how best to implement them for optimal organizational resilience.

What is Business Continuity Planning?

In the realm of commerce, where unforeseen circumstances and disturbances are unavoidable, having a sound strategy to manage these issues is essential. This is where business continuity planning (BCP) comes into play.

At Bryghtpath, we understand that business continuity isn’t just about developing an emergency response plan; it’s about designing plans for resilience and recovery strategies that will help your organization weather any storm.

The Essence of BCP

From natural disasters to cyber-attacks and supply chain disruptions, modern organizations must be prepared for threats from any direction. A comprehensive business continuity plan ensures not only operational survival but also safeguards financial stability and brand reputation during times of crisis.

A well-prepared organization stands tall amidst adversity because it has proactively invested in its future through an effective risk management framework. “The best defense against unforeseen events is being well-prepared.”

Anatomy of Business Continuity Planning

A sound BCP consists of several key elements: identifying potential risks with a thorough assessment, understanding how those risks could impact operations via detailed business impact analysis (BIA), and outlining steps needed for restoring functions post-disruption with strategic recovery plans, among others. All this information then converges into actionable procedures tailored specifically to meet organizational-level requirements.

Benefits of Business Continuity Planning

In the world of business, expecting the unexpected is a rule rather than an exception. At Bryghtpath, we understand this reality and recognize that effective business continuity planning (BCP) protects businesses against potential disruptions or disasters.

Risk Identification and Mitigation Strategies

The cornerstone of any robust BCP lies in risk identification. It’s about understanding your organization’s vulnerabilities to various threats and how they could disrupt operations. But it doesn’t stop there; having identified these risks, devising mitigation strategies becomes paramount – measures designed for prevention and recovery post-disruption.

We believe in creating comprehensive plans that detail procedures for restoring critical functions within stipulated time frames, ensuring minimal downtime – because every second counts during crises.

Crisis Response Efficiency

Much like our own at Bryghtpath, a sound business continuity plan provides organizations with detailed response blueprints tailored to different types of crises or disruptions. The power of preparedness cannot be overstated here, as it eliminates panic-induced inefficiencies during crisis situations, leading to more streamlined decision-making processes.

This efficiency goes beyond minimizing operational disruption: it protects stakeholder interests by maintaining customer service levels even when facing adversity, and it safeguards brand reputation amidst chaos.

Safeguarding Stakeholder Interests & Regulatory Compliance

An effective BCP does more than protect assets; it builds trust among stakeholders, including employees, customers, suppliers, etc. Moreover, certain industries mandate formalized BCPs under regulatory norms, further underscoring their importance.

Adherence not only ensures legal compliance but boosts credibility too. Many financial institutions rely on firms such as Deloitte for assistance in meeting stringent industry regulations related to business continuity management.

After delving into some benefits of implementing solid business continuity plans, let’s focus on international standards guiding BCM practices, specifically ISO 22301.

Key Takeaway: 

Business continuity planning (BCP) is a must-have shield for businesses, offering protection against disruptions and disasters. It involves identifying risks, devising mitigation strategies, ensuring efficient crisis response, safeguarding stakeholder interests and maintaining regulatory compliance. In essence, it’s about expecting the unexpected to ensure minimal downtime during crises.

ISO 22301: The International Standard for Business Continuity Management

The foundation of any solid business continuity plan is a robust framework. ISO 22301 serves as this sturdy structure, providing guidelines on constructing and maintaining an effective BCMS (Business Continuity Management System). It’s like the blueprint that guides you in building your organization’s resilience against potential disruptions.

Diving Deeper into ISO 22301

To truly appreciate the beauty of this standard, let’s dissect its key components:

  • Contextual Understanding: This involves gaining insights about your operational environment – stakeholder needs, strategic objectives, and compliance requirements are all part of the mix.
  • Risk Assessment: Here, we identify threats capable of disrupting normal operations. A bit like foreseeing storm clouds before they unleash their fury. MHA IT offers expert guidance during these crucial risk assessment stages based on specific business continuity methodology.
  • BIA (Business Impact Analysis): This stage evaluates each identified disruption’s impact across various organizational levels, such as financial stability or reputation management.
  • Mitigation Strategies & Plans: We then develop strategies to prevent possible disruptions and response plans should they occur despite our best efforts. This includes designing plans for recovery strategies and operational recovery procedures, among others.

An audit by an independent certification body is the crucial step towards achieving ISO certification. Bryghtpath’s ISO 22301 Maturity Model for Business Continuity helps streamline the audit process, thereby making the path smoother. Certification validates commitment and instills stakeholders’ confidence regarding the company’s resilience capabilities. In today’s volatile world, it can provide a much-needed competitive edge too. So while ISO offers a strong base, other frameworks are worth exploring.

Consider ISO 22301 as the blueprint for your business continuity plan, helping you foresee and weather any storm. It’s all about understanding your environment, assessing risks, analyzing impacts, and crafting mitigation strategies.

Other Frameworks for Business Continuity Planning

The journey of business continuity planning is not a solitary one. Multiple frameworks can guide organizations, such as NIST 800-34 and NFPA 1600.

NIST 800-34: A Guiding Light in Federal Information Systems Contingency Planning

In our quest to build robust business continuity plans, we encounter various tools such as NIST Special Publication (SP) 800-34 Rev. 1. This framework, developed by the National Institute of Standards and Technology, provides us with an effective process to develop contingency strategies, including conducting a BIA and identifying preventive controls, among others.

NFPA 1600: The Holistic Approach towards Disaster/Emergency Management

As part of this exciting expedition into building resilience against disruptions or disasters, NFPA offers another perspective on disaster/emergency management, encompassing prevention, mitigation, response, and recovery aspects.

How to Implement a Business Continuity Plan

In the Bryghtpath team, we value thoroughness and precision. To ensure a successful business continuity plan, we focus on recognizing the risks that could affect operations by conducting comprehensive risk assessments. We engage in meticulous risk assessment activities that identify potential threats and vulnerabilities which could impact operations.

Risk Assessment & Analysis

The process of identifying risks isn’t one-dimensional; rather, it involves considering various types of disruptions such as cyber-attacks or natural disasters that can interrupt normal functioning. Further analysis includes evaluating these impacts on different aspects within the organization like finance or reputation.

Developing Mitigation Strategies & Response Plans

An integral part of effective business continuity planning lies in developing strategies aimed at mitigating identified risks – think robust cybersecurity measures or backup plans for essential processes.

  • Beyond strategizing mitigation efforts, response plans outlining how organizations should react amidst disruptions need development.
  • This step ensures readiness by detailing actionable steps to follow when disaster strikes. Corporate Security Advisors provide valuable guidance here.

Plan Documentation & Training

  • A well-documented plan outlines roles clearly so everyone knows what they’re responsible for during incidents.
  • Training employees is equally important; their familiarity with procedures helps ensure smooth execution if faced with unexpected events.

At Bryghtpath, we recognize that maintaining your BCP over time is just as vital as its initial creation – regular reviews based on organizational changes keep your plan up-to-date.

Implementing a business continuity plan is all about precision. It starts with understanding your organization’s risk profile, identifying potential threats and impacts, then developing mitigation strategies and response plans. Remember to document the plan clearly, train employees accordingly, and keep it updated over time for true resilience.

Exercising & Maintenance of Business Continuity Plans

A few weeks after I started working in the field of business continuity planning, a colleague asked me about my approach to testing and maintaining these plans. My answer was simple: “It’s not enough just to create a plan; it needs constant refinement.”

The Role Exercises Play

In many ways, conducting exercises with your business continuity plan is akin to rehearsing with your band before a big gig. You simulate disruptions or disasters that could impact operations and evaluate how well you’re prepared for them.

This process helps identify any potential weaknesses in the rhythm section, allowing necessary adjustments.

Maintenance – The Constant Refinement

Your organization isn’t static; it evolves, and so should your business continuity plans. New processes are introduced, systems get updated, and personnel changes occur – all factors necessitating updates to your business continuity program.

This ongoing task requires regular reviews and revisions based on feedback from rehearsals (tests) or live performances (real-life incidents).

Just like a band’s rehearsal before the big gig, business continuity plans need constant testing and refinement to keep up with evolving organizations. Don’t shy away from external help for an objective assessment and expert guidance – it could be your ticket to smooth sailing amidst crises.

The significance of business continuity planning in today’s volatile world cannot be emphasized enough. It forms the backbone for organizations to ensure their operations remain unaffected, even when faced with potential disruptions or disasters. Frameworks such as ISO 22301, NIST 800-34, and NFPA 1600 provide a solid foundation for companies to build comprehensive plans.

These standards not only guide an organization through identifying risks but also assist it in developing strategies to mitigate them, creating robust response plans, and testing those regularly. They are instrumental in setting up your Business Continuity Management System (BCMS).

Beyond just following established frameworks, you must understand your organization’s risk profile thoroughly while implementing a business continuity plan. This involves assessing threats specific to your industry sector or geographical location and vulnerabilities within the system.

An effective BCMS isn’t static – it requires regular exercising to ensure its effectiveness during real-life scenarios.

About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.

Business Continuity Management Framework

  • This page was last edited on 24 September 2023, at 07:51.
COMMENTS

  1. What is Business Continuity Management (BCM)?

    Business continuity management (BCM) involves 5 phases. 1. Establishment Phase In the establishment phase, business analysts identify and evaluate the effect the disruptions may have on business operations. This requires a thorough assessment of all business activities and the resources they utilize.

  2. ISO 22301:2019

    ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It provides a framework for organizations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.

  3. What is Business Continuity Management

    Business Continuity Management (BCM) integrates the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology continuity) and Business Continuity (organizational/operational relocation). Throughout the profession, definitions of Business Continuity Management abound.

  4. ISO 22301 Business Continuity Management Made Easy

    The ISO 22301 standard offers a framework for planning, testing, and monitoring a business continuity management system (BCMS). The ISO 22301 document contains 10 sections, which introduce the standard and definitions, as well as actionable requirements of the standard. ... ISO 22330 - Security and resilience — Business continuity management ...

  5. ISO

    Year of publication: 2019 | Edition: 1 A free publication about ISO 22301, Security and resilience - Business continuity management systems - Requirements, the International Standard for implementing and maintaining effective business continuity plans, systems and processes.

  6. Understanding the Business Continuity Management Framework

    A Business Continuity Management Framework is a comprehensive structure that guides organizations in identifying potential threats, assessing their impact on critical business functions, and formulating strategies to minimize disruption and facilitate a swift recovery.

  7. What Is a Business Continuity Plan (BCP), and How Does It Work?

    Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks. BCP is designed to protect personnel and assets and make...

  8. PDF ISO 22301

    Business continuity management systems - Requirements, was the world's first International Standard for implementing and ... This framework is designed to facilitate the integration of new management topics into an organization's established management processes.

  9. What is Business Continuity Management? A Comprehensive Guide

    Business continuity management refers to an organization's proactive planning and preparation to uphold business operations or promptly recover after a disaster, such as fire, flood, or cyber-attack. It also entails identifying potential risks. Business leaders aim to anticipate and handle potential crises by developing preventive measures.

  10. Business Continuity Management (BCM)

    The Business Continuity Institute (Business Continuity Institute 2007b) defines Business Continuity Management (BCM) as an act of anticipating incidents that will affect mission-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner.

  11. Introduction to Business Continuity

    Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible. Whether it's a business, public sector organization, or charity, you need to know how you can keep going under any circumstances. Potential incidents to consider

  12. What is business continuity and why is it important?

    Business continuity management software is also an option. Software -- either on premises or cloud-based -- helps conduct BIAs, create and update plans and pinpoint areas of risk. Business continuity is an evolving process. As such, an organization's business continuity plan shouldn't just sit on a shelf. The organization should communicate its ...

  13. Business Continuity Management (BCM) Explained

    Business continuity management is the set of proactive measures that a company takes in order to avoid loss as a result of major events that negatively impact a business. Such events include hostile mergers or acquisitions, change in leadership, natural disasters, ransomware attacks, data breaches, and other changes that impact company data and ...

  14. Business Continuity Framework: Protect Your Organization

    A BIA is an assessment and prioritization of business functions and processes in a BC Plan that identifies the potential impact of business disruptions arising from a disruptive event. It should be documented in the BC Framework to support business-critical processes and include the following steps and considerations:

  15. PDF Business Continuity Management Policy and Framework

    This BCM Policy and Framework documents the University's approach to Business Continuity Management (BCM) and provides a consistent, overarching structure to support Schools and Departments in the development and implementation of their own BCM arrangements.

  16. Business continuity and resilience management: A conceptual framework

    Aspects of business continuity management (BCM) include planning, preparation and mitigation activities that aim to deal with potential threats to a company, reduce vulnerability and maintain operations after experiencing disturbing circumstances (ISO22301, 2019 ).

  17. Business continuity management is a must. Here's a framework

    The CGMA Business Continuity Management Tool — Key Strategies and Processes provides a framework to develop this critical corporate capability in your company. The tool identifies essential components, clarifies roles and responsibilities and details a step-by-step process to develop and maintain an effective business continuity management plan.

  18. Business Continuity Management Definition & FAQ's

    Business continuity management is the process of identifying and mitigating risks that are most harmful to a business during a disruption. Business continuity management works in tandem with a business impact assessment (BIA) and these processes are tested and revised so they are ready to implement in the event of a disaster, cyber-attack, or other business disruption.

  19. Enterprise risk management and business continuity management ...

    Organizations that integrate enterprise risk management (ERM) into their strategic planning efforts have found that business continuity management (BCM) enhances both their value creation objectives and their protection objectives.

  20. Business Continuity Management: Framework vs Policy

    Key Components of a BCM Framework The key components of a BCM framework typically include: Risk Assessment (RAR) and Business Impact Analysis (BIA) Identifying risks and evaluating their potential impacts on critical business functions. Business Continuity Strategies (BCS) and Plan Development (PD)

  21. A Framework for Business Continuity Management

    A robust and effective business continuity management framework is essential for any forward-looking organization. As the landscape of risks and disruptions continues to evolve, having a meticulously designed and thoughtfully executed business continuity management framework is crucial in ensuring operational resilience, safeguarding ...

  22. What are the most effective frameworks for business continuity planning?

    Business continuity planning frameworks are pivotal in ensuring the resilience and sustainability of an organization during disruptions. These strategic blueprints guide businesses to maintain operations, safeguard stakeholders' interests, and ultimately survive potential crises.

  23. Business Continuity Management Framework

    Business Continuity Management (BCM) Framework or BCM Framework is defined as BCM methodology and planning process for managing disruption related risk. BL-B-5 Click to know more Similar Term: BCM Framework, BCM Policy