It is essential to understand that whether you adopt an international BCM standard like ISO 22301 or a national BCM standard, if your program is based on generally accepted good practices and principles, there should not be significant changes to your program when you move from one standard to another.
The BCM Planning Methodology is a common approach that satisfies the requirements of most, if not all, BCM standards. It should be used as a central guide for BCM methodology within your organization.
The seven phases of the BCM planning methodology are elaborated below.
As the basis for a successful project, it communicates the needs for business continuity [BC], crisis management [CM], crisis communication [CC] or IT disaster recovery [DR] planning.
These include project expectations, commitments to clear roles and responsibilities, establishing an efficient work plan and realistic timeline, and a budget based on an optimal estimate of resource requirements.
[CM and CC] This process is similar for CC and CM. The significant difference is that the risk assessment will include not only the identification of threats but also the crisis scenarios. The RAR phase during the implementation is renamed "Crisis Risk Assessment." When implementing IT Disaster Recovery [DR], the RAR is known as IT DR RAR.
Other significant deliverables include determining the tolerable downtime and minimum resources needed to recover these critical business functions.
[CM and CC] When implementing the CM and CC project and program, there is no requirement to implement the BIA phase as the inputs can be transferred from the BCM team implementing the BIA phase.
[DR] The IT DR Team will conduct their IT version of the BIA called "Application Impact Analysis."
This would include determining recovery strategies for business units, corporate-wide functions, information technology and communications.
A cost-benefit analysis would be conducted to select the most appropriate strategy. The strategy developed in this phase is overarching and directional and does not concern detailed procedures.
[DR] The IT DR Team will conduct their IT version of the BCS called "IT Disaster Recovery Strategy."
This phase involves carefully choreographing a sequence of actions that counteract or mitigate the effects of the threats or risks identified in the RAR phase, recovering the critical business functions identified in the BIA phase and implementing the strategies developed in the BCS phase.
[CM and CC] The significant difference in the delivery of this phase is that in BC, there are many business unit (BU) BCM coordinators involved in the implementation.
In the context of CC and CM, the final product is a "Crisis Management (CM) plan" and a "Crisis Communication (CC) plan." However, the planning process is usually conducted by a small team that assists the crisis management team and the corporate communication or Public Relations team in implementing the crisis communication plan.
[DR] The IT Disaster Recovery (DR) Plan is the final product of the IT DR planning process.
This involves coordinating, planning, evaluating and validating the testing of a documented BC, CC, CM or DR plan.
One common concern is how relevant this planning methodology is to the current International Organization for Standardization (ISO) standard for business continuity management systems (BCMS).
You may want to read the "Mapping of BCM Planning Methodology with the ISO 22301 Elements in BC Program".