Answer: ISO 22301 and ISO 31000 are not very similar. ISO 31000 gives you the guidelines to develop a risk management system for any type of risk on a corporate level. ISO 22301 defines the requirements for developing business continuity, including business continuity policy, business impact analysis, business continuity strategy, planning, and much more. However, these two standards are very compatible - ISO 31000 provides guidelines for risk assessment, which is required in ISO 22301 but not covered there in detail.
2. What are the pitfalls of developing a basic BCMP first (incl. identifying the biggest risks and associated action plans, crisis recovery process and procedures), and then developing a full-blown BCMS and pursuing certification second? Background: our company is ISO 9001 and RC14001 certified already.
Answer: I'm not sure what you mean by "BCMP", but I assume you refer to BCP (Business Continuity Plan). The pitfall of developing the BCP without the BCMS is that you won't have the management part of your business continuity: management support, defining requirements, setting the objectives, providing resources, controlling documents, measuring success, etc. In other words, you would have business continuity that would probably sit completely out of context, with no understanding from the business side and no way to control it.
So if you develop your BCP first, and then the rest of the BCMS, chances are you would have to redo the whole BCP again.