What is BCM?
BCM is a form of risk management that deals with the threat of business activities or processes being interrupted by external and/or internal factors. It involves making arrangements to ensure you can respond as effectively as possible in the event of a disruption so mission-critical functions will continue to provide an acceptable level of service.
Effective business continuity can be best attained through the implementation of a business continuity management system (BCMS) aligned to its international standard, ISO 22301.
Find out more about ISO 22301 >>
What is the purpose of BCM?
BCM involves being prepared for disruption by identifying potential threats to your organisation early and analysing how day-to-day operations may be affected.
Effective BCM ensures the organisation can provide a minimum acceptable service in spite of a disaster, and helps preserve corporate reputation and ultimately revenue. It may also improve insurance rates and provide new contract opportunities.
The current cyber threat landscape has made business leaders more aware of the risks of cyber attacks and the importance of being able to respond to and recover from such attacks. Effective BCM, based on international best-practice standards such as ISO 22301, can protect organisations from widespread business disruption in the event of a cyber attack, industrial action, natural disaster and more.
ISO 22301 – the international business continuity standard
The international standard ISO 22301:2012 provides a best-practice framework for implementing an optimised BCMS (business continuity management system), enabling you to minimise business disruption and continue operating in the event of an incident. An ISO 22301-aligned BCMS will include disaster recovery and business continuity plans to help your organisation recover critical operations as quickly as possible.
How BCM can meet regulatory requirements
A growing body of legislation also requires organisations in essential areas to demonstrate a degree of organisational resilience; implementing effective business continuity measurements would be a good start. The UK Companies Act 2006 requires directors to “exercise reasonable care, skill and diligence” when performing their duties, which includes mitigating risks to the organisation.
Organisations offering essential services need to implement incident response capabilities in line with the requirements of the Network and Information Systems Regulations 2018 (NIS Regulations). Digital service providers (DSPs) within scope have the explicit requirement to put business continuity measures in place. Although not an explicit requirement for operators of essential services (OES), we strongly encourage them to consider implementing BCM measures; such measures would provide a well-defined structure for building incident response measures and effectively managing business interruptions.
Find out how BCM can help you comply with the NIS Regulations >>
The BCM lifecycle
Effective BCM involves:
- Identifying critical activities;
- Performing a business impact analysis (BIA);
- Performing a risk assessment;
- Designing and implementing a business continuity plan (BCP);
- Testing and evaluating performance; and
- Putting a continual improvement process in place.
Find out how to write a BCM policy for your organisation >>
Business continuity planning
Business continuity planning involves the processes and procedures for developing, testing and improving the BCP, which will enable an organisation to continue operating during a disaster and quickly return to the status quo. The BCP can be considered the ‘heart’ of a BCMS; best practice for forming the plan is set out in ISO 22301.
Find out how to create a business continuity plan >>
Disaster recovery planning
Disaster recovery planning prioritises fully recovering and returning to full functionality in the event of an incident, whereas BCM focuses on preserving an organisation’s ability to function. Having said that, there is still a clear overlap, and disaster recovery does fit within an organisation’s business continuity framework.
Disaster recovery plans are often relatively technical and focus on the recovery of specific operations, functions, sites, services or applications. The BCP might contain or refer to a number of disaster recovery plans.
Let’s get started on your BCM project
Let us share our expertise and support you on your journey to ISO 22301 compliance. Browse our range of best selling product, services and simple solutions.