Business Continuity Management (BCM)
Business continuity management (BCM) is a framework for identifying an organization's risk of exposure to internal and external threats. Many organizations miss the critical step of mapping their business processes to their BCM. This step is crucial to prevent disastrous results. Having an effective BCM is an essential risk management activity. The expressions Business Continuity Plan (BCP) and IT Disaster Recovery (DR) are often used to designate BCM. However, BCP and DR are only components of BCM. BCM goes beyond BCP and DR: it includes disaster recovery, business recovery, crisis management, incident management, emergency management, and contingency planning.
BCM improves the resilience of organization activities (Business Continuity Management: Crisis Leadership). It can be broken down into 5 phases that constitute an interactive life cycle:
• Phase 1: Understanding your organization.
• Phase 2: Defining your Business Continuity (BC) Strategy.
• Phase 3: Choosing and Implementing Business Continuity (BC) Solutions.
• Phase 4: Testing, Maintaining, and Reviewing Business Continuity (BC) Arrangements.
• Phase 5: Developing Business Continuity Culture (BCC).
BCM is an ongoing and permanent managerial process that consists of:
• Identifying threats (natural or accidental disasters and voluntary disruptive acts) to which the company is subject and analyzing their possible impacts.
• Establishing and testing arrangements, procedures, and resources capable of coping with these threats and with extreme disruptions.
• Raising employee awareness.
The 5 phases of the life cycle for Business Continuity Management.
The five phases of the process are built around a BCM Program characterized by:
• Specific framework for standards and governance
- Principles and rules, binding key points and deliverables
- Objectives to be fulfilled
• Resources allocated and a process of continuous improvement involving:
- Regular exercises and tests
- Ongoing maintenance and
- Periodic revisions of the BC arrangements.
Phase 1: Understanding your organization
The first phase of the BCM life cycle is dedicated to understanding your organization. Understanding what the business does, and how it is done, is a must in BCM. As this cycle is iterative, it determines the success of the entire BCM process. This first phase includes three successive stages:
• The description of activities.
• The Business Impact Analysis (BIA).
• The assessment of the criticality level.
The purpose of this first phase is to identify the essential information on the impacts of a disruption to each activity, to assess the process, and to assess the level of criticality per activity.
Phase 2: Defining your Business Continuity Strategy
The definition of your Business Continuity strategy constitutes the second phase of the BCM life cycle. It is a phase of decision-making and determination of objectives in terms of recovery.
This second phase includes three successive stages:
• The selection of the activities to be recovered as a priority.
• The definition of Business Continuity objectives.
• The entity's expression of requirements in terms of Business Continuity (BC).
The final version of the Business Continuity strategy results from iterations between the present phase (Phase 2 - Defining your Business Continuity strategy) and the following one (Phase 3 - Choosing and Implementing solutions).
However, it is crucial to keep the decisions made in these two phases separate, so that the setting of objectives is de-correlated from the constraints specific to solutions. This is because the level of requirements for BC must not depend on the investment required to finance a solution. Therefore, solutions should support the strategy, not the reverse.
The question of solutions (choice and implementation) is not addressed in this phase but in the following one (Phase 3 - Choosing and Implementing solutions).
Phase 3: Choosing and Implementing Business Continuity Solutions
The third phase of the BCM life cycle is dedicated to the implementation of BC arrangements. After an analysis phase (Phase 1) and a decision-making phase (Phase 2) comes the operational phase.
This third phase contains four stages:
• The consideration of reference scenarios and their application according to the specifics of the structure in question.
• The choice of solutions.
• Purchasing and contract agreement solutions.
• Documenting the solutions by preparing a BCP.
The result of Phase 3 is the implementation of Business Continuity arrangements. These arrangements must be operational and sufficiently flexible to allow the entity to avert, or to cope with, an interruption to activity caused by an incident impacting its resources. When activated, these arrangements must meet the objectives set out in the Business Continuity strategy.
Phase 4: Testing, Maintaining and Reviewing Business Continuity Arrangements
In contrast to the previous phases, there is no chronological order between the organization of tests or exercises and the maintenance and revision of the arrangements. Once the BCM process has been introduced, tests, exercises, and maintenance are carried out simultaneously throughout the entire year.
Phase 4 is structured around three themes:
• Carrying out tests or exercises to validate the operational character of solutions;
• Maintenance of the BC arrangements; and
• Revision of the BC arrangements
The fourth phase of BCM helps the entity ensure that the BC solutions are operational and that the BC arrangements are maintained and reviewed. The BC solutions cover all the technical and/or organizational measures that provide generally partial coverage of one or more scenarios. The solutions are one of the components of the Business Continuity arrangements.
Phase 5: Developing Business Continuity Culture (BCC)
Developing Business Continuity Culture (BCC) primarily consists of gradually changing attitudes, and for this there are two strategies: raising awareness and training. Awareness must be increased not only among those directly involved in the application of the BCM process but across the full staff population.
Developing the BCC:
• Promotes the application of the BCM program.
• Increases the responsiveness of staff if the BCP is activated.
• Promotes the inclusion of BC in project studies where applicable.
• Makes BC part of the criteria in the decision-making process at all levels.
Phase 5 covers the development of a BCC in three successive stages:
• Assessment of the current awareness concerning the defined objective.
• The design and implementation of an awareness campaign and a training program.
• An assessment of the attainment of objectives and the follow-up of awareness.
Business Continuity Management looks at an entire organization, not only for requirements but also for dependencies. A formal training and awareness component is necessary for a successful BCM program so that the tests and exercises contribute to the ongoing improvement of BCM.
An effective Business Continuity Management:
• Is ongoing.
• Infiltrates the business culture.
• Influences the access, design, implementation, operation, and maintenance of all environments.
• Includes a resilient infrastructure.
• Includes solid processes and procedures.
• Includes a strong security practice.
• Includes a strong safety program.
• Includes sound IT principles.
• Includes an awareness and training program.
The most popular BCM system standard is ISO 22301: International Organization for Standardization (ISO), “ISO 22301:2012 Societal security - Business continuity management systems - Requirements”, Switzerland, 2012. The standard can be downloaded from ISO (ISO 22301:2012); a fee is applicable.
Also, I recommend reading “The Definitive Handbook of Business Continuity Management, 3rd Edition” and “Business Continuity Management: Global Best Practices, 4th Edition”, written by Andrew Hiles, for the concepts and best practices of BCM.