Business Continuity Management: What You Will and WON’T Get From a BCM Tool
Understand what you will and won’t get from a business continuity management (BCM) tool, and then evaluate your options based on your specific requirements. Due to the maturity of the market, many products will check your boxes, so your evaluation will often come down to usability and cost.
The more-sophisticated BCM tools provide clients the ability to customize workflows, templates, and even terminology to accommodate their BCP process. Remember that a tool does not replace a sound process. Organizations that take a fill-in-the-blanks approach end up with a lot of data, but no plan – certainly not an effective plan.
For guidance on an effective BCP process, please refer to our BCP blueprint. In the meantime, to assist with BCM tool evaluation, below is a summary of common features followed by recommended next steps.
BCM Tools: Features Summary
Note: The specific features will vary by product. Use this list as a guide to understand what might be possible, but also define your requirements and use cases to assist with evaluating products. Focus on the features relevant to your requirements.
Integrations
Integrations can facilitate data gathering and maintenance. Below are examples of integration targets:
- Active Directory: to support SSO and gathering employee lists.
- HRIS: to support gathering more-detailed employee information for notification and planning (e.g. home phone number, work location if there are multiple sites).
Note: Due to privacy concerns, HRIS integration is not always possible. Some tools will offer portals to allow users to provide personal contact info, rather than pulling information from an HRIS.
- MS Office and other BCM tools: to migrate existing plans into the new tool.
- CMDBs or equivalent: to import IT asset details.
Plan Development Features
This is the core set of features associated with a BCM tool: the features that help develop the plan. Common examples include:
- Risk assessment tools
- Business impact analysis (BIA) tools
- Incident response plan templates
- Dependency mapping tools (i.e. if system ABC goes down, what other systems and/or business processes are impacted)
- Ability to assign tasks to users (e.g. to provide BIA input), monitor task status, and automate sending reminders
Monitoring/Incident Management Features
These are features leveraged during an event to facilitate incident management. For example:
- Dynamic monitoring of recovery or test event status (i.e. users can indicate task status, which is centrally reported through a dashboard)
- Plan filtering to focus on specific business processes, systems, or people
- Geographic mapping of staff and asset locations (for this to be dynamic, it depends on being able to track when users are at their normal worksite, an alternate worksite, or not at work at all)
- Emergency notification systems (ENS) that automate contacting BC/DR teams and general staff
Note: Many BCM tools will instead support integrations with separate ENS tools.
Audit Management
These features facilitate meeting audit requirements. For example:
- Report templates for specific regulatory standards (FFIEC, FDIC, etc.)
- Status dashboards for audit compliance
- Controls for document management (versioning, role-based access, etc.)
SaaS/Hosting Conditions
BCM tools are typically SaaS based, which aligns with the need to have plans hosted outside of your business or data center location.
SaaS considerations from a client perspective include:
- Control over your data (e.g. ability to download or transfer your data at no extra cost)
- Whether data is encrypted in-flight and at rest
- Uptime SLAs
- Compliance with cloud security standards such as FedRAMP or SSAE 16 SOC 2, and compliance with security certifications such as ISO 27001 and 27002
Recommendations
- Understand that BCM software is not a silver bullet.
You still need a process to:
- Identify critical business functions and their dependencies to prioritize recovery efforts and investments.
- Determine your current recovery capabilities (e.g. through tabletop planning exercises and more-functional testing depending on your readiness for testing).
- Create an incident response plan from event detection to recovery and validation.
A BCM tool will help you record, track, and distribute the above information. It will not help you create it (yes, it will have templates, but you have to do the work, and that goes back to process).
- Assess whether you actually need a BCM tool.
If you have a complex environment and requirements, a BCM tool may be worth the cost and can save time vs. developing a plan in MS Office. When complexity is not a factor, purchasing a BCM tool can be looked at as a convenience vs. cost decision.
- If you think you need a BCM tool, evaluate products based on your specific requirements:
- The BCM market has matured to the point where most reputable vendors provide the features outlined above, to some degree.
- Identify your specific requirements so you can go deeper in your evaluation where it matters. For example, if compliance reporting is key for you, evaluate whether the tool provides easy-to-generate reports and to what extent it tracks compliance status.
For assistance with vendor evaluation, schedule a call with an Info-Tech analyst, and leverage our BCM Tool RFP Selection Criteria template.
- You will typically find multiple vendors that meet your requirements (again, due to the maturity of the market). At that point, it becomes a usability and cost decision.
Bottom Line
Understand what you will and won’t get from a BCM tool, and then evaluate your options based on your specific requirements. Due to the maturity of the market, many products will check your boxes, so your evaluation will often come down to usability and cost.
Want to Know More?
Develop a Business Continuity Plan