We recently received a question from one of our Tandem Business Continuity Planning software users.
"I just attended a webinar in which a regulator spoke. He made reference to 'Business Continuity Management' and said 'BCM' a couple times. Is this an indicator that regulators are making the switch and will the Tandem product name be changed accordingly, if that's the case?"
This is a great question and goes back to the Federal Financial Institution Examination Council's (FFIEC) November 2019 release of the updated Business Continuity Management booklet. While the title of the book included a name change from "Planning" to "Management," the shift may not be as substantial as it seems on the surface.
What does the FFIEC say?
According to the FFIEC's Information Technology Examination Handbook, Business Continuity Management Booklet:
"The change from business continuity planning to business continuity management reflects the changes in customer and industry expectations for the resilience of operations. […] The focus of this revised booklet is on enterprise-wide, process-oriented approaches that consider technology, business operations, testing, and communication strategies critical to the continuity of the entire entity. However, business continuity should not be focused only on the planning process to recover operations after an event, but rather it should include the continued maintenance of systems and controls for the resilience of operations."
To provide further clarification, the booklet features a diagram of a 10-step business continuity management process, with the establishment of the plan being featured in step six.
In other words
"Planning" is still a very important part of the business continuity process, but the agencies indicate the term implies the development of a written restoration guide. The booklet's name change reflects the idea that the development of a BCP is not a standalone event. Rather, true planning for business continuity is one part of a larger process which involves enterprise-wide strategic planning, effective communication, and focus not only on restoration but resilience.
One cannot successfully exist without the other. A business continuity plan without effective management processes would not be a functional plan in the event of a business disruption. On the other hand, business continuity management processes would be of little value during an adverse event without the development of a well-documented plan.
There are several instances where we see business continuity planning and management processes working together.
- Your business continuity plan includes a documented business impact analysis (BIA). The BIA documentation is designed to help you determine maximum tolerable downtimes, recovery objectives, and resilience controls. That said, your business continuity management includes all the activities that happened around the documentation of the BIA. These activities are things like the conversations you have to determine values for your BIA, exercises, and testing you perform to validate your BIA assumptions, reports to management over the BIA, etc.
- Your business continuity plan includes exercises and testing. The documented results of exercises and testing are used to demonstrate thorough analysis, validate the ability to meet identified metrics, and highlight areas where the plan may need improvement. That said, your business continuity management includes all the activities related to your exercises and testing. These activities are things like determining the scope of your exercises, coordinating exercises with applicable stakeholders, and actual performance of the exercises.
- Your business continuity plan includes reporting your BCP documentation to senior management and the board of directors. These individuals are responsible and will be held accountable for the success or failure of the plan. That said, your business continuity management includes all activities related to reporting. These activities are things like the delivery and presentation of the information, credible challenges presented by the board, and approval of content.
How does this apply to Tandem?
Tandem Business Continuity Planning is an application designed to supplement your business continuity management practices by providing a framework to facilitate the documentation of your plan.
Tandem is feature-rich, designed to help you:
- Perform a business impact analysis and help you assess the impact of potential disasters on your business functions.
- Mitigate disruptions to business operations by establishing recovery objectives and identifying dependencies.
- Plan for resilience with exercises and testing, preparedness controls, emergency checklists, and more.
If you are ready to take your BCP to the next level, check out our blog on Three Ways to Ensure Your Business Continuity Plan is Ready.