Implementing a Business Continuity Management Program

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy – Standards & Guidelines

In many cases the BCM policy and approaches are driven by standardization bodies along with local, regional, industry-imposed requirements. Codes of practice and specifications are defined by relevant international standards such as ISO 27001 – specification for an ISMS, an Information Security, Management System, and ISO 22301 – Societal security – Business Continuity Management Systems Requirements.

ISO 22301 is the leading global standard for Business Continuity Management.

The focus of ISO 22301 is to ensure continuity of business delivery of products and services after occurrence of disruptive events (e.g., natural disasters, man-made disasters, etc.). This is done by finding out business continuity priorities (through business impact analysis), what potential disruptive events can affect business operations (through risk assessment), defining what needs to be done to prevent such events from happening, and then defining how to recover minimal and normal operations in the shortest time possible (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 22301 is based on analyzing impacts and managing risks: find out which activities are more important and which risks can affect them, and then systematically treat those risks. ¹

Said another way, BCM is an: Holistic management process that identifies potential impacts that threaten an organization with associated risk, and provides a framework for building resiliency with the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value creating activities. ²

As such, the basis for building an effective business continuity management program consists of an understanding of the following primary elements:

> Potential Impacts are developed from the Business Impact Analysis (BIA).

> Threats are developed from the Risk Assessment (RA) by identifying potential hazards with the highest probability, impact and vulnerability.

> The BCM view of the Organization as distinct named Critical Functions, locations, dependencies and technology requirements is determined from the Business Impact Analysis (BIA)

> An Effective Response is developed by focusing on recovery strategies for each of the organization’s critical functions with a recovery plan that attains a defined Maximum Allowable Outage (MAO) value for each.

Your organization may require adherence to several industry standards. Select the BCM and industry-specific standards and guidelines to be included in scope of your BCM program and policy. The BCM process will need to address each of the above elements in order to implement an effective Business Continuity Management program.

– NFPA 1600/1660 https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1600; https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1660

– NIMS https://www.fema.gov/emergency-managers/nims

– ISO 22301 https://www.nqa.com/medialibraries/NQA/NQA-Media-Library/PDFs/NQA-ISO-22301-Implementation-Guide.pdf

– FFIEC https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx

– NCUA https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ffiec-release-updated-business-continuity-planning-examination-handbook

For more information about how to better prepare your organization with an effective Business Continuity Management System, please contact us via: