Business Continuity Management

In times of crisis, business processes must be resistant to internal and external influences to ensure business success. This is precisely where Business Continuity Management (BCM) comes into play. BCM ensures that in the event of unforeseeable business interruptions, the affected activities are restored within an acceptable timeframe.

Recent experiences with the vulnerability of society and the economy to pathogens such as Covid-19 have made the dependencies of (IT) technology, organisation and personnel abundantly clear. The “water pipe damage” in the server room, which was often the focus of attention in the past, is clearly receding into the background. This is not only due to Covid-19, but also in particular due to increasing cybersecurity risks and the growing dependence on digitalised business processes and increasing regulation (e.g. EU NIS 2 Directive, KRITIS umbrella law, etc.).

Effective and practicable BCM should ensure that companies are able to continue their time-critical activities at a minimum level (emergency operation) in the event of (IT) emergencies and crises and achieve a rapid restoration of normal operations - reliably, routinely and ideally without consequential damage.

In times of high digitalisation, the information security management system (ISMS), (IT) emergency management and crisis management are the most important components of a comprehensive company-wide BCM to strengthen the overall resilience of any organization.

REQUIREMENTS FOR BUSINESS CONTINUITY MANAGEMENT

A company-wide BCM must also include existing (IT) emergency risks, as these can jeopardize the existence of the company.

The following three key objectives have the highest priority:

Prevention: well-planned and structured BCM processes increase an organisation’s resilience to existing threats,
Reaction: targeted and well-planned emergency response measures and
Effectiveness: the fastest possible restoration of “vital” business activities after an (IT) emergency or crisis has occurred.

THE PROCEDURE FOR ESTABLISHING HOLISTIC BUSINESS CONTINUITY MANAGEMENT

The objectives and strategies are described by the company management in a BCM guideline. At the same time, it assumes overall responsibility and undertakes to provide the necessary resources for a holistic BCM that fulfils the requirements. This forms the basis for the development of (IT) emergency preparedness, consisting of guidelines, concepts and preparatory measures. This must also include a description of the (IT) emergency organization.

Another critical success factor is the Business Impact Analysis (BIA). It determines for which critical business processes a BCM needs to be established, which resources are required for this and which (IT) emergency plans therefore need to be drawn up. The (IT) emergency plans - together with business continuation or restart plans - ensure (IT) emergency management and support the emergency staff or crisis teams in their actions. A PDCA cycle (Plan-Do-Check-Act) ensures that the BCM is tested, adapted and further developed. In terms of methodology, recognized standards such as ISO 22301/ ISO 2236 can be used as a guide.