Who Is Responsible For Having Account Relationship Level BCP In Place?
Business continuity management (BCM) is the discipline of preparing an organization to withstand disruption — whether from cyber incidents, supplier failures, natural disasters, pandemics, or geopolitical shocks — and to resume critical operations within defined tolerances. A mature BCM programme links risk identification to recovery planning, assigns clear accountabilities across the three lines of defence, and is continuously tested so that the plans on paper match what happens in practice.
At the core of any BCM programme is the business continuity management system (BCMS), most commonly structured around ISO 22301. The standard sets out a Plan–Do–Check–Act lifecycle built on four anchors: analysis, strategy, response, and validation. Analysis is grounded in the business impact analysis (BIA), which quantifies how quickly each process must recover and what it needs to function. Strategy translates those findings into recovery options, including workarounds, alternate sites, and IT disaster recovery arrangements. Response is codified in the business continuity plan (BCP) and supporting playbooks for specific scenarios. Validation happens through exercises, drills, and audits that turn documentation into muscle memory.
Several technical concepts tie the lifecycle together. Recovery time objective (RTO) sets the maximum acceptable downtime for a process; recovery point objective (RPO) sets the maximum acceptable data loss. Together they drive architecture decisions — from backup cadence to hot-site investment. Maximum tolerable period of disruption (MTPD) acts as an outer boundary beyond which recovery is no longer viable. Regulated firms increasingly overlay impact tolerances on top of RTO/RPO, particularly in financial services under DORA and operational resilience regimes.
BCM does not stand alone. It sits inside a wider resilience stack that includes enterprise risk management, information security, incident response, crisis communications, and supply chain risk. The posts below cover the full BCMS lifecycle — from BIA templates and BCP structure through to crypto-sector BCM, ransomware impact analysis, exercise scenarios, and post-incident review.
Related hubs
Enterprise Risk Management — ERM frameworks, risk registers, risk appetite, and risk assessment methodologies.
Information Security Management System — ISO 27001, NIST CSF, CIS Controls, and cyber incident response.
Business Continuity Plan — BCP templates, structure, testing, and industry-specific guidance.
Incident Management — Detection, triage, escalation, and post-incident review.
Supply Chain Risk Management — Third-party resilience, concentration risk, and supplier continuity.
Business continuity planning (BCP) is a critical process that ensures an organization can continue …
On February 21, 2024, BlackCat ransomware took down Change Healthcare, UnitedHealth’s claims processing subsidiary. …
On February 22, 2024, a single misconfigured AT&T network change took down wireless service …
In 2024, the US Bureau of Labor Statistics counted 5,070 fatal work injuries, with …
The term “business resilience” gets thrown around often, but what does it mean? In …
A business impact analysis (BIA) is used to determine and evaluate the potential effects …
In January 2023, a mid-sized credit repair firm in Houston lost access to its …
As businesses around the world have been forced to adapt to the challenges of …
Key Takeaways: A Business Impact Analysis (BIA) is the foundational step in business continuity …
In September 2024, a European logistics firm with 12,000 employees lost €18 million in …
Key Takeaways: Emerging risks are threats that do not yet have a significant impact …
When the Ever Given wedged itself across the Suez Canal in March 2021, it …