Singapore BCM Standard SS540: TR19 with a facelift

In July 2008, I wrote that Technical Reference 19 (TR 19:2005), Singapore's proposed international standard for business continuity management (BCM), appeared to be dying a slow death and suggested that the prognosis for it might be terminal. I was wrong.

It turns out that the patient just needed cosmetic surgery. Singapore's standards body SPRING revealed in October a new Asian face for BCM, Singapore Standard 540 (SS540). Like TR19, SS540 is a BCM standard for certification of organizations, not practitioners, but unlike TR19, which was to be an international standard, SS540 is specifically aimed at Singapore companies and organizations.

You can buy a printed or digital copy of SS540 for S$47 (US$31) at the SPRING Standards Shop. Here is a preview of the first five pages.

The content of SS540 is very similar to that of TR 19. The foundation matrix of policy, process, people and infrastructure considerations for each component of BCM--risk and business impact assessments, strategies, plans, testing and program management--remains the same in SS540. There are some grammatical corrections and word replacements, too.

In addition, according to its primary author Dan Steele, SS540 contains practical examples to guide an organization’s BCM implementation. Section 2.4.4 explains: "To help illustrate the rationale and intent of certain statements of requirements, examples may be suggested. They are typically provided in the sentence immediately following a statement of requirement. Organizations may or may not implement the suggested examples." By including examples inside the standard, SS540 seeks to eliminate the need for voluminous companion documents like The British Continuity Institute's Good Practice Guidelines (GPG, 199 pages) and the American Disaster Recovery Journal Editorial Advisory Board's recent release of its Generally Accepted Practices (GAP, 165 pages). That approach might save a few trees, if nothing else.

As I guessed in my July article, SS540 contains a new section about the internationally-standard process improvement methodology, Plan-Do-Check-Act (PDCA), also called the "Shewhart Cycle", after the American statistician Walter Shewhart who developed it, or the "Deming Cycle" after American quality guru W. Edwards Deming who popularized it. By incorporating PDCA, SPRING reinforces the notion of SS540 as a "system" for continuous improvement of business continuity management practices, as ISO 9001 is for quality management and IS 14001 is for environmental management.

PDCA is also included in the British Standards Institute's BCM standard BS 25999 and in the recent release of the BCI's Good Practice Guidelines. PDCA is not included in the recent release of the DRJ EAB’s GAP, even though they were developed with advice from DRI International (DRII), the Association of Records Management Administration (ARMA), the Financial Services Technology Consortium (FSTC), the U.S. National Fire Protection Association (NFPA), and Standards Australia/Standards New Zealand.

So who’s certified, and by whom?
Only four Singapore companies are rumored to have been certified to TR19, and who they are and who certified them is so difficult to find out that it must be a state secret. Neither SPRING nor the Singapore Business Federation keeps a list of the companies certified to TR19.

Three of the companies--National Heart Centre (NHC), Singapore General Hospital (SGH) and Changi General Hospital (CGH)--are owned by healthcare conglomerate Singapore Health Services (SingHealth). NHC and SGH say they "received the Business Continuity Management (BCM) certification" (NHC) or "achieved BCM certification" (SGH) in 2005. Neither says what certification authority issed the certification, but it must have been astonishingly quick work because TR19 was only published in September of 2005. The program for a 2008 BCM conference at which NHC COO James Toi discussed NHC’s BCM certification says (Page 6) that NHC was "the first healthcare institution to be BCM certified in 2005 and is now TR-19 certified, too", indicating that its 2005 certification was to some other standard.

CGH says it "was awarded the BCM Certificate by SPRING (Singapore) for meeting the BCM TR19 standards” in September 2007, but SPRING does not certify organizations to its standards, so far as I know.

Semiconductor fabricator Systems on Silicon Manufacturing Company (SSMC), the fourth company, said in a November 2008 press release that "on 31 October (2008) SPRING issued a press release that mentioned SSMC as one of the companies which had implemented TR19". That doesn't really sound like certification to me, and referring to someone else's press release about your own company is certainly the strangest way to announce an achievement that I've ever seen.

Management systems certification body TÜV SÜD PSB Pte Ltd (formerly Singapore's PSB Corporation) says on its Web site that it "has already certified many organisations in various business sectors including critical service businesses such as the Singapore General Hospital and the National Heart Centre". No word on CGH or SSMC, but if you know who certified them, please post a comment below.

What’s different this time?
Among the reasons so few Singapore companies adopted TR19 was the absence of commercial incentives to do so. A company that is ISO 9001--or ISO 14001--certified trumpets that accomplishment and gains advantage over competitors that are not similarly certified. But a company that was TR19-certified? No one cared, no one gained any advantage, no one lost business over it. That's going to change, at least in Singapore, too.

The Singapore government is already spreading the word sotto voce that companies bidding on certain government contracts might eventually have to be SS540-certified. I talked last month with a small construction contractor that provides explosion-resistant glass for government buildings. When I asked why they were interested in BCM, they said they'd been "advised" by their government contacts to investigate BCM certification. I'd call that a serious commercial incentive; even BS25999 doesn't have a government hammer behind it.

To further motivate the recalcitrant and the unbelievers, SPRING and SBF also plan--again-–to splash around a pool of some millions of dollars to reimburse companies for the costs of achieving certification to SS540. Reimbursement funding by itself will never motivate any company to initiate a BCM, and SPRING and SBF have threatened for years to spend money on BCM without ever actually doing so, so I'll believe it when I see it, but government funding for BCM is a potentially-powerful financial incentive that is unique to Singapore among all other countries in the world.

I also expect to see some prominent Singapore companies-–Singapore Exchange Ltd, Singapore Airlines or one of the Singapore Technologies companies, perhaps even one of the local banks DBS, UOB or OCBC-–go for SS540 certification. Some of them already have mature BCM programs, and while they don't need the money from the incentive pool, its availability and tacit peer pressure to address to the government's obvious desire to increase corporate resilience should be enough to spur one or more of them to action. And what one of them does, others will surely do in due course.

Back to the future
You might reach the conclusion that SPRING gave up its ambition to promulgate a global standard. I believe such a conclusion would be premature. With its transmogrification from TR19, SS540 joins BS25999 as the only other possible international standard for business continuity management. Both SS540 and BS25999 were proposed by accredited national standards bodies (SPRING and BSI, respectively) that are authorized to propose standards to the International Standards Organization (ISO). Both contain the continuous-improvement PDCA methodology that characterizes international standards. The main difference between them has been marketing: BSI launched a marketing blitz in 2006 for BS25999, while the marketing for TR19 over the same period has been abysmal. But SPRING has apparently gotten the technical content right, and that will count for something.

Could SS540 become the basis of a global standard? I recommend you keep an eye on the American National Standards Institute (ANSI) BCM standard being floated by American security association ASIS. As an ANSI member, ASIS is also authorized to propose national standards to the ISO. ASIS was an erstwhile partner of DRII in developing the GAP, but is now DRII's nemesis in developing a BCM standard. Behind the scenes, an ASIS standards representative has been Singapore at least twice to talk to SPRING about SS540.

ASIS needs an attractive face to put up against the Brits trendy model. Singapore did pretty well with the face of the Singapore Girl. A facelift for our BCM standard may be just what the judges will want to see.

• Talkback (1)
• Print
• E-mail
• Share
• Alerts

Slashdot

Digg

Facebook

Twitter

Delicious

reddit

Google

StumbleUpon

close this

Talkback 1 comments

• Is business continuity a dead-end?
• BCM standards, and standards for standards
• Ultimate 2012 recovery site: the moon
• Sample influenza business continuity plan
• No blood test for influenza

• Sample influenza business continuity plan
• Getting tested for H1N1 flu in Singapore
• Is Tamiflu 'better' than Relenza?
• Singapore BCM Standard SS540: TR19 with a facelift
• Ultimate 2012 recovery site: the moon

2010

2009

2008

2007

2006

• Open source blog reloaded!
• How the Sun continues to rise
• No room for e-polls failure
• Tiger Woods and his SMS
• Why aren't product recalls popular in India?

Nathaniel Forbes

Nathaniel Forbes is the director of Forbes Calamity Prevention, a Singapore-based consulting firm providing business continuity, crisis management and emergency response advice and training to multinational companies, with a focus on companies with offices in Asia. The firm is 10 years old. FCP's current and past clients include Singapore Exchange Ltd, OCBC Bank, AXA Insurance, The Gillette Company, Siemens and ABN Amro Bank. A former President of the Singapore Computer Society’s Business Continuity Group, Nathaniel passed the DRII’s Certified Business Continuity Planner (CBCP) examination in 1997. He has lived, traveled or worked in Asia since 1973.