Everybody’s favourite pastime: comparing themselves with others! Complete the KPMG-Continuity Insights BCM Program Benchmarking survey and maybe win this Amazon Kindle Fire.

They say it takes twenty (20) minutes to complete; the deadline is 15 January 2012. To hear how your BCM program compares to everyone else’s, register for the Continuity Insights conference in Scottsdale, Arizona (USA) in April 2012. Or just read the May 2012 issue of Continuity Insights magazine. Here are the 2007 KPMG-CI Benchmarking Survey results, for comparison.

The British Business Continuity Institute‘s Technical Director Lyndon Bird wrote in the July/August issue of BCI’s Continuity magazine that the new AS/NZ 5050 standard “does not follow…a generally accepted international view of business continuity management” and that 5050′s underlying principles were “not in line with progressive BCM thinking.”

Perhaps he can be forgiven for staging an unexpected  suicide attack on the Unbelievers from Down Under, as he was severely provoked. The SAI Global web site says AS/NZ 5050 “goes beyond many of the concepts that in the past may be been described as ‘Business Continuity Management’ or ‘BCM’”, and the Standards New Zealand web site said 5050 “[builds] on earlier concepts (often called ‘business continuity management’).”

Clearly intolerable provocation. So can we all agree that the Aussies and Kiwis started it by declaring a professional intifada? Those troublemakers.

I teach the BCI’s five-day entry-level training course, and I believe the BCI-prepared slides for that course reflect the BCI catechism on risk management (RM) and business continuity management. The orthodox BCI worldview is that RM is part of BCM, not the other way around (course module 2). On the right is the BCI’s “umbrella” slide from an earlier version of the course; note RM over there on the far left under the BCM umbrella. BCI acolytes also learn in the course that “formal risk management has limitations in dealing with unlikely but feasible catastrophic risks.” Lyndon Bird’s comment just reiterates the BCI’s long-held belief that BCM’s “progressive” priesthood focuses on consequences, not causes.
 Read more... (558 words, 1 image, estimated 2:14 mins reading time)

Add Australia/New Zealand Standard 5050 to your growing collection of BCM standards.

As I wrote in January, you have to be amused by any risk-related standard nicknamed “fifty-fifty.” 5050′s ‘Big Feature’: it complies with new ISO/AS/NZ 31000 standard for risk management. Here’s what Australia’s Business Continuity Forum has to say about 5050. Standards New Zealand touts 5050 this way: “Building on earlier concepts (often called ‘business continuity management’), this new Standard [sic] ensures that all aspects of the risk are considered – from the factors which can lead to a disruptive event and influence the size of the event, to the factors that influence the nature and scale of the effects.”

BCM is now an ‘earlier concept’? I missed that memo. But that sentence reminds me of the way music writers refer to “the artist formerly known as Prince” (right).

5050 ain’t free, of course. Buy AS/NZ 5050 from Standards New Zealand (NZD $134 print, NZD $120 digital) or buy it from SAI Global (USD $99 print, USD $89 digital). Take two, they’re small.

You have to love a risk management standard called “fifty-fifty”. All three (3) parts of Australia & New Zealand’s proposed AS/NZ 5050 standard for risk management and BCM are available for free: Part 1 is the Specification (what to do, “shall” do this, “may” do that); Part 2 is the Practice (how to do, why you “should”); Part 3 is called Assurance (controls & verification, and the first audit guidance for a BCM standard). The comment period ended last year; keep  New Zealand or Australia on your watch list for a final release.

The Sphere Handbook lists minimum standards for disaster response by NGO’s, governments and relief agencies. 400 organizations in 80 countries contributed in many languages to 8 common standards (participation of the affected individuals in response planning, for example) and specific standards in water & sanitation, food, shelter and health services. The Sphere Project also published a Humanitarian Charter in 2004 that expresses the commitment of relief agencies to the Sphere minimum standards.

Not enough standards for you? The ISO 31000:2009 standard was released in November “to harmonize risk management processes in existing and future standards.” A standard for standards? That sounds like a tough sell. The Institute of Risk Management warned that ISO 31000 “is not intended as a standard against which an organisation can be certified.” So, maybe just wait until your hear ISO 31000 mentioned about 10 times, then you’ll know it’s important enough to buy it for USD 110.  Read more... (2077 words, 0 images, estimated 8:18 mins reading time)

I have upbraided SPRING Singapore and the Singapore Business Federation for failing to promote effectively Singapore’s erstwhile business continuity management (BCM) standard TR 19 between its birth in 2005 and its demise in 2008. But for stealth and invisibility, it’s hard to beat the clandestine work of Malaysia’s national standards company, SIRIM Berhad, on behalf of MS1970, Malaysia’s national BCM standard.

Yes, there is one. Surprised? Me, too. I discovered it in January. The chairman of the committee that developed it wrote me that it was released in May 2007, but I couldn’t find it anywhere in the SIRIM catalog of standards published since 2007 (searching for “1970″). If you search for “Malaysia BCM standard” in your browser, the committee chairman’s presentation slides about MS1970 comes up with a link to the Malaysian government’s Computer Emergency Response Team web site. It takes some effort to discover that you can buy MS1970 at the Malaysian Standards Online site.

Note the warning at the bottom of that screen that the standard can only be downloaded in Malaysia, which may explain why its existence has been unknown to the outside world.  Read more... (1844 words, 0 images, estimated 7:23 mins reading time)

In July 2008, I wrote that Technical Reference 19 (TR 19:2005), Singapore’s proposed international standard for business continuity management (BCM), appeared to be dying a slow death and suggested that the prognosis for it might be terminal. I was wrong.

It turns out that the patient just needed cosmetic surgery. Singapore’s standards body SPRING revealed in October a new Asian face for BCM, Singapore Standard 540 (SS540). Like TR19, SS540 is a BCM standard for certification of organizations, not practitioners, but unlike TR 19, which was to be an international standard, SS540 is specifically aimed at Singapore companies and organizations.

You can buy a printed or digital copy of SS540 for SGD $47 (USD 31.00) at the SPRING Standards Shop. Here is a preview of the first five pages.

The content of SS540 is very similar to that of TR 19. The foundation matrix of policy, process, people and infrastructure considerations for each component of BCM – risk and business impact assessments, strategies, plans, testing and program management – remains the same in SS540. There are some grammatical corrections and word replacements, too.  Read more... (2603 words, 0 images, estimated 10:25 mins reading time)

This month, U.S. credit rating agency Standard & Poor’s (S&P) started evaluating the enterprise risk management (ERM) capabilities of non-financial companies that it covers. This is S&P’s announcement, and here are their answers to common questions about it.

Extrapolating a risk evaluation to a logical, eventual conclusion, if a company doesn’t have a business continuity management (BCM) program, its credit rating could be lowered. The consequence? Borrowing money would cost more, and for the large companies that S&P reviews, that could be a material consequence.

S&P already evaluates risk management at the banks, insurance, energy and agribusiness companies that it rates, and now wants to do so at companies in other sectors. These are the Asian corporates that S&P rates and these are the U.S. corporates. You’ve probably heard of their S&P 500 index of American companies. S&P also rates companies, governments and debt instruments all over the world.

Suppose one of those companies wanted to issue a bond for $200 million to build a new plant in, say, India. Suppose also that, in part to its assessment of the company’s risk management, S&P lowered its credit rating from, say, A- (upper medium grade) to BBB+ (lower medium grade). As a result, the company was forced to pay a 4.1% coupon instead of 3.9% to make the bond attractive to investors or underwriters. On $200 million, two-tenths of one percent (the difference between 4.1% and 3.9%) is $400,000.  Read more... (885 words, 0 images, estimated 3:32 mins reading time)

The authors of the Alfred P. Sloan Foundation’s Framework for Voluntary Preparedness report of January 2008 refer to Singapore’s Technical Reference for Business Continuity Management (TR19 ) as an “authoritative source” for “best practices” (page 4).

That’s pretty ironic, because here in Singapore, TR 19 has been mostly a source of derision since its release in 2005.

The marketing of TR 19 has been catastrophically bad. The target market was apparently local, small- and medium-sized enterprises (SME’s) and manufacturing companies, none of whom have paid much attention to BCP in Singapore or anywhere else world. TR 19’s promoters, local standards body SPRING Singapore and industry group Singapore Business Federation (SBF), bickered for years over the responsibility to promote the standard – so neither of them did. Outreach to individuals certain to be interested, if not supportive – local consultants and practitioners, other than those who wrote it – was, in my personal experience, half-hearted tending toward hostile. When consultants were contacted, it was to get us to work for free to draft audit guidelines for TR 19 – without support, facilities or coordination of any kind. I was in that group. We failed miserably.  Read more... (1272 words, 0 images, estimated 5:05 mins reading time)

Bank Negara Malaysia (BNM) has new BCM guidelines that became effective in January.Banks in Malaysia have until 30 June 2008 to comply with the guidelines.

Download the guidelines here (Adobe® Acrobat® PDF file, 42 pages). The document number is BNM/RH/GL 013-3, but I cannot find it on the BNM web site.

There are 17 principles in 5 categories that banks must follow: BCM framework (4 principles) and methodology (10 principles), communication with internal and external constituencies, internal audit review of a bank’s plan and responsibility for outsourced functions. There is also a glossary of terms and several appendices.

In that glossary, BNM introduces yet another abbreviation – Maximum Tolerable Downtime (MTD) – that means the same thing as the Business Continuity Institute’s obscure Maximum Tolerable Period of Disruption (MTPD). Neither term should be confused with the commonly-used “Recovery Time Objective” (RTO), which is shorter than MTD, as shown in this BNM diagram.

Do you see the “DRP” and “System Recovered” in that diagram? Even in 2008, after a decade of lexicographic struggle between I.T. and business professionals, BCM principles are still illustrated by examples of system recovery instead of business processes recovery. Will BCP ever breathe free of its technical past?  Read more... (425 words, 1 image, estimated 1:42 mins reading time)

The Bank of Thailand (BoT) released a BCM/BCP policy for financial institutions in January 2007. This is the 15-page English version from Thailand’s Foreign Bankers’ Association and this is the Thai version of BOT Notification No. 118-2550 (23-01-07).

Banks have 12 months to comply: the deadline is January 2008.

This final policy does not differ significantly from BoT’s proposed BCM guidelines to which I linked in my post of September 2006 when they were released for comment. The policy requires board-level involvement, identification and recovery plans for “Critical Business Functions,” writing plans and testing them at least once every 12 months. Pretty standard stuff.

An appendix (page 15) to the policy lists sixteen (16) “Examples of Disruptive Events” for which continuity plans should be made, in five categories: natural, reputation, economy/physical, human resources and man-made. Tsunami is listed, of course, but so are “volcanic eruption” and “hostage taking,” which I haven’t seen in other national guidelines. Are there volcanoes in Thailand?

I don’t recommend limiting planning to “Critical Business Functions,” defined in the policy as those that could “significantly impact operations, business, reputation, status and performance.”

A business continuity plan should list and plan continuity of all functions of a bank or any other enterprise. Some functions will be determined “critical,” others won’t be, in a business impact analysis (BIA). In a proper BIA, the business impact of failure of all functions – big and small – is assessed.  Read more... (485 words, 0 images, estimated 1:56 mins reading time)