Business Continuity Management
Agenda
1. What is Business Continuity Management (BCM)?
2. Current standards - International and Singapore.
3. How is it applied to Corporations?
4. How is it linked to Facilities Management?
What is Business Continuity Management (BCM)?
Introduction
• No-one in business wants to be affected by a major incident or
disaster. However, if one does occur, we hope that there is
someone, somewhere who knows what to do. In the initial response
to an incident such as fire or flooding, we know that the Emergency
Services will play a major role.
• But what happens beyond the initial response? Or what
happens, for example, in the case of IT failure or widespread staff
sickness when disruption occurs that the Emergency Services would
not be expected to respond to?
• This is where a Business Continuity Management (BCM)
programme comes in. Its purpose is to ensure that everyone in your
business is capable of responding to and recovering from an
incident, both individually and collectively, to get the business
back on its feet as quickly as possible with the minimum of
fuss to minimize financial and non-financial impacts.
Business Continuity Management (BCM)
• BCM is a process that improves the ability of businesses to function
despite internal or external disruption. It is a management process
put in place to consider, and prepare for, the 'what ifs' that might
affect a business on any given day.
• The Business Continuity Institute (BCI) defines this process as
follows:
"BCM is an holistic management process that identifies
potential business impacts that threaten an organization
and provides a framework for building resilience with
the capability for an effective response that safeguards
the interests of its key stakeholders, reputation, brand
and value creating activities."
What Threats are we facing?
Terror Acts
Major Terror Acts of the last 10 years
Dates | Events | Deaths
11 Sep 2001 | New York - Attack on World Trade Center (9/11) | 2,997
12 Oct 2002 | Bali Bombings | 202
05 Aug 2003 | Jakarta - Bombing of the JW Marriott Hotel | 12
11 Mar 2004 | Madrid Train Bombings | 191
09 Sep 2004 | Jakarta - Australian Embassy Bombed | 9
07 Jul 2005 | London Bombings | 52
11 Jul 2006 | Mumbai Train Bombings | 209
31 Dec 2006 | Bangkok - Eight bomb explosions in seven areas | 3
25 Aug 2007 | Hyderabad bombings | 44
26-29 Nov 2008 | Mumbai - Armed terrorists opened fire at eight different sites in a coordinated attack | 173
07 Jul 2009 | Jakarta - Bombing of the JW Marriott Hotel and Ritz-Carlton | 9
What Threats are we facing?
Natural Disasters
Major Natural Disasters of the last 10 years
Dates | Events | Deaths
Nov 2002 – May 2003 | SARS (Severe Acute Respiratory Syndrome) | 775
Feb 2003 | H5N1 (Avian / Bird Flu) | 287
26 Dec 2004 | Indian Ocean Earthquake / Tsunami | 230,000
08 Oct 2005 | Kashmir Earthquake (Pakistan) | 79,000
29 Aug 2006 | Hurricane Katrina (Gulf coast from central Florida to Texas, USA) | 1,836
Jan 2007 | Jakarta Floods. Whole city is affected. | 80
02 May 2008 | Cyclone Nargis (Myanmar - Tidal Waves and Floods) | 140,000
12 May 2008 | Sichuan Earthquake | 68,000
Mar 2009 | H1N1-2009 (Swine Flu) | 16,000
12 Jan 2010 | Haiti Earthquake | 232,000
27 Feb 2010 | Chile Earthquake | 497
Why should your business consider BCM?
• Implementing BCM and making it part of your core business
processes will help prepare your business for long-term survival
when faced with anything from a flood to a fire. It will assist in
preparing your business to quickly resume 'business as usual' in a
logical and controlled manner.
• Without effective BCM, a natural or man-made disaster, such as:
Natural / Man-Made Disasters
Epidemic / Pandemic | Act of Terrorism
Earthquake / Tremor | Flood
Computer / Network Failure | Power Failure
Equipment Failure | Environmental Disaster
Product Contamination | Failure of Critical Suppliers
Loss of Key Personnel | Loss of Premises
• Could result in any one or more of the following impacts:
Reputation | Financial | Legal / Contractual | Customer Service | Staff
Loss of Image | Loss of revenue | Legal Actions taken | Customer loyalty | Morale
Loss of Brand value | Loss of market share | Contractual obligations | Customer may go to competitors | Stress
Loss of investor confidence | Regulatory Fines | Psychological
Important Slide
• It is essential that all businesses, large and small, plan ahead so
that they can continue to operate through and beyond a period of
disruption. A structured Business Continuity Plan (BCP), focusing on
the mission/time critical activities that all businesses have, could
help to identify the following examples of coping with sudden
disruption:
Recovery Strategies
Temporarily re-locating some staff to work out of another pre-identified office or building;
Temporarily moving the business to an alternate site;
Cross-training or multi-skilling existing staff;
Providing back-up IT and telecommunications systems;
Working remotely at home;
Transferring the business off-country.
6 Stages of the BCM Life Cycle
[Figure: the BCM life cycle, drawn as a cycle of six numbered stages]
1. BCM Programme Management
2. Understanding your Organisation
3. Determining BCM Options
4. Developing the BCM Response
5. Embedding a BCM Culture
6. Exercising, maintenance, auditing and self-assessment
Refer to Notes Also
6 Stages of the BCM Process
[Figure: the BCM process, drawn as a cycle of six numbered stages]
1. Initiation of BCP / Risk Assessment
2. Business Impact Analysis
3. Analysis of Critical Processes
4. Creation of BC Plan
5. Testing of BCP
6. Updating of BCP
HW Notes
1. BCM Programme Management
Enables the business continuity capability to be both established
and maintained appropriate to the size of the business. The
strategy needs to be supported and driven from the very top of the
organization down.
2. Understanding your Organization
Identifies the critical products, services and functions in your
business. It also identifies the activities and resources required to
achieve these areas of your business.
3. Determining BCM options
Selecting an appropriate strategy to mitigate loss, thereby
maintaining your business' critical functions. The choices made
should take into account resilience and countermeasure options
already present within the business.
Similar to – BIA / Analysis of Critical Processes
Similar to – Creation of BC Plan
4. Developing the BCM response
Building your business' risk tolerance by improving operational
procedures and practices and putting in place BCP to ensure that
interruptions to service can be dealt with as quickly as possible.
5. Embedding a BCM culture
Embedding a BCM culture in the business core values and daily
operational procedures ensures BCM principles are adopted
across your business processes. This will involve education and
awareness training for all stakeholders including employees,
suppliers and contractors.
6. Exercising, maintenance, auditing and self-assessment
Ensuring that your BCP is up to date, your staff are aware of it and
they are exercised in its use.
Similar to – Creation of BC Plan / Testing of BCP
Similar to – Updating BCP
Risk Assessment
• A Risk Assessment is the process of identifying, analyzing, and
weighing all the potential risks, threats and hazards to an
organization's internal and external environment.
• It discovers if a facility (building) is vulnerable to weather/man-made
related events, HVAC failure, Internal/External Security vulnerabilities
and local area hazards.
• It allows a business to document what mitigating actions have been
taken to manage these exposures.
• By identifying the threats that are currently being mitigated versus
threats that are not, a business can compile a list of recommendations
for improvement.
– Determine events that can impact the organization.
– Determine damage such events can cause.
– Determine controls needed to prevent or minimize the effects of potential
loss.
– Provide cost benefit analysis to justify investment in controls.
Business Impact Analysis
• The entire concept of business continuity is based on the
identification of all business functions within an organization, and
then assigning a level of importance to each business function.
• A business impact analysis is the primary tool for gathering this
information and assigning priorities, recovery point objectives (RPO ¹),
and recovery time objectives (RTO ²), and is therefore part of the basic
foundation of business continuity.
• It can be used to identify the extent and timescale of the impact on
different levels of an organization.
– Identify impacts resulting from disruptions that could affect the
organization.
– Identify techniques that can be used to quantify/qualify such impacts.
– Establish critical functions, their recovery priorities and interdependencies.
– Establish recovery time objectives (RTO) and recovery point objectives
(RPO) based on the analysis.
¹ RPO – defines the maximum level of work in progress that can be lost.
² RTO – defines the tolerable maximum length of time that a business process can be unavailable.
Recovery Strategies – Alternate Sites
• Cold Site
A cold site is rented space with power, cooling and connectivity that's
ready to accept equipment. With recovery times of a week or more, a cold
site is only an option for business processes that can be down for an
extended period. Cold sites are also used to complement hot sites and
warm sites in case of disasters that last a long time.
Advantages | Disadvantages
Low cost | Recovery Time above 1 week
Able to complement Hot and/or Warm sites | May not be able to purchase equipment in a timely manner if there is a major wide-area incident.
• Hot Site
A hot site is a duplicate of the original site of the organization, with full
computer systems as well as near-complete backups of user data.
Real time synchronization between the two sites may be used to completely
mirror the data environment of the original site using wide area network
links and specialized software.
This type of backup site is the most expensive to operate. Hot sites are
popular with organizations that operate real time processes such as
financial institutions, government agencies and ecommerce providers.
Advantages | Disadvantages
Shortest Recovery Time (Below 2 hours) | Very costly to run and maintain
Fully equipped | High maintenance required
• Warm Site
A warm site is, quite logically, a compromise between hot and cold.
These sites will have hardware and connectivity already established, though
on a smaller scale than the original production site or even a hot site.
Likely rented from vendors on a shared basis.
Advantages | Disadvantages
Offer cost vs. risk benefits | Recovery Time between 1 day to 1 week
Balance between Cold and Hot sites | Partially equipped
• Split Site
Split sites enable the organization to operate concurrently at 2 office
locations. Critical business functions are separated to work in these
locations.
This minimizes the risk of loss of one premise and loss of key personnel.
This option is widely used in mitigating Pandemic risks.
Advantages | Disadvantages
Fully redundant | Normally requires additional staff as there is some duplication of roles
Caters to loss of staff in one office | Very costly to run and maintain
• Third Party Site (dedicated or shared)
When contracting services from a commercial provider of backup site
capability, organizations should take note of contractual usage provisions
and invocation procedures. Providers may sign up more than one organization
for a given site or facility, often depending on various service levels.
This is a reasonable proposition as it is unlikely that all organizations
using the service will need it at the same time, and it allows the provider
to offer the service at an affordable cost. However, in a large scale
incident that affects a wide area it is likely that these facilities will
become oversubscribed.
Advantages | Disadvantages
Manage as an outsourced vendor | Costly if it is a dedicated contract
Vendor provides the expertise, facilities, equipment and infrastructure | Concentration Risk if several clients in area for shared contract
• Working Remotely
Having staff work remotely at home is also a cost effective strategy to
mitigate office inaccessibility due to floods, typhoons, snow storms, bush
fires, road closure (riots, bomb blasts), etc.
During Pandemic outbreaks, social distancing is often encouraged.
Working remotely will mitigate the risk of staff infections.
Advantages | Disadvantages
Reduce risk of travelling to work | HR issues
Cost effective as facility costs are minimised | Security and control risks
• Considerations for Alternate Sites
– Choosing the type is mainly decided by an organisation’s cost vs.
benefit strategy.
– The Primary and Alternate Sites should be at least 3 to 5 kilometers
apart to minimize concentration risk of any wide-area incidents.
– Training Centers and other non-essential offices in another location can
also be utilized as Alternate Sites.
– The BCP Team must be involved in facility/space planning to get
alignment on overall recovery strategy.
The Bottom Line
• Many businesses decide not to implement BCM because of
the perceived impact on the Bottom Line - the cost of
re-allocating existing staff to BCM planning, the cost of
exercises, audits and reviews to name but a few. In making
your decision on BCM, consider the hidden value of the
BCM process.
(Romano 1995) – “…within ten days of an extended
computer outage, a company loses an estimated 2 to 3% of
its gross sales and most companies will never fully recover
from 10 days without computers.”
• Consider the hidden value of the BCM process:
– As a management process, BCM can highlight efficiencies and
economies in your business that you otherwise might not have been
aware of - it could save you money.
– BCM is scalable - it does not have to be a drain on resources.
– The cost of committing to BCM could well be minute when
compared to the cost of getting your business up and running
without BCM in place. In times of disruption, resources are scarce and
it takes time to procure extra resources if existing arrangements are not
in place through BCM. This could cost your business in downtime, lost
orders and reduced brand/customer loyalty.
– BCM improves your staff's awareness of the business. It promotes
innovation, integration and teamwork.
Current BCM Standards
International and Singapore
International Standards
• BS 25999 (UK)
BS25999 is the British Standard published by the British Standards
Institute for Business Continuity Management. It is published in two
parts:
– The first, "BS 25999-1:2006 Business Continuity Management. Code of
Practice", takes the form of general guidance and seeks to establish
processes, principles and terminology for Business Continuity
Management.
– The second, "BS 25999-2:2007 Specification for Business Continuity
Management", specifies requirements for implementing, operating and
improving a documented Business Continuity Management System
(BCMS), describing only requirements that can be objectively and
independently audited.
• BS 25777 (UK)
Code of practice for Information and Communications Technology (ICT)
continuity management.
ICT continuity management supports the overall business continuity
management (BCM) process of an organization. BCM ensures that
your organization’s processes are protected from disruption and that it
is able to respond positively and effectively when disruption occurs.
• BS7799 (UK) / ISO17799 (International)
BS7799 and ISO17799, which are respectively the British and
International standards for Information Security Management,
include the need to implement a business continuity management
process to help protect the organization’s information and computing
assets from harm.
• ITIL (International)
In respect of IT service provision, ITIL – the IT Infrastructure Library
– has produced a framework for IT service management which
includes Continuity Management as one of its five service delivery
disciplines.
• ISO/PAS 22399:2007 (International)
The international benchmark published by ISO for incident preparedness
and operational continuity management.
• NFPA 1600:2007 (US)
The North American standard on Disaster/Emergency Management
and Business Continuity Programs.
International Certifications
• Business Continuity Institute (UK)
The Business Continuity Institute (BCI) was established in 1994 to
enable individual members to obtain guidance and support from
fellow business continuity practitioners. The BCI currently has
4800+ members in 85+ countries.
– Associate Member of the BCI (AMBCI)
AMBCIs are Statutory Members giving them the same voting rights and eligibility to
stand for office as all other categories of professional membership.
– Member of the Business Continuity Institute (MBCI)
Applicants for the senior grade of Member (MBCI) need to demonstrate practical
application of their knowledge by submitting a further professional application
form which will be scored and assessed by a panel of their peers appointed by the
BCI's Membership Council.
– Fellowship of the BCI (FBCI)
Applications or nominations for Fellowship of the BCI are accepted from MBCI or
SBCI with appropriate experience and responsibility. A minimum requirement of 6
years experience as a business continuity practitioner is required.
• Disaster Recovery Institute International (US)
DRI International was founded in 1988 as the Disaster Recovery
Institute in order to develop a base of knowledge in contingency
planning and the management of risk, a rapidly growing profession.
DRI International administers the industry's premier educational and
certification programs for those engaged in the practice of business
continuity planning and management.
More than 3,500 individuals throughout the world maintain
professional certification through DRI International.
– Associate Business Continuity Professional (ABCP)
The Associate Business Continuity Professional certification supports entry level
proficiency in our Professional Practices with less than 2 years experience in the
field. This is the entry level certification.
– Certified Business Continuity Professional (CBCP)
The Certified Business Continuity Professional is reserved for individuals who
have demonstrated knowledge and working experience of greater than 2 years.
They must be able to demonstrate practical experience in 5 of the subject matter
areas of the Professional Practices.
– Master Business Continuity Professional (MBCP)
The Master Business Continuity Professional is reserved for individuals who have
demonstrated knowledge and working experience of greater than 5 years. They must
be able to demonstrate practical experience in 7 of the subject matter areas of the
Professional Practices.
Singapore Standards
• Singapore BCM Standard SS540:2008
Background
The need for a standard of best practices has prompted the
Singapore Business Federation, the Economic Development Board
and SPRING Singapore to initiate the development of the Technical
Reference TR 19:2005. The work included the collaboration of key
industry and government contributors.
The Business Continuity Management Council of the Singapore
Business Federation provided strategic guidance to the Technical
Committee in the development of TR 19.
After a two-year trial implementation, TR 19 was reviewed by the
Technical Committee to determine the feasibility of its transition to a
Singapore Standard (SS), resulting in the development of SS 540:2008,
which replaces TR 19.
• National BCM Programme
The National Business Continuity Management (BCM) Programme
aims to encourage early adoption of BCM by SMEs.
The Singapore Business Federation (SBF) has been appointed as
the Focal Point in this national initiative.
In this capacity, the SBF seeks to:
– Raise the awareness of the importance of BCM to businesses.
– Widen BCM standard implementation by the business community.
– Make BCM more accessible to the business community.
– Support our enterprises’ efforts to become BCM certified.
Individual SMEs or SMEs which are part of a consortium can apply
for support to help defray part of the cost to become BCM ready and
obtain SS540 certification.
Coverage includes part of the:
– Salary/training of staff involved in the BCM certification project.
– Cost of engaging 3rd party consultancy service to support the process
of SS540 or equivalent certification.
– BCM certification cost.
– IT Hardware/software needed to implement BCM.
How is it applied to Corporations?
Regulatory Compliance
• The Monetary Authority of Singapore (MAS)
– Business Continuity Management Guidelines (June 2003)
7 Principles covering BCM framework and governance.
– Further Guidance on Business Continuity Management (January 2006)
Additional guidance on Security/Infrastructure and Pandemic Measures.
• Stock Exchange Limited (SGX)
– Business Continuity Management Rules (January 2009)
Similar to MAS BCM Guidelines.
Outsourcing Compliance
• The Monetary Authority of Singapore (MAS)
– Guidelines on Outsourcing (October 2004)
Guidelines on Outsourcing framework and governance.
Includes governance on service provider’s BCM (compliance with MAS BCM
Guidelines).
Government Tenders
• The Singapore government is already spreading the
word that companies bidding on certain government
contracts might eventually have to be SS540-certified.
Due Diligence
• Some companies (especially Financial Institutions) are
regularly performing due diligence on service providers’,
suppliers’ and vendors’ BCM resiliency (including
Pandemic preparedness).
How is it linked to Facilities Management?
Analysis of Critical FM Processes
• What facilities are core and cannot be contracted out temporarily?
• What facilities can operate temporarily with minimal attention,
thereby allowing diversion to the critical?
• Space management and allocation is also an important issue
and under the FM control: what space is core and how is it used?
Could alternatives be created temporarily or sourced elsewhere?
Where are you space-critical? Could an IT/IS back-up allow remote
working of a significant portion of the process and allow re-shuffling
to support the site critical?
• Communication is another aspect under the control of the FM:
assess the critical and core communication routes. How is the
remainder of communications achieved? Could alternatives be
created temporarily or sourced elsewhere?
• Think about temporarily outsourcing some of your IT systems.
• How site/IT/HRM critical is the visible product / image of the
company?
Facilities Management’s Role - Crisis
• Business-as-usual
– Update BCP Team of changes in Real Estate planning.
– Surveillance and monitoring of Security Threats and Risks.
– Conduct Evacuation Drills.
• During Crisis
– Key member in Incident Assessment Team together with IT.
– Coordinate evacuation if necessary.
– Preliminary assessment of the impact on premise accessibility
and technical equipment.
– Coordinates security arrangements (secure premises).
– Coordinate salvage operations.
– Liaison with Insurers. (investigation and claims)
– Repair damaged premises/source for new premises.
Facilities Management’s Role - Pandemic
• Pre-Pandemic
– Manage inventory and distribution of Personal Protective
Equipment (PPE). e.g. masks, gloves, gowns, etc.
– Review contracts with cleaning/decontamination vendors.
– Identify/maintain Quarantine/Isolation Rooms.
• During Pandemic
– Infection Control
  • Implement Temperature Screening, Health/Travel History Declaration
  and recording of contact details for visitors.
  • Display health advisories to inform visitors on preventive
  measures.
  • Increase cleaning schedule.
– Management of Suspect Cases
  • Don PPE and direct sick staff to Quarantine/Isolation Room.
  • Call ambulance or send staff to the nearest Pandemic Preparedness
  Clinic.
  • Institute deep cleaning of surrounding work area.
Safety & Security Watch Group (SSWG) Scheme
• In November 2003, the Security Watch Group (SWG) Scheme was
introduced as mainly a Police-networking platform for the
commercial sector to collaborate on the target-hardening of the
premises where they operate their businesses.
• Buildings are grouped into SWG clusters. Within each SWG cluster,
buildings undergo the three-step process of threat assessment,
auditing of systems and the streamlining of operations through the
pooling of resources.
• Beginning in November 2006, the SWG Scheme underwent an
upgrading exercise to incorporate both safety and security aspects
of the Police and SCDF, and became officially known as the Safety
and Security Watch Group (SSWG) Scheme.
Corporate First Responder (CFR) Scheme
• Business recovery and continuity is often contingent on access to
business premises after the incident. In the aftermath of a disaster
such as a terrorist attack or the collapse of a building, the incident
site and surrounding buildings would be cordoned off.
• Access to the incident site is restricted to authorized emergency
personnel such as the Singapore Civil Defence Force (SCDF) and
Singapore Police Force (SPF) who carry out rescue and recovery as
well as investigation operations.
• The Corporate First Responder (CFR) Scheme aims to forge a
“win-win” partnership between the Government and the business
community by allowing identified personnel from the business
community access into the restricted cordoned area to aid rescue
and recovery efforts as well as execute business continuity recovery
plans.
CORPORATE FIRST RESPONDER (CFR) SCHEME
– A PUBLIC - PRIVATE PARTNERSHIP –
• PLANNING
Strategizing
Choosing
Timing
Answering
Outline
• WRITING
Quality versus speed
Don't get lost. Follow the plan.
Skipping
Language
Bullet points?
• CHECKING
Changing answers
Did you answer the question?
PLANNING
Strategizing – download from your memory bank/ Chapter 2/1.
Choosing - do I answer this question first, 2nd or 3rd?
Timing – 120mins/3 = 40min – 30min/ 40min or 50min?
Answering – What is the action word? Report/ discuss. Key words? –
how FM contribute/ design and construction building/ qualified/
manage/
Outline – 34/2= 15 points.
PLANNING
Answering – Report FM role and how contribute/manage construction/
is FM qualified to do so?
Outline –
Intro – role of FM – alignment with client/ strategic and total FM (4points)
Body/ Answer the question – (say 9 points) –
How /why FM contribute and manage construction
1. FM = process management/ FM principles can apply.
2. Natural point of contact/ facilities related / facilitate communication .
3. Compatible with FM operations/ Total FM value add to the design.
4. Can follow up easily after construction team exit/ knowledge management.
5. Align with client – value add with corporate in-house requirements.
6. Expertise in life cycle costing.
FM qualifications
1. Expertise in costing and finance.
2. Expertise in integration of facilities services.
3. Holistic understanding of relationship between biz and space/ IFMA 6
competencies.
Conclusion – how value for money can be achieved – 2 points