Module 47: Business Continuity Management (BCM)
If DR is about getting systems back online, BCM is about keeping the business running while you do it.
Business Continuity Management ensures that:
- Critical business processes continue during disruption
- Impact is minimized
- Stakeholders are informed
- Decision-making is structured
- Resilience aligns with business priorities
BCM is enterprise-wide — not IT-only.
CRISC evaluates alignment between impact tolerance and continuity capability.
What the exam is really testing
When BCM appears, CRISC is asking:
- Were critical processes identified?
- Was a Business Impact Analysis (BIA) performed?
- Are recovery strategies aligned to impact?
- Are roles defined?
- Are plans tested?
- Is executive oversight active?
- Are lessons learned integrated?
BCM reduces impact severity — not likelihood.
Business Impact Analysis (BIA)
The BIA identifies:
- Critical business functions
- Maximum Tolerable Downtime (MTD)
- Financial impact
- Operational impact
- Reputational impact
- Regulatory impact
- Resource dependencies
Everything in BCM flows from the BIA.
CRISC frequently tests BIA alignment.
Key BCM concepts
Maximum Tolerable Downtime (MTD)
The longest time a business process can be disrupted before severe harm occurs.
Recovery Time Objective (RTO)
The maximum acceptable time to restore a system or process after a disruption.
Must be less than or equal to the MTD; an RTO longer than the MTD means the recovery capability cannot meet the business tolerance.
Recovery Point Objective (RPO)
The maximum acceptable data loss, expressed as the time between the last recoverable copy of the data and the disruption.
Must align with operational and regulatory requirements for data currency.
Critical process identification
Not all processes are equal.
BCM requires prioritization.
CRISC may test whether low-impact processes are over-protected at the expense of critical ones.
BCM components
A mature BCM program includes:
- Governance structure
- Crisis management plan
- Communication plan
- Recovery strategies
- Resource allocation
- Alternate site planning
- Vendor continuity review
- Periodic testing
- Plan maintenance
- Post-incident review
Continuity must be integrated across departments.
Governance & oversight
BCM requires:
- Executive sponsorship
- Defined accountability
- Board-level reporting
- Escalation procedures
- Funding alignment
- Integration with risk management
Continuity without governance is unreliable.
Example scenario
A company maintains an IT disaster recovery plan but has no documented business continuity procedures for operational staff.
What is the PRIMARY weakness?
A. Lack of enterprise continuity integration
B. Strong resilience
C. Reduced inherent risk
D. Strong KPI
Correct answer:
A. Lack of enterprise continuity integration
BCM extends beyond IT systems.
Try this one
A BIA identifies a process MTD of 12 hours. However, no recovery strategy exists to meet that target.
What governance principle is MOST compromised?
A. Strong mitigation
B. Reduced inherent risk
C. Misalignment between impact tolerance and recovery capability
D. Effective architecture
Correct answer:
C. Misalignment between impact tolerance and recovery capability
Continuity capability must align with tolerance.
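The alignment idea in the key concepts section and in the scenario just above can be made concrete. The following Python is an added example written for this page, not material from the CRISC syllabus or any ISACA tool. It runs over a constructed set of BIA records and flags each place where recovery capability and impact tolerance diverge: an RTO longer than the MTD, an RPO looser than the tolerable data loss, no recovery strategy at all (the 12-hour MTD scenario above), and a low-criticality process given a tighter RTO than a more critical one. The process names, hours and criticality tiers are constructed sample data, and the over-protection rule is an assumed heuristic, not an ISACA definition.

```python
"""Added example: a BIA alignment check over constructed sample records.

Each finding is a (process, code, detail) tuple; an empty list for a process
means its documented capability matches the tolerance the BIA set for it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BiaRecord:
    process: str
    criticality: int                # 1 = most critical ... 4 = least critical
    mtd_hours: float                # Maximum Tolerable Downtime from the BIA
    rto_hours: Optional[float]      # None = no recovery strategy documented
    rpo_hours: Optional[float]      # None = no backup/replication target documented
    max_data_loss_hours: float      # tolerable data loss (operational/regulatory)


# Constructed sample data (hypothetical organisation, not from the page).
SAMPLE_BIA = [
    # Mirrors the scenario above: MTD of 12h, no recovery strategy at all.
    BiaRecord("Payment processing", 1, 12, None, None, 1),
    BiaRecord("Order fulfillment", 1, 24, 8, 4, 2),
    BiaRecord("Customer support portal", 2, 48, 72, 12, 24),
    BiaRecord("Payroll", 2, 72, 24, 24, 24),
    BiaRecord("Internal newsletter", 4, 240, 2, 1, 168),
]

Finding = Tuple[str, str, str]


def check_alignment(records: List[BiaRecord]) -> List[Finding]:
    """Return every tolerance/capability mismatch found in the BIA records."""
    findings: List[Finding] = []
    for r in records:
        # Recovery time: the capability must fit inside the tolerance.
        if r.rto_hours is None:
            findings.append((r.process, "NO_RECOVERY_STRATEGY",
                             f"MTD {r.mtd_hours}h but no RTO documented"))
        elif r.rto_hours > r.mtd_hours:
            findings.append((r.process, "RTO_EXCEEDS_MTD",
                             f"RTO {r.rto_hours}h > MTD {r.mtd_hours}h"))

        # Recovery point: data loss must stay within what the business tolerates.
        if r.rpo_hours is None:
            findings.append((r.process, "NO_RPO",
                             "no backup or replication target documented"))
        elif r.rpo_hours > r.max_data_loss_hours:
            findings.append((r.process, "RPO_EXCEEDS_TOLERANCE",
                             f"RPO {r.rpo_hours}h > tolerable loss {r.max_data_loss_hours}h"))

        # Over-protection heuristic (assumed, not an ISACA rule): a less
        # critical process recovers faster than a more critical one, which
        # suggests continuity spend is not following BIA priorities.
        if r.rto_hours is not None:
            for other in records:
                if (other.criticality < r.criticality
                        and other.rto_hours is not None
                        and other.rto_hours > r.rto_hours):
                    findings.append((r.process, "OVER_PROTECTED",
                                     f"RTO {r.rto_hours}h tighter than {other.process} "
                                     f"(criticality {other.criticality}, RTO {other.rto_hours}h)"))
                    break
    return findings


def aligned_processes(records: List[BiaRecord]) -> List[str]:
    """Names of processes with no findings, in BIA order."""
    flagged = {p for p, _, _ in check_alignment(records)}
    return [r.process for r in records if r.process not in flagged]


if __name__ == "__main__":
    for process, code, detail in check_alignment(SAMPLE_BIA):
        print(f"{process:25s} {code:22s} {detail}")
    print("Aligned:", ", ".join(aligned_processes(SAMPLE_BIA)))
```

Run as a script, it prints one line per mismatch and then the processes whose documented capability meets their tolerance; in the sample only Payroll passes. Ordered by criticality tier, the same findings are what a continuity steering group would escalate, which is the point of the "Trigger escalation when misaligned" item in the final takeaway.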
Crisis management vs BCM
Crisis Management:
- Executive decision-making
- External communication
- Reputation management
- Legal coordination
Business Continuity:
- Operational sustainment
- Process continuation
- Resource management
CRISC may test confusion between the two.
Third-party & supply chain continuity
BCM must consider:
- Vendor dependency
- Supplier concentration risk
- Cloud provider outage scenarios
- Contractual continuity requirements
- Shared responsibility model
Third-party failure can disrupt operations.
Vendor continuity is organizational risk.
Testing & validation
BCM plans must be:
- Tested regularly
- Updated after changes
- Validated against real scenarios
- Reviewed by leadership
- Adjusted after lessons learned
Untested plans provide false confidence.
CRISC frequently tests lack of testing discipline.
Common BCM testing methods
- Tabletop exercises
- Simulation drills
- Partial recovery tests
- Full operational exercises
- Crisis communication drills
Testing maturity increases reliability.
The most common exam mistakes
The single most common mistake: treating BCM as if it were just another name for DR. DR restores IT systems. BCM sustains business operations — which includes people, processes, communications, and vendor dependencies, not just servers. If your answer focuses only on IT recovery, you are likely picking the wrong one. Also, having a binder full of BCM documentation means nothing if the plans have not been tested or updated after organizational change.
Here's where it gets tricky
BCM plans exist but are not updated after major organizational restructuring.
What risk emerges?
A. Strong governance
B. Improved monitoring
C. Reduced inherent risk
D. Outdated dependency and process assumptions
Correct answer:
D. Outdated dependency and process assumptions
Continuity plans must reflect current structure.
Quick knowledge check
1) The foundation of Business Continuity Management is:
A. Incident response
B. Business Impact Analysis (BIA)
C. KPI monitoring
D. Encryption
Answer & reasoning
Correct: B
BIA defines priorities and tolerances.
2) BCM primarily reduces:
A. Likelihood of attack
B. Impact of disruption
C. Inherent risk
D. Risk appetite
Answer & reasoning
Correct: B
Continuity reduces impact.
3) Failure to test continuity plans most directly increases:
A. KPI performance
B. Inherent risk reduction
C. Risk avoidance
D. False assurance and operational exposure
Answer & reasoning
Correct: D
Untested plans cannot be trusted.
Final takeaway
Business Continuity Management must:
- Be driven by BIA
- Align RTO/RPO/MTD to impact
- Integrate enterprise-wide
- Include crisis management
- Address third-party dependencies
- Be tested regularly
- Be updated continuously
- Have executive oversight
- Trigger escalation when misaligned
The exam is testing whether you think about resilience at the enterprise level. BCM protects operations, DR restores systems, and governance ensures both align to risk appetite. That chain of alignment is what matters.