TIEMS Newsletter: Latest Edition is Ready

24 03 2014

Hi all,

The latest edition of the TIEMS Newsletter is ready. Take note of some interesting conference announcements and even some opportunities to participate in some research projects. You can find the latest newsletter at the following link:

http://tiems.info/images/TIEMS%202014%20Newsletter%20March.pdf

Enjoy!

The StoneRoad Team





When is a Disaster Considered a Disaster?

22 02 2014

It’s kind of like the old question: ‘If a tree falls in the forest and no one is there to hear it, does it make a sound?’ A disaster isn’t a disaster if there’s no measurable impact. No impact to people’s perception of the situation. No impact to people’s lives. If there is a large fire but there are no people, property (facilities, IT equipment etc.) or processes involved – either by fighting the fire or being impacted by the fire – is it still a disaster? There are no fire fighters and no burning buildings, and so no people being impacted, so is it still a fire worth tracking and determining the impact and disaster level? No, because there is no measurable impact.
There will be arguments that state yes, it is a disaster because of the damage it can still cause (e.g. to the environment), but if no one is involved how do you know it’s a disaster? There’s nothing that tells you it’s a disaster; nothing to point towards to say ‘this’ is the reason for the fire being a disaster, because when the large fire is discovered its impact isn’t known…yet.
A disaster must have some level of measurable impact. Something that can be ‘seen’ and ‘felt’ by people before it can be classified as a real disaster – and it has to impact people, otherwise it may just be an incident or an event of note. A fire in the middle of nowhere can still be a disaster, but if no one is there to see it, fight it or be impacted by it, it’s not classified as a real disaster because there’s nothing to measure as an impact.
For a disaster to be a disaster – in the eyes of people, media and the public in general – there has to be an impact to:
• People;
• Communities & Community Infrastructure;
• Service interruptions;
• Resources;
• Facilities;
• Technology (including those that impact services and processes);
• Suppliers;
• Vendors;
• Partners;
• Finances;
• Responders…and more.

If there is no measurable impact to any of the above, it’s not a disaster or a situation worth reporting on; it may just be an incident or Business As Usual (BAU) occurrence for which response mechanisms have already been developed. Those mechanisms are a means of addressing the situation before it escalates out of immediate control to become a disaster, or even the means to respond to the non-event when the non-event escalates and does begin to have an impact. Staying with the fire example, a forest fire may be a bad situation but not a disaster until it continues out of control and begins to threaten communities. Then what started as a non-event or non-disaster suddenly becomes a disaster.
The argument can be made that anything that impacts another is a disaster. A forest fire is a disaster because it destroys property, animal life and the natural resources it envelops. But again, if there is no one to fight the fire – or even plan to fight the fire and maybe even to see the fire – is there a real disaster when no one is involved? If people are not involved with the situation by either resolving or addressing it or being impacted by it, it’s not a disaster. It’s just a situation that may or may not be in the headlines and will quickly be forgotten.

© StoneRoad 2014
A.Alex Fullick has over 17 years’ experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM & DR: Plans That Can’t Be Made!

31 01 2014

In many organizations, executives and employees – and even auditors – will ask Business Continuity Management (BCM) / Disaster Recovery (DR) practitioners if they have plans for every situation possible; every potential risk and every potential impact to the organization. Considering that the number of risks that exist in the world today is basically infinite – once you calculate all the various potential impacts to an organization from a single event – there will be communication, restoration and recovery plans that just can’t be developed, documented, implemented, communicated, validated or maintained. It is impossible to have a response to every situation; the secret is to be able to adapt to the situation and leverage the response plans you do have to help adapt to the disaster situation.
Still, the questions will come about these plans and why a response isn’t captured for a particular situation and its resulting scenarios. A BCM/DR practitioner must be able to address these questions and be able to respond with reasons as to why specific plans don’t – and can’t – exist.
There are a few key reasons that practitioners must be able to communicate to those asking the questions and they are noted below.

1. Unknown Unknowns – Any situation, both disaster related and non-disaster related, will contain all sorts of details. One specific activity or item can have multiple responses depending on the details that come from the situation itself. For example, an earthquake can cause minor or major damage to an area but depending on where it occurs and when it occurs, the responses to the earthquake will be completely different.

2. Highly Improbable – Sometimes a risk to an organization is just so improbable that creating a plan for the situation would be futile and a waste of resources (time and people). For example, an organization with a facility in the middle of the Canadian prairies wouldn’t bother creating a disaster response plan for avalanches; it’s just so highly unlikely that it could ever happen. If an organization documents the probable risks – such as floods or snowstorms for that previously mentioned prairie location – it can adapt the plans that address the likely risks to those that are highly unlikely. New plans for unlikely activities would just distract from developing plans and processes that are really needed.

3. Changes in Assumptions – Assumptions are those things we believe to be true and they should be challenged continuously; especially through tests and exercises. However, if they aren’t challenged at some point then the continued planning and BCM/DR program development could be based on false information. For instance, if specific partners are expected to perform specific tasks for your organization when it experiences a disaster but they don’t know about them – or the tasks have changed and they’ve not been notified – your plans are going to be out of sync with expectations and need. Plans are not built on assumptions but the detailed activities contained within them will be built on assumptions and they must be reviewed at all times.

4. Public Opinion / Perception – Public opinion can change with no warning; what the public may agree to in one situation they may not agree with in another situation – even when the details are relatively the same. All an organization can do is ensure it has a comprehensive Crisis Management and Communications Plan (CM&C) and those responsible for the plan understand how to communicate with the public and respond to the public. There is no way an organization can guess at what the public may believe and trying to determine every response plan to unknown perceptions would take eons to develop – something that an organization just can’t do.

5. External Directives – Depending on the scale of the situation, an organization may receive instructions from 3rd parties, such as the police or local governments. It’s never known what these groups may dictate to an organization, as it’s never known ahead of time what or when a disaster will occur. Thus, a plan can’t be developed to address the specifics of what to do based on directives received from external sources. However, if an organization has an established BCM/DR program with relevant plans and processes, it can adapt itself to the situation based on the impact to the organization itself. If an external source dictates a directive then the organization can take what it has in place and adapt itself. But a plan specific to communications that haven’t been provided – because a disaster hasn’t occurred yet – can’t be documented.

© StoneRoad 2014





BCM/DR: Understanding Want and Need

15 01 2014

BIA results can help determine many aspects of the BCM/DR program to come; they validate what is required – and what’s not. And what’s required and what’s not is determined through the development of the various strategies and approaches that are created as a result of the BIA findings. However, that doesn’t stop individuals of all levels from believing they know what they require for their restoration and recovery strategy regardless of what the BIA findings state.

This is because many individuals have a difficult time comprehending that they may not be the most important area within the organization and thus, aren’t required to be available immediately. And if a department – or particular aspects of a department – aren’t required immediately after a disaster, many will disregard that fact and begin to state what they must have; what they want vs. what they actually need.

The difference between want and need is something that all BCM/DR practitioners must clearly understand and communicate to department leads; especially those responsible for acquiring, developing and implementing the various strategies required to address BIA findings.

A department that is not required to have its processes become immediately available after a disaster will want specific action to be taken so they can become available sooner but resources, BIA findings and cost will determine that it is not needed.

Sometimes business people – even some IT personnel – will state they want something but there isn’t any information / data to back up their requirement. The BIA and the resulting continuity, restoration and recovery strategies required to address those findings determine what is needed and what isn’t. Here’s the difference between want and need:

• Need is based on what the agreed-to BIA findings state is required – based on the strategy developed. Then you know what you need and it separates from the want.
• Want is based on feelings and desire, and no one wants their department processes to be formally classed as not being required during a disaster – or at least not immediately required.

Need is something that, if it isn’t available, a department that wants to be up and running cannot be up and running because dependencies required to run the department (i.e. items that arrive from other departments) aren’t available or aren’t required based on BIA findings. So even then, when a department wants to be available, it still can’t become available because one of its dependencies isn’t needed. So even when people state they know what they want and what they believe they need, the BCM/DR professional must ensure that the strategy departments want aligns to the strategy the organization needs.

Make sure you know the difference and if asked why something isn’t provisioned for, you’ll understand – through the BIA findings – the reason.

© StoneRoad 2014





BCM / DR Scheduling

23 12 2013

Nothing happens without good planning and implementation strategies and this is required when planning out the development of the Business Continuity Management (BCM) / Disaster Recovery (DR) program. It’s impossible to just start something without having any idea when you’ll be finished or what you need to reach along the way to be able to take the next step.

Often, to get proper buy-in from executives, a BCM/DR practitioner has to provide a timeline alongside the goals and deliverables the project will provide. It’s one thing to provide the reasons why you need a program and if those are accepted by executives as valid reasons (let’s hope they think so…), the next question will be, “When will it be done?” So, a draft timeline must be mapped out; from how long a BIA will take and when the findings will be delivered to when the 1st test will occur.

Of course, it will all be built upon assumptions such as resource availability for example, but a high-level timeline must be provided to executives. Below are ten considerations a practitioner must keep in mind when building the BCM/DR program:

1. Communicate Schedule – At first you’re communicating the schedule to the executive team hoping for buy-in on the need for a BCM/DR program build but you also need to communicate the schedule to other stakeholders. For example, if you’re going to be meeting with all division leaders, they should know what your timelines are so they can work within those or recommend amendments if the timeline is unrealistic (to them).

2. Base on Agreed-to Availability – If a department isn’t available due to some high-priority initiative during the week of a specific month, then schedule around them and accommodate their priorities. It could be that you meet with them first or schedule them last so that they don’t experience any distractions as they implement their own high priority project. Meet with the department/division leads to ensure that timing is mutually satisfactory.

3. Report Progress – Once you’ve got a timeline developed and approved, executives are going to expect a report on your progress; not just on the deliverables but on whether you’re on track to the timeline. Are you behind schedule or are you ahead of schedule and, if you’re behind, what are you going to do to try and get back on schedule? Keep in mind, you may be behind schedule due to an unforeseen circumstance, which had resources focusing on something else and the BCM/DR meetings needed to be rescheduled to later dates. If that’s the case, make sure this is communicated to the executive team, as they will understand if there were unforeseen circumstances based on an incident or sudden client issue that refocused individuals. They won’t be happy if you’re behind schedule for no ‘valid’ reason and have no plan to get back on track.

4. Issues, Risks & Assumptions – If an unforeseen circumstance occurs, as noted in #3 above, there hopefully will have been a documented risk; a risk that states that the schedule is based on no unforeseen circumstances occurring and that available resources aren’t refocused for any amount of time to deal with it. If resources are repurposed to deal with the issue, then the BCM/DR schedule will be impacted. By doing this, executives will understand the reason for being behind and will allow you to re-plan but won’t be happy if you were always planning a ‘perfect path’ – that nothing will go wrong.

5. The Right Resources – When scheduling, make sure you’re going to get the right person to interview or participate. If you are assigned someone who is impossible to schedule a meeting with because their calendar is continuously full because they are over allocated, you may find your timelines slipping. Make sure you get the best resource participant from the department and ensure they have time committed to the BCM/DR program.

6. Project vs Program – Be sure to break up the overall timeline into mini-projects. For example, when you will begin and end the Business Impact Analysis (BIA) project and when you will perform the BCM/DR strategy development project. Each must have a start and end date with a specific deliverable planned. All this needs to be sketched out.

7. Determine Milestones – The end dates noted above in #6 may also be your milestones; key points you’re striving to achieve in your overall timeline. Make sure that you have a few key points captured, as these are used in the progress reporting with executive management, so they can ‘see’ your progress.

8. Dependencies – If you have any dependencies between program phases, identify those up front so executives – and others – understand why some phases are performed in a specific order. For example, the development of BCM/DR strategies cannot begin until the BIA phase has completed and findings presented or a test cannot occur until specific plans have been developed and implemented.

9. Schedule Around ‘Them’ – When scheduling, try to schedule around the individuals themselves, as they have other responsibilities to deal with as part of their daily routine. If anyone’s schedule must be accommodating, it must be the BCM/DR practitioner’s, not the department individual’s. Keep them in mind when scheduling and show respect, meaning don’t schedule them over lunch or late on a Friday afternoon; it’ll only create a bit of animosity – unless you’re paying for lunch. Don’t forget, people have vacations so try not to ‘jump’ on them just before they leave or on the first day they get back.

10. Know the Executive/Board Schedule – When you’re reporting the status of your program build, you’ll be required to present the updates to executives (or a likeminded committee) and you need to know what their timeframes are. Do they meet every 2 weeks on a Wednesday? When does your status report need to be submitted to get on the agenda? Know these types of dates in advance.

11. Know ‘Busy’ Timeframes – This should be a no-brainer; don’t schedule around the busy timeframes when individuals are not going to be available to attend meetings or provide information. For example, if there are numerous activities that occur at month end, don’t schedule people during that time. Use it to catch up on your own materials and update status reports etc.

12. Revisit Timelines – During each phase, review the schedule for the next phase to ensure you are on track and make adjustments where you need to. Keep your timelines realistic based on what’s happening and forecast what you think the next phase(s) will consist of. For example, you may have determined that 2 months would be enough to spend developing technology restoration and recovery strategies but based on the BIA findings, you may need to extend that by another month because you need to contact a 3rd party vendor.

© StoneRoad 2013





19th Edition of the TIEMS Newsletter – Now Available

30 11 2013

Hello dear readers. The latest edition of the International Emergency Managers Society (TIEMS) newsletter is now available online. Take a look through for some interesting information and some great events coming up in the next few months. You might even find a pic – albeit an old one – of a familiar face we have here at StoneRoad.

http://tiems.info/

Enjoy,
The StoneRoad Team





8 Considerations for Online BCM/DR Solutions

24 11 2013

To many, it might seem easier just to go the online application route to perform a Business Impact Analysis (BIA) or build Business Continuity Plans (BCP), Crisis Management & Communication protocols and even Disaster Team roles and responsibilities. However, it’s not always that easy. An online solution may not be the best bet to start with, as there are considerations organizations need to think of before going down the ‘online’ route.

1. Financial Considerations:
a. Product Cost – This is one of the main considerations for all purchases. If it’s too expensive – regardless of what it does and/or doesn’t do – many won’t consider it. So, the price is something that pops to the top of every list no matter what the requirements are. Once cost is balanced against other requirements, then the real decision gets made: want and need weighed against the cost, to get what suits the organization.
b. Administrator Training: Often, the purchase of a solution means that someone – either an individual or a group of individuals – needs to be trained on how to administer and configure the new application.
c. User Training: In the past there have been instances where individuals must travel to the vendor’s location to receive training on their product – this may still occur for some products. If this is the case, then your organization must take into account the additional travel and accommodation costs attributed to the number – and length – of training courses that have to be taken before anyone can begin to use the product. In some instances, this might add weeks to your planned implementation schedule because the course offerings (training) may be dependent upon the vendor’s availability and if current courses have any available spaces.

2. Set-Up & Configuration: This requires your internal IT team to get involved. They need to ensure they have a server available or space on an existing server to house the new application. In many instances, they will have more questions than you’re able to answer, and then chatting back and forth with the vendor for configuration requirements may take some time, especially if you encounter any issues.

3. Internal Technology Involvement: OK, so you bought the new online application – now what? Who internally is going to support it and do they need training on its workings and what’s required to support you and the internal users?

4. Support & On-going Maintenance: Make sure that if you have any questions, someone is easily available to contact for assistance. If your vendor is in another time zone, their support hours may not cover the time you’re in the office and thus, you only have a small window each day to speak with someone. Find out what level of support is offered. In some instances most of the technical support ends up coming from your own internal IT personnel, which usually frustrates them, as they’re supporting a system/application that isn’t theirs to start with.

5. Questionnaire Build: Most applications, such as those intended for Business Impact Analysis (BIA), come with some pre-existing questions, which you can leverage. However, in many cases the questions are generic and may not represent the full range of information you require. If that’s the case, then you need to ensure you have time available to plan out your questions and then insert them into the application. Depending upon the application functions, you may have to build in links between various questions. For example, if a question is answered with a ‘no’ then it skips the following questions that may appear if the answer to a question was ‘yes’. Good questions will help give you the information you need so be sure to spend time on the questions to ensure they meet the needs of your organization.

6. Reporting: One of the advantages of online applications is that they are able to provide all sorts of reports and report formats. However, since each organization is different and the reporting isn’t standard from one organization to another – let alone reporting related to BCM/DR – an organization may have to design its own reports and build the criteria around them so that it gets the information it wants to make decisions based on the input from users. Designing reports may come at a later date once the user (BCM resource) is more comfortable with the application and when there is actual data to work from, rather than building the report before actual responses and input have been received.

7. Time: Time is money, as they say; do you have the time to get everything noted above coordinated before moving on to build your BCM/DR program? If the direction from senior management to build a program comes with deadlines (i.e. a BIA completed in 2 months with findings and recommendations) do you have the time to begin looking for an online solution, purchase it, design it to your specifications, train users (including yourself), get users to complete the questionnaires (or whatever is being sought), capture the findings and present them to executives? Quite possibly not. The online solution may become a more long term aspect to enhance the program, rather than the component that kicks it off.

8. Growth: If your organization has grown by leaps and bounds it will become impossible to manage all the various program components. Change would be happening so quickly (let’s hope) that a manual process would take too long and be too labour intensive to ensure plans are kept current, incorporating the change in so many locations (assuming new facilities are being utilized), new nationalities and requirements, new departments (spread over multiple locations) and new processes and client/vendor/partner needs. And this doesn’t begin to include the new challenges for the Technology Recovery Plan (TRP).

In the end, an online solution will eventually expedite information and keep it manageable; it just can take a lot of effort to get there. Sometimes the old manual method of acquiring BIA information is quicker and easier. Yet while that is being done, an online solution can be investigated and slowly built in the background, being populated with the information obtained from the initial BIA – when you’ve actually moved on from the BIA and are working on developing contingency strategies and solutions. The manual process for BCM/DR can only last so long before it becomes harder to maintain. As the organization grows and hierarchical structures begin to ebb and flow to meet new challenges, the online version can respond much quicker than updating multiple documents.

In no way is this intended to deter organizations from using online BCM/DR applications; in fact in the long run they can offer more good than negative. But, starting out fresh with them can cause delays and hindrances you may not have time to tolerate.

© Stone Road Inc. (StoneRoad) A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL







