Competency based training

Learning Roadmap to Sustain and Upgrade Your Organisational Business Continuity Management Competencies

In today’s workforce, employee engagement, and opportunities for learning and career growth are key determinants of an organisation’s ability to retain staff. A new generation of workers now expect training to be relevant and tailored towards their job needs leading to ever faster career growth; a one size fits all training model simply will not do.

This expectation of delivering relevant, just-in-time training extends to the area of Business continuity management. Business continuity management, or BCM, is a holistic approach in managing crises and disasters that could disrupt an organisation’s operations and potentially cripple its ability to deliver key products and services. As organisations become increasingly aware of the importance of BCM and organisation resilience, the urgent need to provide qualified BCM training , for employees often falls squarely on the shoulders of the Human Resource (HR) management or Learning and Development (L&D) team. This is particularly problematic since BCM is a specialised area of management and training on proper business continuity planning and execution processes is not usually readily available. Moreover it is difficult for HR or L&D to develop a learning framework that addresses diverse BCM learning requirements at different levels of the organisation. For example, a crisis manager (or some time referred to as the Organization BCM Coordinator) responsible for managing a company-wide crisis would probably need to develop a different toolkit of skills as compared to a Business Unit (BU) CM Coordinator focused on recovering only his or her department in a disaster.

BCM Stakeholders

BCM Stakeholders

To address this situation, BCM Institute has developed a comprehensive Learning Roadmap that helps organisations systematically chart its BCM learning journey. This Roadmap emphasises a 3-year learning cycle providing a full suite of BCM training courses for 4 major stakeholder groups. They are,

A full spectrum of training ranging from awareness sessions, half-day management briefings, and specialist training programmes at foundation, intermediate, and advanced levels. If desired, participants could earn for themselves internationally recognised BCM certifications by going through an assessment backed by relevant working experience. In introducing this Learning Roadmap to organisations, BCM Institute works with the responsible HR or L&D departments to customise the roadmap to best fit the organisation.

To enhance the learning journey, all trainings are facilitated by senior and experienced BCM industry practitioners who will share best practices and current trends in BCM, and tips on how to best fulfil various roles in planning and executing BCM for the organisation. Participants who opt to join our public courses can look forward to learning from fellow practitioners from different industries on the challenges faced in implementation and how issues were resolved. All certification-level courses are supplemented with an online revision portal allowing for self learning at their own pace.

To know more about the BCM Institute’s Learning Roadmap, please contact sales.sg@bcm-institute.org or call our office at 6748 1528 to obtain a complimentary whitepaper on Organisational Business Continuity Management Learning Roadmap. Visit us at www.bcm-institute.org to see our full range of BCM, disaster recovery, and crisis management courses.

About the Author

Fistri Abdul Rahim

Fistri Abdul Rahim

Fistri has been a sales and marketing professional for 14 years, spending the last 3 years assisting clients from a whole spectrum of industries in upgrading their Business Continuity, Crisis Management and Disaster Recovery competencies.  Fistri is responsible for providing solution to the training and development requirement of clients in ASEAN region.  Recently, she was also involved in various crisis simulation exercises and infectious diseases business continuity planning.  Fistri is a graduate of Murdoch University with a Bachelor’s in Marketing and hold the Business Continuity Certified Planner (BCCP) certification.

Singapore Standard SS540

BCM Implementation for Organizations using the Singapore Standard SS540:2008

Business Continuity aims to safeguard the interests of an organization and its key stakeholders by protecting its critical business functions against predetermined disruptions.
“ … the Government views corporate resilience as a national priority. An
inter-agency task force was formed to formulate implementation strategies to enhance our corporate resilience through adopting the processes of Business Continuity Management.”

Prof S Jayakumar,
Deputy Prime Minister and Coordinating Minister for National Security.

Synopsis

SS540:2008 is a Singapore Standard for Business Continuity Management (BCM) that is being embraced by both the international and local businesses operating within Singapore. With the support of a thirty million dollar grant from the government for the implementation of BCM within their organization, the initiative to implement BCM is now given a tremendous boost by the government. This paper starts with a history of the standard implementation, an introduction to the concept of BCM and BC and summing up with the framework within the SS540:2008 standard. The BCM framework within the SS540:2008 is highly rigorous as it contains the 6 major BCM areas and also the four major BCM components. The BCM framework matrix provides a coverage which makes the SS540:2008 a comprehensive BCM standard. An overview of the each BCM area cross referencing to its major component is elaborated in detail.

1. Introduction

Business Continuity (BC) is about the ability of an organization to operate its business in a manner that upholds its accountabilities to its customers, itself and its suppliers despite occurrence of events that disrupt its usual business activities in a significant fashion. Organizations have to face their external stakeholders it has to answer to include the authorities, shareholders and the public at large. It is no easy task in general to balance between the demands of these parties. For example, how should an organization organize and operate its business activities in a way that is acceptable to stakeholders upon a disruption? What alternate methods of operations for the delivery of its products and services least inconvenienced its customers?

The key to achieving the balance lies in the organization consulting its stakeholders and establishing a set of ‘acceptable’ business behaviour and operations when a disruption occurred. This set of behaviour and operations then form the critical objectives which the organization should attain as it responds to a disruption. Such BC planning brings the organization a step closer to answer the question – “Is your organization ready for an event that would disrupt your usual business activities in a significant fashion?” Alternatively, “Is your organization BC Ready?”

1.1 Background of SS540:2008

Singapore Standard SS540

Singapore Standard SS540

The project was initiated by Economic Development Board (EDB) with the collaboration of Singapore Business Federation (SBF) and SPRING in 2004. The standard was guided by the Business Continuity Management (BCM) Council and supported by the BCM Technical Committee to develop the Technical Reference. The Technical Reference or TR19:2005 was launched on September 2005 during the international ISO meeting. The TR19 was subsequently reviewed and published as the Singapore Standard for BCM and was it officially launched on 31st October 2008.

1.2 What is BCM?

Business Continuity Management (BCM) is defined as a holistic management process that identifies potential impacts which threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities (SS540:2008).

Potential disruptions to the interests of these stakeholders would have to be identified, pre-empted or kept to a minimum. Business functions supporting value creating activities would have to be identified. Processes and resources would need to be established to ensure the continued operation of these functions due to disruptions.

1.3 What is BC?

From the above definition of BCM, BC seeks to ensure the following concerns are managed on a perennial basis.

  • Identify the interests of the organization and its key stakeholders.
  • Safeguard the identified interests by:
  •  Identify the critical business functions supporting these interests
  • Identify potential disruptions to these critical business functions
  • Minimize the number of potential disruptions
  • Reduce the impact of disruptions to these critical business functions
  • Ensure these critical business functions can continue to support, if not sustained on a moderated basis, the identified interests

In short, BCM is an ongoing management process employ by organizations to identify potential impacts and establish the necessary arrangements and plans to maintain their BC capability.

2. A Framework to Undertake BCM

A framework should be employed to guide the processes used to identify, establish and maintain an appropriate plan to deal with the items in each of the above concerns. The following is a framework that can be used to guide BCM processes in organizations. It contains the BCM areas and the major BCM components.

2.1 The BCM Activities

Figure 1: BCM Planning Methodology

Figure 1: BCM Planning Methodology

As part of the training curriculum for BCM Institute, this is the BCM planning methodology and it is as shown in Figure 1.

Based on the BCM planning methodology, a comparison is made with the SS540:2008 major BCM areas. Figure 2 show the correlations between the methodology and the BCM areas.

Main BCM Area of SS540:2008 being mapped against the BCM Planning Methodology

Figure 2: Main BCM Area of SS540:2008 being mapped against the BCM Planning Methodology

 

2.2 Major BCM Areas

This framework (Figure 2) divides into 6 broad BCM areas:

2.2.1 Risk Analysis and Review (This terms are similar for SS540 and BCM Planning Methodology)

The potential threats and risks to an organization can be uncovered via a risk analysis and review of its internal operations and external operating environment. Examples of risks due to internal operations include malfunction of critical manufacturing processes, failure of Information Technology (IT) systems and fire which destroys plant facilities. Examples of risks due to external operating environment include terrorist attacks, floods, political turmoil and disruption of supply chain.

2.2.2 Business Impact Analysis (This terms are similar for SS540 and BCM Planning Methodology)

The potential impacts of risks actually occurring to an organization and affecting its ability to achieve its business operation and service can be obtained by conducting a business impact analysis. The later would include, where possible, quantifying the loss impact from both a number of days of business disruption and a financial standpoint. For example, a fire which destroys the finished inventory at the warehouse can result in delay of shipment to key customers for a few days and incurring impact such as contractual penalty.

2.2.3 Strategy (Recovery Strategy)

Based on these potential loss impacts the organization would deliberate and select the appropriate strategy or strategies to safeguards its interests. These strategies can be preventive or pre-emptive in nature. For example, outsourcing the risks to third parties or setting up of alternate facilities at another location would be efforts towards preventing and pre-empting potential loss impact. The rationale behind these strategies is to build resilience for the organization against impact of loss.

2.2.4 Business continuity plan (Plan Development)

From the selected strategies a detail business continuity plan (BC Plan) should be instituted in place to respond to risks which can occur and impact its business operation and service. The BC Plan would specify and allocate the resources and thereby building up the capability of the organization to respond to risk occurrences. For example, by specifying the BC roles and responsibilities of staff in the BC Plan the organization is better adapt to respond to occurrence of risks.

2.2.5 Tests and exercises (Testing and Exercising)

An established BC Plan should be subject to verification via Tests and exercises. Tests and exercises expose probable errors and omissions in carrying out the established plan. It examines if the resources committed are accessible, available and adequate for undertaking the recovery efficiently and effectively. It checks if staff in the organization are familiar with recovery procedures. Overall Tests and exercises validate if the BC Plan indeed meet its recovery objectives.

2.2.6 Programme Management (This terms are similar for SS540 and BCM Planning Methodology)

Besides an established and thoroughly tested BC Plan the organization should demonstrate commitment in maintaining the currency of its plan through regular and systematic review of its risks and business impacts, realigning of its BCM strategies and revalidating of its BC Plan on a continuous basis. BCM should become an integral part of the organization’s operations, audit, testing, quality assurance, change management and culture. Ownership of BCM becomes embedded in individual business units where BCM risks reside.

BCM is an ongoing management process and can be examined from 2 standpoints. Firstly, the impacts of issues and concerns arising from each of the 7 BCM areas identified above need to be examined. For example, the risk impacts upon people and physical infrastructure. Secondly, the direction and support needed to ensure that BCM efforts can be implemented and sustained. For example, organizational policies direct BCM processes to support BCM on an ongoing basis.

2.3 Missing Phase

I am often asked about the missing phase within the BCM Areas. It is important to note that the project management area is not part of the 6 BCM areas. The reason is that the BC project is completed when it is due for certification by the organization and hence, this phase Project management is omitted from the SS540:2008.

2.3.1 Project Management

The project to establish the BC Plan for the organization needs the approval from Executive Management at the onset and ongoing support thereafter till completion. Foremost Executive Management needs to be convinced of the importance and need for business continuity. The reader may notice that this phase is not part of the standard. The reason will be explained later as the standard assumed that the BC plan is written and hence the project management phase is completed.

Examples include positive company’s image and shareholder value with the organization being able to withstand and continue its business activities despite environment disruption such as typhoons would help to highlight the importance of provision for BC and gain Executive Management support.

2.4 Major Components

BCM activities in each of the 6 BCM areas identified above therefore can be further examined in terms of the following 4 components:

2.4.1 Policies

Executive Management of the organization needs to stipulate policies to guide BCM efforts to be carried out by staff in the organization. Policies underlie the process events and people involvement in BCM activities. For example, a policy requiring all business units to appoint and assign BCM responsibility to a specific staff to participate in the organization BCM

Programme. In addition, policies provide the rationale for establishing the necessary infrastructure to support BCM on an ongoing basis.

2.4.2 Processes

These processes are set of activities with defined outcomes, deliverables and evaluation criteria to attain BCM policies on an ongoing basis. They include formal change control and documentation processes. For example, changes to keep the BC Plan current should be controlled and documented in a formal manner. In addition, BCM efforts go towards reducing the risks and their impacts on the operation processes in the organization. For example, the risk of disruption of raw material supply and its impact on production needs to be addressed as part of BCM.

2.4.3 People

Participation and the skill sets of participants in various BCM activities are crucial to the success of BCM in an organization. For example, a BCM steering committee comprising representatives from various business units and headed by a member of Executive Management should be established to oversee BCM efforts in the organization. In addition, BCM efforts go towards reducing the risks and their impacts on staff in the organization. For example, the health risk associated with handling of hazardous materials needs to be addressed as part of BCM.

2.4.4 Infrastructure

The organization should allocate resources to support critical business functions against risk events. This invariably requires a good understanding and application of available technology and equipment, and physical facilities to respond to risk occurrences. For example, installing a standby power generator and uninterrupted power supply (UPS) to ensure uninterrupted supply of power during electrical outage.

In addition, BCM efforts go towards reducing the risks and their impacts on physical organization infrastructure. For example, the impact of a risk occurrence on production equipment and facilities need to be addressed as part of BCM.

3. BCM Framework

Figure 3: The BCM Framework

Figure 3: The BCM Framework

The following Figure 1 summarizes the preceding BCM discussion in a matrix format. A matrix BCM framework allows potential gaps in an organization’s BCM efforts to be identified and located. For example, the implications of selecting a particular recovery strategy should be linked to the corresponding policies set forth by Executive Management. Implementation of the recovery strategy should be supported by corresponding infrastructure, training of recovery personnel and establishing the associated recovery processes.

Figure 3 presents each of the 6 BCM areas in a chronological sequence, from top to bottom, it should not be misconstrued that implementation of BCM should rigidly adhere to the same chronological sequence. In particular, for the BCM areas of Risk Analysis and Review and Business Impact Analysis, individual organizations may choose to alter the sequence.

4. PDCA Cycle

The standard adopted a process approach, the “Plan-Do-Check-Act” (PDCA) methodology. The figure below illustrates how a BCM system obtain inputs from the BCM requirements and expectations of stakeholders, through the PDCA and produces various risk management outcomes that aims to meet those requirements and expectations. Figure 4 is the PDCA diagram and Figure 5 is the description for each of the PDCA phases.

Figure 4: PDCA Methodology

 

Figure 5: Description of the PDCA phase

5. BCM as Corporate Governance and Risk Management

BCM is often related to Corporate Governance and Risk Management. There is a strong correlation between this two areas and it should be clear demarked to its relationship.

5.1 BCM as Part of Corporate Governance

Corporate governance has been variously defined. Specifically, pertaining to BCM, the following definitions of corporate governance provide a good link to what have been defined and discussed above, namely BC and BCM.

Corporate governance is the system by which business corporations are directed and controlled. It spells out the rules and procedures for making decisions on corporate affairs. It also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance can be defined narrowly as the relationship of a company to its shareholders.

In terms of the BCM framework above, the policies and procedures established in each of the 7 broad areas serve as rules and procedures to direct and control decision making for an organization’s BC efforts.

5.1.2 BCM as Part of Risk Management

Risks are inherently present in decisions and activities in organizations. Some of these risks could disrupt critical business functions and thereby business continuity. While the management of risk encompasses the whole spectrum ranging from risk identification, assessment, treatment, monitor and review, BCM focuses only on those risks that affect its BC interests and associated critical business functions supporting these interests. This is reflected in the two areas of the BCM framework, namely Risk Analysis and Review and Business Impact Analysis.

6. Conclusion

SS54:2008 is a Singapore Standard for Business Continuity Management (BCM) that is being embraced by both the international and local businesses operating within Singapore. This Singapore Standard and its BCM framework is highly rigorous in its coverage of the BCM areas. The 6 major BCM areas and also the four major BCM components form the BCM framework matrix which makes the SS540:2008 a comprehensive BCM standard.

7. References

[1] BCMpedia (2008). Definition of Business Continuity and Disaster Recovery Terminologies, http://www.bcmpedia.org
[2] BCM SS540 (2009). Singapore Standard for Business Continuity Management, http://www.ss540.org
[3] Goh, Moh Heng (2009): A Manger’s Guide to SS540 Singapore Standard for Business Continuity Management, 160 pages.
[4] Goh, Moh Heng (2008). Managing Your Business Continuity Planning Project, 2nd Edition, 166 pages.
[5] Goh, Moh Heng (2008): Conducting Your Impact Analysis for Business Continuity Planning, 130 pages.
[6] Goh, Moh Heng (2008): Analyzing & Reviewing the Risk for Business Continuity Planning, 162 pages.
[7] Goh, Moh Heng (2005): Developing Recovery Strategy for Your Business Continuity Plan, 104 pages.
[8] Goh, Moh Heng (2004): Implementing Your Business Continuity Plan, 104 pages.
[9] Goh, Moh Heng (2006): Testing & Exercising Your Business Continuity Plan, 2nd Edition, 160 pages.
[10] Goh, Moh Heng (2007): Managing & Sustaining Your Business Continuity Management Programme, 190 pages.
[11] Goh, Moh Heng (2006): Developing Your Pandemic Influenza Business Continuity Plan, 128 pages
[12] SPRING Singapore (2008): Singapore Standard for Business Continuity Management (SS540:2008)
[13] SPRING Singapore, (2005) Technical Reference for Business Continuity Management for Manufacturing,

The Author

Dr Goh Moh HengDr Goh Moh Heng is the President of BCM Institute and is regarded as one of the leading practitioner in the area of business continuity. Dr Goh is also the Managing Director of an Asia Pacific BCM consultancy firm. He hold a PhD and also been awarded the highest level of certification from the three major business continuity management institutes. Dr Goh and his team are instrumental in the development of the TR19:2005 and subsequently in the publishing of the SS540:2008. Besides the writing the two national standards, he had authored nine business continuity management books, created the first Wikipedia for BC and disaster recovery www.BCMpedia.org.

Dr Goh Moh Heng is the President of and is regarded as one of the leading practitioner in the area of business continuity. He hold a PhD and also been awarded the highest level of certification from the three major business continuity management institutes. He is the author of nine business continuity management books. Dr. Goh is instrumental in creating the first Wikipedia for BC www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org.

21 Jan 2009