What is Business Continuity Management (BCM)?
Business continuity management (BCM) is the holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause. It provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (Source: ISO 22301:2012)
Truly effective business continuity management will go beyond organisational boundaries to encompass the supply chain and ensure a key supplier’s failure does not affect your own business in terms of service interruption or reputational damage.
How will it benefit my business?
An effective business continuity management programme will result in many proven business benefits including the ability to:
- Identify and manage current and future threats to your business
- Take a proactive approach to minimising the impact of incidents
- Keep critical functions up and running during times of crisis
- Minimise downtime during incidents and improve recovery times
- Demonstrate resilience to customers, suppliers and for tender requests
Why isn’t Risk Management enough?
Risk management is a complementary discipline to business continuity management (BCM) and in some cases the two can overlap.
Having said that, there is a huge difference in what each discipline achieves. For example, while risk management involves mapping risks into a risk matrix and developing a mitigation plan and strategy for each threat, business continuity goes further. Critical activities are objectively identified, planned for and tested so that when a potential risk identified in the matrix materialises your organisation knows what to do about it. A BCM programme ensures the organisation has tried and tested procedures in place that will keep the business running, from the point the issue is identified through crisis management and successful recovery of affected operations.
In short, business continuity builds upon the foundation of risk management, hugely enhancing your response to incidents and helping to make your organisation resilient.
What is the difference between a Business Continuity plan (BCP) and a Business Continuity Management System (BCMS)?
First of all, a plan is just a piece of paper – if not acted upon it is worthless. That is why people are at the very heart of a business continuity management system (BCMS).
A business continuity plan (BCP) is the first step towards resilience whereas a well-established and certified BCMS is an ongoing management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. Implementing a BCMS is a decision that will affect every single area of the organisation and, as such, requires senior management commitment and support.
I already have Disaster Recovery arrangements in place. Is my business safe?
The short answer is ‘no’. That’s because disaster recovery is the process by which an organisation resumes business after a disruptive event. The event might be something huge – like an earthquake, tsunami or major terrorist attack – or something small and localised like malfunctioning software caused by a computer virus or a power failure.
If you have adequate disaster recovery provision in place and are able to get back to business as usual fairly quickly you are likely to survive without too much lost business, too many customers defecting to competitors and too much harm to your reputation. However, this is not the same as resilience, which means having the ability to withstand potentially disruptive events without any interruption to services in the first place.
Do I have to implement everything in one go?
Obviously, the sooner you are able to implement any business continuity recommendations that have been made, the sooner your business will be protected. However, in the real world budgetary and resource constraints mean it is not always possible to achieve everything in one hit. For this reason, Resilience Guard takes a phased approach, prioritising the work to be done in terms of urgency and available budget.
How much time will I need to implement a full scale Business Continuity Management System (BCMS)?
The timescale will very much depend on the complexity and size of the organisation. Typically, SMEs that do not have a dedicated BCM team but contract professional consultancy support should be in a position to apply for certification within around 12-18 months, while for medium-sized and large international organisations with visible senior management commitment this could extend to 18-24 months.
Is there an international standard for Business Continuity Management (BCM)?
Yes. ISO 22301:2012 – Societal Security – Business Continuity Management Systems – Requirements is the internationally recognised standard and builds on the success of the British Standard BS 25999 and other regional standards. It’s designed to protect organisations from potential disruption. This includes extreme weather, fire, flood, natural disaster, theft, IT outage, staff illness or terrorist attack. The ISO 22301 management system helps organisations identify threats relevant to their business and the critical business functions they could impact. And it allows you to put plans in place ahead of time to ensure the business doesn’t come to a standstill.
Can I get a certification for my Business Continuity Management System?
The publication of ISO 22301 in May 2012 enables organisations to gain an independent seal of approval for their business continuity management system. This shows customers, suppliers, employees, investors and all other stakeholders they can be confident your company can successfully manage incidents and minimise business disruption.
Commercially, it can give your organisation a competitive advantage, demonstrating to your valuable customers that the products and services they rely on will always be available when they need them.
My business is located in a safe country. So why do I need Business Continuity Management?
In today’s interconnected world, there is no such thing as a ‘safe’ country. The threats to your business are many and varied, and only some are geographic risks. Even if you can be absolutely confident that the country in which you’re located has plentiful supplies of energy, skilled workers and reliable infrastructure, there is still the threat of staff shortages, denial of access to your premises, a natural disaster, human error or failure of a key supplier to consider.
In conclusion, while certain areas of risk may be lower than for businesses in high risk countries, you will almost certainly benefit from a business continuity plan that addresses your organisation and country-specific threats.
Isn’t Business Continuity Management something only big companies need to worry about?
The need to be ‘always-on’ is something that’s vital for all businesses, regardless of size or sector. Threats range from hardware failure, power outages and being let down by a key supplier all the way through to major disruptions caused by challenges such as flooding, severe weather and flu pandemics.
We recognise that smaller businesses may not have the money, time and resources to prepare for disruptions, yet the cost of dealing with them when they arise can be significant. It’s never too early in the life of an organisation to build in resilience, robustness and availability. This is far easier to do as the business grows, rather than attempt to retrofit measures later on.
Our consultants are experienced in helping smaller businesses improve their resilience – contact us to arrange an exploratory meeting without any obligation!