Business Continuity Planning (BCP) Community

Official Blog for Dr Goh Moh Heng

May 27, 2012
by moh_heng

ISO 22301: Terms and Definitions

These are the terms and definitions that were revised for the ISO standard. It is important those who are new to business continuity management systems or existing BCM practitioners to look out for the following terms.  The reason is to make sure the readers consider the implications any change.

The definitions are from terms defined under BCM Institute’s BCMPedia  and also ISO 22301 glossary.  The list of related terms includes:

The explanation of each definition can be found in BCMPedia “ISO 22301” Glossary (Source: ISO 22301).

Reference: ISO 22301:2012 – Societal Security – Business Continuity Management Systems – Requirements

April 27, 2015
by moh_heng

How Business Continuity Professionals Can Play a Useful Role in Crisis Communications?

Over the last two months, I had the privilege of speaking to senior executives with business continuity responsibilities who also facilitated several crisis and business continuity management exercises.  Through these interactions, I am still getting the vibe that many organisations are pre-disposed to thinking that “crisis will not happen” to them or they can deal with the crisis when it happens.  Another misconception is that, it is sufficient to release information via press conferences.  The lack of concern about the need to proactively release information can be damaging as shortening of the story’s news cycle could actually lessen the damage to their reputation. It got me to reflect on these issues:

Shouldn’t there be a standalone crisis communication team?

The challenge in setting up a crisis communication team is perceived by management as a public relations or crisis communication concern.  Often, the situation is made complicated with the requirement of the incumbent crisis communication professionals having to operate with other teams such as the crisis management team and business continuity team.  It is further complicated when this team has to operate within a command or emergency operations centre.

Personally, I felt that it is good to have a formal structure. I believe this is how any organisation can operate within a crisis framework.   A formal structure would allow the designated crisis communication person to assume the role of a “point” person to relay the right messages across to the right persons.  The senior executive will assume the decision-making authority while the business continuity team (or equivalent) will operate the command, control and information management capability.  The rest of the team will assume their communication roles and responsibilities to both internal and external stakeholders.

How do we notify our interested parties?

In 2012, the international standard organisation or better known as ISO launched the first business continuity management standard.  I understand that for subsequent ISO standards, the term “stakeholder” has been replaced by “interested parties.”  Simply put, there is more coverage of “affected people” in interested parties than in stakeholders.  An example is the requirement to look at “competitors” which was not addressed before ISO became the standard.

For each group of interested parties categorised, a specific mode of communication should be determined to ensure timely communication of information.  This includes both conventional channels such as the telephone, emails and press conferences, and the not so conventional, such as dark websites, videos, SMSes, Whatsapp messaging and social media.  The need to expand these delivery channels requires extra resources to be deployed above the current manpower allocated.   Moreover, the types of social media coverage can be very challenging.

Unintentional ‘denial of service’ attack on the call centres and corporate website

I recalled an aviation accident that suffered as a result of the inability to handle the volume of internet traffic.  The unexpected volume increase in traffic or I call it, an unintentional ‘denial of service’ attack, on the call centres literally brought the call centre capability to a standstill.

Having a pre-assigned telephone number with routing to alternate site capability is one means of handling this increased influx of enquiries.   This pre-assigned number must remain as one of the means of communication.  I called it as an expectation from the customers and the general public.

When the call centre is ‘not accessible’ because the telephone is constantly engaged, the next logical approach of those who are seeking information about the incident will be to visit your organisation’s website.  With today’s technological advancements, deployment of more bandwidth in a short time may be feasible, though it is important to understand that the one hampering its fast deployment is usually graphics on the website and not the bandwidth itself.

This leads to the development of a dark website in advance to handle enquiries and to provide just-in-time information.  Dark websites allows prompt customization to meet the demands of the stakeholders and public.

Showing care and empathy

One year later, the on-going crisis management and crisis communication issues plaguing the sank ferry in Sewol, off South Korea’s south-west coast, on April 16, 2014 continues to haunt the Korean government.   This is perhaps a “large crisis” with its massive crisis communication requirements, but the incident provides organisations good learning points especially if they are going through such similar incidents, albeit at a smaller scale.  In the corporate environment, it is usually a message from senior management in sharing the sympathy in the loss of lives. There should also be other considerations to take into account in such tragedies that involves the lives of families and communities.  Unfortunately, it often stopped with a statement in the crisis communication and management plan and nothing more.  I will be criticised for this statement, but the extra care and concern are usually done on their own initiatives and are not pre-planned.

Although I am heartened to say that I have seen organisations taking extra care of their staff members and their family during floods by relocating them to acceptable accommodation before recovery takes place for the organisation.

So what’s in store for crisis communications in May?

For the upcoming World Continuity Congress to be held in Singapore on 19 May at Suntec Singapore Convention and Exhibition Centre, I am glad to have Dean Dacko, Senior Vice President of Malaysia Airlines share his experiences.  I was fortunate to have met him in Kuala Lumpur earlier this year and to have the opportunity to listen to his candid sharing on the crisis communication aspect of the Malaysian Airlines twin incidents.  I sympathise the loss of lives and the humongous task of responding and now, reassuring the brand’s value.


Besides Dean’s speech, I will be sharing more on the crisis communication challenges faced by business continuity professionals and how we can overcome it.  The key message is business continuity professionals in their capability to implement and develop business continuity and crisis management plans, are expected to work with the corporate communications or the public relations team.

For our Malaysian friends, there will be a Meet-the-Expert (MTE) seminar on May 7, 2015 at Furama Hotel, Kuala Lumpur.  The MTE is centred on the theme “Is Your Organisation Ready to Manage and Communicate during a Crisis?”  This was in response to numerous requests from Malaysian professionals as more of its regulatory agencies step up their crisis communication capabilities with stricter requirements.


Every day is a learning experience for me, I am learning many things on crisis communication from everybody that I have not learnt before , the key message to the “unbelievers” in crisis communication is “Having a crisis communication plan will make the difference between a business that survives and one that does not.”

Dr Goh Moh-Heng, President BCM Institute;

November 3, 2014
by moh_heng

Mapping of BCM Planning Methodology with the ISO 22313 Elements in BC Program

Comparison of BCM Planning Methadology

Comparison of BCM Planning Methodology with ISO22313 Elements of BC Program

One key to implementing and managing your BC program is to understand that irregardless of whatever international or national BCM standard is adopted, as an BCM Implementer or Auditor, you should be able to adapt and to adopt a common approach without making major changes to your current BC program. The key is to use the BCM Planning Methodology as a common approach within your organization.

Having had the chance to write the Singapore BCM standard SS540, what I have learn is that most BCM standards are similar except that they tend to be written to look different from each other. However, the content is usually similar, especially the BC program elements.

In the ISO 22301 standard, this will not differ as the BCMS is mapped to its corresponding BCM planning methodology.

In the ISO 22301 Requirement document, the BC program element is highlight as the “DO” component of the PDCA cycle.  The details of the “DO” component is clearly highlighted as the BC program element in the ISO 22313 standard – guidance.

Finally, a comparison chart to mapped the BCM Planning Methodology (Top row in Blue color) to the elements of BC Program as spelled out in ISO 22313 (Left column in diagram colored in red ).  This is to help professionals mapped the ISO22313 elements into a formal planning methodology.

December 24, 2013
by moh_heng

ISO 22301 Documentation Requirements

Recently, I have been reading about ISO documentation as I venture deeper into the implementation of BCM with ISO as the backdrop.  It is pretty difficult for me to

PCDA Cycle Applied to BCMS Processess

PCDA Cycle Applied to BCMS Processess

move away from the BCM practice rarther than focusing on the true meaning and principles behind ISO.

It is concluded that the ISO 22301 documentation is at the core of any ISO 22301 business continuity management system (BCMS). What makes the ISO 22301 documentation so important? There are two important aspects your organization has to:

(1)  document its entire ISO 22301 BCMS (the ISO 22301:2012 standard contains precise requirements for the various documents); and

(2) do everything that is contained in your organization’s ISO 22301 documentation.

It is important to note that your organization not only needs to have a pretty set of ISO 22301 documents but also needs to actually conduct its business continuity practices according to these documents, it is crucial that the ISO 22301 documentation not only meets ISO 22301:2012 requirements but that the ISO 22301 documentation is efficient and does not increase the bureaucracy at your organization.  This is where I need to claibrate between what is a good BCM and what is a good ISO BCMS documentation.

I would like to continue this journey and share more as we implement more ISO 22301 BC management systems.