FAQ

We have provided answers to some frequently asked questions. You may submit your questions and we will upload it with our answers. Just send your questions to enquiry@bki.com.my


Recovery time objective (RTO) is the set maximum time a business function or service can be disrupted / not available before it causes serious and irreversable impact on the organization. RTO is set after taking into consideration all the business functions and their respective dependencies.

Maximum Tolerable Disruption (MTD) on the other hand is the maximum time a business functions can disrupted for but without taking into consideration other dependencies. Thus, it is safe to say that RTO <=MTD.

Maximum Tolerable Point of Disrutpion (MTPoD) is the same as MTD. It is a timeframe set by the process owners for their own business functions.

Maximum Allowable Outage (MAO) is the timeframe during which a recovery mist become effecctive before an outage compromises the ability of an organization to achieve its business objectives and or survival. Thus MAO is the same as RTO.


There are several certification schemes for organization to be certified as business continuity ready. The most common standard used to certify organization at present is the British Standard BS 25999 part 2 - Business Continuity Management System - Requirement.

In Malaysia, SIRIM QAS and BSI, offers certification schemes for organisation base on the BS 25999 standard.

Currently, an ISO standard on Business Continuity Management System is being develop. This standard is expected to be published in 2012 / 2013.


BCM does cost money to implement. However, the cost should not out weigh the benefit. If your solution cost more then the potential savings, then your strategy is wrong.

A key process in implementing a BCM framework is the Business Impact Analysis (BIA). This process provides relevant information regarding impact to the business based on the window of disruption. BCM strategies should be build based on the BIA findings.


You may decide to limit the scope of your project to a particular department, service or product. However, to ensure that the particular department, service or product recovers successfully, all its dependencies ( internal and external) has to be included in the scope.

In other words, if your primary scope is the operations department, then all business services, activities or function provided by other departments in support of the operation department must also be included in the scope.


Today there are many guidelines or standards on BCM. This indicates how important BCM has become. Many countries have developed their own requirement or guidelines on BCM. The following is a none exhaustive list of standards or guidelines available on BCM.

1. BCM Framework, MS1970:2007, Department of Standards, Malaysia

2. Business Continuity Management System - Code of Practice, BS25999-1:2006, British Standards Institute, UK

3. Business Continuity Management System - Requirements, BS25999-2:2007, British Standards Institute, UK

4. Guidelines for incident preparedness and operational continuity management, ISO/PAS 22399:2007, International Organization for Standardization

5. Guidelines for Information and Communication technology disaster recovery services, ISO/IEC 24762, International Organization for Standardization

6. ICT readiness for business continuity, ISO/IEC 27031, International Organization for Standardization

7. Standards on disaster / emergency management and business continuity programs, NFPA 1600:2010, National Fire Protection Association (NFPA)

8. Organization Resilience : Security, preparedness, and Continuity Managements Systems - Requirement with Guideance for Use, ASIS SPC.1-2009, ASIS

9. Singapore Standard for Business Continuity Management, SS540:2008

10. Security and continuity management systems - Requirements and guidance for use, SI 24001:2007, Standards Institute of Israel


As we see it BCM can be look at as 3 groups of processes. The first group is called the Development group. This is the processes involved in the development and implementation of a BCM framework into the organization.

The second group is the Maintenance group. As the name implies, the process here relate to enhancement, reviews, updates, testings, rehearsal, audits and training.

The third group is the Execution group. These are the processes which activate and execute the plans that have been put in place and practices in the event of an incident.

In our opinion, the activities relating to the Development group and Maintenance group, to some extend can be outsourced to a third party.

The Execution of the plans should be handled by the organization themselves. Only some portions of the Execution can be outsourced and even then not fully as it is vital that the management and personnel of the effected organization manage its disaster. Relying fully on 3rd parties could be disasterous as they are not in the right position to make certain crucial decisions.


It is a common preception that BCM is only suitable for large organizations or organizations with high financial turnovers. Medium to small companies do not need BCM. This is a wrong preception. This is like saying only large organization's need to purchase insurance.

The principles and practices of BCM is applicable to organization's of all types and sizes. It is suitable for commercial and non commercial or governmental organizations. The amount of money and effort spend on an organization's BCM is directly proportional to the impact of its disruption.

In fact a small organization with just 10 staff members can only implement BCM if they wanted to.

BCM is an issue of organizational sustenance, of corporate governance and of corporate responsibility.


There are many reasons which drive an organization to implement BCM practices. Some of the common ones are:-

  1. Experience - organization that have suffered from an incident or a near disaster would typically start to take BCM seriously. We find that many multi-national organization incorporate the need for BCM within their organization's policies.
     
  2. Requirements - to comply with regulatory requirements or business requirements. It is quite common these days for business partners or high net clients requiring their service providers or business partners to show some level of resilience in their business operations. We saw thing when SOX was imposed on New York stock exchange companies and their subsidiaries around the world. We are also seeing this with Bank Negara Malaysia's BCM requirements for outsource partners and critical support vendors.
     
  3. Certification - certain certification schemes like ISO 14000, ISO 27001, ITIL, COBIT, etc have BCM requirements in their certification criteria. Thus forcing organizations to adopt BCM best practices.
     
  4. Competitive Advantage - some organization employ BCM practices to give them a better advantage to their competitors.


Recovery Time Objective (RTO) is the time set and agreed by top management on the maximum duration a particular service or business function is allowed to be disrupted for after an incident.

RTO is set after taking into consideration all the critical activities and their respective dependencies.

RTO can be measured in seconds, minutes, hours, days, weeks, etc

RTO is an important parameter in determining an organization's continuity strategies. RTO on one organization may have bearing on the continuity strategies of another organization's which depends on the first organization's services.


The MS1970:2007 defines BCM as follows:-

"Management process that safeguards the interest of its key stakeholders, reputation, brand and value-creating activities by identifying potential impacts that threathen the organization and provides a framework for building resilience and the capability for an effective response"

In the above definition it is clear that:-

  1. BCM requires the active involvement of all levels of management, from the board of directors right down to the line managers and supervisors.
  2. BCM's goal is to implement a level of resilience within the organization to ensure its sustainability
  3. BCM looks are any type of incident which may affect its immediate or long term well being. Thus BCM looks are all type of incidents and not just physcial disasters.
  4. BCM is a framework made up of processes, people, policies, procedures and  infrastructure.
  5. BCM is a process and not a project. Hence it is live and dynamic. It evolves with the organization.