Business Continuity Management
Business continuity management (BCM) has evolved from a purely technical precaution against IT system failures in the 1980s into a comprehensive management system. Today, BCM is concerned not only with safeguarding IT systems, but with all important resources that are crucial to a company's survival in an emergency. Several principles and procedures have become established over time and are explained below.
The worst case concept
When setting up a business continuity management system (BCMS), the so-called worst-case concept is applied. Planning is based not on the cause of the loss of a resource, but on its result, i.e. the loss of buildings, of personnel in time-critical processes, of IT, of services/deliveries and of production facilities. The cause of a possible loss is not the focus of the considerations.
The BCM Lifecycle
Based on the BCM model of the Business Continuity Institute (BCI) and the requirements of the ISO standard for BCM (ISO 22301), the BCM lifecycle consists of six phases: two management phases and four operational phases. The management phases represent the main tasks of those responsible for BCM, while the operational phases are carried out in cooperation with the various departments of the company. The approach is pragmatic and is intended to enable efficient implementation of the BCM system.
Source: The six phases of the BCM lifecycle (adapted from The Business Continuity Institute)
MANAGEMENT PHASE 1: POLICY AND PROGRAMME MANAGEMENT
In the first phase of the BCM lifecycle, the BCM programme of the company or organisation is designed. The BCM policy is defined with regard to the requirements for business continuity management and set down in writing. The policy should be comprehensible and brief (10 to 15 pages) and outline the motivation, goals, responsibilities and planned implementation. It is signed by the highest management level and communicated to all employees to lay the foundation for the implementation of the business continuity programme. In the next step, the BCM manager elaborates the policy by refining the framework into process descriptions and task descriptions. The tools and templates needed to support programme management are then developed. Programme management is based on the BCM policy and implements it in practice.
MANAGEMENT PHASE 2: EMBEDDING
The embedding phase of the BCM lifecycle aims to create awareness of Business Continuity Management (BCM) throughout the organisation and to integrate it into existing processes. For this purpose, an accompanying training and awareness programme is developed for all employees. In addition, the principles of BCM are to be anchored in as many of the organisation's processes as possible, for example in the onboarding process for new employees or in checklists for major projects. Embedding BCM aspects in business processes is intended to increase the organisation's resilience.
OPERATIONAL PHASE 1: ANALYSIS
The analysis phase is an important part of the BCM lifecycle, as it forms the basis for the other phases. In this phase, the company's business processes are examined to determine which processes are absolutely necessary to maintain operations. This information is then used to prioritise emergency operations. The analysis phase also identifies and assesses threats that may affect the company. These threats are captured in a threat analysis, and the results are used to eliminate possible vulnerabilities and to find alternative resources. The analysis phase thus provides a better understanding of the company's threats and risks, which enables a more appropriate and effective BCM strategy to be developed.
OPERATIONAL PHASE 2: DESIGN
During the analysis phase, the time-critical business processes are identified, their dependencies determined and the impact under different loss scenarios established. In the design phase, solutions for scenarios such as building failure, staff failure, IT failure and supplier/service provider failure are then identified, evaluated and selected by management. These solutions consist of organisational and technical measures that help to minimise the risks that arise in the event of a loss. The measures are used both proactively and reactively to limit the extent of the damage and prevent an existential threat to the company. At the end of the design phase, the solution options for each location must be summarised in a concept, including a cost-benefit analysis, that is presented to management as a basis for decision-making.
OPERATIONAL PHASE 3: IMPLEMENTATION
During the implementation phase, the business continuity plans (BCPs) are formulated based on the selected solutions. Depending on the size and complexity of the company, either a common plan for all scenarios or individual plans for each scenario are created. These plans provide guidance for the affected areas in the event of a critical incident and ensure that the restart takes place as quickly as possible within the specified timeframes. The BCPs contain detailed information on the priorities, procedures, responsibilities and resources required to manage a crisis situation and restore normal operations as quickly as possible. In addition, this phase defines the organisation for dealing with a crisis, including a crisis team, an assistance and service team (AST) and operational response teams.
OPERATIONAL PHASE 4: VALIDATION
The final phase of the Business Continuity Management (BCM) lifecycle, validation, is divided into three areas: testing/exercise, maintenance and review.
Testing/exercise: The developed response structure and plans are reviewed annually in realistic tests and exercises at all levels to identify errors and improve the solutions and plans.
Maintenance: The regular review and updating of documents.
Review: Quality assurance, including self-assessments, internal or external audits, random checks by the BC manager, reviews of critical suppliers and service providers, and annual reviews by management based on reporting by the BC manager.
Establishment and operation of a BCMS
The implementation of a Business Continuity Management System (BCMS) is complex and requires a considerable amount of human resources. It is important to distinguish between setting up and operating the BCMS. To simplify the set-up, it is advisable to call in experienced external experts if no in-house staff have the relevant knowledge. For the operation of the BCMS, a medium-sized company with 1000 employees at one site should provide a full-time position for a BC manager. Smaller sites can manage with fewer staff.
For an implementation project, one should allow a year to complete the BCM lifecycle. This prevents the organisation from being overloaded and fits optimally with the BCM lifecycle.
Business continuity management and interfaces with other disciplines
There is a misconception about what BCM really entails, as not everything that is called BCM is actually BCM. Some distinctions need to be made here:
BCM AND IT SERVICE CONTINUITY MANAGEMENT (ITSCM)
IT Service Continuity Management (ITSCM) is a sub-area of BCM that is used proactively to safeguard against IT failures and their risks. ITSCM has its origins in the 1980s, when disaster recovery concepts were developed. Like BCM, ITSCM is operated over a lifecycle that is almost congruent with the BCM lifecycle. ITSCM focuses on a few technical failure scenarios, such as the failure of a data centre, the inaccessibility of a data centre and the failure of network connections. It is based on the results of the BCM business impact analysis and pays special attention to the required recovery time of an IT service. On this basis, solution concepts are developed, which are then elaborated in the later stages of the ITSCM lifecycle.
BCM AND INFORMATION SECURITY MANAGEMENT (ISM)
The interface between BCM and Information Security Management (ISM) results from the sub-area of BCM concerning IT services (ITSCM). The main focus of information security is compliance with the defined security objectives for corporate data. The best-known security objectives are the confidentiality, integrity, continuity and authenticity of information. When building an ISM system, a protection needs analysis is performed, which in turn provides input for the gap analysis of the ITSCM. ... Since ITSCM does not deal with scenarios such as hacker attacks, it is important to clarify with ISM who plans for these scenarios. From a BCM perspective, IT failure means developing manual workarounds or alternative technical procedures. However, if an attack is successful, plans must exist that describe how the organisation will respond after such an attack.
BCM AND CRISIS MANAGEMENT
Crisis management (CM) comes into action when business continuity management (BCM) reaches its limits and a crisis that could not be prevented by BCM has to be handled. This can be the case when a disruption or critical incident leads to a crisis because resources are unavailable or the predefined timeframe is exceeded. Since the scenarios that BCM deals with (failure of buildings, staff, IT and critical service providers/suppliers) are often also critical incidents, it makes sense to involve the crisis organisation as early as possible. The crisis organisation is divided into strategic (crisis team), tactical (assistance and service team, situation centre if necessary) and operational (response teams of the specialist departments) areas.
In the event of a crisis, crisis management takes over strategic leadership and tactical coordination. BCM prepares the business continuity plans that are activated by the crisis team in the event of a crisis. Good communication inside and outside the organisation is crucial for both systems (BCM and CM) and should be taken into account in planning. BCM is a strongly preventive management system that provides business continuity plans and prepares operational teams for crises through exercises. The crisis team takes over at the strategic level when BC plans are not sufficient, when situations occur that are not covered by BCM, or when emergency resources do not work.
What is the goal of business continuity management?
- BCM identifies potential threats and minimises the resulting risks.
- Fostering the resilience of the organisation and preparing a response to a worst-case scenario through established procedures for possible losses of critical resources (employees, buildings, IT and suppliers).
- Ensuring continuity of time-critical business processes by developing contingency plans using analytical methods, relieving staff during a crisis and setting priorities for the return to normal operations.
- Fulfilling requirements within the organisation as well as those of customers and other stakeholders.
How can business continuity management help my company?
Benefits of business continuity management for companies.
- Identification of current and future threats and provision of effective response processes.
- Strengthening the resilience of the organisation.
- Avoiding or minimising the impact of business process disruption.
- Maintenance of essential tasks and processes in a worst-case scenario.
- Minimising downtime and shortening restart times.
- Fulfilment of legal, regulatory and customer requirements.
- Demonstrated resilience to customers and suppliers and in the case of due diligence.
FAQ
What is BCM?
Implementing or comprehensively revising business continuity management is not an easy undertaking. The individual activities and their interdependencies are too diverse. It helps to be able to follow a clear, defined procedure. We have developed such a procedure in many projects, drawing on many years of expert experience, and tested it in practice.