What is Business Continuity Management?

Business Continuity Management Standards – ISO 22301

The second edition of The International Standard for Business Continuity Management, ISO 22301:2019 defines the purpose for BCM as to “prepare for, provide and maintain controls and capabilities for managing an organisation’s overall ability to continue to operate during disruptions.”

It then goes on to list different organisational benefits, including:

• Supporting its strategic objectives
• Protecting and enhancing its reputation and credibility
• Contributing to organisational resilience
• Reducing direct and indirect costs of disruptions
• Protecting life, property and the environment
• Demonstrating proactive control of risks effectively and efficiently

Supporting standards for Organisational Resilience

Beyond ISO 22301, there are a number of other standards that pertain to effective BCM that should be acknowledged and followed where appropriate by an organisation to increase resilience to disruptions.

These include:

• BS 11200 – a crisis management standard for building a strategic capability. It is designed for stakeholders ­– policy decision makers, risk and BCM managers, senior management, etc. – that are involved in growing capabilities that can impact an organisation’s objectives, reputation, or operations. Although a British Standard, it is equally relevant for non-British organisations.
• ISO 27031 – IT continuity and cyber security are now central to any BCM strategy. The ISO 27031 standard includes the concepts and principles of information and communication technology (ICT) readiness. It also provides a framework for identifying, categorising and improving ICT readiness – through such things as performance criteria and design – to support business continuity.
• ISO 22318 – Supply chain management is vital for many organisations. For those industries and organisations whose business is intrinsically tied to a supplier of services or products, following ISO 22318 guidelines can prove extremely beneficial for mitigating the impact of a major disruption.
• BCI Good Practice Guidelines – All BCI certification is based on the Good Practice Guidelines, a practitioner-driven information source for individuals and organizations seeking an understanding of business continuity as part of their awareness raising campaigns and training schedules.
• For registered actors within the UK financial services sector, the soon to be implemented operational resilience regulations must also be considered. Operational resilience shifts focus from the actor, typical in BCM and incident management approaches, to the resilience of the important business services being offered.

A structured BCM strategy for increased resilience

Implementing a structured BCM strategy across an organisation will have an extensive impact on an organisation’s eco-system, which brings with its wide-reaching benefits on multiple levels.

• Organisational – Deploying a structured framework across departments, business units and/or production facilities – as opposed to using diverse and tailored BCM processes – make it easier to compare risks and capabilities and define where actions should be taken to assure business continuity.
• Operative – With a better and unified understanding of holistic and fine-grained risks and readiness capabilities, an operative plan can be developed to mitigate risk where the biggest gaps exist. These can be ranked by importance based on the potential impact and likelihood of occurrence vs the value they add to operations. Budgeting can be developed based on BCM and incident readiness plans.
• Regulatory – With a standardised BCM methodology you can ensure and prove that facilities follow the same framework and meet regulatory requirements. Updates to regulations can be easily incorporated centrally and implemented organisation-wide.
• Production – In an organisation with multiple facilities or a large proportion of staff working remotely, having a standardised BCM framework is critical. If, for instance, IT continuity issues are identified at one unit or within certain processes, steps can be put into place and implemented locally or globally to improve cyber resilience. Such issues may not be identified if fragmented BCM processes exist.
• Customers – A standardised BCM framework highlighting that your organisation can withstand major disruptions can prove invaluable to customers. Knowing that you have the processes in place that safeguard production and delivery of goods, builds a new sense of trust among customers.
• Suppliers – The implications on suppliers can be considerable. You may identify continuity risks among your suppliers in the event of a major disruption. The upshot of this can be that suppliers have to prove they can guarantee products or services, supplier KPI and SLAs change, or new, more resilient suppliers are contracted.

The 4C BCM methodology

• Governance and Policy: Defines how organisational policy relating to business continuity will be implemented, controlled and validated.
• Analysis: Operations, objectives and constraints are reviewed and assessed.
• Design: Appropriate strategies and solutions are selected that determine how to achieve continuity and recovery from a disruption.
• Implementation: Agreed strategies and solutions are executed in the form of a business continuity plan.
• Validation: The business continuity plan is tested to ensure it is fit for purpose and that staff are familiar and confident in its application during a disruption.
• Embedding: Business continuity is integrated into business-as-usual (BAU) activities and organisational culture.