BCMS2: Begin from Minimum, but Keep Developing
Do you think developing a Business Continuity Management System (BCMS) is a hard challenge? This may be because you know some BCMSs contain detailed processes and lots of documentation. I would like to say these BCMSs are too complicated. I have seen numerous unnecessarily complicated BCMSs.
What is worse, complicated frameworks tend to have problems with data quality. Complexity can lead to a lack of information because it is not easy to convince busy information providers (for instance, representatives of each department) to fill in the templates. Also, the reviewers may get so tired that they skip reviewing some of the content.
Let us use an example. Executing a Business Impact Analysis (BIA) is generally one of the most challenging processes in BCMS. If you use a questionnaire as many companies do today, regardless of the format (an IT tool or an MS Excel file), you must handle a variety of stakeholders and manage consistency across the organization. Simplifying the questionnaire is one way. You may also be able to organize a workshop instead of a questionnaire because critical activities are often obvious in the company.
Example Idea for Simple BIA
- Organize a workshop with key stakeholders
- Discuss a direct question such as “which business activities must we prioritize to continue?”
- Arrange an external expert for facilitation to avoid biased decisions led by those that have internal power
- Focus on the consequence (= business interruption), forget about the cause and possibility
- Additional information such as resource requirements will be collected afterwards, focusing on the high priority business activities
This method is not suitable for organizations that already have a mature BCMS (with good quality data) or for large, complex organizations. But it should be a good starting point if you are just starting or you are tired of the current method.
However, the most important thing is to develop the BCMS continuously. This is essential in any management system. You do not have to develop a great system from the start because it is impossible to be perfect anyway. But you will be expected to improve over time.
In terms of BCMS, Business Continuity Plans (BCP) particularly need to be repeatedly tested and improved. That is why the value of testing and exercising cannot be emphasized enough.
ISO 22301:2019(en) Security and resilience — Business continuity management systems. (as of 16 Apr 2020, some ISO (International Organization for Standardization) standards including ISO 22301:2019 are freely accessible to support global efforts in dealing with the COVID-19 crisis)