Business Continuity Management for Singapore's Logistics Sector. By Singapore Business Federation and Singapore Logistics Association


Are You Ready?

In today's highly connected business landscape, disruptions and threats can cause considerable damage to Singapore and our companies. Companies face multi-faceted challenges and risks in their operating environment and this is further complicated when Singapore companies trade extensively with their overseas counterparts. Companies will need to be responsive and resilient to potential global economic threats or environmental, operational and cyber-related risks that can disrupt their operations. Businesses that are not prepared are at risk of costly disruptions, financial losses and loss of credibility.

Singapore Business Federation (SBF) has been appointed by SPRING Singapore to promote and drive the adoption of enterprise resilience standards among SMEs. SBF will also be a partner to administer financial incentives for the following standards adoption projects under SPRING's Capability Development Grant Scheme from 1 April 2015 to 31 March

1. ISO Societal Security - Business Continuity Management System. Enables organisations to identify potential threats and provides a framework for your organisation to build up its resilience and capabilities for an effective response.
2. ISO Information Security Management Systems. Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system in an organisation.
3. ISO Certification on Security Management Systems for Supply Chain. Provides the framework for the identification of security risks and the implementation of processes for continuous security management improvements within the supply chain.
4. SS 584 Specification for Multi-Tiered Cloud Computing Security. Covers the requirements that cloud service providers shall meet, recognising that individual users may have additional requirements.

Singapore enterprises have a critical role in supporting larger companies in the region, as well as fulfilling their customers' requirements. Being certified in enterprise resilience standards not only enables our companies to elevate their capabilities and reputation to a higher level, but also allows them to compete more effectively against international companies. SBF will also work closely with their members from the trade associations and chambers as well as other industry partners to encourage businesses to strengthen their enterprise resilience. Please visit our website for more information.

Table of Contents

1. Foreword by SBF and SLA Council Chairmen
2. Introduction
3. Frequently Asked Questions
4. Self-Assessment
   Context of Organisation
   Leadership
   Planning
   Support
   Operations
   Performance Evaluation
   Continual Improvement
Common Good Practices
Case Study: Yusen Logistics (Singapore) Pte Ltd
Case Study: Kawasaki-Rikuso Transportation Co., Ltd
Case Study: TNT Logistics
Glossary of Terms
Acknowledgement

JOINT FOREWORD

We are pleased that the Singapore Business Federation (SBF) and the Singapore Logistics Association (SLA) have teamed up to develop a Business Continuity Management (BCM) Sectoral Drawer Plan for Singapore's logistics sector to help companies become more resilient and responsive. The outcome of the drawer plan is a BCM-Readiness Framework handbook for companies to plan and implement their contingency plans.

Singapore's prime location in the region, world-class infrastructure and excellent global connectivity have made it an important logistics hub and conduit for world trade. To preserve its standing as a leading logistics and supply chain management hub, it is critical for companies to embrace BCM to guard against unforeseen events.

In SBF's 2013 BCM survey, nearly 60% of respondents have not activated their business continuity plan. Many also agreed that an assessment or diagnostic tool would be helpful in building business resilience. This BCM-Readiness Framework handbook includes a simple checklist for companies to ascertain their business resilience, follow sequential steps to move across the four tiers of Awareness, Recovery, Continuity and Sustainability to become BCM-ready, as well as learn from case studies in Singapore and overseas. The Framework was built based on input from SLA Council and focus group discussions involving SLA's member companies.

Within the next three years, SBF will be working closely with other trade associations and chambers to develop specific sectoral plans. We hope the Singapore logistics sector will benefit from this SBF-SLA joint initiative and together, we can build a stronger and more resilient logistics community for Singapore.

Mr S.S. Teo, Chairman, Singapore Business Federation
Mr Stanley Lim, Chairman, Singapore Logistics Association
6 January

INTRODUCTION

What is BCM?

Business Continuity Management (BCM) is about identifying those parts of your organisation that you cannot afford to lose, such as information, stock, premises and staff, and planning how to maintain these if an incident occurs. Any incident, large or small, whether it is natural, accidental or deliberate, can cause major disruption to your organisation. But if you work on a contingency plan now, rather than waiting for it to happen, you will be able to get back to business in the quickest possible time. Delays could mean you lose valuable business to your competitors, or that your customers lose confidence in you.

As governments and regulators began to recognise the role of business continuity in mitigating the effects of disruptive events, they increasingly sought to gain assurance that key players had appropriate business continuity arrangements in place. Similarly, businesses recognised their dependence on each other and sought assurance that key suppliers and partners would continue to provide key products and services, even when incidents occurred.

A recognised benchmark of good practice in BCM was therefore needed and several national standards sought to address this issue, including the SS540:2008 from Singapore. When organisations operating internationally started calling for a single International Standard, ISO/TC 223, Societal security, the International Organization for Standardization responded by developing ISO 22301:2012, Societal security - Business continuity management systems - Requirements. The ISO is a certifiable management systems standard for BCM which can be used by organisations of all sizes and types.

About the BCM Drawer Plan

The Singapore Business Federation (SBF) has developed this logistics drawer plan for business continuity management (BCM), specifically for the SMEs operating in the verticals - cold chain logistics and warehousing & storage services. To ensure the BCM drawer plan is meaningful to our logistics SMEs, SBF has partnered the Singapore Logistics Association (SLA) for its outreach to Singapore's logistics sector. This initiative is supported by SPRING Singapore.

In this handbook, there is a Self-Assessment Checklist for you to determine your organisation's degree of sophistication against the BCM and Organisational Resilience Maturity Framework. The BCM-Readiness Framework also guides you through the steps to develop and enhance business resilience in your organisation. The framework is based on the seven requirements of ISO (Clauses 4 to 10):

- Context of the organisation
- Leadership
- Planning
- Support
- Operations
- Performance Evaluation
- Continual Improvement

Risks with significant impact over time on the value creation process should be considered when establishing the context of the organisation that will be relevant to BCM. This may be a high-level or strategic assessment. The detailed risk analysis is performed in the Operations stage.

ISO BCMS

Key Elements & Implementation Process

- Context of the organisation: Understanding of the organisation & its context; Understanding the needs & expectations of interested parties; Determining the scope of the BCMS
- Leadership: Leadership & commitment; Management commitment; Policy; Organisational roles, responsibilities & authorities
- Planning: Actions to address risks & opportunities; BC objectives & plans to achieve them
- Support: Resources; Competence; Awareness; Communication; Documented information
- Operation: Operational planning & control; Business impact analysis & risk assessment; BC strategy; Establish & implement BC procedures; Exercising & testing
- Performance evaluation: Monitoring, measurement, analysis & evaluation; Internal audit; Management review
- Improvement: Nonconformity & corrective action; Continual improvement

Key Clauses and Description

Clause  Description
4       Context of the organisation
4.1     Understanding of the organisation and its context
4.2     Understanding the needs and expectations of interested parties
        Legal and regulatory requirements
4.3     Determining the scope of the business continuity management system (BCMS)
        Scope of the BCMS
4.4     Business continuity management system
5       Leadership
5.1     Leadership and commitment
5.2     Management commitment
5.3     Policy
5.4     Organisational roles, responsibilities and authorities
6       Planning
6.1     Actions to address risks and opportunities
6.2     Business continuity objectives and plans to achieve them
7       Support
7.1     Resources
7.2     Competence
7.3     Awareness
7.4     Communication
7.5     Documented information
        Creating and updating
        Control of documented information
8       Operation
8.1     Operational planning and control
8.2     Business impact analysis and risk assessment
        Business impact analysis
        Risk assessment
8.3     Business continuity strategy
        Determination and selection
        Establishing resource requirements
        Protection and mitigation
8.4     Establish and implement business continuity procedures
        Incident response structure
        Warning and communication
        Business continuity plans
8.5     Exercise and testing
9       Performance Evaluation
9.1     Monitoring, measurement, analysis and evaluation
        Evaluation of business continuity procedures
9.2     Internal audit
9.3     Management review
10      Improvement
10.1    Nonconformity and corrective action
10.2    Continual improvement

Document Checklist

Each entry gives the BCMS area, followed by the answer to "What would this be?".

Context of organisation
- Understanding of the organisation & its context: External context & factors; supply chain. Internal context & factors; standards; policies. Risks to value creation process.
- Understanding the needs & expectations of interested parties: List of legal & regulatory agencies; requirements; consequences for non-compliance. List of other interested parties & requirements; consequences not meeting the expectations.
- Determining the scope of the BCMS: Parts of organisation, products & services included (& excluded). Minimum BC objectives - contract terms; regulations; business objectives.

Leadership
- Leadership & commitment: All management levels demonstrate leadership. Communications - motivation, engagement & empowerment.
- Management commitment: BCM Steering Committee. Management review meetings.
- Policy: Policy statement. Minimum BC objectives; complement other policies. BCM framework.
- Organisational roles, responsibilities & authorities: BCM organisation structure - roles, responsibilities & authorities. Meet BC objectives.

Planning
- Actions to address risks & opportunities: Documented information to address issues & risks identified in the context of the organisation.
- BC objectives & plans to achieve them: BC objectives. BC project plan - schedule.

Support
- Resources: BCM resources to support ongoing BCM programme. BCM resources to support BCM response activities.
- Competence: Training for BCM staff maintaining the BCMS. Training for staff assigned BCM roles for response, recovery & resumption.
- Awareness: Activities to increase BCM awareness. Activities to embed BCM in organisation culture.
- Communication: Establish communication process with interested parties. Monitoring, adapting & integrating national & regional advisories into internal & external communications.
- Documented information: Creating & updating BCMS documents. Document control & change management.

Operation
- Operational planning & control: Meet BCM policy & objectives; achieve applicable needs & requirements. BCM framework & planned control processes are executed.
- Business impact analysis (BIA) & risk assessment (RA): Conduct RA & establish key disaster scenario. Conduct BIA - assess impact over time.
- BC strategy: Establish BC strategy. Established prioritisation for BC continuity, recovery & resumption.
- Establish & implement BC procedures: Establish appropriate BCM responses - BC plans. Internal and external incident communication procedures.
- Exercising & testing: Establish BCM exercise programme. Conduct appropriate BCM exercises.

Performance evaluation
- Monitoring, measurement, analysis & evaluation: Establish BCM performance measures. Evaluate BCM exercises.
- Internal audit: Establish BCM internal audit plan. Conduct internal audit.
- Management review: Regular schedules to review BCM in management meetings. Documented management review meetings.

Improvement
- Nonconformity & corrective action: Identify nonconformities. Corrective action plan to address issues.
- Continual improvement: Continually improve BCMS - corrective actions. Identify strategic improvements to enhance organisational resilience.

FREQUENTLY ASKED QUESTIONS

1. Why is Business Continuity Management (BCM) important?

Any major incident or disaster could have a significant business impact over time on the organisation. BCM enables an organisation to establish, implement and maintain a policy and framework to minimise the impact of such incidents, and improve organisational resilience. With BCM, the organisation will identify the key risks, impacts and critical business functions - including the essential minimum resources which will enable the organisation to continue, recover, resume and restore critical business value creation processes during a disaster.

2. What is the difference between emergency response planning (ERP) and BCM?

ERP may be considered an integral component of BCM - which focuses on immediate response actions to limit the impact of incidents to the organisation, human lives and key assets. BCM includes complementary plans and processes - like those for crisis management, crisis communications, damage assessment, business continuity, business recovery, IT disaster recovery, salvage assessment and so on. BCM also provides a framework for the organisation to prepare itself before a major incident. This includes the risk assessment and business impact analysis.

3. How does the IT Disaster Recovery Plan (DRP) differ from BCM?

The IT DRP is an integral component of BCM. It contains information, processes and procedures that will guide the organisation to recover and resume critical IT application systems, databases and services; which will also include the technology and telecommunications (for voice and data) infrastructure services. The document that contains the information, processes and procedures for the organisation's business, operation and support functions (other than IT) is typically titled the business continuity plan (BCP).

4. What are the main contents of a Business Continuity Plan (BCP)?

The BCP contains information on the key risks, results or summary of the business impact analysis, the business continuity strategy, detailed business continuity, recovery and resumption procedures, and the high-level strategy to restore (repair or rebuild) and return the organisation to normal operations after the incident. The BCP contains other important information - like the call tree for the business unit, key external contacts, location for recovery and so on. The BCP is considered one of the key documents in BCM.

5. How is a critical business function identified?

Critical business functions consist of important business activities that an organisation needs to continue, recover and resume; so that the critical business value creation processes can resume, and the impact (on the organisation, key clients and other key stakeholders) over time is minimised. The earlier a critical business function needs to resume, the higher the priority for that function; which allows the organisation to focus and better deploy the critical resources.

6. What are the criteria that will identify a business function to be deemed critical during a disaster or major incident?

The unavailability of a business function will have an impact over time on the organisation and its business value creation process. The more significant the impact, and the earlier this impact is felt on the value creation process, the higher the criticality of the business function. In the supply chain for the cold chain and pharmaceutical sector, the critical business functions are those responsible for shipping, logistics (transportation) and warehousing. Other critical business functions are the functions that provide essential shared services support - like IT, facilities, security, HR, finance, etc. Some of these functions may require support from external agencies and service providers. Some of the business functions that have a lesser impact, which is felt after a longer period, may be temporarily suspended.

7. What are the top three key areas that logistics companies in the cold chain and warehousing vertical should take note of when it comes to disruptions in general?

The continued ability to maintain a temperature-controlled environment for warehouses and transport operations is a key concern for logistics companies in the cold chain and warehousing vertical. It is crucial for these companies to understand their critical operations and first secure those from single points of failure, particularly for smaller enterprises relying on only one refrigerated warehouse or one refrigerated truck. A business continuity plan could consider reciprocal agreements with other refrigerated warehouse operators and contracting arrangements for backup refrigeration units and transport in the event of major power outages and equipment breakdowns.

In certain situations, onsite disruptions could render a perfectly operational refrigerated warehouse inaccessible. For example, the area could be declared a crime scene by the police, a pandemic quarantine zone by health authorities, or have road closures that lead to the premises. The concern here would be when access to the premises can be regained to retrieve or relocate outbound cargo, and how to re-route inbound cargo, especially those involving complex cross-border supply chains. To address cross-border supply chain re-routing, companies could develop contingency arrangements with their overseas offices or partner agents in the region.

For companies that offer and rely on online cargo tracking and processing, the failure of real-time information or information security is another key concern. Companies with high availability and accessibility requirements should place particular emphasis on their technology infrastructure and outsourced service providers for internet access and backup server.

8. What are some examples of service level agreements relevant to the cold chain and warehousing vertical, such as service continuity and penalties for service lapses, that logistics companies should pay attention to?

Customer service level agreements typically specify service availability requirements for third party logistics (3PL) providers. Such requirements tend to be more stringent for time and temperature-sensitive cargos, particularly when there are regulatory requirements on product protection. For example, a product could be placed on hold, be recalled, or deemed spoiled by the Food and Drug Administration (FDA) in the United States (U.S.) or equivalent non-U.S. agency if the service provider is unable to meet the temperature regulatory requirements. These requirements may be back-to-back obligations undertaken by customers. For example, the licensing requirements for food establishments in Singapore (under the Sale of Food Act Chapter 283) specify among other things the requirements for cold stores, mode of food transportation and Hazard Analysis Critical Control Points (HACCP) plan for food safety.

In order to prevent or minimise any lapses in service following a major business disruption, a robust BCM programme enables logistics service providers to respond swiftly and effectively. This is why pharmaceutical and biologics customers insist on detailed Standard Operating Procedures (SOPs) with contingency or business continuity plans (BCP) from logistics service providers who handle their products. That is, the procedures for such plans will still enable the logistics and warehouse service providers to comply with the requirements specified by their clients, HACCP, FDA and other local regulatory requirements.

It is also advisable for logistics service providers to include service continuity or BCP requirements in vendor service agreements, particularly for critical business functions that are outsourced to third party vendors. For example, part of the services will be handled by overseas agents and transport providers. As such, the primary service provider contracted by the client should have back-to-back service level agreements with these agents. Alternatively, if back-to-back agreements are not feasible to ensure service continuity, the primary service provider should have documented advance arrangements and contacts for other agencies that could provide the services upon activation.

9. Who is responsible for business continuity management (BCM)?

The overall accountability to ensure BCM is effective for the organisation lies with the top management in the organisation. However, every employee is responsible for ensuring that he or she is capable of performing the BCM tasks assigned to them.

10. What is a risk assessment (RA) in BCM? Does it conflict with the organisation's existing risk management (RM) framework?

The RA for BCM is a process to determine and evaluate the key risks that will potentially have a significant impact over time on the organisation's business value creation process. The RA for BCM shall be aligned to the existing internal RM framework; as well as be aligned to the international RM frameworks like ISO 31000, OHSAS 18001, ISO and RA for Workplace Safety and Health.

11. What are the resources required to implement and maintain the BCM?

BCM is typically implemented with a formal BCM organisation structure. Top or senior management forms the BCM Steering Committee - which sets directions and corporate objectives, approves the policy and makes strategic decisions. The BCM Working Committee is tasked with the development and implementation of BCM. This committee is usually made up of the representatives from all departments. A senior management representative is appointed to lead the BCM Working Committee. He or she will be assisted by an appointed organisation BCM manager or coordinator.

12. What are the departments and functions that should be included in the BCM scope?

All departments and functions should be included in the scope of BCM. During a disaster, there will be some functions that are more critical and accorded higher priority, with resources being allocated to support their activities. There are other functions that are deemed not critical during a disaster; these may be temporarily suspended until such time as management decides that the function becomes critical.

13. How long will it take to implement BCM?

BCM is often implemented based on the ISO International Standard for BCM - which requires organisations to adopt a Plan-Do-Check-Act implementation approach. This standard specifies the requirements that will enable the organisation to implement a practical BCM programme. The overall elapsed time may take 4 to 6 months for an organisation to complete the implementation. The actual cumulative time for each BCM representative will be significantly lower.

14. Can BCM enable my organisation to mitigate all known and unknown risks?

It is a common best practice to develop and implement a business continuity plan that enables the organisation to continue, recover and resume critical business functions during a disaster - which will have a significant impact over time on the business value creation process. An event that disrupts the business, operations and/or shared services, causes IT and facilities to be inaccessible, or disrupts the critical supply chain - is deemed a disaster. The disaster may arise due to any known or unknown risks. Best practices also assume that known risks may change over time too. However, organisations that develop and implement BCM by focusing efforts to mitigate the impact will be assured that the BCM programme will be effective.

15. What are the main assumptions when implementing BCM?

The first assumption will be the key disaster scenario - which constitutes the inaccessibility of the premises, unavailability of critical IT and technology services, loss of key staff and disruption of the supply chain. The occurrence of either one or any combination of the situations constitutes a disaster to the organisation. Other important assumptions may include:

- Availability of the primary or deputy of staff assigned important BCM roles
- Availability of the alternate facilities and services
- Availability of critical resources required to support BCM
- IT DRP is implemented, regularly tested and maintained.
- BCM teams possess the relevant BCM knowledge and skills.
- Inter-related incident response measures - like emergency response plan, crisis management plan, crisis communications guidelines, IT cyber incident response plan and so on - are implemented.

SELF-ASSESSMENT

BCM Readiness

BCM and Organisation Resilience Maturity Framework

Maturity categories, in increasing degree of sophistication:

- 0, Under Developed: RM & BCM framework does not exist.
- 1, Awareness (Tier 1): Reactive action based on incidences that occur, discrete roles and responsibilities identified for specific sets of risk and compliance requirements.
- 2, Recovery (Tier 2): Senior Management buy-in obtained, communicated policies, procedures are defined and rolled out for specific operations or functions.
- 3, Continuity (Tier 3): Implementation & practices BCM; reporting is driven bottom up rather than top down, performance matrices are linked to risk drivers and incident mitigation measures.
- 4, Sustainability (Tier 4): Resilience & sustainability programme integrated Governance, Risk, & Compliance model incorporating ERM, HSE, BCM & ISMS measures; cause and effects are built into decision making processes, conformance of framework is incentivised; pre-emptive risk mitigation as ERM & BCM is everyone's responsibility.

Self-Assessment Checklist

Requirement 1: Context of Organisation

Table columns: No.; Description; Awareness (Tier 1); Recovery (Tier 2); Continuity (Tier 3); Sustainability (Tier 4); Rating (Tier).

1. The organisation has established a BCM policy; that is linked to organisational objectives and other policies (including risk management); which has been communicated to all employees and relevant stakeholders.
   - Awareness (Tier 1): A BCM policy helps the organisation achieve the BCM objectives and outcomes.
   - Recovery (Tier 2): A business continuity policy statement is established and communicated to all management and employees.
   - Continuity (Tier 3): A BCM policy manual is being developed and will be communicated - which includes a BCM framework to identify and review risks.
   - Sustainability (Tier 4): The BCM policy is reviewed on a regular basis (e.g. every 3 years), and updated to ensure relevance.

2. The organisation defines the risk criteria based on the risk appetite; with which the risk external and internal factors are determined.
   - Awareness (Tier 1): The management and employees are aware of the threat of potential risks and the corresponding impact over time; but they are not evaluated.
   - Recovery (Tier 2): Management has defined the key business, product, environmental and regulatory risks.
   - Continuity (Tier 3): The risks and business impact will be evaluated and analysed based on the framework and risk criteria that have been or will be established.
   - Sustainability (Tier 4): Regular reviews of risk assessment and business impact analysis are based on the established framework and criteria.

3. The legal, regulatory and contractual requirements are identified; which also takes into consideration the interests of relevant stakeholders, especially service level agreements and other commitments for logistics, shipping and warehousing services for cold chain and pharmaceutical products.
   - Awareness (Tier 1): The managers understand the applicable legal, regulatory and contractual requirements that are relevant to their jobs and responsibilities.
   - Recovery (Tier 2): Management has determined the key legal and regulatory requirements; services will be delivered based on the contractual requirements that are specified in the service level agreements with key clients and business partners, especially regular clients engaging the organisation to provide logistics and warehousing for cold chain and pharmaceutical products.
   - Continuity (Tier 3): The applicable legal, regulatory and contractual requirements will be identified, evaluated and those relevant will be communicated; which are documented as the business continuity objectives, and impact criteria are defined with reference to the requirements, with priority being accorded to contracted and regular clients engaging the company for logistics and warehousing services for cold chain and pharmaceutical products.
   - Sustainability (Tier 4): The annual review of the BCMS includes the review of the applicable legal, regulatory and contractual requirements; also taking into consideration supply chain management services that may be embedded with the clients' business and order fulfilment processes.

4. The scope of the BCMS takes into account the following factors: organisation mission, vision and objectives; parts of the organisation included in the scope, that is, size, nature and complexity with respect to the organisation; products and services; needs of relevant interested parties.
   - Awareness (Tier 1): Annual drills (e.g. fire evacuation plan) are conducted based on an established company emergency response plan.
   - Recovery (Tier 2): The business recovery plan and procedures are or will be established for one or a few key functions that support one or several key clients and to deliver the services as specified in the service level agreements; including contingent arrangements for logistics and warehousing for frozen and chilled food stuff, and pharmaceutical products.
   - Continuity (Tier 3): The needs of the key interested parties, the organisation's mission, vision and objectives, and the key products and services will be considered when establishing the BCMS scope; which will include making advance arrangements with other service providers to store and ship frozen and chilled food, and pharmaceutical products.
   - Sustainability (Tier 4): The BCMS scope and objectives, and organisation minimum BC objectives defined are reviewed annually or whenever needed, to ensure compliance with applicable legal, regulatory and contractual requirements, including the continuity of supply chain management services for clients that have outsourced this function to the company.

5. Some parts and/or services are excluded from the scope of BCM, and such exclusions do not have a significant impact on the organisation during major incidents (including the ability to continue, recover and resume critical services for key clients).
   - Awareness (Tier 1): No known exclusions have been determined.
   - Recovery (Tier 2): The exclusions to the scope are or will be identified, but are not necessarily documented.
   - Continuity (Tier 3): The exclusions to the scope will be identified and documented when the BCMS scope is being defined.
   - Sustainability (Tier 4): Exclusions to the BCMS scope are reviewed annually or whenever there are significant changes.

Total Rating for Requirement 1: Context of Organisation (sum of individual ratings)

Requirement 2: Leadership and Commitment

Table columns: No.; Description; Awareness (Tier 1); Recovery (Tier 2); Continuity (Tier 3); Sustainability (Tier 4); Rating (Tier).

6. Top management has approved the BCM policy, framework and BC objectives - minimum BC objectives (MBCOs) shall include minimum service levels for the fulfilment of cold chain and pharmaceutical logistics, shipping and warehousing services; as well as staff competency in HACCP and GDP.
   - Awareness (Tier 1): Top management understands the importance and usefulness of the policy and framework manual.
   - Recovery (Tier 2): The qualitative BC objectives - like protecting employee health and safety - are or will be documented; measurable business continuity objectives relating to product and service levels have not been defined.
   - Continuity (Tier 3): Top management is reviewing (and in the process of approving) the draft policy and framework manual; which includes both qualitative and measurable business continuity objectives linked to product and service levels.
   - Sustainability (Tier 4): Top management reviews the policy and framework at a frequency defined in the change management section of the policy manual.

7. Top management is fully committed - as demonstrated in the setting up of the BCM organisational structure with the appointment of appropriate staff; including appointing a member of the top management as the project director and management representative.
   - Awareness (Tier 1): Top management understands the relevance of establishing the formal BCM organisational structure; but has not established a timeframe to establish it.
   - Recovery (Tier 2): The BCM resources documented in the BC plan consist of operational departments supporting the contingency or recovery processes - which focus on recovery operational processes supporting specific clients and/or services.
   - Continuity (Tier 3): Top management is establishing the BCM organisation structure - consisting of both operation and support functions - that is relevant to the BCMS scope, and assigning staff with the appropriate level of competence.
   - Sustainability (Tier 4): Top management annually reviews the BCM organisation structure to ensure a level of staffing that is appropriate and relevant to the BCMS scope.

15 SELF-ASSESSMENT

8. Top management has communicated to all staff (including BCM staff) their respective roles, responsibilities and accountabilities, the importance of BCM to stakeholders, and the BCM policy and objectives; as well as communicated the BCM policy statement to key external interested parties.
Awareness (Tier 1): Top management understands the importance of communicating the BCM roles, responsibilities and accountabilities; however, there are no immediate communication sessions scheduled.
Recovery (Tier 2): The BCM roles, responsibilities and accountabilities will be established and communicated only to the operations personnel responsible to execute the recovery procedures.
Continuity (Tier 3): The BCM roles, responsibilities and accountabilities will be established, and communication sessions will be conducted regularly throughout the organisation; with targeted external communications with key clients and business partners.
Sustainability (Tier 4): Annual training and awareness activities are conducted to reinforce the staff's understanding of their BCM roles, responsibilities and accountabilities that are relevant to their BCM roles.
Rating (Tier):

9. BCM matters are discussed in the regular management review meetings; directions for supporting and improving BCM are decided during these meetings.
Awareness (Tier 1): Key risk and BCM issues may be raised in top management meetings; however, there are no planned follow-up actions to study the issues and design mitigation measures.
Recovery (Tier 2): The BC plan and procedures are discussed during contract negotiations; or following a major incident disrupting the operation or service to the specific clients or group of clients.
Continuity (Tier 3): The BCM project implementation schedule includes scheduled management review meetings to review the project status and progress; as well as to make decisions on BCM matters.
Sustainability (Tier 4): BCM matters, strategic and tactical (or operational) actions are decided at the regular management review meetings.
Rating (Tier):

Total Rating for Requirement 2: Leadership and Commitment (sum of individual ratings)

Requirement 3: Planning

10. The BC plan takes into consideration activities to address the identified issues and risks that are relevant to the context of the organisational BCM requirements; emphasising the need to continue, recover and resume shipping, logistics and warehousing services for cold chain and pharmaceuticals.
Awareness (Tier 1): Top management is aware of some of the key risk issues; however, no actions are taken to address the risks.
Recovery (Tier 2): The key risks and issues that are relevant to specific clients, group of clients and/or services are identified and addressed; priority will be given to actions that will facilitate the recovery and resumption of cold chain and pharmaceutical logistics, shipping and warehousing services for contracted and key clients.
Continuity (Tier 3): The key risks will be evaluated and analysed in the risk assessment, business impact analysis and BC strategy development - where the control or treatment measures to address the risks will be identified and evaluated; priority will be given to actions that will improve the continuity, recovery and resumption of cold chain and pharmaceutical logistics, shipping and warehousing services.
Sustainability (Tier 4): The annual review process includes a formal review of the key risks and the treatment approaches - actions will be taken to mitigate potential issues with a significant impact on the supply chain management services for key contracted customers.
Rating (Tier):

16 SELF-ASSESSMENT

11. The BC plan specifies the work activities or tasks, identifies the responsibilities and the targets for completion.
Awareness (Tier 1): Top management understands there are several key stages in the BCM implementation process; but has not established a detailed plan.
Recovery (Tier 2): The BCM tasks are shared and executed by the senior manager and the assisting managers.
Continuity (Tier 3): The BC plan schedule specifies the tasks with the resources and timeline for completion - as outlined in the BCM organisation structure and framework.
Sustainability (Tier 4): The ongoing BCM programme specifies an annual BC plan schedule; which identifies detailed activities that are essential to ensure the BCMS remains current and effective.
Rating (Tier):

Total Rating for Requirement 3: Planning (sum of individual ratings)

Requirement 4: Support

12. BCM resources to establish, implement, maintain and continually improve the BCMS have been allocated - including provisioning for the alternate sites supporting the cold chain and pharmaceutical clients, and the recovery of the supporting IT disaster recovery for critical application systems; which shall also include training for BCM staff, as well as cross training employees who may be redeployed as drivers and operation staff - incorporating HACCP and GDP.
Awareness (Tier 1): Top management understands the importance of allocating the appropriate BCM resources to support the BCMS.
Recovery (Tier 2): The BCP will be developed and maintained by a senior manager and the assisting managers; the recovery team consists of operation staff supporting the specific clients or group of clients and/or services.
Continuity (Tier 3): The appropriate types and level of BCM resources have been or will be identified and deployed to support the BCMS and BCM activities; education, training and experiential learning, which constitute important activities in the BCM framework, have been or will be carried out as important BCM activities in the BCM implementation project.
Sustainability (Tier 4): The BCM programme includes an annual BCM review that also specifies the BCM resource types and levels, and BCM activities required to ensure the BCMS remains relevant; staff competencies are reviewed and reinforced through further education, training and experiential learning.
Rating (Tier):

17 SELF-ASSESSMENT

13. The organisation has established a process for the creation, updating and control of documented information - which includes an annual review, or whenever there are major or significant changes; as well as accessibility on a need to basis - including communications with external parties.
Awareness (Tier 1): Top management understands the importance of establishing and implementing document controls and change management processes to support the BCM programme and BCMS.
Recovery (Tier 2): The BCP documents are updated after new requirements are identified in the service contract negotiations; or whenever new requirements are established as post-incident improvement actions.
Continuity (Tier 3): The document control and change management processes are established and implemented according to the specifications in the BCM policy.
Sustainability (Tier 4): The document control and change management specifications in the BCM policy are enforced in the annual BCM activities and BCM programme.
Rating (Tier):

Total Rating for Requirement 4: Support (sum of individual ratings)

Requirement 5: Operations

14. The critical business functions with the associated impact over time (due to the loss or unavailability of these functions) are identified and evaluated - based on the established business impact analysis framework; which shall include giving higher priorities to functions fulfilling and supporting the cold chain and pharmaceutical logistics, shipping and warehousing services.
Awareness (Tier 1): Top management understands the importance of identifying the critical business functions or processes, and evaluating the impact over time for their loss or unavailability.
Recovery (Tier 2): Business impact analysis identifies a few key business functions required to support and deliver critical services based on specific service level agreements with a few clients.
Continuity (Tier 3): Business impact analysis identifies all critical business (and support) functions, with the corresponding assessment of the impact over time, interdependencies and resource requirements required to achieve the minimum BC objectives defined by top management.
Sustainability (Tier 4): The annual BCM planned schedule and BCM programme require the business impact analysis to be conducted to review the critical business functions, and analyse (update) the impact over time and other critical BIA information.
Rating (Tier):

18 SELF-ASSESSMENT

15. The business continuity strategy with the resource requirements for each approach are identified and evaluated - based on the established BC strategy framework - so as to continue, recover and resume critical business functions, and return to normal business operations. Minimally, there should be alternate sites for the fulfilment of cold chain and pharmaceutical logistics, shipping and warehousing services, recovery of the supporting critical IT and technology infrastructure, and contingent shipment route plans.
Awareness (Tier 1): Top management understands the importance of identifying and evaluating business continuity strategies for the continue, recover, resume, restore and return stages.
Recovery (Tier 2): In the business continuity strategy stage, the organisation develops the approaches to recover critical services for key clients with reference to the specifications in the service level agreements.
Continuity (Tier 3): The business continuity strategy findings and recommendations are evaluated and implemented in the corporate-wide business continuity plan.
Sustainability (Tier 4): The annual BCM planned schedule and BCM programme require the business continuity strategy and plans to be reviewed, evaluated and updated; including implementation of continual improvements.
Rating (Tier):

16. The relevant BC exercises and tests are planned and conducted at regular intervals (annually or whenever necessary) which include activating and mobilisation to the alternate warehouse site, transport arrangements to and from the alternate site, activation of the alternate route plan, and IT disaster recovery test for critical application systems.
Awareness (Tier 1): Top management understands the importance of conducting exercises and tests to assess the BCM capabilities and improve the BCM staff competencies.
Recovery (Tier 2): BCP exercises are conducted only when requested by a specific client; or based on the frequency as specified by the key clients or group of clients during service contract negotiations.
Continuity (Tier 3): BCM exercises are conducted annually or whenever appropriate to improve the BCM capabilities and competencies of staff assigned roles during the continuity, recovery and resumption stages.
Sustainability (Tier 4): Regular (or annual) BCM exercises are planned and designed to identify areas for improvements as part of the organisation's continual improvement efforts to strengthen the BCM programme and organisational resilience.
Rating (Tier):

Total Rating for Requirement 5: Operations (sum of individual ratings)

19 SELF-ASSESSMENT

Requirement 6: Performance Evaluation

17. The organisation has established a process and a set of procedures to monitor, measure, analyse and evaluate the performance of the BCMS - the evaluation shall assess the achievement of the MBCOs established for services supporting cold chain and pharmaceutical logistics, shipping and warehousing, and staff competency in related areas like HACCP and GDP.
Awareness (Tier 1): Top management understands the relevance and importance of establishing a process to monitor, measure, analyse and evaluate the performance of the BCMS.
Recovery (Tier 2): The BCP procedures are reviewed and updated as and when needed - like after a review or contract negotiations with specific clients, or after a post-incident review.
Continuity (Tier 3): The established BCM framework includes a process to monitor, measure, analyse and evaluate the performance of the BCMS.
Sustainability (Tier 4): The BCM programme enforces an annual review process; which includes the activities to monitor, measure, analyse and evaluate the performance of the BCMS.
Rating (Tier):

18. An annual internal audit is conducted to assess the BCMS, BCM programme - including the BCM readiness, capabilities and competency.
Awareness (Tier 1): Top management understands the relevance and importance of the annual internal audit.
Recovery (Tier 2): The internal audit will be conducted when requested by a key client or group of clients; or before the clients conduct a second party audit.
Continuity (Tier 3): The internal audit will be conducted to assess the BCM readiness, capabilities and competency after the integrated response structure and plans are implemented.
Sustainability (Tier 4): The BCM programme specifies an annual internal audit shall be enforced; which will include identifying nonconformities and areas for improvement to strengthen the BCM readiness, capabilities and competency.
Rating (Tier):

20 SELF-ASSESSMENT

19. Management reviews are conducted at planned intervals to review BCM - which shall also include identifying initiatives to improve the supply chain management capabilities for cold chain and pharmaceutical logistics, shipping and warehousing. This may include review of new developments in IT for cyber security requirements, as well as improvements to productivity and organisational resilience.
Awareness (Tier 1): Top management understands the relevance and importance of the regular management reviews at planned intervals.
Recovery (Tier 2): The senior management representative will review the BCP with the assisting managers when there are new or changes to the BCP arising from new or revised requirements from key clients or group of clients.
Continuity (Tier 3): Regular management review meetings are or will be conducted during the BCM implementation project.
Sustainability (Tier 4): The BCM programme incorporates a governance structure that requires regular management meetings to review the progress and status of the annual BCM project, and the findings for the risk assessment, business impact analysis, BC strategy, plan development, exercising (and testing), and internal audit. Management will finalise the decisions on the next follow-ups at these meetings.
Rating (Tier):

Total Rating for Requirement 6: Performance Evaluation (sum of individual ratings)

Requirement 7: Continual Improvement

20. The organisation maintains a process to review and address non-conformities; including the identification and evaluation of corrective actions.
Awareness (Tier 1): Top management understands the relevance and importance of addressing nonconformities.
Recovery (Tier 2): BCM corrective actions are implemented usually after the audits by external parties or customers are completed.
Continuity (Tier 3): The established BCM framework includes processes to review and address nonconformities.
Sustainability (Tier 4): The BCM programme specifies an annual BCMS review; which includes activities to identify, evaluate and implement approved corrective actions to address nonconformities.
Rating (Tier):

21 SELF-ASSESSMENT

21. Continual improvements are implemented whenever necessary to improve the suitability and adequacy of the BCMS; which shall consider improving the business continuity and resilience for cold chain and pharmaceutical logistics, shipping and warehousing services - including improving resilience in route plans and supporting IT and transport infrastructure. This would also strengthen the competency of support staff.
Awareness (Tier 1): Top management understands that continual improvements in BCM are important to ensure the BCM documents, capabilities and competencies remain effective and relevant to the organisation.
Recovery (Tier 2): The BC plan, processes and procedures will be updated after the BCP requirements to support operation and service delivery are reviewed in the contract negotiations with key clients or group of key clients; or after the post-incident reviews, if any.
Continuity (Tier 3): The final project management review meeting will include the review and approval of the recommended continual improvements.
Sustainability (Tier 4): The BCM programme specifies that the organisation shall identify areas in the BCMS that will be improved to ensure they remain relevant and effective to support the organisation's current business and value creation activities.
Rating (Tier):

Total Rating for Requirement 4: Support (sum of individual ratings)

Self-Assessment Diagnostic Summary

| Requirement | Rating |
|---|---|
| 1) Context of Organisation | |
| 2) Leadership | |
| 3) Planning | |
| 4) Support | |
| 5) Operations | |
| 6) Performance Evaluation | |
| 7) Continual Improvement | |
| Total Score | |

22 SELF-ASSESSMENT

Your Organisation's BCM Readiness Level

The organisation's response to disasters and incidents should be improved and formalised. If the organisation suffers a major incident or disaster, the damage is likely to be severe, and may result in a long term disruption. Your organisation needs to know the risks that result in a significant impact, and start considering the control measures that would reduce the impact; enabling the organisation to continue, recover and resume critical prioritised business activities within acceptable time frames.

Your organisation is aware of the key risks that could disrupt the business value creation process, and formalised steps have been taken. However, the steps are primarily reactive - that is, they focus on recovery and resumption. The organisation may still potentially be exposed to severe damage or significant losses because of the weakness in the BCM system or programme. Additional improvement measures could be implemented to enhance BCM and organisational resilience.

Your organisation has established the BCM programme that provides a coordinated response to major incidents, i.e. business interruption risks are mitigated. The BCM programme follows the ISO BCMS requirements, which enables your organisation to enhance its BCM readiness progressively and continually. Thus the organisation has the ability to respond to changing risks and unexpected incident events or disasters.

Total Score 0 to to to 84

23 REQUIREMENT 1: CONTEXT OF ORGANISATION

Determine BCM Purpose, Scope and Team

Purpose

The key purpose of implementing a Business Continuity Plan will be to protect the following against disasters and major disruptive events:
- People - ensure safety and protect health of employees, visitors, contractors, suppliers and customers
- Key informational and physical assets
- Key stakeholders and interested parties - shareholders, investors, customers, business partners, employees and their families
- Business value creation process - business operations and supply chain

The corporate level minimum business continuity objectives (MBCOs) should be established based on the key purpose. The key purpose of the BCP and the corporate MBCOs provide the key criteria with which the BCP will be implemented. Therefore, these should be clearly communicated to and understood by employees, key business partners and essential service providers.

Scope

The overall BCP scope shall enable the organisation to achieve the key purpose and the corporate MBCOs. To meet these requirements, the organisation shall establish BCP capabilities and competency which will enable it to continue, recover and resume critical business activities. The BCP scope may be established for a limited scope covering important business and support operations at specific sites. The BCP should be flexible, adaptable and scalable to progressively increase the BCP capabilities and competency over time. For example, the BCP may be implemented for the warehouse site that generates a significant proportion of the organisation's business activities or revenues. That is, the BCP shall enable the organisation to continue, recover and resume the critical activities performed at this warehouse.

Interested Parties and Related Risks

| Name of Interested Stakeholders, e.g. government agency, key clients | Relationship, Key Interests & Expectations (e.g. Service Level Agreements) | Key Risks & Consequences |
|---|---|---|
| MOM | Regulator: manpower matters; work injury reporting & matters | Non-compliance; penalties |
| NEA | Regulator: licensing for transporting & storing chemicals & hazardous materials | Non-compliance; loss of license |
| AVA | Regulator: licensing for handling of food related materials | Non-compliance; loss of license |
| HSA | Regulator: licensing & certification for transporting and storage of health supplements, pharmaceutical & clinical products | Non-compliance; loss of license |
| For example, JTC | Landlord; managing agent for leased property | Non-compliance; lease termination or non-renewal |
| For example, GSK | Customer: collection & shipping of pharmaceuticals; GDP | Non-compliance (GDP); product degradation; loss of future business |

Abbreviation
MOM: Ministry of Manpower
NEA: National Environment Agency
AVA: Agri-Food & Veterinary Authority
HSA: Health Sciences Authority

24 REQUIREMENT 2: LEADERSHIP

BCM Leader

Leadership is essential to ensure the BCP is relevant and applicable to the organisation. Strategic decisions and directions will guide the team to develop and implement a BCP that meets the key purpose and the corporate MBCOs. Good leadership will provide assurance of the essential resources and budget to support the development, implementation and maintenance of the BCP. A senior management representative, with the appropriate level of responsibilities and authorities, should be appointed to lead the team implementing or maintaining the BCP, make key decisions and provide guidance.

BCM Policy & Framework

- Commitment and ownership at top management and respective stakeholders level are essential.
- Resources committed to the project are available throughout the entire project life-cycle.
- Active participation from the parties identified is required.
- All team members are expected to carry out their responsibilities until project completion.
- Preparation, review and signoff of required documentation are duly completed as scheduled by all parties.

25 REQUIREMENT 3: PLANNING

Document Control & Change Management

The BCP contains confidential company information. Access to the BCP document and information should be granted on an as-needed basis. BCP documents and information are shared with the right people, in the right format and at the right time. That is, the appropriate level of BCP information should be communicated to empower those tasked with critical BCP roles and responsibilities with the competency and knowledge to carry them out.

Change management is essential to ensure that amendments to the BCP are approved by the appropriate and authorised management level. The change management process for the BCP may adopt the same process used by the organisation for other ISO standards (like ISO 9001 and 14001). The typical format for the change management records is illustrated in the table below.

| Document Type | Update Frequency | Updated by | Approved by |
|---|---|---|---|
| | | | |

BC Objectives

For example, it could be to implement the BC plan based on the SBF-SLA BCM-Readiness Framework by the end of Q

Plan Schedule

An illustration of the BCM Project Plan is as follows:

| No. | Task Description | M1 | M2 | M3 | M4 | M5 | M6 |
|---|---|---|---|---|---|---|---|
| 1.0 | Project Planning & Initiation | | | | | | |
| 1.1 | Document scope & BC objectives | | | | | | |
| 1.2 | Establish BCM policy & framework | | | | | | |
| 1.3 | Establish BCM organisation structure | | | | | | |
| 1.4 | Conduct briefing | | | | | | |
| 2.0 | Establish BCM Requirements | | | | | | |
| 2.1 | Risk assessment | | | | | | |
| 2.2 | Business impact analysis | | | | | | |
| 2.3 | BC strategy development | | | | | | |
| 3.0 | Develop/Update & Implement BCM Responses | | | | | | |
| 3.1 | Corporate BCP | | | | | | |
| 3.2 | Department BCP procedures | | | | | | |
| 4.0 | Conduct BCM Exercise | | | | | | |
| 4.1 | Prepare BCP exercise materials | | | | | | |
| 4.2 | Conduct organisation-wide BCP exercise | | | | | | |
| 5.0 | Management Review Meeting | | | | | | |
| 6.0 | Project Close & Handover | | | | | | |

26 REQUIREMENT 3: PLANNING

Prioritised Activities

In the planning phase, you will consider your company's lifeline product or service that requires contingency measures. You may wish to consider the following, where applicable to your trade:
1. Which product or service should be recovered (be delivered) as the first priority when a natural disaster or an accident disrupts the company's operations?
2. Which business activity makes a top selling product? Which shop sells most in your company?

Those critically important business activities are called Prioritised Activities (PAs), which you have to identify for your company.

Recovery Time Objective

As the second step, you should know the impact and timeline of total disruption to the main activities listed. For instance,
1. How soon would the total disruption of these activities become unacceptable to your company? (This period is called the Maximum Tolerable Period of Disruption (MTPD).)
2. What must be done to get your business operational again in the shortest possible timeframe, before heading towards exiting the business or filing for bankruptcy?

Business Impact Analysis

Completing a Business Impact Analysis (BIA) will enable you to better understand your business and priorities. A BIA identifies and documents your key functions and services, what activities and resources are required to deliver these, and the impact that a disruption of these activities would have on your organisation. You should fill in a BIA for each of your key functions and services. Within the BIA there is an Impact Description column. The table below will assist you in deciding the Impact Description over time. You can add or amend this table to reflect your organisation. This information will assist you in prioritising your key functions and services.

| Impact Ratings | Impact Category | Consequences Description |
|---|---|---|
| 1 (Minor) | Operation | Little or no disruption to service. |
| 1 (Minor) | Reputation | Little or no damage to reputation. |
| 1 (Minor) | Financial | Loss of up to 5% of revenues*. |
| 1 (Minor) | Business | Minimum or negligible effect on achieving organisation's objectives. |
| 1 (Minor) | People | Non-reportable minor injuries; simple first-aid |
| 2 (Moderate) | Operation | Slight disruption to service. |
| 2 (Moderate) | Reputation | Coverage in local media and/or some damage to reputation. |
| 2 (Moderate) | Financial | Loss of 5% to 30% of revenues*. |
| 2 (Moderate) | Business | Partial failure to achieve organisation's objectives. |
| 2 (Moderate) | People | Reportable injury requiring medical treatment |
| 3 (Major) | Operation | Loss of service for more than 48 hrs*. |
| 3 (Major) | Reputation | Extensive media coverage and/or damage to reputation. |
| 3 (Major) | Financial | Loss of over 30% of revenues*. |
| 3 (Major) | Business | Non-delivery of organisation's objectives. |
| 3 (Major) | People | Temporary disability; hospitalisation; fatality |

*This is observed by Marsh Risk Consulting in their past consulting projects on top management risk appetite/tolerance levels.

27 REQUIREMENT 4: SUPPORT

What Do You Need to Resume Key Activities?

Prioritised Activities are supported by various internal and external resources. When disrupted Prioritised Activities are to be resumed, those supporting resources should be available and ready. To have this support, you need to identify and list the necessary resources. In the subsequent steps, you will review risks to the listed resources, and their vulnerabilities. You will consider what measures are necessary to protect them, secure their availability, or prepare alternative options. Therefore, this list is very important and basic information in your BCP planning.

The first category is Internal Resources, which are usually under your company's control. These include buildings, equipment, machinery, tools, stock, materials, IT systems, documents and drawings, etc. It is also important that human resources be reviewed from the perspective of employees' special skills and expertise.

The second group is essential utilities such as electricity, gas, fuel, water and sewage etc. Communication networks (phone and internet) and transportation networks (roads, railroads and ports) are included. These resources are provided by public entities. They are not usually under your control. Typically, ordinary companies cannot afford to arrange alternative sources for essential services, due to the prohibitively high costs, and their availability. Therefore, these would become a basic condition for resumption of your Prioritised Activities.

The third group is your company's business partners and your upstream and downstream business chains. This group (direct and indirect partners) includes not only your suppliers, but also your customers. In the two catastrophic natural disasters, the East Japan earthquake and Thailand's floods which occurred in 2011, many companies were seriously affected by disruption to their supply chains. Many companies, which were not directly hit by the natural disasters, were seriously affected indirectly.

BCM Organisation

Various individuals, teams and committees have roles in BCM before, during and after a crisis event - developing strategies, establishing the operation requirements and identifying resources needed. The BCM organisational structure selected should be functionally scalable and ready to expand or contract to meet the needs of all crises. All relevant organisational functions should be analysed and represented. Some teams may be organisation-wide while others are designated for particular locations. Teams may be comprised of sub-teams suitable to various organisational situations.

Teams play a major role in BCM. Each business continuity team has a designated team leader and alternates. To keep the size of the teams to manageable levels, certain employees will often be assigned multiple responsibilities. It should also be kept in mind that some individuals may not be available to perform certain responsibilities during a crisis due to personal situations, and alternates should be identified.

28 REQUIREMENT 4: SUPPORT

BCP Project Team

| Primary BCM Representative (Name / Department / BCM Role) | Deputy BCM Representative (Name / Department / BCM Role) |
|---|---|
| | |

29 REQUIREMENT 4: SUPPORT

Disaster Lifecycle & RACI Matrix

| Areas | MD / CEO | Finance Dir | Operation Dir / COO | Head, PR, Marketing & Sales | Head, Admin & Legal | Head, HR | Head, Warehouse | Head, Logistics & Transport | Head, QEHS | IT Head | Head, Facilities & Asset | Head, Purchasing |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Crisis Management | A&R | C | C | C | C | C | C | C | C | C | I | I |
| Crisis Communications (external) | A | C | C | R | C | I | C | C | C | C | I | I |
| Crisis Communications (internal) | A | C | C | C | R | C | I | I | C | C | I | I |
| Emergency Response | A | C | C | I | I | C | I | I | R | C | C | I |
| Damage Assessment | C | C | A | I | I | I | C | I | C | C | R | I |
| Disaster Declaration | A&R | C | C | I | I | C | I | I | I | C | C | I |
| Business Continuity & Recovery | A | C | R | C | C | C | C | C | C | C | C | C |
| IT DRP | I | C | A | I | I | I | I | I | I | R | C | C |
| Salvage Assessment | I | C | A | I | I | I | R | A | C | C | I | I |
| Rebuild/Repair | I | I | A | I | I | I | C | C | C | C | R | C |

| Role | Abbrev. | Description of Role |
|---|---|---|
| Responsible | R | Employee entrusted to lead and/or execute the activities. |
| Accountable | A | Senior management representative entrusted and accountable to ensure the required actions are executed. |
| Consulted | C | Employees who will provide advice in their subject matter areas of expertise and responsibilities. |
| Informed | I | Employees who will be informed of the situation and events. |

30 REQUIREMENT 4: SUPPORT

BCM Response Teams

| Primary BCM Response Representative (Name / Department / BCM Team / BCM Role) | Deputy BCM Response Representative (Name / Department / BCM Team / BCM Role) |
|---|---|
| | |

Supplier and Partner Contact List

Some questions for reference:
- Who are your priority suppliers and partners whom you depend on to undertake your critical activities?
- Do you tender key services out to another organisation, to whom and for what?
- Do you have any reciprocal arrangements with other organisations?

BCM Key External Contacts

| Primary BCM Key External Contact (Name / Organisation / Department / / Mobile / DID) | Deputy BCM Key External Contact (Name / Organisation / Department / / Mobile / DID) |
|---|---|
| | |

31 REQUIREMENT 5: OPERATIONS

Risk Assessment

Know Your Disaster Scenarios

You need to clearly identify risks which may seriously threaten your company. The BCM team should identify and evaluate the key risks that have significant impact over time. You also need to analyse and estimate to what extent your critical resources may be impacted by such risks, and how long it will take to recover and resume them. These scenarios could be based on firm-level disruptions, such as refrigerated warehouses destroyed by a large fire, or equipment breakdown of refrigeration units, major power outages on the national grid, or internet service disruptions (similar to the fire at Bukit Panjang Exchange in 2013).

Do Not Forget Pre-Disaster Protection and Mitigation

Implementing the BCP constitutes part of the organisation's risk mitigation approach. The organisation shall implement adequate risk control measures to limit the impact over time caused by major incidents. Such integrated risk management methods reduce the possibility of a total loss situation where it may become impossible for the organisation to recover from the financial, business and economic losses.

Identify Business Functions

For example,

| Name of Function | Dept. Code | Key Function Activities |
|---|---|---|
| Receiving & sorting | OPN | |
| Inventory management | OPN | |
| Picking & packing | OPN | |
| Logistics & transport | OPN | |
| Facilities & engineering | FAC | |
| QEHS & security | EHS | |
| Employee welfare & relations | HRD | |
| Payroll processing | HRD | |
| Working capital management | FIN | |
| Purchasing | FIN | |
| Sales, marketing & BD | SBD | |
| PR & communications | COM | |
| Admin shared essential services | ADM | |
| IT services & support | ITD | |

Business Impact Analysis (BIA)

You will need to complete a BIA for each of your key functions or services. The BIA enables the organisation to determine the critical business functions (CBFs) with recovery time objectives (RTOs), which form the basis for the prioritisation of business continuity, recovery and resumption timeframes, and allocation of critical BCP resources. A business function is deemed critical if the impact over time is significant when one or more of the key risks occur. The determination of the impact over time should also take into consideration the internal and external dependencies, as well as the minimum people, technology and infrastructure resource requirements.

32 REQUIREMENT 5: OPERATIONS

Dept | Function Name | MAO | RTO | Time-sensitive Activities | Internal & External Dependent Services | BC Priority | Explanations & Remarks

Abbreviations
MAO: Maximum allowable outage; first instance when impact reaches moderate
RTO: Recovery time objective

Critical Business Function BC Resource Requirements
Dept Code | Function Name | Alternate Site Loc** | No. of BC Staff* | No. of Desks* | No. of PCs* | IT applications & services (RPO#) | List vital (physical) records | Name & quantity of other resources | External Resources & Services with quantities if applicable

# RPO: point in time to which the last instance of a file or data record is required
** State an identifiable alternate site location
* Specify the minimum number of staff, desks, PCs and other quantifiable resources like printers, faxes, phones, etc.; typically, this number should be 50% of normal staff strength or less

Emergency Response to Disaster
When a major incident occurs, the organisation needs to take immediate response actions to gain control of the incident and limit the impact. Such actions are referred to as emergency response or incident response. The organisation should establish an emergency operations centre (EOC) for the crisis (senior) management team or CMT to assert command, control and coordinate the emergency or crisis. If the primary EOC is inaccessible for any reason, then the CMT should relocate to a secondary EOC.

33 REQUIREMENT 5: OPERATIONS

The key activities related to emergency responses should include the following:

Key activities | Remarks and follow up actions
1. Immediate response actions to incident | Take actions to bring the incident under control and limit impact if the situation is worsening
2. Assess if the situation poses health and safety issues | Evacuate people from areas where health and safety cannot be assured due to the incident; account for employees and visitors
3. Stabilise situation | Continue actions and work with relevant government agencies, landlord, building management and service providers to bring the situation under control
4. Conduct initial damage assessment | Usually by assigned first responders and damage assessment teams
5. Activate BCP, if required; otherwise, continue to monitor the situation and activate if necessary | Estimate the overall impact over time. If the impact is significant and disrupts the operations for a significant period (which is anticipated to be longer than the recovery time objectives for BCP), then BCP should be activated.
6. Mobilisation of people and activation of alternate site and other service providers | Activate BCP resources
7. Set up alternate site(s) | Get alternate site(s) ready to support the BCP

Call Tree Guidelines
Guide when notifying staff of BC Plan activation and the action to be taken:
- Each person should not call more than 3 names.
- Keep each call to less than 3 minutes so that 40 people can be contacted in less than 30 minutes.
- Upon activation, the staff member is to contact his or her Head of Department, and proceed to activate the other staff in the business unit call tree.
- If the person called is available, relay the following information:
  - Disaster status
  - Action to be taken: Stand by until contacted with further instructions OR Report to (location) at (time)
  - Emphasise that the situation should not be publicised.
- If the person called is not available, leave a message for the person to return the call.
- If leaving a message is not possible, call back every 5 minutes.
- If the person remains non-contactable for 20 minutes, call the next person that this person is assigned to notify.
- List the names of non-contactable staff in a Status Report.

No. | Contact By | Name | Title | Mobile | Home
1.0 | CMT | | | |

34 REQUIREMENT 5: OPERATIONS

BCP Activation
This section includes your internal policies for BCP activation. Please include your guidelines and criteria, BCP escalation, damage assessment, and BCP activation & monitoring high-level process flow chart in the table below.

Plan Activation Procedure
This plan can be activated by the following people:
Examples of trigger events that would necessitate the activation of the plan include the following (note this is a guide only and the list is not exhaustive):
Primary location for the response to be managed from is:
Alternative location for the response to be managed from is:
Staff that can be requested to form an Incident Response Team:
Staff trained in the role of Incident Manager:

BC Strategies to Early Resumption
The organisation shall determine Business Continuity Strategies (BC Strategies) that enable critical business functions (CBFs) to continue, or be recovered and resumed, based on established prioritisations derived from the impact over time, recovery time objectives and inter-dependencies. The minimum resources required to support the BCP activities should be determined. The BC strategies should be determined based on the most probable loss or credible worst case key disaster scenario. Typical strategies to evaluate include:
- Strategy 1: Resume CBFs at the damaged/affected warehouse site
- Strategy 2: Resume CBFs at an alternate warehouse site (either in-house or external facility) or transport services
- Strategy 3: Resume CBFs by other workaround methods like repacking at supplier side, and shipping direct to clients

Your BC Strategies might be a combination of the above three or any other strategies. The evaluation should take into consideration the time frames when essential IT, technology and utility resources will be recovered and resumed after the incident. For example, when the alternate sites for cold or refrigeration rooms will be available, and where they should be located, should be assessed. Another example will be to assess the feasibility of shipping via different land, air and sea routes and ports.

35 REQUIREMENT 5: OPERATIONS

If external business partners or service providers are used, then there should be documented memoranda of understanding or agreements which set out the services that will be provided to the organisation when the business partner or service provider is activated. The common BC strategies constitute good practices for the industry sector (like the logistics, warehouse and cold chain services). Industry members should be encouraged to discuss and share them during sectoral meetings.

Be Financially Prepared
Organisations should anticipate additional expenses and costs related to BCP. These may be expenses and costs associated with pre- and post-incident BCP activities. The budget to support the BCP activities should be determined and allocated. Some of the expenses and costs arising from an actual incident may be mitigated by the appropriate property protection and business interruption insurance policies. Key factors to consider in your financial analysis include:
- Estimate how much revenue will decrease as a result of the business disruption
- Estimate the costs to recover and resume the critical business operations
- Calculate the level of funds needed to support the BCP
- Calculate the working capital required to support the organisation for three months (for example)

BC Plan Key Assumptions
List Key Assumptions
- Only one major location will be affected by a major incident at any one time.
- The alternate site for BCP will be accessible and available to users.
- Only critical business functions will be accorded priority for recovery.
- Critical IT application systems and data will be protected; that is, backed up and stored offsite.

BC Plan Key Constraints & Exclusions
List Key Constraints
- Single cold storage warehouse.
- Refrigerated storage of perishable goods can only last 4 hours of refrigerator downtime.
List Exclusions (if appropriate)
- IT disaster recovery plan (DRP) will facilitate the recovery of the critical application systems and databases.
- TradeNet maintained by CrimsonLogic. Additional 2-7 days for manual processing and 3 to 6 times in permit fees.

BC Strategies: Data protection for IT disaster recovery plan
- Replication or back up in office building (i.e. locally stored): Files are centrally stored in network drives. Files are replicated to a second network drive or backed up to secondary media (e.g. magnetic tapes), both of which are stored locally.
- Offsite storage: Removable discs or magnetic tape media are stored offsite. The last version of files stored is usually the files stored at the end of the previous business day.
- Replication to offsite network disc storage: Files are centrally stored in network drives. Files in local network drives are replicated to offsite network disc storage.

36 REQUIREMENT 5: OPERATIONS

- Backup for offsite network disc storage: Files stored in offsite network disc storage are backed up to secondary data storage media (e.g. magnetic tape or CDs).

BC Strategies: System Recovery for IT disaster recovery plan
- DR server procured after BCP & IT DRP are activated: Servers are procured and delivered to alternate IT DRP site. Servers will be set up and configured within 24 hours including loading of operating systems, installation of application software and database.
- Standby DR servers are set up before BCP & IT DRP are activated: Servers are procured and delivered to alternate IT DRP site in advance. Servers will be set up and configured in advance including loading of operating systems, installation of application software and database.
- Outsourced hosted services for critical applications and data: Hosted services may be subscribed from external service providers. Service providers may provide virtual private servers or private cloud services. Services may include provisioning of secondary servers for DR of main virtual private servers.

BC Strategies services for IT disaster recovery plan
- Recovery for servers internally in office premises: servers and files will be set up and configured within 8 or 24 hours. Approach will be similar for the server recovery for all other critical applications.
- Outsourced services: services are subscribed from external service providers. Physical servers are hosted in external data centres which have better power telecommunications network infrastructure resilience. Service providers may also provide secondary servers or host services in a virtual private cloud environment.

BC Strategies: Pandemics & Haze response
- Common responses for pandemics (infectious diseases) & haze: Issue personal protective equipment (PPE).
- Pandemics (infectious diseases) specific responses: Implement alternative working arrangements. Designate a medical quarantine area.
- Haze specific responses: Limit outdoor activities to reduce exposure to haze. Increase frequency of replacing air filters.

37 REQUIREMENT 5: OPERATIONS

Simple BCP
What: Name of function and/or title of main task; RTO: time within which the function needs to recover
When: Elapsed time from incident start at which tasks need to commence
Where: Location where tasks are executed
Who: Person or team responsible to execute task
How: Tasks to execute

Emergency Response Stage (RESPOND)
Function Name / Department:
Time** | Name of Activity | Action by | Description of Tasks in Main Activity
T_ERP | Emergency response | ERT | <Describe tasks>
T_STB | Stabilisation | ERT | <Describe tasks leading to a stable environmental condition conducive for DAT to enter as first responders>
T_DAT | Damage assessment | DAT | Report to CMT extent of actual and potential damage
T_BCP | Activate BCP | CMT | CMT activates and declares BCP
T_LAJ | Loss adjustment | ADM / FIN | <Describe tasks>
** Elapsed time from start of incident
T_DAT: time elapsed when damage assessment team (DAT) commences damage assessment tasks
T_BCP: time elapsed when crisis management team (CMT) activates and declares company-wide BCP
T_BLAD: time elapsed when activities for loss adjustments and assessment commence

Business Continuity Stage (RECOVER & RESUME)
Function Name / Department:
Time** | Name of Activity | Action by | Description of Tasks in Main Activity
T_BCP | Activate BCP | | Receives instruction that CMT activated and declared BCP
 | | | <List tasks before RTO>
T_RTO | Achieved RTO | | Notify CMT RTO met
 | | | <List tasks continue after RTO>
** Elapsed time from start of incident
T_RTO: time elapsed equals RTO

38 REQUIREMENT 5: OPERATIONS

Salvage Assessment Stage (RESTORE & RETURN)
Function Name / Department:
Time** | Name of Activity | Action by | Description of Tasks in Main Activity
 | | | <Describe tasks>
T_SAT | Salvage assessment | | Report to CMT extent of actual and potential damage
 | | | <Describe tasks>
** Elapsed time from start of incident
T_DAT: time elapsed when damage assessment team (DAT) commences damage assessment tasks
T_BCP: time elapsed when crisis management team (CMT) activates and declares company-wide BCP

39 REQUIREMENT 6: PERFORMANCE EVALUATION

Exercise Makes Your Plan Functional
How confidently can you answer "Yes" to the following questions?
- Can all employees and customers evacuate promptly and safely, following your evacuation plan?
- Can all employees call your emergency phone number to report safety confirmation?
- Can EOC members gather properly and immediately at the meeting place and undertake their designated role?

Planning and executing plans are different tasks. Your company's Business Continuity Plans should work effectively in an emergency, as planned. The purpose of exercises is to ensure that your company's plans work effectively and achieve their objectives. Exercises are intended not only to test performance, but also to empower employees and provide them with education and training to enhance their knowledge and expertise. Some examples of the main exercises are listed below.
- Evacuation Drill: test and practice safe and prompt evacuation to the designated location.
- Safety Confirmation Exercise: test and practice employees' emergency calls and safety confirmation.
- Launching Emergency Operation Centre (EOC) Exercise: test and practice starting up the EOC and conducting designated roles by EOC members.
- Backup Data Recovery Exercise: test and practice recovery by backing up data.
- Re-starting Operation Exercise: test and practice resuming operations after disruption.
- Launching Alternative Site Exercise: test and practice starting up operations at an alternative site.

Performance Measures
Department:
Business Function:
Assessment Area | Measurement Criteria | Observation
BC procedures | BCP | Missing or redundant
RTO | Approved RTO | RTO recorded in exercise
IT application services | List in BIA with RPO | Measure time to recover apps & the time of last record
Vital (physical) records | List in BIA |
BC staff numbers | No. of staff in BIA | No. of staff in test
BC workspace | Quantity in BIA. Organisation may want to consider the number of staff and scale of BC operations/activities involved, when determining the quantity. | Workspace count in test
BC resources | Quantity in BIA. Organisation may want to consider the number of staff and scale of BC operations/activities involved, when determining the quantity. | Type and count in test
Conclusions:
Next Actions (By Whom):

40 REQUIREMENT 6: PERFORMANCE EVALUATION

Assessment Area | Measurement Criteria | Observation
Internal dependencies | BIA & BCP | Activities performed in exercise
External dependencies | BIA & BCP | Activities performed in exercise

BCM Governance & Reporting

Planning & Programme Stage
- BCM Steering Committee
- BCM Programme Office (Organisation BCM Coordinators)
- BCM Working Committee (BU BCM Coordinators)

During Disasters
- Crisis Management Team (physical and/or virtual presence in EOC)
- Crisis Management Support Team
- BU BCP Teams

Roles & Responsibilities
- Approve BCM Policy Statement & BCM Framework
- Make strategic decisions and issue guidelines for BCM
- Allocate budget and resources for BCM projects implementation
- Approve recovery strategies and Business Continuity Plan (BCP)
- Establish BCM policy and Framework
- Monitor, track and report status of BCM project
- Coordinate overall BCM project implementation
- Participate in the project implementation by:
  - Attending the BCM training and workshop
  - Facilitating the collection of BCM information and updating various templates
  - Liaising with HODs for BCM validation and approval
- Execute BCP activities during disasters

41 REQUIREMENT 7: CONTINUAL IMPROVEMENT

Review and Check your BCP
To make your company's BCP most effective, you should monitor and review your company's BCP activities. Your entire BCP activities (before, during and after an incident) should be reviewed. You should ask the following questions for the review of each step.
- Are BC activities (which have been decided and planned) effectively done?
- Are there any tasks and problems for improvement?
- Are there any changes to internal and external circumstances which need to be considered?
- Are there any areas or items which were not included in your BCP, but should be included?

This review and check process should be conducted periodically, at least once per year. If there is any change in your company's business environment, such as a change of partner companies (suppliers or vendors), core business operations (products or services), IT systems, mergers & acquisitions, or location, you should pay attention to the possible effects of these changes. These factors may not have been considered or may have been omitted in your reviews, and therefore you may need to reconsider and make the necessary changes to your BCP activities. It is important to review periodically and not miss the opportunity to update your BCP. These internal reviews are usually done by BCP teams, lead departments and internal audit departments.

Management Review
In addition to the above Review and Check processes, senior management have to proactively initiate a review of the company's BCP at least annually, and ensure that your company's BCP has been managed effectively and the PDCA cycle is working. It should be understood that management review works as a strong driver of the PDCA cycle.

[Figure: Business Continuity Management System, BCM PDCA Cycle. Plan: Establish. Do: Implement and operate. Check: Monitor and review. Act: Maintain and improve.]

PDCA - Continuous Improvement
Business Continuity Management is your company-wide activity to establish the capability to resume critical operations (Prioritised Activities) after disruption caused by an accident. It is not easy to establish such capability in a short period of time, but it is essential to continuously improve and enhance your capability, like ascending a spiral staircase. It is highly recommended that you utilise the PDCA Cycle (Plan, Do, Check, Action) Mode for your company's continuous improvement of BCM.

42 EXAMPLES: COMMON GOOD PRACTICES

IT & Technology

Common Current Practices
Critical systems & databases; file servers
- Local redundancy: RAID hard discs; local NAS
- Back up to secondary media
- Store back up media off site
- Offsite recovery facility: server with hard discs procured during recovery initiation
Electronic data interchange (EDI)
- Organisations will frequently rely on the EDI portals (like Singapore Customs' TradeNet) to exchange trade and shipping information.
services
- Hosted externally with no redundancy
- Expected downtime 24 hours; no committed SLA

Recommended (minimum) Practices
- Offsite NAS: data replicated once or twice a day
- Offsite back up to secondary media
- VPN for replication to offsite storage
- Offsite location sometimes with minimum physical security and access control (e.g. Director's home)
- Access rights and privileges controls and enforcement
- Access to the computer room or data centre should be restricted to authorised internal and external support staff.
- Supply chain management service providers may consider integrating critical internal application systems and databases with the external EDI systems to minimise information exchange errors.
- Key clients may be required to enter order information and instructions via a browser based portal application which is usually accessed via the internet (with SSL) or VPN.
- Hosted externally with offsite redundancy
- Expected downtime 2 or 4 hours, depending on SLA

Resilient Practices
- Virtualization, private cloud or hybrid cloud services hosted internally or externally in 2 or more physically separate data centres (DC)
- Strong cyber security protection
- Good physical security and access control
- 24x7x365 monitoring and support
- Leverage on web and/or cloud based application service providers (including software application as a service) to minimise IT set up and operating costs, through cost-sharing of application development and IT support services
- Supply chain management service providers may consider integrating critical internal application systems and databases with the external EDI systems and with the manufacturing resource planning applications for key clients.
- Data should be transmitted in a secure manner like VPN, encryption and/or 2-factor authentication.
- Hosted externally; database mirrored locally & to other data centres (DC)
- Expected downtime less than 30 minutes or negligible message loss

43 EXAMPLES: COMMON GOOD PRACTICES

Common Current Practices
Data & voice communications infrastructure services
- Dependent on sole ISP
- No alternative or back up for internet access
- Will rely on mobile devices for internet if office internet service is unavailable
IT / Cyber security
- Firewall: simple firewall; often using firewall feature built into ISP router
- AV: simple server and client AV software; sometimes include basic intrusion detection (IDS) features
- Mobile devices access; devices do NOT have AV

Recommended (minimum) Practices
- Dependent on sole ISP
- Alternative uses business mobile wireless access
- Service may be restricted to key users with critical processes.
- Policy: ISMS ISO
- Firewall: physical devices; 2 stages
- File encryption
- Secure file transfer
- Mobile devices: install AV software with features to wipe out critical applications and data remotely when devices are lost or stolen

Resilient Practices
- 2 or more ISP connections
- Uses different service providers, using structurally independent infrastructure
- IDS: dedicated devices implemented to detect and automatically react to malicious activities
- Endpoint protection
- Risk assessment: regular and annual review of IT and cyber risks, evaluation of existing controls, and improvement relevant to changing cyber threats and business requirements

External domain name services (DNS)
- Hosted externally with no redundancy
- Recovery: best effort basis
IT Disaster Recovery Plan (DRP) & Data Protection
- Data backup sets created; but NOT tested.
- No formal recovery arrangements for critical application systems and data (including s).
- External DNS services hosted externally; redundant secondary DNS in a separate DC
- Expected downtime between 2 to 24 hours
- Documented IT DRP
- Annually tested; results validated against plan
- Backup data recovery included in annual tests.
- VPN access for critical applications and databases, including s.
- Hosted externally
- No perceived downtime
- Strong cyber security protection
- Annual IT DRP tests incorporated into overall corporate BCP exercises.

Risk Transfer: IT outsourcing
- Outsourcing of IT and technology services
- Especially services: services like Microsoft's Outlook 365 improve availability of services
- Services also provide the option for external cloud storage
- Organisations should evaluate the business impact of risks and the benefits of outsourcing IT services

44 EXAMPLES: COMMON GOOD PRACTICES

Physical Accessibility, Availability & Security

Common Current Practices
Availability of transport vehicles
- Transport vehicles are parked alongside other vehicles after operation hours.
- Limited number of vehicles specially fitted to transport chilled or frozen food stuff and pharmaceuticals, especially for small companies.
- Typically, no arrangements for alternative vehicles to be prequalified.
Accessibility of roads
- Road leading to premises: 2-way single lane traffic.
- Sometimes obstructed by (heavy) vehicles parked by the side of the road.
- Accidents may render the road impassable, which may last for several hours if there are fatalities during the accident.
- Only 1 entry gate is passable to vehicles; that is, no alternate gates and roads are available.

Recommended (minimum) Practices
- Make advance arrangements with other organisations with similar requirements: provision for alternate vehicles that would be pre-qualified to be suitable to transport cold chain and pharmaceutical products.
- Park vehicles in different areas within the premises: avoid all vehicles being damaged by the same incident.
- Make advance arrangements with suppliers customising the vehicles to expedite the supply of replacement vehicles.
- Make advance arrangements with the landlord, building management and Government agencies to create and open a temporary gate to an alternate road for vehicles.

Resilient Practices
- Maintain multi-vehicle fleet preconfigured and pre-qualified to transport cold chain and pharmaceutical products.
- Park vehicles in different locations.
- A permanent alternate gate should be constructed; but may be locked during normal operations.
- Access roads to both gates should not be concurrently impassable to vehicles.
- Access roads should be wide to allow heavy vehicles to pass by if one lane is totally impassable.

Skilled Human Capital

Common Current Practices
Availability of skilled personnel
- Skilled personnel include drivers and logistics personnel who are trained and prequalified to handle food and/or pharmaceutical products.
- Employees supporting clients that have outsourced the supply chain management process are trained, including employees tasked with order processing and inventory management.

Recommended (minimum) Practices
- Document skills competency records
- Maintain split team operations to prevent cross infection during epidemics or pandemics.
- Enable minimum operations through split team planning and deployment during such times.

Resilient Practices
- Identify potential employees with interests and capabilities to be cross trained to cover the duties of skilled personnel.

45 EXAMPLES: COMMON GOOD PRACTICES

Common Current Practices
Training & Awareness
- Training for personnel is provided ad hoc, possibly as on-the-job training, and on an as needed basis.
- Formal training records are maintained only for record purposes to meet customers' and regulatory requirements.

Recommended (minimum) Practices
- Conduct awareness training: cyber security risks
- Training to familiarise employees to support business continuity (or contingency) plans and protect business value creation processes should be formally established and conducted.
- Specific employees are trained and familiarised with GDP and HACCP.

Resilient Practices
- Cross train employees to cover duties of skilled personnel. For example, train additional drivers/delivery personnel; pre-qualify them for handling cold chain and pharmaceutical products.
- Employees should be trained on internationally accepted good distribution practices (GDP) to facilitate support for pharmaceutical business.
- Employees could also be familiarised with good practices aligned to HACCP.
- Organisations that are providing critical supply chain management services should also cross train other employees to support the client.

Supply chain (Business Value Creation Process)

Common Current Practices
Certification to Good Distribution Practices (GDP) & HACCP
- HACCP and GDP are essential certifications for companies involved in cold chain and pharmaceutical logistics.
- Most local SMEs supporting cold chain logistics subscribe to HACCP.
- A few of the companies handling shipments of pharmaceutical products are certified to the GDP requirements from the local Health Sciences Authority (HSA).
- HACCP and GDP are typically focused on services that are related to specific clients and product groups.

Recommended (minimum) Practices
- HACCP and GDP programmes to be more widely practised within the organisation.

Resilient Practices
- The organisation could adopt or expand the processes and services to enable the organisation to be certified to GDP, for example, on an international or regional level.
- This makes the company more competitive, and expands the business to compete with established international service providers.

46 EXAMPLES: COMMON GOOD PRACTICES

Common Current Practices
Route planning; cross border arrangements
- Only some routes are prearranged with clients so as to conform to GDP.
- Route planning for other shipments is based on the knowledge gained from past experiences; that is, route planning is commonly undocumented.
- Local and smaller SMEs are primarily focused on logistics and warehousing services serving the local market, or within the South East Asia region.
- International and larger local SMEs to provide international and region wide services. Such organisations will work with overseas agents or business partners to provide and support overseas shipments and transportation; very often the arrangements are made only when required for a shipment.
Time sensitive air freight or cargo
- Shipments are arranged ad hoc with the overseas agents and carriers.
- Services may be disrupted when aircraft are grounded due to technical faults, worker strikes, or adverse weather conditions.
Inventory & warehouse management services
- Provide storage space for key clients
- Support limited to shipment sorting and inventory management, as well as picking and packing for outbound shipments.
- Services are requested by clients on an as needed basis.

Recommended (minimum) Practices
- Route planning for major clients could be pre-arranged, and should include contingent routes in the event that the preferred routes are disrupted or impassable.
- Established formal arrangements with business partners and agents to collect and ship packages.
- 2 or more agents are sourced and pre-qualified, to limit the impact of service failures.
- The arrangements typically assume the ports in Singapore are still operational. That is, no formal contingency plans are established to transport the shipment overland to and from the ports in Malaysia.
- Service failure or disruption is minimised by maintaining contingency plans consisting of support from 2 or more agents, and also 2 or more carriers.
- Monitor, track and order replenishment services offered to 1 or a few clients requiring support only in Singapore or within South East Asia.
- Key clients may rely on the organisation as one of a few core supply chain service providers; sometimes processes and requirements are established in SLAs.

Resilient Practices
- Major routes that cater for the majority of the shipments (handled by the organisation), and for key clients, should be pre-arranged and documented, including the contingent routes.
- International logistics and warehouse service providers may have established contingency processes to coordinate with their overseas operations (e.g. Malaysia) to ship through the overseas ports in the event that the air and sea ports in Singapore are unavailable to handle inbound and outbound shipments.
- Service Level Agreements (SLAs) are established with 2 or more agents (business partners) and 2 or more carriers.
- Internal alternative teams and arrangements may also be implemented to handle inventory and shipments, with support from 2 or more carriers.
- Monitor, track and order replenishment services for major clients requiring service support across multiple countries and regions
- Services are embedded as critical and core supply chain process for key clients.
- BCPs and contingency plans are exercised annually or whenever necessary.

EXAMPLES: COMMON GOOD PRACTICES

Facilities & Infrastructure

Common Current Practices

Facilities
Single or compartmentalised warehouses, but with limited capacity in the cold room; constructed for storage of frozen and chilled foodstuff, and pharmaceutical products.

Electrical power supply
Emergency electricity supply does not provide electrical power to the cold room.
The cold room will protect chilled and/or frozen food during a power failure and prevent thawing through good thermal insulation.
Proper packing of the pharmaceutical products will prevent deterioration for a short period.

Recommended (minimum) Practices

2 or more warehouses.
Secondary warehouse may be operated by the organisation or a business partner.
Alternate warehouses may be certified suitable for storage of cold-chain and pharmaceutical products.
Make advance arrangements with PowerGrid and electric power suppliers to recover and restore electrical power within a few hours during an emergency.
If the substation electrical equipment is damaged, the repairs may take a significantly long period, thereby causing a significant disruption period.
Uninterruptible power supply equipment to enable critical application and work files to be saved; critical servers, PCs and equipment can be safely shut down.

Resilient Practices

2 or more facilities operated by the organisation, usually not situated within the same locale, so as to avoid being affected by the same incident.
Certified suitable for cold-chain and/or pharmaceutical products.
Backup generator systems (including diesel supply SLAs with suppliers) providing electrical power to continue cold room operations, including special temperature-controlled areas for storage of pharmaceutical products.
Make advance arrangements with Singapore Power and PowerGrid to provide temporary electrical supplies while the defective substation equipment is repaired.
Alternative power sources (like solar power generation systems) should be considered.

YUSEN LOGISTICS

Annual Fire Drill Practice (photo taken in 2014)

Founded in Singapore in 1979, Yusen Logistics (Singapore) Pte Ltd provides freight forwarding and solutions which range from stand-alone operations to control-tower managed global supply chains, combining our expertise with unique technology capabilities and our global service network. The company has striven to attain recognised standards and licences over the years, such as ISO 9001:2008 Quality Management Systems and accreditation in TAPA and GDPMDS, with the aim of providing undisrupted and consistent service and support to its key clients globally.

Yusen Logistics puts in place industry specialists throughout its teams so as to create solutions throughout the supply chain, sharing state-of-the-art best practice across different industry sectors to optimise flows. Its industry-specific expertise includes lean principles and Just-in-Time for manufacturing; OCM (Origin Consolidation Management) support and buyer's consolidation services in retail; Healthcare certified GDP (Good Distribution Practice) temperature-controlled, multi-modal solutions for pharmaceuticals; and AOG (Aircraft On Ground) response and aircraft service parts inventory management in aerospace.

Encouraged by its shareholders Yusen Logistics Co., Ltd and Nippon Yusen Kabushiki Kaisha in Japan, Yusen Singapore adopted a Business Continuity (BC) Basic Policy for its operations even though the company was not certified in Business Continuity Management (BCM). The company's BCP policy specifies that Yusen Logistics will be able to maintain important functions where possible, or quickly restore them if interrupted during a disaster or catastrophic event. Some of these important functions include Commissioning, Human Resource, Information Management and Technology, Finance and Operation. The plans in place provide for work-from-home arrangements, how to implement the necessary supporting information infrastructure, and ways to review and replenish emergency supplies.

The five policies adopted by Yusen are as follows:

1. To give the highest priority to the lives and safety of the company's employees, their families, and all other parties concerned.
2. To protect the company's assets, and maintain capacity for customs clearance, transportation, storage, information, etc., so that Yusen Logistics can continue to provide logistics services for its customers.
3. To rapidly grasp the situation and prevent the spread of damage, returning operations to normality as soon as possible.
4. To fulfill the company's social responsibilities in the event of a disaster by logistics services.
5. To implement regular disaster education and training, and to be committed to review and improve the company's business continuity plan (BCP) at all times.

(From the Yusen Logistics website, under "Planned Emergency Response for Effective Business Recovery")

To ensure its BCP is sufficiently robust, Yusen Logistics conducts annual drills within its organisation to identify any possible gaps in its contingency measures. This also enables the company to deepen its capabilities for future expansion.

Mr Hiromitsu Kuramoto, President of Yusen Logistics, shared his vision as follows: "We will expand our business further in ocean freight forwarding, air freight forwarding and logistics businesses. Along with sales expansion with a growing economy in the U.S. in the background, we will continuously expand our businesses in the areas including Asia designated for enhancing sales as stated in the medium-term Business Plan. We will do our utmost to ensure sustainable growth and achieve our long-term objectives of combining our strengths to be No. 1 in Asia and one of the top 5 logistics providers worldwide."

KAWASAKI-RIKUSO TRANSPORTATION CO., LTD

Solar panels on the roof of KRT Sakado Distribution Center, Saitama, Japan

Kawasaki-Rikuso Transportation (KRT) Co., Ltd. was founded on 21 February 1924 to offer logistic solutions for clients in Japan. It has since grown into a large organisation with more than 500 employees in Japan, connecting its clients to the rest of the world. It prides itself on maintaining high standards for its food clients as a third-party logistics service provider and a reliable one-stop solutions provider from customs clearance to bonded warehouse. Japan is well-known worldwide for its strict standards for food safety, and accordingly, KRT ensures its policies and processes fulfill the expectations of the most discerning and demanding customers when it comes to order fulfillment.

As a logistics company, KRT is keenly aware that their team cannot afford to stop logistics regardless of disruptions and disasters. A number of its clients are in the food industry and offer food supplies to a large number of customers. In addition, Japan has been experiencing a number of disasters and crises such as major earthquakes, tsunamis and floods.

To ensure the company will be resilient during crises and disruptions, KRT President Keiichi Higuchi initiated a Business Continuity Program (BCP) after the Great East Japan Earthquake and the resulting Fukushima Daiichi Nuclear Power Plant crisis took place in. The BCP's mission is never to stop the shipment of KRT's clients. Higuchi-san purchased generators from Korea which were installed in temperature-controlled warehouses in Japan to ensure the food supplies remain of quality. These warehouses are powered by diesel in the event of an electrical outage. He subsequently established two data centres, in Okinawa and Saitama prefectures respectively, which are largely unaffected by earthquakes in Tokyo, so as to maintain data availability for ongoing logistics operations. These centres depend on solar power generation and the company stores excess power as backup. In addition, the centres can use battery power backup in the form of warehouse forklift batteries.

As part of an ongoing effort to strengthen BCM capability and knowledge, Higuchi-san travelled to the United States and studied the BCM materials available. As there are limited BCM materials available in Japan, he translated useful information into Japanese as a BCM manual and documentation for KRC employees. To ensure KRT is prepared ahead of unexpected crises, evacuation drills are conducted six times a year in each of the two warehouses; the norm is once or twice a year in Japan. KRT drills include all employees, part-timers as well, so that everyone is prepared for an emergency.

President Keiichi Higuchi said, "As a third party logistics service provider, KRT will provide services satisfying our clients at the time of not only ordinary times but also emergency situation. KRT's BCP can show our commitment to deliver for our clients no matter what happens."

To further enhance its BCP, the company would like, in the future, to install generators to operate a refuelling control system from the underground tank of its in-house gas station during a blackout.

Please refer to KRT corporate website for more details:

TNT LOGISTICS

As one hurricane after another took aim at Florida during the summer of 2004, officials at TNT Logistics hunkered down in meetings to determine how best to keep their customers' goods moving in spite of the wind, rain, and floods battering the region. "Once the expected path of a hurricane grew clear, we got together regularly, usually once a day, to discuss what plans to put in action," says Jeff Hurley, then-chief operating officer of TNT Logistics North America. For example, when the National Hurricane Center predicted Hurricane Frances would pass directly through Jacksonville, TNT's North American headquarters city, the company set up a contingency command center in Atlanta.

High-profile events such as hurricanes and blackouts pose only part of the risk to the supply chain. Many other disruptions keep goods and materials from reaching factories, distribution centers, and stores. "A technology interruption is the first thing that comes to most people's minds," says Hurley. That's an important focus for TNT, he says, because the 3PL relies so heavily on information technology to support its clients.

Keys to planning for supply chain continuity also include risk assessment of the potential disruptions, developing backup processes and contingency plans, and, importantly, reviewing and updating plans as circumstances require. Contingency strategies might include:

installing generators in case power goes out;
installing backup servers to run key software applications;
securing backup vendors for crucial supplies;
making sure vendors have alternative plans for delivering goods; and
cross-training employees so they can take over one another's work.

To make sure the plan is effective, a company can test its strategies through table-top exercises or live drills. "For example, periodically, we conduct a variety of tests on our technology, including shutting down the systems and allowing backup to take place," Hurley says.

For TNT Logistics, the hurricanes of summer 2004 brought ample opportunity to test its business continuity plans. In addition to setting up a contingency facility in Atlanta, the company scrambled to complete the week's work at its Jacksonville headquarters before it released employees to prepare their homes for Hurricane Frances' expected landfall. "We estimated payroll, ran it early, and shipped checks to the field locations prior to any sort of immediate impact," Hurley says. TNT also made sure officials could communicate if the storm knocked out the landline phone network.

The impending storms put special pressure on one of TNT's customers, Florida Power and Light (FP&L), based in Juno Beach, Fla. TNT operates a call center in Jacksonville to manage the utility's shipments from suppliers to its service depots throughout south Florida. As a storm approached, TNT moved some of that center's staff to another TNT location outside the impact zone so they could continue working, Hurley says. In addition, TNT moved the parts and supplies FP&L would need to fix power lines downed by the storms. "We brought in external management from other locations to help support the higher demand that occurred once the storms passed through," Hurley says. To make sure fresh drivers were available as needed, TNT shared trucks between FP&L and Home Depot, another Florida customer that saw a storm-inspired surge in demand.

The above is an abridged version based on the article written by Merrill Douglas in January. Please refer to the full article via

GLOSSARY OF TERMS

Business Continuity Management (BCM)
A management process that helps manage the risks to the smooth running of an organisation or delivery of a service, ensuring that it can operate to the extent required in the event of a disruption.

Business Continuity Plan (BCP)
A document containing all of the information required to ensure that your business is able to resume critical business activities should a crisis/disaster occur.

Business Continuity Management Standard (ISO 22301:2012)
An international certifiable standard that establishes the process, principles and terminology of BCM.

Business Impact Analysis
The process of gathering information to determine basic recovery requirements for your key business activities in the event of a crisis/disaster.

Exercise
A simulation to validate a plan, rehearse key staff or test systems and procedures.

Maximum Allowable Outage (MAO)
Time it will take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

Maximum Tolerable Period of Disruption (MTPD)
Duration after which an organisation's viability will be irrevocably threatened if product and service delivery cannot be resumed.

Minimum Business Continuity Objective (MBCO)
The minimum level of services and/or products that is acceptable to the organisation to achieve its business objectives during a disruption.

Key Business Activities
Activities the continuity of which an organisation needs to ensure, in order to meet its business objectives.

Recovery Time Objective (RTO)
Time from which you declare a crisis/disaster to the time that the critical business functions must be fully operational in order to avoid serious financial loss.

Resources
The means that support delivery of an identifiable output and/or result. Resources may be money, physical assets, or most importantly, people.

Risk
Risk measures the significance of a potential event in terms of likelihood and impact.

Risk Assessment
A structured and auditable process of identifying significant events, assessing their likelihood and impacts, and then combining these to provide an overall assessment of risk, as a basis for further decisions and action.

Risk Management
The process of defining and analysing risks, and then deciding on the appropriate course of action in order to minimise these risks, whilst still achieving business goals.

Version Control
Technique to control access to and modification of documents and to track versions of a document when it is revised.

ACKNOWLEDGEMENTS

The Singapore Business Federation would like to thank the Singapore Logistics Association for encouraging their member companies to contribute towards this BCM Drawer Plan, and SPRING Singapore for supporting this sectoral initiative.

Special thanks to the following company representatives who contributed to the development of this BCM Drawer Plan through their participation in focus group discussions:

Griffin Kinetic Pte Ltd
Schenker (Asia Pacific) Pte Ltd
Seo Eng Joo Frozen Food Pte Ltd
Mandai Link Logistics Pte Ltd
SFS Global Logistics Pte Ltd

Additional Resources
For government assistance for enterprise-resilience-related standards (ISO 22301, ISO 27001, ISO and SS 584), please visit

Your Feedback
We would welcome your feedback on the BCM Drawer Plan. In particular we would like your comments on how useful you found the BCM Drawer Plan and any suggestions to make it more relevant to your sector or to enhance it. Please send your feedback to

Notes

© 2015 Singapore Business Federation. All Rights Reserved. Written permission must be sought from the Singapore Business Federation before the contents of this publication are reproduced in full or in part.

Formed in 1901, BSI was the world's first National Standards Body and over a century later is globally recognized as champions of best practice. BSI is responsible for originating many of the world's most commonly used management systems standards and publishes over 2,500 standards annually. BSI works with over 90,000 clients in 150 countries worldwide to help them adopt and cultivate the habits of best practice. BSI is the leading global Certification Body specializing in ISO certification and training solutions.

1 Robinson Road #15-01 AIA Tower Singapore
E: sgp@bsigroup.com
W: bsigroup.sg


More information

RISK ENGINEERING GUIDELINE

RISK ENGINEERING GUIDELINE RISK ENGINEERING GUIDELINE BUSINESS CONTINUITY MANAGEMENT (BCM) HDI Risk Consulting Business Interruption www.hdi.global Development and Implementation of a Business Continuity Management System (BCMS)

More information

Building a Standard for Business Continuity Planning

Building a Standard for Business Continuity Planning Building a Standard for Business Continuity Planning John Lugo Sr. Business Continuity Analyst April 17, 2012 1 April 16 18, 2012 Talking Stick Resort Scottsdale, Arizona Business Continuity @ Citrix Statistics

More information

Business Continuity Management PHILIPPINES :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

Business Continuity Management PHILIPPINES :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Business Continuity Management PHILIPPINES :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Learning Bites Understand the context and relevance of BCM A Philippine & Telco Perspective Comprehend how

More information

AVOIDING THE BLAME GAME. DRIVING COLLABORATION THROUGH EFFECTIVE SERVICE INTEGRATION AND MANAGEMENT

AVOIDING THE BLAME GAME. DRIVING COLLABORATION THROUGH EFFECTIVE SERVICE INTEGRATION AND MANAGEMENT AVOIDING THE BLAME GAME. DRIVING COLLABORATION THROUGH EFFECTIVE SERVICE INTEGRATION AND MANAGEMENT Government and commercial organisations are striving to deliver increasingly flexible and agile ICT whilst

More information

bizsafe Level 2 Ver. 1.0 by MOM/WSH Council. For Authorised Use Only. All Rights Reserved.

bizsafe Level 2 Ver. 1.0 by MOM/WSH Council. For Authorised Use Only. All Rights Reserved. bizsafe Level 2 What is? SGSecure is a national movement to sensitise, train and mobilise our community to play a part to prevent and deal with a terrorist attack. It is how the whole of Singapore can

More information

GOVERNANCE TOOLKIT. Business Continuity Management. Version 1: 1 March 2016 THIS TOOLKIT PROUDLY SUPPORTED BY

GOVERNANCE TOOLKIT. Business Continuity Management. Version 1: 1 March 2016 THIS TOOLKIT PROUDLY SUPPORTED BY GOVERNANCE TOOLKIT Business Continuity Management Version 1: 1 March 2016 THIS TOOLKIT PROUDLY SUPPORTED BY Purpose of the Governance Toolkits AIST has developed the Governance Toolkits to assist Trustees

More information

Governance Risk Awareness. Plans Procedures Facilities. Resilience Adaptability Culture

Governance Risk Awareness. Plans Procedures Facilities. Resilience Adaptability Culture Exercise Checklists Governance Risk Awareness People Capability Skills Drills Tabletops Simulations Live exercises January 2015 Resilience Adaptability Culture Plans Procedures Facilities Response Mitigation

More information

Fail to Prepare, Prepare to Fail. Business Continuity Management in the Food Industry

Fail to Prepare, Prepare to Fail. Business Continuity Management in the Food Industry Fail to Prepare, Prepare to Fail Business Continuity Management in the Food Industry Fail to Prepare, Prepare to Fail Business Continuity Management in the Food Industry Business continuity (BC) systems

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy 1. Scope and Aims... 1 2. Objectives... 1 3. Delivery... 1 4. Governance... 2 5. Roles and Responsibilities... 2 6. Outcomes and Reviews... 4 7. Links to other policies / procedures...

More information

US Business Continuity Safeguarding Your Business from a Disaster

US Business Continuity Safeguarding Your Business from a Disaster US Business Continuity Safeguarding Your Business from a Disaster Juanita Hardin BMO Harris Bank Head TPS Risk and Compliance William Simmons BMO Harris Bank Vice President Business Continuity Management

More information

Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations

Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations Kathy Lee Patterson, CBCP Business Continuity & Disaster Recovery Manager Children's Hospital of Philadelphia

More information

WILTSHIRE POLICE FORCE POLICY

WILTSHIRE POLICE FORCE POLICY Template v4 WILTSHIRE POLICE FORCE POLICY BUSINESS CONTINUITY MANAGEMENT SYSTEMS (BCMS) Effective from: July 2013 Last Review Date: January 2017 Version: 3.0 Next Review Date: January 2019 POLICY STATEMENT

More information

Points of Discussion

Points of Discussion Business Continuity Planning Considerations for Business Process Offshoring Todd Litman, CBCP DRJ Spring World March 18, 2013 1 Points of Discussion Business Process Offshoring Benefits & Risks Business

More information

13. Lifeline utilities

13. Lifeline utilities 13. Lifeline utilities Summary Lifeline utilities are entities that provide infrastructure services to the community such as water, wastewater, transport, energy, and telecommunications. Lifeline utilities

More information

BCP Methodology Benefits realisation

BCP Methodology Benefits realisation www.pwc.com.cy/technology-consulting BCP Methodology Benefits realisation BCP Methodology Our BCP methodology incorporates five (5) phases. The phases take an organisation from prioritising core business

More information

Risk Advisory Services Developing your organisation s governance for competitive advantage

Risk Advisory Services Developing your organisation s governance for competitive advantage Advisory Services Developing your organisation s governance for competitive advantage The Deloitte Advisory Platform of Services can help you to govern your strategic plan to guide your operations measure

More information

For a leader to be effective in today s uncertain world, they have to. understand the nature of complexity and adapt their leadership role in a

For a leader to be effective in today s uncertain world, they have to. understand the nature of complexity and adapt their leadership role in a Exercise and Testing IDRC 2010 Emergent Leadership For a leader to be effective in today s uncertain world, they have to understand the nature of complexity and adapt their leadership role in a manner

More information

Business Recovery & Continuity Plan

Business Recovery & Continuity Plan Page 1 of 22 Business Recovery & Continuity Plan Document Control Responsible Person Review Frequency Reviewed by Chief Executive 3-Yearly (Strategic Review) Board Date Approved November 2017 Next Review

More information

The BEST Framework EDF Group s Expectations for Managing Health and Safety. The EDF Group BEST Framework

The BEST Framework EDF Group s Expectations for Managing Health and Safety. The EDF Group BEST Framework Version 1 The BEST Framework EDF Group s Expectations for Managing Health and Safety The EDF Group BEST Framework 2 CONTENTS 1 2 3 4 5 6 7 8 Leadership in Health and Safety 07 Incident Management 09 Contractor

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework Introductory Note to User: CompanyLongName There is no requirement in Australia for a non-publicly listed entity (other than a company regulated by APRA) to comply

More information

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2)) GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2)) Operational Risk Management MARCH 2017 STATUS OF GUIDANCE The Isle of Man Financial Services Authority ( the Authority ) issues guidance for

More information

Auditing the Corporate Business Continuity and Disaster Recover Plan

Auditing the Corporate Business Continuity and Disaster Recover Plan Auditing the Corporate Business Continuity and Disaster Recover Plan IIA 16 th Annual Conference Transforming Internal Audit to Drive Value Sarova Whitesands, Mombasa June 2018 International ), a Swiss

More information

Indigenous and Northern Affairs Canada. Internal Audit Report. Audit of Business Continuity Planning. Prepared by: Audit and Assurance Services Branch

Indigenous and Northern Affairs Canada. Internal Audit Report. Audit of Business Continuity Planning. Prepared by: Audit and Assurance Services Branch Indigenous and Northern Affairs Canada Internal Audit Report Audit of Business Continuity Planning Prepared by: Audit and Assurance Services Branch August 2017 TABLE OF CONTENTS TABLE OF CONTENTS... i

More information

12.0 Business Continuity Management

12.0 Business Continuity Management Number 12.0 Policy Owner Information Security and Technology Policy Business Continuity Management Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 12. Business Continuity

More information

FSC36 SAFE FEED/SAFE FOOD GUIDANCE DOCUMENT

FSC36 SAFE FEED/SAFE FOOD GUIDANCE DOCUMENT FSC36 SAFE FEED/SAFE FOOD GUIDANCE DOCUMENT FSC36 Safe Feed/Safe Food (www.safefeedsafefood.org) is a facility certification program for the American Feed Industry Association (www.afia.org) Version 7.0

More information

Introduction to Business

Introduction to Business ANALYSIS DESIGN IMPLEMENTATION Introduction to Business Continuity course This course is an introduction to the world of business continuity (BC). It is designed as a first step for newcomers to the subject

More information

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity Security Guideline for the Electricity Sector: Business Processes and Operations Continuity Preamble: It is in the public interest for NERC to develop guidelines that are useful for improving the reliability

More information

Presentation on Crisis Management and Business Continuity. ISCA Breakfast Talk 13 September See Hong Pek, Partner, PwC

Presentation on Crisis Management and Business Continuity. ISCA Breakfast Talk 13 September See Hong Pek, Partner, PwC Presentation on Crisis Management and Business Continuity ISCA Breakfast Talk 13 September 2017 See Hong Pek, Partner, . Some definitions.. Business Continuity is the: Capacity of the organization to continue

More information

COPYRIGHTED MATERIAL 1 MANAGING THE STRATEGIC PLANNING PROCESS PURPOSE. Chapter Content

COPYRIGHTED MATERIAL 1 MANAGING THE STRATEGIC PLANNING PROCESS PURPOSE. Chapter Content 1 MANAGING THE STRATEGIC PLANNING PROCESS PURPOSE To establish and manage the process for setting vision, strategy, and direction in order to be an upper-quartile company. To ensure that this is reflected

More information

OmniMath, Inc. Business Continuity Services Overview

OmniMath, Inc. Business Continuity Services Overview OmniMath, Inc. Management Consultants P.O. Box 20440 Columbus Circle Station New York, NY 10023 (212) 865 5400 Business Continuity Services Overview Page Introduction 2 Business Continuity Goals 4 Key

More information

Guidelines for Information Asset Management: Roles and Responsibilities

Guidelines for Information Asset Management: Roles and Responsibilities Guidelines for Information Asset Management: Roles and Responsibilities Document Version: 1.0 Document Classification: Public Published Date: April 2017 P a g e 1 Contents 1. Overview:... 3 2. Audience...

More information

Keep Your Company Moving After A Disaster With A Business Continuity Plan (BCP)

Keep Your Company Moving After A Disaster With A Business Continuity Plan (BCP) Keep Your Company Moving After A Disaster With A Business Continuity Plan (BCP) HR Benefits Payroll gnapartners.com It only takes one major interruption to its business operations for a company to recognize

More information

Advanced Audit Techniques

Advanced Audit Techniques Advanced Audit Techniques Who should attend? Senior Auditors Audit Managers and those about to be appointed to that role Auditors that need to audit technical or complex business areas Assurance professionals

More information

Effectively Communicating Enterprise-Wide Business Continuity to Senior Management and Stakeholders. October 7, 2014

Effectively Communicating Enterprise-Wide Business Continuity to Senior Management and Stakeholders. October 7, 2014 Effectively Communicating Enterprise-Wide Business Continuity to Senior Management and Stakeholders October 7, 2014 Agenda Background Program Elements What Makes it Enterprise-wide Recommended Strategies

More information

Quality Management System Guidance. ISO 9001:2015 Clause-by-clause Interpretation

Quality Management System Guidance. ISO 9001:2015 Clause-by-clause Interpretation Quality Management System Guidance ISO 9001:2015 Clause-by-clause Interpretation Table of Contents 1 INTRODUCTION... 4 1.1 IMPLEMENTATION & DEVELOPMENT... 5 1.2 MANAGING THE CHANGE... 5 1.3 TOP MANAGEMENT

More information

Protecting Information Assets - Unit #9 - Business Continuity and Disaster Recovery Planning. MIS 5206 Protecting Information Assets

Protecting Information Assets - Unit #9 - Business Continuity and Disaster Recovery Planning. MIS 5206 Protecting Information Assets Protecting Information Assets - Unit #9 - Business Continuity and Disaster Recovery Planning Agenda Contingency Planning (CP) IT Security Control Class and Family Business Continuity and Disaster Recovery

More information

ISO Your implementation guide

ISO Your implementation guide ISO 55001 Your implementation guide Optimize the value from your assets with ISO 55001 Don t let the management of costly and complex assets become a burden to your organization.. ISO 55001 can help you

More information

Creating a Business Continuity Plan for your Health Center

Creating a Business Continuity Plan for your Health Center Creating a Business Continuity Plan for your Health Center 1 Page Left Intentionally Blank 2 About This Manual This tool is the result of collaboration between the Primary Care Development Corporation

More information

Tier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden

Tier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden Appendix A: Examination Procedures EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization's business continuity planning process, and determine whether the continuity testing

More information

Citi Institutional Clients Group - Business Continuity Management

Citi Institutional Clients Group - Business Continuity Management Citi Institutional Clients Group - Business Continuity Management Enterprise Risk Management Establishing a Risk Control-based Continuity Program, CBCP, CBCP Senior Vice President, Citi Institutional Clients

More information

Business Recovery & Continuity Plan

Business Recovery & Continuity Plan Page 1 of 22 Business Recovery & Continuity Plan Document Control Responsible Person Review Frequency Reviewed by Chief Executive 3-Yearly (Strategic Review) Board Date Approved November 2017 Next Review

More information

CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE GENERIC STANDARDS TRAINING SERVICES THE ROUTE TO ISO 9001:2015 AVOIDING THE PITFALLS

CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE GENERIC STANDARDS TRAINING SERVICES THE ROUTE TO ISO 9001:2015 AVOIDING THE PITFALLS PROCESSES SUPPLY CHAIN SKILLED TALENT CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE GENERIC STANDARDS INDUSTRY STANDARDS CUSTOMISED SOLUTIONS TRAINING SERVICES THE ROUTE TO ISO 9001:2015 FOREWORD The purpose

More information

Emergency Preparedness, Resilience & Response (EPRR) Policy

Emergency Preparedness, Resilience & Response (EPRR) Policy A member of: Association of UK University Hospitals Emergency Preparedness, Resilience & Response (EPRR) Policy POLICY NUMBER TP/CO/092 POLICY VERSION V.1 RATIFYING COMMITTEE Clinical Practice Forum,DATE

More information

Broadridge Business Process Outsourcing, LLC Business Continuity Plan Disclosure

Broadridge Business Process Outsourcing, LLC Business Continuity Plan Disclosure Broadridge Business Process Outsourcing, LLC Business Continuity Plan Disclosure I. Summary In accordance with FINRA Rule 4370, Broadridge Business Process Outsourcing, LLC (the Firm ) is providing you

More information

BUSINESS CONTINUITY MANAGEMENT A MANAGER S TOOLKIT A

BUSINESS CONTINUITY MANAGEMENT A MANAGER S TOOLKIT A Anytown Council BUSINESS CONTINUITY MANAGEMENT A MANAGER S TOOLKIT A guide to Business Continuity Management in Anytown Council CONTENTS Introduction - The need for Business Continuity Management (BCM)

More information

Business Continuity Framework

Business Continuity Framework Business Continuity Framework Author: Simon Featherstone, Business Continuity Specialist and Chris Orr, Business Planning Manager Date: 11 November 2016 Version: 1a Publication/ Distribution: Executive

More information

MANAGING RISK AT SUNCORP

MANAGING RISK AT SUNCORP SUNCORP GROUP LIMITED CORPORATE GOVERNANCE MANAGING RISK AT SUNCORP 1 MANAGING RISK AT SUNCORP Managing risk is a key contributor to Suncorp Group's success. The Board and management recognise that an

More information

T E A L C O N S U L T I N G L T D I S O A G U I D E

T E A L C O N S U L T I N G L T D I S O A G U I D E T E A L C O N S U L T I N G L T D I S O 4 4 0 0 1 A G U I D E W H A T I S I S O 4 4 0 0 1? There is much talk about collaboration but for many the concept seems ad hoc and without a clear perspective as

More information

<Full Name> Quality Manual. Conforms to ISO 9001:2015. Revision Date Record of Changes Approved By

<Full Name> Quality Manual. Conforms to ISO 9001:2015. Revision Date Record of Changes Approved By Conforms to ISO 9001:2015 Revision history Revision Date Record of Changes Approved By 0.0 [Date of Issue] Initial Issue Control of hardcopy versions The digital version of this document is

More information

Enterprise-wide Business Continuity and Disaster Recovery Planning. Presented by Kelley Okolita

Enterprise-wide Business Continuity and Disaster Recovery Planning. Presented by Kelley Okolita Enterprise-wide Business Continuity and Disaster Recovery Planning Presented by Kelley Okolita Don t get caught without a plan Gloom and Doom My job and yours is to preach Doom and Gloom Planning, not

More information

BCP MANUAL. February 2012

BCP MANUAL. February 2012 BCP MANUAL February 2012 This document contains confidential information and remains the sole property of EXFO Inc. It may not be reproduced in whole or in part without written consent of EXFO Inc. Table

More information

Statement on Risk Management and Internal Control

Statement on Risk Management and Internal Control INTRODUCTION The Board affirms its overall responsibility for the Group s system of internal control and risk management and for reviewing the adequacy and effectiveness of the system. The Board is pleased

More information