Skip main navigation

The evolution of the business continuity lifecycle

In this article we are introduced to the Business Continuity Management Life cycle.
© Coventry University. CC BY-NC 4.0
In the previous step, you learned about the Plan Do Check Act (PDCA) cycle used in management system standards, such as BS EN ISO 22313:2014 and BS ISO 28002:2011.
Now, we’ll review how that cycle has been adapted for implementation in the context of Business Continuity Management (BCM).
The BCM lifecycle is an:
‘Ongoing cycle of activity of the business continuity programme, that builds organisational resilience.’
(BCI 2018: 7)
It adapts the PDCA model used in International Management System Standards but maintains the underlying principles. Over time the cycle has evolved from the original good practice model (Hotchkiss, 2010) to the cycle shown below:
Image of the lifecycle, select the image for an enlarged pdf version with alternative text. the image is also available in the downloads section
The BCI’s BCM lifecycle (2018) is globally recognised and broken down into six key professional practices (steps); two which are management/governance focused and four that are technical. Their view is that this provides a more individual focus than the PDCA model employed in ISO 22313:2014 and allows individuals to demonstrate competency in developing, implementing and maintaining a Business Continuity Management System.

Steps in the BCM lifecycle

Programme management

This overarching professional practice involves setting the strategic intent needed to determine and implement policy through this cycle of activities. It requires the commitment of top management as well as leadership.
Requirements in establishing effective programme management include:
  • Establishing a policy (see ISO 22313:2014 Clause 5.3)
  • Defining the scope of the programme, for example, which activities, products, services, or locations will be included?
  • Establishing governance
  • Assigning roles and responsibilities
RoleResponsibility
Top managementDemonstrate commitment to the programme/management system, ensure that it is properly established, implemented and maintained, by ensuring that appropriate resources are allocated and that it is regularly reviewed (ISO 2014)
Business continuity managerDesign, implement and maintain a programme/management system that is appropriate to the internal and external context of the organisation and that is appropriate to the nature, scale and complexity of the organisation
Incident response personnelRespond to an incident or crisis, in line with organisation policy and producers
Internal auditorsPlanning, conducting and reporting on the programme/management system audits (ISO 2014)

Embedding BCM

Business continuity practices and awareness need to be integrated (or embedded) into business as usual and the culture of the organisation in order to build resilience
What does embedding look like?
  • Raising awareness
  • Buy-in from interested parties
  • Building skills and competency

Analysis

Impact analysis for activities, products, services, processes – an organisation won’t necessarily do all four all of these types – it will depend on the nature and scale of the business.

Design

Design solutions and mitigation options to manage risks identified in the previous step. These need to take into account compliance obligations, resources, strategic direction and should be signed off by top management. Design plans at strategic, technical, operation level (one plan or maybe several plans).

Implementation

Plans may be needed for different geographic locations, different departments, for different services, activities and so on. This will be organisation-specific.

Validation

Testing your plans and reviewing the outcome.

Further reading

For further details of the steps in the BCI’s BCM lifecycle access the Good Practice Guidelines Lite Edition. This is an external resource and downloading the document requires registration, but it is a free resource.
BCI (2018) Good Practice Guidelines 2018 Lite Edition [online] available from https://www.thebci.org/training-qualifications/gpg-lite-2018.html

Your task

Can you still see the PDCA model in this lifecycle? Where?
In your own organisation (or organisations you have worked for in the past) what evidence of business continuity can you see and what practices highlighted in the lifecycle do you see being followed? What was your involvement?

References

BCI (2018) Good Practice Guidelines 2018 Lite Edition [online] available from https://www.thebci.org/training-qualifications/gpg-lite-2018.html
Engemann, K.J., Henderson, Douglas M, (2012) Business Continuity and Risk Management: Essentials of Organizational Resilience. Connecticut, USA: Rothstein Associates Inc.
Hotchkiss, S. (2010) Business Continuity Management in Practice. Swindon, UK: BCS, the Chartered Institute for IT.
ISO (2014) Societal Security-business Continuity Management Systems-requirements.BS EN ISO 22301:2014 International Organization for Standardization.
© Coventry University. CC BY-NC 4.0
This article is from the free online

Business Continuity Management and Crisis Management: An Introduction

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education