As business continuity standards continue to develop and mature, most are shifting (or already have shifted) to a Management System methodology and structure. And, since this methodology is relatively new to the business continuity profession, many practitioners have one question: “How do I transition my existing business continuity program to align with a management systems methodology?” Luckily, for many high quality business continuity programs, the transition is not as difficult as one may expect. Once a business continuity professional understands the purpose of management systems and underlying Plan-Do-Check-Act (PDCA) model, it will quickly become apparent that the benefits outweigh the concerns.
This article provides an introduction to the differences and similarities between a Business Continuity Program (BCP) and a Business Continuity Management System (BCMS) and offers insight regarding how to successfully make the transition.
Compare and Contrast
To understand the transition between a Business Continuity Program and a Business Continuity Management System, it is first important to define the two structures and then understand the differences and similarities. The following table provides two high level definitions.
The next table displays how many of the activities in the “Do” category of the PDCA model, are shared between a Program and a Management System. Assessment, Analysis, Strategy Development and Plan Documentation are traditionally the focus of activities in a Program. These activities are also very important in a Management System; however, they are not exclusively the focus of management’s activities because they do not work to align the business continuity activities with organizational objectives.
While a Program traditionally focuses heavily on the “Do” activities of a Management System, it risks misalignment with the overall business strategy because formal and recurring engagement with management isn’t defined. Conversely, with a Management System, a portion of the activities in “Plan,” “Check” and “Act” reach outside of the Business Continuity Program and require cross-functional management interaction, which begins during the setting of objectives and continues throughout the activities until program performance is evaluated.
In addition to the overall focus on organizational alignment and performance evaluation, a Management System requires that personnel operating within the system be competent to perform their roles. A Management System asks that the system personnel be competent primarily in the areas of the system more than they are educated in the operations of the business. Specifically, in a Business Continuity Management System, it is being asked that the Business Continuity Practitioners be competent in the areas of business continuity first and that their knowledge of the organization be secondary. This provides a level of competency in the system by the system personnel and lays the responsibility of competency of the business on the business participants.
Making the Transition
After understanding the differences between a Program and a Management System, a practitioner should, first, evaluate how the organization’s Program compares and, if warranted, make the transition. Some organizations will find that their Program already aligns with many of the requirements of a Business Continuity Management System because the Program was developed using other best practices advocating repeatability, management involvement and continuous improvement. Some of the key questions to ask in evaluating a program’s readiness include:
- Does your organization regularly involve executive management in the form of a steering committee and seek feedback on planning activities and outcomes (using a management review processes)? Are the list of topics presented to the Steering Committee documented and consistent?
- Is there a preparedness scope statement and listing of objectives that align to the organization’s core Products/Services and its business strategy?
- Does governance documentation exist that describes management’s expectations and roles/responsibilities?
- Are personnel competencies described, evaluated and are educational tools provided?
- Does management involve Internal Audit or an independent entity to provide commentary on alignment between expectations and performance?
- Does the organization capture and prioritize corrective actions in order to drive continuous improvement?
Second, where differences exist, be sure to establish the value proposition for moving forward. Based on the questions above, the organization will realize benefit in the following ways.
After obtaining support to move forward, the third step is to establish something similar to a project plan to implement each Management System process. Avalution recommends that the Management System implementation effort begin as close to the initiation of a new planning cycle as possible, so as to avoid confusion among BCMS participants – meaning, implement Management System principles when your organization is ready to revisit the activities found in the Plan component of PDCA. This will also enable the organization to build upon the outcomes of management involvement, especially when changes to Program-level scope and objectives are identified.
For more specific details on how to complete the transition through all four of the PDCA steps, read our full whitepaper titled Implementing ISO 22301, which is expected to be available on avalution.com Fall 2011.
Are Your Personnel “Competent” in Performing Their Business Continuity Responsibilities?
Susan Giffin, Managing Consultant
Avalution Consulting: Business Continuity Consulting