Misunderstood Business Continuity Concepts
Often, Business Continuity Management (BCM) professionals are criticized for promising more than they can deliver. This is especially true when they are subjected to a BCMS certification audit. This happened to me when I first encountered my BS 25999 and SS 540 BCMS certification audit. It is worthwhile to take the time to clarify two frequently misunderstood BCM concepts, namely Business Continuity Management System (BCMS) and BCM Implementation and Arrangement (or BC Planning). A key requirement is to understand the difference between BCP and BCM systems. It may sound like a subtle difference but it is not, and it is well worth investing time in understanding the distinction.
What is BCMS?
Based on the definition of BCM, BCMS is the extension of BCM and it is a holistic management system which encompasses the development of the policies, processes and procedures to safeguard the organization, its people, business processes and infrastructure. It refers to the way in which BCM is conducted in your organization and provides a management framework which gives you the necessary controls to address risks and monitor and measure your organization’s ability to manage and recover from disruptions.
Generally, a BCMS operates like any other management system, with one of the major components being the Plan, Do, Check, Act (PDCA) methodology. This BCMS PDCA approach utilizes BCM requirements and expectations of stakeholders as inputs and, through the methodology, derives the risk management outcomes.
Another aspect of the PDCA methodology in a BCMS is the continual improvement of an organization’s BCM framework and structure, thus increasing its resiliency in the face of an incident, crisis or a disaster. This continual improvement aspect should be one of the immutable objectives of the organization. It calls for regular training and awareness of the organization’s existing BCM framework, as well as the establishment of BC goals and measures to govern and track the progress and extent of the improvement.
Hence, the PDCA, together with its continual improvement aspect, portrays the BCMS as an ongoing system. This continuity will enable BCM to become embedded in an organization’s culture, including its core values, which will not only meet but exceed the expectations of stakeholders and interested parties in the ability of the organization to cope with disruptions. With increased stakeholder confidence, continual improvement will occur and this cycle will continue as long as the PDCA methodology is in place. This also allows for any evolution of the BCMS.
What is BCM Implementation and Arrangement?
The BCM Implementation and Arrangement (or BC Planning) focuses on the planning process to implement the BC plan and its arrangement. The Business Continuity Plan (BC Plan) is a set of clearly defined and documented procedures and information for use when a disaster occurs. This differs from the BC Plan Implementation, which is the actualization of business continuity procedures and processes in the BCMS.
It is a set of specific business continuity procedures in the BCM Planning Methodology:
- Project Management
- Risk Analysis and Review
- Business Impact Analysis
- Recovery Strategy
- Plan Development
- Testing and Exercising
- Programme Management
These procedures are the core elements in BCM, especially in identifying the potential threats to an organization. There may be certain add-ons to this set of procedures, for example, the Crisis Management Plan, BC Pandemic Flu Plan and the Emergency Response Plan.
This is an example of how a BCMS differs from a BCM Implementation and Arrangement. Implementing the BC Plan is similar to going through a BCM Institute’s BCM-5000: Implementing and Managing BCM course. In other words, a more theoretical approach is taken as one will have to go through each phase of the BCM planning methodology, gather the appropriate information in individual templates, and then generate a report at the end of each phase. Like the BCM-5000 course, an understanding of BCM terms and concepts is required.
However, a BCMS adopts a more hands-on approach because it is a culture; an ongoing process to bring about certain improvements within the organization. To achieve this continual improvement, reviews and maintenance of the BCMS have to be done on a regular basis, which is one of the main difficulties of the BCMS. This is explained in detail in the previous articles, “Achieving BCMS Certification”, on the expectations of undergoing BCM certification.
It is Not About Planning for Every Possible Incident, Emergency, Event, Crisis and Disaster
BCM is not about everything that could cause an organization to fail. There is a need to be clear on the exact requirement for BCM via the rigorous completion of the Risk Analysis and Review (identification and management of the risks and threats) and the Business Impact Analysis (identification of the critical business functions) phases.