What is a Business Continuity Management System and why would I need one?
Before we answer that question, let’s first reflect on what a business might have in place to help it achieve business continuity:
- A policy that sets out the Scope, Objectives and Management Processes for Business Continuity (i.e. review, testing, exercising).
- Risk Register and Risk Assessments that allow it to record and assess threats to the organisation.
- Business Impact Analysis that allows it to understand its Business Continuity requirements.
- A Business Continuity Team.
- Risk management policies, protections and procedures such as environmental, health and safety, cyber and quality that operate to minimise the likelihood of loss or reduce the potential consequences in their individual sphere of operation - all of which could impact Business Continuity.
- An Incident Response Plan, the "go-to" document that details the steps the business needs to go through in the event of an Invocation.
- Communication Plans to maintain certainty amongst stakeholders.
- Resources the business needs to manage an Invocation if it has lost or lost access to its primary infrastructure.
- A plan to manage the business' workforce through the event.
- Continuity Plans that detail how the supply of product or service is reinstated using its Business Continuity planning (i.e. swapping a function to another site).
- Recovery Plans to reinstate operations.
- A number of these may be replicated for multiple sites/processes (i.e. IT).
So, to answer “what is a Business Continuity Management System” (BCMS) and “why would I need one?”
- A business continuity management system bundles together all of interrelated methods, procedures and resources as illustrated above, to ensure that your critical business processes keep running in the event of an invocation, damage or emergency.
- It may encompass multiple business continuity plans; for instance, production, supply chain and IT/network, representing distinct business functions.
- Your BCMS should also help you continuously develop and improve your arrangements to ensure they reflect the business' needs on an ongoing basis.
- It should also help you maintain, monitor and test all of your business continuity arrangements to ensure that they are operable when required.
- If the BCMS complies with ISO22301 then it will also have an internal and external audit component that supports the ongoing operation, review and continuous development of business continuity.
- Another key output from your BCMS is the visibility of your continuity arrangements, so business continuity as a management discipline can be managed and maintained.
In essence, a BCMS provides visibility of your organisation's resilience and helps you keep your business continuity plans and Arrangements up-to-date and relevant to the Organisation's business' continuity needs.
BCarm is certified to ISO22301 and we utilise our cloud-based BCMS to manage, monitor and test our Business Continuity management arrangements daily.
Our BCMS has 3 separate plans reflecting our different activities, and a database of all our assets/resources, including a risk assessment for each and their recovery times.
This information is pulled into a business impact analysis module to calculate our target recovery times based on our recovery objectives.
It also records the risk reduction and recovery measures we have in place to either minimise the likelihood of loss, or recover the asset/resource within its recovery time objective, and any monitoring or testing regimes these require to ensure they are operative.
These monitoring/testing activities are then managed through the task management module which also sends alerts if testing etc isn't done.
Each business continuity management plan has its own incident response plan which includes:
- Communications plan, including contact databases and incident scripts
- Details of the recovery resources we have in place
- Our plan for managing our people
- Our continuity plan, reinstating supply of services
- Recovery management plan
This meant that we didn't need to invoke our business continuity plan to respond to Covid-19, because we already had tried and tested resources in place that would allow us to continue to deliver our services should we lose/lose access to our premises. We moved to remote working without a change in pace in our working performance.
More information on Business Continuity management
To find out how we can help your business create a Business Continuity management plan, get in touch for a discussion.