Business Continuity Management Institute Resilience Newsletter Q2 2008
Welcome to our second Edition of BCM Institute’s Resilience newsletter and I am glad that the newsletter is still on time in spite of the many initiatives that are presently underway. Just to highlight three major breakthroughs. The initial good news is that the number of certified professionals from BCM Institute has risen past 1000 professionals from 34 countries. Besides the courses running throughout Asia, we have begun our course offerings in the Middle East, starting with Bahrain. We hope to see our Gulf Cooperation Council (GCC) attending the institute’s course within 2008. Last but not least, we have the BCM Institute’s forum running on the groupsite platform, http://bcmi.groupsite.com. I am glad that it has passed 915 participants, with recruitment starting only on first April 2008. It is remarkable to have so many professionals participating in a relatively new BC and DR related forum. Your support is most heartening to us. With this issue of Resilience we hope to highlight to friends and past participants the continued support of you and our instructors, to whom this institute is indebted.
ISSUE 2 YEAR 2008
RESILIENCE NEWSLETTER
President Speaks
Dear friends
This is the 2nd Edition of Resilience and I am glad that the
newsletter is still on time in spite of the many initiatives
that are presently underway. Just to highlight three major
breakthroughs. The initial good news is that the number
of certified professionals from BCM Institute has risen
past 1000 professionals from 34 countries. Besides the
courses running throughout Asia, we have begun our
course offerings in the Middle East, starting with Bahrain.
We hope to see our Gulf Cooperation Council (GCC)
attending the institute’s course within 2008. Last but not
least, we have the BCM Institute’s forum running on the
CollectiveX platform. I am glad that it has passed 915
participants, with recruitment starting only on 1st April 2008.
It is remarkable to have so many professionals
participating in a relatively new BC and DR related forum.
Your support is most heartening to us.
With this issue of Resilience we hope to highlight to
friends and past participants the continued support of you
and our instructors, to whom this institute is indebted. I look
forward to bringing you more updates during our next
issue.
Dr Goh Moh Heng
President
BCM Institute
315 Outram Road #15-04 Tan Boon Liat Building Singapore 169074 Tel: +65 6323 1500 Fax: +65 6323 0933 Email: [email protected] Website: www.bcm-institute.org
Upcoming courses (Jul/Aug/Sept)
o BCM-300: Singapore (10/09/08)
o BCM-350: Pune (03/05/08), Chennai (25/08/08), Hyderabad (27/08/08)
o DRP-400: Singapore (14/07/08)
o BCM-810: Singapore (04/08/08)
o BCM-830: Singapore (18/09/08)
o BCM-5000: Bangalore (15/07/08), Singapore (18/08/08), Qatar (21/08/08)
o DRP-5000: Chennai (12/08/08), Singapore (22/09/08)
Personal Interview With Salma Desenta From IBM Indonesia
Mr Desenta was a course participant at the
recent DRP5000 course held in May 2008 at
Furama Riverfront Hotel in Singapore. Here is
the excerpt from the interview:
What is your key takeaway at this training?
“Actually for me the key takeaway at this training was the
network built with both instructors and other participants. From
a material point of view, it enriches me with the best-practice
methodology being used outside my current organization.”
What did you like best?
“I like the arrangement of different instructors for each day. By
doing so, the participants can learn from many more experiences
from those instructors. The arrangement of instructors that
have experience from both the vendor and end-user perspective
also serves different points of view that enrich the participants
as well.”
What is the DR strategy you would take back to help
implement?
“I believe those who have been involved in the real, practical
DR world have been familiar with the DR strategy
presented. But from a practical point of view, we did share
experiences and creative ideas on how to achieve certain
targets in each phase of the DR methodology.”
(Editor’s note: The 6 participants rated the 4 BCM Institute
instructors very highly, but they particularly appreciated the
enriching instruction from 2 instructors, namely Ms Carolyn
Lock and Mr David Tay, and asked BCM Institute to echo their
feedback. Overall, their heightened learning is a result of the
number of trainers fielded, and their diverse experience plus
ability to teach made their trip to the course more than
worthwhile.)
DRP 5000 in-house training for regional SHELL participants
BCM Institute is very appreciative of SHELL’s continued
reliance on our institute and our instructors to teach BCM and
DRP to their expanding BC & DR practitioners. The 4th in a
series of in-house training sessions, the participants came from all over
Malaysia, Brunei and Singapore. BCM Institute fielded 3
instructors – Ms Serena Chan from Hong Kong, Ms Yvonne
Leong, a BC practitioner in a large Malaysian bank, and Mr
Lim Sek Seong, Managing Consultant from GMH Continuity
Architects in Singapore.
Cyberjaya, Kuala Lumpur,
in June 2008
BCM 300 In Bangkok
Trainer: Serena Chan Standing
Trainer: Lim Sek Seong in Tie
Several of BCM Institute’s
instructors met for several
casual get-togethers at Crystal
Jade Restaurant/Great World
City, hosted by BCM Institute.
It was a good time to talk about
non-BC matters and catch up
with each other.
Singapore
Meet The Experts
On Friday 27th June 2008, BCM Institute in Singapore held
another Meet-The-Expert session at the Furama Riverfront
Hotel. It was well received and attended by over 70
participants from the BC & DR Community in Singapore. 3
experts were in attendance that afternoon, and their topics
were:
a) Crisis Communication & the need for BC practitioners to
know its importance. The speaker was Ms Farah Rahim
who heads the Crisis Communications PR team at Hill &
Knowlton.
b) Business Impact Analysis and its practice in other MNCs
overseas. The speaker was Dr Goh Moh Heng, President
of BCM Institute.
c) SSxxx/TR19, and its proposed requirements and their
impact on the BCM process in Singapore. The speaker
was Mr Lim Sek Seong, Managing Consultant of GMH
Continuity Architects and one of the original co-authors of
the TR19 coding.
Typically, the speakers would speak for 30 minutes, and the
following 30 minutes was given to the floor. For each
session, there was an overwhelming response as participants
queried the experts on subject matter and ‘what if’
scenarios (which were largely their experiences or difficulties
at work).
Meet the Expert sessions would continue bi-monthly in
Singapore, and the main intent is to field subject matter
experts who would speak about a given topic (usually topics
raised by past participants in their feedback forms), and time
given for Q&A to enhance the technical session’s learning
focus.
Analyzing & Reviewing the Risks for Business Continuity
Planning by Dr Goh Moh Heng
Reviewed by Yvonne Leong
This is another book in Dr Goh Moh Heng’s BCM series – The Risk Analysis and Review for Business Continuity
Planning. The term Risk Analysis (RA) is self-explanatory and has always been associated with Risk Management
(RM). In fact, it is one of the very critical steps to accomplish the intended functions of RM.
Following Business Continuity Management (BCM) being put in the limelight in the past decades, grey areas were
introduced between the RA of RM and the RA of BCM. This book reiterates the embraced concept of RA and addresses the
above grey areas from the BCM perspective. It explains the integrations between BCM and RM, using the
Australia/NZ RM Standards that defined BCM as part of RM. Since BCM addresses incident, emergency and
disaster situations, the RM in BCM should be restricted to events that impact the minimum service level of a business.
Some books document BCM as the process of handling the residual risk identified in RM. However, this book
recommends that the relationship is best viewed as an overlap relationship that has no definite boundary. In essence,
RA from both BCM and RM has similar concepts and objectives.
Following the above grey areas between RM and BCM, the persons in charge of the RA process often ask who should
do the job; if it is the responsibility of the BCM team, a second question is raised - when to do it: before, during or after
the Business Impact Analysis (BIA). In real life, the scope of the RA exercise depends on who coordinates the job.
1. If RA is coordinated by the RM team.
It covers the overall risks of the organization and may include other types of risks like credit, market and operations
risks. This is the preferred execution model for RA, as the RM team is the subject matter expert in conducting RA
and they could have a wider scope of RA which is not confined only to critical operations and assets. The
result would then provide an overall view of the risk profile of the organization.
2. If RA is coordinated by a BC planner of the BCM team.
It covers risks that impact the operations of the organization. The RA would identify the threats and magnitude of
risk against the critical assets that have been earlier identified in the BIA. This also means that the RA should
best be conducted during or after the BIA stage.
In some organizations in this region, there are few personnel, if any, manning the BCM department. In view of the
scarce resources, the approach to completing the different phases in BCM aims to be the shortest and fastest, with
some degree of compliance with the minimum requirements. As the saying goes: compliance with the general standards and
guidelines does not guarantee the resilience of the organization, but the actual exercise and test results make one feel
comfortable with the readiness of BCM. Having this in mind and the ultimate objectives of BCM, one would do the
simplest possible steps to achieve its end goals. Therefore the in-depth information, templates and guidelines
documented in the book may not be fully appreciated; in contrast, they may confuse some readers.
In the absence of an external consultant or risk expert, the completeness of the threats identified depends very much on
the knowledge and experience of the members attending the brainstorming workshops or discussion groups. As
such, appendix 9 helps by providing a list of possible threats, risks and phenomena for consideration. Studies
consistently show that humans are responsible for more than 60% of data center downtime through accidents or
mistakes. This book urges the consideration of character deficiency threats and other human factors that may
cause disaster, such as deteriorating work ethics, absence of loyalty, lack of direct control over service personnel
and the stress of being required to do more with fewer personnel resources, etc. Appendix 10 complements the above
discussion by describing the common threats faced by most organizations and listing some control measures and
considerations to reduce, mitigate or accept the risks.
Though this book is largely a “how-to” book, it also forcefully argues one important point over and over again: We
must pay attention to how to present the findings to the executive management and get their buy-in to proceed to the
next phase. The last chapter of the book explains how to prepare the necessary information and
findings for an executive management presentation; lots of thought and experience have been shared to close the RA
phase. As much hard work has been put in with tons of findings, one tends to be lengthy and thorough in
presentation. This chapter shares the critical elements that make up a good presentation session. It provides hints on
presenting the right information to keep the excitement going during an executive management presentation, in order to
get their buy-in to adopt the risk controls and of course their nods for funding to proceed to the next actions required
in the RA phase, i.e. execution of risk mitigation, endorsement of risk rejection and acceptance, or continuing with the BIA
phase and the developing recovery strategy phase of BCM.
The information documented in the book is of utmost importance to handhold any new BC planners in their journey in BCM or
to remind professional BC planners of the basis of BCM. It serves as a very good source reference to kick off a
BCM project or initiate a continual improvement plan in the BCM journey. Therefore, it should undoubtedly find a
place on the bookshelf of every BC planner.
[Editor’s Note: This book is currently in the process of being published, and should be available soon for purchase at
the BCM Institute’s Singapore office, or online via the www.bcm-institute.org shopping cart or at www.amazon.com .]
BS 25999 – Creating Competitive Advantage and Unparalleled BCM Leadership – A Perspective from BCMI India
The launch of the BS 25999 standard is a milestone for the global BCM industry. The importance of Business Continuity
Management (BCM) is increasing day by day. Be it natural disasters or man-made, at some point of time we all have
been affected by these disasters in some shape and form. Therefore, we have to admit that having a robust BCM in
place not only speaks of good corporate governance but also establishes the fact that the organization is
committed to all its stakeholders. We all know that it’s not really the financial loss of the transaction that causes a
problem – it’s really the customer loss of faith, trust and confidence that the disruption causes. In the past, there have
been various instances of organizations where the operations were disrupted beyond a reasonable period of
time, resulting in business volumes dropping and market share getting eroded. Very soon, the costs become too high
and revenues too low, and the operations are no longer viable – so the organization closes down. The message is
very clear. Business continuity is critical to ensure the survival of the organization!
Most BCM and DR professionals would probably be aware that the BS 25999 was launched globally in Tokyo,
London and New York on Oct 31, 2007. This launch was attended by several renowned industry professionals in the
BCM domain representing various private and public organizations.
Over the last couple of months, the British Standards Institute (BSI) has held a series of road shows on the BS 25999
standard across the Middle East in Dubai, Abu Dhabi, etc. The India launch took place in 3 Indian cities - New Delhi,
Mumbai and Bangalore. The launch was jointly organized and co-ordinated by Confederation of Indian Industry (CII)
and BSI. CII is a non-government, not-for-profit, industry led and industry managed organization, playing a proactive
role in India's development process.
So what exactly is BS 25999? BS 25999 is the world’s first internationally recognized standard for Business
Continuity Management (BCM). This was developed by the BSI - which has a history of over 100 years in developing
standards. The BS 25999 is based substantially on the PAS 56 (Publicly Available Specification 56) - released in
2003. The objective has been to define a Management Systems approach to BCM, based on best practices.
Importantly, the BS 25999 is applicable to any organisation (large, medium and small) operating in any industry (e.g.
healthcare, professional services, manufacturing, retail, oil industry etc), having any ownership whatsoever (private
sector, public sector, government, voluntary etc).
A standard provides independent third-party validation of competence – that you are as good as the best in the world.
Standards also give confidence to existing and potential customers about an organization’s capabilities. They help
demonstrate market leadership and create competitive advantage. All things being equal, a buyer will choose the
certified organisation – and maybe even be willing to pay more for the peace of mind that a certification such as BS
25999 brings. Importantly, standards are based on best practices – which means doing the right thing in the right way.
Standards also help equip your organization with a strong foundation for further scaling up – more so in cases where
the organization is looking at expanding its operations to new geographies and starting to bring new people on board.
It may be wise to ensure that your BCM program is in compliance with the BS 25999 standard. Only then can you
have true peace of mind.
A standard adds value in terms of its universal applicability and implementation structure. It can be used to meet
strategic, organizational, regulatory and legislative requirements. The BS 25999 standard provides an effective BCM
framework and can fit with your existing processes and systems. Also, it can work alongside and audit your existing
business continuity plans. I believe the rollout of BS 25999 would give a major boost towards achieving quality and
compliance in the BCM domain. Adherence to the standard will definitely enhance customer confidence, resulting
in improved business and overall profitability.
The India launch event was sponsored by BCM Institute and the National Disaster Management Authority (NDMA). The
NDMA, headed by the Prime Minister of India, is the Apex Body for Disaster Management in India. Within nearly 6
months of the launch, 9 organizations worldwide have been certified. The largest of these organizations has been
Accenture, which got certified for its India operations, where it has 37 thousand employees in multiple locations.
Presently, I sense that there is a lot of action happening, particularly in India. And my guess is that a lot of organizations in
other countries have already started appreciating the intrinsic as well as extrinsic value that BS 25999 brings to an
organization’s BCM programme.
Friends, in my experience I have observed that a lot of corporate organizations/personnel are under the fallacy that ‘it
will never happen to me’. In fact, ‘It’ is happening all around us. In India or any country of the world, the need for
business continuity has been vividly demonstrated again and again.
At the launch, Mr. Robin Pilcher (Global Marketing Director-BSI) pointed out that because of high interest and
awareness, BS 25999 has become the fastest selling standard in the world, after ISO 9000, which was introduced 20
years ago. There have been more than 5000 downloads to date on the BSI website. This phenomenon clearly
demonstrates the growing need for and importance of the Business Continuity Management field around the world. In fact,
he also shared that the maximum number of comments/feedback during the public draft review came from India.
As a critical element of corporate governance and survival, BCM is not an overhead, and it should be implemented
because it is the right thing to do - not simply because a customer, regulator or any other stakeholder wants it. If an
organization recognizes the strategic criticality of BCM, it must find the time and resources to implement BCM on a
priority basis. Therefore, we can safely assume that a robust Business Continuity Management System (BCMS) is
important to ensure the continued existence and survival of the organization.
During the technical session, Mr. Venkatraman Arabolu (India MD-BSI) drew the audience’s attention to the fact that in
most organizations, the weakest link in their continuity strategy, planning and recovery efforts is the People
issue, with 35% of the total falling under this risk category. Other major categories included Process risk (27%),
Technology risk (18%) and Supply chain partner risk (9%). And I think that the supply chain risk applies to all of us in
some form or shape. In uncertain times to come, this risk can get bigger and more dangerous for business survival.
Mr. Anupam Kaul from CII highlighted the need for greater preparedness and shared his experience of the Union Carbide
accident, where all six safety features had failed and thousands of innocent people lost their lives. Prof. Vinod
Menon from NDMA rightly mentioned – “The Business of Business is to stay in Business”.
One of the main speakers – Mr. P.G. Kakodkar, former Chairman of SBI group, which is India’s largest bank – shared
his perspective on BCM criticality in the banking sector and strongly supported the BS 25999 applicability.
Mr. Dhiraj Lal (Country Manager-BCM Institute), who is Asia’s first technical expert on BS 25999, shared that the
BCM process is the core responsibility of the CEO and the Board of Directors of an organization. Therefore, not
thinking about or opting for BCM can put the organization’s survival at stake. And in case disaster happens to an
unprepared organization, then image, brand and trust may take a beating.
Application of BS 25999 would result in assurance to an organization’s Top Management that their business has the
needed capability to continue and deliver in case of any emergency/disaster. Implementing the Standard would
ultimately attract more customers, demonstrate market leadership and create competitive advantage in
today’s dynamic market scenario. We all would agree that service disruptions, delays in responding to customer
requests, inability to process transactions in a timely manner or being unable to resume business in the face of a
disaster can all have significant impacts on an organization's effective operation.
BSI has partnered with BCM Institute (domain experts in BCM only) to impart the training and guidance which an
organization requires to prepare for the BS 25999 audit and certification. BCM Institute also took part in the first 2 BS
25999 technical audits, which were carried out for Citigroup Global Services and Accenture, who were also awarded
the BS 25999 certification during the seminar.
BS 25999 clearly states that the responsibility for the BCM programme implementation and success lies with the
CEO of the organization. After all, the CEO is the person who leads the whole organization on the path to success and
profitability. I believe it is critical that a CEO/Board member should think of BCM as ‘The right thing to do’ rather than
searching for the reasons for doing it. Ultimately, it’s their responsibility towards the organization’s customers,
shareholders and all other stakeholders. After all, corporate governance is all about having confidence in what you do
and how transparently you do it. In my personal viewpoint, BS 25999 is the right tool, which definitely gives a
CEO/Board member the needed confidence and trust that his/her business is following the right BCM process,
ultimately ensuring Business survival in testing times.
It’s an uncertain world, lifeguard your business.
Harsh Garg
Note: In case of any queries, please feel free to drop an email at [email protected]