Unit 3. Business Continuity Management System

What is BCMS?

A business continuity management system is the set of organized practices that promotes and maintains all activities necessary to ensure the continued delivery of an organization’s products or services.

ISO 22301:2019 is the main international standard that sets out the requirements for a functional BCMS, but many methodologies on the market illustrate how to implement one in your organization.

ISO 22313:2020 elaborates on the content of ISO 22301; the general implementation steps shown below are those conceptualized by the Business Continuity Institute.

Causes of ripple effect

Every BCMS needs to receive adequate support and resources to be effective. Only the organization’s top management can ensure that this is the case, both initially and throughout the years.

Accordingly, top management must make sure that there is no doubt about the answer to the following four questions:

1. What is the BCMS’s scope?

2. Who is in charge of the BCMS?

3. What are its strategic and operational objectives?

4. Is the organizational culture ready to accept the BCMS?

BCMS Policy vs BCMS Programme:
What’s the Difference?

Many organizations confuse the organization’s BCMS Policy with its BCMS Programme. Indeed, it is quite common for an organization to draw up a document that, properly understood, is its BCMS Programme but to call it its BCMS Policy.
In reality, the two documents are very different.

“If you don’t know where you are going,
you’ll end up someplace else.” – Yogi Berra

Getting Everybody Onboard (1/2)

Once the BCMS is adequately sourced and promoted, efforts need to be undertaken to ensure that the organization’s culture and people are ready to absorb and maintain the new management system.

The key goals of this phase are:

1. Ensuring that everyone is speaking a common operational language

2. Developing 360° awareness of staff’s BCMS roles

3. Embedding business continuity in daily activities

There are many ways to do so.

Getting Everybody Onboard (2/2)

Embedding business continuity into an organization is a continuous effort. Like any other management practice, it needs to be maintained regularly. 

If it is properly maintained, there are several long-term corollary benefits that business continuity can bring to the organization. 

Finding Out What’s What

During the analysis phase, the organization conducts what is called a business impact analysis (or BIA) to determine:

1. The organization’s critical processes

2. Its recovery priorities (among critical processes, which are more critical than others?)

3. Its continuity resource requirements, meaning the tools and assets needed to continue process output at minimum acceptable levels after a disruption

During the BIA, judgements must rest on defined criteria rather than on subjective opinion, so that the results are as objective and comparable across processes as possible.

How can I quantify a process’s
level of criticality?

The BIA has to be as objective as possible. This requires that, especially for levels of criticality, there be a quantifiable criterion that allows the organization to distinguish between critical and non-critical processes, as well as between more and less critical processes.

This criterion is usually expressed as an RTO, or recovery time objective. The criticality of a process is defined by the amount of time the organization can tolerate its disruption in a worst-case scenario before the impacts on the organization become unacceptable. (Strictly, ISO 22301 calls that tolerable period the maximum tolerable period of disruption, MTPD; the RTO is the recovery target set at or below it. This unit uses RTO for both.)

The organization can therefore define what constitutes acceptable and unacceptable impacts and timeframes («impact thresholds») and, consequently, derive an RTO scale that can be applied during the analysis.
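The derivation described above, as an added worked example (not code from the unit or from the Business Continuity Institute): the impact scale, the time bands that make up the RTO scale and the process owners’ impact estimates are all constructed for illustration. An impact level of 4 or more is assumed to be the «unacceptable» threshold, and a process’s RTO is the first time band in which any impact category reaches it.

```python
"""Added example: deriving RTOs and recovery priorities from impact thresholds.

Assumptions (constructed, not from the unit): five impact levels, with level 4 or
above "unacceptable"; an RTO scale of five time bands in hours; and the gross,
worst-case impact levels a process owner would estimate for each band, ignoring
probability and any existing strategies or plans, as the BIA tips require.
"""
from __future__ import annotations

from dataclasses import dataclass

UNACCEPTABLE_LEVEL = 4                 # impact threshold on an assumed 1..5 scale
TIME_BANDS_H = (4, 24, 72, 168, 720)   # RTO scale: 4h, 1 day, 3 days, 1 week, 30 days


@dataclass(frozen=True)
class ProcessImpact:
    name: str
    # impact category -> impact level at each time band, same order as TIME_BANDS_H
    impacts: dict[str, tuple[int, ...]]

    def __post_init__(self) -> None:
        for category, levels in self.impacts.items():
            if len(levels) != len(TIME_BANDS_H):
                raise ValueError(f"{self.name}/{category}: need one level per time band")
            if list(levels) != sorted(levels):
                # gross impact can only grow as the outage lasts longer
                raise ValueError(f"{self.name}/{category}: impact must not decrease over time")


def rto_hours(p: ProcessImpact) -> int | None:
    """Earliest band in which any impact category reaches the unacceptable level.

    The process must be recovered within this band. None means the threshold is
    never reached on this scale, i.e. the process is not critical for the BIA.
    """
    for i, band in enumerate(TIME_BANDS_H):
        if any(levels[i] >= UNACCEPTABLE_LEVEL for levels in p.impacts.values()):
            return band
    return None


def recovery_priorities(processes: list[ProcessImpact]) -> list[tuple[str, int | None]]:
    """Critical processes first, shortest RTO first; non-critical processes last."""
    scored = [(p.name, rto_hours(p)) for p in processes]
    return sorted(scored, key=lambda s: (s[1] is None, s[1] or 0, s[0]))


# Constructed process-owner answers: gross impact per time band, worst case
PROCESSES = [
    ProcessImpact("Order processing", {
        "financial": (2, 4, 5, 5, 5),
        "legal":     (1, 2, 3, 4, 5),
    }),
    ProcessImpact("Payroll", {
        "financial":    (1, 2, 3, 4, 5),
        "reputational": (1, 1, 2, 3, 4),
    }),
    ProcessImpact("Internal newsletter", {
        "reputational": (1, 1, 1, 2, 2),
    }),
]

if __name__ == "__main__":
    for name, rto in recovery_priorities(PROCESSES):
        print(f"{name:20s} RTO = {rto if rto is not None else 'n/a (not critical)'}")
```

Two design points are worth noting: the RTO is taken across all impact categories, so a process whose financial impact stays low but whose legal impact becomes unacceptable quickly still gets a short RTO; and the check that impact never decreases over time catches the common interview error of a process owner rating a long outage as less severe than a short one.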

How to perform the BIA

Every organization will have their unique way of conducting a business impact analysis, but most organizations start by showing the impact thresholds to a process owner and asking: if you were unable to complete your regular activities in a worst-case scenario (such as in times of peak business) for an extended period of time, what would be the impacts on the organization? 

It’s important to help the process-owner along their evaluation by keeping the following tips in mind: 

1. Do not consider the probability of disruption

2. Do not consider currently active continuity strategies/tactics

3. Do not consider currently active recovery plans

The process owner must evaluate the «gross» impact on the organization, both to allow the effectiveness of existing strategies/tactics/plans to be evaluated and to ensure that truly critical processes, which tend to be the ones already safeguarded, are given the appropriate priority.

After the BIA, the CRA: Continuity Requirements Analysis

After achieving a good understanding of an organization’s critical processes, the next step is performing the continuity requirements analysis (CRA). The organization needs to understand what each critical process needs to operate so, when the time comes, effective strategies can be deployed to make sure that those resources are available in the face of an incident or disruption.

The following are common continuity requirements that process owners need to detail during the analysis phase.

Finally, the Threat Assessment

The last analysis activity that the organization needs to perform is a threat assessment to identify single points of failure and unacceptable levels of risk inherent to its critical processes.
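The two analysis steps above, CRA and threat assessment, are easier to see together in data. The following is an added example, not code from the unit: it takes constructed CRA answers (each critical process’s resources, tagged with the four standard resource categories and with whether an alternative already exists) together with the BIA’s RTOs, and derives two things a threat assessment needs: how quickly each resource must be available (the shortest RTO of any process that depends on it) and which resources are single points of failure.

```python
"""Added example: turning CRA answers into a single-point-of-failure view.

Assumptions (constructed, not from the unit): two critical processes with the
RTOs below, and the resources their owners listed in the CRA, each tagged with
one of the four standard categories and with whether a workable alternative
is already in place.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

CATEGORIES = {"site", "staff", "technology", "supplier"}


@dataclass(frozen=True)
class Requirement:
    resource: str
    category: str          # site | staff | technology | supplier
    alternative: bool      # True if a substitute is already available

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.resource}: unknown category {self.category!r}")


# Constructed BIA output: process -> RTO in hours
RTO_H = {"Order processing": 24, "Payroll": 168}

# Constructed CRA output: process -> resources needed for minimum acceptable output
CRA = {
    "Order processing": [
        Requirement("ERP system", "technology", alternative=False),
        Requirement("HQ office", "site", alternative=True),   # staff can work remotely
        Requirement("Courier Co", "supplier", alternative=False),
    ],
    "Payroll": [
        Requirement("ERP system", "technology", alternative=False),
        Requirement("Payroll clerk", "staff", alternative=False),
        Requirement("HQ office", "site", alternative=True),
    ],
}


def required_availability(cra: dict[str, list[Requirement]], rto_h: dict[str, int]) -> dict[str, int]:
    """Each resource must be back within the shortest RTO of any process using it."""
    needed: dict[str, int] = {}
    for process, reqs in cra.items():
        for r in reqs:
            needed[r.resource] = min(needed.get(r.resource, rto_h[process]), rto_h[process])
    return needed


def single_points_of_failure(cra: dict[str, list[Requirement]],
                             rto_h: dict[str, int]) -> list[tuple[str, int, list[str]]]:
    """Resources with no alternative, most urgent and most widely shared first.

    Returns (resource, hours within which it must be available, dependent processes).
    """
    dependents: dict[str, list[str]] = defaultdict(list)
    for process, reqs in cra.items():
        for r in reqs:
            if not r.alternative:
                dependents[r.resource].append(process)
    needed = required_availability(cra, rto_h)
    return sorted(
        [(res, needed[res], sorted(procs)) for res, procs in dependents.items()],
        key=lambda t: (t[1], -len(t[2]), t[0]),
    )


if __name__ == "__main__":
    for resource, hours, processes in single_points_of_failure(CRA, RTO_H):
        print(f"{resource:14s} needed within {hours:4d}h  by {', '.join(processes)}")
```

The ordering is deliberate: a resource shared by several critical processes and needed within the shortest RTO (here the ERP system, needed within 24 hours by both processes) is where a single incident does the most damage, so it heads the list that feeds the design phase.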

Finding Out What’s What (Step by Step)

How to Get From Point A to Point B (1/2)

The analysis provides the information. The design phase is where the organization attempts to «design» strategies and solutions to make sure that:

1. Recovery priorities are met

2. Threats and vulnerabilities are mitigated

3. Resource requirements are deployable

To do so, the organization must compare its objectives with its available resources to ensure that any approved measure is realistic, effective, and does not conflict with other existing or proposed strategies. 

How to Get From Point A to Point B (2/2)

The strategies and solutions an organization designs and selects will, in most cases, be consistent with the recovery priorities identified in the analysis.

Specifically, it is important that confirmed RTOs be realistic: a process should not be given an RTO that none of the available strategies can actually deliver. There are various strategies to ensure that they are.
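One way to make the «realistic RTO» check concrete, as an added example that is not code from the unit: for each critical process, compare its confirmed RTO with the recovery time each candidate strategy can deliver, pick the cheapest strategy that meets the RTO, and flag processes for which no option is fast enough, so the owner must either fund a faster strategy or revise the RTO. All processes, RTOs, strategies, times and costs below are constructed.

```python
"""Added example: confirming that RTOs are realistic against available strategies.

Assumptions (constructed, not from the unit): each candidate strategy is
described by the recovery time it can deliver and an annual cost in arbitrary
currency units; the processes and RTOs are invented for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    name: str
    recovery_h: int      # time the strategy needs to restore minimum acceptable output
    annual_cost: int     # assumed currency units per year


def select_strategy(rto_h: int, options: list[Strategy]) -> Strategy | None:
    """Cheapest option that restores output within the RTO, or None if none can."""
    feasible = [s for s in options if s.recovery_h <= rto_h]
    return min(feasible, key=lambda s: (s.annual_cost, s.recovery_h)) if feasible else None


def confirm_rtos(rto_h: dict[str, int], options: dict[str, list[Strategy]]) -> dict[str, dict]:
    """Per process: the chosen strategy, or the fastest recovery time on offer when
    the RTO is unrealistic, so the owner can fund a faster strategy or revise the RTO."""
    result: dict[str, dict] = {}
    for process, rto in rto_h.items():
        chosen = select_strategy(rto, options[process])
        result[process] = {
            "rto_h": rto,
            "strategy": chosen.name if chosen else None,
            "realistic": chosen is not None,
            "fastest_available_h": min(s.recovery_h for s in options[process]),
        }
    return result


# Constructed inputs: RTOs from the BIA and candidate strategies from the design phase
RTO_H = {"Order processing": 24, "Payroll": 168, "Customer support": 4}
OPTIONS = {
    "Order processing": [
        Strategy("Restore ERP from nightly backup at DR site", 48, 20_000),
        Strategy("Warm standby ERP replicated hourly", 8, 90_000),
    ],
    "Payroll": [
        Strategy("Outsourced payroll bureau on retainer", 72, 15_000),
    ],
    "Customer support": [
        Strategy("Divert calls to partner call centre", 24, 10_000),
    ],
}

if __name__ == "__main__":
    for process, row in confirm_rtos(RTO_H, OPTIONS).items():
        if row["realistic"]:
            print(f"{process:18s} RTO {row['rto_h']:4d}h  OK via: {row['strategy']}")
        else:
            print(f"{process:18s} RTO {row['rto_h']:4d}h  UNREALISTIC, fastest option "
                  f"{row['fastest_available_h']}h: fund a faster strategy or revise the RTO")
```

The interesting rows are the ones where the cheap option fails: the nightly backup is not enough for a 24-hour RTO, so the warm standby is selected despite its cost, and customer support’s 4-hour RTO cannot be met by anything on the table, which is exactly the conflict the design phase exists to surface before a plan is written around a number nobody can achieve.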

Plans, plans, and nothing but plans (1/3)

Once the organization has identified its business continuity strategies and tactics, it must set out their exact implementation in business continuity plans (BCPs).

Successful BCPs have several qualities in common:

1. They are concise, adaptable, and relevant

2. They are practical documents, made to be used, not just read

3. They are constantly updated and tested

An organization’s BCPs should be scenario independent, not focusing on fixing the cause of a business disruption, but rather on making sure that the organization is ready to react to:

• Loss of site

• Loss of personnel

• Loss of IT/technology

• Loss of supplier/supply

Plans, plans, and nothing but plans (2/3)

Plans, plans, and nothing but plans (3/3)

Testing Everything to See If It Works (1/2)

The last step of an effective BCMS is the validation phase, where the organization needs to «stress test» its business continuity management structures and see where they are effective and where they can be improved. 

Business continuity is a continuous improvement cycle. Lessons are learned every year, every cycle, and their takeaways must be incorporated iteratively. 

It is not essential to get everything right the first time. Nor is it a good thing. «An exercise that finds no faults is a perfect failure.» There are always areas that can be improved, and if an organization’s exercises are not identifying them, the exercises themselves are not effective.

Testing Everything to See If It Works (2/2)

Practical part

• 2 real-life business examples

• 2 business scenarios

• 2 best practices (global level, related to the topic)

Real life business continuity: Dell Inc.

Real life business continuity:
Evonik Industries

Best practice 1: «Scenario independent plans» (1/2)

«Scenario independence» is a concept that will be most relevant when we talk about business continuity plans, but it is also one of the key advantages of business continuity methodology, as compared to more probabilistic approaches to risk, like risk management.

«Scenario independent» thinking means that the organization plans and implements its business continuity structures to respond to business disruptions without considering their possible causes.

This approach provides two main benefits:

1. It avoids the common impulse to want to fix the cause of the disruption. While this is an important goal, it is only relevant to the organization if the cause is within the organization’s power to fix – which isn’t often the case. Even then, the resilient organization wants to minimize product and service delivery disruptions as much as possible, which can be achieved by focusing on alternative delivery methods while «fixing-the-cause» efforts proceed in parallel.

2. It allows the organization to create effective plans regardless of the nature of the disruption. If all disruptions can cause organizations to lose access to a worksite, to their staff, to their technology assets, or to their supplies/suppliers, and I have plans to continue product and service delivery for each of these four instances, my organization can be said, with four plans, to be able to respond to an almost infinite number of possible circumstances.

Best practice 1: «Scenario independent plans» (2/2)

Scenario independent plans work like this:

They focus on unavailability scenarios, common to any type of disruption. These are the standard scenarios:

• Worksite unavailability
• IT/technology unavailability
• Staff/personnel unavailability
• Supplier/supply unavailability

For each of these scenarios, focus not on fixing the cause of the unavailability (which is often out of your control), but on restoring the output that the lost asset(s) usually contribute.

Since these four scenarios are common to all possible incidents affecting the organization’s business continuity, a single scenario independent plan can contribute significantly to a product or service’s resilience in the face of any number and kind of incidents – a very efficient state of affairs.

Best practice 2: «Professional certification»

Just like any other professional skill, there are professional certifications for business continuity, risk management, and other organizational resilience disciplines.

Much of the perceived difficulty of implementing a business continuity management system or equivalent for other disciplines comes from a lack of a structured and proven methodology – a methodology that is quite easy to learn through available certification courses.

Certification can systematize «scattered» knowledge and provide a reliable method for implementation, but certification can also serve as external proof of reliability and embedded skills/resilience.

Many open and invite-only tenders require candidates to provide evidence of professional skills, and the good news is that business continuity and risk management certifications are comparatively easy to obtain yet widely recognized.

Main takeaways

Implementing a BCMS with the proper methodology can transform a complicated process into a linear effort.

Each project phase improves and flows into the next; correctly executing one, in the proper order, means benefits further along the project. Accordingly:

1. It is useful to follow a predetermined project plan;

2. Each project phase has its own importance; underestimating one because it doesn’t seem important in the moment is NOT a best practice;

3. A BCMS is a great tool for capacity building: by embedding it into daily activities, you can make it «second nature».