What are the key differences between Crisis Management Plans (CMPs) and Business Continuity Plans (BCPs)?

A Crisis Management Plan (CMP) focuses on strategic decision-making, leadership, escalation, and internal and external communications during high-impact events that may threaten organisational reputation, stakeholder confidence, or long-term viability. ISO 22361 emphasises crisis governance, leadership roles, stakeholder communication, and strategic coordination.

A Business Continuity Plan (BCP), as required by ISO 22301, is operational in nature. It aims to maintain or restore critical activities within defined recovery time objectives (RTOs) through predefined continuity and recovery strategies. The two are complementary: crisis management sets direction and priorities, while business continuity ensures operational recovery.

How can supply chain disruptions be addressed within a Business Continuity Management System (BCMS)?

Supply chain disruptions should be managed proactively within the BCMS by:

  • Identifying critical suppliers and outsourced activities during Business Impact Analysis (BIA)
  • Assessing risks related to supplier failure and interdependencies
  • Defining strategies such as alternate suppliers, dual sourcing, or geographic diversification
  • Including continuity requirements within supplier contracts
  • Periodically reviewing and testing supplier continuity arrangements

ISO 22301 requires organisations to consider dependencies on external parties when defining continuity strategies.

How should organisations maintain their BCMS during major organisational change?

Major changes such as mergers, restructurings, technology changes, or outsourcing can significantly affect continuity arrangements. To maintain an effective BCMS, organisations should:

  • Integrate BCM considerations into change management processes
  • Review and update the BIA and risk assessments
  • Reassess continuity strategies and resource requirements
  • Update plans, roles, and responsibilities
  • Validate changes through exercises or tests

This ensures the BCMS remains suitable, adequate, and effective in line with ISO 22301 requirements.

Is it still realistic to classify processes as critical when all functions can operate remotely?

Yes. ISO 22301 requires organisations to identify critical activities based on impact over time, not solely on the ability to work remotely. While remote working has improved resilience, some processes still have a greater impact on customers, regulatory obligations, revenue, or strategic objectives when they stop. Support and non-critical functions may also enable critical processes and should be assessed accordingly: a function whose own outage is tolerable still inherits the recovery requirements of the critical activities that depend on it.
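To make the "impact over time" test concrete, here is an added example (not part of the original page, and not an ISO 22301 artefact) that ranks activities by when an outage becomes intolerable and then propagates that requirement to the support functions they depend on. The outage horizons, the impact scale, the intolerable threshold, the activity names and the sample scores are all constructed for illustration; the term MTPD (maximum tolerable period of disruption) is standard BCM vocabulary but does not appear on this page.

```python
"""Impact-over-time BIA with dependency propagation (added example).

Constructed sample data: each activity has an impact score (0-4) for an
outage of 4h, 1d, 3d and 1w. An activity's MTPD is the first horizon at
which the score reaches the intolerable threshold; its RTO must sit
below that. Criticality is then propagated backwards along dependencies,
so a support function inherits the tightest RTO of everything it enables.
"""
from dataclasses import dataclass

HORIZONS_H = (4, 24, 72, 168)  # assumed outage buckets, in hours
INTOLERABLE = 3                # assumed score at which an outage is intolerable


@dataclass(frozen=True)
class Activity:
    name: str
    impact: tuple          # impact score per horizon, non-decreasing
    depends_on: tuple = () # names of activities this one needs to run


def mtpd_hours(activity: Activity):
    """First horizon at which impact reaches INTOLERABLE, or None if never."""
    for hours, score in zip(HORIZONS_H, activity.impact):
        if score >= INTOLERABLE:
            return hours
    return None


def direct_rto_hours(activity: Activity):
    """RTO from the activity's own impact curve: the last horizon strictly
    before the MTPD. If the MTPD is already the first bucket, use half of it
    (assumed convention so the RTO is still below the MTPD)."""
    mtpd = mtpd_hours(activity)
    if mtpd is None:
        return None
    idx = HORIZONS_H.index(mtpd)
    return HORIZONS_H[idx - 1] if idx > 0 else mtpd // 2


def assign_rtos(activities):
    """RTO per activity after propagation: a dependency's RTO is the minimum
    of its own RTO and the RTOs of every activity that depends on it.
    Iterates to a fixed point so chains (A -> B -> C) are handled."""
    rto = {a.name: direct_rto_hours(a) for a in activities}
    changed = True
    while changed:
        changed = False
        for a in activities:
            mine = rto[a.name]
            if mine is None:
                continue
            for dep in a.depends_on:
                if rto[dep] is None or mine < rto[dep]:
                    rto[dep] = mine
                    changed = True
    return rto


def critical_activities(activities):
    """Activities with a finite RTO, tightest first, then by name."""
    rto = assign_rtos(activities)
    return sorted((n for n, r in rto.items() if r is not None),
                  key=lambda n: (rto[n], n))


# Constructed sample: every one of these could be run remotely, yet the
# impact curves (and the dependency graph) still separate critical from not.
SAMPLE = (
    Activity("payments",          (2, 3, 4, 4), depends_on=("identity_platform",)),
    Activity("payroll",           (0, 1, 2, 4)),
    Activity("identity_platform", (1, 1, 2, 2), depends_on=("datacentre_power",)),
    Activity("datacentre_power",  (0, 0, 0, 0)),   # tolerable on its own
    Activity("marketing_site",    (0, 0, 1, 1)),
)

if __name__ == "__main__":
    for name, hours in assign_rtos(SAMPLE).items():
        print(f"{name:18} RTO = {hours if hours is not None else 'n/a'}")
    print("critical:", critical_activities(SAMPLE))
```

Running it shows that `identity_platform` and `datacentre_power` have no intolerable impact of their own, but both receive a 4-hour RTO because `payments` cannot meet its own RTO without them; `marketing_site` never crosses the threshold and stays out of the critical list.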

What is the recommended frequency for testing Business Continuity Plans?

ISO 22301 does not prescribe a fixed testing frequency but requires organisations to exercise and test plans at planned intervals and following significant changes. Good practice commonly includes:

  • Annual tabletop or scenario-based exercises
  • More frequent testing for high risk or regulated activities
  • Additional exercises following incidents or major organisational changes

The objective is to validate readiness, roles, decision making, and effectiveness.

What specific elements should organisations consider in their BCP considering current geopolitical tensions?

Organisations should expand their risk assessments to consider geopolitical instability by:

  • Evaluating potential regional or international impacts on operations
  • Identifying critical activities and dependencies on infrastructure such as power, telecommunications, and transport
  • Assessing reliance on government controlled or monopolised services
  • Developing strategies such as alternate locations, alternate suppliers, remote work capability, and manual workarounds

The goal is to ensure recovery of critical operations even during widespread or prolonged disruption.

Is it more effective to maintain a single organisational risk register or separate registers for critical processes?

Both approaches are valuable. An organisation wide risk register supports strategic oversight, while process level risk assessments provide detailed insight into risks that could cause failure of individual critical activities. ISO 22301 encourages a risk based approach that supports BIA outcomes and continuity strategies, and many organisations adopt a combination of both.

Is crisis management the same as disaster management?

No. Disaster management typically focuses on the response to specific events such as natural disasters or site-based incidents. Crisis management, as described in ISO 22361, is broader and addresses any abnormal or extraordinary situation that threatens strategic objectives, reputation, or organisational survival. Crisis management includes leadership, decision-making, communication, and coordination across multiple response functions.

What critical requirements should organisations review when relying heavily on external providers during geopolitical instability?

Organisations should:

  • Identify critical activities dependent on external services (e.g. power, internet, telecommunications, cloud services)
  • Assess the resilience and continuity capabilities of key providers
  • Define alternate sourcing or fallback options where possible
  • Include continuity requirements within contracts
  • Establish manual or remote working arrangements to maintain minimum service levels

This reduces reliance on single points of failure and enhances organisational resilience.

Does “back to normal” in business continuity include recovery of revenue levels?

Yes. Within a BCMS context, "back to normal" means returning to pre-disruption performance levels, including service delivery, operational capacity, and revenue where applicable. Recovery is only considered complete once the organisation is again meeting its intended business objectives, not merely once systems and sites are available again.

How can organisations align BCP with Enterprise Risk Management (ERM) and ESG objectives? Are AI tools relevant?

Alignment can be achieved by:

  • Establishing cross-functional collaboration between BCM, ERM, and ESG teams
  • Using common risk criteria and an aligned risk appetite
  • Incorporating sustainability and social impact considerations into continuity strategies
  • Leveraging digital and AI-enabled tools for risk monitoring, scenario analysis, and early warning, while keeping human review of the outputs that drive continuity decisions

This integrated approach supports stronger organisational resilience and long term sustainability.

Can risk registers or FMEA be used to demonstrate continuity and crisis management?

Yes, both tools can support continuity and crisis management by identifying and prioritising risks. However, they do not replace the need for a Business Impact Analysis (BIA) or defined continuity strategies required by ISO 22301. They should be used as complementary tools within a structured BCMS.

How should management respond to a cyber attack resulting in data leakage?

A cyber attack with data leakage constitutes a disruptive incident and should trigger both business continuity and crisis management processes, because it combines an operational outage with a potential breach-notification obligation and a reputational threat. Management should:

  • Activate incident response and crisis management arrangements
  • Contain the attack by isolating affected systems, while preserving logs and disk images so forensic investigation and any regulatory inquiry are not compromised
  • Coordinate with IT security, legal, and communications teams
  • Assess operational, regulatory (including breach-notification deadlines for personal data), and reputational impacts
  • Restore systems from known-good backups, after the intrusion has been eradicated, in line with IT disaster recovery and continuity plans

This coordinated response aligns with ISO 22301 and ISO 22361 principles for managing disruptive incidents.