Defining business continuity management
We will now define what Business Continuity Management (BCM) is and explore the role of impact based planning.
BCM is defined by the International Organization for Standardization as:
‘A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.’
Examples of stakeholders (or interested parties) are:
- The community or communities within which an organisation operates
In basic terms, BCM identifies what needs to be done before an incident occurs in order to protect people, premises, technology, information, supply chains, stakeholders and reputation.
An incident is defined as:
‘A situation that might be or could lead to disruption, loss, emergency or crisis.’
BCM enables the identification and development of strategies and contingency plans to manage the effects of disruption, to mitigate the impact on critical activities or outputs and recover the business back to normal levels of operation as soon as possible within what is acceptable to the business.
BCM impact-based planning
BCM rationalises the uncertainty of what the disruptive incident will be and when it will occur by accepting that the possible causes of disruption are innumerate but the impacts will broadly be the same irrespective of the cause - referred to as common consequences.
The possible impacts which form the basis of the planning assumptions for BCM can be equated to four broad categories:
|Impact||Disruptive incident||Example BCM strategy|
|Loss of or denial of access to premises
Loss of or denial of access to information and communication technology
Failed system patching
|Work area recovery site
Secondary data centres
Bank up regimes
|Loss of staff||Swine flu
|Redeployment of non-critical staff
|Loss of or disruption to supply chain||Extreme weather
|Loss of financing or funding||Banking crash
Cash flow challenges
Non-renewal of grants
Diversification of income streams
An organisation could choose to focus on the causes, such as fire or flood, which are difficult to anticipate in terms of timing and scale or it could choose to focus on the impact of disruptive events such as loss of access to premises.
There is an interesting article by the Avaluation Team on resource-based vs scenario-based planning.
Avaluation Team (2016) Business Continuity Plans: Resource Loss-Based vs Scenario-Based [online] available from https://avalution.com/business-continuity-plans-resource-loss-based-vs-scenario-based/
Read section 2 (pages 6-8) of the following Chartered Management Institute white paper:
CMI (2013) Weathering the storm [online] available from https://www.managers.org.uk/~/media/Research%20Report%20Downloads/Weathering_the_storm_CMI_BCM2013_1.pdf
Below, we have combined the data for 2013 from the two tables which describe the perception of threats and actual disruptions. This was taken from a study of 637 managers.
What do you think the table shows about where people choose to focus and what do you think this means for the focus of business continuity management?
Perception of Threat
Actual Disruptive Events
|Change in position between tables|
|1||Loss of IT||63||40||⯆ 2|
|2||Loss of access to site||53||24||⯆ 4|
|3||Loss of telecommunications||52||27||⯆ 1|
|4||Loss of electricity||49||20||⯅ 4|
|5||Loss of skills||48||18||⯅ 4|
|6||Loss of people||47||42||⯅ 4|
|8||Damage to image||45||8||⯆ 6|
|9||Extreme weather||43||54||⯅ 1|
|10||Terrorist incident||40||2||⯆ 10|
|11||Negative publicity||39||10||⯆ 2|
|12||Health and Safety incident||35||12||⯅ 1|
|13||Transport disruption||34||27||⯅ 8|
|14||Loss of water||32||10||⯅ 1|
|15||Supply chain disruption||30||14||⯅ 5|
|16||Environmental incident||30||6||⯅ 1|
|17||Loss of gas||27||4||⯆ 1|
|18||Customer safety incident||27||12||⯅ 6|
|19||Industrial action||26||8||⯅ 5|
|20||School closure||20||20||⯅ 13|
|21||Pressure group protest||20||6||⯅ 4|
ISO (2014) Societal Security-business Continuity Management Systems-requirements.BS EN ISO 22301:2014 International Organization for Standardization.
© Coventry University. CC BY-NC 4.0