Cyber crisis? With Business Continuity Management (BCM) You Keep Your Cool

Author
Marc Lang
Published
18. August 2025
Organizations that rely on routine often realize too late how quickly things can change. Nowadays, a single incident can be enough to destabilize entire companies. The consequences can be severe: production downtime, data loss, and damage to reputation. However, there is a remedy: acting instead of reacting.

Whether cyber attacks, natural disasters, pandemics or technical disruptions - the risks are many and varied and can have a massive impact on business processes. This is where business continuity management (BCM) comes into play: a systematic yet dynamic approach that ensures companies remain capable of acting even in crisis situations.

BCM describes the planning and implementation of measures aimed at maintaining essential business processes even in exceptional situations. To this end, risks must be identified, potential effects assessed and strategies developed to ensure the continuity of business activities.

The 4 pillars of an effective BCM system

An effective BCM system is based on the following four central core components:

  • Risk assessment and analysis: Identifying critical business processes, analyzing potential threats and assessing the impact of failures. The Business Impact Analysis (BIA) determines dependencies, prioritizes recovery measures and forms the basis for well-founded risk management decisions.
  • Emergency and crisis plans: Development of action plans to deal with disruptions.
  • Testing and review: Regular tests to ensure the effectiveness of the plans, in particular disaster recovery tests (DRT) for IT systems. DRTs exercise the recovery procedures, identify weaknesses and improve the resilience of the IT infrastructure.
  • Training: Raising awareness and preparing employees for crisis scenarios.

BCM or ITSCM?

Business continuity management (BCM) and IT service continuity management (ITSCM) are both essential disciplines in risk management, but differ in their focus and scope.

Business Continuity Management (BCM) ensures the continuation of critical business processes in the event of disruptions. IT Service Continuity Management (ITSCM) is a sub-area of this and focuses on the recovery and availability of the necessary IT systems. While BCM looks at the entire company, ITSCM focuses on technical solutions such as backup and disaster recovery.

BCM in current standards and regulations

The importance of BCM is not only underlined by its practical benefits, but also by the requirements of current regulations.

Companies that comply with the standards benefit from increased resilience and fulfill regulatory obligations at the same time. Here are some of the most important requirements:

  1. NIS2 Directive: The revised EU Directive on the security of network and information systems (NIS2) requires companies to implement robust cyber security measures. BCM is a key component in ensuring that critical services do not fail in the event of cyber attacks.
  2. DORA (Digital Operational Resilience Act): In the financial sector, DORA requires institutions to strengthen their operational resilience to digital threats. BCM plays a crucial role by ensuring that business continuity is maintained even in the event of IT failures or security incidents.
  3. ISO/IEC 27001: The internationally recognized standard for information security management systems (ISMS) also requires the integration of BCM. As part of risk management, companies must ensure that critical information is also available in crisis situations.
  4. National Strategy for Critical Infrastructure Protection (CIP): The Swiss government has developed the National Strategy for Critical Infrastructure Protection to strengthen the resilience of these essential systems. This strategy emphasizes the importance of BCM as an integral part of risk management for critical infrastructure operators.
  5. Swiss Financial Market Supervisory Authority (FINMA): FINMA has introduced minimum standards for business continuity management in the financial sector that must be implemented by companies. These standards include specific requirements for crisis management and risk minimization.
  6. Information Security Act (ISG): The Swiss Information Security Act (ISG) obliges operators of critical infrastructure to implement an information security management system (ISMS), which also includes aspects of business continuity management (BCM), in order to ensure the continuity of business processes.

    The relevant sections of the ISG that deal with these requirements are:
    1. Article 6: Assessment of information protection needs.
    2. Article 8: Risk management, including the identification and assessment of risks.
    3. Articles 11 to 15: Classification of information based on its need for protection.
    4. Articles 16 to 19: Definition of security procedures and measures in connection with IT resources.
    5. Articles 20 to 23: Ensuring personal and physical protection.
    6. Articles 24 to 26: Management of identity systems.
  7. ISO 22301: This international standard for business continuity management systems is often used in Switzerland. It provides a framework for planning, implementing and monitoring effective BCM.

The benefits of a solidly implemented BCM

A functioning business continuity management system offers companies several concrete advantages:

  • Minimized downtime through faster resumption of business after disruptions.
  • Preserved reputation, because proactive crisis management avoids reputational damage.
  • Customer satisfaction thanks to continuity of services, even in difficult times.
  • Adherence to regulatory requirements and compliance, avoiding penalties or sanctions.

The 5 levers for maximum crisis resilience

InfoGuard offers comprehensive services to help companies implement, optimize and maintain their business continuity management. Our offerings include:

  1. Program management: Our experience in consulting methodology helps you design and maintain ISO 22301 compliance.
  2. BCM assessments: Gap assessments independently evaluate the current status and assess compliance. Interviews with employees and analyses of processes and technologies serve as the basis for determining the level of business continuity assurance.
  3. Business impact analyses (BIA): Used to identify business-critical services and activities, determine their resilience and set priorities for recovery.
  4. Disaster recovery tests and validation: Review of existing disaster recovery plans and support in carrying out a comprehensive disaster recovery test.
  5. Simulation: Only thoroughly tested business continuity plans prove their quality in an emergency. A series of tests is designed and carried out, including, for example, crisis communication, cyber-attack simulation, IT recovery and restart.

Conclusion: BCM as a strategic success factor

BCM is therefore not just a compulsory exercise to meet regulatory requirements, but a decisive competitive advantage in an uncertain world. Companies that rely on BCM can react in a more targeted and effective manner in crisis situations. At the same time, they create trust with customers, partners and authorities and show that they are prepared for unexpected events.

If you would like to make your company more resilient for the future, we would be happy to support you in implementing a sound BCM system. Contact us for a non-binding consultation.
