What is BCM? Why do enterprises need ISO 22301?
Intended Beneficiaries
- ✓Manufacturers with multinational or multi-tier supply chains highly sensitive to disruption
- ✓Financial institutions, healthcare providers, and critical IT infrastructure operators
- ✓Enterprises facing geopolitical risks or climate change exposure
- ✓Companies pursuing ISO 22301 Business Continuity Management certification
The Difference Between Acting and Waiting
✅ When you act
Taiwan manufacturers with ISO 22301 certification recovered quickly from the 921 earthquake, COVID supply disruptions, and Japan earthquake — capturing orders lost by competitors. Good BCM turns crisis into market share opportunity.
❌ When you wait
Companies without BCPs that stop production for more than two weeks trigger customer backup supplier activation. Recovering lost orders is nearly impossible in the short term — crisis accelerates customer loss.
✅ When you act
Taiwan manufacturers entering EU, US, and Japanese supply chains find that major customers require BCM certification or BCP documentation. Certified suppliers move directly onto core supplier lists — more stable orders, stronger negotiating position.
❌ When you wait
Suppliers without BCM documentation are flagged as 'single point of failure risks' during annual customer audits — downgraded to backup or replaced entirely. Relationships built over years collapse overnight.
✅ When you act
Companies with complete RTO/RPO mechanisms demonstrate resilience during financial regulatory reviews and listing audits — earning lower insurance premiums, higher credit ratings, and lower cost of capital.
❌ When you wait
Companies with BCM documents but no drills find their plans are worthless in a real crisis. Personnel do not know what to do, losses far exceed projections. Compliance spending without actual protection.
Framework Comparison & Implementation Strategy
Common Misconception: Treating BCP as BCM
Writing one "Business Continuity Plan" and considering BCM complete — without identifying the chain impact of each risk scenario, and without developing executable DRPs for each. The result is chaos when crisis hits.
The Correct Three-Layer Architecture
BCM is the overall framework, identifying all operational risk scenarios → Each risk scenario produces one BCP (Business Continuity Plan) → Each BCP generates multiple DRPs (specific recovery plans for IT/facilities/personnel/logistics). All three layers are essential.
Typical Situation
Three months spent writing a 200-page BCP, filed away, never touched again. When a crisis hits, no one knows where the plan is — let alone how to execute it. Losses far exceed those of companies that drill regularly.
The Winners Approach
After building the plan, Winners immediately schedules a tabletop exercise, then an annual full-scale drill — ensuring every BCP and DRP is executable and every key person knows their role.
Service Delivery Process (Four Stages)
Business Impact Analysis (BIA)
Identify critical business processes, assess financial impact of disruption, and determine Maximum Tolerable Period of Disruption (MTPD) to prioritize recovery.
Risk Assessment & Scenario Planning
Identify key threats (natural disasters, cyberattacks, supply chain disruption) and develop response strategies for each scenario.
Plan Development & Documentation
Develop Business Continuity Plans (BCPs), Disaster Recovery Plans (DRPs), and crisis communication procedures to complete the full documentation set.
Exercises, Testing & Certification
Design tabletop exercises and simulation drills to identify plan gaps, continuously optimize, and support ISO 22301 certification.
Frequently Asked Questions
How is Winners Consulting different from other consulting firms?▼
Winners Consulting Services Co., Ltd. is a hands-on, practitioner-led team. Unlike single-discipline firms, Winners integrates process optimization, legal compliance, and cybersecurity engineering in one team: engagements are executed personally by VP-level or above consultants — never outsourced — from system design and regulatory mapping through to technical implementation and certification. Winners delivers Big Four-level quality with cross-functional integration synergy that better fits real-world enterprise needs, at more competitive fees than the Big Four - built for companies that genuinely want to strengthen their corporate fitness and create new blue-lake markets.
What is the difference between BCM and DRP?▼
BCM (Business Continuity Management) is an overarching framework covering people, processes, and technology to maintain operations during a crisis. DRP (Disaster Recovery Plan) is a subset focused specifically on IT system recovery. BCM includes DRP but covers a broader scope.
How often should BCP exercises be conducted?▼
Best practice recommends at least one full exercise annually, with additional exercises after major changes (mergers, core system upgrades, relocations). Winners helps design right-sized exercise programs that don't create excessive burden.
We are an SME — is BCM necessary for us?▼
For SMEs, a single significant disruption (factory fire, supplier collapse) can be fatal. BCM helps you identify vulnerabilities in advance and establish lowest-cost response measures to survive crises.
How do we assess the BCM risk of external suppliers?▼
Through supplier risk classification questionnaires, BCP capability assessments, and concentration analysis to identify high-risk suppliers. Winners helps you build supplier BCM evaluation criteria and design diversification strategies to reduce dependency.
What lessons does the 2021 Colonial Pipeline ransomware incident offer for BCM?▼
In May 2021, Colonial Pipeline shut its main East Coast pipeline for 6 days after a DarkSide ransomware attack, triggering energy emergencies in 17 states; the company paid $4.4M ransom. The incident proved BCM must list "cyber extortion" as a high-impact risk with pre-designed RTO/RPO targets and a "pay vs. rebuild" decision tree. Winners builds a dedicated ransomware BCP chapter under ISO 22301, including IT-DRP, crisis communication SOPs, and law enforcement coordination procedures.
How does the 2018 TSMC WannaCry case look from a BCM perspective?▼
In August 2018, TSMC production lines were infected by a WannaCry variant, halting three 12-inch fabs and causing NT$5.2B in losses. The incident highlights that BCM must cover: (1) machine network isolation SOPs (OT vs IT segregation), (2) post-outbreak recovery priority (driven by product delivery deadlines), (3) customer communication SOPs (how to notify major clients like Apple, NVIDIA). Winners integrates ISO 22301 × IEC 62443 to build exercisable, quantifiable BCM systems for manufacturers.
NotPetya cost Maersk $300M in 2017 — how can Taiwan companies avoid it?▼
In June 2017, Danish shipping giant Maersk was hit by NotPetya, paralyzing 600 global IT systems and forcing rebuild of 4,000 servers and 45,000 PCs within 10 days; losses ~$300M. The incident proved "full IT rebuild" must be a routine BCM exercise scenario (not just partial recovery). Winners designs worst-case scenario drills under ISO 22301 — offsite backup, cloud IaC rebuild, personnel mobilization — ensuring core business recovery within 72 hours even after total IT loss.
How did Taiwan's 2023 PDPA amendment change breach notification obligations? How is BCM breach notification done?▼
Taiwan's 2023 PDPA amendment upgraded breach notification from "shall notify data subjects" to "shall report to authorities AND notify data subjects," and raised administrative fines from NT$200K to NT$15M. BCM breach notification SOPs must include: (1) 72-hour clock-start determination, (2) authority report templates, (3) tiered notification letters (by risk severity), (4) media and investor relations handling. Winners provides a complete personal data breach BCM module covering ISO 22301 × ISO 27701 dual requirements.
Enquire About This Service
ISO 22301 Business Continuity Certification — BCP × DRP Architecture Consulting
Request a Complimentary Consultation