What you will learn in this tip: If you’ve been following the developments in business continuity standards, you’ve probably seen references to business continuity management systems (BCMS). Learn how to navigate the requirements of business continuity management systems in this tip.
A management system is typically a framework of processes and procedures that are used to structure the performance of activities that fulfill corporate business objectives. In short, it’s another way of describing how businesses operate.
The process of “continuous improvement” is a key component of management systems. For example, an information security management system (ISMS) helps organizations improve their internal and external information security capabilities through a process of continuous improvement. The management system may also include provisions for accountability; a schedule for activities to be completed; and auditing tools to implement corrective actions.
Examples of standards with management systems include:
- ISO 9001 Quality Management
- ISO 14001 Environmental Management
- ISO/IEC 27001 Information Security Management
What is a business continuity management system?
So what actually happens in a business continuity management system? According to ISO 22301, a business continuity management system emphasizes the importance of:
- Understanding continuity and preparedness needs, as well as the necessity for establishing business continuity management policy and objectives
- Implementing and operating controls and measures for managing an organization’s overall continuity risks
- Monitoring and reviewing the performance and effectiveness of the business continuity management system
- Continual improvement based on objective measurements
Structural components of a management system framework with a business continuity management system include:
- A policy
- People with defined roles and responsibilities
- Management processes relating to policy, planning, implementation and operation, performance assessment, management review, and improvement
- Documentation that provides auditable evidence
- Business continuity management processes relevant to the organization
One key premise of a business continuity management system as stated in the standards is that the BCMS should be designed to reflect an organization’s needs and meet its stakeholders’ requirements. The standards do not mandate uniformity in the structure of a business continuity management system. Organizations developing a new BCM plan can use the BCMS framework as an effective starting point. Organizations with established BCM programs can use the BCMS framework to support program improvement activities.
Business continuity management system content is governed by many elements, such as regulatory, organizational and industry requirements; the firm’s products and services; the processes employed; the size and structure of the organization; and the requirements of its stakeholders.
Implementing a BCMS
Assuming your organization already has a business continuity program in place, it’s a relatively simple matter of comparing your existing BCM organization and its structure with BCMS components as stated in a standard such as BS 25999 Part 2 or ISO 22301. Make sure you have a process in place for continuous improvement of your BCM program and associated plans. This is not the same as exercising plans, although exercising is a key aspect of continuous improvement.
If you are about to embark on a BCM program, take a look at any of the three PS-Prep standards to properly organize and structure your BCMS. BS 25999 calls it a BCMS; NFPA 1600:2010 calls it a management system; and ASIS SPC.1-2009 calls it an organizational resilience management system.
A business continuity management system is a structured framework around which a BCM program can be built. Despite the apparent simplicity of a BCMS, it has many components that work together to produce a BCM program that is auditable and compliant with both the PS-Prep standards and the new global BCM standard.
About this author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years’ experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements, ranging from governance program development, program exercising, execution and maintenance to RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at firstname.lastname@example.org.
This was first published in September 2011