BCM Institute | Blog

Planning Steps for Implementing BCM for Security Company

Written by Moh Heng Goh | May 8, 2021 2:55:34 PM

What are the Key Steps Undertaken to Implement BCM for a Security Company?

 

One vital step before starting your Business Continuity Management (BCM) project is to have a good Understanding of Your Organization: Security Company in the context of business continuity management.

What is Business Continuity Management?

According to the ISO 22301 BCMS Standard, Business Continuity Management (Goh, 2015), or BCM, is a “Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”

Source: ISO 22301:2019 – Societal Security – Business Continuity Management Systems - Requirements - clause 3.4

This definition can be simplified as an organization-wide discipline and a complete set of processes identifying potential impacts that threaten an organization. It provides a capability for an effective response that safeguards the interests of its major stakeholders and reputation.

What is BCM for Security Companies?

In the context of Security Companies, business continuity management is a complete set of processes identifying potential impacts that threaten their ability to continue their critical business functions and responsibilities.

It equips a security company, as an organisation, to protect its reputation and deal with any incoming threats that may hinder its ability to perform its daily security services, such as guarding, monitoring, commercial and industrial security, and event security.

BCM Planning Methodology

Security Companies are vulnerable to disruptions and threats. Any incident, if not appropriately managed, can escalate into a disaster or crisis, or even cause significant injuries to employees or death.

Therefore, a Security Company should be prepared for an incident before it occurs to minimize its impact should it happen. One such way to prepare is to adopt a BCM Planning Methodology.

Like any other planning process, the BCM planning methodology provides a framework for requirements, effort, and deliverables. Each phase leads into the next in an endlessly repeating cycle, and the roles and responsibilities are spelled out in the BCM framework.

The BCM Planning Methodology (Goh, 2015) is divided into various steps. The key is to divide the entire process into manageable steps.  

Risk Analysis and Review [RAR]

A wide array of risks can be identified within the context of a security company. One possible risk scenario is losing an office building or IT systems. The risk rating is determined by multiplying the risk likelihood and impact. In addition to these factors, controls are often present to reduce risks.

Because the customer facilities managed by the Security Company are geographically dispersed over a large area, the threats should be reviewed and analysed based on location.

The types of threats, or "contingencies", highlighted as part of the Security Agencies Competencies Assessment (SACE) are as follows:

  • Major disaster
  • IT-related incidents
  • Terror-related incidents
  • Disease outbreak

Business Impact Analysis [BIA]

Business functions, including security services such as guarding, monitoring, commercial and industrial security, and event security, are analysed to determine whether they are critical or non-critical to the Security Company.

A set of criteria is developed to guide this analysis. Business function criticality will determine the priority and urgency with which the disruption is dealt with.

As mentioned in the earlier blog, examples of such business functions should include Administration, Human Resources, and Finance, which are not externally facing. These functions are often centralized or even outsourced; their identification and prioritization should be considered part of the BCM scope.

Business Continuity Strategy [BCS]

Once critical business functions are identified, interim recovery guidelines and procedures must be developed to allow Security Companies to operate between the “time of disaster” and “ready for routine business.” 

There is a need to develop strategies to provide alternate facilities and service providers and store backups of vital equipment and records in a safe place.

Plan Development [PD]

The BC plan and its associated procedures for recovering the Security Company after a crisis or disaster are documented in the development phase. This plan is based on all the essential details from the earlier business impact analysis and business continuity strategy phases.

Testing and Exercising [TE]

Once the BC plan is documented, tests and exercises are carried out to ensure it works and to prove its validity. The plan from the plan development phase is run through simulations, where it is ultimately graded based on criteria. If the results of a test or exercise are deemed unsatisfactory, any errors or omissions in the plan will need to be corrected.

Program Management

Finally, once the security company's management team has approved the BC plan and the rest of the documentation, the assigned team will need to update and maintain the plan periodically to reflect organisational changes in the Security Company and prevailing threats in the environment.

 


References

Singapore Attorney-General's Chambers. (2019). Singapore Statutes Online: Private Security Industry Act. Retrieved from https://sso.agc.gov.sg/Act/PSIA2007

Goh, M. H. (2015). Business Continuity Management Planning Methodology. International Journal of Disaster Recovery and Business Continuity, 6, 9–16. Retrieved from http://dx.doi.org/10.14257/ijdrbc.2015.6.02