Question: Has the organization defined a Business Continuity Management (BCM) policy, scope, and objectives?
Why This Matters
A clear BCM policy ensures the organization can sustain critical operations during disruption and fulfil legal and contractual obligations.
Maturity
- Level 0: No BCM policy or defined objectives.
- Level 1: Continuity activities informal and uncoordinated.
- Level 2: BCM policy approved with scope and responsibilities.
- Level 3: Objectives mapped to critical functions and reviewed annually.
- Level 4: BCM aligned with risk and incident programs.
- Level 5: Continuous resilience governance with dashboards and KPIs.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify business functions and dependencies. |
| 1 → 2 | Draft and approve BCM policy and scope. |
| 2 → 3 | Set continuity objectives and review frequency. |
| 3 → 4 | Integrate BCM into enterprise risk register. |
| 4 → 5 | Automate reporting and dashboards. |
Enablers
- People: BCM Manager, CISO, Operations Head
- Process: Define → Approve → Review
- Technology: Policy repository, dashboard tool
Evidence
- Approved BCM policy
- Scope statement and objectives
- Review meeting minutes
KPIs
- Number of functions covered under BCM
- Percentage with defined objectives
- Last review date of BCM policy
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Policy storage | Nextcloud | Version control |
| Tracking | Airtable | Objective register |
| Visualization | Metabase | Status dashboard |
Common Pitfalls
- Policy approved once then forgotten
- Scope omits key business processes
- Objectives not measurable
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 22301 | 4–8 (BCM framework) |
| ISO/IEC 27001 | A.5.30 |
| NIST CSF 2.0 | RS.RP |
| NIRMATA Mapping | BC-Q01 defines the foundation of organizational resilience. |