BCM Focal Point's Diagnostic Tool on BCM Readiness for Singapore Companies As of 4 March 2016

COMPANY'S SELF-ASSESSMENT CHECKLIST ON BCM-READINESS

This is a self-assessment checklist that is based on ISO 22301:2012 (Societal Security - Business Continuity Management Systems) framework, published by the Singapore Business Federation. While
this was originally meant for Singapore logistics companies in cold chain and warehousing & storage vertical, companies from other sectors are welcomed to use this checklist on their own. Please refer
to the BCM-Readiness Framework handbook for logistics sector in BCM Portal's Resources section (www.bcm.org.sg).
Based on what you know, please rate your company (from score: 1 to 4) based on the following description:

No Description Awareness (1) Recovery (2) Continuity (3) Sustainability (4) Self-Rating
Requirement 1: Context of Organisation
1 The organisation has established a BCM policy; that is linked to A BCM policy helps the A business continuity policy A BCM policy manual is being developed The BCM policy is reviewed on a
organisational objectives and other policies (including risk organisation achieve the BCM statement is established and and will be communicated - which regular basis (e.g. every 3 years),
management); which has been communicated to all employees and objectives and outcomes. communicated to all management includes a BCM framework to identify and and updated to ensure relevance. 4
relevant stakeholders. and employees. review risks.

2 The organisation defines the risk criteria based on the risk appetite; The management and Management has defined the key The risks and impact will be evaluated and Regular reviews of risk assessment
with which the risk external and internal factors are determined. employees are aware of the business, product, environmental analysed based on the framework and and business impact analysis are
threat of potential risks and the and regulatory risks. crisk criteria that have been or will be based on the estbalished
corresponding impact over established. framework and criteria.
time; but they are not
1
evaluated.

3 The legal, regulatory and contractual requirements are identified; The managers understand the Management has determinded the The applicable legal, regulatory and The annual review of the BCMS
which also takes into consideration the interests of relevant applicable legal, regulatory and key legal and regulatory contractual requirements will be includes the review of the
stakeholders - especially service level agreements and other contractual requirements that requirements; services will be identified, evaluated and those relevant applicable legal regulatory and
commitments forthe company's services pertaining to specific are relevant to their jobs and delivered based on the contractual will be communicated; which are contractual requirements.
products. responsibilities. requirements that are specified in documented as the business continuity
[In the case of logistics sector, this would concern logistics, shipping the service level agreements with objectives, and impact criteria are defined [For logistics companies, this also
and warehousing services for cold chain and pharmaceutical key clients and business partners - with reference to the requirements - with takes into consideration supply
products.] especially regular clients engaging priority being accorded to contracted and chain management services that
the organisation. regular clients engaging the company. may be embedded with the client 3
business and order fulfillment
processes.]

4 The scope of the BCMS takes into account the following factors: Annual drills (e.g. fire The business recovery plan and The needs of the key interested parties, The BCMS scope and objectives,
̵ organisation mission, vision and objectives; evacuation plan) are conducted procedures are or will be the organisation’s mission, vision and and organisation minimum BC
̵ parts of the organisation included in the scope; that is, size, nature based on an established established for one or a few key objectives, and the key products and objectives defined are reviewed
and complexity with respect to the organisation; company emergency response functions that supports one or services will be considered when annually or whenever needed, to
̵ products and services; plan. several key clients and to deliver establishing the BCMS scope. ensure compliance
̵ needs of relevant interested parties the services as specified in the with applicable legal, regulatory
service level agreements. [For logistics companies, this will include and contractual requirement.
making advance arrangements with other
[For logistics companies, this service providers to store and ship frozen [For logistic companies, this
includes contingent arrangements and chilled food, and pharmaceutical includes the continuity of supply
for logistics and warehousing for products.] chain management services for 2
frozen and chilled food stuff, and clients that have outsourced this
pharmaceutical products.] function to the company. ]

© 2016 Singapore Business Federation. Written permission must be sought from SBF (bcm@sbf.org.sg) before the contents are reproduced in full or parts. Please visit www.bcm.org.sg for details.
BCM Focal Point's Diagnostic Tool on BCM Readiness for Singapore Companies As of 4 March 2016

5 Some parts and/or services are excluded from the scope of BCM, and No known exclusions have been The exclusions to the scope are or Exclusions to the BCMS scope are 2
such exclusions do not have a significant impact to the organisation determined. will be identified, but are not reviewed annually or whenever
during major incidents (including the ability to continue, recover and necessarily documented. there are significant changes.
resume critical services for key clients).

Total Rating for Requirement 1: Context of Organisation 12

(sum of individual ratings)

No Description Awareness (1) Recovery (2) Continuity (3) Sustainability (4) Self-Rating
Requirement 2: Leadership and Commitment
6 The organisation has established a BCM policy; that is linked to Top management has approved A business continuity policy A BCM policy manual is being developed The BCM policy is reviewed on a
organisational objectives and other policies (including risk the BCM policy, framework and statement is established and and will be communicated - which regular basis (e.g. every 3 years),
management); which has been communicated to all employees and BC objectives – minimum BC communicated to all management includes a BCM framework to identify and and updated to ensure relevance.
relevant stakeholders. objectives (MBCOs) shall include and employees. review risks.
minimum service levels for
order fulfilment ; as well as staff
competency in industry-specific
requirements e.g. HACCP and
GDP for cold chain and 4
pharmaceutical logistics.

7 Top management is fully committed - as demonstrated in the setting Top management understands Top management is establishing the BCM Top management annually reviews
up of the BCM organisational structure with the appointment of the relevance of establishing organisation structure - consisting of both the BCM organisation structure to
appropriate staff; including appointing a member of the top the formal BCM organisational operation and support functions - that is ensure appropriate level of staffing
management as the project director and management structure; but have not relevant to the BCMS scope, and assigning that is appropriate and relevant to
representative. established a timeframe to staff with the appropriate level of the BCMS scope.
establish it. The BCM resources documented in competence.
the BC plan consists of operational 2
departments supporting the
contingency or recovery processes
- which focus on recovery
operational processes supporting
specific clients and/or services.
8 Top management has communicated to all staff (including BCM staff) Top management understands The BCM roles, responsibilities and The BCM roles, responsibilities and Annual training and awareness
their respective roles, responsibilities and accountabilities, the the importance of accountabilities will be established accountabilities will be established, and activities are conducted to
importance of BCM to stakeholders, and communicating the BCM roles, and communicated only to the communication sessions will be conducted reinforce the staff’s understanding
the BCM policy and objectives; as well as communicated the BCM responsibilities and operations personnel responsible regularly throughout the organisation; of their BCM roles, responsibilities
policy statement to key external interested parties. accountabilities; however, there to execute the recovery with targeted external communications and accountabilities that are
are no immediate procedures. with key clients and business partners. relevant to their BCM roles.
communication sessions 1
scheduled.

9 BCM matters are discussed in the regular management review Key risk and BCM issues may be The BC plan and procedures are The BCM project implementation BCM matters, strategic and tactical
meetings; directions for supporting and improving BCM are decided raised in top management discussed during contract schedule includes scheduled management (or operational) actions are
during these meetings. meetings; however, there are negotiations; or following a major review meetings to review the project decided at the regular
no planned follow-up actions to incident disrupting the operation status and progress; as well as to make management review meetings.
study the issues and design or service to the specific clients or decisions on BCM matters. 3
mitigation measures. group of clients.

Total Rating for Requirement 2: Leadership and Committment 10

(sum of individual ratings)
© 2016 Singapore Business Federation. Written permission must be sought from SBF (bcm@sbf.org.sg) before the contents are reproduced in full or parts. Please visit www.bcm.org.sg for details.
BCM Focal Point's Diagnostic Tool on BCM Readiness for Singapore Companies As of 4 March 2016

Total Rating for Requirement 2: Leadership and Committment 10

(sum of individual ratings)

No Description Awareness (1) Recovery (2) Continuity (3) Sustainability (4) Self-Rating
Requirement 3: Planning
10 The BC plan takes into consideration activities to address the Top management is aware of The key risks and issues that are The key risks will be evaluated and The annual review process
identified issues and risks that are relevant to the context of the some of the key risk issues; relevant to specific clients, group of analysed in the risk assessment, business includes a formal review of the key
organisational BCM requirements; emphasising the need to continue, however, no actions are taken clients and/or services are impact analysis and BC strategy risks and the treatment
recover and resume services for customers. to address the risks. identified and addressed; priority development - where the control or approaches – actions will be taken
will be given to actions that will treatment measures to address the risks to mitigate potential issues with a
facilitate the recovery and will be identified and evaluated; priority significant impact on the supply
resumption of cold chain and will be given to actions that will improve chain management services for key
pharmaceutical logistics, shipping the continuity, recovery and resumption contracted customers.
and warehousing services for of services. 2
contracted and key clients.

11 The BC plan specifies the work activities or tasks, identifies the Top management understands The BCM tasks are shared and The BC plan schedule specifies the tasks The ongoing BCM programme
responsibilities and the targets for completion. there are several key stages in executed by the senior manager with the resources and timeline for specifies an annual BC plan
the BCM implementation and the assisting managers. completion - as outlined in the BCM schedule; which identifies detailed
process; but have not organisation structure and framework. activities that are essential to
established a detailed plan. ensure the BCMS remain current
1
and effective.

Total Rating for Requirement 3: Planning 3

(sum of individual ratings)

No Description Awareness (1) Recovery (2) Continuity (3) Sustainability (4) Self-Rating
Requirement 4: Support
12 BCM resources to establish, implement, maintain and continually Top management understands The BCP will be developed and The BCM programme includes an annual The annual review process
improve the BCMS have been allocated – including provisioning for the importance of allocating the maintained by a senior manager BCM review that also specifies the BCM includes a formal review of the key
the alternate sites supporting the cold chain and pharmaceutical appropriate BCM resources to and the assisting managers; the resource types and levels, and BCM risks and the treatment
clients, and the recovery of the supporting IT disaster recovery for support the BCMS. recovery team consists of activities required to ensure the BCMS approaches – actions will be taken
critical application systems; which shall also include training for BCM operation staff supporting the remains relevant; staff competencies are to mitigate potential issues with a
staff, as well as cross training employees who may be redeployed to specific clients or group of clients reviewed and reinforced through further significant impact on the supply
other functions e.g. operations or delivery. and/or services. education, training and experiential chain management services for key 2
learning. contracted customers.

13 The organisation has established a process for the creation, updating Top management understands The BCP documents are updated The document control and change The document control and change
and control of documented information - which includes an annual the importance of establishing after new requirements are management processes are established management specifications in the
review, or whenever there are major or significant changes; as well and implementing document identified in the service contract and implemented according to the BCM policy are enforced in the
as accessibility on a need to basis - including communications with controls and change negotiations; or whenever new specifications in the BCM policy. annual BCM activities and BCM
external parties. management processes to requirements are established as programme.
support the BCM programme post-incident improvement 1
and BCMS. actions.

Total Rating for Requirement 4: Support 3

(sum of individual ratings)

© 2016 Singapore Business Federation. Written permission must be sought from SBF (bcm@sbf.org.sg) before the contents are reproduced in full or parts. Please visit www.bcm.org.sg for details.
BCM Focal Point's Diagnostic Tool on BCM Readiness for Singapore Companies As of 4 March 2016

No Description Awareness (1) Recovery (2) Continuity (3) Sustainability (4) Self-Rating
Requirement 5: Operations
14 The critical business functions with the associated impact over time Top management understands Business impact analysis identifies Business impact analysis identifies all The annual BCM planned schedule
(due to the loss or unavailability of these functions) are identified the importance of identifying a few key business functions critical business (and support) functions, and BCM programme requires the
and evaluated - based on the established business impact analysis the critical business functions or required to support and deliver with the corresponding assessment of the business impact analysis to be
framework; which shall include giving higher priorities to functions processes, and evaluating the critical services based on specific impact over time, interdependencies and conducted to review the critical
fulfilling and supporting the cold chain and pharmaceutical logistics, impact over time for their loss service level agreements with a resource requirements business functions, and analyse
shipping and warehousing services. or unavailability. few clients. required to achieve the minimum BC (update) the impact over time and
objectives defined by top management. other critical BIA information. 2

15 The business continuity strategy with the resources requirements for Top management understands In the business continuity strategy The business continuity strategy findings The annual BCM planned schedule
each approach are identified and evaluated - based on the the importance of identifying stage, the organisation develops and recommendations are evaluated and and BCM programme requires the
established BC strategy framework - so as to continue, recover and and evaluating business the approaches to recover critical implemented in the corporate wide business continuity strategy and
resume critical business functions, and return to normal business continuity strategies to services for key clients with business continuity plan. plans to be reviewed, evaluated
operations. Minimally, there should be alternate sites for the continue, recover, resume, reference to the specifications in and updated; including
fulfilment of cold chain and pharmaceutical logistics, shipping and restore and return stages. the service level agreements. implementation of continual
warehousing services, recover the supporting critical IT and improvements. 2
technology infrastructure, and contingent shipment route plans.

16 The relevant BC exercises and tests are planned and conducted at Top management understands BCP exercises are conducted only BCM exercises are conducted annually or Regular (or annual) BCM exercises
regular intervals (annually or whenever necessary) – which include the importance of conducting when requested by a specific whenever appropriate to improve the are planned and designed to
activating and mobilisation to the alternate warehouse site, exercises and tests to assess the client; or based on the frequency BCM capabilities and competencies of identify areas for improvements as
transport arrangements to and from the alternate site, activation of BCM capabilities and improve as specified by the key clients or staff assigned roles during the continuity, part of the organisation’s continual
the alternate route plan, and IT disaster recovery test for critical the BCM staff competencies. group of clients during service recovery and resumption stages. improvement efforts to strengthen
application systems. contract negotiations. the BCM programme and
organisational resilience. 1

Total Rating for Requirement 5: Operations 5

(sum of individual ratings)

No Description Awareness (1) Recovery (2) Continuity (3) Sustainability (4) Self-Rating
Requirement 6: Performance Evaluation
17 The organisation has established a process and a set of procedures to Top management understands The BCP procedures are reviewed The established BCM framework includes The BCM programme enforces an
monitor, measure, analyse and evaluate the performance of the the relevance and importance and updated as and when needed - a process to monitor, measure, analyse annual review process; which
BCMS – the evaluation shall assess the achievement of the MBCOs of establishing a process to like after a review or contract and evaluate the includes the activities to monitor,
established for services supporting cold chain and pharmaceutical monitor, measure, analyse and negotiations with specific clients, performance of the BCMS. measure, analyse and evaluate the
logistics, shipping and warehousing, and staff competency in related evaluate the performance of or after a post-incident review. performance of the BCMS. 2
areas e.g. HACCP and GDP. the BCMS.

© 2016 Singapore Business Federation. Written permission must be sought from SBF (bcm@sbf.org.sg) before the contents are reproduced in full or parts. Please visit www.bcm.org.sg for details.
BCM Focal Point's Diagnostic Tool on BCM Readiness for Singapore Companies As of 4 March 2016

18 An annual internal audit is conducted to assess the BCMS, BCM Top management understands The internal audit will be The internal audit will be conducted to The BCM programme specifies an
programme - including the BCM readiness, capabilities and the relevance and importance conducted when requested by a assess the BCM readiness, capabilities and annual internal audit shall be
competency. of the annual internal audit. key client or group of clients; or competency after the integrated response enforced; which will include
before the clients conduct a structure and plans are implemented. identifying where nonconformities
second party audit. and areas for improvements will
be identified to strengthen the
BCM readiness, capabilities and 1
competency.

19 Management reviews are conducted at planned intervals to review Top management understands The senior management Regular management review meetings are The BCM programme incorporates
BCM – which shall also include identifying initiatives to improve the the relevance and importance representative will review the BCP or will be conducted during the BCM a governance structure that
management capabilities to deal with supply chain disruptions. This of the regular management with the assisting managers when implementation project. requires regular management
may include review of new developments in IT for cyber security reviews at planned intervals. there are new or changes to the meetings to review the progress
requirements, as well as improvements to productivity and BCP arising from new or revised and status of the annual BCM
organisational resilience. requirements from project, and the findings for the
key clients or group of clients. risk assessment, business impact
analysis, BC strategy, plan
development, exercising (and
testing), and internal audit. 3
Management will finalise the
decisions on the next follow-ups at
these meetings.

Total Rating for Requirement 6: Support 6

(sum of individual ratings)

No Description Awareness (1) Recovery (2) Continuity (3) Sustainability (4) Self-Rating
Requirement 7: Continual Improvement
20 The organisation maintains a process to review and address Top management understands BCM corrective actions are The established BCM framework includes The BCM programme specifies an
nonconformities; including the identification and evaluation of the relevance and importance implemented usually after the processes to review and address annual BCMS review; which
corrective actions. of audits by external parties or nonconformities. includes activities to identify,
addressing nonconformities. customers are completed. evaluate and implement approved
corrective actions to address
2
nonconformities.

21 Continual improvements are implemented whenever necessary to Top management understands The final project management review The BCM programme specifies that
improve the suitability and adequacy of the BCMS; which shall that continual improvements in meeting will include the review and the organisation shall identify
consider improving the business continuity and resilience for the BCM are important to ensure approval of the recommended continual areas in the BCMS that will be
company's services – including improving resilience in supporting IT the BCM documents, improvements. improved to ensure they remain
and transport infrastructure. This would also strengthen competency capabilities and competencies The BC plan, processes and relevant and effective to support
of support staff as well. remain effective and relevant to procedures will be updated after the organisation’s current business
the organisation. the BCP requirements to support and value creation activities. 1
operation and service delivery are
reviewed in the contract
negotiations with key clients or
group of key clients; or after the
post-incident reviews, if any.

Total Rating for Requirement 7: Continual Improvement 3

(sum of individual ratings)

© 2016 Singapore Business Federation. Written permission must be sought from SBF (bcm@sbf.org.sg) before the contents are reproduced in full or parts. Please visit www.bcm.org.sg for details.
BCM Focal Point's Diagnostic Tool on BCM Readiness for Singapore Companies As of 4 March 2016

Self-Assessment Diagnostic Summary

Requirements Rating
1) Context of Organisation 12
2) Leadership 10
3) Planning 3
4) Support 3
5) Operations 5
6) Performance Evaluation 6
7) Continual Improvement 3
TOTAL SCORE 42

Your Organisation's BCM Readiness Level Total Score

© 2016 Singapore Business Federation. Written permission must be sought from SBF (bcm@sbf.org.sg) before the contents are reproduced in full or parts. Please visit www.bcm.org.sg for details.
BCM Focal Point's Diagnostic Tool on BCM Readiness for Singapore Companies As of 4 March 2016

The organisation’s response to disasters and incidents should be improved and formalised. If the organisation suffers a major incident or
disaster, the damage is likely to be severe, and may result in a long term disruption. Your organisation needs to know the risks that results
in a significant impact, and start considering the control measures that would reduce the impact; enabling the organisation to continue, 0 to 42
recover and resume critical prioritised business activities with acceptable time frames.

Your organisation is aware of the key risks that could disrupt the business value creation process, and formalised steps have been taken.
However, the steps are primarily reactive - that is, focuses on recovery and resumption. The organisation may still potentially be exposed
to severe damage or significant losses; because of the weakness in the BCM system or programme. Additional improvement measures 43 to 63
could be implemented to enhance BCM and organisational resilience.

Your organisation has established the BCM programme that provides a coordinated response to major incidents, i.e. business interruption
risks are mitigated. The BCM programme follows the ISO 22301 BCMS requirements, which enables your organisation to enhance its BCM
readiness progressively and continually. Thus the organisation has the ability to respond to changing risks and unexpected incident events 64 to 84
or disasters.

© 2016 Singapore Business Federation. Written permission must be sought from SBF (bcm@sbf.org.sg) before the contents are reproduced in full or parts. Please visit www.bcm.org.sg for details.