Paul D. Jagger FBCS continues his assessment of information security from the perspective of one of its key principles, that of the availability of information. Here he looks at business continuity management.

BCM is concerned with ensuring that operations continue in both normal and abnormal circumstances such as when an incident occurs that would otherwise severely impact continuity of the business.

Business continuity management (BCM)

Business continuity management grew from the technology perspective of high availability and disaster recovery. Toward the end of the last century businesses realised that a broader perspective was required, one that considered a broader spectrum of incidents that could impact business operations from power to communications, transport to buildings.

As such, BCM is a big picture discipline concerned with the planning and testing of mitigating responses to a wide range of possible impacts to business continuity. It is beyond the scope of this article to provide a thorough exploration of BCM but the core concepts, principles and stages are outlined here.

The standard for BCM is ISO 22301:2012 (Business Continuity Management Systems) which evolved from an earlier UK government standard (BS 25999-2). ISO 222301 is concerned with 4 key aspects of a BCMS:

  • Organisational needs, business continuity policy and objectives;
  • Implementing and operating controls for managing disruption;
  • Monitoring and reviewing the performance of a BCM system (BCMS);
  • A process of continuous improvement in the BCMS.

In practical terms a BCMS will follow a simple cycle known as the plan-do-check-act (PDCA) model, which encompasses:

  1. Plan: A Business continuity management plan - policy, objectives, targets, controls;
  2. Do: Implementation and operation of the BCM plan - detailed processes and procedures;
  3. Check: Monitoring and checking the BCMS against objectives - determine actions for improvement;
  4. Act: Maintenance and continuous improvement - take action to correct or improve the BCMS, and revise the plan.

The practice of BCM involves a number of planning and analysis activities, including the conduct of a business impact analysis, an internal audit, a threat and risk assessment, the development of a business continuity plan - all before getting in to the hard work of implementation and operations.

As such, BCM may seem a daunting prospect for a small or medium enterprise, however the level of detail should be commensurate with the nature of the scale and nature of the business operations. A family owned florist concerned with the supply of fresh cut flowers requires a far simpler BCMS than a national power utility.

Let’s explore some of the planning activities in a little more detail:

Business impact analysis (BIA) - this is concerned with identifying and classifying critical and non-critical functions of the business. In this context ‘critical’ means any function that the business cannot operate without even in the short term (e.g. a butcher cannot operate without the ability to store and refrigerate meat). Alternatively a critical function may be mandated in law or regulatory instrument. Non critical functions are those that the business can operate without, either in the short or longer term (e.g. a train operator can survive without on-board catering). Prior to the BIA it is usual to exclude certain functions of the business as out of scope, for example, the staff sports and social club is unlikely to be considered in a BIA.

Embedding business continuity for the web (infographic)

Threat and risk assessment (TRA) - this is concerned with identifying potential threats to the continued operation of the business and evaluation of the associated risks. Threats can be external (e.g. adverse weather conditions, crop failure, power outage) or internal to the business (e.g. fraud, strikes, equipment failure).

Internal audit (IA) - this is conducted in a business where a business continuity management system already exists. It is intended to assess and report on the conformity of the BCMS to standards such as ISO 22301. Usually an external BCM audit specialist is engaged to conduct the audit and reports their findings to the business’ senior management.

Of course there is far more to BCM than planning; a full BCMS will involve the implementation, testing, regular review and ongoing improvement of the system as the business evolves and grows.

A vital point is that whilst BCM may seem like an exercise in applied paranoia planning it actually offers clear business benefits such as: stress testing the business’ reaction to unplanned events, competitive advantage (compared with businesses that have no BCMS), the potential for reduced insurance premiums, a stronger position in tendering negotiations and so on.

BCM is ultimately about preparing for the unexpected adverse event so that when it occurs the impact to the business is either reduced or eliminated.

Individual certification

BCS offer a practitioner level certificate in Business Continuity Management based upon a demanding 3-hour exam. A network of BCS Accredited Training Providers offers education in support of practical experience in BCM to prepare for the exam.

In conclusion

Business continuity management considers the needs of the whole enterprise, its customers, suppliers, employees and the environment within which it operates. The previously explored topics of disaster recovery and high availability are subjects within the domain of BCM but do not constitute a complete BCM plan or solution. Many organisations offer certification services that test businesses of all sizes to the ISO standard for BCM.

References

Professional Bodies

Standards

Publications

  • Business Continuity Management Systems: Implementation and Certification to ISO 22301 (Estall, 2012)
  • Business Continuity Management in Practice (Hotchkiss, 2010)

Qualifications (Awarding body in brackets)

  • BCS Practitioner Certificate in Business Continuity Management (BCS)
  • BCI Certificate (BCI)
  • BCI Diploma (BCI)
  • Certified Business Continuity Prof (DRII)
  • Master Business Continuity Prof (DRII)

SFIA Skills

  • Continuity Management - COPL
  • Availability Management - AVMT
  • Storage Management - STMG
  • Network Design - NTDS
  • IT Governance - GOVN
  • Information Security - ISCO
  • Bus. Risk Management - BURM