Business Continuity Management (BCM): Four Key Dimensions for Success

Business continuity management (BCM) comprises four areas that come together to help keep your business resilient in the face of disaster.

Successful BCM program administration ensures the success of Crisis Management, Business Recovery, and IT Disaster Recovery.

At MHA, we divide up the Business Continuity Management (BCM) program into four (4) key dimensions that include:

1. Program Administration
2. Crisis Management
3. Business Recovery
4. IT Disaster Recovery

We believe that when these 4 dimensions are operating optimally, individually and in an integrated fashion, the BCM program will have a high level of sophistication, maturity and capability. 

Each of these dimensions has components that must be implemented successfully to ensure the success of the dimension itself as well as the other three (3) dimensions.

1. BCM Program Administration

Program Administration is defined as the management of the underpinnings of the program to ensure success across the other dimensions. The components of the Program Administration dimension are: 

  • Management Oversight – Does the program have committed support and guidance on an ongoing basis? 
  • Budget – Does the program have adequate funding on a multi-year basis? 
  • Policy – Does my documented policy direct enterprise BCM efforts? 
  • Business Impact Analysis – Do we know what business processes and systems/applications are critical? 
  • Business and IT Alignment – Are our business technology requirements aligned with the current IT recovery capabilities? 
  • Threat and Risk Assessment – Have our relevant threats and risks been identified? 
  • Plan Development Standards – What standards have been set for developing comprehensive plans to recover? 
  • Recovery Strategy Standards – Are we setting best practices for identifying relevant strategies for recovery? 
  • Recovery Exercise Standards – Do we set increasingly complex testing requirements based on criticality? 
  • Maintenance Standards – Are we mandating updates of our program in a timely manner? 
  • Pandemic Planning – Do we have documented strategies to deal with a pandemic? 
  • Training and Awareness Program – Are all levels of our organization trained in the BCM program? 
  • Metrics – Do we have a tool to measure current state of our maturity and capability? 
  • Document Repository – Do we have a secure, organized, highly-available site to store our critical documents and plans? 

The successful implementation and ongoing administration of the BCM Program Administration dimension and its key components ensures the success of its three dependent dimensions (Crisis Management, Business Recovery and IT Disaster Recovery). 

Should I work equally hard on all the components or are some more important than others? From our experience, we believe the priority of implementation is as follows:

High Priority – Critical to Success and Functional Recovery Capability 

  • Management Oversight 
  • Budget 
  • Business Impact Analysis 
  • Business & IT Alignment 
  • Threat & Risk Assessment 
  • Pandemic Planning 
  • Training and Awareness 

Medium Priority – Essential to Success and Functional Recovery Capability 

  • Plan Development Standards 
  • Recovery Exercise Standards 
  • Recovery Strategy Standards 
  • Maintenance Standards 
  • Document Repository 

Low Priority – Needed but not Critical or Essential to Functional Recovery Capability 

  • Policy 
  • Metrics 

By implementing and maintaining these components in a systematic fashion, you will have put in place the critical foundation and infrastructure for the success of your enterprise BCM program.

2. Crisis Management

Crisis Management is defined as the advanced preparedness of the senior management of an organization to effectively respond to and recover from a critical disruption to the business. The components of the Crisis Management dimension are as follows:

  • Team – Are primary and alternate team members identified for each key role?  Are team members capable of managing their role on the team? 
  • Crisis Management Team Plan – Does a comprehensive plan, consistent with industry best practices, direct the team and its response? 
  • Crisis Communications Plan – Does a documented plan outline the guidelines and steps to effectively communicate during a crisis? 
  • Command Centers – Do we have physical and virtual command centers in place where team members can assemble during a declared event?
  • Pandemic Planning – Does the Crisis Management plan reference pandemic planning guidelines and standards?
  • Exercises – Are regular mock disaster exercises held to heighten team sophistication and maturity?
  • Training & Awareness – Is the team regularly trained on the process and how to effectively respond?
  • Maintenance – Are the Crisis Management process and associated documents regularly updated and maintained?

The successful implementation and ongoing administration of the Crisis Management dimension and its key components ensures the success of its dependent dimensions (Business Recovery and IT Disaster Recovery) in a declared event. 

Should I work equally hard on all the components or are some more important than others? From our experience, we believe the priority of implementation is as follows:

High Priority – Critical to Success and Functional Recovery Capability 

  • Team 
  • Crisis Management Team Plan 
  • Crisis Communications Plan 
  • Exercises 

Medium Priority – Essential to Success and Functional Recovery Capability 

  • Command Centers 
  • Pandemic Planning 
  • Training and Awareness 
  • Maintenance 

By implementing and maintaining these components in a systematic fashion, you will have put in place the critical foundation and infrastructure for the success of your Crisis Management program.

3. Business Recovery 

Business Recovery is defined as the advanced preparedness of the business of an organization to effectively respond to and recover from a critical disruption to its critical processes. The components of the Business Recovery dimension are as follows:

  • Business Impact Analysis Integration – The Business Impact Analysis study and its results are integrated with and drive the BRP process, its recovery strategies and exercises. 
  • Maintenance – The BRP process is regularly maintained and updated to ensure currency of plan data and information. 
  • Pandemic Planning – Pandemic planning is integrated with the Business Recovery planning process. 
  • Recovery Plan Development – A comprehensive plan, consistent with industry best practices, details the steps and actions the Business Recovery Teams will take to respond to a crisis. 
  • Recovery Exercises – Regular, increasingly complex recovery exercises are conducted for the critical business units of the organization. 
  • Recovery Strategy – Well-defined and appropriate strategies consistent with the criticality of the business units, as defined by the Business Impact Analysis, are followed and implemented to ensure recovery of critical processes and operations. 
  • Training & Awareness – Regular training sessions heighten the sophistication and maturity of the Business Recovery Teams. 

Business Recovery Table:

| Area of Focus | Importance | Description |
|---|---|---|
| Business Impact Analysis Integration | High | The Business Impact Analysis study and its results are integrated with and drive the BRP process, its recovery strategies and exercises. |
| Maintenance | Moderate | The BRP process is regularly maintained and updated to ensure currency of plan data and information. |
| Pandemic Planning | High | Pandemic planning is integrated with the Business Recovery planning process. |
| Recovery Plan Development | High | A comprehensive plan, consistent with industry best practices, details the steps and actions the Business Recovery Teams will take to respond to a crisis. |
| Recovery Exercises | High | Regular, increasingly complex recovery exercises are conducted for the critical business units of the organization. |
| Recovery Strategy | High | Well-defined and appropriate strategies consistent with the criticality of the business units, as defined by the Business Impact Analysis, are followed and implemented to ensure recovery of critical processes and operations. |
| Training & Awareness | High | Regular training sessions heighten the sophistication and maturity of the Business Recovery Teams. |

Should I work equally hard on all the components or are some more important than others?  From our experience, we believe the priority of implementation is as follows: 

High Priority – Critical to Success and Functional Recovery Capability 

  • BIA Integration 
  • Pandemic Planning 
  • Plan Development 
  • Recovery Exercises 
  • Recovery Strategy 
  • Training and Awareness  

Medium Priority – Essential to Success and Functional Recovery Capability 

  • Maintenance 

By implementing and maintaining these components in a systematic fashion, you will have put in place the critical foundation and infrastructure for the success of your Business Recovery program.

 

4. IT Disaster Recovery 

IT Disaster Recovery is the technology component of Business Recovery. It is the preparedness to effectively respond and recover the IT processes and technologies that support critical business processes. The components of the IT Disaster Recovery dimension are similar to Business Recovery and are as follows:

  • Recovery Strategy – Well-defined and appropriate strategies consistent with the criticality of technologies, systems, and applications as defined by the Business Impact Analysis. 
  • Business Impact Analysis Integration – The Business Impact Analysis study and its results are integrated with recovery strategy and implementation. 
  • Maintenance – The IT Recovery components are regularly maintained and updated to ensure currency of strategy, plans, recovery technologies, data and information. 
  • Recovery Plan Development – A comprehensive plan, consistent with industry best practices, details the steps and actions the IT Recovery Teams will take to respond and recover systems and applications. 
  • Recovery Exercises – Regular, increasingly complex recovery exercises are conducted for the IT systems, technologies, applications and dependent processes. 
  • Training & Awareness – Regular training sessions heighten the sophistication and maturity of the IT Recovery Teams. 

The successful implementation and ongoing administration of the IT Disaster Recovery dimension and its key components ensures the success of the business processes, which is the point of Business Continuity in a declared event.

None of the areas above are more or less important than the others, but priority changes from implementation to on-going preparedness.

Implementation perspective:  

High Priority – Critical to Initial Implementation and Functional Recovery Capability 

  • Recovery Strategy 
  • BIA Integration 
  • Technology Implementation 

Medium Priority – Essential to Implementation and Functional Recovery Capability 

  • Plan Development 
  • Recovery Exercises 
  • Training and Awareness 

On-going program perspective: 

High Priority – Critical to Continued Functional Recovery Capability 

  • Maintenance of:
      • Recovery Strategy
      • BIA Integration
      • Technology Implementation
      • Plan Development
      • Recovery Exercises
      • Training & Awareness

The four areas above are often worked as separate phases of a program. Where possible, they should all be implemented and coordinated as an overall program.

Depending on the level of maturity, any of the above could be the weak link during a crisis or recovery event. While this can feel overwhelming, using the priorities above should help with implementation and maintenance and provide the functional capability you need to stay in business.

About
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.