Business Continuity Management Institute Resilience Newsletter Q2 2008

ISSUE 2 YEAR 2008

RESILIENCE NEWSLETTER

President Speaks

Dear friends

This is the 2nd Edition of Resilience and I am glad that the newsletter is still on time in spite of the many initiatives that are presently underway. Just to highlight three major breakthroughs: the initial good news is that the number of certified professionals from BCM Institute has risen past 1000 professionals from 34 countries. Besides the courses running throughout Asia, we have begun our course offerings in the Middle East, starting with Bahrain. We hope to see our Gulf Cooperation Council (GCC) attending the institute’s course within 2008. Last but not least, we have the BCM Institute’s forum running on the CollectiveX platform. I am glad that it has passed 915 participants, having started recruitment only on 1st April 2008. It is remarkable to have so many professionals participating in a relatively new BC and DR related forum. Your support is most heartening to us.

With this issue of Resilience we hope to highlight to friends and past participants the continued support of you and our instructors, to whom this institute is indebted. I look forward to bringing you more updates during our next issue.

Dr Goh Moh Heng

President

BCM Institute

315 Outram Road #15-04 Tan Boon Liat Building Singapore 169074 Tel: +65 6323 1500 Fax: +65 6323 0933 Email: [email protected] Website: www.bcm-institute.org

Upcoming courses (Jul/Aug/Sept)

o BCM-300: Singapore (10/09/08)

o BCM-350: Pune (03/05/08), Chennai (25/08/08), Hyderabad (27/08/08)

o DRP-400: Singapore (14/07/08)

o BCM-810: Singapore (04/08/08)

o BCM-830: Singapore (18/09/08)

o BCM-5000: Bangalore (15/07/08), Singapore (18/08/08), Qatar (21/08/08)

o DRP-5000: Chennai (12/08/08), Singapore (22/09/08)


Personal Interview With Salma Desenta From IBM Indonesia

Mr Desenta was a course participant at the recent DRP5000 course held in May 2008 at Furama Riverfront Hotel in Singapore. Here is the excerpt from the interview:

What is your key takeaway from this training?

“Actually for me the key takeaway at this training was the network built with both instructors and other participants. From material point of view, it enriches me with best practices methodology being used outside my current organization.”

What did you like best?

“I like the arrangement of different instructors for each day. By doing so, the participants can learn much more experiences from those instructors. The arrangement of the instructors that have experience from both vendor and end-user perspective also serves different point of view that enriches the participants as well.”

What is the DR strategy you would take back to help implement?

“I believe for those who have been involved in real, practical DR world, they’ve been familiar with the DR strategy presented. But from practical point of view, we did share experiences and creative ideas on how to achieve certain target on each phase of the DR methodology.”

(Editor’s note: The 6 participants rated the 4 BCM Institute instructors very highly, but they particularly appreciated the enriching instruction from 2 instructors, namely Ms Carolyn Lock and Mr David Tay, and asked BCM Institute to echo their feedback. Overall, their heightened learning is a result of the number of trainers fielded, and the trainers’ diverse experience plus ability to teach made their trip to the course more than worthwhile.)


DRP 5000 in house training for regional SHELL participants

BCM Institute is very appreciative of SHELL’s continued reliance on our institute and our instructors to teach BCM and DRP to their expanding BC & DR practitioners. This was the 4th in a series of in-house training, and the participants came from all over Malaysia, Brunei and Singapore. BCM Institute fielded 3 instructors – Ms Serena Chan from Hong Kong, Ms Yvonne Leong, a BC practitioner in a large Malaysian bank, and Mr Lim Sek Seong, Managing Consultant from GMH Continuity Architects in Singapore.

Cyberjaya, Kuala Lumpur, in June 2008

BCM 300 In Bangkok

Trainer: Serena Chan Standing

Trainer: Lim Sek Seong in Tie

Several of BCM Institute’s instructors met for several casual get-togethers at Crystal Jade Restaurant/Great World City, hosted by BCM Institute. It was a good time to talk about non-BC matters and catch up with each other.

Singapore

Meet The Experts

On Friday 27th June 2008, BCM Institute in Singapore held another Meet-The-Expert session at the Furama Riverfront Hotel. It was well received and attended by over 70 participants from the BC & DR Community in Singapore. 3 experts were in attendance that afternoon, and their topics were:

a) Crisis Communication & the need for BC practitioners to know its importance. The speaker was Ms Farah Rahim, who heads the Crisis Communications PR team at Hill & Knowlton.

b) Business Impact Analysis and its practice in other MNCs overseas. The speaker was Dr Goh Moh Heng, President of BCM Institute.

c) SSxxx/TR19, and its proposed requirements and their impact on the BCM process in Singapore. The speaker was Mr Lim Sek Seong, Managing Consultant of GMH Continuity Architects and one of the original co-authors of the TR19 coding.

Typically, the speakers would speak for 30 minutes, and the following 30 minutes were given to the floor. For each session, there was an overwhelming response as participants queried the experts on subject matter and ‘what if’ scenarios (which were largely their experiences or difficulties at work).

Meet the Expert sessions would continue bi-monthly in Singapore. The main intent is to field subject matter experts who would speak about a given topic (usually topics raised by past participants in their feedback forms), with time given for Q&A to enhance the technical session’s learning focus.

FULL ARTICLES

Analyzing & Reviewing the Risks for Business Continuity Planning by Dr Goh Moh Heng

Reviewed by Yvonne Leong

This is another book in Dr Goh Moh Heng’s BCM series – The Risk Analysis and Review for Business Continuity Planning. The term Risk Analysis (RA) is self-explanatory and has always been associated with Risk Management (RM). In fact, it is one of the very critical steps to accomplish the intended functions of RM.

Since Business Continuity Management (BCM) was put in the limelight in the past decades, grey areas have been introduced between the RA of RM and the RA of BCM. This book reiterates the embraced concept of RA and addresses the above grey areas from the BCM perspective. It explains the integration between BCM and RM, using the Australia/NZ RM Standards that defined BCM as part of RM. Since BCM addresses incident, emergency and disaster situations, the RM in BCM should be restricted to events that impact the minimum service level of a business. Some books document BCM as the process of handling the residual risk identified in RM. However, this book recommends that the relationship is best viewed as an overlap that has no definite boundary. In essence, RA in both BCM and RM has similar concepts and objectives.

Given the above grey areas between RM and BCM, the persons in charge of the RA process often ask who should do the job; if it is the responsibility of the BCM team, a second question is raised: when to do it, before, during or after the Business Impact Analysis (BIA). In real life, the scope of the RA exercise depends on who coordinates the job.

1. If RA is coordinated by the RM team.

It covers the overall risks of the organization and may include other types of risk such as credit, market and operations risks. This is the preferred execution model for RA, as the RM team is the subject matter expert in conducting RA and can take a wider scope of RA that is not confined to critical operations and assets. The result would then provide an overall view of the risk profile of the organization.

2. If RA is coordinated by a BC planner of the BCM team.

It covers risks that impact the operations of the organization. The RA would identify the threats and magnitude of risk against the critical assets that have been identified earlier in the BIA. This also means that the RA is best conducted during or after the BIA stage.

In some organizations in this region, there are few personnel, if any, manning the BCM department. In view of the scarce resources, the approach to completing the different phases of BCM aims to be the shortest and fastest, with some degree of compliance with the minimum requirements. As the saying goes: compliance with the general standards and guidelines does not guarantee the resilience of the organization, but the actual exercise and test results make one feel comfortable about the readiness of BCM. With this in mind, along with the ultimate objectives of BCM, one would take the simplest possible steps to achieve the end goals. Therefore the in-depth information, templates and guidelines documented in the book may not be fully appreciated; on the contrary, they may confuse some readers.

In the absence of an external consultant or risk expert, the completeness of the threats identified depends very much on the knowledge and experience of the members attending the brainstorming workshops or discussion groups. As such, Appendix 9 helps by providing a list of possible threats, risks and phenomena for consideration. Studies consistently show that humans are responsible for more than 60% of data center downtime through accidents or mistakes. This book urges consideration of character deficiency threats and other human factors that may cause disaster, such as deteriorating work ethics, absence of loyalty, lack of direct control over service personnel and the stress of being required to do more with fewer personnel resources. Appendix 10 complements the above discussion by describing the common threats faced by most organizations and listing some control measures and considerations to reduce, mitigate or accept the risks.

Though this book is largely a “how-to” book, it also forcefully argues one important point over and over again: we must pay attention to how to present the findings to the executive management and get their buy-in to proceed to the next phase. The last chapter of the book explains how to prepare the necessary information and findings for an executive management presentation; a lot of thought and experience has been shared to close the RA phase. As much hard work has been put in, with tons of findings, one tends to be lengthy and thorough in presentation. This chapter shares the critical elements that make up a good presentation session and provides hints on presenting the right information to keep the excitement going during an executive management presentation, in order to get their buy-in to adopt the risk controls and, of course, their nod for funding to proceed to the next actions required in the RA phase, i.e. execution of risk mitigation, endorsement of risk rejection and acceptance, or continuing with the BIA phase and the recovery strategy development phase of BCM.

The information documented in the book is of utmost importance in handholding new BC planners on their journey in BCM, or in reminding professional BC planners of the basis of BCM. It serves as a very good reference source to kick off a BCM project or initiate a continual improvement plan in the BCM journey. Therefore, it should undoubtedly find a place on the bookshelf of every BC planner.

[Editor’s Note: This book is currently in the process of being published, and should be available soon for purchase at the BCM Institute’s Singapore office, or online via the www.bcm-institute.org shopping cart or at www.amazon.com.]

BS 25999 – Creating Competitive Advantage and unparalleled BCM leadership – a perspective from BCMI India.

The launch of the BS 25999 standard is a milestone for the global BCM industry. The importance of Business Continuity Management (BCM) is increasing day by day. Be it natural disasters or man-made, at some point of time we all have been affected by these disasters in some shape and form. Therefore, we have to admit that having a robust BCM in place does not only talk about good corporate governance but also establishes the fact that the organization is committed to all its stakeholders. We all know that it’s not really the financial loss of the transaction that causes a problem – it’s really the customer loss of faith, trust and confidence that the disruption causes. In the past, there have been various instances of several organizations where the operations were disrupted beyond a reasonable period of time, resulting in business volumes dropping and market share getting eroded. Very soon, the costs become too high and revenues too low, and the operations remain no longer viable – so the organization closes down. The message is very clear. Business continuity is critical to ensure the survival of the organization!

Most BCM and DR professionals would probably be aware that the BS 25999 was launched globally in Tokyo, London and New York on Oct 31, 2007. This launch was attended by several renowned industry professionals in the BCM domain representing various private and public organizations.

Over the last couple of months, the British Standards Institute (BSI) has held a series of road shows on the BS 25999 standard across the Middle East in Dubai, Abu Dhabi, etc. The India launch took place in 3 Indian cities - New Delhi, Mumbai and Bangalore. The launch was jointly organized and co-ordinated by the Confederation of Indian Industry (CII) and BSI. CII is a non-government, not-for-profit, industry led and industry managed organization, playing a proactive role in India's development process.

So what exactly is BS 25999? BS 25999 is the world’s first internationally recognized standard for Business Continuity Management (BCM). This was developed by the BSI - which has a history of over 100 years in developing standards. The BS 25999 is based substantially on the PAS 56 (Publicly Available Specification 56) - released in 2003. The objective has been to define a Management Systems approach to BCM, based on best practices. Importantly, the BS 25999 is applicable to any organisation (large, medium and small) operating in any industry (e.g. healthcare, professional services, manufacturing, retail, oil industry etc), having any ownership whatsoever (private sector, public sector, government, voluntary etc).

A standard provides independent third-party validation of competence – that you are as good as the best in the world. Standards also give confidence to existing and potential customers about an organization’s capabilities. They help demonstrate market leadership and create competitive advantage. All things being equal, a buyer will choose the certified organisation – and maybe even be willing to pay more for the peace of mind that a certification such as BS 25999 brings. Importantly, standards are based on best practices – which means doing the right thing in the right way. Standards also help equip your organization with a strong foundation for further scaling up – more so in cases where the organization is looking at expanding its operations to new geographies and starting to bring new people on board. It may be wise to ensure that your BCM program is in compliance with the BS 25999 standard. Only then can you have true peace of mind.

A standard adds value in terms of its universal applicability and implementation structure. It can be used to meet strategic, organizational, regulatory and legislative requirements. The BS 25999 standard provides an effective BCM framework and can fit with your existing processes and systems. Also, it can work alongside and audit your existing business continuity plans. I believe the rollout of BS 25999 would give a major boost towards achieving quality and compliance in the BCM domain. The adherence to the standard will definitely enhance customer confidence, resulting in improved business and overall profitability.

The India launch event was sponsored by BCM Institute and the National Disaster Management Authority (NDMA). The NDMA, headed by the Prime Minister of India, is the Apex Body for Disaster Management in India. Within nearly 6 months of the launch, 9 organizations worldwide have been certified. The largest of these organizations has been Accenture, which got certified for its India operations, where it has 37 thousand employees in multiple locations. Presently, I sense that there is a lot of action happening, particularly in India. And my guess is that a lot of organizations in other countries have already started appreciating the intrinsic as well as extrinsic value that BS 25999 brings to an organization’s BCM programme.

Friends, in my experience I have observed that a lot of corporate organizations/personnel are under the fallacy that ‘it will never happen to me’. In fact, ‘It’ is happening all around us. In India or any country of the world, the need for business continuity has been vividly demonstrated again and again.

At the launch, Mr. Robin Pilcher (Global Marketing Director-BSI) pointed out that because of high interest and awareness, BS 25999 has become the fastest selling standard in the world after ISO 9000, which was introduced 20 years ago. There have been more than 5000 downloads to date on the BSI website. This phenomenon clearly demonstrates the growing need for and importance of the Business Continuity Management field around the world. In fact, he also shared that the maximum number of comments/feedback during the public draft review came from India.

As a critical element of corporate governance and survival, BCM is not an overhead, and it should be implemented because it is the right thing to do - not simply because a customer, regulator or any other stakeholder wants it. If an organization recognizes the strategic criticality of BCM, it must find the time and resources to implement BCM on a priority basis. Therefore, we can safely assume that a robust Business Continuity Management System (BCMS) is important to ensure the continued existence and survival of the organization.

During the technical session, Mr. Venkatraman Arabolu (India MD-BSI) drew the audience’s attention to the fact that in most organizations, the weakest link in their continuity strategy, planning and recovery efforts is the People issue, with 35% of the total falling under this risk category. Other major categories included Process risk (27%), Technology risk (18%) and Supply chain partner risk (9%). And I think that the supply chain risk applies to all of us in some form or shape. In uncertain times to come, this risk can get bigger and dangerous for business survival.

Mr. Anupam Kaul from CII highlighted the need for greater preparedness and shared his experience of the Union Carbide accident, where all six safety features had failed and thousands of innocent people lost their lives. Prof. Vinod Menon from NDMA rightly mentioned – “The Business of Business is to stay in Business”.

One of the main speakers – Mr. P.G. Kakodkar, former Chairman of SBI group, which is India’s largest bank – shared his perspective on BCM criticality in the banking sector and strongly supported the BS 25999 applicability.

Mr. Dhiraj Lal (Country Manager-BCM Institute), who is Asia’s first technical expert on BS 25999, shared that the BCM process is the core responsibility of the CEO and the Board of Directors of an organization. Therefore, not thinking of or opting for BCM can put the organization’s survival at stake. And in case disaster happens to an unprepared organization, then image, brand and trust may take a beating.

Application of BS 25999 would result in assurance to an organization’s Top Management that their business has the needed capability to continue and deliver in case of any emergency/disaster. The Standard’s implementation would ultimately attract more customers, demonstrate market leadership and create competitive advantage in today’s dynamic market scenario. We all would agree that service disruptions, delays in responding to customer requests, inability to process transactions in a timely manner or being unable to resume business in the face of a disaster can all have significant impacts on an organization's effective operation.

BSI has partnered with BCM Institute (domain experts in BCM only) to impart the training and guidance which an organization requires to prepare for the BS 25999 audit and certification. BCM Institute also took part in the first 2 BS 25999 technical audits, which were carried out for Citigroup Global Services and Accenture, who were also awarded the BS 25999 certification during the seminar.

BS 25999 clearly states that the responsibility for the BCM programme implementation and success lies with the CEO of the organization. After all, the CEO is the person who leads the whole organization to the path of success and profitability. I believe it is critical that a CEO/Board member should think of BCM as ‘The right thing to do’ rather than searching for the reasons for doing it. Ultimately, it’s their responsibility towards the organization’s customers, shareholders and all other stakeholders. After all, corporate governance is all about having confidence in what you do and how transparently you do it. In my personal viewpoint, BS 25999 is the right tool, which definitely gives a CEO/Board member the needed confidence and trust that his/her business is following the right BCM process, ultimately ensuring Business survival in testing times.

It’s an uncertain world, lifeguard your business.

Harsh Garg

Note: In case of any queries, please feel free to drop an email at [email protected]