
Business continuity management implementation for small and medium-sized enterprise

In this article Dr. Goh Moh Heng and Jeremy Wong look at some of the difficulties that SMEs face when it comes to making business continuity plans and how a simplified methodology could make things easier.

Article was published at Continuity Central on 3 July 2015

Introduction

Business continuity has risen in focus in Asia and elsewhere over the last few years and this is especially true for companies operating in regulated industries.  The recent series of mega disasters in the Asia region has resulted in larger organizations investing heavily in improving their resilience against disruptions to business operations. However, despite the growing awareness of business continuity, small and medium-sized enterprises (SMEs) do not appear to be taking action to enhance their business resiliency.
Business continuity is still not widely understood in small and medium-sized enterprises.  Many relate it to emergency response or IT disaster recovery and even those that have heard of business continuity may see no relevance to themselves.
Unlike many large firms that have business continuity plans in place, SMEs often lack the time and the money to invest in their business continuity plans. But increasing pressure from larger organizations to secure the continuity of their supply chains, new government legislation, and the global acceptance and adoption of business continuity management  standards, mean that SMEs can no longer ignore business continuity and the growing need for it as part of mainstream business operations.

Working assumptions for SMEs

SMEs are often associated with the following characteristics when it comes to business continuity:

  • They have an entrepreneurial culture;
  • They have limited resources for ‘non‐productive’ investments;
  • They have limited or no knowledge of business continuity;
  • They are not in a position to develop a  business continuity plan to the fullest extent;
  • They have some IT‐knowledge, but usually not about systems availability and IT recovery.

Obstacles to implementation by SMEs

Lack of understanding of business continuity management
One of the main obstacles to successful business continuity plan implementation in SMEs is a lack of understanding of the importance of business continuity, the development processes involved and the maintenance activities that are needed to sustain the programme.  Many owners and managers vaguely acknowledge business continuity management’s place in large corporate organizations but see little relevance in their small businesses.   This lack of understanding inevitably leads to misconceptions about the importance of BCM:

  • Underestimating the impact.  SME owners tend to make the assumption that the business can survive financially and that customers will accept lack of service during a period of disruption.
  • Scenario assumptions.  There is an assumption that the many potential scenarios are either too small to require action, or are too large, and therefore are beyond their planning capability.
  • Time and manpower resource affordability.  There is a constant assumption that SMEs cannot afford the cost or management time to make business continuity plans.
  • Living within the comfort zone.  Many SMEs assume that the majority of disruptions can be managed when they happen, with no need for pre-planning.
  • No sense of urgency.  There is a lack of prioritization of business continuity because the SME has never experienced a crisis and therefore does not understand the priority that should be given to BCM.

BCM professionals do not share the message outside large corporations
Full-time BCM professionals focus exclusively on developing plans for their organizations and do little advocacy work with SMEs.

Making the process too complicated
Proponents of BCM often over-compensate for the lack of advocacy by overwhelming listeners with shovel loads of information, without regard to how much of the information can be understood. There are very few presenters who can present business continuity content in a very simple and concise way.

Providing a step-by-step process
The key for SMEs is to provide them with a simple and easy to implement approach.  This is often overshadowed by a complicated methodology that requires a team of specialists to implement.  The unnecessary expectation that a perfect business continuity plan is required is a daunting starting position for SMEs.

Too expensive to implement
For many SMEs, having a business continuity plan is often seen as an expensive luxury.

BCM has a higher return on investment for SMEs

The truth of the matter is that for SMEs, the development of business continuity plans is far more valuable, and simpler, than most think. Conversely, SMEs have more to lose should they be caught without a business continuity plan in a disaster. While large corporates may have resilience arising from the diversity and spread of income sources, and operational work locations, smaller organizations more often than not have none of these advantages. For most SMEs, the exposure is far greater due to an inherent and almost inevitable concentration of critical risk factors.  Due to a simpler structure, plans developed for SMEs are also often more straightforward and easily implementable.

SMEs need a new methodology

It is clear that although SMEs desperately need business continuity planning, the traditional methodology for developing plans does not work.  It is too time-consuming, labour intensive and costly.  BCM practice should be solution-focused rather than problem-focused.  As solutions for global corporates come with a hefty price tag, the more modestly priced solutions adopted by SMEs hold less interest for the business continuity and disaster recovery vendors, who continue to push for more sophisticated (and correspondingly higher priced) products;  hence the myth that business continuity is too costly for the smaller organization.  It simply is not attractive for many disaster recovery vendors to bother promoting their services to smaller organizations.

The starting point for a BCM framework for SMEs

Three questions need to be examined when first embarking on a business continuity planning project. They centre on:

  • Purpose: Why is your company introducing BCM?
  • Scope: Which parts of your business will introduce BCM?
  • Team: Who will lead and manage your BCM activities?

The answers to these questions will help frame the project and provide a grounded perspective that will drive management and project team members in a direction that will yield the most benefit to the organization.
Leadership in a business continuity project is crucial for success. Business continuity planning projects typically involve participants from across the organization. Without a strong mandate from management, many of these projects fade away after a brief period of activity, being superseded by ‘more pressing concerns’.  Leadership can also be demonstrated by way of a policy emphasizing the importance of business continuity to the organization, the purpose, scope and assumptions, an organizational framework and structure for the implementation and subsequent management of the BCM programme.

Start with the survival scenario

One way SMEs can accelerate the development of a business continuity plan is by focusing on the essentials. An SME with limited resources should look at mitigating its risks and containing any damage to as low a level as possible such that it would be able to resume operations at an acceptable level of functionality in a relatively short period. This is a company’s survival scenario. BCM is all about a company’s ability to achieve its survival scenario.
Here are some warm-up questions to get SMEs started:

  • Q1: What disaster scenarios might lead to bankruptcy of the company?
  • Q2: How quickly (in hours, days or weeks) does your company have to recover to ensure that it will survive a disaster-related disruption?
  • Q3: What are the critical resources whose availability determines the life or death of your company?
  • Q4: Within five to ten years, what kinds of disasters and accidents are most likely to impact you, potentially triggering a worst-case scenario?

Aligned to international standards?

There is much scepticism about whether or not international standards for BCM, such as ISO 22301, can be applied to the SME marketplace.  The answer to that lies in understanding why the standards exist in the first place. Many people misinterpret international standards to mean methodology.  This is not the case.  What standards do is to ensure that any business continuity plan produced will be based on a sensible evaluation of risk; a business understanding of consequences should key processes be lost; and a suitable strategy to mitigate damage and ensure recovery.
The ISO 22301 standard has been available since 2012.  SMEs are beginning to feel the pressure from major clients to adopt and comply with this standard.  Many compare its adoption with that for the ISO 9001, whereby SMEs are excluded from bidding for large contracts if they do not meet the ISO quality standard.  Procurement contracts are beginning to include business continuity readiness by the suppliers as part of the terms and conditions.  SMEs that implement ISO 22301 can improve their resilience in the same way as larger organizations. A smaller company may have tighter budgets and resources to put the necessary BCM processes and business risk management in place but by focusing only on the essentials, an SME can remove the unnecessary expense and complexity of implementing ISO 22301.

Manage emergencies and incidents

Before SMEs begin working on a business continuity plan they should first check that basic emergency procedures are in place, including:

  • Make sure that your employees understand emergency evacuation procedures;
  • Make certain that your employees know what to do if a fire breaks out;
  • Ensure your employees know what to do if a colleague is injured.

These are all part of essential occupational health and safety legislation and are a legal requirement for any business. It is imperative that all businesses have and follow basic emergency procedures to ensure safety at all times.

Define disasters and assess risks

It is vital to recognize that a disaster could happen to any organization – no matter the business size. Before looking at the risks in individual areas of the business, it is important to determine what would constitute a disaster. In simple terms, a disaster is an incident that has serious consequences for the company.
Frequent small business disasters include:

  • Fire/flooding.
  • Computer/telecoms failure.
  • Key equipment failure.
  • People issues such as illness/resignations/maternity leave.
  • Denial of access to the premises.
  • Product defects.
  • Bomb/terrorism threat.
  • Legal/regulatory action.
  • Utilities failure.

It is critical that SMEs understand the disruptions that would be disastrous to the running of their business when writing the business continuity plan. Take the time to identify all the risks your business faces and then rank them in order of likelihood and importance.
Once the risks have been identified, for any risk you can:

  • Transfer it via insurance.
  • Reduce it by less centralization and more resilience.
  • Eliminate it by changing procedures.
  • Accept it if the impact is relatively small.
  • Manage it.

Adequately assessing the disasters that could threaten your company will give you a fair idea of the business areas that are most critical. Usually, these will be the areas on which your business relies the most, and which are exposed to the greatest degree of risk. This is the most important part of your plan. The following checkpoints are essential when writing this stage of your plan. It is important to go systematically through each of the following areas and take a practical approach to tackling each of the threats that your business may face. Follow the same process for each:

  • Identify threats and resources.
  • Assign ownership.
  • Develop business continuity plans and policies.

Premises and key equipment

Clearly, premises are vital to any SME. So much so that SMEs often take them for granted. However, SMEs need to consider the long-term impact that damage to, or destruction of, premises would have on the business. The same applies to business-critical machinery. If a necessary piece of equipment is destroyed, damaged or stolen, what impact would it have on the business? Ask the following questions:

  • Would you be able to notify your workers and clients of disruption to the business?
  • What would happen to customer orders during the time that the premises were closed?
  • Would you be able to make alternative arrangements for regular orders, to keep loyal customers happy?

Test the plan

Once the business continuity plan has been agreed and endorsed by management, it should be communicated to your teams, preferably through a formal walkthrough session whereby team members are invited to comment. This will test the feasibility of the plan and expose any flaws. It will also ensure that key roles and responsibilities are understood. At some point in time, it might be worth conducting a physical simulation of the business continuity plan to ensure its smooth running should the plan need to be executed.

Regularly update the plan

Review the plan at least every six months. Monitor to see that contact details for the recovery site, suppliers and the team are up-to-date and correct. Similarly, review whether there have been changes in the organizational structure, or in a team’s functions, and update if necessary. Distribute the plan to staff involved in the execution of the plan and advise them to keep copies off-site. Team meetings are useful forums to remind all employees of the processes to follow.

Help for SMEs

Undoubtedly, SMEs need help if they are to implement BCM with any measure of success. The following suggestions could be considered to inch these companies towards greater resilience progressively:

  • Create more awareness programs amongst SMEs. Greater education about the importance of planning for a major disruption that could potentially cripple their business would certainly help.
  • Offer assistance for SMEs to build BCM capability, either by sending key staff for relevant training on managing a BCM programme, or by engaging an external consultant to advise and guide the organization towards mitigating its risk and putting in place response and recovery mechanisms.
  • Establish and enforce industry guidelines and regulations to require companies to implement BCM.
  • Provide incentives to companies to achieve industry standards.

Conclusion

Achieving ISO 22301 BCMS certification in itself is not the solution. Over-emphasis on certification may well lead to a tick-box audit mentality that leaves the typical SME with additional costs of compliance without any of the real advantages of a proper BCM. A well-rounded programme, incorporating a healthy dose of education mixed with incentives, regulation and enforcement, is necessary to bring about the real benefits of BCM to SMEs.
The authors understand the difficulties that a busy manager in a typical SME faces when it comes to implementing business continuity.  Hopefully this article will make his or her job a little more enjoyable and easier to undertake successfully.  If not, at least, he or she will know they are not alone.

The authors

Dr Goh Moh Heng, BCCLA BCCE CMCE CCCE DRCE, is the president of the BCM Institute and the managing director of GMH Continuity Architects – a specialized BCM consulting firm. Dr Goh has assisted organizations, particularly those operating in the Asia Pacific and Middle East Region in the successful implementation of their business continuity management system (BCMS) and achieving their BS 25999/ SS 540 / ISO 22301 organizational certification.

Jeremy Wong BCCLA BCCE CMCE DRCE is the senior vice president of the BCM Institute. He is also the senior vice president for GMH Continuity Architects and is a senior management staff member responsible for all training and consulting initiatives.
http://www.bcm-institute.org/


WCC 2015 Singapore

Is Business Continuity Management one of the keys to Cybersecurity?

I had this conversation a decade ago, and I remarked that business continuity is NOT information security (IS), as cybersecurity was then called IT security.  This issue was then more closely related to IT disaster recovery planning.  Having said that, the world has since evolved and moved on.  This is primarily due to the proliferation of IT usage and the heavy dependency on it. Hence, it is time I revisit this remark, taking into account the numerous changes that have taken place over the last decade.

Cybersecurity as a top threat to business continuity

Recent surveys conducted over the last two years have rated cyber-attacks as the top threat to business continuity.  The most prominent case being Sony.  It starts to make both BCM and IS professionals question: Are BCM and Cybersecurity related? If so, how are they related?

Before any IS or BCM professionals start to take their positions, it is important to understand and look at your background, prior experience or, in academic terms, your “World View”.  Do you have strong IT or IS experience, or are you a physical security or facility person designated to manage BCM?  The latter will say it is not part of his or her responsibility as there is a constraint in terms of IS competency.  However, the IT or IS-literate person may agree that BCM is part of cybersecurity because of his or her high knowledge in IT and IT security.

Cybersecurity: Is it just about technology or is it truly part of business continuity?

I recently read Paul Kirvan’s discussion on Search Disaster Recovery regarding the integration of cybersecurity practices into a BCM program.  Paul explained why the BCM program should be part of the information security and corporate Cybersecurity strategies.  Immediately upon posting the comment, a rebuttal arose. The argument was that the discussion is creating artificial distinctions between “cyber security” and “business continuity” and this demarcation does not help.  My observation is firstly to take a close look at how the organization views its overall resilience framework. We need to understand how the organization is structured to operate effectively under the respective functional roles such as IT, IS, and BCM.  It is always an “organizational structure issue” when it comes to “Whose roles and responsibilities is it?”

When Does a Cybersecurity Incident become a Business Continuity Issue?

One may think that cybersecurity is strictly the jurisdiction of the IS unit. From a technical perspective, the IS specialist will provide an initial response to resolve security breaches.  However, should the breach result in operational disruptions to the normal functioning of the business and have an operational impact on the business, the emphasis may need to shift to business continuity.

NIST Framework Can Help Business Continuity Professionals Prepare for Cyber Attacks

Recently, NIST released its framework (exactly a year ago to be precise).  Though it is not similar to an ISO22301 BCM standard and hence cannot be complied with, it made a significant change in approach whereby the concept of recovery is included as a necessary process.  Even though it is not auditable, the strength of this framework is that it gets the various interested parties to come together to view the challenges and to develop a holistic standard approach amongst the different functional groups and industries.

One of the key features of a business continuity life cycle or execution process is to understand the six “Rs”.  They are Reduce, Response, Recover, Resume, Restore and Return (Home).  NIST’s framework is tied to BCM’s “recovery” process. This is where business continuity and disaster recovery professionals are involved in any cybersecurity incidents.  As most Cybersecurity threats that cannot be prevented tend to fall into the “recovery” stage, it becomes critical to understand how to manage such disruptions.  If these are business disruptions, this entails the right BCM skillset and knowledge to assure the continuity of mission critical functions or processes affected by the cyber disruptions.

Change of Mind toward Cybersecurity

I started this discussion with the prior disagreement that BCM does not have a role to play in cybersecurity unless the critical business functions or processes are disrupted.  I will now add that organizations have to relook at their entire framework so as to ensure the resiliency not only of their IT systems but also of the entire business.  I can only conclude by saying “When the mission critical functions are disrupted, the entire organization is now disrupted, and it does not matter who is solely responsible.”  The key is to get all the IT, IS, DR and BCM teams to work together to prevent it from happening and, if it happens, ensure that the business continues regardless of disruptions. It is all about working as a team.

About the Author

Dr Goh Moh Heng

Dr Goh Moh Heng is the President of BCM Institute and the Managing Director of GMH Continuity Architects – a specialized BCM Consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 20 organizations, particularly those operating in the Asia Pacific and Middle-East Region in their successful implementation of their Business Continuity Management System (BCMS) and achieving their BS 25999/ SS 540 / ISO 22301 organization certification.  Prior to establishing BCM Institute and GMH BCM Consulting, Dr Goh held senior positions with a number of large organizations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its BC and contingency planning. At Standard Chartered Bank, he saw to the global implementation of its BC management and planning. He also managed the BCM practice at PricewaterhouseCoopers.

Currently, Dr Goh is the senior advisor to the China BCM Forum, a quasi government agency responsible for BCM throughout China and an expert panel member of the Asia-Pacific Economic Cooperation (APEC) Network on Improving SME Disaster Resilience (since 2011) and JICA-ASEAN study to enhance resiliency of industrial areas against natural disasters (since 2012).   He holds a PhD and has also been awarded the highest level of certification from the three major business continuity management institutes.  He is the author of nine business continuity management books.  Dr. Goh is instrumental in creating the first Wikipedia for BC www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org or moh_heng@gmhasia.com.

CAYLON Investment Bank

Major European Bank Case Study

Major European Bank

This customer is a major European financial institution with its regional HQ located in Singapore and Hong Kong.  Its other operations include Bangkok and Tokyo, Japan.

History

The customer needed to implement a BC plan for its business units located in Singapore, Hong Kong, Bangkok and Tokyo. This included both the HQ and local Singapore operations. This is required to ensure that it complies with the corporate objectives.  Another essential requirement is to meet most of the Central Bank’s audit findings.

GMH’s Services and Solutions

Figure 1: BCM Planning Methodology

The solution was to adopt an approach to standardize the organizational BCM framework.  The effort was decentralized initially, with guidance directed from the European HQ.  From the start, it was established that there was a need to have a common framework and for each operation to develop its Minimum Business Continuity Objective (MBCO).  GMH’s consultants adopted the fast-track approach based on the BCM planning methodology (Figure 1) to facilitate the development of the BCM framework and plan documents. The framework had to take into consideration that the overseas offices would also require BC plans to be developed in the future. Thus, the BCM framework ensured that it is consistent and applicable to all the regional offices.

Conclusion

The approach and solution implemented by GMH for this customer is flexible, adaptable and scalable to meet the customer’s requirements and expansion plans. This ensured that the customer benefited from an innovative and cost-effective approach.  The client has since acceded to the Central Bank’s audit requirement upon completion of the consultancy.

 


Simulation Exercise

Choices and Categories of Tests & Exercises

Abstract

In testing and exercising the BC plans, the terminology for the various types of tests and methodologies often poses a challenge for BCM professionals when they are about to start their testing and exercising programmes. The paper is a summary of tests, and it is not intended to be a comprehensive list; it aims to provide a good foundation of the types of tests that a BCM professional is likely to embark upon.

1. Introduction

Most BCM professionals find it challenging to identify the types of tests and exercises to be conducted for their organization. It is usually a long list and there are many variations within the discipline.

1.1 Categorization

There are several ways of categorizing the types of tests. One approach is based on the actions to be taken. An example would be: desk check, simulation, procedure verification, communications and IT environment walkthrough. Another approach is to list all the possible types of tests to be conducted and then select the types of tests that are useful for testing the required outcome based on the readiness level needed by the organization. This includes component, integrated, simulation and live tests.

The approach in this paper is to describe the techniques or methodology as the content and objective of the plan can be developed separately. Additional terminology relating to testing can be found in www.BCMPedia.org.

2. Component Tests

The following are samples of the types of tests that could be conducted as part of a component test for a typical business continuity plan.

2.1 Confirm Availability / Version of Plan

This test is designed to check that key staff in both business and support recovery teams can gain access to a hard-copy of their continuity plan at any time. As part of your maintenance program, you should include procedures to “visit” your plan at pre-defined intervals, to update personnel details and to ensure that recovery measures remain relevant.

2.2 Retrieve Vital Hard Copy Records from Offsite Locations

As a good practice, the hard-copy records of documents critical to business operations should be kept in an offsite location. This Component Test confirms that such records are indeed available offsite, are sufficiently up-to-date to be of use in a crisis and can be promptly retrieved within the expected time frame.  These documents may include copies of contracts, agreements, insurance policies, floor plans, title deeds as well as any special reference manuals required to conduct business operations in a crisis situation.

2.3 Contact Staff, Suppliers & Others

One of the most straightforward but important tests is the telephone notification procedure. This is typically carried out on three main groups of people:

  • Staff
  • Suppliers or vendors, who provide you goods and services
  • Other contacts, including customers or others to whom you provide goods and services

Whilst the principles of these tests are similar, you should consider differences in the relationships between your organization and the groups of people and tailor the approach of testing for each group accordingly.  The benefits of carrying out these tests are:

  • Establish that the contact telephone numbers in your plan are correct and up-to-date.
  • Confirm that the resources you require in a crisis, both human and otherwise e.g. equipment and supplies, can be obtained when and where needed.
  • Ensure that the targeted degree of recovery matches the expectations of your internal or external customers.

It is highly likely that you will need to modify your plans following each test. These tests play a very important role in the maintenance program and their value should not be under-estimated.

2.4 Check Lead Times for Critical Equipment

This is to establish the lead-times for the delivery of critical equipment. This differs from testing suppliers of services as it relates to availability of specific items rather than the ability to contact personnel. This is a simple test, which applies to both business and support units.

2.5 Confirm Alternate Site Readiness

This test is used to confirm the readiness of the personnel at the alternate site to receive people from a business unit or building who are displaced due to an incident.  The procedure will vary depending on location and on whether the recovery will be at a commercially operated alternate site or at another organization’s building. In any case, a Service Level Agreement (SLA) should be in place confirming the agreed relocation arrangements. This document will state the expected time frame for the relocation, which all relevant parties (officials from the alternate site as well as the Central Support Business Units of the organization carrying out the recovery) must acknowledge, confirming that they find the time frame acceptable, reasonable and attainable.  Given that alternate site recovery contracts are usually held centrally and that only certain staff can invoke such plans, it will be assumed, for the purpose of this test, that recovery will be at a site controlled by the organization.

2.6 Test Staff Members’ Knowledge of Business Unit Plan

The person conducting the test visits the business unit BCM coordinator and staff members of a selected business unit and tests how much they know about the procedures without having access to the plan. This will confirm the business unit staff members’ knowledge of the plan and potential ability to ensure the recovery of the business unit if, for whatever reason, a copy of the plan is not initially available.

2.7 Spot Check of Vital Records

This test involves the business unit BCM coordinator and staff members of a selected business unit visiting the offsite location where the vital records are kept. While at the offsite location, the team is required to perform a review using a checklist of the inventory of vital records.

2.8 Recall Offsite Storage

This relates mainly to support business units and should not be confused with the retrieval of vital hard-copy records, which is covered separately.
The list of support business units at a medium to large operation would normally include the following:
  • Premises/ Facilities
  • Information Technology
  • Telecommunication/ Networks
  • Security
  • Public Relations
  • Human Resources
  • Administration/ Correspondence
  • Legal/Compliance
  • Financial Control
  • Transport

In order to meet the everyday needs during a disaster, these business units are likely to have spare items such as furniture, equipment, cables, server tapes, back-up disks, stored offsite. In some cases they will be stored in another organization’s building premises and in others, an external storage contractor may be used.

The purpose of this test is to confirm that the business units can access and/or arrange delivery of the required items within the expected time frame stated in the plan.

2.9 Check that Important Lists are Still Current

This ensures that important lists are up-to-date. Each business continuity plan contains a number of lists, e.g. list of key items or contacts required in a crisis. The information stated in the lists can be used to contain the impact and/or limit the damage to the business.  The following are key lists in a typical business continuity plan:

2.9.1 Personnel Contact List

In addition to a Telephone Call Tree chart, business unit coordinators should have an updated Personnel Contact List.

2.9.2 Initial Action by Business Units

Important business units should each have a brief list stating the tasks which key team members need to undertake in the opening stages of a disaster scenario. These members should have this list with them at all times.

2.9.3 Inventory of Resources

This lists all key resources. Regular checks should be done to confirm they accurately reflect the needs of each business unit.

2.9.4 PC Software Versions

The lists of IT hardware and software (showing the version) should be kept up-to-date. “Systems” for unique software should be regularly tested and not just stored in an IT business unit.

2.9.5 “Grab” List

This is a list of small items, identified as being useful, which staff will try to take with them as they evacuate.

2.9.6 Priority Salvage List

This identifies items a business unit BCM coordinator might ask someone to hand-carry from the office, if that person was allowed back into a building for, say, 30 minutes.

2.9.7 Essential Forms / Stationery

If a business unit has any special stationery or printed forms without which the business cannot operate, a small supply of these should be stored offsite and the location recorded in the plan. The tests for confirming the contents of these key lists are simple and quick to conduct.

3. Notification Call Tree Test

Even though this is a Component Test, the critical importance of this test cannot be ignored. In a Telephone Notification Call Tree Test for recovery teams, the recovery team members will notify designated staff members as documented in the plan. This personnel communication network forms one of the most efficient and effective means of communicating any news or instructions to all relevant staff, and should include the entire organization.

4. Walk-through Test

In a Walk-through, recovery team members meet to verbally walk through the steps of each component of the business continuity process as documented in the business continuity plan.

5. Integrated Test

An Integrated Test involves integrating any number of the components in the order that they would occur during actual recovery operations. An Integrated Test builds on the test successes and increased employee awareness generated during component testing. The organization BCM coordinator and business unit BCM coordinators should realize that the increased complexity, coordination of multiple teams, involvement of other interested personnel and budget considerations will limit the frequency of integrated testing.

6. Incident Simulation Test

This involves the development and use of pre-written test scenarios or test scripts for disaster events. The scenarios tell the team members how to react to such disasters and give organizations a baseline from which to start their recovery plans.

7. Partial Simulation Test

Similar to Full Simulation (below) except that only several business units will be involved. However, for these business units, the testing will be to the fullest detail and scope.

8. Full Simulation Test

The Full Simulation test is the ultimate BC plan test, which activates the total BC plan. It is also called the Full Interruption test or Mock Disaster test. The purpose is to simultaneously test as many components as possible in the organization recovery structure. The test is likely to be costly and could disrupt normal operations, and therefore should be approached with caution. Adequate time must be scheduled for the testing.

To successfully test recovery capability, the tests must evaluate the recovery procedures and documentation, not the inherent knowledge of the staff.
Each test must have a set of primary and secondary objectives to define the direction of the test and to measure its success. An example of such objectives: the primary objective is to evaluate success or failure and the secondary objective is to test if extra time is available.

9. Live Test

Finally, this is the ultimate of all tests. It is perhaps the most challenging test that any BCM professional would undertake, as this is where anything that can go wrong will go wrong. To make matters worse, the errors of this test will be seen live across the organization, and especially by senior management.

10. Conclusion

The decision on the types of test to be conducted can be an uphill task initially for many BCM professionals. There is a pressing expectation from management to test the BC plan to its readied state. Hence, the identification and implementation of the correct series of tests becomes the key necessity for any organization that has a BC plan.

11. References

[1] BCMpedia (2008). Definition of Business Continuity and Disaster Recovery Terminologies, http://www.bcmpedia.org
[2] Goh, Moh Heng (2008). Managing Your Business Continuity Planning Project, 2nd Edition, 166 pages.
[3] Goh, Moh Heng (2008). Conducting Your Impact Analysis for Business Continuity Planning, 130 pages.
[4] Goh, Moh Heng (2008). Analyzing & Reviewing the Risk for Business Continuity Planning, 162 pages.
[5] Goh, Moh Heng (2005). Developing Recovery Strategy for Your Business Continuity Plan, 104 pages.
[6] Goh, Moh Heng (2004). Implementing Your Business Continuity Plan, 104 pages.
[7] Goh, Moh Heng (2006). Testing & Exercising Your Business Continuity Plan, 2nd Edition, 160 pages.
[8] Goh, Moh Heng (2007). Managing & Sustaining Your Business Continuity Management Programme, 190 pages.
[9] Goh, Moh Heng (2006). Developing Your Pandemic Influenza Business Continuity Plan, 128 pages.

About The Author

Dr Goh Moh Heng is the President of BCM Institute www.bcm-institute.org and the Managing Director for GMH Pte Ltd www.gmhasia.com, an Asia-Pacific BCM consultancy firm. During the last 20 years, Dr Goh has conducted several hundred tests and exercises for clients throughout the world.  These range from the many simple notification tests and walkthrough tests to the large simulation and live tests. Some tests worth mentioning include the enterprise-wide crisis management simulation, full simulation test and unannounced live tests for many international organizations. He holds a PhD and has also been awarded the highest level of certification from the three major business continuity management institutes.  He is the author of nine business continuity management books.  Dr. Goh was instrumental in creating the first Wikipedia for BC, www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org or moh_heng@gmhasia.com.

9G Elevator Continuity Case Study (Elevator & Escalator Industry)

9G Elevator & Escalator Business Continuity Management Case Study

9G Elevator Pte Ltd is a thriving elevator and escalator maintenance company that provides elevator and escalator services to building owners and managing agents. 9G operates in Singapore, providing its services to a wide range of clients, from town councils – Aljunied and Ang Mo Kio – to hotels such as Pan Pacific Hotel Singapore. With expanding local operations, a resilient operational plan is essential to manage the business in the event of a disaster.

The Challenge

9G is mainly involved in the commissioning and installation of elevators and escalators, as well as follow up services such as elevator and escalator maintenance and repairs. One example is the provision of 24-hour call-back service and emergency breakdown repair, which means that 9G will have to be on constant standby to deal with any problems. Due to the fact that there is zero allowable downtime for these services, as contractually agreed, 9G realized that a Business Continuity Plan will have to be developed to prepare for potential disasters such as fire, telecommunication failure and the absence of key staff.

“We were concerned that 9G might not be able to fulfil the contractually required terms and conditions should we be hit by a crisis or disaster. Our reputation is of utmost importance. Therefore, we feel very strongly towards a Business Continuity Plan that is functional and resilient, so as to protect our business,” says Loo Tien Hoe, Managing Director of 9G Elevator.

One of the key competitive issues, the brand assurance (and perception) of local enterprises as compared to foreign MNCs, also drove 9G to venture into Business Continuity. The Elevators and Escalators industry is still largely dominated by foreign brands such as Mitsubishi, Escamo and Hitachi. Therefore, to give itself an edge over these foreign MNCs, 9G decided that it needed to assure clients that they can continue to rely and depend on 9G in times of crises or disasters. It is with all this in mind that 9G embarked on the project, with the objective of developing a comprehensive plan with minimal disruption to current business operations. It required a robust plan to satisfy management and clients’ concerns.

The Solution

Even though the company has about 70 personnel, most of them are maintenance staff who operate on-site. This leaves about 20 administrative staff in the office, who provide back-end direction and support. With such a lean organization structure, 9G did not consider recruiting in-house expertise to drive the BCM Program, but instead appointed a project team to explore and pursue alternative solutions. The appointed 9G project team immediately started to source for a consulting firm to develop the company’s Business Continuity skills and create an effective Business Continuity Plan.

“After some deliberation between the different approaches to BCM consulting, we decided to advance with GMH’s consulting services because it proposed a more holistic BCM implementation; this involves developing BCM competency in the organisation, which goes hand in hand with the consultancy service. This arrangement is perfect for a company like ours with no prior BCM experience,” recalls Tien Hoe.

GMH, in conjunction with BCM Institute, developed a specialized training program to inculcate and develop BCM Competency in the organisation. GMH consultants aided in the development of an integrated BCM framework by setting up 9G’s BCM objectives and policies, together with the management and project team. This set the stance of the management and provided clear directions for all staff in the organisation. Consultants also led the BCM team and management through the various phases in the BCM Planning Methodology.

For example, in the Risk Analysis and Review (RAR) phase, a list of potential threats was identified and each of these threats was rated according to their likelihood and impact on 9G’s people, processes and infrastructure.

In the Business Impact Analysis (BIA) phase, the Minimum Business Continuity Objectives for each business unit in 9G were documented. The team managed to identify the financial and non-financial impact of not performing a particular business function, as well as the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each business function. As previously noted, all Maintenance business functions were identified as highly critical to 9G, as is evident from their 4-hour RTO. These are followed closely by Admin/Accounts and IT’s business functions, some of which have RTOs of only 1 day. Therefore, 9G had to come up with strategies to recover critical maintenance functions like call-back and hotline services so as to be able to continue to respond to clients.

9G came up with three main recovery options after a cost benefit analysis: provision of a remote site, establishment of a private alternate site and continuation of operations from clients’ sites. 9G favoured operating from a private alternate site during a disaster as there is readily available infrastructure and utilities. This reduces the set-up time and any extra maintenance costs.

Due to the nature of the business, Logistics, Maintenance and Installation will have to continue their operations at the clients’ site, since these personnel are the ones performing the immediate/emergency repair, maintenance and installation jobs. Logistics will have to support Maintenance services with spare parts during a crisis. It was also decided during the Recovery Strategy workshop that 9G’s IT data be backed up daily. All systems and data will have to be backed up weekly for the entire organisation and kept at the alternate site. As part of pre-crisis preparation, cross training will also be conducted for key personnel.

With these strategies in mind, 9G, together with GMH consultants, then proceeded to write the Business Continuity Plan with more detailed recovery procedures for each business unit, including the roles and responsibilities of those in the BCM Team. Assembly points, alternate and remote site layouts and 9G’s organization and individual business unit call trees were inserted into the plan. The plan was consolidated by the consultants and the result was a comprehensive plan which can be easily understood by all. A call tree test and walkthrough exercise were conducted so that the staff are aware of the organization’s BCM efforts. “This BCM initiation really brought out the other side of 9G – one which is forward thinking and always planning for a disaster. A culture of non-complacency and service continuity in the face of disasters has also been embedded in the organisation,” remarked a very pleased Tien Hoe.

The Result

Certification audit of 9G by Certification International

9G developed operational and IT recovery procedures to overcome a seven day disaster (planning assumption). The project ensured that the company identified and prepared an alternate location as the headquarters for its management and operations. The Business Continuity Management System developed under GMH’s guidance allowed 9G to be certified SS540 compliant by Certification International. 9G is now the first company in its industry to attain BCM certification. This means that it will have the ability to create added value while tendering for key projects, especially those from government agencies, such as Housing Development Board (HDB). 9G is also able to ensure its corporate governance as an organisation and as a Service Level Agreement (SLA) provider by being prepared and certified in terms of service continuity. Loo Tien Hoe best sums up the project, “management and our clients now feel comfortable knowing that 9G’s operations are secure, which definitely gives us an edge over the other elevator and escalator companies.”

At A Glance

What they wanted to do:

  • Develop a robust business continuity plan
  • Create internal Business Continuity expertise

What they did:

  • Provided managers and staff the necessary knowledge to develop a business continuity plan
  • Jointly created a plan with GMH consultants

What they accomplished:

  • Achieved SS540 certification from Certification International
  • Developed a disaster headquarters
  • Implemented resilient IT and operational procedures
  • Satisfied management and clients’ concerns
  • First company in its industry to attain BCM certification

Statement:

“GMH provided us the necessary guidance to develop our Business Continuity plan and internal training program. We now feel confident to manage our own Business Continuity program.”

9G Elevator Pte Ltd

Managing Director

About GMH:

GMH offers a total business continuity solution for organizations of any size.  GMH, in conjunction with its clients, develops comprehensive business continuity plans. Its partnership with BCM Institute ensures that clients will gain domain Business Continuity knowledge and the ability to develop future Business Continuity plans.

DTS Marketing Case Study (Specialized Industry)

DTS Marketing Business Continuity Management Case Study

DTS Marketing Pte Ltd is a leading company that provides Information Technology solutions and services to the banking financial sector and the hospitality and retail sector. Headquartered in Singapore, DTS operates worldwide with subsidiaries and satellite offices in Malaysia, Cambodia and China. With expanding global operations, a resilient operational plan is essential to manage its international businesses in the event of a disaster, especially to the banking financial sector.

The Challenge

DTS provides IT support and services to banks for machines such as the TK Personalisation MICR Encoder, Teller Scan Cheque Scanner and Talaris System, which involve the scanning and encoding of cheques. The company also provides Point of Sales System, Tracker Tenant Management Solution and Voucher Management System to the hospitality and retail industry. DTS’ core business is not only to market the products listed above, but also to provide after sales services that will help business owners manage their businesses from the front of the house operation to the back of the house operation.

For this reason, they are frequently governed by Service Level Agreements (SLAs). It was then that they realized a Business Continuity Plan would have to be developed in order to maintain their support operations to these clients in times of crises and disasters.  “The Management concern was that DTS would not be able to meet the stringent SLAs, especially for the banking financial sector, in the face of crises. This would cause DTS to incur huge financial and reputational losses,” says Janet Ong, Managing Director of DTS Marketing.

DTS embarked on the project with the objective to quickly develop a comprehensive plan with minimal disruption to current business operations. It required a robust plan to satisfy management and clients’ concerns.

Solution

DTS did not have any prior Business Continuity Plans or any kind of Business Continuity Management program. Due to its lean organization structure and lack of BC-skilled personnel, DTS’ Management looked to a consulting firm to develop the company’s Business Continuity skills and to help create a plan. “After some deliberation between different companies, we decided to move ahead with GMH’s consulting services because its two-pronged approach – consulting and training – provided the assurance that we would not only have a plan but also the expertise to maintain an organization BCM program,” recalls Janet.

GMH, in conjunction with BCM Institute, developed a specialized training program to increase the project team’s level of Business Continuity competency. It deployed consultants to oversee the project, aiding the DTS team in the analysis of the impact of potential threats to their business operations. Minimum Business Continuity Objectives were written for business units which were identified as critical during a disaster. Support and IT business functions were identified as the most critical ones with only a 4-hour Recovery Time Objective (RTO), as IT is almost always required to back-up Support’s operations.

Recovery strategies were weighed accordingly and it was concluded that DTS would operate from a private alternate site during crises and disasters because of the minimal setup cost and time required and the convenient access to and activation of controls. It will be considered a “warm” recovery site with readily available infrastructure and utilities. Business units operating from the recovery site and remote sites were also considered. For example, to counter the stringent SLAs, it was decided that Support would operate directly from the client’s site for the first 2 days, keep their work logs manually until the recovery site is set up, monitor the situation and provide periodical updates to the command centre. IT, on the other hand, will immediately proceed to set up the IT infrastructure at the recovery site, retrieve the backup files and provide support to the rest of the business units.

Business Continuity Plans were then created for each business unit, with detailed recovery procedures documented by the business unit representatives, under the supervision and guidance of the consultants. Other considerations like assembly points, call tree, key contacts and detailed directions to the alternate site were also determined by the DTS BCM Team.  The team also performed a walkthrough exercise to familiarise themselves with the recovery procedures, as well as a company-wide notification call tree test to ensure its effectiveness. The result was a 100% success rate of attempted contacts within 1 hour, with 95% of relayed messages returning accurate.

One of the key success factors of the whole consulting project was the fact that the management and business unit heads were present for all workshops, allowing the entire project team to be able to effectively iron out any discrepancies on the spot. The training was highly beneficial to DTS, resulting in the creation of a Business Continuity culture among employees and management. “Due to the rigorous process of implementing BCM in our organization, the BCM Team and Management had to meet frequently to iron out any problems and to discuss about the BC Plans. This really brought the (DTS) team together. We became more unified and BCM became a concept embedded in the employees, evident in the incorporation of backup procedures in their daily routines,” remarked Janet.

The Result

GMH assisting DTS in achieving its SS540 and ISO22301 BCMS certification

DTS developed operational and IT recovery procedures to overcome a seven day disaster. The project ensured that the company identified and prepared an alternate location for headquarters management and operations. The Business Continuity Management System developed under GMH’s guidance allowed DTS to be certified SS540 compliant by British Standards Institute.  Janet Ong best sums up the project, “management and our clients are now assured that DTS’ business operations are secure and will continue in times of crises or disasters.”

At A Glance

What they wanted to do:

  • Develop a robust business continuity plan to manage client expectations
  • Create internal Business Continuity expertise

What they did:

  • Provided managers and staff the necessary knowledge to develop a business continuity plan
  • Jointly created a plan with GMH consultants

What they accomplished:

  • Achieved SS540 certification from BSI
  • Developed a disaster headquarters
  • Implemented resilient IT and operational procedures
  • Satisfied management and clients’ concerns

Statement:

“GMH provided us the necessary guidance to develop our Business Continuity plan and internal training program. We now feel confident to manage our own Business Continuity program.”

DTS Marketing Pte Ltd

Managing Director

Afternote: In 2015, with the help of GMH, DTS successfully achieved its ISO22301:2012 certification.

Business Continuity Strategies for Manufacturing Companies

1. Introduction

The considerations for Business Continuity Strategies occur in the fourth stage of the seven stage BCM planning process. Generally, there are three strategic areas for organisations to consider when developing a BC strategy: mitigation, recovery and its translation into the appropriate crisis response. For manufacturing companies, recovering plant operations is an important consideration when conducting BC planning. Unfortunately, setting aside alternate sites for this sector is usually avoided due to the high capital costs involved. Another issue is the practicability of having redundancies as backup, since production efficiency is a key objective for manufacturers. Hence, many choose to focus on risk mitigation and reduction measures due to the difficulty in finding continuity solutions. To this end, three focus areas are identified for such organisations: recovery strategies, mitigation measures and unique environmental considerations.

2. Recovery Strategies

In the absence of alternate production sites, there are few recovery strategies available to manufacturers. Often, custom-built equipment and assembly lines are used and cannot be easily substituted. The recovery options then available are: to delay the point at which the impact is felt through the use of buffer inventory / storage, to selectively recover production lines, and to ensure that recovery / repair of operations is done quickly. Manufacturers typically focus on inventory controls and partial recoveries as these allow greater process control. In the event that the manufacturer’s operation is more skewed towards assembling semi-finished products from upstream suppliers, an additional option is available to them. Where some equipment found in their production line is similar to that of their suppliers, manufacturers may attempt to resume limited production capabilities at their suppliers’ location. This arrangement is obviously limited by the availability of space and, more importantly, the goodwill of the supplier to accommodate external personnel.

3. Mitigation Strategies

As mentioned, due to the general lack of alternatives faced by manufacturers, mitigation strategies are often prioritized. While measures taken should focus on either preventing or limiting the impact of a disruption, this should be done with floor operations in mind. A common example is the use of sprinkler systems to douse fires on the factory floor. As sprinkler systems typically activate all together, this would cause production equipment that was otherwise unaffected by the fire to be damaged. This can be avoided through the use of localised sprinkler discharges where each sprinkler needs to be independently activated. Further measures may include a dry delivery sprinkler system, where fluids are only directed to the discharge point upon activation. This prevents common problems like leakages which may be found in poorly maintained systems.

4. Unique Environmental Considerations

More uncommon mitigation strategies may place focus on the environmental regulations that the location may be subject to, where the direct costs incurred through a loss of production may be severely compounded by the costs of ‘cleaning up’. A recent example is the Deepwater Horizon oil spill, where the costs of fines, cleaning up and settlements reached approximately $40 billion. Perhaps a tweak in the old adage holds true for manufacturers; prevention is surely better than recovery.

 

5. About the Author

Jeremy Wong is the Senior Vice President for BCM Institute and deputizes for the President in his absence. He is also the Senior Vice President for consulting firm GMH Continuity Architects and is a senior management staff member responsible for all training and consulting initiatives. Jeremy is highly experienced in technology and project management, information security management, business process re-engineering, disaster recovery and business continuity planning.  Prior to joining BCM Institute and GMH Continuity Architects, Jeremy Wong was the Head of Business Continuity Management for South Asia with Nomura, based in Singapore. He was responsible for planning and implementing BCM, developing policies, frameworks and standards to support BCM functions. Jeremy was also Vice President of Business Continuity Management with United Overseas Bank. He was a managing consultant with GMH Continuity Architects working on business continuity and disaster recovery projects such as the Asia Development Bank and the Stock Exchange of Thailand within the Asia Pacific region. Mr Wong was also a regional IT manager with Bax Global and spent a number of years working at JP Morgan and Andersen Consulting (now known as Accenture). At JP Morgan, he headed the IT Products and Services team in the Corporate Technology Group. He was instrumental in the setup of the Regional Hub Response Center for Asia-Pacific. Mr Wong was also a key member of their Business Continuity Planning team. At Andersen Consulting, he led several major projects and implementations for property management, logistics and data warehousing solutions.

Competency based training

Learning Roadmap to Sustain and Upgrade Your Organisational Business Continuity Management Competencies

In today’s workforce, employee engagement and opportunities for learning and career growth are key determinants of an organisation’s ability to retain staff. A new generation of workers now expects training to be relevant and tailored towards their job needs, leading to ever faster career growth; a one-size-fits-all training model simply will not do.

This expectation of delivering relevant, just-in-time training extends to the area of business continuity management. Business continuity management, or BCM, is a holistic approach to managing crises and disasters that could disrupt an organisation’s operations and potentially cripple its ability to deliver key products and services. As organisations become increasingly aware of the importance of BCM and organisational resilience, the urgent need to provide qualified BCM training for employees often falls squarely on the shoulders of the Human Resource (HR) management or Learning and Development (L&D) team. This is particularly problematic since BCM is a specialised area of management, and training on proper business continuity planning and execution processes is not usually readily available. Moreover, it is difficult for HR or L&D to develop a learning framework that addresses diverse BCM learning requirements at different levels of the organisation. For example, a crisis manager (sometimes referred to as the Organization BCM Coordinator) responsible for managing a company-wide crisis would probably need to develop a different toolkit of skills from a Business Unit (BU) CM Coordinator focused on recovering only his or her department in a disaster.

BCM Stakeholders

To address this situation, BCM Institute has developed a comprehensive Learning Roadmap that helps organisations systematically chart their BCM learning journey. This Roadmap emphasises a 3-year learning cycle providing a full suite of BCM training courses for 4 major stakeholder groups. They are,

A full spectrum of training ranging from awareness sessions, half-day management briefings, and specialist training programmes at foundation, intermediate, and advanced levels. If desired, participants could earn for themselves internationally recognised BCM certifications by going through an assessment backed by relevant working experience. In introducing this Learning Roadmap to organisations, BCM Institute works with the responsible HR or L&D departments to customise the roadmap to best fit the organisation.

To enhance the learning journey, all training is facilitated by senior and experienced BCM industry practitioners who will share best practices and current trends in BCM, and tips on how to best fulfil various roles in planning and executing BCM for the organisation. Participants who opt to join our public courses can look forward to learning from fellow practitioners from different industries about the challenges faced in implementation and how issues were resolved. All certification-level courses are supplemented with an online revision portal allowing participants to learn at their own pace.

To know more about the BCM Institute’s Learning Roadmap, please contact sales.sg@bcm-institute.org or call our office at 6748 1528 to obtain a complimentary whitepaper on Organisational Business Continuity Management Learning Roadmap. Visit us at www.bcm-institute.org to see our full range of BCM, disaster recovery, and crisis management courses.

About the Author

Fistri Abdul Rahim

Fistri has been a sales and marketing professional for 14 years, spending the last 3 years assisting clients from a whole spectrum of industries in upgrading their Business Continuity, Crisis Management and Disaster Recovery competencies. Fistri is responsible for providing solutions to the training and development requirements of clients in the ASEAN region. Recently, she was also involved in various crisis simulation exercises and infectious diseases business continuity planning. Fistri is a graduate of Murdoch University with a Bachelor’s in Marketing and holds the Business Continuity Certified Planner (BCCP) certification.

Asia Development Bank

Leading Multilateral Financial Institution Case Study

Leading Asian Multi-lateral Financial Institution

This customer is an international multi-lateral development bank whose mission is to help its developing member countries reduce poverty and improve the quality of life of their people. Headquartered in Manila, and established in 1966, this institution is owned and financed by 67 members, Asian and global. Its main partners are governments, the private sector, nongovernment organizations, development agencies, community-based organizations, and foundations.

History

This institution is not required to meet any regulatory requirements. However, it is committed to adopting good corporate governance policies in line with international best practices, and to maintaining stakeholders’ confidence. The policies also required it to develop and implement a BCP.

GMH’s Services and Solutions

Although this customer is not bound to comply with any regulatory requirements, it had many key stakeholders. Its BC planning requirements had to take into consideration multi-faceted threats and also address any potential incidents or events that may arise. GMH’s consultants interviewed the Executive and Senior Management teams to ensure that the key business objectives, critical business functions and strategy for recovery are addressed when the BCP is activated.

Conclusion

This project involved the review of the critical business functions and the identification of the recovery strategies. It concluded with a summary of the strategic BC plan implementation of the BCP within the country and also in another location outside of the host country. The business continuity objectives had to be carefully identified and evaluated due to the unique ownership structure of this institution. This was possible as GMH’s BC planning methodology and approach was flexible and adaptable to meet the unique requirements.

Singapore Standard SS540

BCM Implementation for Organizations using the Singapore Standard SS540:2008

Business Continuity aims to safeguard the interests of an organization and its key stakeholders by protecting its critical business functions against predetermined disruptions.
“… the Government views corporate resilience as a national priority. An inter-agency task force was formed to formulate implementation strategies to enhance our corporate resilience through adopting the processes of Business Continuity Management.”

Prof S Jayakumar,
Deputy Prime Minister and Coordinating Minister for National Security.

Synopsis

SS540:2008 is a Singapore Standard for Business Continuity Management (BCM) that is being embraced by both the international and local businesses operating within Singapore. With the support of a thirty million dollar grant from the government for the implementation of BCM within their organization, the initiative to implement BCM is now given a tremendous boost by the government. This paper starts with a history of the standard implementation and an introduction to the concepts of BCM and BC, and sums up with the framework within the SS540:2008 standard. The BCM framework within the SS540:2008 is highly rigorous as it contains the 6 major BCM areas and also the four major BCM components. The BCM framework matrix provides a coverage which makes the SS540:2008 a comprehensive BCM standard. An overview of each BCM area, cross-referenced to its major components, is elaborated in detail.

1. Introduction

Business Continuity (BC) is about the ability of an organization to operate its business in a manner that upholds its accountabilities to its customers, itself and its suppliers despite the occurrence of events that disrupt its usual business activities in a significant fashion. The external stakeholders an organization has to answer to include the authorities, shareholders and the public at large. It is no easy task in general to balance the demands of these parties. For example, how should an organization organize and operate its business activities in a way that is acceptable to stakeholders upon a disruption? What alternate methods of operations for the delivery of its products and services least inconvenience its customers?

The key to achieving the balance lies in the organization consulting its stakeholders and establishing a set of ‘acceptable’ business behaviour and operations when a disruption occurs. This set of behaviour and operations then forms the critical objectives which the organization should attain as it responds to a disruption. Such BC planning brings the organization a step closer to answering the question – “Is your organization ready for an event that would disrupt your usual business activities in a significant fashion?” Alternatively, “Is your organization BC Ready?”

1.1 Background of SS540:2008

Singapore Standard SS540

The project was initiated by the Economic Development Board (EDB) with the collaboration of the Singapore Business Federation (SBF) and SPRING in 2004. The standard was guided by the Business Continuity Management (BCM) Council and supported by the BCM Technical Committee to develop the Technical Reference. The Technical Reference, or TR19:2005, was launched in September 2005 during the international ISO meeting. The TR19 was subsequently reviewed and published as the Singapore Standard for BCM, and it was officially launched on 31st October 2008.

1.2 What is BCM?

Business Continuity Management (BCM) is defined as a holistic management process that identifies potential impacts which threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities (SS540:2008).

Potential disruptions to the interests of these stakeholders would have to be identified, pre-empted or kept to a minimum. Business functions supporting value creating activities would have to be identified. Processes and resources would need to be established to ensure the continued operation of these functions due to disruptions.

1.3 What is BC?

From the above definition of BCM, BC seeks to ensure the following concerns are managed on a perennial basis.

  • Identify the interests of the organization and its key stakeholders.
  • Safeguard the identified interests by:
      • Identifying the critical business functions supporting these interests
      • Identifying potential disruptions to these critical business functions
      • Minimizing the number of potential disruptions
      • Reducing the impact of disruptions to these critical business functions
      • Ensuring these critical business functions can continue to support, if not sustained on a moderated basis, the identified interests

In short, BCM is an ongoing management process employed by organizations to identify potential impacts and establish the necessary arrangements and plans to maintain their BC capability.

2. A Framework to Undertake BCM

A framework should be employed to guide the processes used to identify, establish and maintain an appropriate plan to deal with the items in each of the above concerns. The following is a framework that can be used to guide BCM processes in organizations. It contains the BCM areas and the major BCM components.

2.1 The BCM Activities

Figure 1: BCM Planning Methodology

The BCM planning methodology taught as part of the BCM Institute training curriculum is shown in Figure 1.

Based on the BCM planning methodology, a comparison is made with the SS540:2008 major BCM areas. Figure 2 shows the correlations between the methodology and the BCM areas.

Figure 2: Main BCM Area of SS540:2008 being mapped against the BCM Planning Methodology

 

2.2 Major BCM Areas

This framework (Figure 2) divides into 6 broad BCM areas:

2.2.1 Risk Analysis and Review (These terms are similar for SS540 and BCM Planning Methodology)

The potential threats and risks to an organization can be uncovered via a risk analysis and review of its internal operations and external operating environment. Examples of risks due to internal operations include malfunction of critical manufacturing processes, failure of Information Technology (IT) systems and fire which destroys plant facilities. Examples of risks due to external operating environment include terrorist attacks, floods, political turmoil and disruption of supply chain.

2.2.2 Business Impact Analysis (These terms are similar for SS540 and BCM Planning Methodology)

The potential impacts of risks actually occurring to an organization and affecting its ability to achieve its business operation and service can be obtained by conducting a business impact analysis. The latter would include, where possible, quantifying the loss impact both in number of days of business disruption and from a financial standpoint. For example, a fire which destroys the finished inventory at the warehouse can result in a delay of shipment to key customers for a few days and incur impacts such as contractual penalties.

2.2.3 Strategy (Recovery Strategy)

Based on these potential loss impacts, the organization would deliberate and select the appropriate strategy or strategies to safeguard its interests. These strategies can be preventive or pre-emptive in nature. For example, outsourcing the risks to third parties or setting up alternate facilities at another location would be efforts towards preventing and pre-empting potential loss impact. The rationale behind these strategies is to build resilience for the organization against impact of loss.

2.2.4 Business continuity plan (Plan Development)

From the selected strategies, a detailed business continuity plan (BC Plan) should be put in place to respond to risks which can occur and impact its business operation and service. The BC Plan would specify and allocate the resources, thereby building up the capability of the organization to respond to risk occurrences. For example, by specifying the BC roles and responsibilities of staff in the BC Plan, the organization is better able to respond to the occurrence of risks.

2.2.5 Tests and exercises (Testing and Exercising)

An established BC Plan should be subject to verification via tests and exercises. Tests and exercises expose probable errors and omissions in carrying out the established plan. They examine whether the resources committed are accessible, available and adequate for undertaking the recovery efficiently and effectively. They check whether staff in the organization are familiar with recovery procedures. Overall, tests and exercises validate whether the BC Plan indeed meets its recovery objectives.

2.2.6 Programme Management (These terms are similar for SS540 and BCM Planning Methodology)

Besides an established and thoroughly tested BC Plan the organization should demonstrate commitment in maintaining the currency of its plan through regular and systematic review of its risks and business impacts, realigning of its BCM strategies and revalidating of its BC Plan on a continuous basis. BCM should become an integral part of the organization’s operations, audit, testing, quality assurance, change management and culture. Ownership of BCM becomes embedded in individual business units where BCM risks reside.

BCM is an ongoing management process and can be examined from 2 standpoints. Firstly, the impacts of issues and concerns arising from each of the 7 BCM areas identified above need to be examined. For example, the risk impacts upon people and physical infrastructure. Secondly, the direction and support needed to ensure that BCM efforts can be implemented and sustained. For example, organizational policies direct BCM processes to support BCM on an ongoing basis.

2.3 Missing Phase

I am often asked about the missing phase within the BCM Areas. It is important to note that the project management area is not part of the 6 BCM areas. The reason is that the BC project is completed when it is due for certification by the organization and hence this phase, Project Management, is omitted from the SS540:2008.

2.3.1 Project Management

The project to establish the BC Plan for the organization needs the approval of Executive Management at the outset and ongoing support thereafter till completion. Foremost, Executive Management needs to be convinced of the importance and need for business continuity. The reader may notice that this phase is not part of the standard. The reason will be explained later as the standard assumed that the BC plan is written and hence the project management phase is completed.

Examples, such as the positive company image and shareholder value that result from the organization being able to withstand and continue its business activities despite environmental disruptions such as typhoons, would help to highlight the importance of provision for BC and gain Executive Management support.

2.4 Major Components

BCM activities in each of the 6 BCM areas identified above therefore can be further examined in terms of the following 4 components:

2.4.1 Policies

Executive Management of the organization needs to stipulate policies to guide BCM efforts to be carried out by staff in the organization. Policies underlie the process events and people involvement in BCM activities. For example, a policy may require all business units to appoint and assign BCM responsibility to a specific staff member to participate in the organization’s BCM Programme. In addition, policies provide the rationale for establishing the necessary infrastructure to support BCM on an ongoing basis.

2.4.2 Processes

These processes are a set of activities with defined outcomes, deliverables and evaluation criteria to attain BCM policies on an ongoing basis. They include formal change control and documentation processes. For example, changes to keep the BC Plan current should be controlled and documented in a formal manner. In addition, BCM efforts go towards reducing the risks and their impacts on the operation processes in the organization. For example, the risk of disruption of raw material supply and its impact on production needs to be addressed as part of BCM.

2.4.3 People

Participation and the skill sets of participants in various BCM activities are crucial to the success of BCM in an organization. For example, a BCM steering committee comprising representatives from various business units and headed by a member of Executive Management should be established to oversee BCM efforts in the organization. In addition, BCM efforts go towards reducing the risks and their impacts on staff in the organization. For example, the health risk associated with handling of hazardous materials needs to be addressed as part of BCM.

2.4.4 Infrastructure

The organization should allocate resources to support critical business functions against risk events. This invariably requires a good understanding and application of available technology and equipment, and physical facilities to respond to risk occurrences. For example, installing a standby power generator and uninterruptible power supply (UPS) to ensure uninterrupted supply of power during an electrical outage.

In addition, BCM efforts go towards reducing the risks and their impacts on physical organization infrastructure. For example, the impact of a risk occurrence on production equipment and facilities needs to be addressed as part of BCM.

3. BCM Framework

Figure 3: The BCM Framework

Figure 3 summarizes the preceding BCM discussion in a matrix format. A matrix BCM framework allows potential gaps in an organization’s BCM efforts to be identified and located. For example, the implications of selecting a particular recovery strategy should be linked to the corresponding policies set forth by Executive Management. Implementation of the recovery strategy should be supported by corresponding infrastructure, training of recovery personnel and establishing the associated recovery processes.

Although Figure 3 presents each of the 6 BCM areas in a chronological sequence, from top to bottom, it should not be misconstrued that implementation of BCM should rigidly adhere to the same chronological sequence. In particular, for the BCM areas of Risk Analysis and Review and Business Impact Analysis, individual organizations may choose to alter the sequence.

4. PDCA Cycle

The standard adopted a process approach, the “Plan-Do-Check-Act” (PDCA) methodology. The figure below illustrates how a BCM system obtains inputs from the BCM requirements and expectations of stakeholders and, through the PDCA, produces various risk management outcomes that aim to meet those requirements and expectations. Figure 4 is the PDCA diagram and Figure 5 is the description for each of the PDCA phases.

Figure 4: PDCA Methodology

 

Figure 5: Description of the PDCA phase

5. BCM as Corporate Governance and Risk Management

BCM is often related to Corporate Governance and Risk Management. There is a strong correlation between these two areas, and their relationship to BCM should be clearly demarcated.

5.1 BCM as Part of Corporate Governance

Corporate governance has been variously defined. Specifically, pertaining to BCM, the following definitions of corporate governance provide a good link to what has been defined and discussed above, namely BC and BCM.

Corporate governance is the system by which business corporations are directed and controlled. It spells out the rules and procedures for making decisions on corporate affairs. It also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance. It can be defined narrowly as the relationship of a company to its shareholders.

In terms of the BCM framework above, the policies and procedures established in each of the 7 broad areas serve as rules and procedures to direct and control decision making for an organization’s BC efforts.

5.1.2 BCM as Part of Risk Management

Risks are inherently present in decisions and activities in organizations. Some of these risks could disrupt critical business functions and thereby business continuity. While the management of risk encompasses the whole spectrum ranging from risk identification, assessment and treatment to monitoring and review, BCM focuses only on those risks that affect its BC interests and the associated critical business functions supporting these interests. This is reflected in the two areas of the BCM framework, namely Risk Analysis and Review and Business Impact Analysis.

6. Conclusion

SS540:2008 is a Singapore Standard for Business Continuity Management (BCM) that is being embraced by both the international and local businesses operating within Singapore. This Singapore Standard and its BCM framework are highly rigorous in their coverage of the BCM areas. The 6 major BCM areas and the four major BCM components form the BCM framework matrix, which makes the SS540:2008 a comprehensive BCM standard.

7. References

[1] BCMpedia (2008). Definition of Business Continuity and Disaster Recovery Terminologies, http://www.bcmpedia.org
[2] BCM SS540 (2009). Singapore Standard for Business Continuity Management, http://www.ss540.org
[3] Goh, Moh Heng (2009). A Manager’s Guide to SS540 Singapore Standard for Business Continuity Management, 160 pages.
[4] Goh, Moh Heng (2008). Managing Your Business Continuity Planning Project, 2nd Edition, 166 pages.
[5] Goh, Moh Heng (2008). Conducting Your Impact Analysis for Business Continuity Planning, 130 pages.
[6] Goh, Moh Heng (2008). Analyzing & Reviewing the Risk for Business Continuity Planning, 162 pages.
[7] Goh, Moh Heng (2005). Developing Recovery Strategy for Your Business Continuity Plan, 104 pages.
[8] Goh, Moh Heng (2004). Implementing Your Business Continuity Plan, 104 pages.
[9] Goh, Moh Heng (2006). Testing & Exercising Your Business Continuity Plan, 2nd Edition, 160 pages.
[10] Goh, Moh Heng (2007). Managing & Sustaining Your Business Continuity Management Programme, 190 pages.
[11] Goh, Moh Heng (2006). Developing Your Pandemic Influenza Business Continuity Plan, 128 pages.
[12] SPRING Singapore (2008). Singapore Standard for Business Continuity Management (SS540:2008).
[13] SPRING Singapore (2005). Technical Reference for Business Continuity Management for Manufacturing.

The Author

Dr Goh Moh Heng is the President of BCM Institute and is regarded as one of the leading practitioners in the area of business continuity. Dr Goh is also the Managing Director of an Asia Pacific BCM consultancy firm. He holds a PhD and has also been awarded the highest level of certification from the three major business continuity management institutes. Dr Goh and his team were instrumental in the development of the TR19:2005 and subsequently in the publishing of the SS540:2008. Besides writing the two national standards, he has authored nine business continuity management books and created the first Wikipedia for BC and disaster recovery, www.BCMpedia.org.

Dr Goh Moh Heng is the President of and is regarded as one of the leading practitioners in the area of business continuity. He holds a PhD and has also been awarded the highest level of certification from the three major business continuity management institutes. He is the author of nine business continuity management books. Dr. Goh was instrumental in creating the first Wikipedia for BC, www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org.

21 Jan 2009