Business continuity management

from Wikipedia, the free encyclopedia

Business continuity management (BCM; in German also abbreviated BKM) refers, in business administration, to the development of strategies, plans and actions that protect those activities or processes of an organization whose interruption (for example through malfunctions) would cause serious damage or devastating losses, or that enable alternative processes in their place. The aim is to secure the continued existence of the company, in the sense of economic sustainability, in the face of risks with a high potential for damage.

BCM describes a management method that uses a life-cycle model to ensure the continuation of business activities under crisis conditions, or at least under unforeseeably difficult conditions. There is a close relationship with risk management. In German-speaking countries BCM is sometimes viewed as related to information security, IT emergency planning and facility management. There are also links to corporate governance concepts.

The military origin is historically documented in Chinese literature (Sun Tzu, around 500 BC; cf. the annotated translation "The Art of War", ed. Lionel Giles, The British Museum, 1910) and later in the work of German-speaking military theorists such as Clausewitz. The continuous planning, execution and successful completion of one's own plans despite enemy influence and disruption was carried over to business operations with the onset of the industrial revolution.

Characteristic of the transition from military terminology to civil use are, among others, (USA) civil defense and homeland security, and (D) civil defence and civil protection. BCM developed from around 1950 onwards, mainly in the USA, but building on foundations from Europe. From around 1980 the focus shifted towards information technology, whose growing importance within companies became a particular risk factor. IT operations are secured through IT disaster recovery, in German "IT-Notfallplanung" (IT emergency planning).

In the recent past, the concept of BCM was again extended to the entire operation of a company, among other things through legislation such as the (USA) Sarbanes-Oxley Act of 2002 and the (GB) Civil Contingencies Act 2004. BCM is also implicitly required, among others, by the (D) Control and Transparency Act of 1998 and the (D, A) codes for corporate governance. The description of BCM is supplemented by several norms and industry standards, for example (international) ISO 17799 (the predecessor of today's ISO/IEC 27002) and ISO 22301:2012, (USA) NFPA 1600, (AU, NZ) the BCM Better Practice Guidelines, (GB) BS 7799-2:2002, (A) ÖNORM A 7799, the publications of the Basel Committee relating to the Basel II capital accord, and (D) the Minimum Requirements for Risk Management for Credit Institutions (MaRisk).

The method and framework of BCM are published in the "Good Practice Guidelines" issued by the (GB) Business Continuity Institute. Core competencies for practitioners are set out in the (GB, USA) "Joint Standards", which are published jointly by the Business Continuity Institute and the Disaster Recovery Institute International.

The German Federal Office for Information Security (BSI) has developed the standard BSI 100-4 "Emergency Management" as a supplement to IT-Grundschutz (IT baseline protection). As part of the modernisation of IT-Grundschutz, its successor, BSI 200-4, is already being drafted.

In order to keep a company's business running in the event of incidents (see also incident management) or of a disaster (business continuity), analyses must be performed and plans drawn up.

Primarily, it must be determined

  • which processes must be maintained and
  • which measures are necessary for this.

To do this, priorities must be defined and the required resources assigned. One measure within business continuity planning is disaster recovery, but the business continuity process as a whole has to address many other points.

Technical consideration

Business continuity management is the organizational unit of a company responsible for establishing and operating effective emergency and crisis management processes in order to prepare systematically for coping with loss events. This is intended to ensure that important business processes are not interrupted, or only temporarily interrupted, even in critical situations and emergencies, and that the economic existence of the company is secured despite the loss event.

The aim of business continuity management is to produce and promulgate process definitions and the documentation of an operational, documented contingency plan that is precisely tailored to the individual company, and to sensitise all employees to the topic of "securing the economic livelihood of the company in a critical emergency situation".

Disaster scenarios

Incidents can be divided into different categories:

  • IT / system failure
  • Building failure
  • Loss of staff (e.g. pandemic)
  • Failure of suppliers / partners

Depending on the event, the company responds with a specific disaster scenario. To ensure the continuity of the company, the response to a system failure differs from the response to a sharp rise in sick staff. In the first case, the company provides parallel IT systems in order to bridge the failure of a system with alternative resources. A major loss of staff, by contrast, should be addressed with preventive measures, for example increased hygiene measures when a pandemic is announced.

Societal security

In September 2007, ISO/TC 223 "Societal security" published the international standard ISO/PAS 22399 "Societal security - Guideline for incident preparedness and operational continuity management". It was adopted by all 50 states represented on the committee and is based specifically on best practices (or standards) from five nations: the American NFPA 1600, the British BS 25999-1:2006, the Australian HB 221:2004, the Israeli INS 24001:2007 and Japanese regulations.

The acronym IPOCM stands for Incident Preparedness and Operational (Business) Continuity Management. IPOCM is understood as an extension of BCM: while BCM focuses on companies, IPOCM also covers private and public organizations and public administrations, and focuses on maintaining or rebuilding vital infrastructures regardless of the type of event.

The International Organization for Standardization (ISO) finally adopted and published the new standard ISO 22301:2012, "Societal security - Business continuity management systems - Requirements", in mid-May 2012. Companies use the standard to implement a business continuity management system, and it can serve as the basis for certification. Like the quality standard ISO 9001, it can be applied to companies of all sizes and in all sectors.

The technical committee ISO/TC 292 Security, formed in 2014, concentrates on the topic of security and deals with security management, operational continuity management, resilience and emergency management, protective and control measures against fraud, security services and homeland security. The committee is chaired by SIS (Swedish Standards Institute), the ISO member for Sweden, and its first meeting took place in March 2015 in Japan alongside the UN World Conference on Disaster Risk Reduction (WCDRR).

Literature

  • Martin Wieczorek, Uwe Naujoks, Bob Bartlett (eds.): Business Continuity. Contingency planning for business processes. Springer, Berlin et al. 2002, ISBN 3-540-44285-5 (Xpert.press).
  • Ulf Hinterscheid: Approaches to managing business risks that threaten the existence of the company. Securing global value creation processes through operational continuity. Pro BUSINESS, Berlin 2008, ISBN 978-3-86805-183-4 (also: Wuppertal, Univ., Diss., 2008).
  • Stefan Spörrer: Business Continuity Management: ISO 22301 and other standards in the context of information technology. Kölner Wissenschaftsverlag, August 2014, ISBN 978-3-942720-50-2.
