All Rights Reserved by Jacob Business Armour Pte Ltd

Conversion of BCM SystemConversion of BCM Systemfrom

SS540-2008 to ISO22301-2012

This presentation is prepared for organisations that intend totransit from SS540 to ISO22301 BCM Standards

General Presentation

All Rights Reserved by Jacob Business Armour Pte Ltd

ISO22301-2012A holistic management process that identifies potential threats to an organization and theimpacts to business operations those threats, if realized, might cause, and which provides aframework for building organizational resilience with the capability of an effective response thatsafeguards the interests of its key stakeholders, reputation, brand and value-creating activities

SS540-2008A holistic management process that identifies potential impacts which threaten anorganisation and provides a framework for building resilience and the capability for an effectiveresponse that safeguards the interests of its key stakeholders, reputation brand and valuecreating activities

ISO22301 has a more holistic approach to dealing with business continuity

threat impact disruption

SS 540

time

IS0 22301

norm

alnorm

al

Difference between SS540-2008 & ISO22301-2012

Slide 2 of 6

For assistance, please contact Jacob at jacob@jaba.com.sg

BCM Conversion: SS540-2008 to ISO22301-2012

Date: May 2014 page 1 of 3Jacob Business Armour Pte Ltd

All Rights Reserved by Jacob Business Armour Pte Ltd

ISO22301-2012A holistic management process that identifies potential threats to an organization and theimpacts to business operations those threats, if realized, might cause, and which provides aframework for building organizational resilience with the capability of an effective response thatsafeguards the interests of its key stakeholders, reputation, brand and value-creating activities

SS540-2008A holistic management process that identifies potential impacts which threaten anorganisation and provides a framework for building resilience and the capability for an effectiveresponse that safeguards the interests of its key stakeholders, reputation brand and valuecreating activities

What are the critical business functions “CBFs”?> how to recover damaged/disrupted CBF

What are the threats facing the organisation?> how to respond and deal with threats

threat CBF’s disruption

SS 540

time

IS0 22301

norm

alnorm

al- identify key threats- risk manage threats- top management of crisis situation (including communications)

- identify CBF- risk manage CBFs > recover damaged/disrupted CBFs

- identify CBF- risk manage CBFs > recover damaged/disrupted CBFs

Business Continuity approaches: SS540-2008 & ISO22301-2012

Slide 3 of 6

All Rights Reserved by Jacob Business Armour Pte Ltd

Standards Coverage: SS540-2008 & ISO22301-2012

Slide 4 of 6

For assistance, please contact Jacob at jacob@jaba.com.sg

BCM Conversion: SS540-2008 to ISO22301-2012

Date: May 2014 page 2 of 3Jacob Business Armour Pte Ltd

All Rights Reserved by Jacob Business Armour Pte Ltd

SS540 is very much process-based with systems andstructures e.g. damage assessment team, disasterdeclaration officer, etc to be followed during a time of crisis.It is quite a paper-based system.

ISO22310, without weighty processes will afford the crisismanagement team to respond quicker and more effectivelyaccording to the exigencies of the emerging crisis situation. Ithas a more tactical base.

SS540’s strategy is to have recovery plans made ready soas to recover Critical Business Function (CBF) should itbecome dysfunctional. Action control is thus located at thedepartment, and could become ‘silo’ in effect.

ISO22310 employs a more holistic strategy to locate crisismanagement at top management level, giving managementdirections to the dysfunctional function or to all department.This avails greater control enabling crisis communicationsand coordination with external involved stakeholders. This iseffective when the crisis affects the entire organisation.

System Impact: SS540-2008 & ISO22301-2012

ISO22301: higher response spontaneity

ISO22301: greater management control

Slide 5 of 6

All Rights Reserved by Jacob Business Armour Pte Ltd

1. Carry out a Risk Assessment to identify threats (internal and external) and their potentialimpacts to key business objectives.

2. Incorporate MPTD (“Maximum Tolerable Period of Disruption”), including other terms e.g. MAO,etc. into the BCM system. MPTD and MAO were not requirements of SS540. This requires all risks to be re-consideredin order to be given MPTD or MAO ratings.

3. Lighten and/or remove baseline processes/procedures. SS540 requires a lot of details, which will only weighdown crisis response and also increases system maintenance work.

4. Institute higher level of Management involvement (required by ISO 22301). This will ensuresufficiency and integrity of the BCM system, and that it is able to serve the interests of all key stakeholders.

5. Formalise a Crisis Management System with Top Management’s leadership This was not sufficientlyrequired by SS 540.

6. Establish a crisis communication system, with communication tools that will be sufficient toaddress the needs of all interested parties. This was not sufficiently required by SS540.

7. Review BC Plans to include risk management and to prepare situational IMPs. Paper-based BCPlans in SS540 are too restrictive to meet the fast-paced uncertainties of an emerging crisis situation.

8. Reset the Internal Audit system (audit criteria) to suit ISO22301 requirements.

9. Review systems and documentation to render them applicable to ISO22301, e.g. BCM PolicyManual, organisation teams, and appointees, etc.

Conversion from SS540-2008 to ISO22301-2012: what it takes?

Slide 6 of 6

For assistance, please contact Jacob at jacob@jaba.com.sg

BCM Conversion: SS540-2008 to ISO22301-2012

Date: May 2014 page 3 of 3Jacob Business Armour Pte Ltd