
The next important step in building a mature Business Continuity Program is establishing a Business Continuity Management System (BCMS). If up to this point creating our Business Continuity Program has been like building a house, then establishing your BCMS is like your book of building codes. It is a set of rules and guidelines that you follow, and it’s the set of words that you live (or die) by.
Up to this point in the conversation I’ve been talking about establishing a framework for the Business Continuity Program to run in. I’ve talked about establishing the program, collecting data, and then making decisions about system recovery with that data. Establishing a BCMS is the process of explaining how all those pieces fit together and deciding how they are governed. Business Continuity can be one of those things that people don’t work on unless they have to, and establishing your BCMS to govern the work ensures that the work actually gets done.
Establishing the BCMS starts with writing policy. That policy should outline the overarching Business Continuity mandate to the business, and that policy needs to be communicated to all staff. Policy should also establish some sort of oversight team that includes executive participation, a team leader, and departmental representatives from both the business and from IT. Policy should also define an IT Disaster Recovery Team and a Crisis Management Team.
“There are no shortcuts to building a team each season. You build the foundation brick by brick.”
Bill Belichick
Establishing teams is more than just putting down names on a piece of paper. People on those teams will have roles in a crisis that they will need to fulfill in order to make sure that the business can continue to operate, or can recover appropriately, following some type of incident. Those people will also have roles inside the committee, to perform on a periodic basis. They need to attend meetings, report status to management, and review planning documentation, among other things. Ideally when the policies are written to establish these teams, these responsibilities are enumerated in the policy.
There’s more to policy than creating teams though. Policy also needs to cover all the aspects of maintaining the data in your Business Continuity Program. Are you following best practices and reviewing your Business Continuity Plans, Disaster Recovery Plans and Crisis Management Plans annually? Put it in your policy. Are certain teams required to collaborate with other teams in writing Business Continuity Plans? That definitely needs to be put down in policy. Audit needs to see a copy of the Crisis Management Plans after they’re reviewed by management? Put it in the policy. Are we creating metrics to show progress and track improvement in the quality of the business continuity program? Those metrics need to be included in the policy. What happens if some team doesn’t meet their metrics? The repercussions of those actions need to be addressed in corporate policy.
Another important aspect of establishing the BCMS is performing an internal evaluation of the current status of the Business Continuity Program. Ideally, some sort of Maturity Assessment would be done so that a baseline could be established. Such an assessment would look at the state of the teams, the state of your data, and the state of your policies. With that assessment data in hand, one of the first duties of the BCMS should be to start projects to close any program gaps identified.
“Give ordinary people the right tools, and they will design and build the most extraordinary things.”
Neil Gershenfeld, Director – The Center for Bits and Atoms · MIT
At this point it’s also worth mentioning that every Business Continuity Program would realize some benefit from the use of Business Continuity Program Management tools. The tools are not really designed to help you write the policies themselves, but they can absolutely help you in making sure that they are followed. Not only are BCM Tools helpful to establish guidelines for consistency, completeness and documentation, but they can also be helpful in making sure the documentation is reviewed and approved by management on a regular basis. Business Continuity Management tools can also help manage the tremendous amount of data created when you complete that BIA showing all the interconnected processes that make up your business. They can even help manage the data related to interconnected systems and the way your Disaster Recovery runbooks are written, and they can help manage employee contact data to be included in response plans. Many tools will even alert you when a key team member leaves, so you can reassign their duties to someone else immediately, eliminating that gap in coverage.
I have personally managed programs both with and without Business Continuity Program Management tools, and it is practically impossible for a company to establish and maintain a mature Business Continuity Program without using some sort of program management tool. Program management tools are also tremendous labor-saving devices, and they allow one person to do the work of many if configured appropriately. Any company that considers itself serious about Business Continuity should budget for a tool as a part of establishing its program. It’s way easier to implement one in the beginning than it is to try to import all your data later on.
“It’s always cheaper to do the job right the first time.”
Phil Crosby, Author “Quality is Free: The Art of Making Quality Certain”
Putting together your Business Continuity Management System is one of those things that you want to make sure you do right the first time. Sayers is here to help. We have experience building Business Continuity Programs from the ground up and can help you write your policies. We can also help you decide when it makes sense to invest in Business Continuity Program Management Tools. And, our Business Continuity Maturity Assessment Tool can help show you what state your BCMS is in, how mature your Business Continuity Program really is, and what might need a little attention.