Module 47: Business Continuity Management (BCM)

CRISC Domain 4 — Technology and Security, Section B (12–15 min read)
Disaster Recovery restores systems.
Business Continuity sustains operations.

Business Continuity Management ensures that:

  • Critical business processes continue during disruption
  • Impact is minimized
  • Stakeholders are informed
  • Decision-making is structured
  • Resilience aligns with business priorities

BCM is enterprise-wide — not IT-only.

CRISC evaluates alignment between impact tolerance and continuity capability.


What the exam is really testing

When BCM appears, CRISC is asking:

  • Were critical processes identified?
  • Was a Business Impact Analysis (BIA) performed?
  • Are recovery strategies aligned to impact?
  • Are roles defined?
  • Are plans tested?
  • Is executive oversight active?
  • Are lessons learned integrated?

BCM reduces the impact of a disruption, not its likelihood: continuity is a corrective and recovery capability, not a preventive control.


Business Impact Analysis (BIA)

The BIA identifies:

  • Critical business functions
  • Maximum Tolerable Downtime (MTD)
  • Financial impact
  • Operational impact
  • Reputational impact
  • Regulatory impact
  • Resource dependencies

Everything in BCM flows from the BIA.

CRISC frequently tests BIA alignment.


Key BCM concepts


Maximum Tolerable Downtime (MTD)

The longest time a business process can be disrupted before the organization suffers unacceptable harm. MTD is a business tolerance set by the BIA, not a technical target.


Recovery Time Objective (RTO)

The target time within which a system or process must be restored after disruption.

RTO must be less than or equal to the MTD of the process it supports. An RTO longer than the MTD means the recovery strategy cannot meet the business tolerance, and the gap should be escalated.


Recovery Point Objective (RPO)

The maximum acceptable amount of data loss, expressed as the time between the last recoverable copy and the disruption.

RPO is set by operational and regulatory requirements and drives backup and replication frequency: a backup interval longer than the RPO cannot meet it.


Critical process identification

Not all processes are equal.

BCM requires prioritization.

CRISC may test over-protection of low-impact processes (recovery spend far beyond what the BIA justifies) as well as under-protection of critical ones.


BCM components

A mature BCM program includes:

  • Governance structure
  • Crisis management plan
  • Communication plan
  • Recovery strategies
  • Resource allocation
  • Alternate site planning
  • Vendor continuity review
  • Periodic testing
  • Plan maintenance
  • Post-incident review

Continuity must be integrated across departments.


Governance & oversight

BCM requires:

  • Executive sponsorship
  • Defined accountability
  • Board-level reporting
  • Escalation procedures
  • Funding alignment
  • Integration with risk management

Continuity without governance is unreliable.


Example scenario

A company maintains an IT disaster recovery plan but has no documented business continuity procedures for operational staff.

What is the PRIMARY weakness?

A. Strong resilience
B. Lack of enterprise continuity integration
C. Reduced inherent risk
D. Strong KPI

Correct answer:

B. Lack of enterprise continuity integration

BCM extends beyond IT systems.


Slightly harder scenario

A BIA identifies a process MTD of 12 hours. However, no recovery strategy exists to meet that target.

What governance principle is MOST compromised?

A. Strong mitigation
B. Misalignment between impact tolerance and recovery capability
C. Reduced inherent risk
D. Effective architecture

Correct answer:

B. Misalignment between impact tolerance and recovery capability

Continuity capability must align with tolerance.
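The alignment rules in the key concepts section (RTO within MTD, backup frequency within RPO, plans tested and kept current) and the 12-hour MTD scenario above can be turned into a repeatable reconciliation of the BIA against recovery capability. The script below is an added example, not part of the original module or any ISACA material; the field names, the process records and the 10% over-protection threshold are constructed assumptions used to illustrate the checks.

```python
"""Reconcile BIA tolerances against recovery capability (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ProcessRecord:
    """One row of a BIA-to-recovery reconciliation. Field set is an assumption."""
    name: str
    mtd_hours: float                        # from the BIA: longest tolerable outage
    rto_hours: Optional[float]              # recovery strategy target; None = no strategy exists
    rpo_hours: Optional[float]              # tolerable data loss, as time; None = undefined
    backup_interval_hours: Optional[float]  # how often a recoverable copy is taken
    tested_recovery_hours: Optional[float]  # duration measured in the last recovery test
    last_plan_update: Optional[date]
    last_org_change: Optional[date]


# Assumed threshold: an RTO below this fraction of MTD suggests disproportionate spend.
OVERPROTECTION_RATIO = 0.1


def assess(p: ProcessRecord) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means tolerance and capability align."""
    findings: list[tuple[str, str]] = []
    if p.rto_hours is None:
        # The scenario above: a tolerance exists, but nothing is designed to meet it.
        findings.append(("critical", f"MTD {p.mtd_hours}h but no recovery strategy (no RTO)"))
    else:
        if p.rto_hours > p.mtd_hours:
            findings.append(("critical", f"RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h"))
        elif p.rto_hours < p.mtd_hours * OVERPROTECTION_RATIO:
            findings.append(("info", f"RTO {p.rto_hours}h is far below MTD {p.mtd_hours}h; check proportionality"))
        if p.tested_recovery_hours is None:
            findings.append(("high", "recovery strategy has never been tested"))
        elif p.tested_recovery_hours > p.rto_hours:
            findings.append(("high", f"tested recovery {p.tested_recovery_hours}h exceeds RTO {p.rto_hours}h"))
    if p.rpo_hours is None:
        findings.append(("high", "no RPO defined"))
    elif p.backup_interval_hours is None:
        findings.append(("high", f"RPO {p.rpo_hours}h defined but no backup schedule"))
    elif p.backup_interval_hours > p.rpo_hours:
        findings.append(("high", f"backup interval {p.backup_interval_hours}h cannot meet RPO {p.rpo_hours}h"))
    if p.last_org_change and (p.last_plan_update is None or p.last_plan_update < p.last_org_change):
        findings.append(("medium", "plan not updated since last organizational change"))
    return findings


def escalations(records: list[ProcessRecord]) -> list[str]:
    """Names of processes with at least one critical misalignment, in input order."""
    return [r.name for r in records if any(sev == "critical" for sev, _ in assess(r))]


# Constructed sample data; "Order fulfillment" mirrors the 12-hour MTD scenario.
BIA_RECONCILIATION = [
    ProcessRecord("Order fulfillment", 12, None, None, None, None, None, None),
    ProcessRecord("Payroll", 72, 24, 24, 24, 20, date(2024, 6, 1), date(2024, 3, 1)),
    ProcessRecord("Customer portal", 8, 12, 1, 4, None, date(2023, 1, 15), date(2024, 1, 10)),
    ProcessRecord("Internal wiki", 240, 8, 24, 24, 6, date(2024, 6, 1), date(2024, 3, 1)),
]

if __name__ == "__main__":
    for rec in BIA_RECONCILIATION:
        for severity, finding in assess(rec) or [("ok", "aligned")]:
            print(f"{rec.name:18} {severity:8} {finding}")
    print("Escalate:", escalations(BIA_RECONCILIATION))
```

Severity is assigned so that a tolerance with no capability behind it (no RTO, or RTO beyond MTD) is always the escalation trigger, while an untested plan or a stale plan is recorded as exposure rather than hidden behind the existence of a document.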


Crisis management vs BCM

Crisis Management:

  • Executive decision-making
  • External communication
  • Reputation management
  • Legal coordination

Business Continuity:

  • Operational sustainment
  • Process continuation
  • Resource management

CRISC may test confusion between the two.


Third-party & supply chain continuity

BCM must consider:

  • Vendor dependency
  • Supplier concentration risk
  • Cloud provider outage scenarios
  • Contractual continuity requirements
  • Shared responsibility model

A third party's failure disrupts the organization's own operations.

Vendor continuity is therefore organizational risk: outsourcing a process does not outsource accountability for its continuity.


Testing & validation

BCM plans must be:

  • Tested regularly
  • Updated after changes
  • Validated against real scenarios
  • Reviewed by leadership
  • Adjusted after lessons learned

Untested plans provide false confidence.

CRISC frequently tests lack of testing discipline.


Common BCM testing methods

  • Tabletop exercises
  • Simulation drills
  • Partial recovery tests
  • Full operational exercises
  • Crisis communication drills

Testing maturity increases reliability.


The most common exam mistakes

Candidates often:

  • Confuse BCM with DR.
  • Assume documentation equals readiness.
  • Ignore executive accountability.
  • Forget vendor continuity.
  • Overlook BIA alignment.
  • Focus only on IT recovery.

CRISC evaluates enterprise-level resilience thinking.


Slightly uncomfortable scenario

BCM plans exist but are not updated after major organizational restructuring.

What risk emerges?

A. Strong governance
B. Outdated dependency and process assumptions
C. Reduced inherent risk
D. Improved monitoring

Correct answer:

B. Outdated dependency and process assumptions

Continuity plans must reflect current structure.


Quick knowledge check

1) The foundation of Business Continuity Management is:

A. Incident response
B. Business Impact Analysis (BIA)
C. KPI monitoring
D. Encryption

Answer & reasoning

Correct: B

BIA defines priorities and tolerances.


2) BCM primarily reduces:

A. Likelihood of attack
B. Impact of disruption
C. Inherent risk
D. Risk appetite

Answer & reasoning

Correct: B

Continuity reduces impact.


3) Failure to test continuity plans most directly increases:

A. KPI performance
B. False assurance and operational exposure
C. Risk avoidance
D. Inherent risk reduction

Answer & reasoning

Correct: B

Untested plans cannot be trusted.


Final takeaway

Business Continuity Management must:

  • Be driven by BIA
  • Align RTO/RPO/MTD to impact
  • Integrate enterprise-wide
  • Include crisis management
  • Address third-party dependencies
  • Be tested regularly
  • Be updated continuously
  • Have executive oversight
  • Trigger escalation when misaligned

BCM protects operations.
DR restores systems.
Governance ensures both align to risk appetite.

CRISC rewards enterprise-level resilience thinking — not binder management.

Next module: Module 48: Data Privacy & Data Protection Principles