BCI GPGs: no such thing as a “critical business process”

You will not find the words “critical business process” anywhere in The BCI’s new 2013 Good Practice Guidelines (GPGs). That’s good, because there is no such thing.

The BCI devotes half a page (page 51) to addressing the erroneous assertion that BCM is only for “critical” or “key” or “important” activities. That’s wrong. It’s folklore, a superstition. It is a shibboleth, a canard, a lie told by charlatans to deceive unbelievers. It is the first step on a road to perdition and professional damnation. At the end of that road, here be dragons!

Come on, even Internal Audit becomes urgent eventually.

Sinners! Fall to your knees and repeat after me: ‘I believe that BCM is for all business products, services, processes and activities!’ The purpose of business impact analysis (BIA) is, specifically, to prioritize them. The 2013 GPGs state that the outcome of a BIA is “a list of the organization’s most urgent groups of products and services” (page 54).

In my world, the outcome of a BIA is a list of all products and services (and processes and activities), prioritized in descending order of urgency, which is generally – but not always! – reflected in their recovery time objectives (RTOs): the longer the RTO, the lower the priority. There is no process so “critical” that its failure will by itself cause a company to collapse.

‘My RTO is smaller than your RTO’

Everybody’s favourite pastime: comparing themselves with others! Complete the KPMG-Continuity Insights BCM Program Benchmarking survey and maybe win this Amazon Kindle Fire.

They say it takes twenty (20) minutes to complete; the deadline is 15 January 2012. To hear how your BCM program compares to everyone else’s, register for the Continuity Insights conference in Scottsdale, Arizona (USA) in April 2012. Or just read the May 2012 issue of Continuity Insights magazine. Here are the 2007 KPMG-CI Benchmarking Survey results, for comparison.

BCI Launches Suicide Attack on Australia AND New Zealand!

The British Business Continuity Institute’s Technical Director Lyndon Bird wrote in the July/August issue of BCI’s Continuity magazine that the new AS/NZ 5050 standard “does not follow…a generally accepted international view of business continuity management” and that 5050’s underlying principles were “not in line with progressive BCM thinking.”

Perhaps he can be forgiven for staging an unexpected suicide attack on the Unbelievers from Down Under, as he was severely provoked. The SAI Global web site says AS/NZ 5050 “goes beyond many of the concepts that in the past may have been described as ‘Business Continuity Management’ or ‘BCM’”, and the Standards New Zealand web site said 5050 “[builds] on earlier concepts (often called ‘business continuity management’).”

Clearly intolerable provocation. So can we all agree that the Aussies and Kiwis started it by declaring a professional intifada? Those troublemakers.

I teach the BCI’s five-day entry-level training course, and I believe the BCI-prepared slides for that course reflect the BCI catechism on risk management (RM) and business continuity management. The orthodox BCI worldview is that RM is part of BCM, not the other way around (course module 2). On the right is the BCI’s “umbrella” slide from an earlier version of the course; note RM over there on the far left under the BCM umbrella. BCI acolytes also learn in the course that “formal risk management has limitations in dealing with unlikely but feasible catastrophic risks.” Lyndon Bird’s comment just reiterates the BCI’s long-held belief that BCM’s “progressive” priesthood focuses on consequences, not causes.

“The Concept Formerly Known As Business Continuity Management”

Add Australia/New Zealand Standard 5050 to your growing collection of BCM standards.

As I wrote in January, you have to be amused by any risk-related standard nicknamed “fifty-fifty.” 5050’s ‘Big Feature’: it complies with the new ISO/AS/NZ 31000 standard for risk management. Here’s what Australia’s Business Continuity Forum has to say about 5050. Standards New Zealand touts 5050 this way: “Building on earlier concepts (often called ‘business continuity management’), this new Standard [sic] ensures that all aspects of the risk are considered – from the factors which can lead to a disruptive event and influence the size of the event, to the factors that influence the nature and scale of the effects.”

BCM is now an ‘earlier concept’? I missed that memo. But that sentence reminds me of the way music writers refer to “the artist formerly known as Prince” (right).

5050 ain’t free, of course. Buy AS/NZ 5050 from Standards New Zealand (NZD $134 print, NZD $120 digital) or buy it from SAI Global (USD $99 print, USD $89 digital). Take two, they’re small.

BCM standards, and standards for standards

You have to love a risk management standard called “fifty-fifty”. All three (3) parts of Australia & New Zealand’s proposed AS/NZ 5050 standard for risk management and BCM are available for free: Part 1 is the Specification (what to do, “shall” do this, “may” do that); Part 2 is the Practice (how to do it, why you “should”); Part 3 is called Assurance (controls & verification, and the first audit guidance for a BCM standard). The comment period ended last year; keep New Zealand or Australia on your watch list for a final release.

The Sphere Handbook lists minimum standards for disaster response by NGOs, governments and relief agencies. 400 organizations in 80 countries contributed in many languages to 8 common standards (participation of the affected individuals in response planning, for example) and specific standards in water & sanitation, food, shelter and health services. The Sphere Project also published a Humanitarian Charter in 2004 that expresses the commitment of relief agencies to the Sphere minimum standards.

Not enough standards for you? The ISO 31000:2009 standard was released in November “to harmonize risk management processes in existing and future standards.” A standard for standards? That sounds like a tough sell. The Institute of Risk Management warned that ISO 31000 “is not intended as a standard against which an organisation can be certified.” So, maybe just wait until you hear ISO 31000 mentioned about 10 times, then you’ll know it’s important enough to buy it for USD 110.

BCM standard discovered in Malaysia

I have upbraided SPRING Singapore and the Singapore Business Federation for failing to promote effectively Singapore’s erstwhile business continuity management (BCM) standard TR 19 between its birth in 2005 and its demise in 2008. But for stealth and invisibility, it’s hard to beat the clandestine work of Malaysia’s national standards company, SIRIM Berhad, on behalf of MS1970, Malaysia’s national BCM standard.

Yes, there is one. Surprised? Me, too. I discovered it in January. The chairman of the committee that developed it wrote me that it was released in May 2007, but I couldn’t find it anywhere in the SIRIM catalog of standards published since 2007 (searching for “1970”). If you search for “Malaysia BCM standard” in your browser, the committee chairman’s presentation slides about MS1970 come up with a link to the Malaysian government’s Computer Emergency Response Team web site. It takes some effort to discover that you can buy MS1970 at the Malaysian Standards Online site.

Note the warning at the bottom of that screen that the standard can only be downloaded in Malaysia, which may explain why its existence has been unknown to the outside world.

Singapore BCM standard SS540: TR19 gets a facelift

In July 2008, I wrote that Technical Reference 19 (TR 19:2005), Singapore’s proposed international standard for business continuity management (BCM), appeared to be dying a slow death and suggested that the prognosis for it might be terminal. I was wrong.

It turns out that the patient just needed cosmetic surgery. Singapore’s standards body SPRING revealed in October a new Asian face for BCM, Singapore Standard 540 (SS540). Like TR19, SS540 is a BCM standard for certification of organizations, not practitioners, but unlike TR 19, which was to be an international standard, SS540 is specifically aimed at Singapore companies and organizations.

You can buy a printed or digital copy of SS540 for SGD $47 (USD 31.00) at the SPRING Standards Shop. Here is a preview of the first five pages.

The content of SS540 is very similar to that of TR 19. The foundation matrix of policy, process, people and infrastructure considerations for each component of BCM – risk and business impact assessments, strategies, plans, testing and program management – remains the same in SS540. There are some grammatical corrections and word replacements, too.

Getting credit for having a BCP

This month, U.S. credit rating agency Standard & Poor’s (S&P) started evaluating the enterprise risk management (ERM) capabilities of non-financial companies that it covers. This is S&P’s announcement, and here are their answers to common questions about it.

Extrapolating a risk evaluation to a logical, eventual conclusion, if a company doesn’t have a business continuity management (BCM) program, its credit rating could be lowered. The consequence? Borrowing money would cost more, and for the large companies that S&P reviews, that could be a material consequence.

S&P already evaluates risk management at the banks, insurance, energy and agribusiness companies that it rates, and now wants to do so at companies in other sectors. These are the Asian corporates that S&P rates and these are the U.S. corporates. You’ve probably heard of their S&P 500 index of American companies. S&P also rates companies, governments and debt instruments all over the world.

Suppose one of those companies wanted to issue a bond for $200 million to build a new plant in, say, India. Suppose also that, in part due to its assessment of the company’s risk management, S&P lowered its credit rating from, say, A- (upper medium grade) to BBB+ (lower medium grade). As a result, the company was forced to pay a 4.1% coupon instead of 3.9% to make the bond attractive to investors or underwriters. On $200 million, two-tenths of one percent (the difference between 4.1% and 3.9%) is $400,000.

Singapore TR 19 BCM standard: a diagnosis & prescription

The authors of the Alfred P. Sloan Foundation’s Framework for Voluntary Preparedness report of January 2008 refer to Singapore’s Technical Reference for Business Continuity Management (TR19) as an “authoritative source” for “best practices” (page 4).

That’s pretty ironic, because here in Singapore, TR 19 has been mostly a source of derision since its release in 2005.

The marketing of TR 19 has been catastrophically bad. The target market was apparently local, small- and medium-sized enterprises (SMEs) and manufacturing companies, none of whom have paid much attention to BCP in Singapore or anywhere else in the world. TR 19’s promoters, local standards body SPRING Singapore and industry group Singapore Business Federation (SBF), bickered for years over the responsibility to promote the standard – so neither of them did. Outreach to individuals certain to be interested, if not supportive – local consultants and practitioners, other than those who wrote it – was, in my personal experience, half-hearted tending toward hostile. When consultants were contacted, it was to get us to work for free to draft audit guidelines for TR 19 – without support, facilities or coordination of any kind. I was in that group. We failed miserably.

Malaysia BCM guidelines 2008

Bank Negara Malaysia (BNM) has new BCM guidelines that became effective in January. Banks in Malaysia have until 30 June 2008 to comply with the guidelines.

Download the guidelines here (Adobe® Acrobat® PDF file, 42 pages). The document number is BNM/RH/GL 013-3, but I cannot find it on the BNM web site.

There are 17 principles in 5 categories that banks must follow: BCM framework (4 principles) and methodology (10 principles), communication with internal and external constituencies, internal audit review of a bank’s plan and responsibility for outsourced functions. There is also a glossary of terms and several appendices.

In that glossary, BNM introduces yet another abbreviation – Maximum Tolerable Downtime (MTD) – that means the same thing as the Business Continuity Institute’s obscure Maximum Tolerable Period of Disruption (MTPD). Neither term should be confused with the commonly used “Recovery Time Objective” (RTO), which is shorter than MTD, as shown in this BNM diagram.

BNM MTD diagram

Do you see the “DRP” and “System Recovered” in that diagram? Even in 2008, after a decade of lexicographic struggle between I.T. and business professionals, BCM principles are still illustrated by examples of system recovery instead of business processes recovery. Will BCP ever breathe free of its technical past?