CIDB L5 LP05 Risk Management Control


CONSTRUCTION INDUSTRY DEVELOPMENT BOARD MALAYSIA

Facilities Management Training Module – Level 5

FACILITIES MANAGEMENT - L5
LP05 - Risk Management Control
Table of Contents

1.0 MAIN CONTENT
1.1 Purpose
1.2 Introduction
1.3 Occupational Definition
1.4 Roles and Responsibility
1.5 Learning Outcome
1.6 Assessment
2.0 INTRODUCTION TO RISK MANAGEMENT IN FM
2.1 Risk Management Framework
2.1.1 Establish the Context
2.1.2 Identify the Risk
2.1.3 Analyze the Risk
2.1.4 Assess the Risk
2.1.5 Respond to the Risk
2.1.6 Monitoring and Review
2.2 Step 1: Establish Context
2.3 Step 2: Identify the Risk
2.4 Step 3: Analyse the Risk
2.5 Step 4: Assess the Risk
2.6 Step 5: Respond to the Risk (Risk Mitigation)
2.6.1 Risk Mitigation Planning
2.6.2 Risk Mitigation Strategies
2.6.3 Avoidance (Terminate)
2.6.4 Prevention (Treat)
2.6.5 Segregation (Treat)
2.6.6 Reduction (Take)
2.6.7 Outsourcing (Transfer)
3.0 BUSINESS CONTINUITY PLAN
3.1 The Value of Business Continuity Plan
3.2 Business Continuity Framework
3.3 Developing the Business Continuity Plan
3.3.1 Step 1: Identify the Scope of the Plan
3.3.2 Step 2: Form the Business Continuity Team
3.3.3 Step 3: Conduct a Business Impact Analysis (BIA)
3.3.4 Step 4: Strategizing and Planning
3.3.5 Step 5: Compilation and Documentation
3.3.6 Step 6: Implementation and Testing
3.3.7 Step 7: Adjustments and Improvements
3.4 Communicating the Business Continuity Plan

Learning Package 05
RISK MANAGEMENT CONTROL

1.0 MAIN CONTENT

1.1 Purpose

This Information Sheet is designed to provide the fundamental and key principles of Risk
Management for the FM Manager. It covers Risk Management related activities to enable
the FM Manager to describe the basic knowledge required to:

1. Identify FM project risk

2. Prepare risk mitigation plan

3. Implement risk mitigation control

4. Develop Business Continuity Plan (BCP) procedures

1.2 Introduction

Organisations nowadays operate in an increasingly competitive, dynamic and yet uncertain
environment. Due to uncertainty, the outcome cannot be predicted; therefore, the element
of risk at every stage of the plan needs to be managed.

Risk Management is a process to identify, assess and prioritise risks, followed by the
coordinated and economical application of resources to minimize, monitor, and control the
probability or impact of unfortunate incidents that may affect the business or the people
associated with it. The objective of Risk Management is to assure that business
objectives and goals are not affected by the uncertainties that may occur within the business
processes and activities.

Risks can come from various sources including threats from project failures at any phase of
its life-cycles (design, development, production, or operations, maintenance and disposal),
or events of uncertain or unpredictable root-cause. Risk in a facility can be understood as
the potential for facility related failures to result in business disruption and losses. In
Facilities Management, the FM Manager must prevent threats to human health and safety
that can arise from poorly maintained life safety equipment, improper handling of
hazardous materials and other workplace issues.

Both risk management and Facilities Management are firmly established as key drivers
for facilities to perform their intended purposes. In practice, having risk management
activities within the organisation enables it to protect and benefit the organisation and
its stakeholders while striving to achieve the organisation’s objectives through the
following:

a. Preparing a framework that outlines an organisation’s activities in a consistent
and controlled manner;

b. Enhancing decision making, planning and prioritisation with exhaustive and
methodical understandings of business activity, volatility and project
opportunity or threat;

c. Contributing to more efficient use or allocation of the organisation’s capital and
resources;

d. Reducing volatility in unnecessary elements in the business;

e. Preserving and augmenting company assets and image; and

f. Evolving and supporting people and organisation’s knowledge to optimise the
operational efficiency.

1.3 Occupational Definition

The FM Manager is responsible for the part of the workplace management team that
directly manages the facilities.

As an FM Manager, he will be responsible for monitoring the services and processes
encompassed within the Facilities Management scope that support the core business of an
organisation. He will ensure that Facilities Management services are executed in
accordance with the best practices of service for maximum efficiency.

This is a diverse field with a range of responsibilities, which are dependent on the structure
and size of the organisation. He will be involved in implementation of the strategic
planning through the day-to-day operations, particularly in relation to buildings and
premises.

1.4 Roles and Responsibility

The FM Manager's roles include the following tasks:

• Initiate risk analysis and promote change management in the organization.

• Implement and monitor the risk management plan and ensure all
processes and activities are aligned with the organization strategy.

• Maintain the Risk Management Data Base

• Distribute updates on the status of risks

• Implement methodologies to reduce moderate and high risks

• Facilitate risk assessments

• Prepare risk briefings, reports, and documents required for Project Reviews.

1.5 Learning Outcome

Risk Management is the identification, classification and prioritization of risks done in
tandem with efforts to monitor, control and mitigate the risks. Risks themselves can arise
from factors internal to the project, such as the adoption of a new technology, team
members that are new to the project manager, or resource constraints and internal
dependencies. Additionally, risks can also be external, such as the health of the financial
markets, competitive pressures, legal liabilities or even accidents.

The person who is competent shall be able to prepare an FM Risk Management plan, implement
the plan and provide a conducive working environment for the people.

The outcome of this coordination competency is to ensure the FM Manager is able to
understand and develop a Risk Management plan according to stakeholder
requirements.

1.6 Assessment

Knowledge Assessment Sheet (KAS) and Practical Assessment Sheet (PAS).

2.0 INTRODUCTION TO RISK MANAGEMENT IN FM

2.1 Risk Management Framework

Risk Management Framework seeks to protect an organization's capital base and earnings
without hindering growth. Risk Management Framework provides a structured, yet flexible
approach for managing the portion of risk resulting from the incorporation of systems into
the mission and business processes of the organization.

The diagram below illustrates the risk management framework:

1. Establish Context: Scope, External, Internal
2. Identify Risks: Types of risks, Source of risks, Location risks
3. Analyze Risks: Likelihood, Impact
4. Assess Risks: Risk Rating
5. Respond / Mitigation: Mitigation Plan, Mitigation Strategy

2.1.1 Establish the Context

Establishing the context defines the basic parameters for managing risk and sets the scope
and criteria for the rest of the process.

a) Establishing the external context involves familiarisation with the environment
in which the organisation and the system operates including:

i. Cultural, political, legal, regulatory, financial, economic and competitive
environment factors, whether international, national, regional or local;

ii. Key drivers and trends having impact on the objectives of the
organisation; and

iii. Perceptions and values of external stakeholders.

b) Establishing the internal context involves understanding of:

i. Capabilities of the organisation in terms of resources and knowledge;

ii. Information flows and decision-making processes;

iii. Internal stakeholders;

iv. Objectives and the strategies that are in place to achieve them;

v. Perceptions, values and culture;

vi. Policies and processes;

vii. Standards and reference models adopted by the organisation; and

viii. Structures (for example, governance, roles and accountabilities).

2.1.2 Identify the Risk

Risk identification is the process of identifying the specific risks associated with the
identified hazards. For instance, the presence of inflammable substances is a hazard, and
their catching fire is a specific risk. The identification of risk does not imply a situation
where the management has to factor in distant possibilities. During the identification
process, risks are recognized and described as activities that may affect the project or its
outcomes. There are a number of techniques that can be used to identify project risks.
During this step, all identified risks need to be registered for the next process.

2.1.3 Analyze the Risk

Once risks are identified, the FM Manager shall determine the likelihood and consequence
of each risk. He then develops an understanding of the nature of the risk and its potential to
affect project goals and objectives. This information is also input to his Project Risk
Register.

2.1.4 Assess the Risk

Risk assessment or evaluation involves understanding the various risks identified and
determining how dangerous and how likely each particular risk is. The assessment takes
two factors into account: Severity and Likelihood. A highly severe and very likely risk will
be critical, a highly severe and not very likely risk will be moderate, and so on.

Rank the risk by determining the risk magnitude, which is the combination of likelihood
and consequence. Decide about whether the risk is acceptable or whether it is serious
enough to warrant treatment.

Risk assessment provides an understanding of risks, their causes, consequences and their
probabilities. This provides input to decisions about:

a) Whether an activity should be undertaken;

b) How to maximise opportunities;

c) Whether risks need to be treated;

d) Choosing between options with different risks;

e) Prioritising risk treatment options; and

f) The most appropriate selection of risk treatment strategies that will bring
adverse risks to a tolerable level.

2.1.5 Respond to the Risk

Risk response involves selecting and agreeing to one or more relevant options for changing
the probability of occurrence, the effect of risks, or both, and implementing these options.

These options provide different solutions for different levels of risks which were identified
in the previous steps:

1. Accepting the risk: for instance, participating in a sporting event has an inherent
risk of witnessing minor injuries.

2. Avoiding the risk is the decision of either proceeding in the planned direction or
opting for an alternate route which has less risk and is in line with the final
objective.

3. Reducing the probability of the risk occurring, the impact of its consequences, or both
can be considered while facing a risk, for instance, utilization of a complete safety
kit for players in a particular sporting event.

4. Transferring the risk is another option, mostly done through buying insurances.

5. Retaining the risk can be another strategy where one knows that it is an
inherent part of the event.

6. Financing the risk means allocating financial allowances to absorb the
consequences of the risk in case it happens. This is a scenario where risk impact
is manageable and is not as big as to cause bankruptcy or the like situations for
any organization.

After the control measures are implemented, they have to be documented. This has multiple
benefits, such as understanding what was done to tackle a risk, thereby allowing similar
risks to be tackled in that fashion, and proving that sufficient measures were taken to
minimize and eliminate risks and that due diligence was exercised.

2.1.6 Monitoring and Review

As part of the risk management process, risks and controls should be monitored and
reviewed on a regular basis to verify that:

a) Assumptions about risks remain valid;

b) Assumptions on which the risk assessment is based, including the external and
internal context, remain valid;

c) Expected results are being achieved;

d) Results of risk assessment are in line with actual experience;

e) Risk assessment techniques are being properly applied; and

f) Risk treatments are effective.

Accountability for monitoring and performing reviews should be established.

2.2 Step 1: Establish Context

The scope of FM services in an organisation is derived from the internal demand for
services that support the primary activities of the facilities. This is the Context (scope)
of Risk Management in FM.

There are two basic demands generated by the activities. The table below restates the
demands of the client for their facilities:

| Demand | Category | Services |
|---|---|---|
| Space and Infrastructure | Accommodation and space demand | 1. Programming, design and acquisition of space 2. Administration and management of space |
| Space and Infrastructure | Workplace demand | 1. Internal and external environment 2. Fit out (furniture, equipment and tenants) |
| Space and Infrastructure | Technical infrastructure and utilities demand | Comfortable, lighting, thermal comfort, water, electricity and gas |
| Space and Infrastructure | Cleanliness, hygiene demand | 1. Maintain proper clean working environment 2. Help maintain assets in good condition |
| People and Organisation | Health, safety, and security demand | 1. Protect from external dangers or risk 2. Manage well-being of the people 3. Disaster planning and recovery 4. Security management 5. Fire safety and protection |
| People and Organisation | Hospitality | Providing hospitable environment for people to work and feel comfort |
| People and Organisation | ICT | Providing information, and communication through technology |
| People and Organisation | Logistic | Transportation and storage of goods and information |

2.3 Step 2: Identify the Risk

The table below shows the different types of risk associated with Facilities Management:

| Risk Type | Characteristics | Examples |
|---|---|---|
| Pure risks: It is the risk associated with a source of potential harm or a situation with the potential to cause harm. It can be thought of as operational (or insurable) risk | 1. Will result in negative outcomes 2. Are usually known 3. Are readily quantifiable 4. Are tangible 5. Impact predominantly on safety | 1. Legionella outbreaks from air conditioning 2. Management and usage of hazardous chemicals 3. Confined space entries 4. Manual handling |
| Uncertainty risks: It is the risk associated with unknown and unexpected events. These events are usually catastrophic in nature and include accidents and acts of God. | 1. Are unknown or extremely difficult to quantify 2. Are catastrophic or disastrous in nature 3. Can be very costly 4. Are associated with a negative outcome 5. Are outside the manager’s sphere of control or influence | 1. Building damage by flash flooding 2. Arson 3. Acts of sabotage or terrorism to a major facility. |
| Opportunity risks: It is the potential gain or the positive impact to objectives. An opportunity risk occurs when there is an uncertainty of loss or gain | 1. There are two main aspects, namely risks associated with taking an opportunity and risks associated with not taking the opportunity 2. Can be tangible and or intangible 3. Are often quantified in dollar terms 4. Can have a positive or negative outcome | 1. Business expansion and/or property acquisition 2. Change in business location 3. Sub-letting |

Table 1: Risk Type, Characteristics and Examples

2.4 Step 3: Analyse the Risk

Once risks are identified, the next step is to determine the likelihood that the potential
vulnerability can be exploited. Several factors need to be considered when determining this
likelihood. First, the FM Manager needs to consider the source of the threat and the
capability of the source. Next, the FM Manager needs to determine the nature of the
vulnerability and, finally, the existence and effectiveness of current controls to deter or
mitigate the vulnerability.

The likelihood that a potential vulnerability could be exploited can be described as high,
medium, or low, as noted below:

1. High - The threat's source is highly motivated and sufficiently capable, and
controls that prevent the vulnerability from being exercised are ineffective.

2. Medium - The threat's source is motivated and capable, but controls are in place
that may impede a successful exercise of the vulnerability.

3. Low - The threat's source lacks motivation or capability, and controls are in
place to prevent or significantly impede the vulnerability from being exercised.

Determining the level of impact on operations is important because the FM Manager must
understand that not all threats will have the same impact. This is because each system in
the organization will most likely have a different value.

One area that may involve operational risk in Facilities Management is the maintenance of
necessary systems and equipment. If maintenance activities are required but certain
limitations, such as time or maintenance budget, apply, making the choice to
perform one over the other alters the operational risk. If a system fails, the negative impact
is associated directly with the operational risk.

The impact on operations can directly affect facility operation. The magnitude of
impact can also be categorized as high, medium, or low, as shown below.

1. High impact risks may result in the high and costly loss of assets; risks that
significantly violate, harm, or impede operations; or risks that cause human
death or serious injury.

2. Medium impact risks may result in the costly loss of assets; risks that violate,
harm, or impede operations; or risks that cause human injury.

3. Low impact risks may result in the loss of some assets or may noticeably affect
operations.

2.5 Step 4: Assess the Risk

The risk ratings identified during the analysis process are then compared with previously
established risk criteria to decide which risks are more significant and to assess whether
the current risk levels are acceptable. The final risk ratings are determined from the
relationship between impact and likelihood as shown in the table below. The risk levels are
High, Significant, Moderate and Low.

Risk rating by LEVEL OF LIKELIHOOD (rows) and LEVEL OF IMPACT (columns):

| Likelihood | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | Significant | Significant | High | High | High |
| Likely | Moderate | Significant | Significant | High | High |
| Moderate | Low | Moderate | Significant | High | High |
| Unlikely | Low | Low | Moderate | Significant | High |
| Rare | Low | Low | Moderate | Significant | Significant |

The general action plans for each risk rating shall be as below:

| Risk Rating | Action Plan |
|---|---|
| High Risk | The risks may probably not occur or have a lesser chance of occurring. Must be managed by senior management with a detailed risk response plan. Board attention is required. |
| Significant Risk | Risks should be treated using one or more of the risk response options as specified in STEP 6. Senior management attention required and management responsibility specified. |
| Moderate Risk | Risks should be treated using one or more of the risk response options as specified in STEP 6. Manage by specific monitoring or response procedures. |
| Low Risk | Accepted with minimal treatment. List will be monitored and periodically reviewed to ensure they remain acceptable. To manage by routine procedures. |

2.6 Step 5: Respond to the Risk (Risk Mitigation)

In FM, Risk Mitigation is the reduction of potential emergency situations, which mainly aims
to avoid hazardous circumstances and reduce risk. This stage of risk management requires
the preparation of plans, identification of management teams and the assignment of
responsibilities for managing the process.

Mitigation involves measures which are incorporated into the design or implementation of
a development project for the purpose of avoiding, reducing, and remedying as well as
compensating for its adverse environmental impacts. Mitigation can be defined as a
sustained action to reduce or eliminate risk to people and property from hazards and their
effects.

There are two major elements in FM Risk Mitigation:

i) Risk mitigation plan

ii) Risk mitigation strategy

2.6.1 Risk Mitigation Planning

In FM, Risk Management needs to be an ongoing effort that cannot stop after a qualitative
risk assessment, or the setting of contingency levels. Risk Management includes front-end
planning of how major risks will be mitigated and managed once identified. Therefore, risk
mitigation strategies and specific action plans should be incorporated in the project
execution plan, or risk analyses are just so much wallpaper.

Risk mitigation plans should:

• Characterize the root causes of risks that have been identified and quantified in
earlier phases of the risk management process.

• Evaluate risk interactions and common causes.

• Identify alternative mitigation strategies, methods, and tools for each major risk.

• Assess and prioritize mitigation alternatives.

• Select and commit the resources required for specific risk mitigation
alternatives.

• Communicate planning results to all project participants for implementation.

Although risk mitigation plans may be developed in detail and executed by contractors, the
FM Manager should develop standards for a consistent risk mitigation planning process. If
needed, the FM Manager should have independent, unbiased outside experts review the
project’s risk mitigation plans before final approval. In an FM service contract, Risk
Mitigation planning should continue beyond the end of the contract by capturing data and
lessons learned that can benefit future contracts.

2.6.2 Risk Mitigation Strategies

Risk mitigation consists of risk treatments that deal with negative consequences, which are
sometimes referred to as risk elimination, risk prevention and risk reduction. Mitigation
measures are indicated as essential concepts of mitigation strategies, which include actions
that require financing and matters that demand innovative idea implementation. The
strategies include: prevent the hazard from occurring, limit the amount or size of the
hazard, separate the hazard from what is intended to be protected, prevent the release of
the existing hazard, modify the basic component of the hazard and disseminate the
information. These strategies are based on the risk assessment and the identification of
hazards.

The following outlines the strategies for applying mitigation actions in Facilities
Management. These five generic risk controls or mitigation strategies are almost always
used in combination in managing risk in Facilities Management. This is a beneficial
approach to ensure a comprehensive and systematic review of the overall exposure and the
spectrum of possible solutions.

2.6.3 Avoidance (Terminate)

Avoidance focuses on eliminating the risk completely. It changes the probability of the
occurrence to avoid the risk from occurring by making decision not to create a particular
loss exposure or to completely eliminate an existing exposure. Such a decision will reduce
the probability of given loss to zero but it has a very limited application.

This option enhances the probability of beneficial outcomes and reduces the possibility of
loss. This is the most basic strategy since it involves ensuring conformance with the local
ordinances such as the requirement for sprinkler in all public buildings.

Examples of avoidance risk mitigation plan are:

• The implementation of building inspections to ensure conformance with the
building codes or building by-laws.

• Pure and strategic risks are associated with being in a particular industry or
occupation which requires never entering or immediately leaving that industry
or occupation.

• The nature of this solution may be engineering, technological, financial and
political or whatever else addresses the cause of the risk.

Uncontrolled or inappropriate risk avoidance may result in missed opportunities and an
increase in the significance of other risks; it is considered a very difficult control
strategy.

2.6.4 Prevention (Treat)

Risk prevention is focused on reducing the probability of risk occurrence though risk is not
completely eliminated. This can be done through limiting the amount or size of the hazard
where effective prevention measures can be undertaken so that the risk can be minimised
to an acceptable level of probability or frequency.

For example, in Facilities Management for a manufacturing company, prevention means
preventing the release of existing risks and ensuring that hazardous material containers
are properly marked and in good operating condition.

Risk prevention also attempts to reduce the probability of risk but not as ambitiously as
exposure avoidance. Prevention focuses on reducing the loss frequency and not the severity
where minimising the number of times a risky activity is undertaken, or the exposure of
facility, staff or service delivery functions to a risk, will reduce the probability of a loss from
occurring.

Another example of risk prevention is the ‘fire triangle’ that fire safety engineers speak
of, where the three elements of fuel, oxygen and ignition source must be present for a
fire to occur. Removing one of the three elements will prevent fire from occurring.

2.6.5 Segregation (Treat)

Risk segregation modifies the basic component of the risks. Segregation focuses on the
division of exposed entities to achieve risk diversification and reduce the aggregate effect
from an event.

Risk segregation strategy encompasses two different but closely related risk management
techniques which are separation or duplication of the exposed units. The purpose of both is
to reduce an organisation’s dependency on any single asset, activity or person and at the
same time make individual risks smaller and more predictable. Thus, the risks may be
diversified for the organisation’s benefit.

Two categories of risk segregation:

1. Separation of risk - dividing assets or preparation into two or more separate
units (Example: dividing stock into two warehouses instead of one).

2. Duplication risk - a complete reproduction of an organisation’s own standby
asset or facility to keep in reserve. Duplication will only be used when the
primary asset or facility is damaged, for example, ensuring back up of computer
files and keeping spare parts for key machinery in stock.

2.6.6 Reduction (Take)

Risk reduction involves the possibilities that change the consequences of risk. This will
increase the size of gains and reduce the size of losses. This may include business continuity
plans and emergency and contingency plans. Risk reduction can be a way of separating the
risks from what is intended to be protected.

Reduction strategy tries to reduce the severity associated with the events and it is different
from risk prevention because reduction focuses on reducing severity of a loss that
eventually will occur.

For example, limit the locations where hazardous material can be used or stored; this can
be done through zoning ordinance (planning). For the most part, locations where hazardous
material is stored openly, such as gasoline tank farms, should have a containment
facility surrounding the possible hazards.

An example of risk reduction is a fire suppression system. As there is never enough
funding to do everything the FM Manager wants to do, he or she must act to reduce risk.
There are several initiatives that reduce risk factors and ultimately help
the organisation, such as:

a) Implement a preventive maintenance programme;

b) In conjunction with the security department, implement an access control
system to manage the physical access to the organisation’s space;

c) Install emergency power systems such as generators, inverter batteries and
uninterruptible power supplies;

d) Inspect and test fire protection systems in accordance with fire regulation and
standards;

e) Install a closed circuit television (CCTV) system, in coordination with the
security department to improve security;

f) Develop contracts or agreement that can be immediately implemented when an
emergency occurs;

g) Estimate down time and notify occupants and customers as to what to expect
and situations for which they should plan;

h) Locate potential offsite storage locations and initiate pre-emergency contacts
or agreements; and

i) Identify critical equipment and materials needed in an emergency. Have them on
hand and easily accessible.

2.6.7 Outsourcing (Transfer)

Transferring risk is to disseminate information so that information concerning risks is
made available to the public. Risk transfer is to ensure that a good hazard communication
programme is in place. It relates the ultimate liability (not just the financial burden) to
another organisation or organisations, such as the process of shifting the ultimate
responsibility for an exposure to another legal entity outside the company, for example
through outsourcing.

Risk can be transferred partially or mostly to another party who will share the
responsibility for it. Risks can never be completely transferred, because there is always
the possibility of failures that may impact the organisation.

Transferring or contracting the risks to a third party is generally agreeing to take risks only
in exchange for adequate rewards. Risk transfer can be appropriate when both parties fully
understand the risks compared to the rewards. This strategy may be applied to contracts,
insurance, partnerships and business alliances. The party assumes the risk because it has
knowledge, skills or other attributes that will reduce the risk to the original organisation
without changing the overall level of risk and, after all, the exchange has to be equally
economically beneficial.

3.0 BUSINESS CONTINUITY PLAN
As we know, Facilities Management deals with integration of all services to support the
core business of an organisation. Therefore, strategies and efforts shall be put in place to
ensure continued business activity in the event of a major disaster or catastrophe. This
involves identifying and assessing potential risks to the organisation and setting up
measures that could either mitigate these risks or rescue the business in the event of a
disaster.

Organisations face many risks ranging from loss of material resources and property to loss
of personnel. Some of the risks include:

a) Loss of buildings;

b) Loss of personnel;

c) Loss of proprietary data or information;

d) Loss of telephone systems; and

e) Loss of corporate stationery.

3.1 The Value of Business Continuity Plan

Organisations cannot possibly prepare for every scenario, but the more extensive the
planning and preparation, the better prepared the organisation is to react to the
unexpected. A robust Business Continuity Plan (BCP) documents the steps to be taken, the
resources needed and the procedures to be followed before, during and after the crisis.

A strong BCP offers the following:

• Increased levels of employee readiness to ensure safety of personnel and an
organised organisational response

• Compliance with applicable regulatory requirements and fiduciary
responsibilities to avoid potential penalties and litigation

• Prioritised recovery of the organisation's business processes to achieve optimal
allocation of resources focused on protecting revenue and containing costs

• Facilities/workspace management solutions that balance the high cost of real
estate against the need to disperse the organisation's intellectual capital

• Customised response strategies focused on high probability scenarios that
ensure the efficient and effective allocation of the organisation's Business
Continuity Plan (BCP) budget

• Well-planned incident response/communications framework designed to
address internal and external requirements

• Awareness of business partner/third party continuity plans to ensure
uninterrupted service and protection of the entire value chain

3.2 Business Continuity Framework

The Framework consists of 4 pillars, which are:

1. Business Vision and Strategy refers to the alignment of the BCP Programme to
the corporate vision and strategy.

2. Senior Management Commitment (from the user side) is essential to ensure that
the BCP Programme is given the support and right level of importance and
priority as there are many competing demands for time and resources within an
organisation.

3. BCP Structure refers to the importance of the people component in the
establishment of an organisation structure with defined roles and
responsibilities for both BCP development and recovery. It is to ensure a
comprehensive workable plan which is able to effectively mitigate the effects of
a disaster. In the chaos of a disaster, there must be proper command, control
and co-ordination of the many teams of people involved in the recovery process;
and

4. Training and Awareness Programme refers to the continual education
programme for the people to respond to a disaster and also to develop the
plans. This also includes the change management programme which is essential
to ensure sustainability of the BCP Programme.

3.3 Developing the Business Continuity Plan

3.3.1 Step 1: Identify the Scope of the Plan

As in most business planning processes, the first thing that must be done is to define the
scope and objectives of the plan being made.

In addition, there is also a need to define the assumptions that will prevail in the conduct of
BCP. It is also during this phase that budgeting is conducted, with the initial program
budget taking into consideration the expenses that may be incurred in the process of
developing the plan. These include costs of research, training and seminars, and other
services sought in the process of moving the plan along.

3.3.2 Step 2: Form the Business Continuity Team

There is a need to establish a governance structure within the BCP in order for
management to have order and control in its conduct.

This involves identification of the key roles in the team, and their functions or roles and
responsibilities. In addition, the qualifications for each role should also be identified, in
order to justify the choice of personnel to fill the roles within the team. Lines of authority
and accountability, as well as management succession, should also be defined clearly.

The usual composition of a typical BCP team includes:

• BCP senior or executive manager – He is the overall leader of the committee,
and the major link between top management and the BCP team.

• Program Coordinator – His responsibility includes BCP budgeting and budget
implementation and monitoring, development of BCP policies, and coordination
of BCP activities, such as the conduct of BIA, quality assurance, staffing, and
training of BCP team members. In short, he is the team leader.

• Information officer – He will be responsible for ensuring the smooth and steady
flow of, as well as access to and retrieval of, data to be used in BCP.

• Representatives from the various business units or divisions of the
organisation (user side) – They are excellent sources of input and relevant
information, and will also aid in the analysis of BCP data. Usually, there is a
representative for every critical process or function, as well as support
processes or functions, including the FM Manager and his key team members.

There is no limit to how many people should comprise the business continuity team or
committee. A team could have only five people on board, or it could have as many as 20 or
even 30 members. The number of people and the size of the team will largely depend on
the nature of the business and the size and scale of its operations.

3.3.3 Step 3: Conduct a Business Impact Analysis (BIA)

Conducting a BIA is crucial since its results will be the major input in business continuity
planning. Through BIA, the team will be able to predict or forecast the potential impacts or
consequences of business operations. It will also aid the team in gathering information that
will be helpful when it comes to developing strategies that can be adopted by the company
for its recovery from the crisis.

Briefly, the core concerns of BIA are as follows:

• Key business areas (core business), or the core operations of the business;

• Core functions and processes of the business that are considered critical and/or
time-sensitive;

• The resources required to ensure the continuity of these key business areas and
critical processes and functions (user side);

• The dependencies (and interdependencies) between and among the business
areas and functions or processes – this includes the building systems and
installations;

• The acceptable or tolerable downtimes for each critical process or function

The BIA will facilitate the prioritization of critical processes and functions (or critical
products and services) of the company, so management will have a clearer idea on which
areas need more resource allocation in case of an emergency. Usually, estimates and
approximations are made with respect to financial variables, such as lost revenues,
additional costs, and other possible losses.

3.3.4 Step 4: Strategizing and Planning

Based on the results of BIA, the team will then identify response and recovery strategies
and plans to address the effects of the disruption, and present them in detail. It is in this
phase where the team will provide details on the arrangements and measures that the
company will undertake in order to mitigate threats and risks.

For every critical function, process, service, or product, there should be corresponding
continuity responses, measures or plans. Cost estimates should also be included. That is
how detailed this phase should be.

It should also talk about the readiness procedures that must be implemented, and how they
will be implemented.

3.3.5 Step 5: Compilation and Documentation

This involves the writing of the Business Continuity Plan. Usually, there will be a first draft,
since the succeeding steps involve testing the recovery plans and strategies, making
adjustments and re-testing until such time that The Plan can be finalized.

Also, it is important to note that BCP is an ongoing process. That means that The Plan must
be tested frequently, and updated when necessary. Thus, The Plan is subject to changes, as
applicable.

3.3.6 Step 6: Implementation and Testing

The prevention and mitigation strategies formulated in Step 4 will now be implemented.
This involves communication of the plan to all members of the organization, making them
aware of their part in it. This involves training them on their roles if the event does happen.
External stakeholders should also be made aware of the plan.

The emergency response and recovery strategies will undergo testing, mostly through
drills and scenario exercises that will require the participation of the concerned employees
or members of the organization. Through testing, the business continuity team will be able
to assess whether the plan will be effective or not. This is their opportunity to make the
necessary adjustments and corrections.

Testing and evaluation must be done periodically in order to take into account the ever-
changing nature of businesses.

3.3.7 Step 7: Adjustments and Improvements

The program may need to be adjusted due to the following:

• Evaluation and testing of the strategies may reveal that they are ineffective or
inefficient

• There may be deficiencies in the strategies

• Some roles and responsibilities are vague and need clarification

• Change in the roles and members of the business continuity team

• Introduction or occurrence of new or additional factors or circumstances, such
as new equipment, opening of a new branch, relocation of operations, and new
technology or system that modified critical processes.

Since testing and evaluations are done periodically, there is an equal chance that the
program has to be adjusted several times. It follows that the Business Continuity Plan will
have to be rewritten to accommodate or reflect these adjustments.

3.4 Communicating the Business Continuity Plan

Communication planning is a complex part of preparedness and any business continuity
process. Clear and effective communication channels must remain available in order to
disseminate information to employees, assess and relay damage, and coordinate a recovery
strategy. Failed communication often results in failed business continuity efforts.

A thoroughly planned, tested, and exercised communication procedure is essential to
ensure effective business continuity and viability of critical business operations. It can be
seen in the following phases:

1. Notification
The notification process begins upon the anticipation or discovery of a business continuity
situation. Appropriate personnel and applicable business unit managers should be initially
notified and updated on the current scenario. The initial notification format can be dictated
by company policy; however, all known information should be provided at that time,
including:

i. Location of impact or potential impact

ii. Scenario details (fire, explosion, etc.)

iii. Implementation timeline

The person responsible for each critical business process should begin documenting
response actions. Necessary continuity information should be maintained and updated as
necessary to ensure all management and affected personnel can quickly initiate proper
actions.

In the planning phase, initial communication procedures, available communications
equipment, and alternative communication formats should be evaluated. Initial and backup
communication formats should be agreed upon during training and exercises to certify
that managers, continuity personnel, external suppliers, and possibly the public receive
pertinent messages.

Primary and alternate resources contact information should be included in the business
continuity plan (BCP) to ensure consistent delivery and continued operations in the event
suppliers are subjected to business continuity circumstances. Up-to-date contact
information for internal and external responders should be verified for accuracy.

2. Verification
Verification of contact information for personnel, continuity supervisors, and external
responders should be done on a periodic basis. Business continuity planners must be
certain that new employees are included in the plan, as necessary, and that notifications
are being delivered to accurate e-mail addresses and/or contact numbers.

If maintaining accurate contact information is challenging, consider opting for an e-mail
notification verification system that enables the contact to verify their information through
hyperlinks. Companies can also offer incentives, such as drawings or prizes, to encourage
all personnel to verify contact information as requested.

3. Stabilisation
Stabilisation is the result of the corrective actions initiated by the business continuity
coordinator, business unit managers, and response personnel. Stabilisation includes such
actions as initiating proper notifications and implementing a procedural course of action.
The FM Manager should identify and procure necessary communication equipment and
establish processes for continued operations and recovery of the building systems and
installation. This will prevent unnecessary downtime and additional recovery efforts.
Effective communication is the bridge to stabilisation.

4. Recovery
Recovery begins once the affected area, personnel, equipment, and/or operations are
accounted for and stabilised. Recovery communications include actions such as damage
assessment reporting, interactions with response personnel, removal and disposal of
the disruptive element, and safety verification prior to re-entry or a return to operations.
The lines of communication need to remain open in order to return to a “business as usual”
level.

Developing relationships and common understandings of roles and responsibilities prior to
a continuity event increases overall communication, post-disaster collaboration, and
unified decision-making, streamlining the recovery process.

Upon termination of the incident and restoration of operations, an oral and written critique
of the response should be conducted among personnel and the key business continuity
members. Communicating through evaluations and post-incident summaries can lead to
the identification of continuity challenges and procedural obstacles. Items requiring action
should be documented, communicated to involved parties, and tracked to ensure that
potential corrective actions are identified and mitigation efforts are completed.
