An annual schedule of business continuity activities can help an organization set a clear time frame that can aid with resilience planning, as well as provide evidence for future business continuity audits.
The international standard for business continuity management, ISO 22301:2019, Security and Resilience -- Business Continuity Management Systems -- Requirements, defines a business continuity management system (BCMS) as "part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity." In addition, the standard states, "The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources."
While the standard provides details on the many activities to be performed for compliance with its requirements, it does not specifically mandate the creation of an annual schedule or framework for performing the business continuity activities stated in the standard. The standard does, however, frequently mention the need for planning.
Considering the many activities that can be part of a BCMS or set of resilience-focused activities, organizations that wish to demonstrate compliance with the standard are advised to prepare an annual schedule of business continuity activities.
Below, we provide guidance on the issues to incorporate in a schedule, recommended time frames for executing these activities and a template for creating a BCMS annual schedule.
Activities to include
Let's list items from the standard as a starting point and then fill in additional administrative activities. These may include tasks such as staff meetings and preparing necessary reports and assessments. The table below provides a starting list of activities with a suggested frequency of performance. In the ready-to-use template included with this article, we have adapted it to help you prepare an annual schedule of resilience activities.
Remember that the above table entries are based largely on the ISO 22301 standard. As you build your own annual schedule, you'll be including activities that are specific to your organization and its culture.
The table lists enough activities so that you will be able to comply with ISO 22301 requirements from an audit perspective. The activities also represent good BCMS practice and can be tailored to your organization as needed.
Using the planning template
Along with general guidance for creating a schedule of business continuity activities, we've also included a downloadable planning calendar. While the above table includes suggested time frames based on the ISO standard, these will differ by organization, so we encourage you to take your own company's needs and abilities into account when choosing the frequency of business continuity activities.
The BCMS schedule planning template is formatted as a 12-month calendar with space in each month to insert a check mark. This is how you indicate when you plan to perform specific activities. From that starting point, you can then progress to assigning specific calendar dates. As you identify additional activities required by your organization or industry, insert them in the planning template.