Business Continuity Management (BCM) / Disaster Recovery (DR) Document Templates Available for Small and Medium Businesses!!

3 07 2014

Not every business can spend thousands and thousands of dollars on expensive software packages to get their BCM / DR programs off the ground – or has the time to get software configured and ready for use.

Having experienced these challenges first hand, StoneRoad developed a cheaper alternative: we developed document templates for Business Impact Analysis (BIA), Business Continuity Plans (BCP) and more.

Visit the StoneRoad site and go to the Shop section to view the various templates available and get your program moving with a low cost alternative to expensive software! Each template provides instructions on what information is needed so that you can build your program with less fuss – and with more results!

Here’s just a sample of our document offerings:

1) Test Scope Charter Document (Word Document)
2) Business Impact Analysis (BIA) (Excel Worksheets)
3) Operating Unit Business Continuity Plan (BCP) Template (Word Document)
4) Emergency Employee Logistics & Pandemic Plan (Word Document)
5) Test Executive Summary (Word Document)

…and more. We’re adding new templates all the time to help you. We even have BCM & DR books and ebooks available.

So download what you need and get started!

Happy planning!

Regards,
The StoneRoad Team

“Reduce Suffering Through Disaster Planning”

© 2014, Stone Road Inc.





BCM & DR Books to Help Build Your Program by A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL

3 07 2014

The message about disasters, disaster planning and business continuity is slowly spreading throughout the globe, as we see more and more organizations beginning to realize the value of preparedness and response activities to protect their operations and instil confidence in those they do business with.

Here at StoneRoad, we’ve seen a spike in people asking us questions and seeking advice on Business Continuity Management (BCM) / Disaster Recovery Programs – and we couldn’t be happier.

So we’d like to remind you that there are some great books by our founder, Alex Fullick, that can help provide great insight into how a good program operates – and how it shouldn’t. The books noted below are available on Amazon.com and at our own shop over at www.stone-road.com.

1) Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility

2) Business Impact Analysis (BIA): Building the Foundation for a Strong Business Continuity Program

3) Made Again – Volume 1: Practical Advice for Business Continuity Programs

4) Made Again – Volume 2: Practical Advice for Business Continuity Programs

Keep an eye out for the next book by A.Alex Fullick; “Testing Disaster and Business Continuity Plans” expected to launch in the fall of 2014.

Until then, happy planning!!

Regards,
The StoneRoad Team

© 2014, Stone Road Inc.





BCM / DR: eBooks Now Available by A. Alex Fullick (Stone Road Inc)

21 06 2014

We’ve been a bunch of busy beavers here at StoneRoad. We’re very happy to announce that two books by our founder A.Alex Fullick, ‘Heads in the Sand’ and ‘Business Impact Analysis’ are now exclusively available as ebooks at the StoneRoad shop.

Get your copies now using the links below:

Heads in the Sand
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=201&zenid=3d712e28f2680972874f7e4a8d473940

Business Impact Analysis
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=202&zenid=3d712e28f2680972874f7e4a8d473940

‘Like’ Join us on Facebook too at Stone Road Inc.

The StoneRoad Team.
(C) Stone Road Inc, 2014





Crisis Communications: 11 Ways to Recognize that it May Not Be Working

25 05 2014

All BCM program components must be validated prior to any disaster ever occurring; the more validation performed, meaning the more tests with varying situations and scenarios are performed, the better the overall Crisis Management plan and strategy will achieve. The problem is that all too often an organization will draft a crisis management strategy (contained within the crisis management plan) and believe that it will work as documented. This isn’t always the case and in too many instances, it can prove to be detrimental to an organization when it’s experiencing a major business interruption – regardless of the trigger.
There are many indicators to show an organization that what it’s doing isn’t working and that the strategy they are currently working with needs an immediate change.
Disasters and crises can present many challenges for organization and an organization should no compound their own problems by not being alert to early signals that they might be heading down the wrong road.
Below are just a few of those early warning signs that can help an organization amend its crisis communication strategy (the plan) to ensure it doesn’t end up losing control of the overall situation.

1. Negative Social Media Traffic: You’re communicating all sorts of information but no matter what you do messages being posted on the various social media sites are negative towards you and your efforts. The cause could be that the messages you’re sending out aren’t addressing the concerns of those impacted or those that require information. Instead the messages are ‘self-serving’ and thus causing friction with the public, which results in negative comments being posted. Negative traffic can also be caused by the organization itself; it’s not all external. If an organization has schedule postings or updates about the latest product or service, it doesn’t hold well when these keep coming out during a disaster.

2. The Speaker is confused: Nothing is worse than having the ‘face’ face of the organization (that is experiencing the disaster) seem confused and not knowledgeable of what is going on; what the overall disaster situation is or what the organizations plans are in responding to the disaster. Any speaker should know what is occurring and be able to speak to the situation at hand and what the organization is doing; if they can’t, they will make the organization seem unprepared to respond and being in total confusion.

3. Rumours Abound: If you are addressing the situation and providing accurate information but rumours are still being spread, then the organization isn’t addressing the concerns of those needing information. Like #1, people will begin to determine their own conclusions based on little bits of information they come across and then post those conclusions to social media sites or through emails to others. When this occurs, ensure you address the rumours so that they can be dispelled immediately; not addressing rumours will mean they continue, which will harm your crisis management efforts even if you are doing the best you can.

4. Staff Rebellion: When staff begins to moan and groan, it probably means they’re not receiving information they require. Often, organizations focus so much on ensuring that others receiving information and they assume that employees know what they need to do or know where they need to go to get it; this isn’t always the case. You must include employee communications – and continued updates – in your crisis management strategy.

5. Media Questions & Responses: If the media are asking the same question over and over, or leading you back to the same question it means that a key point hasn’t been addressed. It may be something you don’t want to address or don’t know completely, and if so, you better be aware that the media won’t let go of the topic until they feel that it’s been addressed. If you don’t know, then state you don’t know and will update them when it’s possible to do so but ignoring it or simply ‘skirting’ around the topic will only cause them to continue to press for information, which in the end will look like you’re hiding something. And when that occurs, some organizations become antagonistic and begin to debate – to put it politely – with social media posters and traditional media representatives. Don’t get into a debate with them about what has or hasn’t occurred; you’re just being sidetracked by fictitious situations and scenarios being presented by people who have not received the basic information the organization needs to communicate.

6. Clear Lack of Awareness & Training: Nothing says a person don’t know what they’re talking about when they are full of “um’s” and “uh’s”. It shows that there is clearly no proper training in speaking in front of people or that a basic understanding of what the organization will do is severely lacking. It’s as though the person standing in front of the camera’s making it up as they are going or that their responses on social media sites are just basic run-of-the-mill responses; the kind you can relate to sports figures that rattle off basic one-liners after a game (i.e. it was a tough game, I thought the team did well, we played hard…etc). If anyone sounds like that, they know there is no real awareness or training on what needs to be done because during a disaster people are looking for specifics, not boiler plate responses. When there is a lack of training and overall response awareness by company spokespeople, messages can be contradictory because they are speaking ‘off the cuff’ or making it up based on what they ‘think’ is occurring behind the scenes rather than what is occurring. This is why training and awareness must be tailored for all areas of an organization; from the most senior position to the newest employee. Each must have a reasonable understanding of expectations and what role – if any – they will plan. Awareness isn’t just about the response activities but also awareness of what actually happened. People will send messages on social media based on what they know and if you’re organization isn’t aware of what happened, you won’t be perceived as really understanding the situation.

7. Lawyer Speak: There is a time and place for lawyers and lawyer speak but it’s not at the outset of a disaster when people need to know what has happened, what they need to do and if they are going to be impacted by the situation (if they haven’t been already). Lawyers don’t want leaders of organizations to take responsibility for the disaster but they have to take responsibility because they need to respond to it. Taking responsibility does NOT equate to accepting blame, which is what many legal representatives tell leaders. The time for legal speak comes when the dust has begun to settle and a clearer view of the situation comes to light; not at the outset when the main concern is people safety and getting operations back to an operating level. When legal representatives do all the talking for an organization, it sends the wrong message to the public, which are expecting the leader(s) of the organization to do all the talking and direction; to be the human face of the organization. Leaders are leaders during good times and must also be leaders during bad times, or else it shows that the organization has no plan in place and lacks clear leadership, which may not be the case…but will be the perception. It’s commonly joked by many individuals – the public in general – that lawyers and politicians can speak for ages but never say anything, so don’t let lawyers do the talking for you, even though they will play a key role in the crisis at later stages.

8. Communication & Decision Delays: If the chain of command is too long and the delay in obtaining decisions takes allot of time; then you can imagine the silence that would be coming from the organization when the demand for information by the media and public is increasing. If the decision process is taking too long then there is too much discussion occurring in the “Crisis Management” team and not enough action. This could be that the restoration/recovery/resumption/continuity plans are not sufficient enough to deal with the situation or possibly that required plans don’t exist. If they don’t, then that would cause the delay for decisions and in communications. Too much time at the boardroom table trying to figure out an action plan means no one is communicating outward to those needing information and that absence shows the media (and public) that there is no action plan in place. This is what causes rumour and conjecture to take hold and then cause a PR disaster for the organization. Not only are you fighting the disaster itself, you’re fighting public perception.

9. Leadership Visibility: During the Lac Megantic rail disaster in Quebec, Canada (July 6, 2013), the President of the rail line (Montreal, Maine and Atlantic Railway) waited days before appearing in the devastated town, believing that his presence was best spent at his corporate headquarters coordinating efforts. He wasn’t visible to those impacted or anyone else requiring information; the railway was ‘faceless’ and only press releases and comments released through the media were seen by people, which gave the message that the railway was hiding and wasn’t addressing the situation at hand; a situation that literally levelled the centre of the small town. This was not seen as acceptable especially when there are examples of leaders being on scene and taking control of bad situations such as the then New York mayor, Rudy Giuliani, who was coordinating efforts almost immediately after the 9/11 attacks.

10. Focusing on Blame: Continuing from #7, everyone will want to know the cause of the disaster and who’s at fault…but not immediately. Despite perceptions, an organizations first priority to ensure people safety; finding the blame can come later once the first priority has been taken care of. Unfortunately, some organizations would rather try to deflect criticism first and find the blame rather than addressing the key point of life safety. Even if 1st responders are available and internally employees were there to help any injured parties, if the communication coming out of the organization is about blame then the fact that the organization did help those impacted first, will get lost. There is a time for blame – and that’s when the time for investigating the cause has begun, not when the disaster first begins. Organizational resources will be focuses on people and then obtaining some level of operational capability and when that occurs, and then the cause can be looked at. Of course, if a major hurricane occurs then the cause of the disaster should be obvious but then the questions about why you weren’t prepared will surface.

11. Appear to be Uncaring: You can communicate all you wish and if you’re perceived to be uncaring then no amount of communications is going to change that. In a majority of situations, an organization tries to make itself the victim but in all cases, it’s the people impacted (or hurt) by the disaster that is the victim – not the organization. An organization is rarely seen as the victim, though the people within it can be perceived as victims. A crisis management plan addresses the situation at hand but must also address and focus on the impact the disaster on people; the real victims of the situation. If an organization doesn’t seem to come across as caring in its communications then it can be seen as a pariah within the community, rather than a member of the community and no amount of back-tracking is going to change that perception any time soon. Your crisis management plan – regardless of how extensive and comprehensive it is – won’t ever be perceived as successful because the external view of the organization is negative.

If any of the above noted aspects occur, you’re on your way to more problems as each item is an indication that your current crisis management strategy isn’t working and you need to ‘change gears’ quickly to get things back on track. Remember, this isn’t the restoration, recovery or resumption activities, this is how the organization manages the crisis (disaster) and if that isn’t working well, it makes no difference how successful your restoration and recovery activities are, people will still see your organization in a negative light.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





When is a Disaster Considered a Disaster?

22 02 2014

It’s kind of like the old question; ‘If a tree falls in the forest and no one is there to hear it, does it make a sound?’ A disaster isn’t a disaster if there’s no measureable impact. No impact to people’s perception of the situation. No impact to people’s lives. If there is a large fire but there is no people or property (facilities, IT equipment etc.) or processes involved – either by fighting the fire or being impacted by the fire – is it still a disaster? There are no fire fighters and no burning buildings, which have no people being impacted so is it still a fire worth tracking and determining the impact and disaster level? No, because there is no measureable impact.
There will be arguments that state yes, it is a disaster because of the damage it can still cause (i.e. the environment) but if no one is involved how do you know it’s a disaster? There’s nothing that tells you it’s a disaster; nothing to point towards to say ‘this’ is the reason for the fire being a disaster because when the large fire is discovered it’s impact isn’t known…yet
A disaster must have some level of measurable impact. Something that can be ‘seen’ and ‘felt’ by people before it can be classified as a real disaster – and it has to impact people, otherwise it may just be an incident or an event of note. A fire in the middle of nowhere can still be a disaster, but if no one is there to see it, fight it or be impacted by it, it’s not classified as a real disaster because there’s nothing to measure as an impact.
For a disaster to be a disaster – in the eyes of people, media and the public in general – there has to be an impact to;
• People;
• Communities & Community Infrastructure;
• Service interruptions;
• Resources;
• Facilities;
• Technology (including those that impact services and processes);
• Suppliers;
• Vendors;
• Partners;
• Finances;
• Responders…and more.

If there is no measurable impact to any of the above, it’s not a disaster or a situation worth reporting on, it may just be an incident or Business As Usual (BAU) occurrence for which response mechanisms have already been developed to address. A means of addressing the situation before it escalates out of immediate control to become a disaster. Or even, the means to respond to the non-event when the non-event escalates and does begin to have an impact. Staying with the fire example, a forest fire may be a bad situation but not a disaster until it continues out of control and begins to threaten communities. Then what started as a non-event or non-disaster suddenly becomes a disaster.
The argument can be made that anything that impacts another is a disaster. A forest fire is a disaster because it destroys property, animal life and the natural resources it envelopes. But again, if there is no one to fight the fire – or even plan to fight the fire and maybe even to see the fire – is there a real disaster when no one is involved? If people are not involved with the situation by either resolving or addressing it or being impacted by it, it’s not a disaster. It’s just a situation that may or may not be in the headlines and will quickly be forgotten.

© StoneRoad 2014
A.Alex Fullick has over 17yrs experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





19th Edition of the TIEMS Newsletter – Now Available

30 11 2013

Hello dear readers. The latest edition of the International Emergency Managers Society (TIEMS) is not available on line. Take a look through for some interesting information and some great events coming up in the next few months. You might even find a pic – albeit an old one – of a familiar face we have here at StoneRoad.

http://tiems.info/

Enjoy,
The StoneRoad Team





12 Reasons Why Organizations Will ‘Forget’ What to Do in a Disaster

16 09 2013

Many organizations can build comprehensive BCM program and plans; detailing every action and activity needed to ensure the continued operation of an organization when a disaster strikes. However, even the most comprehensive program and plan can still suffer greatly when they are needed the most because many organizations’ DR team and team members forget what it is they are supposed to do.
There are many reasons for that. Sudden changes in environment can throw people for a loop, as the situation throws chaos into their normal day and it’s easy for people to forget what to do when they are required to do it. Sometimes the reason for plan activities or action items being forgotten occur even before the disaster situation makes itself known.
Below are some of the reasons why people – and organizations – forget their activities before and during a disaster.

1. No Executive Support: It’s easy to forget some initiative within an organization when even the executive leadership don’t support it. After all, if they don’t care for something, why should anyone else? It’s that simple, without executive support people will quickly forget that there is BCM or DR program in place for when a disaster occurs. Even executives will wonder where it is and believe it or not, even without their support having played a part in its development (if at all) will wonder why no one knows what’s going on and why people aren’t performing tasks.

2. No Leadership: Continuing on from #1, people want leadership during a disaster; they believe that those responsible for the organization in good times, is also responsible for the organization during bad times and will provide guidance and leadership on what needs to be done when a disaster occurs. If there is no one taking responsibility for the disaster, then people are left hanging – wondering what to do. This doesn’t mean the leader or coordinator of the response functions is responsible for the disaster, it means they are taking the responsibility to lead the organization resulting of the disaster. Even if employees and members of various DR teams are aware of their activities, they are still looking at the organizations leadership to provide direction and provide answers to any key questions that may come up as a result of specific situations discovered based on the disaster. If executives and/or senior management aren’t part of the decision making process and part of the BCM program, they won’t know what to do or what is expected of them. The executives themselves won’t be aware of the DR/BCM team makeup or what any of the program protocols are. They could end up trying to lead the organization through the disaster, blind.

3. No Plans: One of the biggest reasons people will stand around wondering what to do is that there isn’t a plan – even a bad one – in place for them to activate, reference and follow. In a nutshell, the organization has done nothing to promote any sort of disaster response or planning mechanisms and when disaster strikes, there is no know prioritization of what needs to be activated. All the responses are made up on the spot, which could pose even more problems for the organization. It’s like a jigsaw puzzle; you don’t start putting the pieces together until you know the picture (or at least most people don’t) and you can’t rebuild a corporation after a disaster when you don’t even know what pieces you need first to rebuild it. No plans in place can mean the end of the organization, as it will take too long to figure out what is priority between the business and technology and getting the two to agree to a restoration, recovery and resumption strategy. You can’t ‘wing’ it in a disaster…

4. No Delegation of Authority: It’s often quite comical when someone is required to perform BCM activities, as captured in a DR/BCP or crisis management plan but they aren’t give the authority to do so. This can mean they don’t have the delegation of authority to make decisions or provide guidance to others or they don’t have the IDs and/or passwords to perform functions. It’s like giving someone a car and telling them it is all paid for and its there for as long as they want it but not giving them the key. This is one thing that stops many organizations from performing activities; people don’t have the authority to do anything and thus, they are waiting for direction from others when in fact they are the ones who are supposed to be providing the direction. If someone doesn’t have the right authority to perform activities, they will be a roadblock to other activities and many groups may be standing and waiting around for guidance and information. And further on the point of IDs and passwords; often this information is created and placed in a secure location that people forget about. Rarely are they reviewed and updated and even remembered because they are placed in an online folder, which is no longer available because technology has failed. These IDs and passwords are for use only during a disaster so they rarely get reviewed. These should be part of an annual (at least) review to ensure the people remember where they are and what they are – and remember that these are probably powerful IDs and passwords and only a few key people should know about them to start with. If someone leaves the organization, make sure you change the passwords and remove their ID just in case. When you test, try activities using these profiles to ensure that they are current and validated; that required activities can be performed using these ‘generic’ IDs and passwords but are amended after the test so they are fresh and those using them – the users – can’t use them during normal business hours.

5. No Testing/Validation: If validation activities are not performed, then how can anyone know exactly what to do? Testing is a form of training and training will help people identify their roles and build BCM plans and processes. When testing, start off small and then build upon successes – and upon problems – so that the program becomes stronger and stronger. If no one participates in test then no one has the opportunity to practice their roles and areas of responsibility; they then need someone to remind them or provide guidance to them as to what to do. Also, if you only test once or rarely, people will forget what they need to do and where their materials are located.

6. Assumptions: A key reason many stand around not knowing what to do, or forgetting what they need to do, is related back to the assumptions made during the initial stages of building and implementing plans and processes. All too often non-technology departments (i.e. “the business”) will make assumptions about technology departments (i.e. “IT”) but without ever validating that the assumptions are correct; sometimes never even letting the other know that an assumption has even been made. From personal experience, there have been too many instances where one side of the other states that ‘IT/business knows x or y…’ or that ‘IT/business will do…’ and it almost never proves to be true. Both teams end up confused not knowing what to do because they are waiting on the other for information or they are assuming that something is occurring while they’re just waiting for some confirmation that an activity is done. In reality, everyone is standing around not knowing what to do or who to even talk to. If you’re using assumption in your initial planning, through exercises and tests, the amount of assumptions being used should dwindle over time as they either become actual roles within a plan/process or become proven to be false and are removed from a plan/process.

7. No Awareness & Training: It’s a simple one really; no one knows what to do in a disaster because no one has told them about it. They haven’t been part of the overall program build or design (not that everyone needs to be part of every phase) and haven’t been told they are responsible for specific activities. Often, DR team members don’t even know they are part of that team until someone asks what they are going to do in a meeting full of other managers – some not sure why they are their in the first place. This also means that they haven’t bee involved with any testing activities to help validate plans, which is one of the best opportunities for training; executing activities under controlled circumstances to actually learn what needs to be completed and understand expectations.

8. Plans and Processes are Written in Isolation: Sometimes its not even a case of forgetting what needs to be done, as outlined in a BCP/DR plan – it’s never being told of what is in the plan and not being part of its build. All to often plans are build in isolation meaning someone not within the department is writing its contents based on what they know and what they hear at meeting yet if the actual user isn’t part of that development or the person responsible for actioning activities isn’t part of the plans development, they aren’t going to know what activities they are responsible for. Ensure that all plans are written with the person or persons responsible for the plan itself; the person who’ll actually be responsible to action the activities within the plan.

9. No Review of Plans (by Users): One of the best ways to ensure that a BCP/DR plans everything it needs and that the content is clear and understood, is to ensure that its reviewed by the actual user. When they review existing plans, as noted in #8 above, they can recommend enhancements, additions or even deletions based on real knowledge of what needs to be done. If a plan was written in isolation and not review was performed by an actual user, it’s no wonder people don’t know what actions to take or even where their plans is – if they even know there is a plan in the first place. If no review of the plan is performed then the users themselves don’t become familiar with content and what is expected of them. Instead of initiating proactive measures they wait for someone to tell them what is expected and in many cases, those individuals are assuming that ‘plan’ users know what needs to be done.

10. Focus on Blame: When an organization has a disaster, often you see the Public Relations (PR) representative or the President stand in front of a microphone being questioned by members of the media – or even the public sometimes – and they spend allot of time pointing the finger of blame or trying to deflect any criticism or questioning on what the organization is doing. When employees see this, they will spend their time trying to find the cause of the problem or the ‘right one to blame’ rather than concentrating on a proper response, restoration and recovery strategy. All hands are on deck to find out what is wrong and who should be help responsible but if leadership is busy with that approach then employees will be too, as they won’t be focusing on the right tasks at hand. It ends up being a crutch that organizations leverage so that they can start their restoration and recovery activities in the background, away from the face of the media. Usually, this means they didn’t have any strategy in place to begin with and the excuse that someone else is to blame is used as a smokescreen to cover the fact that behind the scenes, no one knows what to do within the organization.

11. Checklist Approach: If BCM is checkbox on someone’s report, the chances are it’s a checkbox on an executive report. They eventually see the checkbox ticked and then there is no more discussion or promotion of the BCM initiatives. This also means that the only reason the program was stated in the first place was to ensure someone’s checkbox was ticked and that it drops off of any report or audit ticket. Chances are good that the work and value of the work performed to plan, develop and execute plans was minimal at best and won’t be of much use during a real situation. Thus, no one will pay close attention to the BCM program and the related plans because it’s treated as a one-time thing – forgotten when the checkbox is identified as complete.

12. Seeking Direction: Like many people, when something occurs everyone looks around for direction; who will take control of the situation and tell us what to do? Staff will look to management while management is looking at executives; each expecting the other to provide direction on what they should – or shouldn’t – be doing. Think of when a fire alarm goes off in a facility – even a fire drill – most people keep working or start asking if it’s a real situation or not. Should be get up? Should we leave? Many wait to be told to leave before they bother responding to the alarms. If people can’t understand that they need to leave when the fire alarms go off its no wonder they don’t understand their role when a disaster strikes. Everyone is seeking direction from someone else.

Finally, panic is something that can run rampant during a disaster. When that happens, any thought of gaining control of the situation can go out the window and there’s no way anyone is going to pay attention to their role on a disaster team when that happens. This is why many of the items noted above need to be addressed prior to any situation occurring. When people are more aware of what to do and have been through it a few times – each more challenging than the last – they are better prepared to deal with the situation when it’s real – not faked under controlled circumstances, as it is usually done during a test. There will still be an element of panic – it’s almost a given – but putting measures in place to deal with it ahead of time can help reduce its impact and increase the chances considerably that no one will be standing around wondering what to do; they won’t forget.

© StoneRoad (Stone Road Inc) 2013

Books by A. Alex Fullick Available at the following:
http://www.stone-road.com, http://www.amazon.com & http://www.volumesdirect.com





8 TIPS for COMMUNICATING DURING A CRISIS

16 08 2013

To most people a crisis is bad and for the most part, they’d probably be right. However, an organization can do good things when they are hit with a crisis; some may even say there is an opportunity. The situation itself might be bad enough but it it’s not being managed correctly or communications aren’t approached in a positive way, the crisis can be compounded because the media and the public will think there are more things being hidden by the organization.
If it seems that an organization isn’t prepared – through its communications and response actions – the media and public may start to go ‘hunting’ for more information and uncover other details of the organization that the organization may not want released. Not that they are bad examples on their own but compounded with the existing crisis they will seem larger and could create another crisis or even escalate the existing one. The organization will then be fighting more than one crisis on its hands.
Below are some tips for how to communicate during a crisis; some do’s and don’ts and tips for ensuring good communications when speaking to the media and the general public.

1. Lawyers Aren’t the Face of the Organization – This is one of the biggest mistakes organizations make when communicating with the media and public; they let their lawyers do the talking. Lawyers are good at what they do don’t get me wrong, they just aren’t the ‘face’ of the organization. Often they will speak in terms that the public either don’t understand or don’t want to hear. The public wants to hear what the situation is and what the organization is going to do about the crisis, not the legalities it’s taking to find blame (which is what the lawyers will be trying to do to wither minimize or remove the burden off the shoulders of the organization).

2. Apologize and Show You Care – Be sincere and offer apologies. Don’t say you’re sorry and continue with a ‘but’ statement, as it just nullifies the apology and the public and media will know you really aren’t showing care of the parties involved or impacted by the crisis. It shows you’re trying to defend the organization rather than helping those impacted – or possibly injured – as a result of the situation. Apologizing with sincerity can soften the anger towards the organization and actually help bring people towards the organization by offering assistance. Apologizing also shows that the main concern of the organization is people, not money or shareholders, but people impacted by the situation.

3. Leadership – You’ve got to have the leaders in front of the camera. Public Relations or Human Resource Managers can be in front of the camera only so long before people begin to question the leadership qualities of those in charge if they aren’t being seen by the public. Organizational leaders must be seen during a crisis, not just when good things occur.

4. Responsibility – Many may not agree but take responsibility for what happened. To deny or lay blame immediately isn’t appreciated. Even if you know the situation was not caused by your organization, it’s your organization in the headlines and people are watching. So take responsibility and take control of the situation; you can always find the blame later and take necessary actions.

5. Don’t Delay – Too often many organizations take too long to put a response together. If there’s a delay in response it could send the message that you’re trying to hide something or that you’re hoping the situation will just go away, which it won’t. Even a quick press conference to state what you know – even if it’s very little – still shows that you’re on top of events and managing the situation, not letting the situation manage you.

6. Ask for Help – There’s nothing wrong with asking for help. It may not mean asking for help to restore systems and processes but it may be to ask help from the media to communicate key phone numbers or websites that employees or customers or the public can access to get more information or provide information on what they might know about the disaster. The media is always willing to help and to a large degree, when an organization requests assistance with such initiatives, it helps show the public you have nothing to hide because you’re inviting others to participate and offer assistance.

7. Communicate Even When It’s Over – A crisis isn’t over after a day or two in the headlines; it’s over when you’ve learned something and resolved the matter so that it doesn’t occur again (if the situation allows for that). If you’ve had an internal problem that caused the crisis, communicating days or weeks later that the situation has been resolved, shows that you learned something from the crisis and saw it through to the end by resolving it and letting other know of that resolution.

8. Leaders Need Training – Everyone needs training to improve their skills and move forward, this includes corporate / organizational leaders. No one knows when a crisis will occur – and it will – so leaders need to have training on how to communicate in crisis. There are many crisis management & communication courses offered so leaders should prepare themselves. They expect the rest of the organization to be prepared and do their part when a crisis or disaster occurs, so leaders need to ensure they are prepared.

© Stone Road Inc. 2013





Crisis Management: When Does a Crisis Start?

12 07 2013

Many of us don’t hear about a crisis until it hits the newswires, either through social media, news websites or through a posting on a social site we might follow. In some cases, we might not know about a crisis until we see 1st responders racing down the road heading towards and emergency.
Some will automatically see a disaster as a large catastrophe and one of the BCM/DR industry definitions of a disaster is that it’s a sudden, unplanned event that prevents the organization from performing normal operations. Though both a crisis and/or disaster can start well before the public or media even get wind of the problem.
Sometimes a disaster doesn’t begin until after a period of time when a lesser level of operational hindrance has been experienced. Then when the disaster itself occur, the management of the situation will determine the level of crisis; meaning how well the crisis is handled from the perspective of the public, media, stakeholders (vendors, partners etc) and employees.
For an operational impact, it could be that a key application is offline but is that a disaster? Probably not. If the offline application has a major impact upon people causing major distress and problems such as something in health care or the financial industry, then yes, that application being offline – even for a short time – is a disaster. How the immediate response and post-disaster activities are managed is what will create the crisis for the company. If you get something up and running within a very short time (and in today’s world that’s usually no more than an hour) then it might not be a disaster and a quick response and communication to the community will suffice. If it’s longer, then the management level and involvement of the situation and the level of impact it has becomes a disaster.
Still, if an organization has an internal Crisis Management process in place, early identification and response measures may prevent the incident from escalating and becoming a crisis – or a disaster if nothing is done about it – in the media or public eye. It was just an incident that didn’t have any major impact. Oddly enough, it could have been a major interruption but the impact on Service Level Agreements (SLA), employees, customers, vendors and partners was limited in size and scope; it was just a major incident for the company involved because of the resources (financial, time, personnel) it took to get resolved.
So, when does a crisis start?
It starts the moment the organization believes that someone – anyone – will begin to ask questions. It could be a client, employee (who will access social media about it if they haven’t been educated about not communicating corporate activities), vendor, partner or in some cases a financial institution or legislative body. An organization may be able to manage the situation internally with little impacts being had on external – and internal parties – but as soon as questions are asked about the disruption, you have the start of a crisis. It’s how well you manage those initial questions – along with the incident response itself (I.e. getting the critical application up and running as soon as possible) – that will determine how big the crisis escalates. If you don’t manage it properly the crisis will grow and escalate, making it a ‘Public Relations’ disaster.
The start of a crisis is different for every organization. It all depends on the level of preparation, preparedness and response is developed and instilled within the corporate operations. If an organization doesn’t have anything developed or the level of development is sub-par and very ‘flimsy’, the crisis starts quickly and escalates quickly – reaching that “PR” disaster timeframe in record time.

**NOW AVAILABLE**
Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3.
Available at http://www.stone-road.com, http://www.amazon.com, http://www.volumesdirect.com





12 Tips, Trips & Traps: The Business Impact Analysis (BIA)

1 07 2013

Hello dear readers!! We’ve been a bit quiet lately over here at StoneRoad due to multiple vacations (Singapore, Australia, New Zealand and more) and now that we’re all back, it’s time to start posting once more. Enjoy…
The StoneRoad Team
**************************************

**The below section is an abbreviated bonus taken from the Appendix of the book, “Business Impact Analysis (BA): Building the Foundations for a Strong Business Continuity Program” by A.Alex Fullick. The full text can be found in the aforementioned book.**

Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA. The following are some common mistakes that need to be addressed to ensure that the BIA is effective:

1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program.

2. No Timely Follow Up of Results – A BIA is conducted almost always in support of an enterprise-wide business continuity program. The real value of a BIA is the follow-up activities that lead to effective recovery strategies being implemented based on the BIA priorities of the business processes. Occasionally, so much effort and cost is put into the BIA that business continuity planners never get around to fully implementing the follow-up recovery strategies and plans. Without the implementation of these follow-ups, the value of the BIA becomes wasted.

3. No Agreement on Scope (Level of Detail) – This level of detail can span an entire spectrum. On one end, some BIAs will contain relatively little detail to provide a higher-level executive view of the analysis. On the other end, and far more prevalent, are BIAs that include for each business process its corresponding input dependencies, output dependencies, recovery point objectives, recovery time objectives, and financial impacts. The common mistake here does not involve selecting the right or wrong level of detail – what’s appropriate for one company may be totally inappropriate for another – but rather, failing to reach agreement among all relevant parties as to what level of detail best meets the requirements that are driving the BIA in the first place.

4. Minimal Executive Support – One of the factors that most influences the relative success of a BIA is the degree of executive support offered at the outset. The kickoff process usually consists of two parts: a widely distributed email and an initial presentation. The email should come from the highest level executive sponsoring the BIA and should be distributed to all parties who will be participating in the effort. The email should emphatically voice the executive’s support for the project and insist on the support of al participants, particularly during the interview process.

5. Poor Questionnaires – An important step of any BIA is the collection of data from business units. The manner in which this data is asked for often spells the difference between a full, timely and meaningful collection of data, and one that is delayed and incomplete. One of the best ways to avoid this situation is to develop survey forms that are thorough enough to capture all relevant information and simple enough for business users to complete quickly and easily.

6. Lack of Preparation for Interviews/Workshops – Interviews are the cornerstone of a successful BIA, yet few planners prepare adequately for them to ensure their effectiveness. Interviewers need to learn as much as they can about a given business unit prior to the meeting, including a thorough review of the respondent’s survey.

7. Lack of Critical Focus – Analysts frequently make the mistake of asking business users ‘what are the most important business processes within their department?’ The reason this is a mistake is because virtually all critical business processes have a large degree of importance and value – otherwise they would not be designated as critical – resulting in less likelihood of it being easy to prioritize processes according to value or importance. A much better question to ask is ‘how long can a business process be idle before major impact is felt?

8. Focusing on the Tools Instead of the Process – Some analysts who conduct BIAs become very focused on the tools they will be using in the collection, compiling and analyzing the data provided by the business users. The emphasis often shifts inappropriately from the process being used, to the automation that can be applied to the process. There is an inherent flaw in this approach. If a poorly designed manual process that is being used to collect and analyze the data suddenly becomes automated, what you typically end up with is a poorly designed automated process.

9. Ineffective Interviewing Technique – I have known more than a few BIA analysts who preferred to rely solely on surveys, questionnaires and emails to collect needed data. The example previously cited concerning the over-focus on tools shows how this can less than desirable results. Analysts often say that setting up interviews can be more hassle than it’s worth. They will mention how interviews often start late, or may be cut short, or have to be re-scheduled, or cancelled altogether. In my experience, the real reason some BIA analysts try to steer clear of face-to-face meetings is that they tend to use ineffective techniques when interviewing business process owners.

10. Insufficient Results Analysis – Analysts conducting a BIA collect a wealth of information during the course of their efforts. But the value of this information is sometimes diminished by poor or incomplete analysis of the data. Analysts need to look for trends, patterns, relationships and discrepancies among and within the data to ensure a thorough and meaningful analysis.

11. Unclear Presentations – Data that is thoroughly collected and well analyzed is sometimes de-valued by an unclear or confusing presentation of the information and results. Managers in general and sponsoring executives in particular, expect BIA analysts to summarize their results in high-level presentations that are succinct and effective. Unfortunately, this does not always happen. Analysts gather a huge amount of data in the process of conducting BIA. In compiling and analyzing this data, analyst sometime err on the side of presenting too much information rather than too little.

12. Undefined Scope – Often, the BCP focuses entirely on system restoration. Resumption of business needs to include the people and processes required to resume operations. Many BCP programs are headed up by IT departments. ‘Tunnel vision’ can often cause these departments to focus on system recovery and not take the people issues into account. During an event, the people issues are often the most difficult to resolve. The scope of a business impact analysis (BIA) pertains to the number of business units, such as Finance, Administration and IT, which will be participating in the effort.

Don’t let your BIA efforts fall to the wayside; make sure you have strong BIA approach and you’ll end up with a strong BCM / DR program.








Follow

Get every new post delivered to your Inbox.