BCM manual

Is that a general requirement to have manual for BCMS too? (My organization has manual for all the other certifications such as QMS, EMS, OHSMS and EnMS.) It is a very common question from my colleague as they are expecting a manual before any other documents.

Answer: There is no requirement in ISO 22301 to have a BCM manual, and most companies do not create such a document. In my opinion, BCM manual is not really needed because business continuity plans should not be bundled into some integrated document since they have to be stored in departments that will use them in case of an emergency.

However, if you want to create a document which will list how your company will comply with all the clauses of the standard, this is something you can do; but frankly - I don't see a practical use of such document.

Developing a BCM manual might be a good idea as an educational tool for executives and business managers to understand the Business Continuity PROCESS. Business Continuity is owned by the business, and the business determines the level of risk it wants to accept. Operations and IT then just execute upon a strategy to mitigate upon this risk. Writing a short manual, directed to business owners, focuses BCM to the right audience. A BCM manual should describe the steps of the process:
Policy, and Regulatory Compliance - if required
1. Risk Analysis - what are the risks to your business?
2. Business Impact Analysis - What are YOUR mission critical process? And what MTPD (Maximum Tolerable Period of Disruption) are you willing to accept?
3. What is your recovery strategy? - It will cost to implement this, so if your MTPD is too aggressive, you may find yourself more willing to accept a longer MTPD or a a less costly recovery strategy?
4. Implementing the recovery strategy - (building it) and documenting the recovery plans.
5. Conducting annual exercises and testing - for certification, verification, improvement and awareness and training.
I recommend a BCM be short and speak directly to the business owner's responsibility to provide planning for business resiliency. It can be a useful tool.

Thanks for your comment, dmikulsk - I understand your point that BCM manual can be a useful document to describe the business continuity process; however, wouldn't the ISO 22301 standard itself be a better document for that purpose?