The BCMS Lifecycle: Plan-Do-Check-Act

The Plan-Do-Check-Act cycle is not unique to BCMS. It is the operating model for any functioning management system. For BCMS it is particularly important because business continuity capability degrades without active maintenance. Threat landscapes change, staff turnover occurs, systems are upgraded, business processes are redesigned. A BCMS left in place without ongoing review and improvement will slowly become obsolete.

This article walks through each phase of the PDCA cycle as it applies to BCMS, identifies the key activities and outputs at each stage, and explains how the cycle repeats to maintain continuous improvement. Understanding PDCA is essential to implementing a BCMS that is not just compliant but actually functional.

The PDCA cycle is not a one-time project with an end date. It is the operating model. The organisation will plan, implement, measure, and improve continuously. The certification audit assesses the current state at a point in time, but the BCMS is a permanent operational reality.

 

Why BCMS Requires a Lifecycle, Not a Project

Business continuity is sometimes approached as a project: "We will develop the BCMS, achieve certification, and then it’s done." This approach is incorrect. Certification is a milestone, not the end state. A certified BCMS that is not continuously maintained will degrade.

Why? Because organisations change. New business units are acquired or divested. Technologies are upgraded. Suppliers are switched. Staff leave and are replaced. Customer contracts change. Regulatory requirements shift. Threat landscapes evolve. A BCP that was accurate when it was written becomes inaccurate when the organisation’s processing locations change, or when key staff retire, or when a critical supplier relationship ends.

The PDCA cycle is the mechanism that keeps the BCMS current. The Check phase (internal audit, management review) identifies gaps. The Act phase (corrective action, improvement) closes them. Without this continuous cycle, the BCMS becomes a static artifact: documentation that looks current but describes procedures that no one has validated in two years.

 

Plan — Establishing the BCMS Foundation

The Plan phase is where the BCMS is designed. This phase encompasses: understanding the organisation’s context (internal and external), defining the BCMS scope, conducting the Business Impact Analysis, assessing risks, developing the business continuity strategy, setting BCMS objectives, and establishing the BC Policy.

Context analysis answers: What is our business? What is our competitive environment? What are our regulatory obligations? Who are our stakeholders? What is our risk appetite? Scope definition answers: Which activities, locations, functions, and systems are in or out of scope? The BIA answers: Which activities are critical? What are our RTO, RPO, MAO, and MBCO targets? Risk assessment identifies threats and existing controls. Strategy development determines whether we will recover in place, use a hot site, work from home, or use multiple location strategies.

The Plan phase produces the foundational documents: the BCMS scope statement, the critical activity register, the BIA output, the risk register, the continuity strategy, and the BC Policy approved by top management. These documents drive everything that follows.

| Plan Stage Activity | Key Input | Key Output |
|---|---|---|
| Context and stakeholder analysis | Organisational strategy, regulatory requirements, stakeholder interviews | Context document, stakeholder register, interested party requirements |
| BCMS scope definition | Context analysis, top management input | Scope statement—what is in and out of the BCMS |
| Business Impact Analysis | Business process inventory, financial data, SLA obligations | Critical activity register, MAO/RTO/RPO/MBCO per activity |
| Risk assessment | Threat environment, critical activity register, existing controls | Risk register, threat scenarios for exercise design |
| Business continuity strategy | BIA outputs, risk assessment, resource constraints | Strategy decisions: people, premises, technology, supplier strategies |
| BCMS objectives | Strategy, stakeholder requirements, regulatory baseline | Measurable BCMS objectives linked to KPIs |

KEY IDEA: The Plan phase is where most BCMS implementations either succeed or fail. An organisation that invests in a rigorous BIA—one that is based on actual business data, validated with process owners, and reviewed by management—has a BCMS built on solid ground. An organisation that conducts a BIA by circulating a template and accepting the first responses builds a BCMS on assumptions that will be exposed under audit or during an actual disruption.

 

Do — Implementing Business Continuity Capability

The Do phase is where the BCMS moves from planning to implementation. This phase encompasses: developing business continuity plans for each critical activity, establishing the crisis management framework, planning ICT continuity, conducting training and awareness, and designing and implementing the exercise programme.

Each critical activity identified in the BIA requires a business continuity plan. The BCP is a procedure document that describes how to restore that activity if normal operations are disrupted. The BCP includes: activation criteria (what triggers deployment), roles and responsibilities, escalation procedures, communication protocols, recovery procedures, alternative work arrangements, and recovery testing requirements.

ICT continuity plans are typically the largest component of the overall BCP. ICT continuity specifies: critical systems and their RTO/RPO targets, backup mechanisms and testing, recovery runbooks, failover procedures, supplier communication plans, and testing schedules. Exercise design and conduct is critical: the BCP remains untested theory until it has been exercised under realistic conditions.

| Do Stage Activity | ISO 22301 Clause | Evidence Required |
|---|---|---|
| Business Continuity Plan development | Clause 8.4 | Documented BCPs with activation criteria, roles, procedures, and communication scripts |
| Crisis management framework | Clause 8.4 | Crisis management procedures, command structure, escalation protocols |
| ICT continuity planning | Clause 8.5 | ICT continuity plans with RTO targets and recovery procedures |
| Competence and awareness training | Clause 7.2/7.3 | Training records, competency assessments, awareness programme documentation |
| Exercise programme implementation | Clause 8.5 | Exercise schedule, exercise records, post-exercise improvement actions |
| Supplier BCM integration | Clause 8.4 | Supplier BCM contractual requirements, supplier BCP assessments |

 

Check — Monitoring, Measurement, and Internal Audit

The Check phase is where the BCMS is assessed for performance and compliance. This phase encompasses: establishing and tracking BCMS KPIs, conducting internal audits, and conducting management review.

BCMS KPIs are metrics that indicate whether the BCMS is effective. Examples: percentage of critical activities with documented BCPs, percentage of BCPs with evidence of annual exercise, time from incident detection to BCP activation, percentage of staff who have completed BC awareness training, or average time to restore against RTO targets. KPIs are tracked and reported, typically monthly or quarterly, to management.

Internal audit is the primary mechanism for assessing BCMS compliance and effectiveness. The internal audit is conducted by personnel independent of the areas being audited (or by external auditors). The audit assesses all areas of the BCMS—from context and scope through operations and improvement. Audit findings are categorized as observations (areas for improvement), minor nonconformities (failures to meet the standard that do not have major impact), or major nonconformities (failures that fundamentally undermine BCMS effectiveness).

 

Act — Continual Improvement

The Act phase is where findings from monitoring, audit, and exercise are converted to improvement. This phase encompasses: root cause analysis of nonconformities, corrective action implementation, tracking of improvement actions, and lessons-learned capture from disruption events and exercises.

When an internal audit finds a nonconformity, the organisation must determine the root cause and implement corrective action. Root cause analysis prevents the same nonconformity from recurring. Corrective actions are tracked in a corrective action register, with assigned owners and target completion dates. Effectiveness is verified when the action is closed.

Exercise debriefs and actual disruption events generate lessons learned. These might be documented in a lessons-learned register, discussed in management review, and converted to improvement actions. Over time, this continuous improvement process raises the maturity and effectiveness of the BCMS.

IMPORTANT: The most common weakness in operational BCMSs is a Plan-Do cycle that never completes the Check-Act loop. Plans are written and exercises are conducted, but findings are not tracked, corrective actions are not implemented, and the BCMS does not improve. ISO 22301 Clause 10 is explicit: nonconformities require root cause analysis and corrective action. An internal audit that produces no findings and an exercise that generates no improvement actions are not signs of a perfect BCMS—they are signs of an audit and exercise programme that is not looking hard enough.

 

The BCMS Annual Calendar

A well-run BCMS is integrated into the annual business calendar. Typical timing: BIA updates are conducted in Q1 aligned with business planning. Risk assessments are refreshed. Exercise programmes are conducted in Q2 and Q4 to avoid year-end and Ramadan peaks. Internal audits are scheduled to provide findings for the annual management review. Management review is held in Q4 and considers the annual results of monitoring, KPIs, audit findings, and exercise outcomes.

The annual calendar prevents the BCMS from becoming a project that consumes resources unpredictably. Instead, stakeholders know when to expect BIA interviews, when exercises will occur, when training will happen. The rhythm of the BCMS becomes embedded in organisational operations.

BITLION INSIGHT: The most efficient BCMS maintenance model we observe in Indonesian organisations integrates BCMS activities into existing business rhythms: the annual BIA update runs alongside the annual business planning cycle; the exercise programme is scheduled in Q2 and Q4 to avoid year-end and Ramadan peaks; management review is attached to the board risk committee agenda. Integration reduces the perceived overhead of the BCMS and ensures that the people who need to participate—department heads, IT directors, HR—are already in the room.