Business Continuity Management (BCM): Definition & Benefits

But that is not enough: When an emergency occurs, it must also be managed (= response).

This is where emergency management comes into play: crisis or emergency management describes the response to non-preventable incidents with significant financial or legal consequences for business operations, reputation or life/limb of people.

Learn more about emergency and crisis management here.

BCM is usually a management responsibility and is often set up as part of an ISMS (Information Security Management System). Nevertheless, it is important to note that BCM is a holistic concept that must also be supported by the employees. More on this later.

When creating a BCM management system, it is common to proceed in several phases, starting with the identification of critical business processes and assets, evaluating them in the context of risk management, and then deriving preventive and reactive measures.

Here we show you step-by-step how to build a BCM.

An effective BCM has many advantages.

On the one hand, there are partly mandatory regulations that provide for BCM. Especially in the area of critical infrastructures. In addition, BCM is a must for companies seeking certain certifications such as ISO 27001.

Beyond that, however, BCM is rewarding even without regulations and certification, because a well thought-out BCM can protect critical business processes and ensure continuity of operations in the event of an emergency. And this can make or break the existence of a company, if we recall the initial example of the glass manufactory.

Beyond that, however, a functioning BCM serves not only the company's own operations, but also its customers, who in case of doubt depend on a functioning operation. This applies in particular to operators of critical infrastructures such as power and water generators, but also to software providers, for example, without whose software a company cannot accept payments or make reservations, for example.

Managers and crisis teams are responsible for preventing failures (=BCM), but in the event of an emergency they must also manage them in a way that limits damage as much as possible (= emergency and crisis management). No easy task - but not impossible.

Tips for crisis teams & management:

• Develop emergency plans: Responsible parties can create action plans in the event of an emergency and brief all responsible parties on a regular basis.
• Emergency simulations: Theory is good, practice is better! Regular emergency & crises drills help test the team's responses, identify weaknesses and improve the effectiveness of emergency plans.
• Emergency communication plans: A clearly structured communication plan ensures that relevant information is passed on quickly and reliably to the right people through the right channels in an emergency.
• Cyber security training for employees: Well-trained employees know how to act in an emergency in order to minimize damage and not endanger the security of all involved by acting recklessly. Additionally, they are less likely to be a target of cyber attacks that could result in emergencies. 

Tips for employees: 

Even though managers and crisis teams bear a great responsibility for business continuity: In an emergency, it depends on each individual. That's why we at IS-FOX have created an e-learning that explains to all employees in an easy-to-understand way what BCM is and what it is important for.

We also show how employees can support in an emergency, but also in preparing for a possible emergency:

• Knowing where to find information: Employees need access to the most important contact data (in an emergency).
• Not leaving mobile work devices at he office: Especially if emergency information is only accessible via these devices.
• Participate in training and education: Training on BCM should be offered and completed.
• Report incidents: Employees should be sure to report an incident or suspected incident in a timely manner.
• Follow instructions from the crisis team: In an emergency, employees should remain calm and follow the crisis team - avoiding unnecessary chaos.
• No uncoordinated communication: A crisis situation should never be communicated uncoordinated to third parties (e.g., the press). It is better to leave communication to the professionals.