Business Continuity Management (BCM)
What is BCM?
BCM is a form of risk management that deals with the threat of business activities or processes being interrupted by external and/or internal factors. It involves making arrangements to ensure you can respond as effectively as possible in the event of a disruption so mission-critical functions will continue to provide an acceptable level of service.
Effective business continuity can be best attained through the implementation of a business continuity management system (BCMS) aligned to its international standard, ISO 22301.
What is the purpose of BCM?
BCM involves being prepared for disruption by identifying potential threats to your organisation early and analysing how day-to-day operations may be affected.
Effective BCM ensures the organisation can provide a minimum acceptable service in spite of a disaster, and helps preserve corporate reputation and ultimately revenue. It may also improve insurance rates and provide new contract opportunities.
The current cyber threat landscape has made business leaders more aware of the risks of cyber attacks and the importance of being able to respond to and recover from such attacks. Effective BCM, based on international best-practice standards such as ISO 22301, can protect organisations from widespread business disruption in the event of a cyber attack, industrial action, natural disaster and more.
How BCM can meet regulatory requirements
A growing body of legislation also requires organisations in essential sectors to demonstrate a degree of organisational resilience; implementing effective business continuity measures is a good starting point. The UK Companies Act 2006 requires directors to “exercise reasonable care, skill and diligence” when performing their duties, which includes mitigating risks to the organisation.
Organisations offering essential services need to implement incident response capabilities in line with the requirements of the Network and Information Systems Regulations 2018 (NIS Regulations). Digital service providers (DSPs) within scope have the explicit requirement to put business continuity measures in place. Although not an explicit requirement for operators of essential services (OES), we strongly encourage them to consider implementing BCM measures; such measures would provide a well-defined structure for building incident response measures and effectively managing business interruptions.
The BCM lifecycle
Effective BCM involves:
- Identifying critical activities;
- Performing a business impact analysis (BIA);
- Performing a risk assessment;
- Designing and implementing a business continuity plan (BCP);
- Testing and evaluating performance; and
- Putting a continual improvement process in place.
Business continuity planning
Business continuity planning involves the processes and procedures for developing, testing and improving the BCP, which will enable an organisation to continue operating during a disaster and quickly return to the status quo. The BCP can be considered the ‘heart’ of a BCMS; best practice for forming the plan is set out in ISO 22301.
Disaster recovery planning
Disaster recovery planning prioritises fully recovering and returning to full functionality in the event of an incident, whereas BCM focuses on preserving an organisation’s ability to function. Having said that, there is still a clear overlap, and disaster recovery does fit within an organisation’s business continuity framework.
Disaster recovery plans are often relatively technical and focus on the recovery of specific operations, functions, sites, services or applications. The BCP might contain or refer to a number of disaster recovery plans.
ISO 27031 – ICT continuity best practice
ISO 27031 describes best practice for information and communications technology (ICT) continuity management within an organisation’s overall business continuity framework. ISO 27031 can be used in conjunction with ISO 22301, but can also be used on a standalone basis, should an organisation wish to address ICT continuity management specifically.