Business Continuity Management (BCM)
A management process that ensures an organization can continue delivering critical services during and after disruptive incidents.
Business Continuity Management (BCM) is the discipline of preparing an organization to withstand, respond to, and recover from disruptive incidents — whether caused by cyberattacks, natural disasters, power failures, or supply chain disruptions. The goal is to protect critical business functions and minimize the impact of any disruption on operations, customers, and stakeholders.
A BCM programme typically begins with a Business Impact Analysis (BIA), which identifies the organization's most critical processes, the dependencies between them, and the maximum tolerable downtime for each; from these figures follow the recovery time objective (RTO) and recovery point objective (RPO) that each recovery strategy must meet. The strategies are documented in a Business Continuity Plan (BCP) and, where relevant, a Disaster Recovery Plan (DRP) for IT systems. These plans must be tested regularly through exercises, from tabletop walkthroughs up to full failover tests, and updated whenever the organization, its systems or its suppliers change.
BCM is a required element of the risk-management measures under the NIS 2 Directive and is also addressed within ISO/IEC 27001 (Annex A controls 5.29 and 5.30 on information security during disruption and ICT readiness for business continuity) and the ISO 22301 standard, which provides a dedicated certifiable framework for business continuity management systems. For organizations in the financial sector, BCM requirements are further reinforced by the DORA regulation, which requires an ICT business continuity policy together with response and recovery plans.
Legal Basis
Directive (EU) 2022/2555 (NIS 2, Art. 21(2)(c)); ISO/IEC 27001:2022 Annex A (controls 5.29 and 5.30); ISO 22301; Regulation (EU) 2022/2554 (DORA, Art. 11)
Practical Example
A regional bank conducts a Business Impact Analysis and finds that its payment processing system must be restored within four hours of any outage, which becomes the system's RTO. Based on this finding, the IT team implements a geographically separated backup data center and develops a Disaster Recovery Plan that is tested before it is relied upon. During the annual BCM exercise, the team plays through a ransomware attack and activates the plan as it would in a real incident; the scenario is chosen because it also tests whether the backup site and its backups are isolated well enough not to be encrypted along with production. The exercise reveals gaps in the communication chain, which are subsequently addressed.