Risk Assessment or Business Impact Analysis: What Comes First?

What Comes First? RA or BIA

Over the past few years, I have been asked this question many times and have noticed the many discussions among professionals on whether one should, when going through the BCM planning methodology, conduct Risk Assessment (RA) or Business Impact Analysis (BIA) first. Often, these discussions are long and drawn out, with a hasty conclusion in sight. They are rife with inconsistencies, misconceptions, and opposing viewpoints that result not necessarily from any error on the professional’s part, but from the conflicting national Business Continuity Management (BCM) standards each practitioner subscribes to. I would like to shed some light on some of these inconsistencies and misconceptions, as well as offer my thoughts on the RA versus BIA discussion itself.

The Risk Assessment and Business Impact Analysis are fundamental components in developing an effective BCM framework in an organisation. However, there has been much confusion about the difference between the two phases, and which should come first has long been debated. To determine the best process, we must first understand the objectives and expected deliverables of each phase.

Getting definitions out of the way

I’d like to start by saying that Risk Assessment (RA) and Business Impact Analysis (BIA) are not the same thing. They have gradually come to be used interchangeably as if they were similar processes. This is not only incorrect; failing to identify the individual features of each process can prove detrimental to your organization’s business continuity. The detailed definitions can be found in BCMPedia.

Risk Assessment

RA Deliverables

Risk Assessment (RA) is the process of identifying internal and external threats and vulnerabilities, identifying the likelihood and impact of an event arising from such threats or vulnerabilities, defining the controls in place or necessary to reduce exposure, and evaluating the cost of such controls.

Risk Assessment is a phase within the BCM planning process. It is the overall process of risk identification, risk analysis and risk evaluation. It is NOT to be confused or conflated with risk management, which is similar but separately defined as the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events. The primary objective of Risk Assessment is to lessen vulnerability and decrease risk.

Business Impact Analysis

Business Impact Analysis (BIA) is the process of analysing the effect of interruptions to business operations or processes on all business functions. The scope of Business Impact Analysis includes facilities, IT infrastructure, hardware, and data. The main objective of Business Impact Analysis is to identify the operational and financial impacts resulting from the major disruption of business functions and processes; BIA is therefore crucial to Business Continuity Planning. The outputs from RA differ from those of BIA.

BIA Deliverables

RA gives you a list of risks together with their values, whereas BIA gives you the timing within which you need to recover (Recovery Time Objectives or RTO) and how much information you can afford to lose (Recovery Point Objectives or RPO). So, although these two are related, because both focus on the organization’s assets and processes, they are used in different contexts.

What does the ISO 22301 BCMS standard say?

The International Standard ISO 22301:2012 allows for both approaches, depending on the BCM planning methodology that is used. Organisations may choose to conduct BIA to identify their critical business functions, followed by RA to analyse and mitigate the potential risks faced by each business operation and process. The advantage of this approach is that it focuses on the identification and mitigation of the specific business threats faced by each business unit. Another approach would be to conduct RA to identify threats and establish the risk landscape at the corporate level before conducting BIA. As the BCM framework is set up to prepare and build resiliency against corporate-wide disruptions, it is reasonable to assess threats and estimate the possible period of disruption at the corporate level. The outcome could be used to establish the Key Planning Scenario, which sets the basis for planning in the subsequent stages.

An effective Business Continuity Management framework ensures the capability of an organisation to continue delivering products and services at an acceptable predefined minimum level and to safeguard the interests of key stakeholders. Understanding the potential threats faced by the organisation and determining recovery priorities set the foundation for BCM implementation. Our preferred approach would be first to conduct an RA at the corporate level to establish the Key Planning Scenario, which could then be used as a benchmark for determining the organisation’s critical business functions in the BIA. To mitigate the risk of an RA that was not completed correctly, ISO 22301 repeats the RA as a continuous review in the BIA and again in the BC Strategy phase.

What do the other standards say?

  1. Australia (HB221:2004): “Risk & Vulnerability Assessment” is step #2, whereas “Conduct BIA” is step #3
  2. Canada (Z1600-08): Risk Assessment precedes BIA as part of the continuity project planning activities
  3. Great Britain (BS25999-1:2006): BIA precedes the Risk Assessment
  4. U.S. (NFPA1600 2007): The Risk Assessment takes precedence, with the BIA being a subset of the RA
  5. Singapore Standard (SS540:2010): Risk Assessment precedes BIA as part of the continuity project planning activities

As you can see, every standard offers a different take or variant on what comes first, and some of these standards do not factor in Risk Assessment. Additionally, business impact analysis is mandatory for ISO 22301 implementation, but not for ISO 27001. Who, then, do we subscribe to for a universal take on what is right?

Why Risk Assessment first?

Some practitioners and most of the older international BCM standards hold that the RA should come first, as it enables one to identify exposure and risks before anything else, allowing the practitioner to develop the necessary mitigation measures to reduce the threat. It also allows the practitioner to perform the BIA more quickly, as the list of assets in the organization has already been completely identified.

Most of the international standards support this claim, with RA being regarded as the initial step to take before the BIA.

Additionally, you will have a better picture of which incidents can happen and which risks you are exposed to, and will therefore be better prepared for the business impact analysis, which focuses on the consequences of those incidents. Furthermore, if you choose the asset-based approach for risk assessment, you will have an easier time identifying all the resources later on in the business impact analysis.

Why BIA first?

The counter-argument against conducting RA first is that in sufficiently large organizations, it can be quite difficult, if not flat out impossible, to assess all the risks and their impact on the organization. Rather than going for RA first, it would be much easier to go for BIA first, evaluating all the critical functions (or prioritised activities, as ISO 22301 calls them) and assets of the business and how their loss would impact the organization.

Different business units or departments in large organizations often have their individual subcultures and approaches to work. By showcasing a complete list of risks to critical business functions that have been identified from all parts of the business, new thinking and debate almost always ensue. Thus, some would argue that employing BIA first saves everyone involved in the BCM process an enormous amount of time and effort.

BIA forces the practitioner to consider which assets are of most importance to the business and its continuation. RA is then applied afterwards to assess the potential risks against these critical functions, followed by forming a mitigation plan to counteract the risks involved.

Sometimes, practitioners start with BIA because they want the organisation to talk about business processes and assets. This is often a strategy, and it should not be part of this discussion.

Conclusion

It is a matter of preference and circumstance. Either can be conducted before, after, or even concurrently with the other, depending on what the situation demands. Some implementers felt that gathering the information for both in a single interview saved time. For a practitioner, the argument is really about what constitutes an RA; it may require you to conduct a field RA survey.

When RA and BIA are placed together, the two processes combined can readily tell how hard a potential disruption can hit a business, as well as how quickly it can strike and how damaging it can be.

It is always good to have a healthy discussion, but the key questions are these: do we share the same understanding of the RA and BIA definitions? Are we speaking about starting a new BCM project or updating an existing programme? Are other standards, such as ISO 9000 or ISO 27000, already in place? And what consulting techniques are being used to gain the organisation’s acceptance?

I expect comments, as there are strong opinions on both sides, each with justifications. However, having spent some time in this industry, I take the middle ground: there is no true right or wrong position in this debate, as it depends on the perspective you are starting from and, essentially, on what meets the needs of your internal or external customers.

About the Author

Dr Goh Moh Heng

Dr Goh Moh Heng is the President of BCM Institute and the Managing Director of GMH Continuity Architects – a specialized BCM Consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 20 organizations, particularly those operating in the Asia Pacific and Middle-East Region in their successful implementation of their Business Continuity Management System (BCMS) and achieving their BS 25999/ SS 540 / ISO 22301 organization certification.  Before establishing BCM Institute and GMH BCM Consulting, Dr Goh held senior positions with some large organizations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its BC and contingency planning. At Standard Chartered Bank, he saw to the global implementation of its BC management and planning. He also managed the BCM practice at PricewaterhouseCoopers.

Currently, Dr Goh is the senior advisor to the China BCM Forum, a quasi-government agency responsible for BCM throughout China, an expert panel member of the Asia-Pacific Economic Cooperation (APEC) Network on Improving SME Disaster Resilience (since 2011), and a member of the JICA-ASEAN study to enhance the resiliency of industrial areas against natural disasters (since 2012). He holds a Ph.D. and has also been awarded the highest level of certification from the three major business continuity management institutes. He is the author of nine business continuity management books. Dr Goh was instrumental in creating the first Wikipedia for BC, www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org or moh_heng@gmhasia.com.

References

Goh, M. H. (2016). Risk Assessment or Business Impact Analysis: What Comes First? LinkedIn Pulse

Goh, M. H. (2015). Business Continuity Management Planning Methodology. International Journal of Disaster Recovery and Business Continuity, 6, 9–16. Retrieved from http://dx.doi.org/10.14257/ijdrbc.2015.6.02

Kosutic, D. (2014). Risk assessment vs. business impact analysis. Advisera, (Mar), 2–5.

Ross, S. (2010). A business impact analysis checklist: 10 common BIA mistakes. Search Disaster Recovery, (Oct).

Rupert, J. (2013). The Relationship Between the Business Impact Analysis and Risk Assessment. Avalution Perspective.

Zecuboy. (2013). Risk Assessment versus Business Impact Analysis. Information Security Cafe, 5–8.

Business continuity management implementation for small and medium-sized enterprise

In this article Dr. Goh Moh Heng and Jeremy Wong look at some of the difficulties that SMEs face when it comes to making business continuity plans and how a simplified methodology could make things easier.

Article was published at Continuity Central on 3 July 2015

Introduction

Business continuity has risen in focus in Asia and elsewhere over the last few years, and this is especially true for companies operating in regulated industries. The recent series of mega disasters in the Asia region has resulted in larger organizations investing heavily in improving their resilience against disruptions to business operations. However, despite the growing awareness of business continuity, small and medium-sized enterprises (SMEs) do not appear to be taking action to enhance their business resiliency.

Business continuity is still not widely understood in small and medium-sized enterprises. Many relate it to emergency response or IT disaster recovery, and even those that have heard of business continuity may see no relevance to themselves.

Unlike many large firms that have business continuity plans in place, SMEs often lack the time and the money to invest in their business continuity plans. But increasing pressure from larger organizations to secure the continuity of their supply chains, new government legislation, and the global acceptance and adoption of business continuity management standards mean that SMEs can no longer ignore business continuity and the growing need for it as part of mainstream business operations.

Working assumptions for SMEs

SMEs are often associated with the following characteristics when it comes to business continuity:

  • They have an entrepreneurial culture;
  • They have limited resources for ‘non-productive’ investments;
  • They have limited or no knowledge of business continuity;
  • They are not in a position to develop a business continuity plan to the fullest extent;
  • They have some IT knowledge, but usually not about systems availability and IT recovery.

Obstacles to implementation by SMEs

Lack of understanding of business continuity management
One of the main obstacles to successful business continuity plan implementation in SMEs is a lack of understanding of the importance of business continuity, the development processes involved and the maintenance activities that are needed to sustain the programme. Many owners and managers vaguely acknowledge business continuity management’s place in large corporate organizations but see little relevance in their small businesses. This lack of understanding inevitably leads to misconceptions about the importance of BCM:

  • Underestimating the impact.  SMEs owners tend to make the assumption that the business can survive financially and that customers will accept lack of service during a period of disruption.
  • Scenario assumptions.  There is an assumption that the many potential scenarios are either too small to require action, or are too large, and therefore are beyond their planning capability.
  • Time and manpower resource affordability.  There is a constant assumption that SMEs cannot afford the cost or management time to make business continuity plans.
  • Living within the comfort zone.  Many SMEs assume that the majority of disruptions can be managed when they happen, with no need for pre-planning.
  • No sense of urgency.  There is a lack of prioritization of business continuity because the SME has never experienced a crisis and therefore does not understand the priority that should be given to BCM.

BCM professionals do not share the message outside large corporations
Full-time BCM professionals focus exclusively on developing plans for their organizations and do little advocacy work with SMEs.

Making the process too complicated
Proponents of BCM often over-compensate for the lack of advocacy by overwhelming listeners with shovel loads of information, without regard to how much of the information can be understood. There are very few presenters who can present business continuity content in a very simple and concise way.

Providing a step-by-step process
The key for SMEs is to provide them with a simple and easy to implement approach. This is often overshadowed by a complicated methodology that requires a team of specialists to implement. The unnecessary expectation that a perfect business continuity plan is required is a daunting starting position for SMEs.

Too expensive to implement
For many SMEs, having a business continuity plan is often seen as an expensive luxury.

BCM has a higher return on investment for SMEs

The truth of the matter is that for SMEs, the development of business continuity plans is far more valuable, and simpler, than most think. Moreover, SMEs have more to lose should they be caught without a business continuity plan in a disaster. While large corporates may have resilience arising from the diversity and spread of their income sources and operational work locations, smaller organizations more often than not have none of these advantages. For most SMEs, the exposure is far greater due to an inherent and almost inevitable concentration of critical risk factors. Due to their simpler structure, plans developed for SMEs are also often more straightforward and easily implementable.

SMEs need a new methodology

It is clear that although SMEs desperately need business continuity planning, the traditional methodology for developing plans does not work for them. It is too time-consuming, labour intensive and costly. BCM practice should be solution-focused rather than problem-focused. As solutions for global corporates come with a hefty price tag, the more modestly priced solutions adopted by SMEs hold less interest for the business continuity and disaster recovery vendors, who continue to push for more sophisticated (and correspondingly higher priced) products; hence the myth that business continuity is too costly for the smaller organization. It simply is not attractive for many disaster recovery vendors to bother promoting their services to smaller organizations.

The starting point for a BCM framework for SMEs

Three questions need to be examined when first embarking on a business continuity planning project. They centre on:

  • Purpose: Why is your company introducing BCM?
  • Scope: Which parts of your business will introduce BCM?
  • Team: Who will lead and manage your BCM activities?

The answers to these questions will help frame the project and provide a grounded perspective that will drive management and project team members in a direction that will yield the most benefit to the organization.

Leadership in a business continuity project is crucial for success. Business continuity planning projects typically involve participants from across the organization. Without a strong mandate from management, many of these projects fade away after a brief period of activity, being superseded by ‘more pressing concerns’. Leadership can also be demonstrated by way of a policy emphasizing the importance of business continuity to the organization; its purpose, scope and assumptions; and an organizational framework and structure for the implementation and subsequent management of the BCM programme.

Start with the survival scenario

One way SMEs can accelerate the development of a business continuity plan is by focusing on the essentials. An SME with limited resources should look at mitigating its risks and containing any damage to as low a level as possible, such that it would be able to resume operations at an acceptable level of functionality in a relatively short period. This is a company’s survival scenario. BCM is all about a company’s ability to achieve its survival scenario.

Here are some warm-up questions to get SMEs started:

  • Q1: What disaster scenarios might lead to bankruptcy of the company?
  • Q2: How quickly (in hours, days or weeks) does your company have to recover to ensure that it will survive a disaster-related disruption?
  • Q3: What are the critical resources whose availability determines the life or death of your company?
  • Q4: Within five to ten years, what kinds of disasters and accidents are most likely to impact you, potentially triggering a worst-case scenario?

Aligned to international standards?

There is much scepticism about whether or not international standards for BCM, such as ISO 22301, can be applied to the SME marketplace. The answer to that lies in understanding why the standards exist in the first place. Many people misinterpret international standards to mean methodology. This is not the case. What standards do is ensure that any business continuity plan produced will be based on a sensible evaluation of risk; a business understanding of the consequences should key processes be lost; and a suitable strategy to mitigate damage and ensure recovery.

The ISO 22301 standard has been available since 2012. SMEs are beginning to feel the pressure from major clients to adopt and comply with this standard. Many compare its adoption with that of ISO 9001, whereby SMEs are excluded from bidding for large contracts if they do not meet the ISO quality standard. Procurement contracts are beginning to include business continuity readiness by suppliers as part of the terms and conditions. SMEs that implement ISO 22301 can improve their resilience in the same way as larger organizations. A smaller company may have tighter budgets and resources to put the necessary BCM processes and business risk management in place, but by focusing only on the essentials, an SME can remove the unnecessary expense and complexity of implementing ISO 22301.

Manage emergencies and incidents

Before SMEs begin working on a business continuity plan they should first check that basic emergency procedures are in place, including:

  • Make sure that your employees understand emergency evacuation procedures;
  • Make certain that your employees know what to do if a fire breaks out;
  • Ensure your employees know what to do if a colleague is injured.

These are all part of essential occupational health and safety legislation and are a legal requirement for any business. It is imperative that all businesses have and follow basic emergency procedures to ensure safety at all times.

Define disasters and assess risks

It is vital to recognize that a disaster could happen to any organization – no matter the business size. Before looking at the risks in individual areas of the business, it is important to determine what would constitute a disaster. In simple terms, a disaster is an incident that has serious consequences for the company.

Frequent small business disasters include:

  • Fire/flooding.
  • Computer/telecoms failure.
  • Key equipment failure.
  • People issues such as illness/resignations/maternity leave.
  • Denial of access to the premises.
  • Product defects.
  • Bomb/terrorism threat.
  • Legal/regulatory action.
  • Utilities failure.

It is critical that SMEs understand the disruptions that would be disastrous to the running of their business when writing the business continuity plan. Take the time to identify all the risks your business faces and then rank them in order of likelihood and importance.

Once the risks have been identified, for any risk you can:

  • Transfer it via insurance.
  • Reduce it by less centralization and more resilience.
  • Eliminate it by changing procedures.
  • Accept it if the impact is relatively small.
  • Manage it.

Adequately assessing the disasters that could threaten your company will give you a fair idea of the business areas that are most critical. Usually, these will be the areas on which your business relies the most, and which are exposed to the greatest degree of risk. This is the most important part of your plan. The following checkpoints are essential when writing this stage of your plan. It is important to go systematically through each of the following areas and take a practical approach to tackling each of the threats that your business may face. Follow the same process for each:

  • Identify threats and resources.
  • Assign ownership.
  • Develop business continuity plans and policies.

Premises and key equipment

Clearly, premises are vital to any SME. So much so that SMEs often take them for granted. However, SMEs need to consider the long-term impact that damage to, or destruction of, premises would have on the business. The same applies to business-critical machinery. If a necessary piece of equipment is destroyed, damaged or stolen, what impact would it have on the business? Ask the following questions:

  • Would you be able to notify your workers and clients of disruption to the business?
  • What would happen to customer orders during the time that the premises were closed?
  • Would you be able to make alternative arrangements for regular orders, to keep loyal customers happy?

Test the plan

Once the business continuity plan has been agreed and endorsed by management, it should be communicated to your teams, preferably through a formal walkthrough session whereby team members are invited to comment. This will test the feasibility of the plan and expose any flaws. It will also ensure that key roles and responsibilities are understood. At some point in time, it might be worth conducting a physical simulation of the business continuity plan to ensure its smooth running should the plan need to be executed.

Regularly update the plan

Review the plan at least every six months. Monitor to see that contact details for the recovery site, suppliers and the team are up-to-date and correct. Similarly, review whether there have been changes in the organizational structure, or in a team’s functions, and update if necessary. Distribute the plan to staff involved in the execution of the plan and advise them to keep copies off-site. Team meetings are useful forums to remind all employees of the processes to follow.

Help for SMEs

Undoubtedly, SMEs need help if they are to implement BCM with any measure of success. The following suggestions could be considered to inch these companies towards greater resilience progressively:

  • Create more awareness programs amongst SMEs. Greater education about the importance of planning for a major disruption that could potentially cripple their business would certainly help.
  • Offer assistance for SMEs to build BCM capability, either by sending key staff for relevant training on managing a BCM programme, or by engaging an external consultant to advise and guide the organization towards mitigating its risk and putting in place response and recovery mechanisms.
  • Establish and enforce industry guidelines and regulations to require companies to implement BCM.
  • Provide incentives to companies to achieve industry standards.

Conclusion

Achieving ISO 22301 BCMS certification in itself is not the solution. Over-emphasis on certification may well lead to a tick-box audit mentality that leaves the typical SME with the additional costs of compliance without any of the real advantages of proper BCM. A well-rounded programme, incorporating a healthy dose of education mixed with incentives, regulation and enforcement, is necessary to bring the real benefits of BCM to SMEs.

The authors understand the difficulties that a busy manager in a typical SME faces when it comes to implementing business continuity. Hopefully this article will make his or her job a little more enjoyable and easier to undertake successfully. If not, at least he or she will know they are not alone.

The authors

Dr Goh Moh Heng, BCCLA BCCE CMCE CCCE DRCE, is the president of the BCM Institute and the managing director of GMH Continuity Architects – a specialized BCM consulting firm. Dr Goh has assisted organizations, particularly those operating in the Asia Pacific and Middle East Region, in the successful implementation of their business continuity management system (BCMS) and achieving their BS 25999 / SS 540 / ISO 22301 organizational certification.

Jeremy Wong BCCLA BCCE CMCE DRCE is the senior vice president of the BCM Institute. He is also the senior vice president for GMH Continuity Architects and is a senior management staff member responsible for all training and consulting initiatives.
http://www.bcm-institute.org/

Singapore Standard SS540

BCM Implementation for Organizations using the Singapore Standard SS540:2008

Business Continuity aims to safeguard the interests of an organization and its key stakeholders by protecting its critical business functions against predetermined disruptions.

“ … the Government views corporate resilience as a national priority. An inter-agency task force was formed to formulate implementation strategies to enhance our corporate resilience through adopting the processes of Business Continuity Management.”

Prof S Jayakumar,
Deputy Prime Minister and Coordinating Minister for National Security.

Synopsis

SS540:2008 is a Singapore Standard for Business Continuity Management (BCM) that is being embraced by both international and local businesses operating within Singapore. With the support of a thirty million dollar government grant for the implementation of BCM within organizations, the initiative to implement BCM has been given a tremendous boost. This paper starts with a history of the standard’s implementation and an introduction to the concepts of BCM and BC, and sums up with the framework within the SS540:2008 standard. The BCM framework within SS540:2008 is highly rigorous, as it contains the six major BCM areas and also the four major BCM components. The BCM framework matrix provides a coverage that makes SS540:2008 a comprehensive BCM standard. An overview of each BCM area, cross-referenced to its major components, is elaborated in detail.

1. Introduction

Business Continuity (BC) is about the ability of an organization to operate its business in a manner that upholds its accountabilities to its customers, itself and its suppliers despite events that disrupt its usual business activities in a significant way. An organization must also answer to its external stakeholders, including the authorities, shareholders and the public at large. Balancing the demands of these parties is no easy task. For example, how should an organization organize and operate its business activities upon a disruption in a way that is acceptable to stakeholders? What alternate methods of operation for the delivery of its products and services would least inconvenience its customers?

The key to achieving this balance lies in the organization consulting its stakeholders and establishing a set of ‘acceptable’ business behaviours and operations for when a disruption occurs. This set of behaviours and operations then forms the critical objectives which the organization should attain as it responds to a disruption. Such BC planning brings the organization a step closer to answering the question: “Is your organization ready for an event that would disrupt your usual business activities in a significant way?” Or, more simply, “Is your organization BC Ready?”

1.1 Background of SS540:2008

The project was initiated by the Economic Development Board (EDB) in 2004, in collaboration with the Singapore Business Federation (SBF) and SPRING Singapore. The work was guided by the Business Continuity Management (BCM) Council and supported by the BCM Technical Committee, which developed the Technical Reference. The Technical Reference, TR19:2005, was launched in September 2005 during the international ISO meeting. TR19 was subsequently reviewed and published as the Singapore Standard for BCM, officially launched on 31 October 2008.

1.2 What is BCM?

Business Continuity Management (BCM) is defined as a holistic management process that identifies potential impacts which threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities (SS540:2008).

Potential disruptions to the interests of these stakeholders have to be identified and pre-empted, or their effects kept to a minimum. The business functions supporting value-creating activities have to be identified, and processes and resources established to ensure the continued operation of these functions despite disruptions.

1.3 What is BC?

From the above definition of BCM, BC seeks to ensure that the following concerns are managed on an ongoing basis:

  • Identify the interests of the organization and its key stakeholders.
  • Safeguard the identified interests by:
    • Identifying the critical business functions supporting these interests
    • Identifying potential disruptions to these critical business functions
    • Minimizing the number of potential disruptions
    • Reducing the impact of disruptions to these critical business functions
    • Ensuring these critical business functions can continue to support the identified interests, if not fully then on a moderated basis

In short, BCM is an ongoing management process employed by organizations to identify potential impacts and establish the necessary arrangements and plans to maintain their BC capability.

2. A Framework to Undertake BCM

A framework should be employed to guide the processes used to identify, establish and maintain an appropriate plan to deal with the items in each of the above concerns. The following is a framework that can be used to guide BCM processes in organizations. It contains the BCM areas and the major BCM components.

2.1 The BCM Activities

Figure 1: BCM Planning Methodology

This is the BCM planning methodology taught as part of the training curriculum of BCM Institute, as shown in Figure 1.

Based on the BCM planning methodology, a comparison is made with the SS540:2008 major BCM areas. Figure 2 shows the correlations between the methodology and the BCM areas.

Figure 2: Main BCM Area of SS540:2008 being mapped against the BCM Planning Methodology

2.2 Major BCM Areas

This framework (Figure 2) is divided into 6 broad BCM areas:

2.2.1 Risk Analysis and Review (the term is the same in SS540 and in the BCM Planning Methodology)

The potential threats and risks to an organization can be uncovered via a risk analysis and review of its internal operations and external operating environment. Examples of risks arising from internal operations include malfunction of critical manufacturing processes, failure of Information Technology (IT) systems and a fire that destroys plant facilities. Examples of risks arising from the external operating environment include terrorist attacks, floods, political turmoil and disruption of the supply chain.

2.2.2 Business Impact Analysis (the term is the same in SS540 and in the BCM Planning Methodology)

The potential impact of risks that actually occur, on the organization's ability to deliver its business operations and services, is obtained by conducting a business impact analysis. The latter includes, where possible, quantifying the loss impact both in terms of the number of days of business disruption and from a financial standpoint. For example, a fire which destroys the finished inventory at the warehouse can delay shipment to key customers by a few days and incur impacts such as contractual penalties.

2.2.3 Strategy (Recovery Strategy)

Based on these potential loss impacts, the organization deliberates and selects the appropriate strategy or strategies to safeguard its interests. These strategies can be preventive or pre-emptive in nature. For example, transferring risks to third parties or setting up alternate facilities at another location are efforts towards preventing and pre-empting potential loss impact. The rationale behind these strategies is to build the organization's resilience against loss impact.

2.2.4 Business continuity plan (Plan Development)

From the selected strategies, a detailed business continuity plan (BC Plan) should be put in place to respond to risks which can occur and impact its business operations and services. The BC Plan specifies and allocates the resources, thereby building up the capability of the organization to respond to risk occurrences. For example, by specifying the BC roles and responsibilities of staff in the BC Plan, the organization is better able to respond when a risk occurs.

2.2.5 Tests and exercises (Testing and Exercising)

An established BC Plan should be subject to verification via tests and exercises. Tests and exercises expose probable errors and omissions in carrying out the established plan. They examine whether the resources committed are accessible, available and adequate for undertaking the recovery efficiently and effectively, and check whether staff in the organization are familiar with the recovery procedures. Overall, tests and exercises validate whether the BC Plan indeed meets its recovery objectives.

2.2.6 Programme Management (the term is the same in SS540 and in the BCM Planning Methodology)

Besides an established and thoroughly tested BC Plan, the organization should demonstrate commitment to maintaining the currency of its plan through regular and systematic review of its risks and business impacts, realigning its BCM strategies and revalidating its BC Plan on a continuous basis. BCM should become an integral part of the organization’s operations, audit, testing, quality assurance, change management and culture. Ownership of BCM becomes embedded in the individual business units where BCM risks reside.

BCM is an ongoing management process and can be examined from two standpoints. Firstly, the impacts of the issues and concerns arising in each of the 6 BCM areas identified above need to be examined; for example, the impact of risks upon people and physical infrastructure. Secondly, the direction and support needed to ensure that BCM efforts can be implemented and sustained; for example, organizational policies that direct BCM processes and support BCM on an ongoing basis.

2.3 Missing Phase

I am often asked about the missing phase within the BCM areas. It is important to note that project management is not one of the 6 BCM areas. The reason is that the BC project is regarded as complete by the time the organization is due for certification, and hence the project management phase is omitted from SS540:2008.

2.3.1 Project Management

The project to establish the BC Plan for the organization needs approval from Executive Management at the outset and ongoing support thereafter until completion. Foremost, Executive Management needs to be convinced of the importance of and need for business continuity. The reader may notice that this phase is not part of the standard: the standard assumes that the BC Plan has already been written, and hence that the project management phase is complete.

Examples such as the positive effect on the company’s image and shareholder value when the organization is able to withstand environmental disruptions such as typhoons and continue its business activities help to highlight the importance of providing for BC and to gain Executive Management support.

2.4 Major Components

BCM activities in each of the 6 BCM areas identified above can therefore be further examined in terms of the following 4 components:

2.4.1 Policies

Executive Management of the organization needs to stipulate policies to guide the BCM efforts carried out by staff in the organization. Policies underlie the processes, events and people involved in BCM activities. For example, a policy may require every business unit to appoint a specific staff member with BCM responsibility to participate in the organization’s BCM Programme. In addition, policies provide the rationale for establishing the necessary infrastructure to support BCM on an ongoing basis.

2.4.2 Processes

Processes are sets of activities with defined outcomes, deliverables and evaluation criteria that implement BCM policies on an ongoing basis. They include formal change control and documentation processes. For example, changes to keep the BC Plan current should be controlled and documented in a formal manner. In addition, BCM efforts go towards reducing the risks and their impacts on the operational processes of the organization. For example, the risk of disruption to the raw material supply and its impact on production needs to be addressed as part of BCM.

2.4.3 People

Participation, and the skill sets of the participants, in the various BCM activities are crucial to the success of BCM in an organization. For example, a BCM steering committee comprising representatives from the various business units and headed by a member of Executive Management should be established to oversee BCM efforts in the organization. In addition, BCM efforts go towards reducing the risks and their impacts on staff in the organization. For example, the health risk associated with handling hazardous materials needs to be addressed as part of BCM.

2.4.4 Infrastructure

The organization should allocate resources to support critical business functions against risk events. This invariably requires a good understanding and application of the available technology, equipment and physical facilities in responding to risk occurrences. For example, installing a standby power generator and an uninterruptible power supply (UPS) ensures continuity of power during an electrical outage.

In addition, BCM efforts go towards reducing the risks and their impacts on the organization's physical infrastructure. For example, the impact of a risk occurrence on production equipment and facilities needs to be addressed as part of BCM.

3. BCM Framework

Figure 3: The BCM Framework

Figure 3 summarizes the preceding BCM discussion in matrix format. A matrix BCM framework allows potential gaps in an organization’s BCM efforts to be identified and located. For example, the implications of selecting a particular recovery strategy should be linked to the corresponding policies set forth by Executive Management, and implementation of the recovery strategy should be supported by corresponding infrastructure, training of recovery personnel and establishment of the associated recovery processes.

Although Figure 3 presents the 6 BCM areas in chronological sequence from top to bottom, it should not be misconstrued that implementation of BCM must rigidly adhere to that sequence. In particular, for the BCM areas of Risk Analysis and Review and Business Impact Analysis, individual organizations may choose to alter the order.

4. PDCA Cycle

The standard adopts a process approach, the “Plan-Do-Check-Act” (PDCA) methodology. Figure 4 illustrates how a BCM system takes as input the BCM requirements and expectations of stakeholders and, through the PDCA cycle, produces various risk management outcomes that aim to meet those requirements and expectations. Figure 4 is the PDCA diagram and Figure 5 describes each of the PDCA phases.

Figure 4: PDCA Methodology

Figure 5: Description of the PDCA phase

5. BCM as Corporate Governance and Risk Management

BCM is often related to Corporate Governance and Risk Management. There is a strong correlation between BCM and these two areas, and its relationship to each should be clearly demarcated.

5.1 BCM as Part of Corporate Governance

Corporate governance has been variously defined. Pertaining specifically to BCM, the following definition of corporate governance provides a good link to what has been defined and discussed above, namely BC and BCM.

Corporate governance is the system by which business corporations are directed and controlled. It spells out the rules and procedures for making decisions on corporate affairs. It also provides the structure through which the company’s objectives are set, and the means of attaining those objectives and monitoring performance. Defined narrowly, it is the relationship of a company to its shareholders.

In terms of the BCM framework above, the policies and procedures established in each of the 6 broad BCM areas serve as rules and procedures to direct and control decision making for an organization’s BC efforts.

5.2 BCM as Part of Risk Management

Risks are inherently present in the decisions and activities of organizations. Some of these risks could disrupt critical business functions and thereby business continuity. While the management of risk encompasses the whole spectrum from risk identification, assessment and treatment to monitoring and review, BCM focuses only on those risks that affect its BC interests and the associated critical business functions supporting these interests. This is reflected in two areas of the BCM framework, namely Risk Analysis and Review and Business Impact Analysis.

6. Conclusion

SS540:2008 is the Singapore Standard for Business Continuity Management (BCM) and is being embraced by both international and local businesses operating in Singapore. The standard and its BCM framework are rigorous in their coverage of the BCM areas. The 6 major BCM areas and the four major BCM components form the BCM framework matrix, which makes SS540:2008 a comprehensive BCM standard.

7. References

[1] BCMpedia (2008). Definition of Business Continuity and Disaster Recovery Terminologies. http://www.bcmpedia.org
[2] BCM SS540 (2009). Singapore Standard for Business Continuity Management. http://www.ss540.org
[3] Goh, Moh Heng (2009). A Manager’s Guide to SS540 Singapore Standard for Business Continuity Management, 160 pages.
[4] Goh, Moh Heng (2008). Managing Your Business Continuity Planning Project, 2nd Edition, 166 pages.
[5] Goh, Moh Heng (2008). Conducting Your Impact Analysis for Business Continuity Planning, 130 pages.
[6] Goh, Moh Heng (2008). Analyzing & Reviewing the Risk for Business Continuity Planning, 162 pages.
[7] Goh, Moh Heng (2005). Developing Recovery Strategy for Your Business Continuity Plan, 104 pages.
[8] Goh, Moh Heng (2004). Implementing Your Business Continuity Plan, 104 pages.
[9] Goh, Moh Heng (2006). Testing & Exercising Your Business Continuity Plan, 2nd Edition, 160 pages.
[10] Goh, Moh Heng (2007). Managing & Sustaining Your Business Continuity Management Programme, 190 pages.
[11] Goh, Moh Heng (2006). Developing Your Pandemic Influenza Business Continuity Plan, 128 pages.
[12] SPRING Singapore (2008). Singapore Standard for Business Continuity Management (SS540:2008).
[13] SPRING Singapore (2005). Technical Reference for Business Continuity Management for Manufacturing.

The Author

Dr Goh Moh Heng is the President of BCM Institute and is regarded as one of the leading practitioners in the area of business continuity. Dr Goh is also the Managing Director of an Asia Pacific BCM consultancy firm. He holds a PhD and has been awarded the highest level of certification by the three major business continuity management institutes. Dr Goh and his team were instrumental in the development of TR19:2005 and subsequently in the publishing of SS540:2008. Besides writing the two national standards, he has authored nine business continuity management books and created the first wiki for BC and disaster recovery, www.BCMpedia.org. He can be contacted at moh_heng@bcm-institute.org.

21 Jan 2009