Business Continuity Management (BCM) outlines the minimum requirements needed to keep vital functions operating during an emergency or shutdown, to allow an organization to weather unexpected storms.
BCM identifies risks, threats and vulnerabilities that could impact an organization’s continued operations and provides a framework for building resilience and effective response capabilities. It improves an organization’s resilience by identifying key products and services and the most urgent activities that underpin them, and by devising plans and strategies that will enable the continuation of business operations.
Released in May 2012, ISO 22301 provides a framework for policy and program management, ongoing monitoring and reporting, and routine governance tasks. ISO 22301:2012 specifies requirements for the development and continual improvement of a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents.
The requirements specified in ISO 22301:2012 are generic and applicable to all organizations, regardless of type, size and nature. The extent of application of these requirements depends on the organization’s operating environment and complexity.
Preparing for the worst
“BCM identifies an organization’s exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization while maintaining its competitive advantage and value system,” explains Steve Simmonds, subject matter expert at IsoMetrix.
The business continuity plan describes how to continue operations if an organization is affected by different levels of disaster, ranging from localized short-term disruptions to the permanent loss of a building. The plan details how the business would recover its operations, or move operations to a different location, after damage by events such as natural disasters, flooding, fire, or theft.
There are six distinct professional practices in the BCM Life Cycle, as referenced in the Business Continuity Institute (BCI) Good Practice Guidelines, that are aligned with the requirements of the ISO 22301 standard:
- Policy and Programme Management – Defining governance of the BCM program and implementing it.
- Embedding Business Continuity – Developing employee skills and competence through training and awareness programs.
- Analysis – Developing and carrying out Business Impact Analysis and mitigating threats.
- Design – Developing continuity and recovery strategies and tactics, including incident/crisis response.
- Implementation – Developing and implementing the plan and communicating it.
- Validation – Developing and implementing exercise programs and reviewing the BCM program.
The ideal Business Continuity Management Solution
Steve explains: “In the development of the ideal Business Continuity Management Solution, the six professional practices and ISO 22301:2012 should be taken into consideration and the functionality of the software designed in such a way that it provides a balanced return on investment without sacrificing discipline over automation and vice versa.”
The following modules make up a complete Business Continuity Management Solution offering:
- Strategy, Objectives, and Targets Module: assists management in defining the business strategy and its associated objectives and targets, which can be translated into measurable key performance indicators (KPIs). From a BCM perspective, this module can be used for defining and managing the governance of the BCM program and allocating the roles, responsibilities and actions required for its implementation. It can also be used for carrying out benchmarking activities.
- Document Management Module: provides the ability to manage and control all documentation comprising the management system including the compilation, development, and updating of business continuity plans. Plans can have virtual battle boxes where any documentation can be stored in any format for recall during incidents.
- Business Impact Analysis (BIA) Module: used to identify the different types of business impacts and their associated activities to determine where any threats to the business may exist.
- Risk Assessment Module: provides an important link to the BIA Module by analyzing the threats identified and rating them, so that risk mitigation measures can be put in place where possible, and reported on, to reduce the likelihood or impact to the business to an acceptable level.
- Tests and Exercises Module: allows for the development of performance metrics, conducting pre- and post-exercise briefings, recording the results, and reporting on and recommending the next actions required.
- Incident / Crisis Management Response Module: assists in managing responses, recovery and restoration actions for the crisis, incident or situation that has occurred. It also provides for post-mortem reviews of the crisis or incident for regulatory training, reporting and business continuity management (BCM) process improvement efforts.
- Stakeholder Management Module: manages relationships with all organization stakeholders (internal and external). Business Continuity Teams can also be managed in this module.
- Internal Audit Module: provides the capability for developing compliance and/or internal audit requirements. Requirements can be tracked for compliance, and findings captured in the module along with recommendations regarding the next actions required.
- Meeting Manager: can be used for carrying out post incident reviews as well as any number of other Meetings that are held within the business.
- Assessments/Inspections Module: is very useful for carrying out qualitative and quantitative questionnaires and assessments to assist in raising awareness of business continuity within the wider business.
- Training Module: can be used for scheduling training, capturing training records, and planning refresher or retraining where required, including for business continuity personnel.