Unit 3. Business Continuity Management System

What is BCMS?

A business continuity management system is the set of organized practices that promotes and maintains all activities necessary to ensure the continued delivery of an organization’s products or services.

ISO 22301: 2019 is the main international standard that sets out the requirements for a sufficiently functional BCMS, but there are many methodologies on the market that illustrate how to implement one in your organization.

ISO 22313: 2020 elaborates on the content of ISO 22301, but here below you see the general steps for implementation.

Setting Everything Up

Every BCMS needs to receive adequate support and resources to be effective. Only the organization’s top management can ensure that this is the case, both initially and throughout the years.

Accordingly, top management must make sure that there is no doubt about the answer to the following four questions:

1. What is the BCMS’s scope?

2.Who is in charge of the BCMS?

3. What are its strategic and operational objectives?

4. Is the organizational culture ready to accept the BCMS?

BCMS Policy vs BCMS Programme:
What’s the Difference?

Many organizations confuse the organization’s BCMS Policy with its BCMS Programme. Indeed, it is quite common that organizations define a document that, properly understood, is its BCMS Programme but call it their BCMS Policy.
In reality, the two documents are very different.

“If you don’t know where you are going,
you’ll end up someplace else.” – Yogi Berra

Getting Everybody On Board

Once the BCMS is adequately sourced and promoted, efforts need to be undertaken to ensure that the organization’s culture and people are ready to absorb and maintain the new management system.

The key goals of this phase are:

1.Ensuring that everyone is speaking a common operational language

2.Developing 360° awareness of staff’s BCMS roles

3.Embedding business continuity in daily activities

There are many ways to do so.

Embedding business continuity into an organization is a continuous effort. Like any other management practice, it needs to be maintained regularly. 

If it is properly maintained, there are several long-term corollary benefits that business continuity can bring to the organization. 

To Sum Up

During the analysis phase, the organization conducts what is called a business impact analysis (or BIA) to determine:

1.The organization’s critical processes

2.Its recovery priorities (among critical processes, which are more critical than others?)

3.Its continuity resource requirements, meaning the necessary tools and assets needed to continue process output at minimum acceptable levels after a disruption

During the BIA, subjective opinions must not be taken into consideration in order to make the results as objective and comparable as possible.

How can I quantify a process’s
level of criticality?

The BIA has to be as objective as possible. This requires that, especially for levels of criticality, there be a quantifiable criterion that allows the organization to distinguish between critical and non-critical processes, as well as between more and less critical processes.

This criterion is often known as an RTO, or recovery time objective. The criticality of a process is defined as the amount of time that the organization can tolerate its disruption in a worst-case scenario before impacts on the organization become unacceptable.

The organization can therefore define what constitutes acceptable and unacceptable impacts and timeframes («impact thresholds») and, consequently, derive an RTO scale that can be applied during the analysis.

How to perform the BIA

Every organization will have their unique way of conducting a business impact analysis, but most organizations start by showing the impact thresholds to a process owner and asking: if you were unable to complete your regular activities in a worst-case scenario (such as in times of peak business) for an extended period of time, what would be the impacts on the organization? 

It’s important to help the process-owner along their evaluation by keeping the following tips in mind: 

1.Do not consider the probability of disruption

2.Do not consider currently active continuity strategies/tactics

3.Do not consider currently active recovery plans

The process owner must evaluate the «gross» impact on the organization, both to evaluate the effectiveness of existing strategies/tactics/plans and to ensure that truly critical processes – the ones who tend to be already safeguarded – are given the appropriate priority.  

After the BIA, the CRA: Continuity Requirements Analysis

After achieving a good understanding of an organization’s critical processes, the next step is performing the continuity requirements analysis (CRA). The organization needs to understand what each critical process needs to operate so, when the time comes, effective strategies can be deployed to make sure that those resources are available in the face of an incident or disruption.

The following are common continuity requirements that process owners need to detail during the analysis phase.

Finally, the Threat Assessment

The last analysis activity that the organization needs to perform is a threat assessment to identify single points of failure and unacceptable levels of risk inherent to its critical processes.

Finding Out What’s What (Step by Step)

How to Get From Point A to Point B

The analysis provides the information. The design phase is where the organization attempts to «design» strategies and solutions to make sure that:

1.Recovery priorities are met

2.Threats and vulnerabilities are mitigated

3.Resource requirements are deployable

To do so, the organization must compare its objectives with its available resources to ensure that any approved measure is realistic, effective, and does not conflict with other existing or proposed strategies. 

The strategies and solutions an organization will design and select, in most cases, will be coherent with the recovery priorities identified in the analysis.

Specifically, it is important that confirmed RTOs be realistic – and there are various strategies to ensure that they are so. 

Plans, plans, and nothing but plans

Once the organization has identified its business continuity strategies and tactics, it must set out their exact implementation in business continuity plans (BCPs).

Successful BCPs have several qualities in common:

1.They are concise, adaptable, and relevant

2.They are practical documents, made to be used, not just read

3.They are constantly updated and tested

An organization’s BCPs should be scenario independent, not focusing on fixing the cause of a business disruption, but rather on making sure that the organization is ready to react to:

•Loss of site

•Loss of personnel

•Loss of IT/technology

•Loss of supplier/supply

Testing Everything to See If It Works

The last step of an effective BCMS is the validation phase, where the organization needs to «stress test» its business continuity management structures and see where they are effective and where they can be improved. 

Business continuity is a continuous improvement cycle. Lessons are learned every year, every cycle, and their takeaways must be incorporated iteratively. 

It is not essential to get everything right the first time. Nor is it a good thing. «An exercise that finds no faults is a perfect failure.» There are always improveable areas, and if an organization’s exercises are not identifying them, it means that the exercises themselves are not effective.