Avalution Consulting
January 28
What Is A Management System?

Over the past eighteen months, many business continuity professionals learned of a new term – management system.  First introduced to many of us in British Standard (BS) 25999 as a Business Continuity Management System (BCMS), the concept continues to gain traction in our profession through a number of draft organizational resilience-related standards authored by the International Standards Organization (ISO), as well as a new American standard whose development is currently being facilitated by ASIS International. 

 

Although widely used in other professional disciplines for many years (e.g. quality, environmental, and occupational health and safety management), the term “management system” is a relatively new concept to business continuity professionals.  So what is a management system?   A management system is the framework of processes and procedures used to ensure that an organization can fulfill all tasks required to achieve a set of related business objectives.  Management system standards provide a model for setting up and operating a management system. The purpose of this perspective is to introduce the management system concept and offer reasons why this relatively simple concept can be a powerful tool in capturing and keeping management’s support for a business continuity program. 

 

Why Should Business Continuity Professionals Care?

 

Did you know: 

  1. ISO is developing a number of standards (requirements and guidelines) that define expectations for organizational resilience and its many sub-disciplines (including business continuity), all using management system concepts?
  2. The British Standards Institution (BSI) facilitated the development of BS 25999 based on management system concepts, and BS 25999 will be a major influencer of future ISO standards specific to business continuity (and it may be part of the US government’s Title IX initiative)?
  3. Your organization may already be familiar with management system concepts and successfully using them to address complex problems? 

Even more importantly, your executive leadership team may already be familiar with management system concepts and understand their role in operating within a management system.  As you’re about to find out, a management system is a great way to capture leadership support – and keep it.

 

Key Characteristics

 

A management system exists to continuously improve key business processes and outcomes in order to meet core objectives.  But how?  What are some of the key characteristics of a management system, regardless of its focus?

  1. Accountability
    A management system always outlines roles and responsibilities for its key stakeholder groups, ranging from the most senior managers to employees in general.
  2. Repeatable Processes
    Processes are not designed for one-time use; rather, they are designed to be revisited on a periodic basis in order to adapt the management system’s outputs to organizational change.
  3. Documented Standard Operating Procedures
    Management system repeatability is ensured through management-approved documentation outlining expectations and process characteristics.
  4. Resources
    A management system has identified resources designed to enable alignment with business objectives.
  5. Performance Measurement and Review Mechanisms
    With a focus on continuous improvement, a management system includes methods of assessing performance based on senior leadership’s expectations.
  6. Cultural Change
    Building, promoting and embedding a business continuity management culture within an organization through training and appropriate communications mechanisms ensures that it becomes part of the organization’s core values and corporate governance structure. 

Types of Management System Models

 

Anyone with exposure to management systems often equates them with something known as the “Plan, Do, Check, Act” methodology, or PDCA.  This iterative, flexible methodology and its general concepts originated with Total Quality Management (TQM).  PDCA weaves decision making into the fabric of an organization’s overall operational and business practices.  It makes the organization more efficient and better able to meet important challenges.  It provides a set of problem identification and problem-solving tools that can be implemented by an organization in many different ways, depending on its unique activities and needs. 

 

By incorporating a risk-based process into continuity management, organizations can make informed decisions tailored to their unique needs.  As has been demonstrated with environmental and quality management standards, the TQM approach instills an organizational culture that drives continual improvement.

 

The following diagram and explanation offer additional detail on PDCA, specific to business continuity management.

 


 

Figure One: Plan-Do-Check-Act (PDCA)

  1. Plan
    Establish objectives based on your organization's situation; set targets and develop strategic plans to achieve these objectives.
    1. Project initiation: definition and scope, project resource allocation, management support
    2. Policy and management commitment
    3. Risk assessment and impact analysis
    4. Developing management strategies
  2. Do
    Implement your strategic plans.
    1. Develop and implement operational and control strategies, plans, procedures and programs, including:
      1. Awareness, competence and training strategies, plans and programs 
      2. Definition of roles and responsibilities
      3. Communication strategies, plans and programs 
      4. Allocation of human, physical and financial resources 
  3. Check
    Measure your results.
    1. Performance assessment and evaluation and system maintenance
  4. Act
    Correct and improve your plans and how they are put into practice.
    1. Review and improve the management system to incorporate required adjustments based on the “Check” phase

The PDCA model is commonly combined with a process approach model to ensure that the organization: 

  1. Identifies business continuity planning processes
  2. Decides the order in which they are carried out
  3. Provides appropriate resources
  4. Establishes appropriate methods needed to operate and control planning efforts 

Figure Two illustrates the synergy between the PDCA and Process models:

 

 

Overall, despite the common perspective that a management system follows either a PDCA or a process model, the reality is that the best management systems contain attributes from both, working together to enable continuous improvement.  Regardless of model, all management systems include six key elements: 

  1. Policy
    A document summarizing management’s expectations
  2. Planning
    Developing requirements, identifying solutions and documenting procedures to ensure repeatability
  3. Implementation and Operation
    A method of implementing the management system, as well as a description of long-term operations
  4. Performance Assessment
    Evaluating performance based on management’s expectations, and creating processes to communicate feedback
  5. Improvement
    Internalizing performance feedback in order to improve key processes, thus more closely meeting business objectives
  6. Management Review
    Formal methods of communicating management system characteristics and performance in order to capture management feedback and approval 

How Does This Apply to Business Continuity?

 

Risk management efforts are greatly enhanced with management-oriented models that avoid professional jargon and focus on business outcomes.  As described above, PDCA is simple to understand, proven and widely accepted as a management approach.  It also lends itself to multi-disciplinary application.  Management systems offer a series of processes wrapped around a common objective – in this case, mitigating business continuity risk, which includes protecting people, property, business activities and the overall reputation of the organization.  Many standards, including BS 25999 and other emerging ISO standards, focus on the “what” rather than the “how”, thus affording organizations the opportunity to implement these management systems in a way suitable to their unique needs. 

 

But most importantly, management systems connect business continuity planning efforts to the most senior leaders in an organization, using structured approaches that align requirements and strategies (“Plan”) with resources, processes and procedures (“Do”) and with reviews and assessments (“Check”) in order to standardize performance and constantly improve (“Act”). 

 

What's the Relationship Between a Business Continuity Program and a Business Continuity Management System?

 

As the graphic below indicates, a management system is the set of processes designed to keep the program’s solutions current and relevant.  Despite the common misconception, it’s not just one-or-the-other.  Rather, traditional business continuity solutions become more current, aligned and complete when business continuity professionals develop and apply repeatable management system processes that fully connect with the business.

 

When you read BS 25999-2, or review a public comment copy of the new organizational resilience standard, you’ll see some of the more common business continuity program solutions, including risk assessments and impact analyses, exercises, plans and maintenance processes.  But unlike older standards and many regulatory requirements, these solutions will be addressed within standard ISO management system processes, or the PDCA model.

 


 

Figure Three - Defining PDCA and Business Continuity Program Interaction

 

Review these models with an open mind and imagine yourself as an inexperienced business continuity practitioner (perhaps even your new program sponsor).  Management systems, and management systems-oriented standards, make business sense and are relatively straightforward. 

 

Where can I go for more information?

 

A number of resources are available to further describe management systems.  Consider purchasing a copy of ISO Guide 72, which offers considerable information on key management system components and characteristics.  Also, review existing management systems-oriented standards (BS 25999, ISO 9001, ISO 14001, ISO 27001), or consult with Quality or EHS personnel in your organization with experience developing, implementing or operating management systems.  Lastly, review the numerous management system case studies posted on-line in order to further understand the value of the concept and how organizations have achieved success.

 

Overall, management systems are now part of the business continuity profession, and we’re lucky to have them.  Organizations struggling with capturing and keeping senior leadership’s attention will realize value when implementing management system concepts.  Positive input and feedback will increase, as will the resources necessary to meet management expectations.    

 

 

Note: Avalution Consulting would like to thank Dr. Marc Siegel (ASIS International) for his review and input to this perspective.

 

© 2007-2010 Avalution Consulting LLC