Professional Documents
Culture Documents
net/publication/280007358
CITATIONS READS
5 1,390
1 author:
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Moh Heng Goh on 13 July 2015.
Prof S Jayakumar, Deputy Prime Minister and Coordinating Minister for National Security.
Business Continuity (BC) is about the ability of an organization Business Continuity Management (BCM) is defined as a
to operate its business in a manner that upholds its holistic management process that identifies potential impacts
accountabilities to its customers, itself and its suppliers despite which threaten an organization and provides a framework for
occurrence of events that disrupt its usual business activities in building resilience and the capability for an effective response
a significant fashion. Organizations have to face their external that safeguards the interests of its key stakeholders, reputation,
stakeholders it has to answer to include the authorities, brand and value creating activities (SS540:2008).
shareholders and the public at large. It is no easy task in
general to balance between the demands of these parties. For
example, how should an organization organize and operate its Potential disruptions to the interests of these stakeholders would
business activities in a way that is acceptable to stakeholders have to be identified, pre-empted or kept to a minimum.
upon a disruption? What alternate methods of operations for Business functions supporting value creating activities would
the delivery of its products and services least inconvenienced its have to be identified. Processes and resources would need to be
customers? established to ensure the continued operation of these functions
due to disruptions.
Page 1
BCM Institute Meet-The-Expert, BCM Implementation SS 540, 21 st January 2009 Holiday Inn Atrium Hotel, Singapore
BCM Implementation for Organizations using the Singapore Standard SS540:2008, Dr Goh Moh Heng
Recovery Strategy
Plan Development
Risk Analysis and
Business Impact
to support, if not sustained on a moderated basis, the
Management
Management
Testing and
Exercising
BCM Planning
Analysis
Program
Review
Project
identified interests Process
Page 2
BCM Institute Meet-The-Expert, BCM Implementation SS 540, 21 st January 2009 Holiday Inn Atrium Hotel, Singapore
BCM Implementation for Organizations using the Singapore Standard SS540:2008, Dr Goh Moh Heng
of risks due to external operating environment include terrorist 4.6 Programme Management (This terms are
attacks, floods, political turmoil and disruption of supply chain.
similar for SS540 and BCM Planning
Methodology)
4.2 Business Impact Analysis (This terms are
similar for SS540 and BCM Planning Besides an established and thoroughly tested BC Plan the
Methodology) organization should demonstrate commitment in maintaining
the currency of its plan through regular and systematic review
of its risks and business impacts, realigning of its BCM
The potential impacts of risks actually occurring to an strategies and revalidating of its BC Plan on a continuous basis.
organization and affecting its ability to achieve its business BCM should become an integral part of the organization‟s
operation and service can be obtained by conducting a business operations, audit, testing, quality assurance, change
impact analysis. The later would include, where possible, management and culture. Ownership of BCM becomes
quantifying the loss impact from both a number of days of embedded in individual business units where BCM risks reside.
business disruption and a financial standpoint. For example, a
fire which destroys the finished inventory at the warehouse can BCM is an ongoing management process and can be examined
result in delay of shipment to key customers for a few days and from 2 standpoints. Firstly, the impacts of issues and concerns
incurring impact such as contractual penalty. arising from each of the 7 BCM areas identified above need to
be examined. For example, the risk impacts upon people and
physical infrastructure. Secondly, the direction and support
4.3 Strategy (Recovery Strategy) needed to ensure that BCM efforts can be implemented and
sustained. For example, organizational policies direct BCM
processes to support BCM on an ongoing basis.
Based on these potential loss impacts the organization would
deliberate and select the appropriate strategy or strategies to
safeguards its interests. These strategies can be preventive or 4.7 Missing Phase
pre-emptive in nature. For example, outsourcing the risks to
third parties or setting up of alternate facilities at another
location would be efforts towards preventing and pre-empting I am often asked about the missing phase within the BCM
potential loss impact. The rationale behind these strategies is to Areas. It is important to note that the project management area
build resilience for the organization against impact of loss. is not part of the 6 BCM areas. The reason is that the BC
project is completed when it is due for certification by the
organization and hence, this phase Project management is
4.4 Business Continuity Plan (Plan omitted from the SS540:2008.
Development)
4.7.1 Project Management
From the selected strategies a detail business continuity plan
(BC Plan) should be instituted in place to respond to risks The project to establish the BC Plan for the organization needs
which can occur and impact its business operation and service. the approval from Executive Management at the onset and
The BC Plan would specify and allocate the resources and ongoing support thereafter till completion. Foremost Executive
thereby building up the capability of the organization to respond Management needs to be convinced of the importance and need
to risk occurrences. For example, by specifying the BC roles for business continuity. The reader may notice that this phase is
and responsibilities of staff in the BC Plan the organization is not part of the standard. The reason will be explained later as
better adapt to respond to occurrence of risks. the standard assumed that the BC plan is written and hence the
project management phase is completed.
5.1 Policies
Page 3
BCM Institute Meet-The-Expert, BCM Implementation SS 540, 21 st January 2009 Holiday Inn Atrium Hotel, Singapore
BCM Implementation for Organizations using the Singapore Standard SS540:2008, Dr Goh Moh Heng
For example, a policy requiring all business units to appoint and Policies Processes People Infrastructure
Risk Analysis and
assign BCM responsibility to a specific staff to participate in Review
the organization BCM Programme. In addition, policies Business Impact
BCM Areas
provide the rationale for establishing the necessary Analysis
Strategy
infrastructure to support BCM on an ongoing basis. BC Plan Development
Tests and Exercises
Programme
5.2 Processes Management
These processes are set of activities with defined outcomes, Figure 3: The BCM Framework
deliverables and evaluation criteria to attain BCM policies on
an ongoing basis. They include formal change control and
documentation processes. For example, changes to keep the BC Figure 3 presents each of the 6 BCM areas in a chronological
Plan current should be controlled and documented in a formal sequence, from top to bottom, it should not be misconstrued
manner. In addition, BCM efforts go towards reducing the risks that implementation of BCM should rigidly adhere to the same
and their impacts on the operation processes in the organization. chronological sequence. In particular, for the BCM areas of
For example, the risk of disruption of raw material supply and Risk Analysis and Review and Business Impact Analysis,
its impact on production needs to be addressed as part of BCM. individual organizations may choose to alter the sequence.
Participation and the skill sets of participants in various BCM The standard adopted a process approach, the “Plan-Do-Check-
activities are crucial to the success of BCM in an organization. Act” (PDCA) methodology. The figure below illustrates how a
For example, a BCM steering committee comprising BCM system obtain inputs from the BCM requirements and
representatives from various business units and headed by a expectations of stakeholders, through the PDCA and produces
member of Executive Management should be established to various risk management outcomes that aims to meet those
oversee BCM efforts in the organization. In addition, BCM requirements and expectations. Figure 4 is the PDCA diagram
efforts go towards reducing the risks and their impacts on staff and Figure 5 is the description for each of the PDCA phases.
in the organization. For example, the health risk associated
with handling of hazardous materials needs to be addressed as
part of BCM.
5.4 Infrastructure
In addition, BCM efforts go towards reducing the risks and their Figure 4: PDCA Methodology
impacts on physical organization infrastructure. For example,
the impact of a risk occurrence on production equipment and
facilities need to be addressed as part of BCM. Phase Description
Establish BCM policy, objectives, processes and procedures
Plan relevant to managing risk and improving prevention, preparedness,
response, continuity and recovery Programmes.
6. BCM FRAMEWORK Do
Implement and operate the BCM policy, controls, processes and
procedures.
Assess and, where applicable, measure process performance
The following Figure 1 summarizes the preceding BCM Check against BCM policy, objectives and practical experience and report
discussion in a matrix format. A matrix BCM framework the results to management for review.
allows potential gaps in an organization‟s BCM efforts to be Take corrective and preventive actions, based on the results of the
Act internal BCM audits and management review or other relevant
identified and located. For example, the implications of information, to achieve continual improvement of the BCM.
selecting a particular recovery strategy should be linked to the
corresponding policies set forth by Executive Management.
Implementation of the recovery strategy should be supported by Figure 5: Description of the PDCA phase
corresponding infrastructure, training of recovery personnel and
establishing the associated recovery processes.
Page 4
BCM Institute Meet-The-Expert, BCM Implementation SS 540, 21 st January 2009 Holiday Inn Atrium Hotel, Singapore
BCM Implementation for Organizations using the Singapore Standard SS540:2008, Dr Goh Moh Heng
8. BCM as Corporate Governance and Risk Management (BCM) that is being embraced by both the
international and local businesses operating within Singapore.
Management This Singapore Standard and its BCM framework is highly
rigorous in its coverage of the BCM areas. The 6 major BCM
BCM is often related to Corporate Governance and Risk areas and also the four major BCM components form the BCM
Management. There is a strong correlation between this two framework matrix which makes the SS540:2008 a
areas and it should be clear demarked to its relationship. comprehensive BCM standard.
9. Conclusion
Page 5