Business Continuity Management

BCP/DR planning, risk assessment, testing, incident response

View the interactive project page →

Business Continuity Management

Part of the worlds-biggest-software-project initiative.

An AI-native platform for the full business continuity lifecycle -- from risk assessment and impact analysis through plan authoring, exercise management, and real-time incident response.

Business Continuity Management (BCM) is a platform that replaces static, document-driven BCP/DR processes with a structured, always-accessible system covering every phase of organisational resilience. It is built for continuity practitioners, risk managers, and operations leaders who need plans that stay current, exercises that actually run, and an incident command interface that works under pressure. The project targets the gap between expensive, closed enterprise platforms and the spreadsheets and SharePoint sites most organisations still rely on.


Why Business Continuity Management?

  • Plans rot in documents. Most organisations maintain BCP/DR plans in Word documents or SharePoint that go stale within months as org structures, technology stacks, and supplier relationships change. No incumbent fully automates plan currency from live system data.
  • Testing is too rare. Tabletop exercises and DR drills are infrequent because scheduling, execution, and follow-up are manual. Platforms like Castellan and Quantivate offer exercise modules, but friction remains high enough that most organisations test far less than standards recommend.
  • RTO/RPO targets are untested assumptions. Current tools capture recovery objectives during BIA workshops but do not validate them against actual exercise results, leaving dangerous gaps hidden until a real incident.
  • Vendor lock-in and cost barriers. Every major BCM platform (Archer, ServiceNow BCM, Fusion, MetricStream) is proprietary SaaS with quote-only pricing, no published open API standards, and total cost of ownership that excludes SMEs entirely.
  • AI opportunity is untapped. Incumbents use static wizard templates for plan authoring. None offer AI-driven dependency discovery, plan gap detection, scenario generation, or automated regulatory change monitoring.

Key Features

Business Impact Analysis

  • Structured BIA with RTO/RPO capture, criticality scoring, and department/process hierarchy
  • Risk register with likelihood/impact scoring and heat maps, linked directly to BIA outcomes
  • Dependency mapping across processes, resources, technology, and suppliers
  • AI-assisted continuous recalculation of criticality scores as organisational data changes

Plan Authoring and Management

  • Rich-text recovery plan builder with version history, approval workflows, and one-click activation
  • AI-guided plan gap detection comparing plan content against risk register, CMDB, and regulatory checklists
  • Automated review reminders and plan currency checks triggered by dependency changes
  • ISO 22301 compliance dashboard with maturity assessment and gap indicators

Exercise and Testing

  • Tabletop exercise scheduling, execution tracking, participation logging, and after-action report generation
  • AI-generated disruption scenarios tailored to the organisation's industry, geography, and threat landscape
  • RTO/RPO validation comparing planned recovery objectives against actual exercise results
  • Post-exercise gap logging with direct linkage to plan amendment workflows

Incident Activation and Crisis Command

  • Real-time incident activation portal with task assignment, status dashboard, and communication log
  • Mass notification integration across email, SMS, Teams, and Slack channels
  • Crisis command interface surfacing relevant plan sections and communication templates during active incidents
  • Post-incident learning loop extracting lessons from incident logs and suggesting plan amendments

Compliance and Reporting

  • ISO 22301, NIST, DORA, and FFIEC compliance reporting packs
  • Audit trail and evidence management for regulatory examinations
  • Regulatory change monitor alerting when new guidance affects active plans
  • Role-based dashboards for practitioners, approvers, and executive stakeholders

AI-Native Advantage

Unlike incumbent platforms that rely on static templates and manual surveys, this project uses AI across the entire BCM lifecycle. ML models over CMDB, network flow, and procurement data propose dependency maps without manual entry. LLM-based analysis detects gaps in plan content by cross-referencing risk registers, infrastructure records, and regulatory requirements. AI generates realistic exercise scenarios calibrated to the organisation's specific threat profile, and NLP over incident logs extracts recurring themes to drive continuous plan improvement. These capabilities transform BCM from a periodic compliance exercise into a continuously adaptive resilience system.


Tech Stack & Deployment

The platform targets cloud-first deployment with self-hosted and hybrid options for regulated industries. Integration with enterprise data sources (CMDB, HRMS, procurement systems) via REST APIs enables automated dependency maintenance. Authentication supports SSO/SAML 2.0 for enterprise identity management. Notification channels integrate with Microsoft Teams, Slack, email, and SMS providers. A public OpenAPI specification and webhook framework are planned to address the vendor lock-in problem that defines the current market. Mobile access with offline plan availability is targeted for field incident response.


Market Context

The BCM platform market is an active Gartner-reviewed category with strong demand driven by increasing regulatory requirements (DORA in the EU, FFIEC in the US) and rising disruption frequency from cyber, climate, and supply chain events. Incumbent pricing is exclusively quote-based and oriented toward large enterprises, with platforms like Archer, ServiceNow BCM, and MetricStream carrying significant implementation and licensing costs that place them out of reach for SMEs. Primary buyers are business continuity managers, risk and compliance officers, and CISOs in financial services, healthcare, critical infrastructure, and government sectors.


Project Status

This project is in the research and specification phase.
Contributions, feedback, and domain expertise are welcome.


Contributing

We welcome contributions from developers, domain experts, and potential users. See CONTRIBUTING.md for guidelines.

Important: All contributions must be your own original work or clearly attributed open-source material with a compatible licence. Copyright infringement and licence violations will not be tolerated and will result in immediate removal of the offending contribution. If you are unsure whether a piece of code, text, or other material is safe to contribute, open an issue and ask before submitting.


Licence

Licence to be determined. See discussion for context.