The evolution of the business continuity lifecycle

In the previous step, you learned about the Plan Do Check Act (PDCA) cycle used in management system standards, such as BS EN ISO 22313:2014 and BS ISO 28002:2011.

Now, we’ll review how that cycle has been adapted for implementation in the context of Business Continuity Management (BCM).

The BCM lifecycle is an:

‘Ongoing cycle of activity of the business continuity programme, that builds organisational resilience.’

(BCI 2018: 7)

It adapts the PDCA model used in International Management System Standards but maintains the underlying principles. Over time the cycle has evolved from the original good practice model (Hotchkiss, 2010) to the cycle shown below:

[Image: the BCM lifecycle]

The BCI’s BCM lifecycle (2018) is globally recognised and is broken down into six key professional practices (steps): two that are management/governance focused and four that are technical. The BCI’s view is that this provides a more individual focus than the PDCA model employed in ISO 22313:2014 and allows individuals to demonstrate competency in developing, implementing and maintaining a Business Continuity Management System.

Steps in the BCM lifecycle

Programme management

This overarching professional practice involves setting the strategic intent needed to determine and implement policy through this cycle of activities. It requires the commitment of top management as well as leadership.

Requirements in establishing effective programme management include:

  • Establishing a policy (see ISO 22313:2014 Clause 5.3)
  • Defining the scope of the programme, for example, which activities, products, services, or locations will be included?
  • Establishing governance
  • Assigning roles and responsibilities

| Role | Responsibility |
| --- | --- |
| Top management | Demonstrate commitment to the programme/management system and ensure that it is properly established, implemented and maintained, by ensuring that appropriate resources are allocated and that it is regularly reviewed (ISO 2014) |
| Business continuity manager | Design, implement and maintain a programme/management system that is appropriate to the internal and external context of the organisation and to its nature, scale and complexity |
| Incident response personnel | Respond to an incident or crisis, in line with organisation policy and procedures |
| Internal auditors | Plan, conduct and report on programme/management system audits (ISO 2014) |

Embedding BCM

Business continuity practices and awareness need to be integrated (or embedded) into business as usual and the culture of the organisation in order to build resilience.

What does embedding look like?

  • Raising awareness
  • Buy-in from interested parties
  • Building skills and competency

Analysis

This step involves impact analysis for activities, products, services and processes. An organisation won’t necessarily analyse all four of these types; it will depend on the nature and scale of the business.

Design

Design solutions and mitigation options to manage the risks identified in the previous step. These need to take into account compliance obligations, resources and strategic direction, and should be signed off by top management. Design plans at strategic, technical and operational levels (this may be one plan or several).

Implementation

Plans may be needed for different geographic locations, different departments, for different services, activities and so on. This will be organisation-specific.

Validation

Testing your plans and reviewing the outcome.

Further reading

For further details of the steps in the BCI’s BCM lifecycle, see the Good Practice Guidelines Lite Edition. This is an external resource; downloading the document requires registration, but it is free.

BCI (2018) Good Practice Guidelines 2018 Lite Edition [online] available from https://www.thebci.org/training-qualifications/gpg-lite-2018.html

Your task

Can you still see the PDCA model in this lifecycle? Where?

In your own organisation (or organisations you have worked for in the past) what evidence of business continuity can you see and what practices highlighted in the lifecycle do you see being followed? What was your involvement?


References

BCI (2018) Good Practice Guidelines 2018 Lite Edition [online] available from https://www.thebci.org/training-qualifications/gpg-lite-2018.html

Engemann, K.J. and Henderson, D.M. (2012) Business Continuity and Risk Management: Essentials of Organizational Resilience. Connecticut, USA: Rothstein Associates Inc.

Hotchkiss, S. (2010) Business Continuity Management in Practice. Swindon, UK: BCS, the Chartered Institute for IT.

ISO (2014) Societal Security - Business Continuity Management Systems - Requirements. BS EN ISO 22301:2014. International Organization for Standardization.

This article is from the free online course:

Business Continuity Management and Crisis Management: An Introduction

Coventry University