Car in flooded street - welcomia / freepik

Defining business continuity management

We will now define what Business Continuity Management (BCM) is and explore the role of impact based planning.

BCM is defined by the International Organization for Standardization as:

‘A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.’

(ISO 2014)

Examples of stakeholders (or interested parties) are:

  • Employees
  • Customers
  • Suppliers
  • Investors
  • The community or communities within which an organisation operates

In basic terms, BCM identifies what needs to be done before an incident occurs in order to protect people, premises, technology, information, supply chains, stakeholders and reputation.

An incident is defined as:

‘A situation that might be or could lead to disruption, loss, emergency or crisis.’

(ISO 2014)

BCM enables the identification and development of strategies and contingency plans to manage the effects of disruption, to mitigate the impact on critical activities or outputs and recover the business back to normal levels of operation as soon as possible within what is acceptable to the business.

BCM impact-based planning

BCM rationalises the uncertainty of what the disruptive incident will be and when it will occur by accepting that the possible causes of disruption are innumerate but the impacts will broadly be the same irrespective of the cause - referred to as common consequences.

The possible impacts which form the basis of the planning assumptions for BCM can be equated to four broad categories:

Impact Disruptive incident Example BCM strategy
Loss of or denial of access to premises
Loss of or denial of access to information and communication technology
Power outage
IT virus
Failed system patching
Human error
Work area recovery site
Generators
Secondary data centres
Bank up regimes
Manual working
Loss of staff Swine flu
Lottery syndicate
Industrial actions
Redeployment of non-critical staff
Temporary staff
Loss of or disruption to supply chain Extreme weather
Business reason
Stockpiling
Decentralised warehouse
Loss of financing or funding Banking crash
Cash flow challenges
Non-renewal of grants
Maintaining reserves
Diversification of income streams

An organisation could choose to focus on the causes, such as fire or flood, which are difficult to anticipate in terms of timing and scale or it could choose to focus on the impact of disruptive events such as loss of access to premises.

Further reading

There is an interesting article by the Avaluation Team on resource-based vs scenario-based planning.

Avaluation Team (2016) Business Continuity Plans: Resource Loss-Based vs Scenario-Based [online] available from https://avalution.com/business-continuity-plans-resource-loss-based-vs-scenario-based/

Your task

Read section 2 (pages 6-8) of the following Chartered Management Institute white paper:

CMI (2013) Weathering the storm [online] available from https://www.managers.org.uk/~/media/Research%20Report%20Downloads/Weathering_the_storm_CMI_BCM2013_1.pdf

Below, we have combined the data for 2013 from the two tables which describe the perception of threats and actual disruptions. This was taken from a study of 637 managers.

What do you think the table shows about where people choose to focus and what do you think this means for the focus of business continuity management?

  Threat %
Perception of Threat
%
Actual Disruptive Events
Change in position between tables
1 Loss of IT 63 40 ⯆ 2
2 Loss of access to site 53 24 ⯆ 4
3 Loss of telecommunications 52 27 ⯆ 1
4 Loss of electricity 49 20 ⯅ 4
5 Loss of skills 48 18 ⯅ 4
6 Loss of people 47 42 ⯅ 4
7 Fire 46 4 ⯆ 12
8 Damage to image 45 8 ⯆ 6
9 Extreme weather 43 54 ⯅ 1
10 Terrorist incident 40 2 ⯆ 10
11 Negative publicity 39 10 ⯆ 2
12 Health and Safety incident 35 12 ⯅ 1
13 Transport disruption 34 27 ⯅ 8
14 Loss of water 32 10 ⯅ 1
15 Supply chain disruption 30 14 ⯅ 5
16 Environmental incident 30 6 ⯅ 1
17 Loss of gas 27 4 ⯆ 1
18 Customer safety incident 27 12 ⯅ 6
19 Industrial action 26 8 ⯅ 5
20 School closure 20 20 ⯅ 13
21 Pressure group protest 20 6 ⯅ 4

References

ISO (2014) Societal Security-business Continuity Management Systems-requirements.BS EN ISO 22301:2014 International Organization for Standardization.

Share this article:

This article is from the free online course:

Business Continuity Management and Crisis Management: An Introduction

Coventry University