As Business Continuity Management (BCM) practitioners know well, the business continuity plan (BCP), which helps ensure critical operations remain available and minimize business impacts, irrespective of the type of incident or disruption, is the cornerstone of any best-practice business continuity program. The BCP is absolutely essential to the business continuity manager’s task of identifying, quantifying, and minimizing potential business interruptions and risks.
Here, the data is clear. Business closure numbers are heavily weighted towards companies that fail to develop BCPs before major incidents; in fact, as many as three in every four organizations without a business continuity plan fail within three years of a disaster.
As dispositive as those numbers are, there’s still an element missing; for companies that have developed BCPs and disaster recovery plans aren’t out of the woods quite yet. Having a BCP during the prevention and preparedness phases is one thing, but executing the plan promptly once a disaster has taken place is the key business survival factor. After all, companies that are unable to resume operations within 10 days of a disaster striking are unlikely to survive. Further, 80 percent of companies that do not recover from a disaster within one month are likely to go out of business.
That’s why the best business continuity programs also develop business continuity management systems (BCMS), defined as the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity. Developing systems, rather than just plans, enables businesses to better understand needs and evaluate the necessity for establishing business continuity management policies and objectives. There is also growing evidence that organizations that have not implemented a Business Continuity Management system are more likely to fail after a major disruptive event.
What’s more, a BCMS reinforces the importance of implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents. Taking a systems-approach also helps ensure continual improvements based on objective metrics. The question remains, though: how to build a best-practice BCMS?