Implementing Business Continuity Management in Strategic Planning

Business Continuity Management (BCM) ensures that critical functions of an organization remain operational to minimize the impact of disruptions on stakeholders. Let’s explore the practical steps to implement Business Continuity Management within the context of strategic planning.

A template for business continuity management in BSC Designer.

A template for business continuity management in BSC Designer. Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

An approach to business continuity management according to ISO 22301 involves:

  1. Identifying critical business elements
  2. Analyzing threats and risks
  3. Creating prevention and response plans, including training and simulations
  4. Tracking and learning from incidents

To integrate these elements into strategic planning:

  • We will employ a value-based decomposition method
  • Quantify strategies and plans with performance metrics
  • Maintain actionable records in the form of initiatives, risks, and comments

Identification of Critical Business Elements

Our goal is to identify key business elements critical for business continuity. We use the following perspectives as a starting point:

  • Information Systems
  • Facilities and Locations
  • Partners and Stakeholders
  • Human Resources
  • Physical Assets
  • Financial Resources

Critical business elements and their recovery time

Critical business elements and their recovery time. Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

Once the elements and sub-elements are defined, we can quantify their susceptibility to risk events by establishing Recovery Time Objectives (RTO).

For the Recovery Time Objective, we define:

  • Measurement units (e.g., hours or days)
  • The “Baseline” as the catastrophic recovery time
  • The “Target” as the desired recovery time
  • The current value, as the estimated recovery time based on technologies and policies in place

Recovery time objective for user database

Recovery time objective for user database Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

With this data, we can calculate the performance of each business element in terms of susceptibility or readiness in case of an emergency event.

In this context:

  • A lower value (e.g., faster recovery time) will result in higher performance
  • The performance function should not be linear; the extensive area next to the “catastrophic” baseline should be the red zone

Performance function for RTO configured to exponential decay

Recovery time objective for user database Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

In BSC Designer:

  • Define the required recovery baseline, target, and current value on the Data tab.
  • Use the “Exponential decay” function to create a performance function with a relatively small green zone for recovery times near the target and a significant red zone for longer recovery times.

The software enables the tracking of RTOs for each business element over time.

Threats and Risks Analysis

Analyze potential threats using these perspectives as a starting point:

  • Operational
  • Technological
  • Economic
  • Workforce
  • Safety and security
  • Environmental
  • Reputation
  • Legal

For each relevant threat, perform a decomposition into specific risks and conduct a Business Impact Analysis (BIA).

Threats and risks analysis with risk estimation

Threats and risks analysis with risk estimation. Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

For instance, you can break down Technological threats into ‘Cybersecurity threats’ and further into a ‘Ransomware attack.’

The risk in this case can be quantified through a simple risk estimation formula, such as probability multiplied by impact. Various ways to define risks were discussed in a separate article.

Response Scenarios

Develop response scenarios for threats with the highest risk impact estimation scores.

A typical scenario will include:

  • Business continuity plans (prevention, response, recovery)
  • Communication plan
  • Train and test plans

These plans can be quantified by:

KPI Regular update metric

KPI Training coverage

KPI Simulations / Exercises success

Business continuity plans defined for the scenario.

Business continuity plans defined for the scenario. Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

Consider ‘Scenario 1 – Ransomware Attack,’ which is broken down into:

  • Business Continuity Plans
  • Train and Test

The ‘Business Continuity Plans’ section includes several initiatives:

  • Prevention Strategy
  • Response Strategy
  • Recovery Strategy
  • Communication Plans

Within the ‘Communication Plans,’ the ‘Plan revised regularly’ metric quantifies the frequency of updates. The metric owner receives regular reminders to revise communication plans, ensuring that contact persons and their details remain up-to-date.

Phishing attack training and simulation initiative

Business continuity plans defined for the scenario. Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

To validate the effectiveness of the ‘Response Strategy’ initiative, we quantify it with the ‘Simulations / Exercises’ indicator.

The ‘Train and Test’ section includes the ‘Phishing attack training and simulation’ initiative, along with two metrics:

  • Training coverage
  • Simulations / Exercises

While these continuity plans are presented as initiatives, further decomposition is possible. We can break them down into more specific sub-goals and metrics.

Mapping Incidents or Disruptions

To map active incidents, include disruption details and root cause analysis.

To quantify the impact, we can use the weighted impact assessment index consisting of:

KPI Financial impact

KPI Impact on customer relationships (quantified as a percentage of affected customers)

KPI Impact on operations (quantified as a percentage of critical operations affected)

KPI Legal and compliance impact (quantified by fines and other legal consequences)

KPI Long-term reputation impact (quantified as a percentage of customers lost over a 1-year period attributed to the crisis)

Impact assessment with a weighted index.

Impact assessment with a weighted index. Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

After resolving an incident:

  • Update the finishing date in the ‘Disruption details and analysis’ element
  • Change its status to ‘Completed’
  • Map lessons learned and improvement initiatives
  • Move the ‘Incident 1’ group to the ‘Past Incidents’ section.

Inheritance and Update Intervals for Indicators

Depending on the nature of quantification, indicators in the business continuity scorecard need to be configured in various ways.

Metrics Reusing Previous Values (Inherited)

Indicators quantifying the RTO (Recovery Time Objective) are set to use inherited values. In practice, this means that the RTO defined for the current year will automatically be applied for the next year unless redefined. The update interval for these indicators is set to annual or semiannual updates.

Two Options for Inheriting Previous State of an Indicator

Indicators used for quantifying BIA (Business Impact Analysis) are also configured to use inherited values. The update intervals in this case can be adjusted according to the expected dynamic of the threat, using monthly for more dynamic threats and quarterly/annual intervals for stable threats.

Value inheritance setting for plan revision indicator.

Value inheritance setting for plan revision indicator. Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

Metrics Not Reusing Previous Values (Entered Values)

Metrics used to quantify business continuity plans, such as ‘plans revised regularly,’ ‘training coverage,’ and ‘simulation exercises,’ are configured for quarterly or annual update intervals. The inheritance option in this case is configured as ‘Use entered values,‘ meaning that we do not reuse the previous value for the next period.

For instance, if plans are marked as revised for the current year, for the next year, we would need to revise plans again and update the state of the corresponding metric.

Metrics with No Scheduled Update

Finally, the update interval of metrics used for impact assessment of incidents is configured as ‘Never,’ indicating that we are interested in capturing only the current state of the indicator with no intention to monitor its evolution over time.

Linking by Context and Data

The fundamental concept of business continuity management involves establishing connections among:

  • Critical business elements
  • Threats and risks
  • Scenarios
  • Actual incidents

By creating these connections, we equip our team with all the necessary details to effectively respond to threats and learn from incidents.

To implement this concept in strategic planning, we link all the mentioned elements by context. This way, we can navigate from actual incidents to the corresponding scenarios and, if necessary, explore threats and risk analysis.

A contextual link between an incident and a scenario.

Value inheritance setting for plan revision indicator. Source: View Business Continuity Management online in BSC Designer Business Continuity Management.

To establish context in BSC Designer:

  1. Copy the source item (e.g., relevant scenario) to the clipboard.
  2. Select the destination item (e.g., incident covered by the scenario).
  3. Paste from the clipboard and choose between ‘Link by Context’ or ‘Link by Data.’

Contextual connections will be available on the ‘Context’ tab for both items.

To navigate between items, double-click on the relevant connection.

Applying the same logic, response strategies with dedicated strategy scorecards can be aligned with incidents, risk assessments, and critical business elements.

A Strategy Scorecard for Crisis Response: Using COVID-19 as an Example

Business continuity strategy ensures the overall readiness of an organization for a crisis event. Depending on the scale of the crisis, a specific response strategy can be designed. The COVID-19 pandemic was one such example, where such a strategy helped to focus efforts and ensure strategic alignment.

Let’s review the COVID-19 strategy as an example of a crisis response strategy. The strategy scorecard followed the classical Balanced Scorecard approach:

COVID 19 - a strategy map template for Coronavirus response strategy

The Covid-19 response strategy presented across the four perspectives of the Balanced Scorecard. Source: View Covid-19 Strategy Scorecard online in BSC Designer Covid-19 Strategy Scorecard.

In the Learning and Growth perspective, we focus on the skills and infrastructure needed to execute the business continuity strategy:

  • Educating employees on COVID-19 (as measured by leading indicatorAwareness program penetration, %” and lagging indicator “% of practices actually implemented“)
  • Conducting global scenario planning (with some specific initiatives aligned)
  • Aligning IT systems with the challenges of remote work
  • Introducing employees to the principles of remote work

In the Internal perspective, we formulate the goals related to the internal business systems that will help to execute the business continuity strategy effectively:

In the stakeholders’ perspective, we focus on the needs of our stakeholders (employees, customers, partners). Here, we map such goals as:

  • Anticipating impact on healthcare needs
  • Anticipating impact on education needs
  • Anticipating impact on daily needs

Another important stakeholder is the community and its needs. If you have a dedicated non-profit scorecard, then you will find a similar goal there.

The business continuity strategy map template includes several initiatives aligned with the “Community needs” goal. These initiatives describe possible ways how an organization can contribute:

  • Repurposing production lines. For example, Inditex, owner of retail chain Zara, starts manufacturing hospital gowns.
  • Repurposing products and services. For example, Decathlon is donating snorkeling masks to hospitals. MSC Group’s Splendid was converted into a hospital ship.
  • Contributing to social distancing.  For example, Czech Post allows sending free registered mail via its “Datová schránka” during the duration of the declared emergency.

Due to travel limitations, many companies have shifted from in-person event formats to online events. While the costs of streaming platforms are lower, organizations need to fight for the attention of the attendees. In this article, we share our approach to the online events that proved to deliver stable outcomes in terms of customer engagement and long-term business impact.

Finally, in the finance perspective, we map the relevant financial goals and expected outcomes. In this case, we are talking about:

  • Impact on revenue
  • Applicable insurance policies

Use Business Continuity Management Template

BSC Designer helps organizations implement their complex strategies:

  1. Sign up for a free plan on the platform.
  2. Use the Scorecard Template Business Continuity Management template as a starting point. You will find it in New > New Scorecard > More Templates.
  3. Follow our Strategy Implementation System to align stakeholders and strategic ambitions into a comprehensive strategy.

Get started today and see how BSC Designer can simplify your strategy implementation!

Cite as: Alexis Savkín, "Implementing Business Continuity Management in Strategic Planning," BSC Designer, March 11, 2024, https://bscdesigner.com/business-continuity-management.htm.