
How to plan business continuity activities, with a template

Many activities comprise a business continuity plan. The better they are managed, the more successful the overall business continuity program will be.

A business continuity management system requires several important activities scheduled throughout a calendar year. The schedule sets a clear time frame that facilitates resilience planning and provides evidence for future business continuity and resilience audits.

Business continuity management system (BCMS) activities help ensure the program performs optimally and complies with the requirements of the global business continuity standard, ISO 22301:2019, Security and Resilience -- Business Continuity Management Systems -- Requirements.  

According to the standard, a BCMS is "part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity."

In addition, the standard states, "The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources."

The standard describes the many activities required for compliance, but it does not specifically mandate the creation of an annual schedule or framework to perform the business continuity activities outlined in the standard. However, the standard frequently mentions the need for planning.

Many activities can be part of a BCMS or set of resilience-focused activities, so organizations that wish to comply with the standard should prepare an annual schedule of business continuity activities and review and update it periodically.

BCMS schedule template download: Click here to download our free template to get started with creating a schedule of business continuity activities.

Depending on where business continuity and operational resilience activities are positioned within an enterprise, business leaders must commit to executing BCMS activities, and a schedule helps ensure they are completed.

Advances in technology since the 2019 update to ISO 22301 must be factored into schedule planning activities. These include the following:

  • Emergence and evolution of resilience activities. These go beyond simply recovering the business following a disruption. Moving to resilience means lessons learned from an incident are used to adapt the BCMS so it can respond more effectively in the next event.
  • Cloud-based technologies supporting BCMS. In addition to cloud-based data storage, backup and recovery tools, intelligent as-a-service platforms addressing business continuity can also streamline the BCMS process.
  • Increased use of IT service management (ITSM) strategies. Business continuity and resilience activities are increasingly included in ITSM frameworks and technologies. Business continuity is no longer a boutique discipline.
  • AI. The rapid growth of AI has affected business continuity and resilience disciplines. A growing number of BCMS platforms include AI to streamline the planning process, improve the execution of risk analysis and business impact analysis activities, and optimize BCMS plan response, recovery and restoration processes.

Understanding core business continuity activities

ISO 22301:2019 includes the same fundamental areas in which a BCMS should function. Its companion standard, ISO 22313:2020, Security and Resilience -- Business continuity management systems -- guidance on the use of ISO 22301, provides greater detail on the activities outlined in ISO 22301.

Both documents were used to prepare Table 1, which lists key BCMS activities, organized by the standard's framework, and includes suggested scheduling timeframes.

Table 1: A chart listing suggested BCMS activities based on ISO 22301 and current BCMS practice. A full list of activities can be found in the downloadable template.

Activities in Table 1 ensure the BCMS complies with the standards and addresses current technology and operational resilience considerations.

The table lists sufficient activities to make compliance with ISO 22301 requirements easier from an audit perspective. The activities also represent good BCMS and resilience practices and should be tailored to specific organizational requirements.

Implementation best practices

Successful implementation of scheduled activities starts with support and funding approved by senior management.

Additional best practices to ensure optimum performance of the BCMS include the following:

  • Ensure all members of the BCMS team support the program.
  • Consider scheduling specific activities -- for example, risk assessments -- more frequently than suggested in Table 1.
  • Include discussions of BCMS activity in weekly IT department or other relevant department staff meetings.
  • Establish relevant performance metrics and monitor them.
  • Monitor developments in the business continuity and resilience industry to identify new and advanced technologies.
  • Use advanced technologies where possible to enhance the overall level of business continuity and operational resilience.
  • Report to management on the state of continuity and resilience at least quarterly.
  • Establish a process to continuously monitor the performance of all systems and technology used to support the BCMS.
  • Identify ways to inform and engage stakeholders, vendors and other third parties on the importance of continuity and resilience.
  • Develop a budget for the BCMS and related activities and get senior management approval.

Using the planning template

The BCMS schedule planning template is formatted as a 12-month calendar with space in each month for a check mark. This approach can help indicate when to perform specific activities. From that starting point, progress to assigning specific calendar dates. When additional activities are identified, insert them in the planning template.

Editor's note: This article was originally published in 2020 and was updated to reflect changes in ISO standards and business continuity best practices.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
