Business Continuity Management: Sounds boring yet saves lives, companies, butts

Lately, I've been revisiting an area of information security into which I have dived deeply on several occasions over the years: Disaster Recovery, which is pretty much the same as Business Continuity Management or BCM, which includes Business Continuity Planning (BCP). Along the way I have assembled a list of high quality BCM resources and articles that folks might find useful (and available for free in most cases). You will find the list at the end of this article. Here's a scene-setting quote from one of the articles:

Disasters can strike at any time – often with little or no warning – and the effects can be devastating. The cost in human lives and property damage is what makes the evening news because of the powerful tug of human interest. Much less coverage, however, is given to the disruption, struggle and survivability of business operations. A study fielded by the Institute for Business and Home Safety revealed that 25 percent of all companies that close due to disasters – hurricanes, power failures, acts of terror and others – never reopen. (Disaster Preparedness Planning: Maintaining Business Continuity During Crisis, Disruption and Recovery)

What is BCM? 

The scope of BCM encompasses or is adjacent to Disaster Recovery (DR), Disaster Preparedness, Incident Response Management, Business Technology Resiliency, and Emergency Response Planning. You could say the goal of BCM is to "make sure you survive and thrive despite the bad things that are bound to happen at some point, where you = your organization, its people, and its mission." In fact, I did say that once, when asked for an informal definition.

A more formal definition of BCM is: "Those management disciplines, processes, and techniques which seek to provide the means for continuous operation of essential business functions under all circumstances" (Jim Burtles, Principles and Practice of Business Continuity, see resource list for more details).

Another formal definition of BCM would be: "Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level." That's from BS 25999, where BS stands for British Standards Institute and BS 25999 was the "Business Continuity Management Standard".

BS 25999 was replaced by ISO 22301 and ISO 22313, which are Societal Security—Business continuity management systems—Requirements and Guidance, respectively. As ISO puts it: "While ISO 22301 may be used for certification and therefore includes rather short and concise requirements describing the central elements of BCM, a more extensive guidance standard (ISO 22313) is being developed to provide greater detail on each requirement in ISO 22301."

Incidents and accidents...

One way to get a better picture of the things that can test your organization's resilience and interrupt its march towards its objectives is to see what type of event or incident causes a business continuity plan to be invoked. Fortunately, Forrester Research has surveyed executives on the question of "invocations." You click on this chart to enlarge it.

Another way for companies to look at BCP/BCM is that revenues, profits, reputation, market position, and share price are intrinsically linked and widely seen as the pillars of corporate resilience, however: "a blow to any of these props could cause serious problems for a company and its management team." That's from a booklet available in PDF from the Allianz insurance company: Managing Business Interruption: An insurer’s perspective on supply chain risks. I'm not always a big fan of big insurance companies, but this is an excellent read because it brings into focus the huge challenges to resilience that arise from outsourcing, foreign suppliers, and supply chain inter-dependency.

Helpful Business Continuity Resources:

• OFB-EZ: Stay open for business. This is a streamlined disaster protection and recovery planning toolkit for the small to medium size business, with lists, forms, and templates. A great place for your SMB to start the BCM proces
• https://www.disastersafety.org/disastersafety/open-for-business-ez
• Disaster Preparedness Planning: Maintaining Business Continuity During Crisis, Disruption and Recovery is a good introduction to the subject (from Chase he noted with some surprise)
• https://www.chase.com/online/commercial-bank/document/Perspective_DisasterPreparedness.pdf
• BCI Horizon Scan 2014: the definitive annual report on the state of play in BCP, free from the Business Continuity Institute (light registration required)
• http://www.thebci.org/index.php/the-2014-bci-horizon-scan
• Open for Business, an earlier version of OFB-EZ disaster protection and recovery planning toolkit, a great place for your SMB to start the BCP process 
• https://www.disastersafety.org/wp-content/uploads/open-for-business-english.pdf
• BCI Good Practice Guidelines: Considered by many to be the bible of BCP, free with annual membership of BCI (Affiliate membership is a good investment for your organization at about $135 for the year)
• http://www.thebci.org
• NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs: free from the National Fire Protection Association (with registration) this document lists all the things you need to cover in a full BCP program 
• https://www.nfpa.org
• Disaster Recovery Journal: One of the top websites to know if you are working on BCP
• http://www.drj.com
• The IBM Business Continuity Self-Assessment Tool: a great first step for your organization to determine current standing with respect to BCP 
• http://www-935.ibm.com/services/ae/bcrs/self-assessment/index.html
• TechTarget Business Impact Analysis template: one of several free templates to help you tackle the crucial BIA that is part of every good BC program 
• http://searchdisasterrecovery.techtarget.com/feature/Using-a-business-impact-analysis-BIA-template-A-free-BIA-template-and-guide
• ISACA Business Impact Analysis template: helps you tackle the crucial BIA that is part of every good BC program  
• http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/GroupDocuments/Business_Impact_Analysis_blank.doc
• Continuity Central US: a good website to know if you're doing BCP 
• http://www.continuitycentral.com/namerica.htm
• Continuity Central UK: a good website to know if you're doing BCP 
• http://www.continuitycentral.com
• NIST Business Impact Analysis Template http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_bia_template.docx
• Contingency Planning Guide for Federal Information Systems: because government agenices need BCP too  
• http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf
• MIT Business Continuity Plan: because schools need BCP too 
• http://web.mit.edu/security/www/pubplan.htm
• Business Continuity Planning Booklet, Federal Financial Institutions Examination Council (FFIEC) 
• http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx
• Latest Business Continuity Testing and Exercising News Headlines, Continuity Central 
• http://www.continuitycentral.com/bctenews.htm
• Principles and Practice of Business Continuity, Tools & Techniques: if you're going to buy a book on BCP, this is the one, by Jim Burtles
•  http://www.amazon.com/gp/product/1931332398

Footnote: My previous BCP deep dives 

I did a fair bit of research on disaster recovery and business continuity about 10 years ago when I worked on a project to create an incident response tool for SMBs and regional offices of larger enterprises. That experience dovetailed nicely into a contract to work with Prof. Michael Miora on the development of a Masters degree BCM curriculum for Norwich University in Vermont.