Business Continuity Management System implementation is fundamentally a programme, not a project. A project has a defined endpoint; a BCMS has a defined beginning (certification audit clearance) and an indefinite future (continuous improvement, exercise cycles, maintenance). Understanding BCMS implementation as a structured but ongoing programme shapes every sequencing decision.
The 12-month implementation roadmap described in this article is premised on a critical dependency: the sequencing of activities is constrained by the Business Impact Analysis. The BIA is the foundational analysis from which all other BCMS components flow. Strategy decisions depend on BIA outputs. BCP development depends on strategy. Exercise design depends on BCPs. The internal audit evidence base depends on all of the above. Accordingly, delays in the BIA cascade into delays across the entire programme.
This article describes the four implementation phases, the mandatory deliverables at each phase, the critical path activities that drive timeline risk, and the resource patterns that Indonesian organisations typically encounter during implementation.
The 12-Month Implementation Programme
The ISO 22301 implementation roadmap divides the 12-month journey into four phases, each with distinct objectives and deliverables. Phase 1 (months 1-2) establishes the foundation: a gap assessment that benchmarks current BCM maturity against the ISO standard, a defined scope statement, stakeholder mapping, and the BCM policy that governs the entire programme. Phase 2 (months 3-5) conducts the critical path activities: the BIA that identifies critical activities and their dependencies, the risk assessment that prioritises disruption scenarios, and the strategy approval that determines the continuity approach for each critical resource. Phase 3 (months 6-9) is the build phase: BCP development, ICT continuity planning, training programme launch, and the establishment of document control processes. Phase 4 (months 10-12) is the verification and certification phase: the exercise programme that tests BCM capability, the internal audit that verifies compliance, and the Stage 1 and Stage 2 certification audits that award the ISO 22301 certificate.
Each phase is designed to flow into the next: gap assessment findings inform the scope statement; scope statement determines BIA scope; BIA findings drive strategy decisions; strategy decisions are embedded in BCPs; BCPs are exercised and refined; and exercise findings and internal audit observations are closed before the certification audit. The dependencies between phases are rigid. Starting Phase 2 before Phase 1 is complete, or attempting Phase 3 without a completed BIA, will produce rework and delay.
The 12-month timeline assumes an organisation with 500-5,000 employees, sufficient internal BCM expertise or external consultancy support, and executive commitment to allocate process owner time for the BIA. Larger organisations, those with geographically dispersed critical activities, or those beginning from zero BCM maturity may require 16–24 months. Smaller organisations or those with existing partial BCM frameworks may complete the programme in 9–10 months.
| Phase | Months | Key Activities | Key Deliverables |
|---|---|---|---|
| Phase 1: Gap & Foundation | 1-2 | Gap assessment against ISO 22301, scope definition, stakeholder mapping, project planning, BCM policy draft | Gap report, BCMS scope statement, BCM Policy, project plan |
| Phase 2: Analysis & Strategy | 3-5 | Business Impact Analysis, BC risk assessment, strategy development, top management strategy approval | BIA report, risk assessment, BC strategy document, approved MAO/RTO/RPO targets |
| Phase 3: Build & Document | 6-9 | BCP development, ICT continuity plan, crisis management procedures, training programme, document management setup | Full BCP suite, ICT continuity plans, crisis management framework, training records |
| Phase 4: Test & Certify | 10-12 | Exercise programme (tabletop + functional), internal audit, management review, Stage 1 audit, Stage 2 audit | Exercise reports, internal audit report, management review minutes, ISO 22301 certificate |
Phase 1 — Gap Assessment and Foundation
The gap assessment is the activity that should receive the most rigorous attention and the most senior project management during the first phase. The purpose of the gap assessment is to benchmark the current state of BCM maturity in the organisation against the requirements of ISO 22301 — sub-clause by sub-clause, looking at what BCM activities exist, what is documented, what is operational, and what is missing entirely. A thorough gap assessment produces a prioritised backlog of implementation activities: foundational work (policies, governance, defined roles) before building work (BCPs, procedures, records).
Scope definition is the second critical Phase 1 activity. The BCMS scope statement answers: which business activities are in scope, which are explicitly excluded and why, which sites or geographic locations are included, and what is the organisational boundary — does the scope include subsidiaries, joint ventures, franchises, or only direct operations? The scope statement is essential because it determines BIA scope (which activities will be analysed), BCP scope (which activities will have written plans), exercise scope (which activities will be exercised), and audit scope (what the auditors will assess). Organisations that enter Phase 2 without a clear, agreed scope statement will experience scope creep: the BIA team will receive conflicting signals about which activities to include; process owners will disagree about dependencies; and the resulting BIA will be neither complete nor bounded. The gap assessment and scope statement should be completed in weeks 2–4 of Phase 1, with any major scope clarifications resolved before the BIA project plan is finalised.
The BCM policy is the governance document that establishes the mandate for the BCMS, commits top management to the programme, allocates responsibility for BCM across the organisation, and defines the objectives that the BCMS is designed to achieve. The policy draft is usually quite short (2–3 pages) and is refined through Phase 1, but it must be approved by top management before the BIA begins in Phase 2. Without policy-level approval, the BIA team will lack clear authority to demand process owner time and to require business activity data from departments that may be reluctant to participate.
| KEY IDEA | The gap assessment is the most important investment in the implementation programme. An organisation that enters a BCMS implementation without understanding its current BCM maturity — what exists, what is missing, what needs to be built from scratch — will misallocate resources, miss critical dependencies, and encounter surprises at the Stage 1 audit. A structured gap assessment against each sub-clause of ISO 22301 produces a prioritised implementation backlog that drives the rest of the programme. |
Phase 2 — BIA and Strategy
The BIA is the critical path activity of the entire implementation programme. Every day the BIA is delayed shifts the entire remaining programme by the same period. The BIA depends on process owner time and attention — and process owners are operational staff with day-to-day responsibilities who will deprioritise BCM interviews if top management has not explicitly committed to unblocking their calendars. The BCM programme manager must secure a commitment from each department head that process owners will be available for BIA interviews during a defined window (typically 4–8 weeks), and that the business will not schedule competing priorities during that window.
The risk assessment runs in parallel with the BIA (weeks 3–5 of Phase 2). Risk assessment in a BCMS context is distinct from IT security risk assessment — it focuses on identifying external and internal threats to critical business activities (natural disasters, cyber incidents, supplier failure, staffing disruptions, regulatory change) and assessing the likelihood and consequence of disruption scenarios. Risk assessment informs two things: the strategy that will be chosen to protect critical activities, and the exercise scenarios that will be used to test the BCMS.
Strategy approval (end of Phase 2) is the moment at which top management endorses the continuity approach for each critical activity. For each activity, strategy decisions address: what people strategy will enable staff to work (cross-training, contractors, mutual aid), what premises strategy will provide working space if the primary site is unavailable (alternate site, work-from-home, hot standby), what technology strategy will maintain system availability (cloud, redundancy, manual workaround), and what supplier strategies will protect the organisation if critical suppliers fail (dual sourcing, contractual requirements, in-house fallback). These are not technical details — they are business decisions with cost, timeline, and operational implications, and they require top management approval. Strategy decisions made without top management visibility will later be found to conflict with board-level risk appetite or budget constraints, forcing rework and delay.
Phase 3 — Build and Document
Phase 3 is BCP development — the translation of strategy decisions into operational procedures. BCP development runs in parallel across multiple plans: a master plan covering the crisis management framework and decision-making authority; activity-specific plans for each critical activity identified in the BIA; ICT continuity plans covering system recovery and alternative technology access; and premises recovery procedures covering evacuation, alternate site activation, and return to primary site. The quality of BCPs is uneven across organisations; many BCPs are written at a level of generality (""restore systems, notify clients"") that provides no practical guidance when actually activated under pressure. The expectation for Phase 3 is that BCPs are written at an operational level of detail, with named roles, specific contact numbers, step-by-step procedures, and pre-written communication scripts. This level of detail requires BCP owners to work closely with process owners to verify procedures against current operational reality.
Document control must be established before BCPs are released. Document control includes version control (each BCP version is numbered and dated), approval authority (who must sign off on a BCP before it is released), and change management (how changes to BCPs are requested, approved, and distributed). Too many organisations allow BCPs to circulate in draft form without clear ownership; without document control processes, BCPs become stale within months as organisations change and process owners depart.
Training programme development begins in Phase 3, with awareness training targeted at all in-scope staff (explaining the BCMS, personal roles, and the need to maintain BCP currency) and role-specific training for BCP activation teams (crisis management leadership, communication teams, recovery procedure owners). Training must occur before exercises; untrained staff cannot execute BCPs effectively, and exercises become tests of training adequacy rather than plan adequacy.
Phase 4 — Exercise, Audit, and Certify
The exercise programme is the quality assurance mechanism for the entire BCMS. Organisations that skip exercises and proceed directly to certification audit are gambling; exercises discover gaps (inaccurate contact lists, procedures written for staff who have left, alternate sites that are unavailable, resource shortages) that must be corrected before certification. A typical Phase 4 exercise programme includes at least one tabletop exercise (discussion-based scenario) per BCP in weeks 1–4, one functional exercise (partial activation) for high-criticality activities in weeks 5–8, and one full simulation or technical recovery test in weeks 8–10. Each exercise is debriefed, findings are logged, and improvement actions are tracked to closure.
Internal audit (weeks 9–11) is the organisation’s final verification before certification audit. The internal audit is structured against ISO 22301 clauses, examines evidence (BCPs, training records, exercise reports, BIA documentation), and interviews process owners and crisis management team members. The internal audit identifies any gaps that must be closed before the certification auditor arrives. Internal audit finding closure should be completed by end of week 11; findings still open at the start of week 12 create pressure that often leads to incomplete remediation.
The Stage 1 and Stage 2 certification audits (weeks 10–12) are conducted by an external certification body. Stage 1 is a document and process review; Stage 2 is an implementation audit that verifies the BCMS is actually operational and that BCPs can be activated. Stage 2 auditors interview staff, review exercise records, test staff knowledge, and verify that critical procedures described in BCPs are known and understood by the people who will execute them.
| Milestone | Prerequisite | Common Delay Cause |
|---|---|---|
| BIA kick-off | Scope statement approved, process owner list confirmed | Scope creep; insufficient executive sponsorship to secure process owner time |
| BIA completion | All critical activities interviewed and validated | Incomplete process inventory; process owners unavailable; validation workshops not scheduled |
| Strategy approval | BIA completed, top management review scheduled | Management review not in calendar; strategy options not prepared in advance |
| BCP first draft | Strategy approved, BCP template agreed | Template disagreement; plan writers without BIA outputs |
| First exercise | BCPs drafted, exercise scenario designed | Exercise deferred; scenario design not started until BCP complete |
| Internal audit | Full clause coverage achieved, exercise completed | Auditor not identified; audit scope too narrow |
| Stage 1 audit | Internal audit completed, all mandatory documents exist | Documentation gaps found late; management review not conducted |
| Stage 2 audit | Stage 1 observations closed, implementation evidence ready | Stage 1 findings not addressed; exercise records insufficient |
| IMPORTANT | The Stage 2 audit is an implementation audit, not a documentation audit. Auditors will interview process owners, review exercise records, test staff awareness, and verify that BCPs reflect current operations. Organisations that spend Phase 3 writing documents and skip rigorous exercises, cross-functional training, and BCP validation with process owners will pass Stage 1 and fail Stage 2. Exercise and awareness are not optional pre-certification activities — they are what the Stage 2 auditor is specifically assessing. |
Resource Planning for ISO 22301 Implementation
The resource question in most organisations is whether to build BCMS capability internally or engage external consultancy support. The answer is typically both: external expertise for the high-leverage activities (BIA, strategy development, audit readiness review), internal resources for the building and maintenance activities (BCP development, document control, exercise coordination). A typical 500-person organisation with moderate BCM maturity requires approximately 15–20 person-months of effort across the 12-month programme: 3–4 months for a BCM programme manager working full-time, 6–8 months of effort from department heads and process owners contributing to BIA and strategy (spread across a 6-week window), 4–5 months of effort for BCP development (by process owners and BCM team), and 2–3 months for exercise coordination and internal audit.
External consultancy is most efficiently deployed during Phase 1 (gap assessment, scope definition, policy drafting) and Phase 2 (BIA facilitation, strategy development, target setting). External consultants are typically more efficient at these activities than internal teams, because they bring cross-organisation experience and are not embedded in the political dynamics of internal decision-making. External costs are typically 40–50% of total implementation cost; internal effort is 50–60%.
Budget for Indonesian organisations should assume USD 50,000–100,000 for external expertise (gap assessment, BIA, strategy), plus USD 30,000–50,000 for certification auditor fees, plus internal costs (salaries for BCM programme manager, BCP writers, and process owner contributions). The largest variable cost is BIA scope: a BIA covering 30 critical activities across 3 sites will cost significantly more in external time than a BIA covering 10 critical activities at one site. Budget planning should be based on realistic BIA scope, not on aspirational scope that will be scaled back during Phase 2.
| BITLION INSIGHT | The most common implementation failure pattern in Indonesian BCMS programmes is BIA delay. The BIA depends on process owner time — and process owners are operational staff with day jobs who deprioritise BCM interviews. Every week the BIA is delayed shifts the entire programme timeline. The highest-leverage action a BCM programme manager can take in Phase 1 is securing top management commitment to block process owner calendars for BIA interviews. Without that commitment, the BIA will take three months instead of six weeks and the certification timeline will slip by the same margin. |