
ISSUE 2 YEAR 2008

315 Outram Road #15-04
Tan Boon Liat Building
Singapore 169074
Tel: +65 6323 1500
Fax: +65 6323 0933
Email: info@bcm-institute.org

RESILIENCE NEWSLETTER

Website: www.bcm-institute.org
Upcoming courses (Jul/Aug/Sept)

o BCM-300: Singapore (10/09/08)
o BCM-350: Pune (03/05/08), Chennai (25/08/08), Hyderabad (27/08/08)
o DRP-400: Singapore (14/07/08)
o BCM-810: Singapore (04/08/08)
o BCM-830: Singapore (18/09/08)
o BCM-5000: Bangalore (15/07/08), Singapore (18/08/08), Qatar (21/08/08)
o DRP-5000: Chennai (12/08/08), Singapore (22/09/08)

President Speaks

Dear friends

This is the 2nd Edition of Resilience and I am glad that the newsletter is still on time in spite of the many initiatives that are presently underway. Just to highlight three major breakthroughs. The initial good news is that the number of certified professionals from BCM Institute had risen past 1000 professionals from 34 countries. Besides the courses running throughout Asia, we have begun our course offerings in the Middle East starting with Bahrain. We hoped to see our Gulf Cooperation Council (GCC) attending the institute’s course within 2008. Last but not least, we have the BCM Institute’s forum running on CollectiveX platform. I am glad that it had passed the 915 participants starting the recruitment only on 1st April 2008. It is remarkable to have so many professionals participating in a relatively new BC and DR related forum.

Your support is most heartening to us. With this issue of Resilience we hope to highlight to friends and past participants the continued support of you and our instructors who this institute is indebted to. I look forward to bringing you more updates during our next issue.

Dr Goh Moh Heng
President
BCM Institute
Personal Interview
With Salma Desenta
From IBM Indonesia

Mr Desenta was a course participant at the recent DRP5000 course held in May 2008 at Furama Riverfront Hotel in Singapore. Here is the excerpt from the interview:

What is your key take away for you at this training?
“Actually for me the key take away at this training was the
network built with both instructors and other participants. From
material point of view, it enriches me with best practices
methodology being used outside my current organization.”

What did you like best?
“I like the arrangement of different instructors for each day. By
doing so, the participants can learn much more experiences
from those instructors. The arrangement of the instructors that
have experience from both vendor and end-user perspective
also serves different point of view that enriches the participants
as well”

What is the DR strategy you would take back to help
implement?
“I believe for those who have been involved in real, practical
DR world, they’ve been familiar with the DR strategy
presented. But from practical point of view, we did share
experiences and creative ideas on how to achieve certain
target on each phases of the DR methodology”

(Editor’s note: The 6 participants rated the 4 BCM Institute
instructors very highly, but they particularly appreciated the
enriching instruction from 2 instructors, namely Ms Carolyn
Lock and Mr David Tay, and asked BCM Institute to echo their
feedback. Overall, their heightened learning is a result of the
number of trainers fielded, and the trainers’ diverse experience plus
ability to teach made their trip to the course more than
worthwhile.)

DRP 5000 in-house training for regional SHELL participants
Cyberjaya, Kuala Lumpur, in June 2008

[Photos: Trainer Lim Sek Seong, in tie; Trainer Serena Chan, standing]

BCM Institute is very appreciative of SHELL’s continued reliance on our institute and our instructors to teach BCM and DRP to their expanding BC & DR practitioners. The 4th in a series of in-house training, the participants came from all over Malaysia, Brunei and Singapore. BCM Institute fielded 3 instructors – Ms Serena Chan from Hong Kong, Ms Yvonne Leong, a BC practitioner in a large Malaysian bank, and Mr Lim Sek Seong, Managing Consultant from GMH Continuity Architects in Singapore.

BCM 300 In Bangkok

Meet The Experts
Singapore

On Friday 27th June 2008, BCM Institute in Singapore held
another Meet-The-Expert session at the Furama Riverfront
Hotel. It was well received and attended by over 70
participants from the BC & DR Community in Singapore. 3
experts were in attendance that afternoon, and their topics
were:

a) Crisis Communication & the need for BC practitioners to know its importance. The speaker was Ms Farah Rahim who heads the Crisis Communications PR team at Hill & Knowlton.

b) Business Impact Analysis and its practice in other MNCs overseas. The speaker was Dr Goh Moh Heng, President of BCM Institute.

c) SSxxx/TR19, and its proposed requirements and their impact on the BCM process in Singapore. The speaker was Mr Lim Sek Seong, Managing Consultant of GMH Continuity Architects and one of the original co-authors of the TR19 coding.

Typically, the speakers would speak for 30 minutes, and the following 30 minutes was given to the floor, and for each session, there was an overwhelming response as participants queried the experts with subject matters and ‘what ifs’ scenarios (which were largely their experiences or difficulties at work).

Meet the Expert sessions would continue bi-monthly in Singapore, and the main intent is to field subject matter experts who would speak about a given topic (usually topics raised by past participants in their feedback forms), and time given for Q&A to enhance the technical session’s learning focus.

Several of BCM Institute’s instructors met for several casual get-togethers at Crystal Jade Restaurant/Great World City, hosted by BCM Institute. It was a good time to talk about non-BC matters and catch up with each other.

FULL ARTICLES

Analyzing & Reviewing the Risks for Business Continuity
Planning by Dr Goh Moh Heng
Reviewed by Yvonne Leong

This is another book of Dr Goh Moh Heng’s BCM series – The Risk Analysis and Review for Business Continuity Planning. The term Risk Analysis (RA) is self-explanatory and has always been associated with Risk Management (RM). In fact, it is one of the very critical steps to accomplish the intended functions of RM.

Following the Business Continuity Management (BCM) being put in the limelight in the past decades, grey areas were introduced between RA of RM and RA of BCM. This book reiterates the embraced concept of RA and addresses the above grey areas from the BCM perspective. It explains the integrations between BCM and RM, using the Australia/NZ RM Standards that defined BCM as part of RM. Since the BCM addresses incident, emergency and disaster situations, the RM in BCM should restrict to events that impact the minimum service level of a business. Some books document BCM as the process of handling the residue risk identified in RM. However, this book recommends the relationship best to be viewed as an overlap relationship that has no definite boundary. In essence, RA from both the BCM and RM has similar concepts and objectives.

Following the above grey areas between RM and BCM, the persons in charge of the RA process often ask who should do the job; if it’s the responsibility of the BCM team, a second question is raised - when to do it: before, during or after the Business Impact Analysis (BIA). In real life, the scope of the RA exercise depends on who coordinates the job.

1. If RA is coordinated by the RM team.

It covers overall risks of the organization and may include other types of risks like credit, market and operations risks. This is the preferred execution model for RA as the RM team is the subject matter expert in conducting RA and they could have a wider scope of RA which is not confined only to critical operations and assets. The result would then provide an overall view of the risk profile of the organization.

2. If RA is coordinated by a BC planner of the BCM team.

It covers risks that impact the operations of the organization. The RA would identify the threats and magnitude of risk against the critical assets that have been earlier identified in the BIA. This also means that the RA should best be conducted during or after the BIA stage.

In some organizations in this region, there are few personnel, if any, manning the BCM department. In view of the scarce resources, the approach to complete the different phases in BCM aims to be the shortest and fastest with somewhat compliance to the minimum requirements. As the saying goes: compliance to the general standard and guidelines does not guarantee the resilience of the organization, but the actual exercise and test result make one feel comfortable of the readiness of BCM. Having this in mind and the ultimate objectives of BCM, one would do the simplest possible steps to achieve its end goals. Therefore the in-depth information, templates, guidelines documented in the book may not be fully appreciated but in contrast, it may confuse some readers.

In the absence of an external consultant or risk expert, the completeness of threats identified depends very much on the knowledge and experience of the members attending the brainstorming workshops or discussion groups. As such, appendix 9 helps by providing a list of possible threats, risks and phenomena for consideration. Studies consistently show that humans are responsible for more than 60% of the data center downtime through accidents or mistakes. This book urges the consideration of character deficiency threats and other human factors that may cause disaster, such as deteriorating work ethics, absence of loyalty, lack of direct control over service personnel and stress of being required to do more with less personnel resources, etc. Appendix 10 complements the above discussion by describing the common threats faced by most organizations and listing some control measures and considerations to reduce, mitigate or accept the risks.

Though this book is largely a “how-to” book, it also forcefully argues one important point over and over again: We must pay attention to how to present the findings to the executive management and get their buy-in to proceed to the next phase. In the last chapter of the book, it explains the preparations requirement of necessary information and findings for an executive management presentation; lots of thoughts and experience have been shared to close the RA phase. As much hard work has been put in with tons of findings, one tends to be lengthy and thorough in presentation. This chapter shares the critical elements that made up a good presentation session; it provides hints to present the right information to keep the excitement going during an executive management presentation, in order to get their buy-in to adopt the risk controls and of course their nods for funding to proceed to the next actions required in RA phase, i.e. execution for risk mitigation, endorsement for risk rejection and acceptance or continue with the BIA phase and developing recovery strategy phase of BCM.

Information documented in the book is of utmost importance to handhold any new BC planners in their journey in BCM or to remind the professional BC planners of the basis of BCM. It serves as a very good source reference to kick off a BCM project or initiate a continual improvement plan in the BCM journey. Therefore, it should undoubtedly find a place on the bookshelves of every BC planner.

[Editor’s Note: This book is currently in the process of being published, and should be available soon for purchase at
the BCM Institute’s Singapore office, or online via the www.bcm-institute.org shopping cart or at www.amazon.com .]

BS 25999 – Creating Competitive Advantage and Unparalleled
BCM Leadership – a perspective from BCMI India.

The launch of BS 25999 standard is a milestone for the global BCM industry. The importance of Business Continuity
Management (BCM) is increasing day by day. Be it natural disasters or man-made, at some point of time we all have
been affected by these disasters in some shape and form. Therefore, we have to admit that having a robust BCM in
place does not only talk about good corporate governance but also establishes the fact that the organization is
committed to all its stakeholders. We all know that it’s not really the financial loss of the transaction that causes a
problem – it’s really the customer loss of faith, trust and confidence that the disruption causes. In the past, there have
been various instances of several organizations, where the operations were disrupted beyond a reasonable period of
time resulting in business volumes dropping and market share getting eroded. Very soon, the costs become too high
and revenues too low, and the operations remain no longer viable – so the organization closes down. The message is
very clear. Business continuity is critical to ensure the survival of the organization!

Most BCM and DR professionals would probably be aware that the BS 25999 was launched globally in Tokyo,
London and New York on Oct 31, 2007. This launch was attended by several renowned industry professionals in the
BCM domain representing various private and public organizations.

Over the last couple of months, the British Standards Institute (BSI) has held a series of road shows on the BS 25999
standard across the Middle East in Dubai, Abu Dhabi, etc. The India launch took place in 3 Indian cities - New Delhi,
Mumbai and Bangalore. The launch was jointly organized and co-ordinated by Confederation of Indian Industry (CII)
and BSI. CII is a non-government, not-for-profit, industry led and industry managed organization, playing a proactive
role in India's development process.

So what exactly is BS 25999? BS 25999 is the world’s first internationally recognized standard for Business
Continuity Management (BCM). This was developed by the BSI - which has a history of over 100 years in developing
standards. The BS 25999 is based substantially on the PAS 56 (Publicly Available Specification 56) - released in
2003. The objective has been to define a Management Systems approach to BCM, based on best practices.
Importantly, the BS 25999 is applicable to any organisation (large, medium and small) operating in any industry (e.g.
healthcare, professional services, manufacturing, retail, oil industry etc), having any ownership whatsoever (private
sector, public sector, government, voluntary etc).

A standard provides independent third-party validation of competence – that you are as good as the best in the world.
Standards also give confidence to existing and potential customers about an organization’s capabilities. They help
demonstrate market leadership and create competitive advantage. All things being equal, a buyer will choose the
certified organisation – and maybe even be willing to pay more for the peace of mind that a certification, such as BS
25999 brings. Importantly, standards are based on best practices – which means doing the right thing in the right way.
Standards also help equip your organizations with a strong foundation for further scaling up – more so in cases where
the organization is looking at expanding its operations to new geographies and starting to bring new people on board.
It may be wise to ensure that your BCM program is in compliance with the BS 25999 standard. Only then can you
have true peace of mind.

A standard adds value in terms of its universal applicability and implementation structure. It can be used to meet
strategic, organizational, regulatory and legislative requirements. The BS 25999 standard provides an effective BCM
framework and can fit with your existing processes and systems. Also, it can work along and audit your existing
business continuity plans. I believe the rollout of BS25999 would give a major boost towards achieving quality and
compliance in the BCM domain. The adherence to the standard will definitely enhance customer confidence resulting
in improved business and overall profitability.

The India launch event was sponsored by BCM Institute and National Disaster Management Authority (NDMA). The
NDMA, headed by the Prime Minister of India, is the Apex Body for Disaster Management in India. Within nearly 6
months of the launch, 9 organizations worldwide have been certified. The largest of these organizations has been
Accenture, which got certified for its India operations, where it has 37 thousand employees in multiple locations.
Presently, I sense that there is a lot of action happening particularly in India. And my guess is that a lot of organizations in
other countries have already started appreciating the intrinsic as well as extrinsic value that BS 25999 brings to an
organization’s BCM programme.

Friends, in my experience I have observed that a lot of corporate organizations/personnel are under the fallacy that ‘it
will never happen to me’. In fact, ‘It’ is happening all around us. In India or any country of the world, the need for
business continuity has been vividly demonstrated again and again.

At the launch, Mr. Robin Pilcher (Global Marketing Director-BSI) pointed out that because of high interest and
awareness BS 25999 has become the fastest selling standard in the world, after ISO 9000, which was introduced 20
years ago. There have been more than 5000 downloads to date on the BSI website. This phenomenon clearly
demonstrates the growing need and importance in Business Continuity Management field around the world. In fact,
he also shared that the maximum number of comments/feedback during the public draft review came from India.

As a critical element of corporate governance and survival, BCM is not an overhead, and it should be implemented
because it is the right thing to do - not simply because a customer, regulator or any other stakeholder wants it. If an
organization recognizes the strategic criticality of BCM, they must find the time and resources to implement BCM on
priority basis. Therefore, we can safely assume that a robust Business Continuity Management System (BCMS) is
important to ensure the continued existence and survival of the organization.

During the technical session, Mr. Venkatraman Arabolu (India MD-BSI) drew the audience’s attention to the fact that in
most of the organizations, the weakest link in their continuity strategy, planning and recovery efforts is the People
issue with 35% of the total falling under this risk category. Other major categories included Process risk (27%),
Technology risk (18%) and Supply chain partner risk (9%). And I think that the supply chain risk applies to all of us in
some form or shape. In uncertain times to come, this risk can get bigger and dangerous for the business survival.

Mr. Anupam Kaul from CII highlighted the need of greater preparedness and shared his experience on the Union Carbide
accident where all the six safety features had failed and thousands of innocent people lost their lives. Prof. Vinod
Menon from NDMA rightly mentioned – “The Business of Business is to stay in Business”.

One of the main speakers – Mr. P.G. Kakodkar, former Chairman of SBI group, which is India’s largest Bank, shared
his perspective on BCM criticality in the banking sector and strongly supported the BS 25999 applicability.

Mr. Dhiraj Lal (Country Manager-BCM Institute), who is Asia’s first technical expert on BS 25999, shared that the
BCM process is the core responsibility of the CEO and the Board of Directors of an organization. Therefore, not
thinking or opting for BCM can put the organization’s survival at stake. And in case disaster happens to an
unprepared organization then image, brand, trust may take a beating.

Application of BS 25999 would result in assurance to an organization’s Top Management that their business has the
needed capability to continue and deliver in case of any emergency/disaster. The Standard implementation would
ultimately attract more customers, will demonstrate market leadership and will create competitive advantage in
today’s dynamic market scenario. We all would agree that service disruptions, delays in responding to customer
requests, inability to process transactions in a timely manner or being unable to resume business in the face of a
disaster can all have significant impacts on an organization's effective operation.

BSI has partnered with BCM Institute (domain experts in BCM only) to impart the training and guidance, which an
organization requires to prepare for the BS 25999 audit and certification. BCM Institute also took part in the first 2 BS
25999 technical audits, which were carried out for Citigroup Global Services and Accenture, who were also awarded
with the BS 25999 certification during the seminar.

BS 25999 clearly states that the responsibility for the BCM programme implementation and success lies with the
CEO of the organization. After all, the CEO is the person who leads the whole organization to the path of success and
profitability. I believe it is critical that a CEO/Board member should think of BCM as ‘The right thing to do’ rather than
searching for the reasons for doing it. Ultimately, it’s their responsibility towards the organization’s customers,
shareholders and all other stakeholders. After all, corporate governance is all about having confidence in what you do
and how transparently you do it. In my personal viewpoint, BS 25999 is the right tool, which definitely gives a
CEO/Board member the needed confidence and trust that his/her business is following the right BCM process,
ultimately ensuring Business survival in testing times.

It’s an uncertain world, lifeguard your business.

Harsh Garg
Note: In case of any queries, please feel free to drop an email at harsh@bcm-institute.org