BUSINESS CONTINUITY MANAGEMENT BETH3 (BUILDING, EQUIPMENT, TECHNOLOGY, HUMAN RESOURCES AND 3RD PARTY): A CONCEPTUAL FRAMEWORK IN BANKING SECTOR

 

Arief Hadiwibowo1, Aditya Pranata Ganda Dimulya2, Gabriela Arum Handayani3, Tantowi Jauhari4, Dewi Hanggraeni5

University of Indonesia1,2,3,4, University of Indonesia & University of Pertamina, Indonesia5

[email protected]1,[email protected]2, [email protected]3, [email protected]4, [email protected]5

 

ARTICLE INFO

ABSTRACT

Keywords: Business Continuity Management

Risk Management.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

This study analyzes the challenges of Business Continuity Management (BCM) for the banking sector, especially conventional commercial banks in facing various operational challenges. BCM serves as a framework to help minimize the impact of disruption on the banking sector in the face of risks such as natural disasters, pandemics, and cyberattacks. The methods used include Business Impact Analysis (BIA), development of recovery strategies, and implementation of sustainable mitigation measures with the implementation of the BETH3� framework and international standards such as ISO 22301, so as to provide systematic guidance in identifying critical assets and designing integrated mitigation measures, which include building elements, equipment, technology, human resources, and third parties in the bank Conventional. The results of the study show that BCM not only allows the banking sector to survive and adapt to the crisis, but also accelerates operational recovery. With a focus on continuous improvement, the implementation of the BETH3� framework in BCM can prepare the Bank to face challenges more prepared and adaptive. The need for stronger collaboration with external parties, such as regulators and technology providers, as well as the importance of regular training for employees to ensure readiness to deal with crisis situations. Thus, the banking sector can be better prepared to face challenges and maintain competitiveness in a dynamic market.

 

 

 

INTRODUCTION

Risk is an inseparable part of every business activity in the decision-making process (Alekseev et al., 2023). As in the banking business, of course, it contains various risks inherent in every activity and decision-making. Various kinds of risks faced in the banking sector, ranging from credit, operational, market, legal, reputational risks, etc. that can come from internal industries and external factors (Ghosh, 2012).

In the context of increasingly complex globalization, the banking sector faces various challenges that can threaten their operational continuity. These threats include natural disasters, cyberattacks, and economic crises that can disrupt services to customers and damage the organization's reputation (Bylund & McCaffrey, 2017). Previous research has shown that companies in the banking sector that do not have an effective risk mitigation strategy are at risk of significant losses, both financially and reputationally (Zsidisin & Ritchie, 2008). Therefore, it is important for financial institutions to adopt a systematic approach to managing risk and ensuring operational continuity.

Strict regulations from supervisory authorities, such as the Financial Services Authority (OJK) in Indonesia, further emphasize the importance of Business Continuity Management (BCM) in the financial industry. Banking (dhi. Conventional Commercial Banks) are required to have an effective BCM plan as part of compliance with applicable regulations (OJK, 2016). This shows that BCM is not just a best practice, but also a must to maintain stability and public trust.

Business Continuity Management (BCM) is a systematic approach designed to ensure the operational continuity of an organization in the face of various threats and disruptions. According to ISO 22301:2019, BCM includes the planning, management, and recovery processes necessary to protect and restore critical business functions (ISO, 2019). The basic concepts of BCM focus on risk identification, impact analysis, and the development of effective recovery strategies.

BCM not only serves as a risk mitigation tool, but also as a framework that assists organizations in building resilience. This includes the development of a culture of risk awareness at all levels of the organization, as well as the involvement of top management in the planning and implementation process (Herbane, 2010). As such, BCM becomes an integral part of a broader risk management strategy, which aims to protect the organization's assets, reputation, and sustainability.

Banking operates in a highly dynamic environment and is vulnerable to a wide range of risks, including operational risk, market risk, and reputational risk. In this context, BCM has become very important to ensure that financial services can continue to operate despite disruptions (Bylund & McCaffrey, 2017). Research shows that financial institutions that have a well-thought-out BCM plan can reduce the impact of the crisis and increase customer confidence (Zsidisin & Ritchie, 2008).

This shows that BCM is not just a best practice, but also a must for the banking sector to maintain stability and public trust. The BCM process can be divided into several stages that make up the BCM lifecycle (BCM Lifecycle).

 

These stages include:

1.      Business Impact Analysis (BIA): This stage aims to identify critical business functions and analyze the impact of disruption on those functions. BIA assists organizations in determining recovery priorities and necessary resources (Farnham, 2015).

2.      Risk Assessment: At this stage, the organization identifies and analyzes the risks that may be faced. Risk assessment includes an evaluation of the likelihood of a threat and its impact on business operations (Solutions, 2017).

3.      Recovery Strategy Development: After conducting BIA and risk assessment, organizations need to develop an effective recovery strategy. This strategy must include a clear plan of action to restore disrupted business functions (Hiles, 2010).

4.      Implementation and Testing: This stage involves implementing a BCM plan and testing to ensure that the plan can be implemented effectively. Periodic testing is essential to evaluate the readiness of organizations in dealing with disruptions (Pettit et al., 2010).

5.      Maintenance and Continuous Improvement: BCM is an ongoing process. Organizations need to regularly review and update their BCM plans to ensure that they remain relevant and effective in the face of changing threats (Bylund & McCaffrey, 2017).

This study aims to explore the concept of BCM BETH3� as a framework that can be applied in financial institutions. Through an in-depth analysis of the definition, context, and life cycle of BCM, it is hoped that this research can provide valuable insights for practitioners and academics in developing more effective and sustainable BCM strategies.

 

Research Methods

The research methodology in this journal includes business impact analysis (BIA), development of recovery strategies, and implementation of sustainable mitigation measures with the application of the BETH3� framework and international standards such as ISO 22301, so as to provide systematic guidance in identifying critical assets and designing integrated mitigation measures, which include building elements, equipment, technology, human resources, and third parties in conventional banks.

(Yin, 2009) explained that case studies can be an effective method in exploring the implementation of BCM in various sectors. This study will examine case studies in the banking sector to analyze the challenges faced and how the BETH3� framework can help companies in the banking sector practice BCM implementation in dealing with risks and disruptions both from within and outside the company.

 

Results and Discussion

This journal aims to show that Business Continuity Management (BCM) is the key to construction that helps companies in the banking sector to be able to survive, adapt and recover quickly (recovery) from crisis situations and events that disrupt business operations. With the formulation and use of a systematic framework, BCM can help the Bank to prepare itself to overcome potential disruptions, so that business operations can be maintained and can continue to provide services to customers. Especially in times of global uncertainty such as the pandemic, climate change and cyber security threats in the current digital era (Nurlaili, 2023).

Conventional commercial banks are one of the key players in the financial industry in every country, which of course has a vital role and plays a role in supporting the country's economic growth. With its intermediary function, funds that have been successfully collected from the community will be channeled to productive sectors of various scales (industry, trade and services) that can encourage the growth of a country's economy. With this vital function, the implementation of BCM is very important to be applied in the institution to survive various threats and disturbances that can disrupt business operations.

BCM will provide a guide on how a Bank can prepare and plan strategies to maintain business continuity over the risk of disruption that occurs, so that it continues to run according to its functions, both during the disruption and after the disruption occurs (Yani et al., 2025). The Basel Committee on Banking Supervision (BCBS) has also implicitly provided principles in supporting the implementation of BCM in the financial industry, for example as stated in Basel III regarding capital adequacy (minimum fixed CAR of 8% with the addition of buffer obligations) and minimum liquidity ratio requirements (LCR & NSFR). This provision can be interpreted as an incentive for financial services institutions to have a strong recovery plan with high capital and liquidity if there are disruptions that have an impact on business operations.

In addition, the implementation of BCM is also guided through an international standard, namely ISO 22301 which focuses on business continuity. These international standards encourage the implementation of risk mitigation and regulatory compliance to increase customer trust and increase their competitive advantage. ISO 22301 was first published in 2012 with the last revision in 2019 known as ISO 22301:2019 with a stronger and more systematic risk-based approach, the result of the integration of other management system standards such as ISO 9001 and ISO 27001 (source: https://rwi.co.id/iso-22301/ ). This standard has been adopted and published by the Indonesian government through the National Standardization Agency (BSN) under the name SNI ISO 22301:2019 on safety and resilience � business continuity management system � requirements.

In addition to the standards in the implementation of BCM above, in the financial industry in Indonesia itself there are several regulations that encourage the implementation of BCM in Conventional Banks, namely:�

 

Table 1 regulations that encourage the implementation of BCM in Conventional Banks

 

It

Regulation

Condition Points

1

POJK No. 1/POJK.05/2015

Implementation of Risk Management for Non-Bank Financial Services Institutions

2

POJK No. 18/POJK.03/2016

Application of Risk Management for Commercial Banks

3

Law No. 4 of 2023

Development and Strengthening of the Financial Sector (PPSK Law)

4

POJK No. 5 of 2024

Determination of the Status of Supervision and Handling of Commercial Bank Problems.

�

This POJK contains 4 (four) main provision topics, namely related to the determination of systemic banks and capital surcharges, recovery action plans (recovery plans), determination of the status and follow-up of bank supervision, and intermediary banks.

Source: data processing results, 2024

 

The BETH3� framework also complements the implementation of BCM implementation in an organization or company. BETH3� is a framework developed by The Business Continuity Institute from the UK that summarizes the types of assets that can be affected by disasters and ultimately interfere with the ability to carry out certain business processes. This framework consists of several elements, namely:

a.       Building or building, Physical infrastructure that supports business operations. The existence of alternative locations and adequate facilities is essential to ensure that operations can continue despite disruptions at key locations (Hiles, 2010).

b.      Equipment or Equipment required to carry out business operations. It includes hardware and software that support critical functions. Regular maintenance and testing of equipment is essential to ensure that all systems are functioning properly when needed (Bylund & McCaffrey, 2017).

c.       Technology (IT Hardware/Software/Infrastructure), information technology that supports business operations. In the digital age, reliance on technology is increasing, so it is important to have a recovery plan that includes data recovery and IT systems (Zsidisin & Ritchie, 2008).

d.      Human Resources or Human Resources who are trained and ready to deal with emergency situations. Training and awareness of the importance of BCM among employees is essential to ensure that everyone knows their role in crisis situations (Pettit et al., 2010).

e.       3rd parties or third parties that contribute to business operations, such as vendors and service providers. Good cooperation with third parties is essential to ensure that all aspects of BCM can be implemented effectively (Solutions, 2017).

In its implementation, the BETH3� BCM framework is divided into 3 (three) stages, namely analysis, development and implementation. In the BCM cycle in the banking sector, the implementation of this framework is based on the concept of continuous improvement to provide space and monitor the initiatives implemented to continue to develop and be updated according to the needs and business dynamics of the industry. In the first stage of the cycle, namely the analysis, there are 3 (three) points with each explanation as follows (Sarabacha, 2008):

a.       Current State Assessment, which is to assess the current condition of the company. This aims to provide an overview of the current conditions in the management of BCM in a bank, as well as an in-depth understanding of existing business processes, ranging from infrastructure, equipment, technology, human resources and dependence on third parties.

b.      Risk Threat Assessment, which is the process of identifying and measuring various risks that can disrupt business operations. These risks can come from both inside and outside the industry, such as natural disasters, cyberattacks, or system failures.

c.            Business Impact Analysis, an activity to determine the business impact that may occur if a risk becomes a reality. Identify the criticality of a business service, work unit and application for the business continuity of a financial institution in the event of a disruption. This analysis will help determine priorities in developing the BCM plan.

�

Furthermore, in the second phase of the cycle, namely development or development, there are also 3 (three) main points, namely (Sarabacha, 2008):�

a.      Validation, which is the selection of recovery strategy options for a service, work unit or application by considering the speed of recovery time and inherent risks during the recovery process. This aims to ensure that the plan that has been developed is in accordance with the objectives of BCM and can be implemented effectively.

b.      Recovery Strategy, the development of a strategy with the most appropriate approach to ensure the availability and recovery of critical assets, data, and services over a certain period of time.

c.            Incident Management Plan, is an effort to develop procedures and activities that must be carried out to implement the BCM plan, including:�

1.      Crisis Management Plan (CMP), which is a comprehensive guide that contains systematic steps taken in emergency or crisis situations. In the context of banking, CMP covers various crisis scenarios such as cyber security, natural disasters, and operational failures. The objectives of this CMP itself are 4 (four), namely preventing or minimizing the impact of the crisis, preparing the necessary resources in dealing with the crisis, controlling the situation and coordinating accurate information to related parties, and restoring business operations as quickly as possible.

2.      Emergency Responses, is an immediate action that must be taken to overcome the existing crisis situation by activating the emergency response team, sending accurate and timely information to all relevant parties, minimizing the negative impact of the crisis (protecting physical and digital assets), and increasing the level of response (escalation) if the situation worsens.

3.      Business Continuity, is the ability of financial institutions to continue operating or recover quickly after a crisis situation. Business continuity covers the entire life cycle of a business, from risk identification, business impact analysis, planning development, exercise & stress test, to post-crisis recovery monitoring and evaluation.

4.      IT Disaster Recovery, focuses on the recovery of information technology systems after a crisis situation which includes data backup, system recovery and testing.

Furthermore, in the third stage cycle, namely implementation, there are 3 (three) main point quantities, namely (Sarabacha, 2008):�

a.       Resource Acquisition & Implementation, the process of identifying and managing, acquiring in providing the necessary resources to execute the BCM plan, such as budget, personnel, equipment and technology.

b.      Training & awareness, conducting training for all personnel involved in the implementation of BCM to increase their ability and awareness of the implementation of BCM.

c.            Exercising/Testing, ensuring the readiness of continuity plans in responding to crisis conditions by conducting periodic trials to ensure that the BCM plan is still relevant and effective. Then evaluate the employee's understanding of duties and responsibilities when facing crisis conditions.

The entire described cycle will be repeated to create continuous improvement so that it can be adjusted to the needs and business dynamics of the banking industry.

 

Conclusion

Frameworks such as BETH3� and the international standard ISO 22301 provide important guidance in identifying critical assets and designing integrated mitigation measures. This is also supported by regulations such as POJK, which requires implementing BCM to increase financial institutions' resilience. By integrating BCM into risk management strategies, financial institutions can be better prepared to face global challenges such as pandemics, natural disasters, or technology risks. The implementation of BCM provides significant benefits, ranging from increasing customer trust and strengthening reputation in the market to ensuring competitiveness in the midst of a dynamic business environment. To increase the effectiveness of BCM, financial institutions need to strengthen collaboration with external parties, such as regulators and technology providers, and ensure regular employee training. That way, companies can face internal and external challenges more prepared, adapt to technological changes, and maintain operational sustainability more efficiently.

 

References

 

Alekseev, A., Mingaleva, Z., Alekseeva, I., Lobova, E., Oksman, A., & Mitrofanov, A. (2023). Developing a Numerical Method of Risk Management Taking into Account the Decision-Maker�s Subjective Attitude towards Multifactorial Risks. Computation, 11(7), 132.

Bylund, P. L., & McCaffrey, M. (2017). A theory of entrepreneurship and institutional uncertainty. Journal of Business Venturing, 32(5), 461�475.

Farnham, D. (2015). Human resource management in context: Insights, strategy and solutions. Kogan Page Publishers.

Ghosh, A. (2012). Managing risks in commercial and retail banking. John Wiley & Sons.

Herbane, B. (2010). The evolution of business continuity management: A historical review of practices and drivers. Business History, 52(6), 978�1002.

Hiles, A. (2010). The definitive handbook of business continuity management. John Wiley & Sons.

Nurlaili, N. (2023). What are the challenges of the Indonesian halāl industry in the 5.0 era? Tirtayasa Ekonomika, 18(1), 23�41.

OJK. (2016). Financial Services Authority Regulation Number 38/POJK.03/2016 concerning Risk Management for Commercial Banks.

Pettit, T. J., Fiksel, J., & Croxton, K. L. (2010). Ensuring supply chain resilience: development of a conceptual framework. Journal of Business Logistics, 31(1), 1�21.

Sarabacha, D. M. (2008). Simplifying the BCM Strategy Selection Process. (Presentation).

Solutions, A. O. N. R. (2017). Global Risk Management Survey�Executive Summary. Aon Plc (NYSE: AON): London, UK.

Yani, M. F., Muhdiantini, C., & Aini, S. N. (2025). Risk Management in Financial Technology: A Systematic Literature Review to Support Sustainability and Security of Digital Financial Services. SITEKNIK: Information Systems, Engineering and Applied Technology, 2(1), 149�158.

Yin, R. K. (2009). Case study research: Design and methods (Vol. 5). sage.

Zsidisin, G. A., & Ritchie, B. (2008). Supply chain risk: a handbook of assessment, management, and performance (Vol. 124). Springer Science & Business Media.

 

� 2025 by the authors. Submitted for possible open access publication under the terms and conditions of the Creative Commons Attribution (CC BY SA) license (https://creativecommons.org/licenses/by-sa/4.0/)