Risk Assessment or Business Impact Analysis: What Comes First?

What Comes First? RA or BIA

Over the past few years, I have been asked this question many times and have noticed the many discussions among professionals about whether one should conduct the Risk Assessment (RA) or the Business Impact Analysis (BIA) first when going through the BCM planning methodology. Often, these discussions are long and end in hasty conclusions. They are rife with inconsistencies, misconceptions, and opposing viewpoints that result not necessarily from any error on the professional’s part, but from the conflicting national Business Continuity Management (BCM) standards that each practitioner subscribes to. I would like to shed some light on some of these inconsistencies and misconceptions, as well as offer my thoughts on the RA versus BIA discussion itself.

The Risk Assessment and Business Impact Analysis are fundamental components in developing an effective BCM framework in an organisation. However, there has been much confusion about the difference between the two phases, and which should come first has long been debated. To determine the appropriate sequence, we must first understand the objectives and expected deliverables of each phase.

Getting definitions out of the way

I would like to start by saying that Risk Assessment (RA) and Business Impact Analysis (BIA) are not the same thing. They have gradually come to be used interchangeably, as if they were similar processes. This is not only incorrect; failing to identify the distinct features of each process can prove detrimental to your organization’s business continuity. The detailed definitions can be found in BCMPedia.

Risk Assessment

[Figure: RA Deliverables]

Risk Assessment (RA) is the process of identifying internal and external threats and vulnerabilities, identifying the likelihood and impact of an event arising from such threats or vulnerabilities, defining the controls in place or necessary to reduce exposure, and evaluating the cost of such controls.

Risk Assessment is a phase within the BCM planning process. It is the overall process of risk identification, risk analysis and risk evaluation. It is NOT to be confused or conflated with risk management, which is similar but separately defined as the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events. The primary objective of Risk Assessment is to lessen vulnerability and decrease risk.

Business Impact Analysis

Business Impact Analysis (BIA) is the process of analysing the effect of interruptions to business operations or processes on all business functions. The scope of Business Impact Analysis includes facilities, IT infrastructure, hardware, and data. The main objective of Business Impact Analysis is to identify the operational and financial impacts resulting from a major disruption of business functions and processes; thus, BIA is crucial to Business Continuity Planning. The outputs from RA are somewhat different from those of BIA.

[Figure: BIA Deliverables]

RA gives you a list of risks together with their values, whereas BIA gives you the time within which you need to recover (Recovery Time Objective, or RTO) and how much information you can afford to lose (Recovery Point Objective, or RPO). So, although these two are related, because both focus on the organization’s assets and processes, they are used in different contexts.

What does ISO22301 BCMS standard say?

The International Standard ISO 22301:2012 allows for both approaches, depending on the BCM planning methodology that is used. Organisations may choose to conduct the BIA to identify their critical business functions, followed by an RA to analyse and mitigate the potential risks faced by each business operation and process. The advantage of this approach is that it focuses on the identification and mitigation of specific business threats faced by each business unit. The other approach is to conduct the RA to identify threats and establish the risk landscape at the corporate level before conducting the BIA. As the BCM framework is set up to prepare for and build resiliency against corporate-wide disruptions, it is reasonable to assess threats and estimate the possible period of disruption at the corporate level. The outcome can be used to establish the Key Planning Scenario, which sets the basis for planning in the subsequent stages.

An effective Business Continuity Management framework ensures the capability of an organisation to continue delivering products and services at an acceptable, predefined minimum level and to safeguard the interests of key stakeholders. Understanding the potential threats faced by the organisation and determining recovery priorities set the foundation for BCM implementation. Our preferred approach is first to conduct an RA at the corporate level to establish the Key Planning Scenario, which can then be used as a benchmark for determining the organisation’s critical business functions in the BIA. To mitigate the risk of an RA that was not completed correctly, ISO 22301 has the RA revisited as a continuous review during the BIA and again in the BC Strategy phase.

What do the other standards say?

  1. Australia (HB221:2004): “Risk & Vulnerability Assessment” is step #2, whereas “Conduct BIA” is step #3
  2. Canada (Z1600-08): Risk Assessment precedes BIA as part of continuity project planning activities
  3. Great Britain (BS25999-1:2006): BIA precedes the Risk Assessment
  4. U.S. (NFPA1600 2007): The Risk Assessment takes precedence, with the BIA being a subset of the RA
  5. Singapore Standard (SS540:2010): Risk Assessment precedes BIA as part of continuity project planning activities

As you can see, every standard offers a different take or variant on what comes first, and some of these standards do not factor in Risk Assessment. Additionally, business impact analysis is mandatory for ISO 22301 implementation, but not for ISO 27001. Who, then, do we subscribe to for a universal take on what is right?

Why Risk Assessment first?

Some practitioners and most of the older international BCM standards believe that the RA should come first as it enables one first to identify exposure and risks, allowing the practitioner to develop the necessary mitigation measures to reduce the threat. It also allows the practitioner to perform BIA more quickly as the lists of assets in the organization have been completely identified.

Most of the international standards support this claim, with RA being regarded as the initial step to take before the BIA.

Additionally, you will have a clearer picture of which incidents can happen and which risks you are exposed to, and will therefore be better prepared for the business impact analysis, which focuses on the consequences of those incidents. Furthermore, if you choose the asset-based approach to risk assessment, you will have an easier time identifying all the resources later on in the business impact analysis.

Why BIA first?

The counter-argument against conducting the RA first is that in sufficiently large organizations, it can be quite difficult, if not flat-out impossible, to assess all the risks and their impact on the organization. Rather than starting with the RA, it is much easier to start with the BIA, evaluating all the critical functions (or prioritised activities, in ISO 22301 terms) and assets of the business and how their loss would impact the organization.

Different business units or departments in large organizations often have their individual subcultures and approaches to work. By showcasing a complete list of risks to critical business functions that have been identified from all parts of the business, new thinking and debate almost always ensue. Thus, some would argue that employing BIA first saves everyone involved in the BCM process an enormous amount of time and effort.

BIA forces the practitioner to consider which assets are of most importance to the business and its continuation. RA is then applied afterwards to assess the potential risks against these critical functions, followed by forming a mitigation plan to counteract the risks involved.

Sometimes, practitioners start with BIA because they want the organisation to talk about business processes and assets. This is often a strategy, and it should not be part of this discussion.

[Figure: RA vs BIA]

Conclusion

It is a matter of preference and circumstance. Either can be conducted before, after, or even concurrently with the other, depending on what the situation demands. Some implementers found that gathering the information for both in a single interview saved time. For a practitioner, the argument turns on what constitutes an RA; it may require you to conduct a field RA survey.

When RA and BIA are placed together, the two processes combined can readily show how severely a potential disruption can impact a business, as well as how quickly it can strike and how much damage it can cause.

It is always good to have a healthy discussion, but the key questions are: do we share the same understanding of the RA and BIA definitions; are you starting a new BCM project or updating an existing programme; do you already have other standards in place, such as ISO 9000 or ISO 27000; and which consulting techniques will you use to gain the organisation’s acceptance?

I expect comments, as there are strong opinions on both sides, each with its justifications. However, having spent some time in this industry, I take the middle ground: there is no truly right or wrong position in this debate, as it depends on the perspective you start from and, essentially, on what meets the needs of your internal or external customers.

About the Author

Dr Goh Moh Heng

Dr Goh Moh Heng is the President of BCM Institute and the Managing Director of GMH Continuity Architects – a specialized BCM Consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 20 organizations, particularly those operating in the Asia Pacific and Middle-East Region in their successful implementation of their Business Continuity Management System (BCMS) and achieving their BS 25999/ SS 540 / ISO 22301 organization certification.  Before establishing BCM Institute and GMH BCM Consulting, Dr Goh held senior positions with some large organizations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its BC and contingency planning. At Standard Chartered Bank, he saw to the global implementation of its BC management and planning. He also managed the BCM practice at PricewaterhouseCoopers.

Currently, Dr Goh is the senior advisor to the China BCM Forum, a quasi-government agency responsible for BCM throughout China, and an expert panel member of the Asia-Pacific Economic Cooperation (APEC) Network on Improving SME Disaster Resilience (since 2011) and the JICA-ASEAN study to enhance the resiliency of industrial areas against natural disasters (since 2012). He holds a Ph.D. and has been awarded the highest level of certification from the three major business continuity management institutes. He is the author of nine business continuity management books. Dr Goh was instrumental in creating the first wiki for BC, www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org or moh_heng@gmhasia.com.

References

Goh, M. H. (2016). Risk Assessment or Business Impact Analysis: What Comes First? LinkedIn Pulse

Goh, M. H. (2015). Business Continuity Management Planning Methodology. International Journal of Disaster Recovery and Business Continuity, 6, 9–16. Retrieved from http://dx.doi.org/10.14257/ijdrbc.2015.6.02

Kosutic, D. (2014). Risk assessment vs. business impact analysis. Advisera, (Mar), 2–5.

Ross, S. (2010). A business impact analysis checklist: 10 common BIA mistakes. Search Disaster Recovery, (Oct).

Rupert, J. (2013). The Relationship Between the Business Impact Analysis and Risk Assessment. Avalution Perspective.

Zecuboy. (2013). Risk Assessment versus Business Impact Analysis. Information Security Cafe, 5–8.

Business continuity management implementation for small and medium-sized enterprise

In this article Dr. Goh Moh Heng and Jeremy Wong look at some of the difficulties that SMEs face when it comes to making business continuity plans and how a simplified methodology could make things easier.

Article was published at Continuity Central on 3 July 2015

Introduction

Business continuity has risen in focus in Asia and elsewhere over the last few years and this is especially true for companies operating in regulated industries.  The recent series of mega disasters in the Asia region has resulted in larger organizations investing heavily in improving their resilience against disruptions to business operations. However, despite the growing awareness of business continuity, small and medium-sized enterprises (SMEs) do not appear to be taking action to enhance their business resiliency.
Business continuity is still not widely understood in small and medium-sized enterprises.  Many relate it to emergency response or IT disaster recovery and even those that have heard of business continuity may see no relevance to themselves.
Unlike many large firms that have business continuity plans in place, SMEs often lack the time and the money to invest in their business continuity plans. But increasing pressure from larger organizations to secure the continuity of their supply chains, new government legislation, and the global acceptance and adoption of business continuity management  standards, mean that SMEs can no longer ignore business continuity and the growing need for it as part of mainstream business operations.

Working assumptions for SMEs

SMEs are often associated with the following characteristics when it comes to business continuity:

  • They have an entrepreneurial culture;
  • They have limited resources for ‘non‐productive’ investments;
  • They have limited or no knowledge of business continuity;
  • They are not in a position to develop a  business continuity plan to the fullest extent;
  • They have some IT‐knowledge, but usually not about systems availability and IT recovery.

Obstacles to implementation by SMEs

Lack of understanding of business continuity management
One of the main obstacles to successful business continuity plan implementation in SMEs is a lack of understanding of the importance of business continuity, the development processes involved and the maintenance activities that are needed to sustain the programme.  Many owners and managers vaguely acknowledge business continuity management’s place in large corporate organizations but see little relevance in their small businesses.   This lack of understanding inevitably leads to misconceptions about the importance of BCM:

  • Underestimating the impact.  SME owners tend to assume that the business can survive financially and that customers will accept a lack of service during a period of disruption.
  • Scenario assumptions.  There is an assumption that the many potential scenarios are either too small to require action, or are too large, and therefore are beyond their planning capability.
  • Time and manpower resource affordability.  There is a constant assumption that SMEs cannot afford the cost or management time to make business continuity plans.
  • Living within the comfort zone.  Many SMEs assume that the majority of disruptions can be managed when they happen, with no need for pre-planning.
  • No sense of urgency.  There is a lack of prioritization of business continuity because the SME has never experienced a crisis and therefore does not understand the priority that should be given to BCM.

BCM professionals do not share the message outside large corporations
Full-time BCM professionals focus exclusively on developing plans for their organizations and do little advocacy work with SMEs.

Making the process too complicated
Proponents of BCM often over-compensate for the lack of advocacy by overwhelming listeners with shovel loads of information, without regard to how much of the information can be understood. There are very few presenters who can present business continuity content in a very simple and concise way.

Providing a step-by-step process
The key for SMEs is to provide them with a simple and easy-to-implement approach.  This is often overshadowed by a complicated methodology that requires a team of specialists to implement.  The unnecessary expectation that a perfect business continuity plan is required is a daunting starting position for SMEs.

Too expensive to implement
For many SMEs, having a business continuity plan is often seen as an expensive luxury.

BCM has a higher return on investment for SMEs

The truth of the matter is that for SMEs, the development of business continuity plans is far more valuable, and simpler, than most think. At the same time, SMEs have more to lose should they be caught without a business continuity plan in a disaster. While large corporates may have resilience arising from the diversity and spread of their income sources and operational work locations, smaller organizations more often than not have none of these advantages. For most SMEs, the exposure is far greater due to an inherent and almost inevitable concentration of critical risk factors.  Due to their simpler structure, plans developed for SMEs are also often more straightforward and easily implementable.

SMEs need a new methodology

It is clear that although SMEs desperately need business continuity planning, the traditional methodology for developing plans does not work for them.  It is too time-consuming, labour-intensive and costly.  BCM practice should be solution-focused rather than problem-focused.  As solutions for global corporates come with a hefty price tag, the more modestly priced solutions adopted by SMEs hold less interest for business continuity and disaster recovery vendors, who continue to push more sophisticated (and correspondingly higher-priced) products; hence the myth that business continuity is too costly for the smaller organization.  It simply is not attractive for many disaster recovery vendors to promote their services to smaller organizations.

The starting point for a BCM framework for SMEs

Three questions need to be examined when first embarking on a business continuity planning project. They centre on:

  • Purpose: Why is your company introducing BCM?
  • Scope: Which parts of your business will introduce BCM?
  • Team: Who will lead and manage your BCM activities?

The answers to these questions will help frame the project and provide a grounded perspective that will drive management and project team members in a direction that will yield the most benefit to the organization.
Leadership in a business continuity project is crucial for success. Business continuity planning projects typically involve participants from across the organization. Without a strong mandate from management, many of these projects fade away after a brief period of activity, being superseded by ‘more pressing concerns’.  Leadership can also be demonstrated by way of a policy emphasizing the importance of business continuity to the organization, the purpose, scope and assumptions, an organizational framework and structure for the implementation and subsequent management of the BCM programme.

Start with the survival scenario

One way SMEs can accelerate the development of a business continuity plan is by focusing on the essentials. An SME with limited resources should look at mitigating its risks and containing any damage to as low a level as possible such that it would be able to resume operations at an acceptable level of functionality in a relatively short period. This is a company’s survival scenario. BCM is all about a company’s ability to achieve its survival scenario.
Here are some warm-up questions to get SMEs started:

  • Q1: What disaster scenarios might lead to bankruptcy of the company?
  • Q2: How quickly (in hours, days or weeks) does your company have to recover to ensure that it will survive a disaster-related disruption?
  • Q3: What are the critical resources whose availability determines the life or death of your company?
  • Q4: Within five to ten years, what kinds of disasters and accidents are most likely to impact you, potentially triggering a worst-case scenario?

Aligned to international standards?

There is much scepticism about whether or not international standards for BCM, such as ISO 22301, can be applied to the SME marketplace.  The answer to that lies in understanding why the standards exist in the first place. Many people misinterpret international standards to mean methodology.  This is not the case.  What standards do is to ensure that any business continuity plan produced will be based on a sensible evaluation of risk; a business understanding of consequences should key processes be lost; and a suitable strategy to mitigate damage and ensure recovery.
The ISO 22301 standard has been available since 2012.  SMEs are beginning to feel pressure from major clients to adopt and comply with this standard.  Many compare its adoption with that of ISO 9001, whereby SMEs are excluded from bidding for large contracts if they do not meet the ISO quality standard.  Procurement contracts are beginning to include business continuity readiness of suppliers as part of the terms and conditions.  SMEs that implement ISO 22301 can improve their resilience in the same way as larger organizations. A smaller company may have tighter budgets and resources for putting the necessary BCM processes and business risk management in place, but by focusing only on the essentials, an SME can remove the unnecessary expense and complexity of implementing ISO 22301.

Manage emergencies and incidents

Before SMEs begin working on a business continuity plan they should first check that basic emergency procedures are in place, including:

  • Make sure that your employees understand emergency evacuation procedures;
  • Make certain that your employees know what to do if a fire breaks out;
  • Ensure your employees know what to do if a colleague is injured.

These are all part of essential occupational health and safety legislation and are a legal requirement for any business. It is imperative that all businesses have and follow basic emergency procedures to ensure safety at all times.

Define disasters and assess risks

It is vital to recognize that a disaster could happen to any organization – no matter the business size. Before looking at the risks in individual areas of the business, it is important to determine what would constitute a disaster. In simple terms, a disaster is an incident that has serious consequences for the company.
Frequent small business disasters include:

  • Fire/flooding.
  • Computer/telecoms failure.
  • Key equipment failure.
  • People issues such as illness/resignations/maternity leave.
  • Denial of access to the premises.
  • Product defects.
  • Bomb/terrorism threat.
  • Legal/regulatory action.
  • Utilities failure.

It is critical that SMEs understand the disruptions that would be disastrous to the running of their business when writing the business continuity plan. Take the time to identify all the risks your business faces and then rank them in order of likelihood and importance.
Once the risks have been identified, for any risk you can:

  • Transfer it via insurance.
  • Reduce it by less centralization and more resilience.
  • Eliminate it by changing procedures.
  • Accept it if the impact is relatively small.
  • Manage it.

Adequately assessing the disasters that could threaten your company will give you a fair idea of the business areas that are most critical. Usually, these will be the areas on which your business relies the most and which are exposed to the greatest degree of risk. This is the most important part of your plan. The following checkpoints are essential when writing this stage of the plan. Go systematically through each of the following areas and take a practical approach to tackling each of the threats your business may face. Follow the same process for each:

  • Identify threats and resources.
  • Assign ownership.
  • Develop business continuity plans and policies.

Premises and key equipment

Clearly, premises are vital to any SME. So much so that SMEs often take them for granted. However, SMEs need to consider the long-term impact that damage to, or destruction of, premises would have on the business. The same applies to business-critical machinery. If a necessary piece of equipment is destroyed, damaged or stolen, what impact would it have on the business? Ask the following questions:

  • Would you be able to notify your workers and clients of disruption to the business?
  • What would happen to customer orders during the time that the premises were closed?
  • Would you be able to make alternative arrangements for regular orders, to keep loyal customers happy?

Test the plan

Once the business continuity plan has been agreed and endorsed by management, it should be communicated to your teams, preferably through a formal walkthrough session whereby team members are invited to comment. This will test the feasibility of the plan and expose any flaws. It will also ensure that key roles and responsibilities are understood. At some point in time, it might be worth conducting a physical simulation of the business continuity plan to ensure its smooth running should the plan need to be executed.

Regularly update the plan

Review the plan at least every six months. Monitor to see that contact details for the recovery site, suppliers and the team are up-to-date and correct. Similarly, review whether there have been changes in the organizational structure, or in a team’s functions, and update if necessary. Distribute the plan to staff involved in the execution of the plan and advise them to keep copies off-site. Team meetings are useful forums to remind all employees of the processes to follow.

Help for SMEs

Undoubtedly, SMEs need help if they are to implement BCM with any measure of success. The following suggestions could be considered to inch these companies towards greater resilience progressively:

  • Create more awareness programs amongst SMEs. Greater education about the importance of planning for a major disruption that could potentially cripple their business would certainly help.
  • Offer assistance for SMEs to build BCM capability, either by sending key staff for relevant training on managing a BCM programme, or by engaging an external consultant to advise and guide the organization towards mitigating its risk and putting in place response and recovery mechanisms.
  • Establish and enforce industry guidelines and regulations to require companies to implement BCM.
  • Provide incentives to companies to achieve industry standards.

Conclusion

Achieving ISO 22301 BCMS certification in itself is not the solution. Over-emphasis on certification may well lead to a tick-box audit mentality that leaves the typical SME with additional costs of compliance without any of the real advantages of a proper BCM. A well-rounded programme, incorporating a healthy dose of education mixed with incentives, regulation and enforcement, is necessary to bring about the real benefits of BCM to SMEs.
The authors understand the difficulties that a busy manager in a typical SME faces when it comes to implementing business continuity.  Hopefully this article will make his or her job a little more enjoyable and easier to undertake successfully.  If not, at least, he or she will know they are not alone.

The authors

Dr Goh Moh Heng, BCCLA BCCE CMCE CCCE DRCE, is the president of the BCM Institute and the managing director of GMH Continuity Architects – a specialized BCM consulting firm. Dr Goh has assisted organizations, particularly those operating in the Asia Pacific and Middle East Region, in the successful implementation of their business continuity management system (BCMS) and achieving their BS 25999/ SS 540 / ISO 22301 organizational certification.

Jeremy Wong BCCLA BCCE CMCE DRCE is the senior vice president of the BCM Institute. He is also the senior vice president for GMH Continuity Architects and is a senior management staff member responsible for all training and consulting initiatives.
http://www.bcm-institute.org/

References

APEC SMEWG. (2013). Guidebook on SME Business Continuity Planning. BCP Guidebook.

BSI Group. (2013). ISO 22301 for small and medium-sized businesses (SMEs). BSI.

ENISA. (2010). IT Business Continuity Management An approach to Small Medium Sized Organization. ENISA: BCM: An Approach for SMEs, 127.

European Commission. (2014). What is an SME? European Commission Enterprise and Industry. Retrieved from http://ec.europa.eu/enterprise/policies/sme/facts-figures-analysis/sme-definition/

ISO 22301. (2012). ISO22301:2012 Societal Security – Business Continuity Management Systems – Requirements. Societal Security – Business Continuity Management Systems – Requirements (1st ed.). Switzerland: International Organization for Standardization.

Marinos, L. (2010). Strengthening the weakest link: Business Continuity Management for SMEs. ENISA, (Oct).

Maruya, H. (2008). BCP in Japan: Diffusion and Expectation. The concept of Business Continuity, 1–4.

Ministry of Economy, Trade and Industry, Japan. (2006). Guidelines on Formulating and Implementing BCPs for Small and Medium Enterprises. Preparations to Ensure the Business Can Survive Any Emergency Situation, 1–117. Retrieved from http://www.chusho.meti.go.jp/keiei/antei/download/110728JapanBCP_SME_Eng.pdf

Price, R. (2005). The personal side of Business Continuity. Continuity Forum, 1–2.

Wiltshire County Council. (2006). Business continuity guide for small businesses. Business Continuity Guide for Small Business, 1–19.

WCC 2015 Singapore

Is Business Continuity Management one of the keys to Cybersecurity?

I had this conversation a decade ago, and I remarked that business continuity is NOT information security (IS), or IT security, as cybersecurity was then called.  At that time, the issue was more closely related to IT disaster recovery planning.  Having said that, the world has since evolved and moved on, primarily due to the proliferation of IT and the heavy dependency on it.  Hence, it is time to revisit this remark, taking into account the numerous changes that have taken place over the last decade.

Cybersecurity as a top threat to business continuity

Recent surveys conducted over the last two years have rated cyber-attacks as the top threat to business continuity, the most prominent case being Sony.  This prompts both BCM and IS professionals to ask: Are BCM and cybersecurity related? If so, how are they related?

Before any IS or BCM professional takes a position, it is important to consider your background, prior experience or, in academic terms, your “World View”. Do you have strong IT or IS experience, or are you a physical security or facility person designated to manage BCM? The latter will say it is not part of his or her responsibility, as there is a constraint in terms of IS competency. However, the IT- or IS-literate person may agree that BCM is part of cybersecurity because of his or her deep knowledge of IT and IT security.

Cybersecurity: Is it just about technology or is it truly part of business continuity?

I recently read Paul Kirvan’s discussion on Search Disaster Recovery regarding the integration of cybersecurity practices into a BCM program. Paul explained why the BCM program should be part of the information security and corporate cybersecurity strategies. Immediately after the comment was posted, a rebuttal arose: the argument was that the discussion creates artificial distinctions between “cyber security” and “business continuity”, and that this demarcation does not help. My observation is, firstly, to take a close look at how the organization views its overall resilience framework. We need to understand how the organization is structured to operate effectively under the respective functional roles such as IT, IS and BCM. It is always an “organizational structure issue” when it comes to the question “Whose roles and responsibilities are these?”

When Does a Cybersecurity Incident become a Business Continuity Issue?

One may think that cybersecurity is strictly the jurisdiction of the IS unit. From a technical perspective, the IS specialist will provide the initial response to resolve a security breach. However, should the breach result in operational disruption that prevents the business from functioning normally, the emphasis may need to shift to business continuity.

NIST Framework Can Help Business Continuity Professionals Prepare for Cyber Attacks

NIST released its framework exactly a year ago. Though it is not similar to the ISO22301 BCM standard and hence cannot be complied with in the same way, it made a significant change in approach by including the concept of recovery as a necessary process. Even though it is not auditable, the strength of this framework is that it gets the various interested parties to come together to view the challenges and to develop a holistic, standard approach across the different functional groups and industries.

One of the key features of a business continuity life cycle or execution process is to understand the six “Rs”: Reduce, Response, Recover, Resume, Restore and Return (Home). NIST’s framework is tied to BCM’s “recovery” process. This is where business continuity and disaster recovery professionals become involved in cybersecurity incidents. As most cybersecurity threats that cannot be prevented tend to fall into the “recovery” stage, it becomes critical to understand how to manage such disruptions. If they are business disruptions, this calls for the right BCM skillset and knowledge to assure the continuity of the mission critical functions or processes affected by the cyber disruption.

Change of Mind toward Cybersecurity

I started this discussion with my earlier position that BCM does not have a role to play in cybersecurity unless the critical business functions or processes are disrupted. I will now add that organizations have to relook at their entire framework so as to ensure resiliency not only of their IT systems but also of the entire business. I can only conclude by saying: “When the mission critical functions are disrupted, the entire organization is disrupted, and it does not matter who is solely responsible.” The key is to get the IT, IS, DR and BCM teams to work together to prevent disruption from happening and, if it happens, to ensure that the business continues regardless. It is all about working as a team.

About the Author

Dr Goh Moh Heng

Dr Goh Moh Heng is the President of BCM Institute and the Managing Director of GMH Continuity Architects – a specialized BCM Consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 20 organizations, particularly those operating in the Asia Pacific and Middle-East Region in their successful implementation of their Business Continuity Management System (BCMS) and achieving their BS 25999/ SS 540 / ISO 22301 organization certification.  Prior to establishing BCM Institute and GMH BCM Consulting, Dr Goh held senior positions with a number of large organizations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its BC and contingency planning. At Standard Chartered Bank, he saw to the global implementation of its BC management and planning. He also managed the BCM practice at PricewaterhouseCoopers.

Currently, Dr Goh is the senior advisor to the China BCM Forum, a quasi-government agency responsible for BCM throughout China, and an expert panel member of the Asia-Pacific Economic Cooperation (APEC) Network on Improving SME Disaster Resilience (since 2011) and the JICA-ASEAN study to enhance the resiliency of industrial areas against natural disasters (since 2012). He holds a PhD and has also been awarded the highest level of certification from the three major business continuity management institutes. He is the author of nine business continuity management books. Dr Goh was instrumental in creating the first Wikipedia for BC, www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org or moh_heng@gmhasia.com.

Product Recall Preparedness – Key Considerations

As global supply chains evolve to become increasingly integrated, government regulators and consumers are more concerned about and aware of product safety issues. This is evident from the rising number of product recalls and government interventions, particularly in the food, children’s products and automotive-related industries. The management of product recalls is further complicated by regulators who, in the name of adhering to safety guidelines, are given greater autonomy to intervene and impose product recalls. Coupled with developments in social media, consumers are able to get instantaneous access to information and news. This makes the management of a product recall more challenging and critical to an organisation’s survivability.

The ability to execute recalls in a timely and coordinated manner is crucial to maintaining the organisation’s credibility. To do so, the company must be able to track the end-to-end distribution of its products, and timely communication and updates should be provided to inform consumers and respond to their enquiries. Below are some of the key action steps to consider when developing a product recall plan for the organisation.

1. Identify Roles and Responsibilities

The roles involved in a product recall and their responsibilities should be clearly identified and communicated. A recall crisis management team, comprising various functional heads, should be formed to make decisions on initiating product recalls based on information coming from credible sources. The organisation should appoint a recall coordinator, who is responsible for coordinating the collection and analysis of information and overseeing the complete execution of the product recall.

2. Develop a Clear Incident Notification and Escalation Flow

The potential channels of incident notification and their respective points of contact in the organisation should be identified pre-crisis. Upon notification of a potential crisis, information should be escalated to the key stakeholders. In particular, customer-facing functions and those that deal with the authorities should be informed, and follow-up actions should be communicated to them. To aid information collection, it may be useful to develop a standardised questionnaire and distribute it to the various touchpoints. This will help ensure that relevant information is collected regardless of the input channel.

3. Establish Product Recall Trigger Criteria

Criteria for assessing organisational impact should be established to provide a reference for effective decision making. These criteria should take into consideration the type of defect, the number of reported cases, the severity of symptoms, the geographical spread, and the legal and regulatory implications. The potential financial impact and the costs incurred by follow-up actions (such as a stop-sale, batch or full market recall) should be estimated to inform decision making.

4. Develop a Track-and-Trace Mechanism in Product Distribution

A clear and visible distribution network for products is key to a successful product recall. Information on the affected product or batch, including description, brand, product code, batch number and date of manufacture, should be provided to the retailers. These products should be clearly marked and isolated from other stock to prevent them from being distributed back into the market.

5. Notify and Communicate Recall Messages to Customers

Customer hotlines or other communication channels, including the corporate website and social media accounts, should be established. To manage the expected influx of enquiries through the emergency hotlines, an emergency customer management team comprising staff from various functions could be identified pre-crisis. Customer handling procedures should include guidance on identifying affected products, the steps to return these products and the compensation in place for consumers. Messages should seek to disseminate factual information while, at the same time, calming, pacifying and reassuring irate customers that the management is doing its best to resolve the situation.

6. Implement Strategies to Rebuild Consumers’ Confidence

The organisation should explore possible strategies to rebuild public confidence in the recalled product. Such strategies may include the introduction of new packaging to distinguish the old, potentially unsafe product from new batches that are certified safe for consumption.

A company’s ability to conduct a timely and coordinated recall has a strong impact on consumers’ attitude toward the brand. Although challenging, these considerations are necessary to ensure an organisation’s recall preparedness and secure sustainable growth for the organisation in the long run.

About the Author

Kai Wei

Kai Wei is currently an Associate Consultant for GMH Continuity Architects Singapore. She has assisted clients from both the public and private sectors in the implementation and maintenance of their Business Continuity Management framework and processes. With her BCM experience, she has helped clients successfully convert their existing BCM framework to align with the International Standard ISO22301 requirements. As an instructor with BCM Institute, Kai Wei has trained and facilitated BCM courses for professionals from diverse backgrounds and industries.

CAYLON Investment Bank

Major European Bank Case Study

Major European Bank

This customer is a major European financial institution with its regional HQ located in Singapore and Hong Kong. It also has operations in Bangkok and Tokyo, Japan.

History

The customer needed to implement a BC plan for its business units located in Singapore, Hong Kong, Bangkok and Tokyo. This included both the regional HQ and the local Singapore operations. The plan was required to ensure compliance with the corporate objectives. Another essential requirement was to address most of the Central Bank’s audit findings.

GMH’s Services and Solutions

Figure 1: BCM Planning Methodology

The solution was to adopt an approach that standardized the organizational BCM framework. The effort was decentralized initially, with guidance directed from the European HQ. From the start, it was established that there was a need for a common framework, with each operation developing its own Minimum Business Continuity Objective (MBCO). GMH’s consultants adopted the fast-track approach based on the BCM planning methodology (Figure 1) to facilitate the development of the BCM framework and plan documents. The framework had to take into consideration that the overseas offices would also require BC plans to be developed in the future. Thus, the BCM framework ensured that it was consistent and applicable to all the regional offices.

Conclusion

The approach and solution implemented by GMH for this customer is flexible, adaptable and scalable to meet the customer’s requirements and expansion plans. This ensured that the customer benefited from an innovative and cost-effective approach. The client has since satisfied the Central Bank’s audit requirement upon completion of the consultancy.


Simulation Exercise

Choices and Categories of Tests & Exercises

Abstract

In testing and exercising BC plans, the terminology for the various types of tests and methodologies often poses a challenge for BCM professionals when they are about to start their testing and exercising programmes. This paper is a summary of tests; it is not intended to be a comprehensive list, but to provide a good foundation in the types of tests that a BCM professional is likely to embark upon.

1. Introduction

Most BCM professionals find it challenging to identify the types of tests and exercises to be conducted for their organization. It is usually a long list, and there are many variations within the discipline.

1.1 Categorization

There are several ways of categorizing the types of tests. One approach is based on the actions to be taken; an example would be: desk check, simulation, procedure verification, communications and IT environment walkthrough. Another approach is to list all the possible types of tests to be conducted and then select the types that are useful for testing the required outcome, based on the readiness level needed by the organization. This includes component, integrated, simulation and live tests.

The approach in this paper is to describe the techniques or methodology, as the content and objectives of the plan can be developed separately. Additional terminology relating to testing can be found at www.BCMPedia.org.

2. Component Tests

The following are samples of the types of tests that could be conducted as part of a component test for a typical business continuity plan.

2.1 Confirm Availability / Version of Plan

This test is designed to check that key staff in both business and support recovery teams can gain access to a hard-copy of their continuity plan at any time. As part of your maintenance program, you should include procedures to “visit” your plan at pre-defined intervals, to update personnel details and to ensure that recovery measures remain relevant.

2.2 Retrieve Vital Hard Copy Records from Offsite Locations

As a good practice, the hard-copy records of documents critical to business operations should be kept in an offsite location. This Component Test confirms that such records are indeed available offsite, are sufficiently up-to-date to be of use in a crisis and can be promptly retrieved within the expected time frame.  These documents may include copies of contracts, agreements, insurance policies, floor plans, title deeds as well as any special reference manuals required to conduct business operations in a crisis situation.

2.3 Contact Staff, Suppliers & Others

One of the most straightforward but important tests is the telephone notification procedure. This is typically carried out on three main groups of people:

  • Staff
  • Suppliers or vendors, who provide you with goods and services
  • Other contacts, including customers or others to whom you provide goods and services

Whilst the principles of these tests are similar, you should consider the differences in the relationships between your organization and each group of people, and tailor the testing approach for each group accordingly. The benefits of carrying out these tests are:

  • Establish that the contact telephone numbers in your plan are correct and up-to-date.
  • Confirm that the resources you require in a crisis, both human and otherwise (e.g. equipment and supplies), can be obtained when and where needed.
  • Ensure that the targeted degree of recovery matches the expectations of your internal or external customers.

It is highly likely that you will need to modify your plans following each test. These tests play a very important role in the maintenance program and their value should not be under-estimated.

2.4 Check Lead Times for Critical Equipment

This test establishes the lead times for the delivery of critical equipment. It differs from testing suppliers of services, as it relates to the availability of specific items rather than the ability to contact personnel. This is a simple test, which applies to both business and support units.

2.5 Confirm Alternate Site Readiness

This test is used to confirm the readiness of the personnel at the alternate site to receive people from a business unit or building who are displaced due to an incident. The procedure will vary depending on the location and on whether the recovery will be at a commercially operated alternate site or at another organization’s building. In any case, a Service Level Agreement (SLA) should be in place confirming the agreed relocation arrangements. This document will state the expected time frame for the relocation, which all relevant parties (officials from the alternate site as well as the Central Support Business Units of the organization carrying out the recovery) must acknowledge, confirming that they find the time frame acceptable, reasonable and attainable. Given that alternate site recovery contracts are usually held centrally and that only certain staff can invoke such plans, it will be assumed, for the purpose of this test, that recovery will be at a site controlled by the organization.

2.6 Test Staff Members’ Knowledge of Business Unit Plan

The person conducting the test visits the business unit BCM coordinator and staff members of a selected business unit and tests how much they know about the procedures without having access to the plan. This will confirm the business unit staff members’ knowledge of the plan and their potential ability to ensure the recovery of the business unit if, for whatever reason, a copy of the plan is not initially available.

2.7 Spot Check of Vital Records

This test involves the business unit BCM coordinator and staff members of a selected business unit visiting the offsite location where the vital records are kept. While at the offsite location, the team is required to perform a review of the inventory of vital records using a checklist.

2.8 Recall Offsite Storage

This relates mainly to support business units and should not be confused with the retrieval of vital hard-copy records, which is covered separately.
The list of support business units at a medium to large operation would normally include the following:
  • Premises/ Facilities
  • Information Technology
  • Telecommunication/ Networks
  • Security
  • Public Relations
  • Human Resources
  • Administration/ Correspondence
  • Legal/Compliance
  • Financial Control
  • Transport

In order to meet everyday needs during a disaster, these business units are likely to have spare items such as furniture, equipment, cables, server tapes and back-up disks stored offsite. In some cases they will be stored in another organization’s premises, and in others an external storage contractor may be used.

The purpose of this test is to confirm that the business units can access and/or arrange delivery of the required items within the expected time frame stated in the plan.

2.9 Check that Important Lists are Still Current

This ensures that important lists are up-to-date. Each business continuity plan contains a number of lists, e.g. lists of key items or contacts required in a crisis. The information stated in the lists can be used to contain the impact and/or limit the damage to the business. The following are key lists in a typical business continuity plan:

2.9.1 Personnel Contact List

In addition to a Telephone Call Tree chart, business unit coordinators should have an updated Personnel Contact List.

2.9.2 Initial Action by Business Units

Important business units should each have a brief list stating the tasks which key team members need to undertake in the opening stages of a disaster scenario. These members should have this list with them at all times.

2.9.3 Inventory of Resources

This lists all key resources. Regular checks should be done to confirm they accurately reflect the needs of each business unit.

2.9.4 PC Software Versions

The lists of IT hardware and software (showing the versions) should be kept up-to-date. “Systems” for unique software should be regularly tested and not just stored in an IT business unit.

2.9.5 “Grab” List

This is a list of small items, identified as being useful, which staff will try to take with them as they evacuate.

2.9.6 Priority Salvage List

This identifies items a business unit BCM coordinator might ask someone to hand-carry from the office, if that person was allowed back into a building for, say, 30 minutes.

2.9.7 Essential Forms / Stationery

If a business unit has any special stationery or printed forms without which the business cannot operate, a small supply of these should be stored offsite and the location recorded in the plan. The tests for confirming the contents of these key lists are simple and quick to conduct.

3. Notification Call Tree Test

Even though this is a Component Test, its critical importance cannot be ignored. In a Telephone Notification Call Tree Test for recovery teams, the recovery team members notify designated staff members as documented in the plan. This personnel communication network forms one of the most efficient and effective means of communicating news or instructions to all relevant staff, and should cover the entire organization.

4. Walk-through Test

In a Walk-through, recovery team members meet to verbally walk-through the steps of each component of the business continuity process as documented in the business continuity plan.

5. Integrated Test

An Integrated Test involves integrating any number of the components in the order in which they would occur during actual recovery operations. The integrated test builds on the test successes and the increased employee awareness generated during component testing. The organization’s BCM coordinator and the business unit BCM coordinators should realize that the increased complexity, the coordination of multiple teams, the involvement of other interested personnel and budget considerations will limit the frequency of integrated testing.

6. Incident Simulation Test

This involves the development and use of pre-written test scenarios or test scripts for disaster events. The scenarios tell the team members how to react to such disasters and give organizations a baseline from which to start their recovery plans.

7. Partial Simulation Test

Similar to the Full Simulation (below), except that only a few business units will be involved. However, for these business units, the testing will be carried out to the fullest detail and scope.

8. Full Simulation Test

The Full Simulation test is the ultimate BC plan test, which activates the total BC plan. It is also called the Full Interruption test or Mock Disaster test. The purpose is to simultaneously test as many components as possible in the organization’s recovery structure. The test is likely to be costly and could disrupt normal operations, and therefore should be approached with caution. Adequate time must be scheduled for the testing.

To successfully test recovery capability, the tests must evaluate the recovery procedures and documentation, not the inherent knowledge of the staff. Each test must have a set of primary and secondary objectives to define the direction of the test and to measure its success. An example of such objectives: the primary objective is to evaluate success or failure, and the secondary objective is to test whether extra time is available.

9. Live Test

Finally, this is the ultimate of all tests. It is perhaps the most challenging test that any BCM professional would undertake, as this is where anything that can go wrong will go wrong. To make matters worse, the errors of this test will be seen live across the organization, and especially by senior management.

10. Conclusion

The decision on the types of test to be conducted can initially be an uphill task for many BCM professionals. There is a pressing expectation from management to test the BC plan to its readied state. Hence, the identification and implementation of the correct series of tests becomes a key necessity for any organization that has a BC plan.

11. References

[1] BCMpedia (2008). Definition of Business Continuity and Disaster Recovery Terminologies, http://www.bcmpedia.org
[2] Goh, Moh Heng (2008). Managing Your Business Continuity Planning Project, 2nd Edition, 166 pages.
[3] Goh, Moh Heng (2008). Conducting Your Impact Analysis for Business Continuity Planning, 130 pages.
[4] Goh, Moh Heng (2008). Analyzing & Reviewing the Risk for Business Continuity Planning, 162 pages.
[5] Goh, Moh Heng (2005). Developing Recovery Strategy for Your Business Continuity Plan, 104 pages.
[6] Goh, Moh Heng (2004). Implementing Your Business Continuity Plan, 104 pages.
[7] Goh, Moh Heng (2006). Testing & Exercising Your Business Continuity Plan, 2nd Edition, 160 pages.
[8] Goh, Moh Heng (2007). Managing & Sustaining Your Business Continuity Management Programme, 190 pages.
[9] Goh, Moh Heng (2006). Developing Your Pandemic Influenza Business Continuity Plan, 128 pages.

About the Author

Dr Goh Moh Heng

Dr Goh Moh Heng is the President of BCM Institute www.bcm-institute.org and the Managing Director of GMH Pte Ltd www.gmhasia.com, an Asia-Pacific BCM consultancy firm. During the last 20 years, Dr Goh has conducted several hundred tests and exercises for clients throughout the world, ranging from many simple notification tests and walkthrough tests to large simulation and live tests. Some tests worth mentioning include enterprise-wide crisis management simulations, full simulation tests and unannounced live tests for many international organizations. He holds a PhD and has also been awarded the highest level of certification from the three major business continuity management institutes. He is the author of nine business continuity management books. Dr Goh was instrumental in creating the first Wikipedia for BC, www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org or moh_heng@gmhasia.com.

Pandemic Flu Exercise

Pandemic Flu Business Continuity Planning for Organizations

“Many organizations read about the possible pandemic flu, but cannot completely digest the issues and preparations needed to sustain its mission critical operations and services.”

Abstract

This paper discusses the pertinent aspects of pandemic flu business continuity (BC) planning. In the last two years, there has been an increase in organizations preparing themselves for a possible influenza (flu) pandemic outbreak. The key challenge in the preparatory process is the synchronization of the business continuity plan and procedures with the World Health Organization’s and the local health ministry’s pandemic alert phases. Several probable outbreak situations, and several more possible variations in the responses to them, make the planning process one of the most complicated challenges facing business continuity professionals. The key outcome is an understanding of the scope of implementation of contingency, BC or crisis management plans, and the application of the BC execution stages to implement the necessary actions to prepare an organization for the impending pandemic flu outbreak.

1. Introduction

Even though we have experienced three pandemic flu outbreaks in the 20th century, no one knows precisely how a pandemic might unfold. However, recent developments and discoveries about the virus provide some clues as to what we can expect. The World Health Organization has warned that the risk of the avian flu becoming a human influenza pandemic is high. Most governments throughout the world have taken, and will continue to take, the necessary precautionary measures and update their pandemic flu BC and/or preparedness plans.

2. Framework for Pandemic Flu Planning

Planning for the unthinkable pandemic flu may appear to be a humongous and complex set of tasks. It ranges from the possibility of a small outbreak in any country to a global disaster that undermines the basic functions of life. Organizations without any existing BC or contingency plans will be overwhelmed by the planning complexity. Many of those without the necessary resources and BC planning capabilities have unwisely adopted the “wait-and-hope” approach. For organizations located in regions previously affected by the Severe Acute Respiratory Syndrome (SARS) outbreak, a good and logical starting point is a review of the organization’s SARS contingency or BC plan.

The concepts and approach contained in this paper do not follow the conventional BC planning methodology. They have been specially designed as a fast-track planning approach to help organizations prepare against the impending pandemic flu threat. The consideration is based on the need to develop an immediate, simple and effective plan to manage this threat, especially for organizations that do not possess existing contingency or BC plans.

Health experts believe that the pandemic flu virus is continuously evolving. Hence, it is imperative for organizations to develop and implement a BC plan that is flexible and adaptable to the evolving threat, and that can be easily and regularly updated as and when more information on the virus becomes available through the joint efforts of communities and governments.

2 Definitions

There is a constant debate on what to name the plans that we develop for this crisis. Some organizations call it a pandemic flu BC plan while others call it a pandemic flu contingency plan. For clarification, some of the definitions and terminologies of the components of these plans are discussed in the following subsections.

2.1 Contingency Planning

Contingency planning is the process of developing advance arrangements and procedures that enable organizations to respond to events happening by chance or to unforeseen circumstances.

2.2 Business Continuity Planning

Business continuity planning is the process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue without interruption or essential change. In this paper, contingency planning is a subset of BC planning.

2.3 Pandemic Flu Contingency Plan

A pandemic flu contingency plan is used by an organization and its business units to respond to disruptions to operations resulting from exposure of employee(s) to a pandemic flu incident.

2.4 Key Objectives of BCP for Pandemic Flu

  • Reduce the transmission rate or morbidity among employees and customers
  • Continue and/or recover mission critical operations and services

3. Non-conventional Business Continuity Planning

Pandemic flu BC planning differs from traditional BC planning or the Year 2000 or SARS BC planning because organizations:

  • Cannot afford to wait for the next few months, as the pandemic spreads rapidly and its impact is significant and immediate
  • Cannot expect to follow a traditional business continuity event timeline
  • Need to react as quickly as possible
  • Need to execute BC plans immediately
  • Should expect some fatalities and high absenteeism within the workforce
  • Need to consider where the employees are residing, and possibly, relocate them back to their home country
  • Must expect closure of borders by the government; thus, critical operations for organizations highly dependent on cross-border workers will potentially be disrupted
  • Must understand that the magnitude of the damage cannot be clearly defined, as it extends beyond the organization’s and the country’s boundaries
  • Should consider legal issues and risks as this is a predicted event
  • Expect outage/absenteeism for a protracted period of time
  • Should consider non-compliance with outsourcing agreements

4. Key Disaster Scenario

One of the business continuity (BC) best practices is to define the key disaster scenario. This scenario provides a common perspective to the executive management, BC project manager, BC team, IT Disaster Recovery Planning team and even the Crisis Management team.

The key disaster scenario should be based on the worst-case situation – occurring at the most vulnerable time; resulting in damages and losses of the most severe magnitude, like total loss of information, physical infrastructure and equipment.

Traditional BC planning focuses on denial of access to facilities. The pandemic flu BC plan, however, focuses on denial of access to facilities and the loss of key people. Hence, the assumptions underlying pandemic flu BC planning are very different. In addition to this basic difference, there are many other assumptions that a BC planner must quickly look into with regard to pandemic flu BC planning.

5. Pandemic Flu BC Planning Assumptions

5.1 Length of Disruptions and Absenteeism

Medical experts have projected that at least 25% of people will contract the virus during a full-scale pandemic. There are two possible levels of disruptions: short and medium term, and long term. In Figure 3, these assumptions are depicted as business disruption scenarios.

5.1.1 Short and Medium Term Disruption

  • The percentage will be higher than 25% as staff may be staying away from work to care for family members due to quarantine or closure of school.
  • An estimate of 25% absenteeism should be taken as a “low estimate” for medium term disruption. In larger cities, this percentage may increase to 50% or more for short periods.

5.1.2 Long Term Disruption

  • In the event of a full pandemic, it is predicted that business will not return to normal for a period of 6 to 18 months. The best case scenario is if the pandemic is relatively benign and handled effectively by national governments. The worst case scenario is the possibility of major financial centers being moderately impacted. A working assumption of a severe disruption lasting 12 months would be supportable.
  • There will be a huge reduction in international services such as tourism and offshore financial services.

5.2 Multiple Sites Disruptions

  • Should there be a pandemic flu outbreak, the situation would be unpredictable as more than one business location could be impacted.

5.3 Maintain Separation of Personnel

  • Authorities will discourage, or even prohibit, gatherings or concentrations of large numbers of people so as to limit human-to-human transmission of the disease.
  • Decentralization of key personnel (to reduce human-to-human contact) becomes mandatory, i.e. autonomous decision-making.

5.4 Continuous IT Operations

Provided that the continued operation of key infrastructure (data centers, networks and systems) is accorded the highest priority, the major problem is one of managing people resources.

5.5 Disruption to Supply Chain

During an outbreak, organizations in one part of the world may be mildly affected, but their operations may still be impacted if their suppliers are in other countries that are seriously affected by the outbreak. One major concern for organizations is that the current supply chain and outsourcing arrangements may not operate at contracted service levels. Organizations with highly automated, ‘just in time’ value chains that outsource core activities to third parties will be seriously at risk.

5.6 Local Denial of Access

In developing the pandemic flu BC plan, organizations should consider the following office closure scenarios:

  • Staff affected by pandemic flu resulting in closure of office.
  • Staff members being quarantined for five days or more (subject to local health authorities’ guidelines).
  • Office closed for one to three days for cleaning.
  • Duration required by staff to recover from influenza (the minimum recovery duration will be at least two weeks).

5.7 Ineffectiveness of Temperature Checking

It is important to understand that infection cannot be detected by temperature checking as a person could carry the virus for more than a day before any sign of a fever appears.

5.8 Variation of Health Support and Preparedness

In reviewing the country’s pandemic flu health support, the level of preparedness forms an important consideration when developing your BC plan.

6. BC Execution Stages and Pandemic Timeline

The planning assumptions are a pre-requisite for the implementation of the pandemic flu BC plan. This is followed by the understanding of the typical BC execution process and the WHO’s pandemic stages.

6.1 BC Execution Stages

Figure 1: BC Execution Stages
The execution of a typical BC plan (Figure 1) includes the following stages:

  • Reduce
  • Respond
  • Recover/ Resume
  • Restore/ Return

6.2 WHO’s Pandemic Stage with BC Execution Stages

Those who are familiar with the WHO’s pandemic stages require little explanation of the timeline. The key in pandemic flu BC planning is to match the various BC execution phases with the WHO’s pandemic flu timeline.

Figure 2: Pandemic Stages and BC Execution Stages

6.3 Pandemic Timeline and BC Execution Stages

Finally, the objective is to show the correlation between each WHO pandemic stage and the BC execution phase. The mapping allows BC professionals to apply their BC knowledge and implementation experience to the possible business disruption scenarios shown in Figure 3.
Figure 3: Pandemic Timeline and BC Execution Stages

7. Types of Plans and Extent of Planning

There is a need to be aware of the types of plans that an organization will be implementing in preparation for the pandemic flu outbreak. The important difference is the scope and extent of implementation. They are the contingency plan, the BC plan and the crisis management (CM) plan.

7.1 Pandemic Flu Contingency Plan

A typical Pandemic Flu Contingency Plan consists of only the following components:

  • Reduce; which is to focus on the preventive measures
  • Respond; which is to focus on managing and containing the pandemic flu incident
  • Recover and Resume; which is to conduct limited planning for the outbreak except for some high level documentation process to handle the critical business functions

A pandemic flu contingency plan must handle:

  • Preventive measures to minimize contamination (pandemic flu prevention)
  • Immediate responses to a disaster (pandemic flu emergency response)

7.2 Pandemic Flu BC Plan

A Pandemic Flu BC Plan will include the pandemic flu contingency plan and in addition, it must handle:

  • Subsequent business recovery and resumption activities
  • The return of business to normalcy

It is essential to note that in some situations, the “business resumption” and “return to normal” processes can be conducted in parallel with the pandemic flu contingency plan.

7.3 Crisis Management Plan

A Crisis Management (CM) plan is a plan used for the overall coordination of an organization’s response to a crisis in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation or ability to operate.
The definition of crisis and the crisis management team is provided below:

  • Crisis is a critical event such as pandemic flu, which, if not handled in an appropriate manner, may dramatically impact an organization’s profitability, reputation, or ability to operate.
  • A Crisis Management team will consist of key executives as well as key role players (i.e. media representative, legal counsel, facilities manager, disaster recovery coordinator, etc.) and the appropriate business owners of critical organization functions.

7.4 BC Execution Stages versus BC Planning, CP and CM

Figure 4: BCP Stages Mapped Against Planning Processes
The relationship among the various planning processes, namely BC planning, contingency planning (CP) and crisis management (CM), is shown in Figure 4.
It is essential for BC planners to fully understand the WHO’s pandemic framework and its corresponding stages and phases. The activation by the WHO may result in an escalation by the local government. It is suspected that the local governments and health authorities will escalate their pandemic flu alert status ahead of the WHO.

8. Conclusion

In summary, the pertinent aspects of pandemic flu business continuity (BC) planning were discussed. The key challenge for businesses in the preparatory process is the synchronization of the business continuity plan and procedures with the World Health Organization’s and the local health ministry’s pandemic alert phases. Several probable outbreak situations, and several more possible variations in responses to them, make the planning process one of the most complicated challenges facing business continuity professionals. The key outcome is an understanding of the scope of implementation of contingency, BC or crisis management plans, and the application of the BC execution stages to implement the necessary actions to prepare an organization for the impending pandemic flu outbreak.

9. About the Author

Dr Goh Moh Heng is the President of BCM Institute and is regarded as one of the leading practitioners in the area of business continuity. He holds a PhD and has also been awarded the highest level of certification from the three major business continuity management institutes. He is the author of nine business continuity management books. Dr. Goh was instrumental in creating the first wiki for BC, www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org.

Business Continuity Strategies for Manufacturing Companies

1. Introduction

The considerations for Business Continuity Strategies occur in the fourth stage of the seven-stage BCM planning process. Generally, there are three strategic areas for organisations to consider when developing a BC strategy: mitigation, recovery and its translation into the appropriate crisis response. For manufacturing companies, recovering plant operations is an important consideration when conducting BC planning. Unfortunately, setting aside alternate sites for this sector is usually avoided due to the high capital costs involved. The practicability of holding redundant capacity as backup is also an issue, as production efficiency is a key objective for manufacturers. Hence, many choose to focus on risk mitigation and reduction measures due to the difficulty in finding continuity solutions. To this end, three focus areas are identified for such organisations: recovery strategies, mitigation measures and unique environmental considerations.

2. Recovery Strategies

In the absence of alternate production sites, there are few recovery strategies available to manufacturers. Often, custom-built equipment and assembly lines are used and cannot be easily substituted. The recovery options then available are: delaying when the impact is felt through the use of buffer inventory or storage, selective recovery of production lines, and ensuring that recovery or repair of operations is done quickly. Manufacturers typically focus on inventory controls and partial recoveries as these allow greater process control. In the event that the manufacturer’s operation is more skewed towards assembling semi-finished products from upstream suppliers, an additional option is available. Where some equipment found in their production line is similar to that of their suppliers, manufacturers may attempt to resume limited production capabilities at their suppliers’ location. This arrangement is obviously limited by the availability of space and, more importantly, the goodwill of the supplier in accommodating external personnel.

3. Mitigation Strategies

As mentioned, due to the general lack of alternatives faced by manufacturers, mitigation strategies are often prioritized. While the measures taken should focus on either preventing or limiting the impact of a disruption, this should be done with floor operations in mind. A common example is the use of sprinkler systems to douse fires on the factory floor. As sprinkler systems typically activate all together, this would cause production equipment that was otherwise unaffected by the fire to be damaged. This can be avoided through the use of localised sprinkler discharges, where each sprinkler needs to be independently activated. Further measures may include a dry delivery sprinkler system, where fluids are only directed to the discharge point upon activation. This prevents common problems such as leakages, which may be found in poorly maintained systems.

4. Unique Environmental Considerations

Less common mitigation strategies may focus on the environmental regulations that the location may be subject to, where the direct costs incurred through a loss of production may be severely compounded by the costs of ‘cleaning up’. A recent example is the Deepwater Horizon oil spill, where the costs of fines, cleaning up and settlements reached approximately $40 billion. Perhaps a tweak of the old adage holds true for manufacturers: prevention is surely better than recovery.

5. About the Author

Jeremy Wong is the Senior Vice President for BCM Institute and deputizes for the President in his absence. He is also the Senior Vice President for consulting firm GMH Continuity Architects and is a senior management staff member responsible for all training and consulting initiatives. Jeremy is highly experienced in technology and project management, information security management, business process re-engineering, disaster recovery and business continuity planning. Prior to joining BCM Institute and GMH Continuity Architects, Jeremy Wong was the Head of Business Continuity Management for South Asia with Nomura, based in Singapore. He was responsible for planning and implementing BCM, and for developing policies, frameworks and standards to support BCM functions. Jeremy was also Vice President of Business Continuity Management with United Overseas Bank. He was a managing consultant with GMH Continuity Architects working on business continuity and disaster recovery projects, such as those for the Asia Development Bank and the Stock Exchange of Thailand, within the Asia Pacific region. Mr Wong was also a regional IT manager with Bax Global and spent a number of years working at JP Morgan and Andersen Consulting (now known as Accenture). At JP Morgan, he headed the IT Products and Services team in the Corporate Technology Group. He was instrumental in the setup of the Regional Hub Response Center for Asia-Pacific. Mr Wong was also a key member of their Business Continuity Planning team. At Andersen Consulting, he led several major projects and implementations for property management, logistics and data warehousing solutions.

Planning basics for a crisis management simulation

How prepared are your people and teams for the pressure of a crisis?

Have we checked the effectiveness of our crisis management plan? Are our staff familiar with it? Have the procedures changed recently? Is it still current, or is it sitting on a shelf? I strongly believe that these are some of the questions that many in management have to deal with when it comes to Crisis Management.

All the above questions can be answered when an organisation is ready to go the extra mile in preparing simulation options to validate its plans, rehearse its procedures and prepare its people, from the strategic senior management level to the tactical level and the operational front-line staff.

A simulation should be designed not as a test that can be failed but as a process that enables an organisation to apply its plans and minimise impact during any crisis situation, and it should allow staff to develop and gain confidence in their roles.
A simulation should be developed and delivered to meet a specific crisis management objective, or as part of a developmental programme designed to increase the crisis readiness of the organisation on an on-going basis. The scale of the simulation should be based on your organisation’s needs, the complexity of your organisation and the maturity of your crisis management team.

Crisis Management Simulation Options

These are some of the methods that can be used to validate your plans, rehearse your procedures and prepare your people. Simulations range from a simple walk-through of crisis response plans and table-top simulations to multi-agency, resource-intensive simulations of crisis scenarios played out in real time.

  • Crisis Management Plan Walk-through
  • Scenario Based Workshops
  • Table Top Simulations
  • Full Simulations
  • Live Simulations

Methodology

The methodology you choose to perform your crisis management simulation is crucial, as it will drive you through from the initial meeting, scope and objectives to the delivery of a post-simulation report and recommendations. It will also lead you in preparing the simulation architecture, designing the scenario and plans, working on the supporting documentation, preparing the “players”, observers and supporting staff, delivering the event on the day and gathering feedback.

About the Author

Murugan is currently the Assistant Vice President for the GMH Continuity Architects office based in Malaysia. Murugan has vast experience in the development and deployment of Business Continuity Management projects, programmes and workshops for banks and financial institutions (local and international), information technology, and world-class event management. He has also managed and been actively involved in IT outsourcing engagements, largely for financial institutions and other industries, namely Data Centre Services, Media Management, Service Desk and Contact Centre Services, and was also responsible for driving performance across the organization, guiding collaborative teams to implement strategic initiatives to protect the company’s business operations. Appointment within BCM Institute: Murugan M. is an Instructor with BCM Institute.

Supply Chain Resiliency

Building Resiliency in the Supply Chain

In today’s globalized world, multinational corporations expand beyond their local scale to reap economies of scale and are becoming more dependent on emerging economies. As supply chains become more extensive and complex, the management of key suppliers is crucial in ensuring business continuity during a disruption along the supply chain. In the case of the Thailand floods in 2011, widespread flooding affected business in the world’s largest producer of hard disk drives. The dip in component supplies had rippling effects on multinational companies, particularly in the automotive and electronics industries, including Toyota and Apple. Major production and shipment disruptions also occurred during the Tohoku Earthquake and Tsunami and the Icelandic volcanic eruption, in 2011 and 2010 respectively. Exposure to social and environmental issues continues to pose a potential threat in many parts of the world.

Supply chains are expected to become more vulnerable with the common organisational practices of procuring from a sole supplier and decentralizing to keep costs low. Diversifying production chains and maintaining buffer stocks are strategies which could minimize the impact in the case of a disruption. Below are some of the key business continuity planning considerations that allow organizations to overcome their vulnerabilities.

1. Maintain multiple manufacturing facilities

Locating manufacturing facilities in different geographical and political landscapes reduces the possibility of multiple facilities being affected at one time. The production process should be standardized and well documented across all facilities. Redundant resources could be stored at each facility to take on the additional production capacity during a disruption at a specific plant.

2. Store excess inventory

The storage of excess inventory and buffer stocks could minimize the impact of a disruption. This is advisable particularly for critical components which require sole sourcing and a longer lead time for production.

3. Ensure readiness of key suppliers

An in-depth supply chain study should be conducted to identify single points of failure and interdependencies on suppliers, contractors, logistics or warehousing operations essential to the organisation’s survival. Dual sourcing strategies could be considered for these interdependencies. Evaluating suppliers’ business continuity strategies and ensuring that they have Business Continuity Plans in place, aligned to the organisation’s requirements, is essential. A risk assessment should also be conducted to determine whether they are located in safe locations and to gauge the potential occurrence of catastrophes.

4. Enhance visibility and coordination in supply chain

Vertical coordination and the sharing of information on production processes, demand, inventory levels and processing capabilities allow for better coordination and early detection of potential disruptions.

5. Arrange for flexible transportation

Organisations should prepare for alternative transportation arrangements to reduce transportation time from the suppliers and to their customers. These arrangements include multiple transport companies, alternative routes or methods and expedited services.

6. Influence consumers’ decision

The ability to influence and steer consumers’ decisions towards purchasing the products that the organisation wants to sell would help to ease shortages during a disruption. Price discounts or free gifts may be helpful in influencing demand.

Managing risks and implementing these strategies will inevitably lead to cost increases. However, doing so could potentially determine whether an organisation is able to survive a disruption. Although challenging, these considerations are necessary in reducing potential risks and securing sustainable growth for the organisation in the long run.

7. About the Author

Kai Wei

Kai Wei is currently an Associate Consultant for GMH Continuity Architects Singapore. She has assisted clients from both the public and private sectors in the implementation and maintenance of their Business Continuity Management framework and processes. With her BCM experience, she has helped clients successfully convert their existing BCM framework to align with the International Standard ISO22301 requirements. As an instructor with BCM Institute, Kai Wei has trained and facilitated BCM courses for professionals from diverse backgrounds and industries.