Guide to Effective Business Continuity Planning in Singapore
Just within the span of 2020’s first 3 months, businesses around the world have had to face both localised threats like the Australian bushfires and Iran-US hostilities, as well as threats on a global scale like the Coronavirus Disease 2019 (COVID-19) pandemic. Many businesses were disrupted, leading to their closure.
Therefore, businesses should always be prepared for events that may disrupt day-to-day business operations, interrupt supply chains and damage critical infrastructure. This can be done through the implementation of a Business Continuity Plan (BCP) which serves to mitigate the impact of disruptive events on businesses.
This article targets leaders of organisations who are able to initiate BCPs on behalf of their organisations, offering them insights into the value of BCPs to their organisations and guidance on how to implement BCPs within their organisations.
What is a BCP and the Purpose of It?
As its literal meaning suggests, BCP is the process of maintaining the flow of business activities and transactions. It serves as a countermeasure to disruptive events that inhibit business functions, such as cyber-attacks, natural disasters, pandemics and terror incidents.
Why is a BCP Necessary?
You continue to accrue revenue
You develop a stable way of accruing revenue despite the onset of disruptive events
Businesses may possess some measure of cash reserves to tide themselves through short-term downturns. However, such reserves will eventually be depleted if disruptive events bring business activities to a standstill for protracted periods. Even if businesses enjoy insurance coverage, it is unlikely for all losses suffered from disruptive events to be covered wholly by insurers.
The implementation of BCP helps businesses continue with their contractual obligations and ensures that some revenue continues to accrue to them from their clients, when disruptive events occur. Such revenue flows will help businesses cover their immediate operating expenses, thus keeping businesses afloat and providing business owners with a lifeline to re-organise and adapt to the disruptive situation.
You adhere to legal obligations owed to employees
Under section 12 of the Workplace Safety and Health Act in Singapore, employers have a legal obligation to ensure the health and safety of their employees at work. For businesses that hire foreign employees, the First Schedule of the Employment of Foreign Manpower Act imposes a further legal obligation on employers for the “upkeep and maintenance of (foreign employees)”.
Disruptive events can expose workplaces to health and safety hazards. For example, a terror incident in Singapore’s city centre, like what has been witnessed in Mumbai (2008) and Paris (2015), may result in damaged and inhabitable workspaces.
For employers that have already contemplated such events and prepared contingency arrangements, such as alternative workspaces and work from home arrangements (discussed below) as part of BCP, their employees will be able to safely continue working at these alternative locations and support the continued functioning of the business. This also reduces employers’ risks of breaching workplace safety-related legal obligations when disruptive events occur.
What is Included in a BCP?
Given that a combination of disruptive effects may arise from any one event, there is no “template” BCP for businesses to follow, and each BCP will have to be constituted according to the disruptive events that businesses plan to respond to.
Nevertheless, a BCP can be designed to include a system that:
- Provides for alternative work arrangements
- Draws on detailed plans for the restoration of any damage caused to critical infrastructure
- Seeks out alternative supplies to minimise business disruption
Providing alternative work arrangements
Disruptive events may hinder day-to-day workplace operations. For example, in response to the ongoing COVID-19 pandemic, reduced interaction in the workplace is being emphasised to reduce the spread of the virus.
Hence, in order to ensure smooth continuance of business, while not disconnecting communication between employees, alternative work arrangements such as “remote working” or “work from home” could be implemented as part of your BCP.
In doing so, your BCP could also provide policies for the separation of employees into office and home-based teams, with teams alternating between working from home and at the workplace, and for the prohibition of interactions between members of different teams.
Restoration of any damage caused to critical infrastructure
Disruptive events may result in damage to critical infrastructure. In such cases, BCPs will first have to focus on restoring the functions of such infrastructure, so as to enable other functions of the business to resume.
For example, BCPs for businesses in earthquake-prone regions of the world may include detailed plans to restore communications systems, since telecommunications cables are easily damaged by earthquakes. Restoration of communications systems will then make it possible for the implementation of other BCP measures like work from home arrangements.
Seeking out alternative supply sources
Disruptive events may result in interruptions to supply chains of raw materials. In such cases, BCPs should ensure alternative supply sources for businesses to tap on.
For example, if a food and beverage business primarily obtains its ingredients from drought-prone regions, it should ensure alternative supply sources such as geographical regions with greater precipitation or hydroponics farms.
How to Design and Implement a BCP
There are 5 general guidelines in preparing a BCP. These guidelines may be summed up as the 5As, to be discussed in the order in which they should be contemplated.
1. Appoint a BCP team
A BCP team should be appointed in advance of any crisis. This team can be split into a “command” group and an “action” group, to avoid duplication of roles and to ensure that plans are seamlessly translated into actions.
The “command” group should comprise members of the organisation’s leadership team who have an overarching view of how the various moving parts of an organisation function together.
On the other hand, the “action” group should comprise team members with specialised skill sets critical for the functioning of the organisation, such as corporate communications personnel, IT personnel and legal advisers.
The BCP team should meet at regular intervals to review existing plans, and revise them as necessary.
2. Assess potential threats to the business
The BCP team should brainstorm on a list of potential threats to the organisation. They should follow up on this initial brainstorm with a consultation of the wider organisation through surveys and interviews, so as to avoid blind spots in this assessment.
Once a list of potential threats to the organisation has been compiled, the BCP team should then explore how these threats would affect day-to-day operations of the organisation. Here, the different perspectives and knowledge of the “command” group and “action” groups will help to ensure an all-round insight into the effects of the potential threats.
Ideally, all levels of disaster severity ranging from minor disturbances to total losses should be considered, so that appropriate responses can be devised for each crisis level.
The findings from this assessment should be compiled into a report that remains accessible to personnel of the organisation, and open to their input at all times.
3. Action plan
Steps 1 and 2 will lay the groundwork for the creation of an action plan, which should comprise 3 phases:
Certain disruptive events may be prevented from the outset. For example, cyber-attacks may be averted by strengthening existing cyber defences. Therefore, as part of the “prevention” phase, the BCP team should refer to the list of potential threats assessed in step 2, and consider if any of these threats can be avoided in the first place.
For unavoidable threats such as natural disasters, pandemics and terror incidents, the BCP team should then consider how best the organisation may respond to these threats, so business activities can continue notwithstanding the occurrence of such threats.
For example, in the event of a pandemic, having two separate teams alternating between working from home and at the office reduces interaction, and therefore the risk of transmission of highly-contagious viruses, among employees and will not result in the entire organisation having to halt work completely.
If time and resources permit, organisations can conduct regular drills of BCP responses. In preparing for a future pandemic, for example, employees may be given the option of working from home once every few weeks, so that they would be familiar with the process of telecommuting.
Most importantly, employees should be made aware of the rationale behind BCP arrangements, so as to increase their willingness to comply with such arrangements and minimise the efforts needed to ensure their compliance.
Finally, as part of the “recovery” phase of the action plan, the organisation should be prepared to take steps to restore operations when the situation stabilises and an eventual reversion to the norm is in sight.
For example, organisations may have interim facilities and back-up systems ready for employees to continue their functions as before. In practice, there may already be substantial overlap with the “response” phase of the action plan if the disruptive events are short-lived in nature.
When disruptive events occur, any action plan should first be approved by members of the BCP team’s “command” group before implementation.
Existing action plans will always be based on hypothetical scenarios, and the “command” group will be able to refine the chosen action plan in accordance with any ongoing business developments.
A regular audit of the BCP should either be conducted internally, or by external consultants. The results of such audits will form the basis for the regular review of BCP that the BCP team is expected to undertake as part of step 1.
In summary, the 5As of appointing a BCP team are guidelines that may be relevant to organisations in formulating their BCPs, and can be applied regardless of their business activities and the type of disruptive event occurring.
However, the details of each organisation’s BCP will depend on the threats facing each organisation’s industry, as well as the resources available to each organisation.
We believe that an investment of time and resources into devising BCPs now will provide organisations with stability in future.
Given that the implementation of BCP may have implications on your employees’ work arrangements and your compliance with workplace-safety related legislation, you may wish to engage a corporate lawyer for legal advice on implementing a BCP.
- Appointing Company Directors in Singapore: Eligibility, Process etc.
- Managing Director vs CEO in Singapore: Roles and Obligations
- Guide to Directors' Remuneration in Singapore
- Directors' Duties in Singapore
- Shadow Directors: Who are They and What Duties Do They Owe to the Company?
- How to Remove a Director from a Company in Singapore
- Removal and Resignation of Company Auditor in Singapore
- Appointing a Company Secretary: Roles and Responsibilities
- Appointing an Authorised Representative for Foreign Companies in Singapore
- Process Agents in Singapore
- 2 Ways to Remove a Singapore Company Shareholder ASAP
- Guide to Paid-Up Capital in Singapore (Is $1 Enough?)
- Preparing a Register of Shareholders for a Singapore Company
- How to Issue Shares in a Singapore Private Company
- Guide to Transferring Shares in a Singapore Private Company
- Your Guide to Share Certificates in Singapore: Usage and How to Prepare
- Shareholder Rights in Singapore Private Companies
- Shareholder Roles and Obligations in Singapore Companies
- Dividend Payments Guide for Singapore Business Owners
- Share Transmission: What Happens If a Shareholder Dies in Singapore?
- How to Reduce the Share Capital of Your Singapore Company
- Buy-Sell Agreements: How to Write & Fund Them in Singapore
- Oppression of Minority Shareholders
- Essential Regulatory Compliance Guide for Singapore Companies
- Dormant Companies and Their Filing Obligations in Singapore
- Anti-Money Laundering Regulations and Your Business: What You Need to Know
- Price-Fixing, Bid-Rigging and Other Anti-Competitive Practices to Avoid
- Legally Conducting Lucky Draws for Singapore Businesses
- Restaurant Inspection and Food Safety Rules in Singapore
- Does Your Company Need a Legal Team (In-House Counsel)?
- How to Change the Name of Your Singapore Company
- Can Directors be Liable for Company Debts in Singapore?
- Company Loans to Directors/Shareholders in Singapore
- 3 Types of Insurance Every Singapore Business Needs
- Creating and Registering Charges in Singapore: Guide for Companies
- Guide to Effective Business Continuity Planning in Singapore
- Business Asset Sale & Disposal in Singapore: How Do They Work?
- Business Partnership Disputes in Singapore: How to Resolve
- How to Commence a Derivative Action on Behalf of a Company in Singapore
- Business Will: How to Pass on Your Business to Your Successors in Singapore
- Record-Keeping Requirements for Singapore Companies
- Company Constitutions in Singapore and How to Draft One
- Company Memorandum and Articles of Association
- Company Resolutions: What are They?
- Board Resolutions in Singapore
- Minutes of Company Meeting in Singapore: How to Record
- How to Set Up a Register of Controllers
- How to Set Up a Register of Nominee Directors
- Guide to Filing Financial Statements for Singapore Business Owners
- Filing Annual Returns For Your Business
- Singapore Corporate Tax: How to Pay, Tax Rate, Exemptions
- Start-Up Tax Exemption Guide for New Singapore Companies
- GST Registration: Requirements and Procedure in Singapore
- What is Withholding Tax and When to Pay It in Singapore
- Singapore Influencers: Here's How to Calculate Your Income Tax
- Tax Investigation of Tax-Evading Business Owners in Singapore
- Small Business Accounting Services in Singapore
- Company Audits in Singapore: Requirements and Exemptions
- Suspect a PDPA Data Breach? Here's What to Do Next
- Must You Notify PDPC About a Data Breach in Your Business?
- Summary: Your Organisation's 10 Main PDPA Obligations
- Essential PDPA Compliance Guide for Singapore Businesses
- PDPA Consent Requirements: How Can Your Business Comply?
- Is It Legal for Businesses to Ask for Your NRIC in Singapore?
- Here's a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
- Cloud Storage of Personal Data: Your Business’ Data Protection Obligations
- GDPR Compliance in Singapore: Is it Required and How to Comply
- Appointing a Data Protection Officer For Your Business: All You Need to Know
- How Can Companies Dispose of Documents Containing Personal Data?
- Check the Do-Not-Call Registry Before Marketing to Singapore Phone Numbers
- How to Legally Install CCTVs for Home/Business Use in Singapore
- Is Web Scraping or Crawling Legal in Singapore?
- Legal Options If Employees Breach Confidentiality in Singapore
- Dealing with Defamation of Your Business: Can You Sue?
- Sending Email Newsletters That Comply With Singapore Law
- A legal guide to drafting a social media policy for your company
- Your Guide to a Media Release Form in Singapore
- Your Guide to an Influencer Marketing Agreement in Singapore
- Outdoor Advertising: How to Legally Display Public Ads in Singapore
- Voluntary Suspension of Business in Singapore: How to Handle
- Winding Up a Singapore Company: Grounds and Procedure
- Closing Your Singapore Business: What You Need to Settle
- Striking Off a Company
- Can a Company that Struck Itself Off the Register Later Apply to Restore Itself?
- Dissolution of partnerships in Singapore
- What Should a Creditor Do When a Company Becomes Insolvent?
- How to File a Proof of Debt Against a Company in Liquidation
- Insolvency: Claw-Back of Assets From Unfair Preference and Undervalued Transactions
- Validation of Payments Made by Companies Being Wound Up