If you believe that business continuity (BC) and technology disaster recovery (DR) plans are "living documents" and need to be regularly reviewed and updated, then you understand the fundamental concept of a continuous improvement process. The Plan-Do-Check-Act (PDCA) process model is based largely on a philosophy of continual improvement of management systems.
A business continuity management system (BCMS) is the collection of regularly performed activities that supports a corporate business continuity management activity, and also a technology disaster recovery activity. These can include project planning and management, staffing, scheduling, forecasting, budgeting, research and development, resource management, communications, meetings, educational activities, awareness and promotional activities, website activities, performance assessment activities, day-to-day handling of inquiries, and many others.
The BCMS also facilitates a variety of project-based activities, such as performing business impact analyses and risk analyses, conducting assessments, developing and documenting BC/DR plans, planning and executing BC/DR exercises, preparing and conducting emergency team training, preparing and documenting incident response plans, and defining BC/DR strategies.
According to the global business continuity guidance standard ISO 22313:2012, "Continual improvement operates at all levels within the PDCA cycle and should be driven by the business continuity policy and objectives, audit results, analysis of monitored events, corrective actions and management review."
ISO 22313:2012 states that a continuous improvement process should perform the following steps for identifying problems and issuing corrective actions:
- Identify what is not performing according to policy, procedure or plans and the present status of the situation (non-conformance)
- Identify how the process currently works (or should work) and a description of the present process(es) and controls (root cause)
- Determine the changes and remediation needed to fix the problem (corrective action)
- Test the changes to verify that the problem has been addressed and corrected (validation)
- Update policies, procedures and other relevant documents (recording)
- Report the results to management (reporting)
Continual improvement assumes the presence of processes for reviewing BC/DR and BCMS performance, identifying what works and what doesn't work, and defining and implementing remedies to address and fix those issues. Make sure that these kinds of change-related activities are fully documented and sent to senior management as part of normal reporting procedures.
Such a continuous improvement process, as defined above, examines the nature of a problem and the environment within which the problem exists. If performed properly, the resulting changes to the existing BCMS environment should help ensure that the problem doesn't recur. Try to address problems in the context of the ongoing performance and success of the BCMS, rather than simply as isolated incidents.
Policies and procedures may need to be updated from the results of these activities. This is an important and desirable outcome, as it demonstrates that the BCMS is maturing.
Establish a process of regular monitoring and review of BCMS activities, as this will help identify out-of-normal activities that may need to be addressed. Discuss BCMS performance hits and misses at department meetings. These and other initiatives become part of daily BCMS administrative activities. These continuous improvement process actions will ensure that the BCMS functions as intended and, more importantly, identifies issues and recommends solutions that, when implemented, will elevate the BCMS to a higher level of efficiency and effectiveness.