Flooding, hacker attacks or pandemic-related lockdowns all pose an existential threat to businesses and organisations, sometimes in the blink of an eye. The coronavirus pandemic has brought this painful reality home to many companies in the UK and all around the world. As a result, the demand for business continuity management to prevent business losses is greater than ever. But what is business continuity management in the first place and how can it benefit you? Read on to learn more.
The facts in a nutshell
- Business continuity management is defined as the action an organisation takes in advance to maintain its business activities in the event of a disruptive incident.
- Crises that might disrupt business activities range from natural hazards such as hurricanes or earthquakes and unforeseen events such as global pandemics, through technical failures such as power loss, to the whole spectrum of cyber security incidents.
- An effective BCM program develops security measures and contingency plans that allow you to react to the specific security threats and risks your company faces.
- The PDCA cycle (plan, do, check, act) is a highly effective approach for creating, implementing and maintaining a BCM program.
- While a BCM program is not a must for most businesses, anticipating threats and analysing risks is a benefit to all.
In this article
- What is business continuity management (BCM) and how does it work?
- Which businesses need a BCM program and why?
- What risks and threats does a BCM program address?
- Who is in charge of creating and maintaining a BCM program?
- Is there a difference between a business continuity plan and business continuity management?
- How does business continuity management differ from incident management?
- Are BCM and risk management the same thing?
- What criteria should a good BCM program meet?
- What are the benefits of business continuity management?
- What will business continuity management look like in the future?
What is Business Continuity Management (BCM)?
The goal of business continuity management is ensuring that a business can continue to deliver goods and services in crisis situations. Depending on your business, this ability may be threatened by a variety of events ranging from power outages caused by natural catastrophes through to cybercrime and IT failures. A business continuity program identifies potential threats and develops preventative strategies, processes, and measures to ensure a business or organisation can maintain normal business operations in an emergency or recover in the shortest possible time.
How does business continuity management work?
The so-called PDCA cycle – which stands for plan, do, check, act – is fundamental to BCM concepts.
The four stages of the PDCA cycle:
1. Plan – Identify the threats your business faces, decide how to prevent them and define what should happen in an emergency. In a management system standard such as ISO 22301 this is where the BCMS is established: scope, business impact analysis, risk assessment and the resulting contingency plans. The plans for action developed in this phase must be thoroughly understood by all involved parties. This is the only way to guarantee that everyone in your company knows what to do, for example when the fire alarm sounds.
2. Do – Implement and operate what you planned: put the measures in place, train staff and, when a disruption occurs, run the contingency plans. Those in charge follow the plans for action developed in Phase 1 to keep the business running, for example by restoring lost data from a backup.
3. Check – Monitor and review whether the plans actually work. This includes regular exercises and tests and, after a crisis has been managed, a post-incident review in which your company's BCM officer evaluates the incident and, for cyber incidents, has a forensic analysis carried out to establish the root cause.
4. Act – Last but not least, draw conclusions from the review before returning to normal business operations. Should the next PDCA cycle include new measures and improvements to be implemented in Phase 1? Or is the likelihood of this particular threat recurring so low that no adjustments to your business continuity management program are necessary? Either way, record the decision so that the next review can check it.
Which businesses need a BCM program and why?
The answer is that no business technically needs a BCM – and that every business should have one. Let’s explain this apparent contradiction. In general, a BCM program will benefit any company regardless of its size or industry. After all, events that compromise business continuity can jeopardise the existence of each and every business. That’s why it is so crucial to identify potential threats as early as possible in order to counteract them, no matter the size or industry you operate in. Business continuity management will allow you to do just that.
In order to effectively minimise risks, BCM concepts always assume the worst-case scenario to allow you to prepare for extreme situations. Outside regulated sectors, BCM is generally not a legal requirement. It is, however, a prerequisite for certain certifications: ISO 22301 certifies the business continuity management system itself, and ISO 27001 (information security) requires controls for information security continuity and ICT readiness for business continuity. ISO 9001 (quality management) does not mandate a BCM program, although its risk-based thinking points in the same direction.
What risks and threats does a BCM program address?
There are really no limitations here. BCM can focus on any and all risks that might endanger your company’s business continuity. The possible causes range from pandemics, natural hazards such as floods, earthquakes, fires, storms and volcanic eruptions, technical failures such as power cuts and Internet blackouts through to all imaginable cyber incidents – from data loss via ransomware attacks to spontaneous server failure.
Good to know: According to an international survey conducted by Allianz*, cyber risks such as IT failure, data breaches, and the theft of personal data rank at 39 per cent as the top risk for businesses worldwide.
* Allianz Risk Barometer — Identifying The Major Business Risks for 2020
Who is in charge of creating and maintaining a BCM program?
In larger companies and corporations, responsibility for creating the BCM system usually sits with a dedicated business continuity manager or with the Chief Information Security Officer (CISO), backed by board-level sponsorship. Whoever owns it should set up a team of BCM experts and risk managers to head up the BCM program. But BCM can only be successful if everyone in your company knows the concrete BCM measures and regularly runs practice drills.
Is there a difference between a business continuity plan and business continuity management?
The difference is the depth of detail. Ideally, every company will have worked out contingency plans for all imaginable disruptions to normal business operations. It is the entirety of these plans along with the establishment of related processes and measures that make up a business-specific BCM program that addresses a company’s individual risk and threat profile. For instance, a company housed in a building situated in an area prone to flooding, such as in a valley basin or near a river, will need to develop a much more extensive high-water plan than one whose headquarters are located on higher ground.
How does business continuity management differ from incident management?
Incident management deals with individual disruptive events as they occur; in the IT security context this means security events and security incidents. An example of a security event would be a failed login attempt on the company network due to an incorrect password. Events of this kind must be evaluated. Was it a harmless typing error made by an authorised employee? Or were there many failed attempts against one or more accounts from the same source in a short time, in other words a brute-force attack? If it turns out to have been the latter, the event is elevated to a security incident that needs to be handled by your incident management process. A security incident becomes relevant to the BCM program only once it threatens the continuity of operations, for instance when a compromised account is used to deploy ransomware across your systems.
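The event-to-incident escalation described above, as an added example that is not part of the original article: a small detector reads constructed, syslog-like login records, treats every failed login as a security event, and raises an incident for a source only when its failures cross a threshold within a time window. It further distinguishes a brute-force attack on one account from password spraying across many accounts. The log format, the thresholds and the sample lines are assumptions chosen for illustration.

```python
"""Escalate failed-login events to a security incident when they look like an
attack rather than a typo. Added example; log format and thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record format (constructed for this example, not a real product's format):
# <ISO-8601 timestamp> auth <LOGIN_FAILED|LOGIN_OK> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Detection parameters (assumptions; tune to your own environment).
FAILURE_THRESHOLD = 5           # failures from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window raise an incident
SPRAY_USER_THRESHOLD = 3        # distinct usernames in the window => password spraying

# Constructed sample log: alice mistypes once, 203.0.113.7 hammers "admin",
# 198.51.100.9 tries one password against many accounts, plus one garbage line.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T09:00:09Z auth LOGIN_OK user=alice src=10.0.0.5
2024-03-01T09:15:00Z auth LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01T09:15:02Z auth LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01T09:15:04Z auth LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01T09:15:06Z auth LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01T09:15:08Z auth LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01T09:15:10Z auth LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01T09:40:00Z auth LOGIN_FAILED user=bob src=198.51.100.9
2024-03-01T09:40:30Z auth LOGIN_FAILED user=carol src=198.51.100.9
2024-03-01T09:41:00Z auth LOGIN_FAILED user=dave src=198.51.100.9
2024-03-01T09:41:30Z auth LOGIN_FAILED user=erin src=198.51.100.9
2024-03-01T09:42:00Z auth LOGIN_FAILED user=frank src=198.51.100.9
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # a real pipeline should at least count unparseable lines
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def classify(lines):
    """Return (events, incidents).

    events:    every failed login, recorded as a plain security event.
    incidents: one entry per source whose failures within WINDOW reach
               FAILURE_THRESHOLD, raised at the first crossing only.
    """
    events, incidents = [], []
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures in window
    already_raised = set()

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "LOGIN_FAILED":
            continue              # successful logins are not events here
        events.append(rec)

        window = recent[rec["src"]]
        window.append((rec["ts"], rec["user"]))
        while window and rec["ts"] - window[0][0] > WINDOW:
            window.popleft()      # forget failures older than WINDOW

        if rec["src"] in already_raised or len(window) < FAILURE_THRESHOLD:
            continue
        users = sorted({u for _, u in window})
        kind = "password_spraying" if len(users) >= SPRAY_USER_THRESHOLD else "brute_force"
        incidents.append({"src": rec["src"], "kind": kind, "failures": len(window),
                          "users": users, "first_seen": window[0][0], "last_seen": rec["ts"]})
        already_raised.add(rec["src"])
    return events, incidents


if __name__ == "__main__":
    evts, incs = classify(SAMPLE_LOG.splitlines())
    print(f"{len(evts)} failed-login events, {len(incs)} incidents")
    for inc in incs:
        print(f"  {inc['src']}: {inc['kind']} ({inc['failures']} failures, users={inc['users']})")
```

The single failure from 10.0.0.5 stays an event, while 203.0.113.7 is escalated at its fifth failure against admin and 198.51.100.9 at its fifth failure across five different accounts. Sliding the window per source rather than counting globally keeps a slow trickle of genuine typos from triggering, and raising once per source keeps the incident queue from being flooded by the attack itself.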
Are BCM and risk management the same thing?
Risk management forms the foundation of the business continuity management concept. The aim and object of risk management is to identify the risks a company faces, to determine how likely they are to occur and to analyse their potential impact. Business continuity management builds on the answers to these questions to develop and establish plans and measures that will allow your company to maintain business operations if it comes to the worst.
Learn more about risk management in our blog article 'Conducting ISO 27001 risk assessment in 7 steps'.
What criteria should a good BCM program meet?
A quality BCM program is one that addresses all the potential risks and threats your company faces, leaving none out. There are no legally binding criteria for a BCM program, but ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). Other well-known ISO standards for quality management (ISO 9001) and information security (ISO 27001) also give points of reference and best-practice guidelines. All of these standards focus on protecting the business and keeping it functional, which means keeping people, processes and data available.
The central criterion for a quality BCM program is that it keeps a watchful eye on every possible risk. Prescribing a one-size-fits-all BCM program that balances both aspects successfully – vigilance and exhaustive risk identification – is practically impossible. Business continuity management is company-specific and requires risk assessment and analysis. This makes BCM a unique challenge for every company to face.
What are the benefits of business continuity management?
Business continuity management minimises the likelihood that, due to an unexpected incident, a business will have to discontinue business operations and ultimately declare bankruptcy. In short: BCM is a means of insurance against the worst case. One knock-on effect of BCM is that it promotes a new degree of risk awareness throughout your company. Contingency plans and regular drills will sensitise your team members to potential threats, thus making your company more resilient overall.
What will business continuity management look like in the future?
It will come as no surprise that digitalisation is by far the greatest driver of change when it comes to business continuity management, and not only as it relates to cyber incidents.
Take cloud storage for example: A company that forgoes storing its business data on an in-house physical server in favour of a cloud storage solution no longer needs to worry about data loss in the event of water damage in its own building. But: The risk of data loss has not been eliminated; it has only been displaced to your cloud provider. Ideally, your cloud provider will be better able to manage the risk, but it will never fully disappear, and it remains your job to check what the provider actually guarantees (backups, redundancy, recovery times) and to keep your own copies of critical data. Moreover, the forward march of digitalisation itself gives rise to entirely new risks. The more digitalised your company is, the more exposed you are to cybercrime, and in this day and age a business running without a working Internet connection and reliable power is simply unthinkable.
Do you still have questions? Feel free to reach out to one of our experts.