SS 540 is Singapore Standard in the field of Business Continuity Management (BCM). This standard replaces TR 19:2005, a Technical Reference, published in 2005 on the same subject. Refer to SS540 website for more information.
The project was initiated by Economic Development Board (EDB) with the collaboration of Singapore Business Federation (SBF) and SPRING in 2004. The standard was guided by the Business Continuity Management (BCM) Council and supported by the BCM Technical Committee to develop the Technical Reference. The Technical Reference or TR19:2005 was launched on September 2005 during the international ISO meeting. The TR19:2005 was subsequently reviewed and published as the Singapore Standard for BCM and was it officially launched on 31st October 2008.
The SS540:2008 structure is based on a matrix BCM framework. It allows potential gaps in an organization’s BCM efforts to be identified and located. For example, the implications of selecting a particular Business Continuity strategy should be linked to the corresponding policies set forth by Executive Management. Implementation of the Business Continuity strategy should be supported by corresponding infrastructure, training of recovery personnel and establishing the associated recovery processes.
The BCM Framework is divided into 6 major BCM Areas and 4 major BCM components.
Major BCM Areas
This framework divides into 6 broad BCM areas:
The potential threats and risks to an organization can be uncovered via a risk analysis and review of its internal operations and external operating environment. Examples of risks due to internal operations include malfunction of critical manufacturing processes, failure of Information Technology (IT) systems and fire which destroys plant facilities. Examples of risks due to external operating environment include terrorist attacks, floods, political turmoil and disruption of supply chain.
The potential impacts of risks actually occurring to an organization and affecting its ability to achieve its business operation and service can be obtained by conducting a business impact analysis. The later would include, where possible, quantifying the loss impact from both a number of days of business disruption and a financial standpoint.
- Business Continuity strategy Selection (Strategy)
Based on these potential loss impacts the organization would deliberate and select the appropriate strategy or strategies to safeguards its interests. These strategies can be preventive or pre-emptive in nature.
- Plan Development (Business continuity plan)
From the selected strategies a detail business continuity plan (BC Plan) should be instituted in place to respond to risks which can occur and impact its business operation and service. The BC Plan would specify and allocate the resources and thereby building up the capability of the organization to respond to risk occurrences.
- Testing and Exercising (Tests and exercises)
An established BC Plan should be subject to verification via Tests and exercises. Tests and exercises expose probable errors and omissions in carrying out the established plan. It examines if the resources committed are accessible, available and adequate for undertaking the recovery efficiently and effectively. It checks if staff in the organization are familiar with recovery procedures. Overall Tests and exercises validate if the BC Plan indeed meet its recovery objectives.
Besides an established and thoroughly tested BC Plan the organization should demonstrate commitment in maintaining the currency of its plan through regular and systematic review of its risks and business impacts, realigning of its BCM strategies and revalidating of its BC Plan on a continuous basis. BCM should become an integral part of the organization’s operations, audit, testing, quality assurance, change management and culture. Ownership of BCM becomes embedded in individual business units where BCM risks reside.
BCM is an ongoing management process and can be examined from 2 standpoints. Firstly, the impacts of issues and concerns arising from each of the 6 BCM areas identified above need to be examined. Secondly, the direction and support needed to ensure that BCM efforts can be implemented and sustained.
BCM activities in each of the 6 BCM areas identified above therefore can be further examined in terms of the following 4 components:
Executive Management of the organization needs to stipulate policies to guide BCM efforts to be carried out by staff in the organization. Policies underlie the process events and people involvement in BCM activities. For example, a policy requiring all business units to appoint and assign BCM responsibility to a specific staff to participate in the organization BCM Programme. In addition, policies provide the rationale for establishing the necessary infrastructure to support BCM on an ongoing basis.
These processes are set of activities with defined outcomes, deliverables and evaluation criteria to attain BCM policies on an ongoing basis. They include formal change control and documentation processes. For example, changes to keep the BC Plan current should be controlled and documented in a formal manner. In addition, BCM efforts go towards reducing the risks and their impacts on the operation processes in the organization. For example, the risk of disruption of raw material supply and its impact on production needs to be addressed as part of BCM.
Participation and the skill sets of participants in various BCM activities are crucial to the success of BCM in an organization. For example, a BCM steering committee comprising representatives from various business units and headed by a member of Executive Management should be established to oversee BCM efforts in the organization. In addition, BCM efforts go towards reducing the risks and their impacts on staff in the organization. For example, the health risk associated with handling of hazardous materials needs to be addressed as part of BCM.
The organization should allocate resources to support critical business functions against risk events. This invariably requires a good understanding and application of available technology and equipment, and physical facilities to respond to risk occurrences. For example, installing a standby power generator and uninterrupted power supply (UPS) to ensure uninterrupted supply of power during electrical outage. In addition, BCM efforts go towards reducing the risks and their impacts on physical organization infrastructure. For example, the impact of a risk occurrence on production equipment and facilities need to be addressed as part of BCM.
The content of the Singapore Standard (SS540:2008) is as follows:
- Introduction to the BCM framework
- Process approach
- Requirements of the BCM system
- Risk analysis and review
- Business impact analysis
- Business continuity plan
- Test and exercises
- Programme management
Opening Address by Prof S Jayakumar, Deputy Prime Minister and Coordinating Minister for National Security at the National Security Seminar on Friday, 7 November 2008 at 9.25am at Singapore Management University Conference Hall 1