What is BCM? Business Continuity Management to effectively respond to crises
At present, many organizations are placing greater emphasis on Business Continuity Management (BCM) and resilience, amid a business environment characterized by multidimensional uncertainty. This is particularly evident this year with rising geopolitical tensions, especially the conflict between the United States and Iran, which has had widespread impacts on supply chains, energy, logistics systems, and the operational stability of organizations. This article aims to help readers understand what BCM is and how it benefits organizations.
Key Takeaways
- BCM helps organizations systematically respond to and recover from unexpected incidents, reducing the risk of severe operational disruptions, and enabling businesses to continue providing services at an acceptable level even during a crisis.
- BIA and Risk Assessment are the core elements of effective BCM. Insights from both analyses help organizations understand what truly matters, identify priority risks, and make better strategic decisions.
- BCM is not just about creating a BCP, it is an ongoing process that requires continuous testing and improvement. Regular exercises and plan reviews help ensure the plan works in practice and reduce confusion during emergency situations.
Organizations with strong BCM capabilities are more resilient and gain a long-term competitive advantage. They can recover more quickly, reduce losses, and build confidence among customers, business partners, and other stakeholders.
BCM business risks
BCM stands for Business Continuity Management, or business continuity management. It is a holistic management process that organizations use to prepare for, respond to, and recover their business operations when disruptions or crises occur. This approach aligns with the principles of the ISO 22301 standard, which focuses on the Business Continuity Management System (BCMS), a framework that supports consistency in BCM implementation and enables organizations to assess, operate, and continuously improve their capabilities in a sustainable manner.
Implementing BCM principles helps organizations respond to and recover from various crises more quickly (resilience), reduce impacts on stakeholders, and enhance competitiveness in a business environment filled with risks.
BCM What are the components?
Business Continuity Management (BCM) consists of six key components, as illustrated in the figure below.
Planning and Control
This means ensuring that BCM is not merely a system documented on paper, but one that is actively implemented, controlled, and managed in a tangible way, enabling the organization to continue operating when disruptions occur. Examples include managing organizational changes that impact BCM and controlling outsourced procurement processes.
Business Impact Analysis (BIA) and Risk Assessment (RA)
Business Impact Analysis (BIA) and risk assessment are considered the first critical steps for organizations seeking to implement BCM. Conducting a BIA helps organizations identify key products, services, and critical activities, and answer important continuity-related questions such as: How long can operations be disrupted? Which activities must be restored first? What resources are required?
Meanwhile, risk assessment helps address questions such as: What sources of disruption does the organization face? How severe are those risks? Which risks require the development of Business Continuity Plans (BCPs)?
Business Continuity Strategy
This is the stage that follows the completion of the BIA and Risk Assessment. The organization defines various strategies to recover from or accommodate disruptions, such as establishing alternate work locations or identifying alternative suppliers, in order to ensure that critical activities can be resumed within the defined timeframe.
Making Business Continuity Plan (BCP)
It is a documented plan and set of procedures that define roles, responsibilities, and actions an organization must take to reduce impacts when emergencies or crises occur, as well as to restore critical activities after a disruption. The BCP is considered the core of BCM. However, an organization must first conduct a BIA and Risk Assessment, and define business continuity strategies, before developing a BCP.
BCP Exercise and Testing
This involves exercising and testing BCP in various formats, such as tabletop exercises or simulations, to assess the readiness of personnel, systems, and plans, as well as to identify areas for improvement before an actual incident occurs.
Business Continuity Capability Assessment
This involves reviewing and evaluating whether all BCM-related documentation and the organization’s capability to respond to disruptive incidents remain appropriate, up to date, and sufficient, in order to support continuous improvement.
Why do businesses need Business Continuity Management (BCM)?
BCM is a holistic management approach that focuses on reducing the impact of various risks that cannot all be fully prevented in today’s environment, and helps organizations recover quickly in order to survive in the modern business landscape. Below, we summarize the key reasons why organizations should implement BCM.
To ensure that the business can continue operating when unexpected incidents occur.
Businesses today face risks at all times, such as fires, natural disasters, and supply chain disruptions, especially issues arising from war and geopolitical tensions. Implementing BCM helps organizations manage these crises through Business Continuity Plans (BCPs) and continuity strategies.
Maintaining the trust and confidence of customers and business partners
BCM enables organizations to have plans in place to respond to disruptions, including measures that allow partial delivery of products or services to customers. It also provides clear communication plans for customers and business partners, thereby enhancing confidence that the organization can effectively manage situations or crises.
Compliance with laws, regulations, and contractual requirements
Many industries are legally required to have BCM and BCPs because they operate in sectors that cannot tolerate prolonged disruptions, such as banking, telecommunications, and critical infrastructure. This also includes organizations that impose business continuity requirements within service agreements (SLAs).
Improving workforce readiness in crisis situations
In emergency or crisis situations that require urgent problem-solving, involve high pressure, and may come with incomplete information for critical decision-making, having BCM and a well-defined BCP, with clearly assigned roles and responsibilities, allows personnel to practice response plans in advance. This helps increase familiarity and confidence when responding to real crisis situations.
Supporting risk management and long-term strategic decision-making
BCM helps organizations identify which products, services, and activities are critical, how long they can be disrupted, what resources are required, and what risks they face. The insights gained from Business Impact Analysis (BIA) and Risk Assessment (RA) enable organizations to manage risks in a structured and effective manner, resulting in a competitive advantage and superior long-term performance compared to other organizations.
. How to
InterRisk has summarized the BCM implementation steps in alignment with the ISO 22301 standard as outlined below.
It starts with understanding and support from senior management.
Before starting BCM or BCP, an organization should establish a shared understanding that BCM is not merely a documentation exercise, but a critical tool for risk management and business survival. A key first step is defining the objectives, why the organization needs BCM. This requires executive support, the establishment of policies and strategic direction, and the formal assignment of responsibility for BCM.
Determining scope of BCM
The organization should clearly define the scope of BCM such as which departments, locations, and critical products or services are included. Defining an appropriate scope from the outset helps ensure that BCM does not become overly broad and can be practically and successfully implemented.
Business Impact Analysis (BIA) and Risk Assessment (RA)
Once the scope of BCM has been defined, the organization must conduct the BIA and Risk Assessment together as the first step. Performing the BIA and RA in parallel enables the organization to identify business continuity requirements (BC requirements), which are then used to define appropriate recovery strategies.
Define Business Continuity Strategies
Once the organization understands the business continuity requirements identified through the BIA and Risk Assessment, the next step is to consider business continuity strategies (BC strategies) to restore critical activities and the required resources.
Develop a Business Continuity Plan (BCP) and procedures
Once a business continuity strategy has been established, it is then translated into a practical and actionable Business Continuity Plan (BCP). The BCP details key elements such as roles and responsibilities, emergency response plans, crisis communication, and recovery plans aligned with the previously defined strategy.
Exercise, test, and continuously improve the plan
BCM cannot be considered complete without testing the BCP. BCP testing not only helps organizations identify areas for improvement, but also serves as training that builds employees’ capabilities and confidence when real incidents occur.
Continuously manage BCM (evolving it into a BCMS )
When an organization systematically follows the steps outlined above, BCM will evolve into a Business Continuity Management System (BCMS) that includes policies, performance monitoring, and continuous improvement, in alignment with ISO 22301.
Examples of organizations that use BCM and BCP systems in Thailand
Most organizations in Thailand that are legally required to have BCM and BCP plans are banks, state-owned enterprises, and government agencies. InterRisk has compiled examples of organizations in Thailand that have implemented BCPs for readers below.
Government Housing Bank (GHB)
The Government Housing Bank has established a Business Continuity Management (BCM) Policy and a Business Continuity Plan (BCP) to serve as a framework for managing business continuity, in compliance with the requirements of the Bank of Thailand (BOT).
PTT Global Chemical Public Company Limited)
The BCM system has been integrated with the Occupational Health and Safety Management System (OHSMS), such as ISO 45001, and the GC Management System (GCMS), to manage emergencies and crises in a unified manner, ensuring maximum effectiveness in business continuity management.
Department of Airports (DOA)
The Department of Airports is another government agency that has implemented BCM alongside the development of BCPs, in line with public-sector business continuity management principles, to respond to various crises.
Frequently Asked Questions (FAQs)
Is BCM necessary for every organization?
BCM is essential for organizations of all types and sizes, whether small or large, as every business is exposed to unforeseen risks. BCM helps organizations systematically respond to incidents, reduce impacts, and recover critical activities.
How is BCM different from BCP?
BCM is a holistic process and approach to managing business continuity, whereas BCP is a specific plan or document under BCM that provides guidance for actions to be taken during emergencies. In other words, BCM is the “system and process,” while BCP is the “plan that is put into action.
(Summary) BCM is the lifeline for modern organizations. Consult with InterRisk Asia
In this article, InterRisk guides readers through an understanding of what BCM is, the benefits it brings to organizations, and the key components of BCM in accordance with the ISO 22301 standard. If you have further questions about BCM or your organization does not yet have a BCP, contact InterRisk’s consulting team today for a free initial consultation.
InterRisk Asia is a leading business continuity consulting firm in Thailand, operates under the MS&AD Group from Japan.
Experienced consultants with hands-on BCMS expertise
Customized planning tailored to your business context.
Practical tools and templates, with expert support for testing and improvement.
