what is the business continuity management

Processing Payment

• Take Courses
• Get Certified
• Attend Events
• Explore Resources
• The Foundation
• On-Demand Training

We offer a mix of in-person and online, instructor-led courses. Search courses for more information.

• Business Continuity
• Business Continuity Review
• Advanced Continuity
• Mastering Business Continuity
• Continuity Audit
• Auditing a Business Continuity Program: ISO 22301
• Auditing a Business Continuity Program: NFPA 1600
• Cyber Resilience
• Cyber Resilience Review
• Healthcare Continuity
• Business Continuity for Healthcare
• Business Continuity for Healthcare Review
• Public Sector Continuity
• Public Sector Continuity Review
• Risk Management
• Risk Management for Business Continuity
• Risk Management for Business Continuity Review
• BCOE 0100: Understanding Professional Practice One
• BCOE 0200: Understanding Professional Practice Two
• BCOE 0300: Understanding Professional Practice Three
• BCOE 0400: Understanding Professional Practice Four
• BCOE 0500: Understanding Professional Practice Five
• BCOE 0600: Understanding Professional Practice Six
• BCOE 0700: Understanding Professional Practice Seven
• BCOE 0800: Understanding Professional Practice Eight
• BCOE 0900: Understanding Professional Practice Nine
• BCOE 1000: Understanding Professional Practice Ten
• Instructor-Led Training
• Healthcare Continuity Review
• Risk Management Continuity Review
• Master's Case Study Review
• IT Disaster Recovery Planning
• Crisis Communications
• Business Continuity for Insurance Professionals
• Managing BC Team Burnout
• Business Continuity Metrics
• Exercising a Business Continuity Plan
• What's New in Business Continuity?
• Business Impact Analysis
• Pandemic Preparedness for Organizations
• Business Continuity Overview
• Professional Examinations
• Qualifying Exam 2017 Version - English
• Qualifying Exam 2017 Version - English (ADA Compliant)
• Qualifying Exam 2017 Version - Español
• Qualifying Exam 2017 Version - Français
• Qualifying Exam 2017 Version - Hebrew
• Qualifying Exam 2017 Version - Italian
• Qualifying Exam 2017 Version - Japanese
• Qualifying Exam 2017 Version - Português
• Master's Case Study Examination
• Specialty Examinations
• Audit Exam - CSA Z1600-17
• Audit Exam - ISO 22301
• Audit Exam - NFPA 1600
• Cyber Resilience Exam
• Cyber Resilience Exam - Japanese
• Healthcare Exam
• Public Sector Exam
• Risk Management Exam
• Workshop Examinations
• BCP BIA Exam
• BCP COMMS Exam
• BCP EXR Exam
• BCP MET Exam
• BCP MET Exam - Español
• BCP MND Exam

See a summary of all our training options one page. All courses are currently available online.

The leader in business continuity education and certification across many industries, DRI International offers team training designed to fit the needs of every organization, from private corporations to the public sector and everywhere in-between.

DRI International offers colleges and universities the opportunity to familiarize their students with information on business continuity professions and certifications recognized by private and public sector organizations around the world.

• Individual Certification
• Organizational Certification
• Honor Society
• Center of Excellence in Resilience
• Resilient Enterprise

* DRI's three levels of certification are associate certified, certified and master certified. Certifications beginning with "A" are associate, "C" certified and "M" master.-->

Certification is a two-part process; verification of knowledge and confirmation of experience.

A DRI International certification is the most widely recognized and respected business continuity certification in the world. DRI only certifies professionals that have demonstrated both knowledge and experience in the business continuity and/or disaster recovery profession.

Learn more about how to unlock your DRI digital badge and display your DRI certification to enhance your online professional profile today.

Maintaining your DRI International certification carries two requirements; an annual maintenance fee as well as Continuing Education Activity Points (CEAP).

• Annual DRI Conference
• Agenda/Program
• Awards of Excellence
• Submit a Nomination
• Past Award of Excellence Winners
• Collegiate Conferences
• Past Webinars
• Resilience Excellence Summit

Learn more and register for this free online event March 1-3, 2021!

Be a part of the premier business continuity conference. Join us at DRI2024 in New Orleans, Mar. 3-6, 2024. Check back for more information.

We speak at numerous industry events around the globe and engage with our community in a variety of ways. Find out where you can meet DRI at these upcoming events.

Join us for the must-attend DRI annual conference for business continuity and resilience professionals taking place in Las Vegas, Nevada Feb 17-20, 2019.

• Professional Practices
• Government/Policymakers
• Digital Badges
• Drive en Español
• Advertising in Drive
• Scholarships
• High School/College
• Veterans Outreach Program
• Women in Business Continuity Management
• Certified Professionals
• Certified Vendors
• Hiring Resources
• Hiring Guide
• Local Language Information

Through committees and other initiatives, we publish research and insights about the profession. Explore our library and other resources.

DRI International webinars cover vital resilience issues, engaging and informing professionals in the field. See what's coming up next and view previously broadcast presentations here.

Learn how to hire the right business continuity professionals that will enable your organization to withstand any crisis and come through even stronger with the DRI Hiring Guide. Download now.

• Our Mission
• Letter from the President
• Leadership and Staff
• Testimonials
• International Partners
• United Kingdom
• Collaborative Partner Organizations
• DRI in the News
• Press Releases
• What is BCM?

BCM is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience.

We reach out and engage as many audiences as possible using broad media coverage to provide a forum for discussion. We serve as a trusted resource to other professions and the general public.

We speak at numerous industry events around the globe and engage with our community in a variety of ways. Find out where you can meet DRI.

DRI International Accessibility Statement

DRI International is committed to ensuring that individuals with disabilities can access the content offered through our website, www.drii.org .

If you are having trouble accessing www.drii.org , you can email [email protected] for assistance. Please put "ADA Inquiry" in the subject line of your email and we will assist you.

Payment Receipt

Conference orders, business continuity management.

What is Business Continuity Management?

Business Continuity Management is defined as a: Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. ( International Glossary for Resiliency )

Business Continuity Management (BCM) integrates the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology continuity) and Business Continuity (organizational/operational relocation).

Throughout the profession, definitions of Business Continuity Management abound. However, research conducted by the DRI International Glossary Committee identifies the most accurate description of Business Continuity Management as the definition from the ISO 22301 standard cited above. As part of an ongoing process to create and maintain an international glossary, the committee determined the best-in-class definitions for commonly used BCP/DR terms. Creation of the glossary document involved an independent body of highly respected volunteers examining existing recognized definitions and reaching a consensus on which source(s) reflected the most accurate meaning.

The Value of Business Continuity Management

The reasons to have a robust Business Continuity Management program are many and the scope of such a program is enterprise-wide. Here is a list of some of the top reasons that make Business Continuity Management a priority:

Legal and Regulatory Compliance

Regulation: There are over 120 regulations that mandate Business Continuity Management across a variety of industries, including but not limited to:

• Financial Services - Federal Financial Institution's Examination Council ( FFIEC ), Financial Industry Regulatory Authority ( FINRA ), Financial Services Authority ( FSA ), among others
• Energy - North American Electric Reliability Corporation ( NERC ) and Federal Energy Regulatory Commission ( FERC )
• Healthcare - Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) and Joint Commission on Accreditation of Healthcare Organizations ( JCAHO )
• International - The International Regulatory Framework for Banks ( BASEL III ) and all Central Banks have Business Continuity Management requirements

Negligence: Court decisions, the basis for common law, have ruled that "failure to prepare" as well as "failure to plan" are grounds for negligence. Negligence is defined as a part of tort or personal injury as "a failure to use that degree of care that any prudent person would use under the same or similar circumstances."

Demands by Organizations for their Vendors

Customer demand: Requests for Proposal (RFPs) now require potential vendors to demonstrate that they have Business Continuity Management programs in place.

Regulation: There are regulatory requirements that govern preparedness in the supply chain. Specifically, federally chartered banks are governed by the FFIEC and the OCC (Office of the Controller of the Currency), which charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. For healthcare organizations, the primary regulatory consideration in the supply chain is covered under HIPAA. All of these regulations call for ongoing monitoring of the third party's activities and performance.

Smart business: It is a competitive advantage for companies to have a resilient supply chain that will make them better able to respond to a disruption than their competition. This ability will make the prepared company a more attractive supplier to larger organizations that will benefit from the increased reliability of the smaller business.

To Maximize Insurance Coverage

Business Continuity Management increases an organization's ability to provide risk transfer information, including in the:

• Analysis Phase of Business Continuity Management: Organizations conducting a Business Impact Analysis (BIA) will be able to ascertain the profit losses as well as the amount of fixed costs that must be paid in the event of an incident that triggers an insured peril. This calculation will help quantify the proper amount of Business Interruption Insurance (BI). The BIA similarly helps to calculate Contingent Business Interruption Insurance (CBI) and Supply Chain Insurance reimburses lost profits resulting from an interruption of business at the premises of a customer or supplier.
• Strategy Phase of Business Continuity Management: Extra Expense Insurance provides for maintaining the operations of an insured item after an accident until normal operations can be restored.

Reputation and Resilience Management

Business Continuity Management can help organizations protect their reputation and increase their resilience in the face of adverse circumstances, whether internal or external. Business Continuity Management can help to protect the brand from a variety of risks, including cyber risks, deliver to customers as promised, and reduce downtime and the cost of recovery in the event of an incident.

• Data Center as a Service Overview
• Hardware as a Service Flexible Hardware Leasing
• Bare Metal Cloud API-Driven Dedicated Servers
• Object Storage S3 API Compatible Storage Service
• Meet-Me Room Overview
• AWS Direct Connect Dedicated Link to Amazon Cloud
• Google Cloud Interconnect Private Connectivity to Google Cloud
• Megaport Cloud Router Simplified Multi-Cloud Connections
• All Carriers Global Interconnectivity Options
• Data Center Locations Overivew
• Phoenix, AZ The Largest Fiber Backbone in the U.S.
• Ashburn, VA The Largest Fiber Backbone in the U.S.
• Atlanta, GA A Top Market for Bandwidth Access
• Amsterdam, NL The Connectivity Hub of Europe
• Belgrade, RS Strategic PoP in the Southeast Europe
• Singapore, SG Most Neutral Business-Friendly Climate
• Platform Overview
• Instance Pricing See All Configurations
• Infrastructure As Code DevOps Integrations
• BMC vs. Dedicated Servers Choose the Best Option
• Supermicro Servers Industry-Leading Hardware
• Rancher Deployment One-Click Kubernetes Deployment
• Intel Xeon E-2300 Entry-Level Servers
• 3rd Gen Intel Xeon Scalable CPUs Boost Data-Intensive Workloads
• Ecosystem Underlying Technologies
• Object Storage S3-Compatible Storage Solution
• Dedicated Servers Overview
• FlexServers Vertical CPU Scaling
• Intel Xeon-E Servers Intel Xeon 2200 Microarchitecture
• GPU Servers Servers with NVIDIA Tesla GPUs
• Dedicated Servers vs. BMC Compare Popular Platforms

What is Business Continuity Management (BCM)? Framework & Key Strategies

Home / Data Protection / What is Business Continuity Management (BCM)? Framework & Key Strategies

Business continuity management is a critical process. It ensures your company maintains normal business operations during a disaster with minimal disruption.

BCM works on the principle that good response systems mitigate damages from theoretical events .

What is Business Continuity Management? A Definition

Business continuity management is defined as the advanced planning and preparation of an organization to maintaining business functions or quickly resuming after a disaster has occurred.  It also involves defining potential risks including fire, flood or cyber attacks.

Business leaders plan to identify and address potential crises before they happen. Then testing those procedures to ensure that they work, and periodically reviewing the process to make sure that it is up to date.

Business Continuity Management Framework

Policies and strategies.

Continuity management is about more than the reaction to a natural disaster or cyber attack. It begins with the policies and procedures developed, tested, and used when an incident occurs.

The policy defines the program’s scope, key parties, and management structure. It needs to articulate why business continuity is necessary and governance is critical in this phase.

Knowing who is responsible for the creation and modification of a business continuity plan checklist is one component. The other is identifying the team responsible for implementation. Governance provides clarity in what can be a chaotic time for all involved.

The scope is also crucial. It defines what business continuity means for the organization.

Is it about keeping applications operational, products and services available, data accessible, or physical locations and people safe? Businesses need to be clear about what is covered by a plan whether it’s revenue-generating components of the company, external facing aspects, or some other subset of the total organization.

Roles and responsibilities need to be assigned during this phase as well.

These may be roles that are obvious based on job function, or specific,  given the type of disruption that may be experienced. In all cases, the policy, governance, scope, and roles need to be broadly communicated and supported.

Business Impact Assessment

The impact assessment is a cataloging process to identify the data your company holds, where it’s stored, how it’s collected, and how it’s accessed  It determines which of those data are most critical and what the amount of downtime is that’s acceptable should that data or apps be unavailable.

While companies aim for 100 percent uptime, that rate is not always possible, even given redundant systems and storage capabilities. This phase is also the time when you need to calculate your recovery time objective, which is the maximum time it would take to restore applications to a functional state in the case of a sudden loss of service.

Also, companies should know the recovery point objective, which is the age of data that would be acceptable for customers and your company to resume operations. It can also be thought of as the data loss acceptability factor.

Risk Assessment

Risk comes in many forms. A Business Impact Analysis and a Threat & Risk Assessment should be performed.

Threats can include bad actors, internal players, competitors, market conditions, political matters (both domestic and international), and natural occurrences. A key component of your plan is to create a risk assessment that identifies potential threats to the enterprise.

Risk assessment identifies the broad array of risks that could impact the enterprise.

Identifying potential threats is the first step and can be far-reaching. This includes:

• The impact of personnel loss
• Changes in consumer or customer preferences
• Internal agility and ability to respond to security incidents with a plan
• Financial volatility

Regulated companies need to factor in the risk of non-compliance, which can result in hefty financial penalties and fines , increased agency scrutiny and the loss of standing, certification, or credibility.

Each risk needs to be articulated and detailed. In the next phase, the organization needs to determine the probability of each risk happening and the potential impact of each one. Likelihood and potential are key measures when it comes to risk assessment.

Once the risks have been identified and ranked, the organization needs to determine what its risk tolerance is for each potentiality. What are the most urgent, critical issues that need to be addressed? At this phase, potential solutions need to be identified, evaluated, and priced. With this new information, which includes probability and cost, the organization needs to prioritize which risks will be addressed.

The ranked risks then need to be evaluated as to which risks will be addressed first. Note that this process is not static. It needs to be regularly discussed to account for new threats that emerge as technologies, geopolitics, and competition evolves.

Validation and Testing

The risks and their impacts need to be continuously monitored, measured and tested. Once mitigation plans are in place, those also should be assessed to ensure they are working correctly and cohesively.

Incident Identification

With business continuity, defining what constitutes an incident is essential . Events should be clearly described in policy documents, as should who or what can trigger that an incident has occurred. These triggering actions should prompt the deployment of the business continuity plan as it is defined and bring the team into action.

• Disaster Recovery

What’s the difference between business continuity and disaster recovery ? The former is the overarching plans that guide operations and establish policy. Disaster recovery is what happens when an incident occurs.

Disaster recovery is the deployment of the teams and actions that are sprung. It is the net results of the work done to identify risks and remediate them. Disaster recovery is about specific incident responses, as opposed to broader planning.

After an incident, one fundamental task is to debrief and assess the response, and revising plans accordingly.

Role of Communication & Managing Business Continuity

Communication is an essential component of managing business continuity. Crisis communication is one component, ensuring that there are transparent processes for communicating with customers, consumers, employees, senior-level staff, and stakeholders. Consistent communication strategies are essential during and after an incident. Messaging must be consistent, accurate, and coming from a unified corporate voice.

Crisis management involves many layers of communication, including the creation of tools to indicate progress, critical needs, and issues. The types of communication may vary across constituencies but should be based on the same sources of information.

Resilience and Reputation Management

The risks of not having a business continuity plan are significant. The absence of preparing means the company is ill-prepared to address pressing issues.

These risks can leave a company flat-footed and can lead to other significant problems, including:

• Downtime for cloud-based servers, systems, and applications. Even minutes of downtime can result in the loss of substantial revenue.
• Credibility loss to reputation and brand identity. Widespread, consistent, or frequent downtime can erode confidence with customers and consumers. Customer retention can plummet.
• Regulatory compliance can be at risk in industries such as financial services, healthcare, and energy. If systems and data are not operational and accessible, the consequences are severe.

Prepare Today, Establish a Business Continuity Management Program

Managing business continuity is about data protection and integrity, the loss of which can be catastrophic.

It should be part of organizational culture. With a systematic approach to business continuity planning, businesses can expedite the recovery of critical activity.

• Cloud Computing
• Company News
• Data Centers
• Data Protection
• Dedicated Servers
• Security Strategy
• Virtualization

Take Control of Your Multi-Cloud Environment

73% of enterprises use two or more public clouds today. While multi-cloud accelerates digital transformation, it also introduces complexity and risk.

Vmware cross-cloud™ services enable organizations to unlock the potential of multi-cloud with enterprise security and resiliency., build & operate cloud native apps give developers the flexibility to use any app framework and tooling for a secure, consistent and fast path to production on any cloud., connect & secure apps & clouds deliver security and networking as a built-in distributed service across users, apps, devices, and workloads in any cloud., run enterprise apps anywhere run enterprise apps and platform services at scale across public and telco clouds, data centers and edge environments., automate & optimize apps & clouds operate apps and infrastructure consistently, with unified governance and visibility into performance and costs across clouds., access any app on any device empower your employees to be productive from anywhere, with secure, frictionless access to enterprise apps from any device., anywhere workspace.

Access Any App on Any Device Securely

App Platform

Build and Operate Cloud Native Apps

Cloud & Edge Infrastructure

Run Enterprise Apps Anywhere

Cloud Management

Automate and Optimize Apps and Clouds

Desktop Hypervisor

Manage apps in a local virtualization sandbox

Security & Networking

Connect and Secure Apps and Clouds

Run VMware on any Cloud. Any Environment. Anywhere.

On public & hybrid clouds.

On Private Cloud & HCI

Anywhere Workspace Access Any App on Any Device Securely

App platform build and operate cloud native apps, cloud infrastructure run enterprise apps anywhere, cloud management automate and optimize apps and clouds, edge infrastructure enable the multi-cloud edge, networking enable connectivity for apps and clouds, security secure apps and clouds, by industry, manage your multi-cloud environment.

Multi-cloud made easy with a family of multi-cloud services designed to build, run, manage and secure any app on any cloud.

For Customers

For partners, working together with partners for customer success.

See how we work with a global partner to help companies prepare for multi-cloud.

Tools & Training

Marketplace, blogs & communities.

• Topics 
• VMware Glossary 
• Content 
• Business Continuity

What is business continuity?

Business continuity  is a business’s level of readiness to maintain critical functions after an emergency or disruption. These events can include:

• Security breaches
• Natural disasters
• Power outages
• Equipment failures
• Sudden staff departure

Anywhere Workspace For Dummies

Hindsight Is 2020 — The Pandemic Provides A Wake-Up Call: Integrated Solutions Future-Proof Organizations.

Why business continuity is important.

Leading organizations make business continuity a top priority because maintaining critical functions after an emergency or disruption can be the difference between the success and failure of a business. If key business capabilities fail, a quick  recovery time  to bring systems back up is crucial. Getting a business continuity strategy in place before disaster hits can save a tremendous amount of time and money. The plan for recovery needs to include roles and responsibilities, as well as which systems need to be recovered in which order. There are many aspects of business continuity to consider and test, which is another reason to plan ahead. For instance, large data sets can take an excruciatingly long time to restore from a backup, so failover to a remote data center might be a better solution for businesses with a large amount of data.

When resiliency and recovery plans fail, or when an unforeseen event occurs, a  contingency plan  can act as a last resort. A contingency plan includes a practiced strategy and plan for last-resort needs. These needs could range from asking third-party vendors for help to finding a second location for emergency office space or remote back-up servers.

What does business continuity include?

A business continuity and risk management plan usually involves three considerations:

• Contingency

There are many international standards and policies to guide the development of disaster recovery and  business continuity plans .

What is business continuity management?

Business continuity management is the process of planning for and dealing with potential threats and hazards to an organization’s ability to maintain business continuity. This management requires: 

• Evaluating  the importance of different business functions in a business impact analysis
• Creating  a plan for maintaining at least the most critical elements despite a disturbance

Business continuity and disaster recovery

Business continuity and disaster recovery are inextricably linked. Having a business continuity and crisis management plan in place can save businesses hundreds of thousands of dollars, and can even mean the difference between surviving the business repercussions from a natural disaster or folding. With a good business continuity strategy, and effectively managed disaster recovery tools, businesses have a much better chance of getting up and running faster after a disaster. Ideally, well-prepared businesses should be in a place to continue operations as if nothing had happened. Businesses without a disaster recovery strategy and business continuity plan in place are much more vulnerable to being wiped out by a natural disaster or cyber attack.

Business continuity tools

There are a wide variety of business continuity tools to choose from, which all perform slightly different functions:

• Back-up:  Backing up data is one of the simplest ways to ensure business continuity. Storing data off site or on a remote drive provides some business continuity, but other tools are needed to back up the IT infrastructure and keep it functioning in the event of a disaster.
• Backup as a Service:  Backup as a Service is similar to backing up data at a remote location, but a third-party provider performs the back-up. Again, only the data is backed up, not the IT infrastructure.
• Point-in-time and Instant Recovery Copies: Point-in-time copies or snapshots copy the entire database at regular intervals. Similar to point-in-time copies, instant recovery copies take snapshots of entire virtual machines. If these copies are stored off-site or on a virtual machine that is unaffected by the disaster, data can be restored from these backups.
• Cold Site:  Businesses can set up a basic infrastructure in a second facility known as a cold site, where employees can work after a natural disaster or fire. A cold site can help business operations to continue, but it must be combined with other methods of disaster recovery that protect or enable recovery of important data.
• Hot Site:  A hot site is a second business location that functions like a cold site and also maintains an up-to-date copy of data at all times. Hot sites dramatically reduce downtime, but they are more expensive than cold sites and more time-consuming to set up.
• Disaster Recovery as a Service (DRaaS):  A disaster recovery as a service (DRaaS) provider moves an organization’s computer processing to their own cloud infrastructure in the event of a disaster. Businesses pay for this service through a subscription or a pay-per-use model. One advantage of DRaaS is that businesses can continue to operate seamlessly from the vendor’s location, even if their own servers are down. Choosing a local DRaaS provider will ensure higher latency, but if the vendor’s servers are too close to the disaster location, their own servers may be affected by the same disaster.
• Physical Tools:  Physical disaster recovery tools can mitigate the effects of certain types of disasters, except cyber attacks. Physical elements that can support business continuity include fire suppression tools to help data and computer equipment survive a fire, and a back-up power source that supports businesses through short-term power outages.
• Virtualization:  Backing up an IT infrastructure is one of the trickiest parts of a business continuity strategy. Virtualization is one of the few ways to back up a working replica of an organization’s entire computing environment. Businesses can also automate some disaster recovery processes on off-site virtual machines that are unaffected by physical disasters, bringing everything back online faster. Frequent transfer of data and workloads is essential for virtualization to be an effective disaster recovery tool. IT teams must have a clear and current picture of how many virtual machines are operating within an organization at any given time.

Whichever tools an organization chooses to support their business continuity, it is important to test the tools and disaster recovery procedures before disaster strikes.

Recommended for You

• Remote-first
• Business Continuity Application
• Business Continuity Plan
• Disaster Recovery

Related Solutions and Products

Anywhere workspace solutions.

Enable employees to work from anywhere with secure, frictionless experiences.

Remote Work Solutions for Every Organization

Although working together no longer requires being in the same place, setting up a successful distributed workforce requires rethinking where and how teams work.

• Australasia
• Asia Pacific
• Middle East
• North America

What is business continuity?

• " onclick="window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no'); return false;" rel="nofollow"> Print

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'.

In other words it is about making proactive and reactive plans to help your organization  avoid  crises and disasters and to be able to quickly  return  to 'business as usual' should they occur.

Business continuity involves two distinct areas:

Business continuity planning - where a plan is developed that, when implemented, will help to prevent operational interruptions, crises and disasters happening and will help the organization quickly return to a state of 'business as usual' should any of these events occur. Once it has been prepared the business continuity plan must be tested and exercised to ensure that it will perform as anticipated.

Business continuity management - this is:

• The ongoing management of the business continuity plans to ensure that they are always current and available; and
• The ongoing management of operational resilience and process availability within an organization, with the aim of ensuring that the organization experiences the minimum possible day-to-day disruption.

What are the outputs of a business continuity program?

Business continuity achieves various things for organizations, with the degree of success in each area dependent on the amount of effort, skill, resource and commitment provided by the organization for business continuity activities. There will be a number of outcomes in every business continuity program which are specific to the organization in question, but the following are outcomes which should be achieved by every organization which takes business continuity seriously:

A deeper and clearer understanding of the organization The processes involved in developing the initial business continuity plan and then in maintaining and managing the BCP result in a clear overview of the overall organization; its structures, dependencies, suppliers and stakeholders. This information is not only essential for business continuity management it can also help planning and strategy in other non-related areas of organizational development and management.

Proactive measures Proactive measures are designed for the prevention of interruptions to organizational activities . The essence of good business continuity management is the identification and implementation of measures which can be put in place to proactively prevent operational interruptions taking place, and to prevent crises and disasters occurring. Business continuity management, at its highest level, is about keeping organizations operating at their maximum capability.

Reactive measures Reactive measures are designed for recovery from interruptions to organizational activities. Business continuity management programs includes plans for the reactive measures that will be taken should the proactive measures that are in place fail, become overwhelmed, or are bypassed by some unforeseen and unexpected crisis. Reactive measures enable the organization to return to an acceptable level of operations within a desired timescale following an interruption, disaster or crisis.

Culture change Business continuity management programs involve an exploration of organizational culture. Effective programs will utilise change management techniques to ensure that the organization encourages a culture where all employees are sufficiently aware of everyday risks and their individual responsibility to report, manage and mitigate risks.

Further resources

• Getting started with the business impact analysis
• The Business Continuity Business Case Template
• A step-by-step guide to writing a business continuity plan for your business
• What’s the difference between business continuity and disaster recovery?
• Business continuity and operational resilience – how different are they really?
• Five tips for successful business continuity planning
• Tips for improving your approach to business continuity exercises
• Business continuity training courses

Additional Resources

• 2023 predictions
• Operational resilience
• Cyber resilience
• Pandemic planning and response
• Business continuity standards

A website you can trust

Business continuity, get the latest news and information sent to you by email.

You are using an outdated browser. Please upgrade your browser or activate Google Chrome Frame to improve your experience.

Introduction to Business Continuity

Start here if you're new to business continuity.

What is Business Continuity?

Flood. Cyber attack. Supply chain failure or losing a key employee. Disruptions to your business can happen at any moment.

Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible.

Whether it’s a business, public sector organization, or charity, you need to know how you can keep going under any circumstances.

Potential incidents to consider

•  Supply chain failure - You don't have access to materials, goods or services
•  Utilities outage - You don't have access to electricity, water or internet
•  Cyber incident - You have suffered a cyber attack and your website is down

These are just some of the many incidents an organziation needs to consider and plan for.

Make a plan

A good BC plan recognises potential threats to an organization and analyses what impact they may have on day-to-day operations.

It also provides a way to mitigate these threats, putting in place a framework which allows key functions of the business to continue even if the worst happens.

Example: Do not rely on one supplier of raw materials, what if that supplier goes out of business? If you purchase raw materials from two suppliers then you are potentially halving your risk.

The BCI has designed a short, self-paced eLearning course that will help you understand the importance of business continuity and get you starting to think about the incidents that might impact your own organization and what you can do to mitigate them. This short course takes up to 30 minutes to complete.

Business Continuity Basics course

The BCI has many other free resources available to enhance your understanding of business continuity, see a few below to start ...

View free webinar to understand the basics of business continuity.

 This webinar takes you through the basic business continuity concepts and quick wins on where to start (aimed at SMEs)

View webinar

What threats do organizations face?

The BCI Horizon Scan report identifies threats organziations should be aware of. Free to download.

Download Report

Download the BCI Good Practice Guidelines Lite

The BCI Good Practice Guidelines (GPG) Lite gives your a brief introduction to the Business Continuity Management Lifecycle and the stages included. It will help you put a plan together and give you insight to what is included in the full edition of the GPG and the content of the CBCI Certification course  

Download GPG Lite

• Disaster recovery planning and management

business continuity plan (BCP)

• Vicki-Lynn Brunskill

What is a business continuity plan (BCP)?

A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event.

The BCP states the essential functions of the business, identifies which systems and processes must be sustained, and details how to maintain them. It should consider any possible business disruption.

A BCP covers risks including cyber attacks , pandemics, natural disasters and human error. The array of possible risks makes it vital for an organization to have a business continuity plan to preserve its health and reputation. A proper BCP decreases the chance of a costly power outage or IT outage.

IT administrators often create the plan. However, the executive staff participate in the process, providing knowledge of the company and oversight. They also ensure the BCP is regularly updated.

This article is part of

What is BCDR? Business continuity and disaster recovery guide

• Which also includes:
• Business resilience vs. business continuity: Key differences
• A free business continuity plan template and guide
• Preparing an annual schedule of business continuity activities

Download this entire guide for FREE now!

Importance of business continuity planning

Business continuity planning is a proactive business process that lets a company understand potential threats, vulnerabilities and weaknesses to its organization in times of crisis. The creation of a business continuity program ensures company leaders can react quickly and efficiently to business interruption .

A BCP enables a company to continue to serve customers during a crisis and minimize the likelihood of customers going to competitors. These plans decrease business downtime and outline the steps to be taken -- before, during and after an emergency -- to maintain the company's financial viability.

Elements of a business continuity plan

According to business continuity consultant Paul Kirvan, a BCP should contain the following items:

• initial data at the beginning of the plan, including important contact information;
• a revision management process that describes change management procedures;
• the purpose and scope;
• how to use the plan, including guidelines as to when the plan will be initiated;
• policy information;
• emergency response and management procedures;
• step-by-step procedures;
• checklists and flow diagrams;
• a glossary of terms used in the plan; and
• a schedule for reviewing, testing and updating the plan.

In the book Business Continuity and Disaster Recovery Planning for IT Professionals , Susan Snedaker recommends asking the following questions:

• How would the organization function if desktops, laptops, servers, email and internet access were unavailable?
• What single points of failure exist?
• What risk controls and risk management systems are in place?
• What are the critical outsourced relationships and dependencies?
• During a disruption, what workarounds are there for key business processes and internal functions, such as human resources?
• What is the minimum number of staff needed to run data center and other operations, and what functions would they need to carry out?
• What are the key skills, knowledge and expertise needed to recover?
• What critical security or operational controls are needed if computer systems are down?

Business continuity planning steps

The business continuity planning lifecycle contains these five steps:

• Information gathering and analysis, featuring business impact analysis (BIA) and risk assessment (RA);
• plan development and design;
• implementation;
• testing; and
• maintenance and updating.

BCP implementation

Once the business has started the planning process, it launches the BIA and RA processes to collect important data. The BIA defines the critical functions that must continue during a crisis and the resources needed to maintain those operations. The RA details the potential internal and external risks and threats, the likelihood of them happening, and the possible damage they could cause.

The next step determines the best ways to deal with the risks and threats outlined in the BIA and RA, and how to limit damage from an event. A successful business continuity plan defines step-by-step procedures for response.

The BCP should not be overly complex and does not need to be hundreds of pages long; it should contain just the right amount of information to keep the business running. Small businesses can use a one-page plan with all the necessary details. That can be more helpful than a long plan that is difficult to use. Those details should include the following:

• minimum resources needed for business continuity;
• locations where that can take place;
• personnel needed to accomplish it; and
• potential costs.

Key implementation steps

The four steps involved in implementing a BCP are the following:

• Oversight. Decide who will oversee the plan. Ideally, a BCP committee will include business, security and IT leaders.
• Analysis. Conduct the BIA.
• Who will be affected by a business disruption?
• Who holds a hard copy of contact information for top customers and clients?
• How and when will customers, employees and management be notified?
• What are the alternative means of communication if phones go down?
• Which employees are needed for the restoration of critical business functions and how will they be reached or relocated?
• Which critical products and services should the company focus on restoring first?
• What issues must be addressed within the first 24 to 48 hours?
• Does every team and department have its own BCP? Who is in charge of each?
• What is the emergency succession plan for senior staff, including the CEO?
• Which employees will perform emergency tasks?
• Where will off-site crisis meetings take place?
• Who will interact with local emergency responders, such as firefighters and police?
• Who are the key vendors, including data backup providers?
• Initial response. This defines how the company will respond to the business interruption within the first hours. This is the period when team members are contacted and the BCP is activated.
• Relocation. During this stage, alternate facilities are activated and work-at-home policies implemented.
• Recovery. Once personnel and equipment have been relocated, the assessment of damage and monitoring of business recovery begins. The recovery strategy must consider the organization's recovery time objective , or RTO, which is the maximum time IT systems can be down after a failure, as well as its recovery point objective , or RPO, which is the maximum data loss the organization can tolerate.
• Restoration. Personnel return to the original workplace or an alternate site. The company undertakes infrastructure verification, documents the incident and reviews lessons learned.

BCP testing

An organization's technology, processes, staff and facilities constantly change. Therefore, regular testing, reviewing and updating of a BCP is critical. Plan testing should be undertaken using tabletop exercises, walk-throughs, practice crisis management communications and emergency enactments to test the viability of the plan and to see how employees and executives react under stress.

Regular testing and maintenance ensure the BCP is current and accurate. A simple test of a business continuity plan might involve talking through it. A complex test requires a full run-through of what will happen in the event of a business disruption.

The test can be planned in advance or it can be done spur of the moment to better simulate an unplanned event. If issues arise during testing, the plan should be corrected accordingly during the maintenance phase. Maintenance also includes a review of the critical functions outlined in the BIA and the risks described in the RA, as well as plan updating if necessary.

A business continuity plan must be continually improved; updates should not wait for a crisis. Staff members involved in the plan must get regular updates and business continuity training . An internal or external business continuity plan audit should be used to evaluate the effectiveness of the BCP and highlight areas for improvement.

For specific BCP testing steps, download the guide Business continuity and disaster recovery testing templates .

Business continuity planning software, tools and trends

There is help available to guide organizations through the business continuity planning process, from consultants to tools to full software. Which approach an organization should take depends on the complexity of the business continuity planning task, the amount of time and personnel available, and the budget. Before making a purchase, it is advisable to research both products and vendors, evaluate demos, and talk to other users.

For more complicated functions, business continuity planning software uses databases and modules for specific exercises. The U.S. Department of Homeland Security, through its Ready.gov website, offers software in its Business Continuity Planning Suite. Other business continuity software vendors include Castellan, formed from the merger of Assurance, Avalution and ClearView in 2020; CLDigital, formerly Continuity Logic; Fusion Risk Management; Quantivate; and Sungard Availability Services.

The Federal Financial Institutions Examination Council's Business Continuity Management booklet contains guidance on plan development, testing, standards and training for both financial and nonfinancial organizations.

Free download of BCP template

The role of the business continuity professional has changed and continues to evolve. As IT administrators are increasingly asked to do more with less, it is advisable for business continuity professionals to be well versed in technology, security, risk management, emergency management and strategic planning.

Business continuity planning must also take into account emerging and growing technologies, such as the cloud and virtualization , as well as new threats, such as cyber attacks like ransomware .

One resource that combines all these elements is SearchDisasterRecovery's free, downloadable business continuity plan template . It provides guidance and insight for creating a successful BCP.

Business continuity planning standards

Business continuity planning standards provide a starting point.

The International Organization for Standardization (ISO) 22301:2019 standard is regarded as the global standard for business continuity management . ISO 22301 is often complemented by other standards, such as the following:

• ISO 22313 guidance on the use of ISO 22301;
• ISO 22317 guidelines for business impact analysis;
• ISO 22318 continuity of supply chains;
• ISO 22398 exercise guidelines; and
• ISO 22399 incident preparedness and operational continuity management.

Other standards include the following:

• National Fire Protection Association 1600 emergency management and business continuity;
• National Institute of Standards and Technology SP 800-34 IT contingency planning; and
• British Standards Institution BS 25999 standard for business continuity.

Emergency management and disaster recovery plans

An emergency management plan is a document that helps to lessen the damage of a hazardous event. Proper business continuity planning includes emergency management as an important component. The appointed emergency management team takes the lead during a business disruption.

An emergency management plan, like a BCP, should be reviewed, tested and updated regularly. It should be fairly simple and provide the steps needed to get through an event. The plan also should be flexible, because situations are often fluid. Teams involved in the event of a disaster should communicate frequently during the incident.

Disaster recovery (DR) and business continuity planning are often linked, but they are different. A DR plan is reactive, as it details how an organization recovers after a business disruption. A business continuity plan is a proactive approach that describes how an organization can maintain business operations during an emergency.

Learn more about responding to unplanned emergencies in this complete guide to managing crises .

Continue Reading About business continuity plan (BCP)

• Tips for obtaining BC/DR plan and resilience funding
• How to use AI for business continuity and disaster recovery planning
• Compare and contrast business resilience vs. business continuity
• Follow these standards for business continuity and resilience
• Cloud-era disaster recovery planning: Assessing risk and business impact

Related Terms

Dig deeper on disaster recovery planning and management.

6 reasons a business impact analysis is important

business impact analysis (BIA)

disaster recovery plan (DRP)

IBM is combining its data protection products and working with a new partner to address one of the biggest challenges for ...

Asigra's forthcoming SaaSBackup platform lets Asigra data protection technology protect SaaS backups. MSPs will be able to sell ...

A new SaaS backup specialist emerges from stealth to protect data in apps such as Trello, GitHub and GitLab, which CEO Rob ...

Persistent Kubernetes storage startups like Ondat are becoming extinct as enterprise IT vendors prow the market for container ...

Analytical capabilities of the data management vendor's flagship product are now available as a separate SaaS to help provide ...

Data reduction techniques have been difficult to achieve on SSDs, but vendors appear to be making progress. The more effective ...

While some 2022 ransomware statistics indicate a possible 'decline' in activity, threat researchers warn there's more to the ...

IceFire ransomware actors have shifted their attention to Linux servers and are actively exploiting a known vulnerability in ...

Adopting extended detection and response and employing managed detection and response services may be the missing pieces of the ...

As artificial intelligence adoption increases, experts believe it's time for Congress to enact AI regulations to safeguard ...

Agility, experimentation and empathy are critical drivers to a successful digital transformation. Learn why IT leaders should ...

U.S. senators showed concern for national security when it comes to popular tech platforms owned and operated by foreign entities...

Bosnia and Herzegovina

Czech Republic

Netherlands

North Macedonia

Philippines

Saudi Arabia

South Africa

Switzerland

United Arab Emirates

United Kingdom

• jobs and careers
• Testing & Assessment 
• Certification & Auditing 
• Training & Qualification 
• Inspection & Supervision 
• Consulting & Project Management 
• Mastering Risk & Compliance
• Business Continuity Management

Business Continuity Management System (BCMS)

React quickly in times of crisis with a business continuity management system

You want to resume productive operations as quickly as possible after disruption or failure of your business processes, particularly those that rely on critical IT systems? Our business continuity management system (BCMS) as per ISO/IEC 22301 and ISO/IEC 27031 allows you to react quickly and correctly with practical emergency plans, IT emergency concepts and recovery plans.

A BCMS bundles interrelated methods, procedures and rules to safeguard the continuation of critical processes and can be integrated in or based on existing management systems. We define an individual strategy, which we derive from your specific requirements. With these necessary resources in place, it becomes possible for you to restart operations in order to avoid unacceptable downtimes.

You want your employees and business operations to continue to function even in times of crisis? Contact our experts now.

Safeguard your productivity with business continuity management and IT emergency management

Business continuity management is the best way to prepare for potential crises and minimize the impact of disruption. Use effective emergency planning to ensure that everyone at your company follows the plan when an incident occurs. Our pragmatic emergency concepts and recovery plans enable you to return to productive operations as quickly as possible after disruption or failure of your business processes, services, IT services or systems.

You can effectively reduce disaster related costs, meet compliance requirements and create an integrated risk management system that offers you legal certainty and a market advantage. By improving your availability level you also gain a considerable competitive edge, as your customers and business partners can rely on your company to stay functional even in times of crisis.

We develop your business continuity management system in just three steps

In just a few steps, we determine the maturity of your business continuity, develop a shared procedure for its continuous improvement and work with you to develop shared emergency strategies and plans:

• GAP analysis We analyze the existing aspects of your business continuity management system or IT emergency management system and therefore its maturity level.
• Improvement planning Based on this analysis we identify the measures needed to improve the maturity of your business continuity management system. We develop pragmatic approaches and measures that help you establish a suitable business continuity management system that evolves and improves over time.
• Implementation We work with you to implement the improvement plan and coach BCM officers how to implement and establish management tasks. This will give you the tools you need to handle a disaster or major incident, so you can act and react precisely and effectively in the event of an emergency.

The BCMS is designed, implemented and operated based on the standards ISO/IEC 22301 and ISO/IEC 27031.

On-demand webinar | ISO/IEC 22301 Business continuity managerment

Resilience of your business processes especially during critical incidents.

Learn how to deal with risk situations and limit potential losses due to interrupted supply chains.

Active crisis management with business continuity management

Our experts have extensive experience in the field of business continuity management. We help you introduce comprehensive BCM solutions and provide quality assurance while the project is in progress. We also help you coach your BCM officer and create tests and training concepts.

In addition, our "survival mix – risk and business continuity management" offer can bring together various analyses of threats ensuring alignment of your BCMS with identified risks.

Learn more about BCM. Make an appointment with our experts.

FAQ: Questions and Answers about Business Continuity Management

What is a business continuity management system.

A business continuity management system, or BCMS for short, is a management system that bundles interrelated methods, procedures and rules to ensure that critical business processes keep running in the event of damage or emergencies and continuously develops and improves them.

What are the advantages of Business Continuity Management?

With our emergency concepts and restart plans you can return to productive operation quickly after disruption or failure of your business processes, whether they are IT-assisted or not, and thus reduce downtimes. This is an effective way to lower follow-up costs and create a risk management system that provides legal certainty. You also gain a considerable competitive edge through a high level of availability.

What are the requirements for a comprehensive Business Continuity Management System?

A comprehensive BCMS should pursue a process-oriented approach and requires interaction between management processes, business processes and support processes. A business impact analysis (BIA) identifies the essential processes and assesses their availability requirements. Once the company has been analyzed, strategies and plans are developed to counter potential risks and scenario-based tests and exercises are conducted.

What standards underpin a BCMS?

A BCMS is designed, implemented and operated on the basis of standards ISO/IEC 22301 and ISO/IEC 27031.

What are the stages of developing and operating a BCMS?

We analyze your business processes and identify potential threats. On this basis we identify your actual protection needs. As part of a business impact analysis (BIA) we assess your business processes and IT services in regard to their availability requirements in case of an incident. Then we work with you to develop a suitable and detailed emergency strategy. We help you implement and operate the BCM software and create test and training concepts. During the project you also receive quality assurance from our certified experts.

What main BCMS-related questions does a business need to ask?

• How heavily is our productivity affected in the event of an incident?
• How do my customers and business partners react to a production outage?
• What is our maximum tolerated outage time?
• How can we maintain critical processes?
• What are the legal and regulatory requirements that could be breached?
• How can losses and effects be minimized?

Our experts on business continuity management systems can answer all these questions for you. Contact us now to find a solution that is tailored to your business.

Will my business automatically have permanent protection once the BCMS has been implemented?

No, setting up and operating a BCMS is not a one-off process, it requires regular testing and adjustment. This process is referred to as a continuous improvement process (CIP for short). We offer suitable training courses to ensure that the employees involved also receive continuous training.

Can a BCMS only run as an isolated management system?

No, it can be integrated in or based on existing management systems (e.g. QMS, ISMS).

Can a BCMS be certified?

Yes, if a BCMS has been implemented in line with ISO/IEC 22301:2019 it can be certified by an accredited company. Certification as per standard ISO/IEC 27031 is not possible.

Our Sustainability Initiatives

Nothing less than the future is at stake. Companies, institutions, public authorities and each and every one of us can play a positive role in shaping the path to tomorrow. We provide you with comprehensive support to ensure that you operate safely, sustainably and efficiently for many years to come.

Sustainable Infrastructure

Comprehensive approaches for the long-term protection of infrastructure

Sustainability Service Search

Test, evaluate, certify, and more: our sustainability services

Sustainability Strategy 2025

Find out how we work with you to protect the future

Contact us to request a non-binding offer

Get in contact with us, this might also interest you, data protection management system as per eu gdpr.

Our experts help you develop a data protection management system.

Governance, Risk and Compliance

Strengthen your corporate governance with software-supported automation of your management systems.

ISMS According to ISO/IEC 27001

Improve systematic control over your company’s information security.

Information Security Strategy Consultation

Information security from strategic decision to technical implementation.

Last Visited Service Pages

• Search Search Please fill out this field.
• Business Continuity Plan Basics
• Understanding BCPs
• Benefits of BCPs
• How to Create a BCP
• BCP & Impact Analysis
• BCP vs. Disaster Recovery Plan

Frequently Asked Questions

• Business Continuity Plan FAQs

The Bottom Line

• Investopedia

What Is a Business Continuity Plan (BCP), and How Does It Work?

Pete Rathburn is a copy editor and fact-checker with expertise in economics and personal finance and over twenty years of experience in the classroom.

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

• Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
• BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

• Determining how those risks will affect operations
• Implementing safeguards and procedures to mitigate the risks
• Testing procedures to ensure they work
• Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's IT system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How to Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

• Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
• Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
• Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
• Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be identified and corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

• The impacts—both financial and operational—that stem from the loss of individual business functions and process
• Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ," Pages 15 - 17. Accessed Sept. 5, 2021.

Business Essentials

Government & Policy

Tech Companies

Stocks & Bond News

• Terms of Use
• Editorial Policy
• Privacy Policy
• Do Not Sell My Personal Information

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

• Asia Pacific

Business Continuity Management (BCM)

• ISO 22301 – the international business continuity standard
• The benefits of ISO 22301
• ISO 22301 and business continuity consultancy
• ISO 22301 and business continuity gap analysis
• ISO 22301 policies and procedures
• Business resilience
• Speak to a business continuity expert

Speak to a BCM expert

Whatever the nature or size of your problem, we are here to help. Get in touch today using one of the contact methods below.

What is BCM (business continuity management)?

Business continuity management is a process that helps organizations ensure that their critical business functions will continue to operate in the event of an unexpected disruption.

The goal of business continuity management is to minimize the impact of disruptions on an organization and help it resume normal operations as quickly as possible.

A BCMS (business continuity management system) aligned to ISO 22301 is the best way to ensure effective business continuity.

Find out more about ISO 22301 >>

Why is BCM important?

BCM is about identifying potential threats early and planning for how business operations could be impacted.

An effective BCM program helps an organization maintain minimum acceptable operations during a disaster, preserving corporate reputation and revenue. It may also improve insurance rates and provide new contract opportunities.

The current cyber threat landscape has made business leaders more aware of the risks of cyber attacks and the importance of being able to respond to and recover from such attacks.

Effective BCM can protect organizations from widespread business disruptions, such as cyber attacks, industrial action, and natural disasters.

ISO 22301 – the international business continuity standard

The international standard ISO 22301 provides a best-practice framework for implementing an optimized BCMS, enabling you to minimize business disruption and continue operating in the event of an incident. An ISO 22301-aligned BCMS will help your organization recover critical operations as quickly as possible.

How BCM can meet regulatory requirements

A growing body of legislation also requires organizations in essential areas to demonstrate a degree of organizational resilience; implementing effective business continuity measurements would be a good start. 

The NIST CSF (Cybersecurity Framework)

In order to comply with the NIST CSF  (Cybersecurity Framework), organizations must first consider the five core funcations of the framework, all of which can be obtained by implementing strong BCM:

• Identify  potential cybersecurity risks to your information assets
• Protect  yourself against these risks by developing and implementing safeguards
• Detect  any irregular activity to determine if breaches have occurred
• Respond  to any detected breaches to contain their impact
• Recover  from these breaches by restoring any undermined assets

Learn more about NIST CSF >>

The EU's Network and Information Systems Directive 2018

Organizations offering essential services need to implement incident response capabilities in line with the requirements of the EU's Network and Information Systems Directive 2018 (NIS Regulations). Digital service providers (DSPs) within scope have the explicit requirement to put business continuity measures in place. Although not an explicit requirement for operators of essential services (OES), we strongly encourage them to consider implementing BCM measures; such measures would provide a well-defined structure for building incident response measures and effectively managing business interruptions.

Learn more about the EU's Network and Information Systems Directive 2018 >>

Free paper: Business Continuity and ISO 22301 – Preparing for disruption

Download this paper to learn about the fundamental components of best-practice business continuity management, including risk assessment, BIA (business impact analysis), and BCPs (business continuity plans), and discover our nine-step approach to implementing an effective BCMS aligned to ISO 22301:2019.

Download now

The BCM lifecycle

Effective BCM involves:

• Identifying critical activities
• Performing a BIA
• Performing a risk assessment
• Designing and implementing a BCP
• Testing and evaluating performance
• Putting a continual improvement process in place

Business continuity planning

Business continuity planning involves developing, testing and improving plans and procedures to enable an organisation to continue operating during a disaster and quickly return to normal operations.

The BCP is the key element of a BCMS, and ISO 22301 provides guidance on how to develop it.

Disaster recovery planning

Disaster recovery planning prioritises fully recovering and returning to full functionality in the event of an incident, whereas BCM focuses on preserving an organisation’s ability to function. Having said that, there is still a clear overlap, and disaster recovery does fit within an organisation’s business continuity framework.

Disaster recovery plans are often relatively technical and focus on the recovery of specific operations, functions, sites, services or applications. The BCP might contain or refer to a number of disaster recovery plans.

Let’s get started on your BCM project 

Let us share our expertise and support you on your journey to ISO 22301 compliance. Browse our range of bestselling products, services and simple solutions.

ISO 22301 - A Pocket Guide

A Manager’s Guide to ISO 22301

ISO 22301 2014 Standard

ISO 22301 BCMS Toolkit

Business Continuity Management / ISO 22301 Health Check