Business Continuity Management Software Selection Guide
Navigate a mature market to find the best fit.
Developing a business continuity plan is one of the largest and most complex projects an organization will take on because it touches every aspect of the organization and can involve mounds of data. When you add disaster recovery, crisis management, and other resilience planning, the effort can be overwhelming, especially if you plan on using just MS Office tools.
A BCM tool will help streamline plan development and maintenance, but navigating such a deep and mature market can be challenging.
Our Advice
Critical Insight
- A BCM tool is not a silver bullet. You still need to follow a practical, structured process to generate the plan elements that will be recorded in the BCM tool.
- All leading vendors in this space offer the same core features, so focus on usability, price, and differences in key features that are most relevant to your requirements.
- Look for options to simplify the experience (e.g. an entry-level software package or the ability to customize views to hide content that is not yet applicable) until you are ready to take full advantage of the solution.
Impact and Result
- Understand key trends and differentiating features in the BCM marketspace.
- Review the strengths and weaknesses of major BCM vendors.
- Follow a process to define your requirements and evaluate vendors in a structured manner to identify the best fit.
Business Continuity Management Software Selection Guide
Navigate a mature market to find the best fit.
Analyst Perspective
|
This is a highly mature market with little to separate leading vendors when it comes to feature lists. Focus on usability and vendor support, and let price be the tiebreaker when the first two requirements are met. |
Any decent business continuity management (BCM) software will have a business impact analysis (BIA) component, templates for developing plans, and the ability to integrate with other relevant software such as emergency/mass notification tools, human resource information system (HRIS) tools, and so on. To evaluate vendors and find the right fit for your organization, focus on usability because the feature lists are likely to look very similar. For usability, factor in not only the end-user perspective but also the ease of implementation, integration, and administration, particularly as BCM vendors continue to expand their offerings in real-time incident management and overall resilience planning (e.g. crisis management, operational resilience planning, and so on). With greater complexity comes greater need for usability. Vendor support to streamline implementation (including customizations), integrations, and administration is also critical, but harder to determine from a vendor’s response to an RFP or a demo. The Net Emotional Footprint in our SoftwareReviews reports can provide an indicator of what to expect, and drive questions to ask prospective vendors beyond feature considerations. Finally, usability is subjective. Use our SoftwareReviews scores as a guide to help shortlist vendors, but ultimately you need to see these products and ensure they meet your specific requirements. Usability in specific areas critical to your goals can tip the balance. |
|
Frank Trovato |
Executive Summary
|
Your Challenge |
Common Obstacles |
Info-Tech’s Solution |
|---|---|---|
|
|
This trends and buyers guide will help you:
|
Info-Tech Insight
All leading vendors in this space offer the same core features, so focus on usability, price, and differences in key features that are most relevant to your requirements.
Info-Tech’s methodology for selecting an appropriate BCM solution
| 1. Understand BCM Software Capabilities and Trends | 2. Define Your Requirements |
3. Select Your Vendor |
|
|---|---|---|---|
|
Phase Steps |
|
|
|
|
Phase Outcomes |
|
|
|
Combine this research with our Rapid Application Selection Framework (RASF) to accelerate the process
Book a call with an analyst to help you with your software selection:
- Combine expert analyst guidance with the vendor analysis and tools in this blueprint.
- Follow a structured, efficient process using the RASF framework to identify your use cases and key requirements to find the best fit.
- Leverage our contract review services to level the playing field through the negotiation process.
Evaluate solutions
Determine the best fit for your needs by scoring against features.
Features
Determine which features will be key to your success.
Use Cases
Create use cases to ensure your needs are met as you evaluate features.
High-Level Requirements
Use the high-level requirements to determine use cases and shortlist vendors.
CLICK HERE to book your Selection Engagement
Phase 1
Understand BCM Software Capabilities and Trends
|
Phase 1 |
Phase 2 |
Phase 3 |
|---|---|---|
|
1.1 Define BCM software 1.2 Review table stakes & differentiating capabilities 1.3 Explore BCM market trends |
2.1 Streamline requirements gathering 2.2 Build your vendor evaluation workbook |
3.1 Discover key players in the BCM software landscape 3.2 Make your selection 3.3 Prepare for implementation |
This phase will walk you through the following activities:
- Level set an understanding of what is BCM software.
- Define which BCM software features are table stakes (standard) and which are key differentiating functionalities.
- Review key trends in the BCM software market.
This phase involves the following participants:
- Business continuity manager (or whoever is taking on that role, if not a full-time role).
- GRC representative. The BCM solution will support overall GRC efforts.
- Other stakeholders who will be responsible for creating or maintaining BCM-related plans (e.g. IT DRP, BCP, Crisis Management Plan).
What exactly is BCM software?
BCM software supports the development and maintenance of an organization's BCP and related resilience plans. This includes features to facilitate core activities such as identifying business processes and dependencies, executing a BIA, and documenting incident response plans.
BCM software typically can be used to develop, maintain, and/or support a wide range of resilience plans and related objectives including, but not limited to:
- Business Continuity Plan (BCP)
- IT Disaster Recovery Plan (DRP)
- Emergency Response Plans (ERP)
- Crisis Management Plans (CMP)
- Governance, Risk, and Compliance (GRC)
Info-Tech Insight
BCM software offerings continue to expand, and the wide range of capabilities and types of plans they support can be overwhelming. Look for options to simplify the experience (e.g. entry-level software package or the ability to customize views to hide content that is not yet applicable) until you are ready to take full advantage of the solution.
BCM software table stakes
Effective BCM solutions streamline the development and maintenance of your BCP and related plans (e.g. DRP, crisis management). That starts with these core features:
|
Business Process Dependency Identification |
IT System Dependency Identification |
Business Impact Analysis |
Incident Response Planning |
Plan Management |
|---|---|---|---|---|
|
Records business processes and their dependencies. This informs incident response plans for business disruptions and supports more advanced features to visually identify business operations affected by an incident. |
Records IT applications/ systems and their dependencies. This informs incident response plans for system recovery and supports more advanced features to visually identify systems affected by an incident. |
Gathers input from a wide range of stakeholders to estimate impact of a business disruption. Uses that analysis to prioritize business processes and IT systems and define acceptable recovery timelines. |
Documents the steps from detection/notification onward to recover from a critical IT and/or business disruption. |
Identifies and monitors tasks to be completed by all stakeholders to create and maintain your BCP and related plans. This includes automated reminders to stakeholders and reporting plan completion status. |
Beyond table stakes
This is a mature market. Most leading vendors have these same features, but the usability and effectiveness can vary.
Incident Response Management
Facilitates response by identifying affected systems/business processes, relevant plans, and recovery status.
Visual Representation
Illustrates response workflows, dependency mapping, incident impact, etc.
Interface Customization
Customizes input forms, field labels, menu items, etc.
Role-Based Access and Views
Customizes views based on role to improve usability (only see what you need) and manage data security.
Data Encryption
Encrypts data in-flight (i.e. while it's being uploaded/entered) and at rest (after it's uploaded/entered).
Compliance Reporting
Creates predefined reports for common BCM standards (e.g. ISO 22301) and customizable reports to align with other standards.
Vendor Security Compliance
Complies with security standards such as FEDRAMP and SOC2
Integrations to facilitate automation
Seamless integrations to import data such as contact information and system dependencies streamline implementation and ongoing plan maintenance.
GRC Integration
Shares common information between your BCM tool and your overall GRC solution to streamline plan development and reporting.
Customized Integrations
Ensures flexibility to integrate with a wide range of products and not be limited to product-specific connectors.
Mass Notification Capability
Customizes mass notification to relevant groups (e.g. leadership, IT, users) via built-in capabilities or integration with EMNS products.
Roles and Users Information Management
Leverages HRIS, AD, or related systems to pre-populate and maintain user lists, contact info, department, location, etc.
ITSM Integration – Source Data
Leverages ITSM tools to identify systems and dependencies.
ITSM Integration – Critical Incident Management
Enables ITSM tool to leverage your BCM tool to coordinate and manage response (e.g. targeted notifications, incident tracking).
DR Orchestration Software Integration
Ensures alignment of system criticality, RTOs, and RPOs between the BCM tool and DR orchestration software.
Key trend – Operational resilience (OpRes)
OpRes planning improves day-to-day resilience for critical services as opposed to only preparing for traditional large-scale disruptions.
|
OpRes depends on better understanding the dependencies and risks for individual critical services to better prepare appropriate incident response plans at the critical service level as well as for the overall organization. This includes being able to better coordinate related plans to focus on resumption of critical services – for example, to ensure business workarounds and security incident response plans are better aligned. UK Financial Services are already subject to OpRes regulations, and other countries around the world have followed suit or are preparing to do so. BCM vendors have specifically added “Operational Resilience” modules to their software suite to address this need. This includes enabling organizations to: Identify critical services, related dependencies, and risks at a more granular level (including internal and external risks). Identify opportunities to proactively mitigate risks to critical services. Incorporate specific requirements outlined by relevant regulations (e.g. “Impact Tolerance” in addition to the traditional measures such as RTOs/RPOs). |
"[OpRes] extends beyond business continuity and disaster recovery. Financial firms and FMIs must have robust plans in place to deliver essential services, no matter what the cause of the disruption. This includes man-made threats such as physical and cyber attacks, IT system outages and third-party supplier failure. And it also includes natural hazards such as fire, flood, severe weather and pandemic." Source: Bank of England, 2023 |
Future trend – AI streamlining BCM efforts
Organizations across all industries are scrambling to understand the potential and risks of AI, especially generative AI. The BCM market is no different. Examples of potential enhancements that we expect will be (or already are) part of BCM product roadmaps include:
- Generate plan summaries: A common challenge for BCM tools is generating a prose-style summary of the massive amount of data and planning captured within the tool, as opposed to provide what appears to be a database dump. AI is a potential solution to create a BCP summary aimed at executives, third-parties, and auditors to provide a high-level, concise, and readable summary of the current state of your BCM program.
- Generate recovery procedures: Similar to the above, leverage information in the tool (e.g. systems and dependencies) and from related sources to generate draft recovery procedures.
- Automate plan updates (beyond the basics): Existing automation will maintain contact and dependency information. AI or automation improvements can potentially identify more significant updates due to new service offerings, organizational changes, network changes, and so on.
Risks:
- Data security: Using third-party tools (e.g. ChatGPT) can expose your data. BCM vendors are addressing this by building their own AI solutions to enable control over data usage.
- Inaccuracies: AI is only as good as the data it can access and how it interprets that data. AI potentially provides a starting point to create draft content that still needs to be reviewed.
- AI treated as a silver bullet: Similar to the above, AI has the potential to streamline BCM efforts, not replace foundational BCM practices that ensure an effective and accurate overall BCM program.
A BCM solution supports a sound BCM process; it does not replace it
There are many BCM process frameworks; at its core, it comes down to these three activities – with governance oversight and support by relevant technology (which can include a BCM solution):
- Define Requirements: Determine scope (business functions, locations, legal and regulatory requirements, etc.), recovery targets (e.g. RTOs, RPOs), and relevant organizational objectives.
- Implement: Create and implement incident response strategies, including people, process, and technology considerations.
- Maintain: Review and update requirements; test and update solutions; maintain governance oversight to keep the BCM program current and aligned with organizational objectives.
Phase 2
Define Your Requirements
Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
1.1 Define BCM software 1.2 Review table stakes & differentiating capabilities 1.3 Explore BCM market trends | 2.1 Streamline requirements gathering 2.2 Build your vendor evaluation workbook | 3.1 Discover key players in the BCM software landscape 3.2 Make your selection 3.3 Prepare for implementation |
This phase will walk you through the following activities:
- Identify requirements, with a focus on use cases to drive practical evaluation of prospective vendors.
- Complete the BCM Vendor Evaluation Workbook to document your requirements to support your evaluation process. This workbook can be used as a supplement to your RFP to drive detailed responses relevant to your requirements.
This phase involves the following participants:
- Business continuity manager (or whoever is taking on that role, if not a full-time role).
- GRC representative. The BCM solution will support overall GRC efforts.
- Other stakeholders who will be responsible for creating or maintaining BCM-related plans (e.g. IT DRP, BCP, Crisis Management Plan).
Elicit and prioritize requirements for your BCM solution
Understanding business needs through requirements gathering is key to defining everything about what is being purchased, yet it is an area where people often make critical mistakes.
|
Signs of poorly scoped requirements |
Best practices |
|---|---|
|
|
Info-Tech Insight
Review Info-Tech’s requirements gathering methodology to improve your requirements gathering process.
Activity: Complete the vendor evaluation workbook
- Review each tab of Info-Tech’s BCM Vendor Evaluation Workbook to ensure you have a good understanding of the different areas of evaluation.
- As a team, collaborate to identify relevant use cases, technical requirements, qualifications, and implementation deliverables.
- Modify the example criteria to suit your requirements. This would include adding, changing, and/or deleting criteria where appropriate for your needs.
Note: After you finalize the criteria in the workbook, you can choose to send the workbook to vendors to provide their responses or use your RFP and/or demos to collect the required information to complete the vendor responses.
Download the BCM Vendor Evaluation Workbook
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
Choose your route: RFP or otherwise?
As you gather requirements, decide which procurement route best suits your situation.
|
RFI (Request for Information) |
RFQ (Request for Quotation) |
RFP (Request for Proposal) |
|
|---|---|---|---|
|
Purpose and Usage |
Gather information about products/services when you know little about what’s available. Often followed by an RFP. |
Solicit pricing and delivery information for products/services with clearly defined requirements. Best for standard or commodity products/services. |
Solicit formal proposals from vendors to conduct an evaluation and selection process. Formal and fair process; identical for each participating vendor. |
|
Level of Intent |
Fact-finding – there is no commitment to engage the vendor. Vendors are often reluctant to provide quotes. |
Committed to procure a specific product/service at the lowest price. |
Intent to buy the products/services in the RFP. Business case/approval to spend is already obtained. |
|
Level of Detail |
High-level requirements and business goals. |
Detailed specifications of what products/services are needed. Detailed contract and delivery terms. |
Detailed business requirements and objectives. Standard questions and contract term requests for all vendors. |
|
Response |
Generalized response with high-level product/services. Sometimes standard pricing quote. |
Price quote and confirmation of ability to fulfill desired terms. |
Detailed solution description, delivery approach, customized price quote, and additional requested information. Product demo and/or hands-on trial. |
Phase 3
Select Your Vendor
Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
1.1 Define BCM software 1.2 Review table stakes & differentiating capabilities 1.3 Explore BCM market trends | 2.1 Streamline requirements gathering 2.2 Build your vendor evaluation workbook | 3.1 Discover key players in the BCM software landscape 3.2 Make your selection 3.3 Prepare for implementation |
This phase will walk you through the following activities:
- Review profiles of leading BCM software vendors, including representative customers, vendor history, and analyst insights.
- Follow a structured, efficient process to evaluate vendors to find the best fit.
This phase involves the following participants:
- Business continuity manager (or whoever is taking on that role, if not a full-time role).
- GRC representative. The BCM solution will support overall GRC efforts.
- Other stakeholders who will be responsible for creating or maintaining BCM-related plans (e.g. IT DRP, BCP, Crisis Management Plan).
Discover key players through our SoftwareReviews rankings and reports
|
The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions. Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform. |
|
The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions. Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution. |
Leading BCM Solutions
Product summaries driven by SoftwareReviews and analyst insights.
The vendors profiled in this section are listed below, in order of their SoftwareReviews ranking as of November 2023.
|
Vendor |
Product |
Rank (as of November 2023) |
|---|---|---|
|
Premier Continuum Inc. |
ParaSolution |
1 |
|
Controllit AG |
[alive-IT] |
2 |
|
CLDigital |
CLDigital 360 |
3 |
|
Fusion Risk Management |
Fusion Framework System |
4 |
|
Riskonnect |
Riskonnect BCM |
5 |
This is a mature market, which makes for a crowded leaderboard. Although some products rank higher than others, all the products profiled in this report are among the leaders in this market and are worthy of consideration. The key is to find the right fit for your requirements.
Also note that this is not an exhaustive list. Several well-known vendors such as Archer and Quantivate are not listed here due to insufficient recent reviews to make a fair comparison.
Use the profiles in this section along with our BCM SoftwareReviews reports to help you determine the best fit.
For the latest scores as well as the downloadable category and product reports, please see SoftwareReviews' BCM category.
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Talk to an Analyst
Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.
Book an Analyst Call on This Topic
You can start as early as tomorrow morning. Our analysts will explain the process during your first call.
Get Advice From a Subject Matter Expert
Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.
Unlock Sample Research
What is a right-sized disaster recovery plan?
Develop a Business Continuity Plan
Mitigate the Risk of Cloud Downtime and Data Loss
Ensure DRP and BCP Compliance With Industry Standards
Select the Optimal Disaster Recovery Deployment Model
Take a Realistic Approach to Disaster Recovery Testing
Implement Crisis Management Best Practices
Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
Document and Maintain Your Disaster Recovery Plan
First 30 Days Pandemic Response Plan
10 Secrets for Successful Disaster Recovery in the Cloud
Develop a COVID-19 Pandemic Response Plan
Reinforce End-User Security Awareness During Your COVID-19 Response
Execute an Emergency Remote Work Plan
Prepare Your Organization to Successfully Embrace the “New Normal”
Responsibly Resume IT Operations in the Office
Tech Trend Update: If Contact Tracing Then Distributed Trust
Microsoft Teams Cookbook
Business Continuity Management Software Selection Guide
Maintain Continuity in a Power Outage