The BCM lifecycle: an overview

Earthquake. Flood. Cyber attack. It is impossible to know when disaster might strike, and unforeseen disruptions to your business can occur at any time.

It is essential for businesses to have continuity planning measures that will help them survive and minimise the incident.

Moreover, implementing a business continuity management system (BCMS) as outlined by the international standard ISO 22301 can help you satisfy corporate governance requirements and meet the demands of impending new legislation (such as the NIS Directive and the GDPR) that will mandate incident response measures in the event of a data breach.

What is business continuity management?

Business continuity management (BCM) is defined in ISO 22301:2012 as “an holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities”.

According to best practice outlined in ISO 22301, the BCM lifecycle has five stages:

1) Impact analysis

The impact analysis phase consists of:

  • Business impact analysis (BIA): differentiating between critical (urgent) and non-critical (non-urgent) organisational functions, and determining the recovery requirements for each critical function.
  • Threat and risk analysis (TRA): determining any unique recovery steps that may be required to respond to each potential threat.

In addition, impact scenarios should be considered and documented for each identified threat.

2) Solution design

The solution design phase identifies the most cost-effective disaster recovery solution that meets the main requirements from the impact analysis stage, and determines:

  • Crisis management command structure
  • Secondary work sites
  • Data replication methodology between primary and secondary work sites
  • Applications and data required at the secondary work site

3) Implementation

This stage of the lifecycle concentrates on executing the agreed strategies and tactics through the process of developing a business continuity plan (BCP).

4) Testing and organisational acceptance

The purpose of testing is to make sure it meets the organisation’s requirements.

The 2008 book Exercising for Excellence, published by the British Standards Institution, identified three types of exercises for testing BCPs:

  1. Tabletop exercises: Typically involving a small number of people, tabletop exercises tend to concentrate on a specific aspect of a BCP.
  2. Medium exercises: A medium exercise is conducted within a ‘virtual world’ and typically concentrates on multiple BCP aspects, prompting interaction between teams. Realism may extend to simulated news broadcasts and websites.
  3. Complex exercises: A complex exercise incorporates all the aspects of a medium exercise and aims to have as few boundaries as possible. Exercises might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.

5) Maintenance

Maintenance of a BCP ensures that plans remain aligned with current business practices, and can be broken down into three periodic activities:

  1. Confirmation of information, roll out to staff for awareness and specific training for critical individuals.
  2. Testing and verification of technical solutions established for recovery operations.
  3. Testing and verification of organisational recovery procedures.

Issues identified in the testing phase often need to be reconsidered as part of the impact analysis phase.

Following the BCM lifecycle guarantees your organisation can continue to deliver its key products and services during a disaster, and ensures that it survives thereafter.

Undertaking a BCM project? Check out these resources.

For all business continuity management resources, visit our BCM webshop >>