Business Continuity Management (BCM) ensures that critical functions of an organization remain operational to minimize the impact of disruptions on stakeholders. Let’s explore the practical steps to implement Business Continuity Management within the context of strategic planning.
An approach to business continuity management according to ISO 22301 involves:
- Identifying critical business elements
- Analyzing threats and risks
- Creating prevention and response plans, including training and simulations
- Tracking and learning from incidents
To integrate these elements into strategic planning, we will:
- Employ a value-based decomposition method
- Quantify strategies and plans with performance metrics
- Maintain actionable records in the form of initiatives, risks, and comments
Identification of Critical Business Elements
Our goal is to identify key business elements critical for business continuity. We use the following perspectives as a starting point:
- Information Systems
- Facilities and Locations
- Partners and Stakeholders
- Human Resources
- Physical Assets
- Financial Resources
Once the elements and sub-elements are defined, we can quantify their susceptibility to risk events by establishing Recovery Time Objectives (RTO).
For the Recovery Time Objective, we define:
- Measurement units (e.g., hours or days)
- The “Baseline” as the catastrophic recovery time
- The “Target” as the desired recovery time
- The current value, as the estimated recovery time based on technologies and policies in place
With this data, we can calculate the performance of each business element in terms of susceptibility or readiness in case of an emergency event.
In this context:
- A lower value (e.g., faster recovery time) will result in higher performance
- The performance function should not be linear; the extensive area next to the “catastrophic” baseline should be the red zone
In BSC Designer:
- Define the required recovery baseline, target, and current value on the Data tab.
- Use the “Exponential decay” function to create a performance function with a relatively small green zone for recovery times near the target and a significant red zone for longer recovery times.
The software enables the tracking of RTOs for each business element over time.
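The non-linear scoring described above can be sketched in a few lines. This is an added example, not code from BSC Designer: the decay constant, the zone thresholds, and the sample recovery times are assumptions chosen to show a small green zone and a wide red zone.

```python
import math

# Assumed shape constant and zone cut-offs; tune them to your own risk appetite.
DECAY_K = 5.0
GREEN_MIN, YELLOW_MIN = 0.60, 0.30

def rto_performance(baseline, target, current, k=DECAY_K):
    """Return readiness in [0, 1]: 1.0 at the target RTO, 0.0 at the baseline."""
    if baseline <= target:
        raise ValueError("baseline (catastrophic) must be longer than target")
    # Position between target (0.0) and baseline (1.0), clamped to that range.
    x = min(max((current - target) / (baseline - target), 0.0), 1.0)
    # Exponential decay, rescaled so both endpoints land exactly on 1 and 0.
    floor = math.exp(-k)
    return (math.exp(-k * x) - floor) / (1.0 - floor)

def zone(score):
    """Map a readiness score to a traffic-light zone."""
    if score >= GREEN_MIN:
        return "green"
    return "yellow" if score >= YELLOW_MIN else "red"

# Constructed sample data: (element, baseline h, target h, current estimate h).
ELEMENTS = [
    ("Information Systems", 72, 4, 8),
    ("Facilities and Locations", 240, 24, 120),
    ("Partners and Stakeholders", 168, 24, 48),
]

def assess(elements):
    """Score every element and list the least ready first."""
    rows = []
    for name, baseline, target, current in elements:
        score = rto_performance(baseline, target, current)
        rows.append((name, round(score, 3), zone(score)))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for name, score, colour in assess(ELEMENTS):
        print(f"{name:28s} {score:5.3f} {colour}")
```

With these assumed constants, a recovery time halfway between target and baseline already scores in the red zone, whereas a linear function would rate it at 50%.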
Threats and Risks Analysis
Analyze potential threats using these perspectives as a starting point:
- Operational
- Technological
- Economic
- Workforce
- Safety and security
- Environmental
- Reputation
- Legal
For each relevant threat, perform a decomposition into specific risks and conduct a Business Impact Analysis (BIA).
For instance, you can break down Technological threats into ‘Cybersecurity threats’ and further into a ‘Ransomware attack.’
The risk in this case can be quantified through a simple risk estimation formula, such as probability multiplied by impact. Various ways to define risks were discussed in a separate article.
Response Scenarios
Develop response scenarios for threats with the highest risk impact estimation scores.
A typical scenario will include:
- Business continuity plans (prevention, response, recovery)
- Communication plan
- Train and test plans
These plans can be quantified by:
- Regular update metric
- Training coverage
- Simulations / Exercises success
Consider ‘Scenario 1 – Ransomware Attack,’ which is broken down into:
- Business Continuity Plans
- Train and Test
The ‘Business Continuity Plans’ section includes several initiatives:
- Prevention Strategy
- Response Strategy
- Recovery Strategy
- Communication Plans
Within the ‘Communication Plans,’ the ‘Plan revised regularly’ metric quantifies the frequency of updates. The metric owner receives regular reminders to revise communication plans, ensuring that contact persons and their details remain up-to-date.
To validate the effectiveness of the ‘Response Strategy’ initiative, we quantify it with the ‘Simulations / Exercises’ indicator.
The ‘Train and Test’ section includes the ‘Phishing attack training and simulation’ initiative, along with two metrics:
- Training coverage
- Simulations / Exercises
While these continuity plans are presented as initiatives, further decomposition is possible. We can break them down into more specific sub-goals and metrics.
Mapping Incidents or Disruptions
To map active incidents, include disruption details and root cause analysis.
To quantify the impact, we can use the weighted impact assessment index consisting of:
- Financial impact
- Impact on customer relationships (quantified as a percentage of affected customers)
- Impact on operations (quantified as a percentage of critical operations affected)
- Legal and compliance impact (quantified by fines and other legal consequences)
- Long-term reputation impact (quantified as a percentage of customers lost over a 1-year period attributed to the crisis)
After resolving an incident:
- Update the finishing date in the ‘Disruption details and analysis’ element
- Change its status to ‘Completed’
- Map lessons learned and improvement initiatives
- Move the ‘Incident 1’ group to the ‘Past Incidents’ section.
Inheritance and Update Intervals for Indicators
Depending on the nature of quantification, indicators in the business continuity scorecard need to be configured in various ways.
Metrics Reusing Previous Values (Inherited)
Indicators quantifying the RTO (Recovery Time Objective) are set to use inherited values. In practice, this means that the RTO defined for the current year will automatically be applied for the next year unless redefined. The update interval for these indicators is set to annual or semiannual updates.
Indicators used for quantifying BIA (Business Impact Analysis) are also configured to use inherited values. The update intervals in this case can be adjusted according to the expected dynamic of the threat, using monthly for more dynamic threats and quarterly/annual intervals for stable threats.
Metrics Not Reusing Previous Values (Entered Values)
Metrics used to quantify business continuity plans, such as ‘plans revised regularly,’ ‘training coverage,’ and ‘simulation exercises,’ are configured for quarterly or annual update intervals. The inheritance option in this case is configured as ‘Use entered values,’ meaning that we do not reuse the previous value for the next period.
For instance, if plans are marked as revised for the current year, for the next year, we would need to revise plans again and update the state of the corresponding metric.
Metrics with No Scheduled Update
Finally, the update interval of metrics used for impact assessment of incidents is configured as ‘Never,’ indicating that we are interested in capturing only the current state of the indicator with no intention to monitor its evolution over time.
Linking by Context and Data
The fundamental concept of business continuity management involves establishing connections among:
- Critical business elements
- Threats and risks
- Scenarios
- Actual incidents
By creating these connections, we equip our team with all the necessary details to effectively respond to threats and learn from incidents.
To implement this concept in strategic planning, we link all the mentioned elements by context. This way, we can navigate from actual incidents to the corresponding scenarios and, if necessary, explore threats and risk analysis.
To establish context in BSC Designer:
- Copy the source item (e.g., relevant scenario) to the clipboard.
- Select the destination item (e.g., incident covered by the scenario).
- Paste from the clipboard and choose between ‘Link by Context’ or ‘Link by Data.’
Contextual connections will be available on the ‘Context’ tab for both items.
To navigate between items, double-click on the relevant connection.
Applying the same logic, response strategies with dedicated strategy scorecards can be aligned with incidents, risk assessments, and critical business elements.
A Strategy Scorecard for Crisis Response: Using COVID-19 as an Example
Business continuity strategy ensures the overall readiness of an organization for a crisis event. Depending on the scale of the crisis, a specific response strategy can be designed. The COVID-19 pandemic was one such example, where such a strategy helped to focus efforts and ensure strategic alignment.
Let’s review the COVID-19 strategy as an example of a crisis response strategy. The strategy scorecard followed the classical Balanced Scorecard approach:
In the Learning and Growth perspective, we focus on the skills and infrastructure needed to execute the business continuity strategy:
- Educating employees on COVID-19 (as measured by leading indicator “Awareness program penetration, %” and lagging indicator “% of practices actually implemented”)
- Conducting global scenario planning (with some specific initiatives aligned)
- Aligning IT systems with the challenges of remote work
- Introducing employees to the principles of remote work
In the Internal perspective, we formulate the goals related to the internal business systems that will help to execute the business continuity strategy effectively:
- Workforce protection
- Supply-chain stabilization
- Informing stakeholders
- Implementing remote work (including strategy meetings for a distributed team)
In the stakeholders’ perspective, we focus on the needs of our stakeholders (employees, customers, partners). Here, we map such goals as:
- Anticipating impact on healthcare needs
- Anticipating impact on education needs
- Anticipating impact on daily needs
Another important stakeholder is the community and its needs. If you have a dedicated non-profit scorecard, then you will find a similar goal there.
The business continuity strategy map template includes several initiatives aligned with the “Community needs” goal. These initiatives describe possible ways an organization can contribute:
- Repurposing production lines. For example, Inditex, owner of retail chain Zara, starts manufacturing hospital gowns.
- Repurposing products and services. For example, Decathlon is donating snorkeling masks to hospitals. MSC Group’s Splendid was converted into a hospital ship.
- Contributing to social distancing. For example, Czech Post allows sending free registered mail via its “Datová schránka” for the duration of the declared emergency.
Due to travel limitations, many companies have shifted from in-person event formats to online events. While the costs of streaming platforms are lower, organizations need to fight for the attention of the attendees. In this article, we share our approach to the online events that proved to deliver stable outcomes in terms of customer engagement and long-term business impact.
Finally, in the finance perspective, we map the relevant financial goals and expected outcomes. In this case, we are talking about:
- Impact on revenue
- Applicable insurance policies
Use Business Continuity Management Template
BSC Designer helps organizations implement their complex strategies:
- Sign up for a free plan on the platform.
- Use the Business Continuity Management template as a starting point. You will find it in New > New Scorecard > More Templates.
- Follow our Strategy Implementation System to align stakeholders and strategic ambitions into a comprehensive strategy.
Alexis is a Senior Strategy Consultant and CEO at BSC Designer, with over 20 years of experience in strategic planning. Alexis developed the “5 Step Strategy Implementation System” that helps companies with the practical implementation of their strategies. He is a regular speaker at industry conferences and has published over 100 articles on strategy and performance management, including the book “10 Step KPI System”. His work is frequently cited in academic research.