Business Continuity Management System (BCMS) Vs BCM Arrangement
Often, when we discuss the implementation of business continuity, we must first establish the end point: is the organization pursuing certification of its Business Continuity Management System (BCMS), e.g. ISO 22301, or is it running a “traditional BC project plan” to equip the organization with a BC plan and readiness for disruptions? Before we consider whether we are referring to a project or to organization certification, it is worthwhile to take time to clarify two frequently misunderstood BCM concepts, namely BCMS and BCM Implementation and Arrangement.
A key requirement is to understand the difference between BCM arrangements and BCM systems. It may sound like a subtle difference but it is not, and it is well worth investing time in understanding the distinction.
BCMS is a holistic management system which encompasses the development of policies, processes and procedures to safeguard the organization, its people, business processes and infrastructure. It refers to the way in which BCM is conducted in your organization and provides a management framework which gives you the necessary controls to address risks and monitor and measure your organization’s ability to manage and recover from disruptions.
A BCMS operates like any other management system, with one of the major components being the Plan, Do, Check, Act (PDCA) methodology. This BCMS PDCA approach utilizes BCM requirements and expectations of stakeholders as inputs and, through the methodology, derives the risk management outcomes.
Another aspect of the PDCA methodology in a BCMS is the continual improvement of an organization’s BCM framework and structure, thus increasing its resiliency in the face of an incident, crisis or disaster. This continual improvement aspect should be one of the immutable objectives of the organization. It calls for regular training in and awareness of the organization’s existing BCM framework, as well as the establishment of BC goals and measures to govern and track the progress and extent of the improvement.
Hence, the PDCA, together with its continual improvement aspect, portrays the BCMS as an ongoing system. This continuity will enable BCM to become embedded in an organization’s culture, including its core values, which will not only meet but exceed the expectations of stakeholders and interested parties in the ability of the organization to cope with disruptions. With increased stakeholder confidence, continual improvement will occur and this cycle will continue as long as the PDCA methodology is in place. This also allows for any evolution of the BCMS.
BCM Planning Methodology
The Business Continuity Plan (BC Plan) is a set of clearly defined and documented procedures and information for use when a disaster occurs. This differs from the BC Plan Implementation, which is the actualization of business continuity procedures and processes in the BCMS.
The BCM Planning Methodology consists of a set of specific business continuity procedures:
- Project Management
- Risk Analysis and Review
- Business Impact Analysis
- Recovery Strategy
- Plan Development
- Testing and Exercising
- Programme Management
These procedures are the core elements in BCM, especially in identifying the potential threats to an organization. There may be certain add-ons to this set of procedures, for example, the BC Pandemic Flu Plan and the Emergency Response Plan.
This is an example of how a BCMS differs from a BCM Implementation and Arrangement. Implementing the BC Plan is similar to going through the BCM-5000 Managing and Implementing BCM course by BCM Institute. In other words, a more theoretical approach is taken, as one will have to go through each phase of the planning methodology, gather the appropriate information in individual templates, and then generate a report at the end of each phase. As with the BCM-5000 course, an understanding of BCM terms and concepts is required.
However, a BCMS adopts a more hands-on approach because it is a culture: an ongoing process to bring about certain improvements within the organization. To achieve this, continual improvement, reviews and maintenance of the BCMS have to be done on a regular basis, and these are the main difficulties of the BCMS. This will be explained in detail in the next section, which touches on the expectations of undergoing BCM certification.
ISO 22313 Societal security — Business continuity management systems — Guidance (Draft)
BCM-5000: Implementing and Managing BCM http://www.bcm-institute.org/bcmi10/en/business-continuity-course/bcm-5000-implementing-and-managing-bcm