BCM (Business Continuity Management)
Acronym for Business Continuity Management; the discipline of maintaining critical service during disruption.
Definition
BCM stands for Business Continuity Management. It is the discipline of planning and maintaining the capability to continue critical service during disruption: site loss, system failure, cyber incident, key staff absence, supply chain breakdown. BCM is a recognised professional discipline with ISO 22301 as the international standard. Public sector contracts often require evidence of BCM capability at the bid stage and tested continuity plans during delivery, particularly for critical contracts in health, emergency services, and critical infrastructure.
How it works in practice
See the detailed Business Continuity glossary entry for substantive coverage. The short version: BCM typically covers risk identification (what could disrupt service), response (how to respond, including roles and communication), recovery (how to restore service, with recovery time and point objectives), and testing (how plans are exercised). Effective BCM requires the business continuity management system (BCMS) to be live and tested rather than aspirational: tabletop exercises annually, technical recovery tests at least annually, and post-incident reviews for any major incident or near-miss. Cyber incidents are increasingly important in BCM scope: WannaCry-style ransomware can disrupt operations as effectively as physical incidents. Public sector buyers expect BCM evidence proportional to contract criticality; routine services need basic continuity capability, while critical services need a comprehensive BCMS with ISO 22301 certification or equivalent. The Civil Contingencies Act 2004 adds statutory continuity duties for category 1 responders. The KimonBids contract management module supports BCM by tracking continuity commitments against contract requirements.
For UK public sector suppliers, BCM evidence at the bid stage typically covers a named continuity plan, a recent tabletop exercise outcome, recovery time objectives by service area, and any external accreditation (ISO 22301, BS 25999) held. Strong bids treat BCM as a live programme with recent activity rather than a documentary commitment dating from initial certification. The Civil Contingencies Act 2004 imposes statutory continuity duties on category 1 responders (emergency services, NHS trusts, local authorities, Environment Agency), so suppliers into those buyer categories should expect particularly substantive BCM evaluation.
Common questions
Is BCM the same as disaster recovery?
Disaster recovery (DR) is a subset of BCM focused on IT system restoration. BCM covers the broader organisational continuity capability including people, processes, and supply chains as well as systems. DR is one workstream within BCM rather than a synonym.
How does BCM relate to incident management?
They are complementary. Incident management handles routine operational incidents within SLAs. BCM handles major disruption affecting the organisation's ability to operate. Strong organisations implement both: ITIL-style incident management for routine incidents, BCM for major disruption.
When is ISO 22301 certification required?
For critical contracts (health, emergency services, critical infrastructure), certification is increasingly required. For routine services, certification may not be mandatory, but evidence of continuity capability is widely expected.
