First introduced to business continuity practitioners in British Standard (BS) 25999 as a Business Continuity Management System (BCMS), the management systems concept continues to gain traction in our profession through a number of “societal security” related standards authored by the International Standards Organization (ISO), as well as new and updated standards from the National Fire Protection Association (NFPA) and ASIS International.
Although widely used in other professional disciplines for many years (e.g., quality, environmental, security, and health and safety management), the term “management system” remains a relatively new concept to business continuity professionals. A management system is defined as the framework of processes and procedures used to ensure that an organization can fulfill all tasks required to achieve a set of related business objectives. Management system standards provide a model for establishing and operating a management system and executing capabilities that align to management’s expectations.
The purpose of this updated article is to introduce the management system concept and offer reasons why this relatively simple concept can be a powerful tool in capturing and keeping management’s support for a business continuity program.
Why Should Business Continuity Professionals Care?
Did you know:
- ISO has released, and is in the process of finalizing, a number of standards (requirements and guidelines documents) that define expectations for business continuity using management system concepts?
- The British Standards Institution (BSI) developed BS 25999 based on management system concepts?
- All three of the DHS-selected PS-PREP standards are based on or reference management system concepts?
- Your organization may already be familiar with management system concepts and successfully using them to address complex quality or security problems?
Even more importantly, your executive leadership team may already be familiar with management system concepts and understand their role in operating within a management system. As you’re about to find out, a management system is a great way to capture leadership support – and keep it.
A management system exists to continuously improve key processes and outcomes in order to meet core business objectives. But how? What are some of the key characteristics of a management system, regardless of its focus?
- Roles and Responsibilities
A management system always outlines roles and responsibilities for its key interested parties, ranging from the most senior managers (often called “top management”) to employees in general.
- Repeatable Processes
Processes are not designed for one-time use; rather, they are designed to be revisited on a periodic basis in order to adapt the management system’s outputs to organizational change.
- Documentation
Management system repeatability is ensured through management-approved documentation outlining expectations and process characteristics. Organizations develop documentation in the form of standard operating procedures, or SOPs.
- Resources
A management system has identified resources designed to enable alignment with business objectives.
- Performance Measurement and Review Mechanisms
With a focus on continual improvement, a management system includes methods of assessing performance based on senior leadership’s expectations.
- Competence
A management system defines the role-specific skills and experiences necessary to meet senior leadership expectations.
- Cultural Change
Building, promoting and embedding a business continuity management culture within an organization through training and appropriate communications mechanisms ensures that it becomes part of the organization’s core values and possibly the corporate governance structure.
Types of Management System Models
Anyone with exposure to management systems will often equate them with something known as the “Plan, Do, Check, Act” systems methodology, or PDCA. This iterative, flexible methodology and its general concepts originated with Total Quality Management (TQM). PDCA weaves decision making into the fabric of an organization’s overall operational and business practices, and often makes the organization more efficient and better positioned to meet important challenges. PDCA provides a set of problem identification and problem-solving tools that can be implemented by an organization in many different ways, depending on its unique activities and needs.
By incorporating a risk-based process into business continuity management, organizations can make informed decisions tailored to their unique needs. As has been demonstrated with environmental and quality management standards, the PDCA approach creates an organizational culture that drives continual improvement through performance measurement and feedback.
The following diagram and explanation offer additional detail on PDCA.
Figure 1: Plan-Do-Check-Act (PDCA)
Figure 2 below, as noted in the ASIS/BSI BCM.1.2010 standard, offers a mapping of PDCA to the BCMS.
Figure 2: Mapping of PDCA to the BCMS
As summarized above, most of what business continuity practitioners consider as “traditional” business continuity methodology resides in “Do”, whereas the set-up and continuous improvement of the management system resides in “Plan”, “Check” and “Act.”
The PDCA model is commonly combined with a process approach model to ensure that the organization:
- Identifies business continuity planning processes;
- Decides the order in which they are carried out;
- Provides appropriate resources; and
- Establishes appropriate methods needed to operate and control planning efforts.
Overall, despite the common perspective that a management system follows either a PDCA or a process model, the reality is that the best management systems contain attributes from both, working together to enable continuous improvement. Regardless of model, all management systems include six key elements:
- Policy
A document summarizing management’s expectations
- Planning
Developing requirements for the management system, confirming strategic objectives and scope, as well as identifying solutions and documenting procedures to ensure repeatability
- Implementation and Operation
A method of implementing the management system, as well as a description of long-term operations
- Performance Assessment
Evaluating performance based on management’s expectations, and creating processes to communicate feedback
- Improvement
Internalizing performance feedback in order to improve key processes, thus more closely meeting business objectives
- Management Review
Formal methods of communicating management system characteristics and performance in order to capture management feedback and approval
How Does This Apply to Business Continuity?
Risk management efforts are greatly enhanced with management-oriented models that avoid professional jargon and focus on business outcomes. As described above, PDCA is simple to understand, proven and widely accepted as a means of engaging management. It also lends itself to multi-disciplinary application. Management systems offer a series of processes wrapped around a common objective – in this case, mitigating business continuity-related risk, which includes protecting people, resources, business activities and the overall reputation of the organization. Many standards, including ISO 22301, focus on the “what” rather than the “how,” thus affording organizations the opportunity to implement management systems in a way suitable to their unique needs.
But, most importantly, management systems connect business continuity planning efforts to the most senior leaders in an organization, using structured approaches that align strategic scope and objectives (“Plan”) with resources, processes and procedures (“Do”) and audit and management review (“Check”) in order to apply management-approved continuous improvement actions (“Act”).
What’s the Relationship Between a Business Continuity Program and a Business Continuity Management System?
As Figure 3 below indicates, a management system is the set of processes designed to keep business continuity program outcomes current and relevant. Despite the common misconception, it’s not just one-or-the-other. Rather, traditional business continuity program solutions become more current, aligned and complete when business continuity professionals develop and apply repeatable management system processes that fully connect with the business.
When you read the new ISO business continuity management systems standard (ISO 22301), you’ll see some of the more common business continuity program solutions, including risk assessments and business impact analyses, exercises, plans and maintenance processes. But unlike older standards and many regulatory requirements, these solutions will be addressed within standard ISO management system processes, mapped to the PDCA model.
Figure 3: Defining PDCA and Business Continuity Program Interaction
Review management systems and PDCA with an open mind and imagine yourself as an inexperienced business continuity practitioner (perhaps even your program sponsor). Management systems, and management systems-oriented standards, make business sense and are relatively flexible and straightforward.
Where Can I Go for More Information?
A number of resources are available to further describe management systems. Consider purchasing a copy of ISO Guide 72, which offers considerable information on key management system components and characteristics. Also, review existing management systems-oriented standards (ISO 22301, ISO 9001, ISO 14001, ISO 27001), or consult with Security, Quality or EHS personnel in your organization with experience developing, implementing or operating management systems. Lastly, review the numerous management system case studies posted on-line in order to further understand the value of the concept and how organizations have achieved success.
Overall, management systems are now part of the business continuity profession, and we’re lucky to have them. Organizations struggling with capturing and keeping senior leadership’s attention will quickly realize value when implementing management system concepts – positive input and feedback will increase, as will the resources necessary to meet management expectations.
Brian Zawada, Director of Consulting
Avalution Consulting: Business Continuity Consulting