Maintain BCM Plan Resiliency with Regular Maturity Assessments

Business continuity management (BCM) is all about the planning and preparation an organization undertakes to survive should crisis strike. It identifies risk and quantifies its impact on an organization’s critical business processes, customer satisfaction, financial stability, contractual and regulatory compliance, operational capabilities and brand reputation.

With an ongoing COVID-19 pandemic, escalating cyber threats, climate and supply chain risks and more, a well-developed BCM plan is more critical than ever. So is measuring its resiliency and its preparedness to respond to key threats and protect the organization’s business interests through rational, effective and timely recovery protocols.

Driving Maturity in Business Continuity Management Programs

Change is constant in all business environments, and your BCM plan must be flexible enough to remain effective as conditions change. Performing regular maturity assessments on your BCM plan is extremely important to test the plan’s effectiveness at mitigating key exposures and, ultimately, to drive operational resiliency in the organization.

A BCM assessment is a formalized method for evaluating how business continuity processes are being managed. The goals of the assessment are to determine whether the program and plan have been developed and are managed according to industry best practices, to identify weaknesses, and to provide recommendations for business continuity plan improvements where warranted. Why invest valuable time, resources and expense to develop a business continuity plan only to let it become outdated?

While BCM program assessments can be time-consuming, up-front and proactive planning can drive efficiencies and accelerate the process of keeping the plan current with organizational needs.

An effective business continuity assessment requires a structured framework and access to qualified staff or external consultants to generate high-quality results. Your broker is a strong resource to help you through the maturity assessment process.

Maturity assessment activities of a BCM program may include but are not limited to the following:

  • Interviewing key stakeholders and participants in the program
  • Reviewing plan development documents including business impact analysis and risk assessments
  • Verifying current state of recovery strategies
  • Verifying recovery time objectives and recovery point objectives
  • Reviewing individual business unit continuity planning and disaster recovery plans to ensure that they are complete, accurate and up to date
  • Reviewing communication/notification protocols among management, staff and external stakeholders
  • Examining training materials, procedures, and guidelines
  • Reviewing plan exercise results and exercise criteria
  • Reviewing contractor and service provider contingencies
  • Verifying senior management sign-off responsibility and accountability

If you have a Business Continuity Management Program in place, you want to be confident that the plan your business continuity investment produced will respond effectively in the event of a disaster. A viable plan should not only help protect your organization’s interests but should also consider the extent of the company’s responsibilities to other entities and be cognizant of supply chain exposures.

It is critical that measures are developed and implemented to track your risks and to ensure that management is regularly informed of, and ready to assess and improve, the organization’s preparedness and continuity capabilities in the event of a disaster.

Where many businesses’ BCM plans are today:

  • Sponsorship and steering committee defined
  • Risk assessment/business impact analysis is performed regularly
  • IT asset criticality and recovery time objectives are in place as an initial framework for recovery/restoration
  • Critical dependencies are documented
  • Documentation exists but may not be validated for the various plan types (EAPs, CMPs, DRPs, BCPs)
  • Program testing for both business and IT is performed only on a limited basis
  • Communications tools are in place but may not be fully tested
  • Objective program review occurs periodically

The goal is to reach this stronger BCM plan level:

  • Business continuity program policies and standards are documented
  • Detailed business impacts and risks are identified, quantified and regularly reviewed
  • Fully documented plans exist, including up-to-date contact information, recovery resource requirements, critical function listings and identified dependencies
  • Detailed plans for failover and failback of all critical systems are developed
  • Employees are aware of the program and involved in drills that successfully demonstrate recovery within stated RTOs
  • Pre-defined maintenance triggers are in place and followed for automatic plan updates
  • Formal test schedule is in place for business and technology tests

Putting the Standards to Work to Develop an Effective BCM Approach

Today, many organizations are seeking formal accreditation and certification for their BCM programs. The standards are:

  • ISO 22301:2012: Societal security -- Business continuity management systems
  • ISO 22330:2017: Guidelines for people aspects of business continuity
  • NFPA 1600: Disaster/Emergency Management and Business Continuity Programs, 2013 edition
  • ASIS International SPC.1-2009: Organizational Resilience: Security, Preparedness and Continuity Management Systems – Requirements with Guidance for Use

Aon’s BCM Maturity Assessment Workbook is based on three of the recognized industry standards (NFPA 1600, ISO 22301 and ISO 22330). It enables organizations to benchmark their program against best practices. The workbook consists of a menu of requirements, benchmarks and comparisons, and a best practice compliance aggregation dashboard founded upon the recognized standards.

Note: The BCM Maturity Assessment is designed to determine whether the applicable best practice processes have been followed as part of the preparedness plan. It is not intended to validate the viability or effectiveness of the plan. Beyond these standards, other codes and standards address the technical aspects of planning, such as evacuation and sheltering in place, among other critical components; these need to be considered as part of business continuity plan development, depending on specific organizational requirements.

References:

  • ISO 22301:2012: Societal security -- Business continuity management systems
  • NFPA 1600: Disaster/Emergency Management and Business Continuity Programs, 2013 edition
  • Disaster Recovery International
  • FEMA