Unsure about implementing a BCMS? Here are a few things you should know

Business continuity is more important than ever. Security incidents are so widespread that it’s impossible to prevent them all, and sooner or later disaster will strike. When that time comes, you’ll need a system in place to limit the damage and ensure that mission-critical functions continue to operate, or are restored within an acceptable time.

Although most organisations are starting to recognise the importance of such measures, some remain apprehensive about implementing a business continuity management system (BCMS). If they’ve never been subject to a cyber attack or other disruption, they might assume that the chances of it happening are slim and that, therefore, a BCMS is an unnecessary expense.

Alternatively, they might overrate their ability to prevent incidents. Senior staff often fall into an ‘all or nothing’ approach to cyber security, dedicating most of their resources to prevention and little to recovery. Defences are certainly important, but no one should rely on them being effective in every instance.

Investing in your future

A BCMS is essentially a form of insurance; you are preparing for a scenario that you hope never occurs. You’ll spend a lot of money and might wonder if it’s worth it, but when disaster strikes (and it will), you’ll not only breathe a huge sigh of relief – you might also have prevented your organisation from going out of business.

Ponemon Institute’s 2017 Cost of Data Breach Study: Impact of Business Continuity Management found that, on average, a BCMS helps save organisations £500,000 per incident. This saving is largely because of the speed with which organisations can recover. The report found that a BCMS saves organisations 43 days in identifying a breach, and 35 days in containing it.

The report also quantifies other major benefits of implementing a BCMS. For example, the likelihood of a further data breach was roughly eight percentage points lower for organisations with a BCMS (23.9% compared to 31.8%), and they mitigated the negative impact of a breach better, with reputational damage reported 10% less often.

There is also evidence that organisations keep investing in their BCMS the longer they have one, which suggests it becomes more comprehensive and effective over time. The Business Continuity Institute’s Horizon Scan Report 2018 found that 86% of organisations that have had a BCMS for more than five years intended to maintain or increase their investment levels in 2018. By contrast, only 71% of organisations that have had a BCMS for less than five years said they would do the same.

It might sound like a BCMS is a financial black hole, but this overlooks what makes it effective. The additional spending is a result of identifying new areas that a BCMS could help with. For example, an organisation might expand the number of threats its system covers or add processes to improve remediation. This means that, the more comprehensive it becomes, the more helpful it is and the higher the organisation’s return on investment.

Giving customers what they want

If you ask customers and clients what they want most from your organisation, few would explicitly say “a BCMS”, but most would rank its benefits (i.e. a service that keeps running, or recovers quickly, when something goes wrong) very highly.

By implementing a BCMS, you can tackle this expectation head-on and demonstrate to customers that your organisation can continue to operate in the face of major disruption.

Implementing a BCMS in line with the requirements of ISO 22301, the international standard that specifies what a BCMS must contain, brings additional benefits. Certification to the Standard demonstrates to an independent, accredited auditor that your system meets those requirements, gives you a competitive advantage and helps you comply with the EU General Data Protection Regulation (GDPR) and other laws. (Article 32(1)(c) of the GDPR, for instance, requires the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident.)

To find out how you can implement an ISO 22301-compliant BCMS, take a look at our free green paper: Business Continuity Management – The nine-step approach. It explains:

  • How to implement a BCMS;
  • The issues you need to consider;
  • The roles that your employees will play; and
  • How to measure, monitor and review your BCMS.