BCM standard discovered in Malaysia

I have upbraided SPRING Singapore and the Singapore Business Federation for failing to promote effectively Singapore's erstwhile business continuity management (BCM) standard TR 19 between its birth in 2005 and its demise in 2008.

But for stealth and invisibility, it's hard to beat the clandestine work of Malaysia's national standards company, SIRIM Berhad, on behalf of MS1970, Malaysia's national BCM standard.

Yes, there is one. Surprised? Me, too. I discovered it in January.

The chairman of the committee that developed it wrote me that it was released in May 2007, but I couldn't find it anywhere in the SIRIM catalog of standards published since 2007 (searching for "1970"). If you search for "Malaysia BCM standard" in a search engine, the committee chairman's presentation slides about MS1970 come up with a link to the Malaysian government's Computer Emergency Response Team Web site. It takes some effort to discover that you can buy MS1970 at the Malaysian Standards Online site.

Note the warning at the bottom of that screen that the standard can only be downloaded in Malaysia, which may explain why its existence has been unknown to the outside world.

When I bought MS1970 (28 pages plus a one-page annex) for 40 ringgit (US$11), the copy I received had my company's name and date of purchase in the margin of every page. That's a novel marketing ploy. The same people who think that charging 40 ringgit for a standard that no one is eager to adopt apparently also think that stamping the buyer's name on every copy is a good way to promote it.

Like the Business Continuity Institute's BCM lifecycle, there are five phases in the MS1970 BCM lifecycle (Figure 1, page 8). MS1970 lists and explains 11 BCM processes and describes objectives, assumptions, results and actions for each of those processes in a MS1970 Reference Matrix (Table 1, page 2) similar to, but much larger than, Singapore's SS540 BCM matrix. Processes in MS1970 include "Crisis management plan", "Establishment of alternate site" and "BCM audit", for example. Each cell of the matrix lists a section number for reference; that's very handy.

Every national standard seems to invent a BCM term found nowhere else in the world; in MS1970 that term is "System Recovery Time Objective" (SRTO) (Section 2.2), to differentiate computer system recovery from business process recovery. British Standard 25999 makes a similar distinction using "RTO" for system recovery and "Maximum Tolerable Period of Disruption" (MTPD) for business processes recovery, emphasizing the notion that computer systems must be restored before business activities that depend on them can resume. MS1970 otherwise adopts standard BCM jargon like Recovery Point Objective (RPO) and Minimum Operating Requirements (MOR).

This sentence in MS1970 caught my eye: "The BIA is a tedious process but is crucial for the success of the project." (Section 6.1) Now, you don't see that in many BCM guidelines. That's another novel marketing approach.

MS 1970 emphasizes that it "is NOT an Implementation Guideline hence DOES NOT discuss the issue of 'how to' implement" BCM (emphasis in the original). For that, there are consultants, trainers and writers, I suppose.

What is unique about BCM in Malaysia? Nothing. Was a Malaysian standard needed? No less than a British Standard 25999, an American Standard NFPA 1600 or an Australian Standard 221. Why were any of the existing Western standards considered inadequate? Perhaps only because they were not Asian. These days, confidence is growing everywhere in Asia not only that "we can do it ourselves", but maybe we can do it better, too. Although it is the mission of the International Organization for Standardization (ISO) to prevent proliferation of inconsistent national standards, the ISO hasn't published a proposed standard for BCM yet.

Maybe I am the only person in Southeast Asia who thinks that BCM standards should not be treated like state secrets. They should be given away freely and widely as a manifestation of your tax dollars at work. Charge me to get certified, but don't charge me for the certification standard. That's like a doctor charging me for his diagnosis--and for his medical textbook, too.

And I may also be the only person in Southeast Asia who thinks that basic principles of marketing-–clear, simple statements of features, advantages and benefits--should be employed to promote those standards. Instead, they are developed with strenuous effort by high priests of the profession, over years and years, and then buried like a Lost Ark in a bureaucratic Temple of Doom.

Where are you when we need you, Indiana Jones?

• Talkback (1)
• Print
• E-mail
• Share
• Alerts

Slashdot

Digg

Facebook

Twitter

Delicious

reddit

Google

StumbleUpon

close this

Talkback 1 comments

• Sample influenza business continuity plan
• No blood test for influenza
• Getting tested for H1N1 flu in Singapore
• Is Tamiflu 'better' than Relenza?
• BCM standard discovered in Malaysia

• Internationally-recognized BCM certifications for BCP professionals
• Sub-prime BCM certification in Asia
• Transportation Silliness at Airports
• Getting credit for having a BCP
• Tuning out supply chain risk

2009

2008

2007

2006

• What Y2K can teach us about 2012
• In remembrance: DRMs
• My favourite new features of Windows 7
• Learning to embrace Net without fear
• Changing of the IT guards

Nathaniel Forbes

Nathaniel Forbes is the director of Forbes Calamity Prevention, a Singapore-based consulting firm providing business continuity, crisis management and emergency response advice and training to multinational companies, with a focus on companies with offices in Asia. The firm is 10 years old. FCP's current and past clients include Singapore Exchange Ltd, OCBC Bank, AXA Insurance, The Gillette Company, Siemens and ABN Amro Bank. A former President of the Singapore Computer Society’s Business Continuity Group, Nathaniel passed the DRII’s Certified Business Continuity Planner (CBCP) examination in 1997. He has lived, traveled or worked in Asia since 1973.