BCM & DR: Can Organizations be Resilient?

6 07 2014

There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture.

It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014 (A.Alex Fullick)





BCM & DR Books to Help Build Your Program by A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL

3 07 2014

The message about disasters, disaster planning and business continuity is slowly spreading throughout the globe, as we see more and more organizations beginning to realize the value of preparedness and response activities to protect their operations and instil confidence in those they do business with.

Here at StoneRoad, we’ve seen a spike in people asking us questions and seeking advice on Business Continuity Management (BCM) / Disaster Recovery Programs – and we couldn’t be happier.

So we’d like to remind you that there are some great books by our founder, Alex Fullick, that can help provide great insight into how a good program operates – and how it shouldn’t. The books noted below are available on Amazon.com and at our own shop over at www.stone-road.com.

1) Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility

2) Business Impact Analysis (BIA): Building the Foundation for a Strong Business Continuity Program

3) Made Again – Volume 1: Practical Advice for Business Continuity Programs

4) Made Again – Volume 2: Practical Advice for Business Continuity Programs

Keep an eye out for the next book by A.Alex Fullick; “Testing Disaster and Business Continuity Plans” expected to launch in the fall of 2014.

Until then, happy planning!!

Regards,
The StoneRoad Team

© 2014, Stone Road Inc.





BCM / DR: eBooks Now Available by A. Alex Fullick (Stone Road Inc)

21 06 2014

We’ve been a bunch of busy beavers here at StoneRoad. We’re very happy to announce that two books by our founder A.Alex Fullick, ‘Heads in the Sand’ and ‘Business Impact Analysis’ are now exclusively available as ebooks at the StoneRoad shop.

Get your copies now using the links below:

Heads in the Sand
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=201&zenid=3d712e28f2680972874f7e4a8d473940

Business Impact Analysis
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=202&zenid=3d712e28f2680972874f7e4a8d473940

‘Like’ Join us on Facebook too at Stone Road Inc.

The StoneRoad Team.
(C) Stone Road Inc, 2014





BCM / DR: How Does an Organization Become Resilient?

21 06 2014

There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture of what will make an organization resilient.

It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014
A.Alex Fullick has over 18 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





10 Tips to Remember When You Don’t Have a Disaster Plan…and Disaster Strikes!

8 06 2014

(c) Stone Road Inc. 2014 (A.Alex Fullick)

When disaster strikes, keep calm and march on!! Sometimes it’s not always that easy and in a real situation you really do need to carry on; if you don’t, you’re done! Over! Caput! Even with the numerous disasters occurring in the world – some man-made some natural in nature – there are still many organizations that would rather take their chances with fate than invest in a Disaster Response / Emergency Response / Business Continuity Management program. When disaster does strike, these organizations are left empty handed. With no plans or processes in place to respond to the situation they must ‘wing it’ if they’re to continue staying in business – or attempt to stay in business.
So what should organizations consider and focus on if they are caught in a serious situation and they don’t have a BCM/DR program in place? What do they need to do to try to get some level of coordination in response, restoration, recovery and resumption efforts? Below are some tips for how leaders need to view the predicament they find themselves in; a disaster/crisis with no BCM/DR program or plan in place.

1. Don’t Throw in the Towel – Don’t give up! You’ve got to do something even if you don’t have a proven plan in place, so keep going and do what you feel is right. Under no circumstances should you give up, as you really don’t have an alternative unless you really want your organization to fail. As the saying goes, ‘Keep calm and carry on!’

2. Figure it Out Quickly – Don’t waste time debating and getting everyone’s input on what to do. Figure out what your main objectives are then take it from there. The longer you take the less likely you are to remain in business much longer. And even if you do get up and running, because you took so long to do anything, confidence in your organization will vanish.

3. Focus on People – Make people your priority. A little bit of care and compassion can go along way in public and media perceptions and if you make people priority #1, you’ll be forgiven a bit more for not having a plan or program in place.

4. Reconfigure – Time will be of the essence, so don’t bother trying to get things like-for-like; it won’t happen. You have no plan, which may also mean no alternate site, so get what you can and start rebuilding. It may mean patch-working systems and services together and getting people to do activities they don’t normally do but do it anyway to get your operations up and running. You’ve got a clean slate in front of you, so feel free to reconfigure what you need to make things work. A small beat-up car will get you to “location A” just as well as a luxury car, so if you need to reconfigure…do it.

5. Get Rid of Expectations and Assumptions – Don’t bother asking questions and wondering about assumptions; you need to action things immediately and start doing something. If you’ve had a disaster and have no plan in place, then there are no rules, guidelines, directives or assumptions to work around; no boundaries to hold you back. So everything is possible to you and you’ve got to start trying to get your organization back up and running with technology recovery, business continuity and crisis management so that you can begin to service your clients with the services and products you provide. With assumptions, you may be thinking that everything you need is easily available – including people. However, this might not be the case so throw your assumptions out the window because the only assumption that gets proven correct in a disaster is that all your assumptions are wrong.

6. Emotion Over Intellectual Response – If you want to stay in the good graces of people, then speak to them emotionally, not like an automaton full of intellectual platitudes. If you don’t have a plan in place, you’re biggest fight will be with through how you respond to the disaster as perceived by onlookers not how two IT servers are connected to the internet. Speak with an emotional approach and you may find that people will approach you offering help, assistance and with compassionate sympathy.

7. Don’t Blame – Don’t play the blame game right away. You’re in a disaster and the public, employees, partners and the media what to see you dong something and managing the situation; blaming others is seen as a smoke screen in an effort to deflect questions and criticism. But the opposite occurs so don’t bother playing a game you can’t win. When the dust has settled and you’ve performed investigations into the cause, then you might be in a position to start blaming but it shouldn’t be your priority.

8. Request Help – It’s not time to be proud. If you need assistance to get resources then ask for it. Don’t be shy, as trying to hide the fact you need assistance can cause even more problems. Many organizations are willing to help competitors and partners when they have a disaster but many are too afraid to ask for help because asking for assistance is seen as a weakness when in fact, not asking for assistance is a sign of proud arrogance. If you need help, ask and don’t shy away from stating the issues you have, as it a response or helping hand may appear to help resolve some of the problems you’re facing.

9. People Are Resilient – People do not wantonly wish to fail; they want to succeed and responding to a disaster by their employer is going to make them want to work hard and overcome the situation. Their livelihood is at stake and they aren’t about to let that disappear without fighting for it. Many want to be part of restoration and recovery efforts, as it takes them away from the trauma of what has occurred and helps them focus on areas with which they have more control and knowledge – rebuilding servers, loading applications, testing etc. Your organization isn’t the first to experience and disaster and won’t be the last and in the majority of cases, people overcame adversity by sheer hard work and will power – and never giving up. Let the employees do what they know needs doing instead of trying to make it up on the spot, they are aware of what they need to do, as they do it each day – it’s why you employ them.

10. Listen – Listen to those around you – especially those Subject Matter Experts (SME) and End Users that can offer all sorts of advice on how to get something working again. Often, experts are leveraged from external sources and all too often, they are doing things with their own gain in mind, so don’t throw away suggestions from others, as they may have ideas that can be of assistance and those ideas may work better than some other specialists because they often are thinking outside the box. They are also thinking or ensuring they get their jobs back and their employer operational; a different perspective than some vendors and partners who are more worried about the impact upon their bottom line rather than yours.

11. (BONUS) Document Everything: When the disaster is over – or when you’ve got time to start – begin to document everything you’ve done. Every action item and resolution. Every decision. Every communication – the good and the bad. Every participating role required and what they did – and didn’t need to do. Every action asked and required of partners, vendors and suppliers. Every aspect required to assist employees. This will help start you formal BCM/DR program and begin to pull ideas together for plans because as sure as the sun will rise tomorrow, you’ll be building your program immediately. In fact, it’ll probably be the #1 priority of executives and management, assuming you’re organization was able to get through the situation and come out the other side – though probably battered and bruised.

No matter what happens, you have to be doing something. The situation won’t resolve itself by wondering what to do or wondering what ‘might have been’ had you a BCM/DR plan.
When it seems you’re down, get back up and keep playing on – you’re only beaten if you give up, not if the issue continues. It’s said that Edison failed at inventing the light bulb dozens of times but did he give up, no, he played on. Abraham Lincoln give up, despite losing a couple of elections and became President of the United States.

© StoneRoad 2014
By A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL, author of multiple books on BCM including “BIA: Building the Foundation for a Strong Business Continuity Program” and “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.”





Crisis Communications: 11 Ways to Recognize that it May Not Be Working

25 05 2014

All BCM program components must be validated prior to any disaster ever occurring; the more validation performed, meaning the more tests with varying situations and scenarios are performed, the better the overall Crisis Management plan and strategy will achieve. The problem is that all too often an organization will draft a crisis management strategy (contained within the crisis management plan) and believe that it will work as documented. This isn’t always the case and in too many instances, it can prove to be detrimental to an organization when it’s experiencing a major business interruption – regardless of the trigger.
There are many indicators to show an organization that what it’s doing isn’t working and that the strategy they are currently working with needs an immediate change.
Disasters and crises can present many challenges for organization and an organization should no compound their own problems by not being alert to early signals that they might be heading down the wrong road.
Below are just a few of those early warning signs that can help an organization amend its crisis communication strategy (the plan) to ensure it doesn’t end up losing control of the overall situation.

1. Negative Social Media Traffic: You’re communicating all sorts of information but no matter what you do messages being posted on the various social media sites are negative towards you and your efforts. The cause could be that the messages you’re sending out aren’t addressing the concerns of those impacted or those that require information. Instead the messages are ‘self-serving’ and thus causing friction with the public, which results in negative comments being posted. Negative traffic can also be caused by the organization itself; it’s not all external. If an organization has schedule postings or updates about the latest product or service, it doesn’t hold well when these keep coming out during a disaster.

2. The Speaker is confused: Nothing is worse than having the ‘face’ face of the organization (that is experiencing the disaster) seem confused and not knowledgeable of what is going on; what the overall disaster situation is or what the organizations plans are in responding to the disaster. Any speaker should know what is occurring and be able to speak to the situation at hand and what the organization is doing; if they can’t, they will make the organization seem unprepared to respond and being in total confusion.

3. Rumours Abound: If you are addressing the situation and providing accurate information but rumours are still being spread, then the organization isn’t addressing the concerns of those needing information. Like #1, people will begin to determine their own conclusions based on little bits of information they come across and then post those conclusions to social media sites or through emails to others. When this occurs, ensure you address the rumours so that they can be dispelled immediately; not addressing rumours will mean they continue, which will harm your crisis management efforts even if you are doing the best you can.

4. Staff Rebellion: When staff begins to moan and groan, it probably means they’re not receiving information they require. Often, organizations focus so much on ensuring that others receiving information and they assume that employees know what they need to do or know where they need to go to get it; this isn’t always the case. You must include employee communications – and continued updates – in your crisis management strategy.

5. Media Questions & Responses: If the media are asking the same question over and over, or leading you back to the same question it means that a key point hasn’t been addressed. It may be something you don’t want to address or don’t know completely, and if so, you better be aware that the media won’t let go of the topic until they feel that it’s been addressed. If you don’t know, then state you don’t know and will update them when it’s possible to do so but ignoring it or simply ‘skirting’ around the topic will only cause them to continue to press for information, which in the end will look like you’re hiding something. And when that occurs, some organizations become antagonistic and begin to debate – to put it politely – with social media posters and traditional media representatives. Don’t get into a debate with them about what has or hasn’t occurred; you’re just being sidetracked by fictitious situations and scenarios being presented by people who have not received the basic information the organization needs to communicate.

6. Clear Lack of Awareness & Training: Nothing says a person don’t know what they’re talking about when they are full of “um’s” and “uh’s”. It shows that there is clearly no proper training in speaking in front of people or that a basic understanding of what the organization will do is severely lacking. It’s as though the person standing in front of the camera’s making it up as they are going or that their responses on social media sites are just basic run-of-the-mill responses; the kind you can relate to sports figures that rattle off basic one-liners after a game (i.e. it was a tough game, I thought the team did well, we played hard…etc). If anyone sounds like that, they know there is no real awareness or training on what needs to be done because during a disaster people are looking for specifics, not boiler plate responses. When there is a lack of training and overall response awareness by company spokespeople, messages can be contradictory because they are speaking ‘off the cuff’ or making it up based on what they ‘think’ is occurring behind the scenes rather than what is occurring. This is why training and awareness must be tailored for all areas of an organization; from the most senior position to the newest employee. Each must have a reasonable understanding of expectations and what role – if any – they will plan. Awareness isn’t just about the response activities but also awareness of what actually happened. People will send messages on social media based on what they know and if you’re organization isn’t aware of what happened, you won’t be perceived as really understanding the situation.

7. Lawyer Speak: There is a time and place for lawyers and lawyer speak but it’s not at the outset of a disaster when people need to know what has happened, what they need to do and if they are going to be impacted by the situation (if they haven’t been already). Lawyers don’t want leaders of organizations to take responsibility for the disaster but they have to take responsibility because they need to respond to it. Taking responsibility does NOT equate to accepting blame, which is what many legal representatives tell leaders. The time for legal speak comes when the dust has begun to settle and a clearer view of the situation comes to light; not at the outset when the main concern is people safety and getting operations back to an operating level. When legal representatives do all the talking for an organization, it sends the wrong message to the public, which are expecting the leader(s) of the organization to do all the talking and direction; to be the human face of the organization. Leaders are leaders during good times and must also be leaders during bad times, or else it shows that the organization has no plan in place and lacks clear leadership, which may not be the case…but will be the perception. It’s commonly joked by many individuals – the public in general – that lawyers and politicians can speak for ages but never say anything, so don’t let lawyers do the talking for you, even though they will play a key role in the crisis at later stages.

8. Communication & Decision Delays: If the chain of command is too long and the delay in obtaining decisions takes allot of time; then you can imagine the silence that would be coming from the organization when the demand for information by the media and public is increasing. If the decision process is taking too long then there is too much discussion occurring in the “Crisis Management” team and not enough action. This could be that the restoration/recovery/resumption/continuity plans are not sufficient enough to deal with the situation or possibly that required plans don’t exist. If they don’t, then that would cause the delay for decisions and in communications. Too much time at the boardroom table trying to figure out an action plan means no one is communicating outward to those needing information and that absence shows the media (and public) that there is no action plan in place. This is what causes rumour and conjecture to take hold and then cause a PR disaster for the organization. Not only are you fighting the disaster itself, you’re fighting public perception.

9. Leadership Visibility: During the Lac Megantic rail disaster in Quebec, Canada (July 6, 2013), the President of the rail line (Montreal, Maine and Atlantic Railway) waited days before appearing in the devastated town, believing that his presence was best spent at his corporate headquarters coordinating efforts. He wasn’t visible to those impacted or anyone else requiring information; the railway was ‘faceless’ and only press releases and comments released through the media were seen by people, which gave the message that the railway was hiding and wasn’t addressing the situation at hand; a situation that literally levelled the centre of the small town. This was not seen as acceptable especially when there are examples of leaders being on scene and taking control of bad situations such as the then New York mayor, Rudy Giuliani, who was coordinating efforts almost immediately after the 9/11 attacks.

10. Focusing on Blame: Continuing from #7, everyone will want to know the cause of the disaster and who’s at fault…but not immediately. Despite perceptions, an organizations first priority to ensure people safety; finding the blame can come later once the first priority has been taken care of. Unfortunately, some organizations would rather try to deflect criticism first and find the blame rather than addressing the key point of life safety. Even if 1st responders are available and internally employees were there to help any injured parties, if the communication coming out of the organization is about blame then the fact that the organization did help those impacted first, will get lost. There is a time for blame – and that’s when the time for investigating the cause has begun, not when the disaster first begins. Organizational resources will be focuses on people and then obtaining some level of operational capability and when that occurs, and then the cause can be looked at. Of course, if a major hurricane occurs then the cause of the disaster should be obvious but then the questions about why you weren’t prepared will surface.

11. Appear to be Uncaring: You can communicate all you wish and if you’re perceived to be uncaring then no amount of communications is going to change that. In a majority of situations, an organization tries to make itself the victim but in all cases, it’s the people impacted (or hurt) by the disaster that is the victim – not the organization. An organization is rarely seen as the victim, though the people within it can be perceived as victims. A crisis management plan addresses the situation at hand but must also address and focus on the impact the disaster on people; the real victims of the situation. If an organization doesn’t seem to come across as caring in its communications then it can be seen as a pariah within the community, rather than a member of the community and no amount of back-tracking is going to change that perception any time soon. Your crisis management plan – regardless of how extensive and comprehensive it is – won’t ever be perceived as successful because the external view of the organization is negative.

If any of the above noted aspects occur, you’re on your way to more problems as each item is an indication that your current crisis management strategy isn’t working and you need to ‘change gears’ quickly to get things back on track. Remember, this isn’t the restoration, recovery or resumption activities, this is how the organization manages the crisis (disaster) and if that isn’t working well, it makes no difference how successful your restoration and recovery activities are, people will still see your organization in a negative light.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





When is a Disaster Considered a Disaster?

22 02 2014

It’s kind of like the old question; ‘If a tree falls in the forest and no one is there to hear it, does it make a sound?’ A disaster isn’t a disaster if there’s no measureable impact. No impact to people’s perception of the situation. No impact to people’s lives. If there is a large fire but there is no people or property (facilities, IT equipment etc.) or processes involved – either by fighting the fire or being impacted by the fire – is it still a disaster? There are no fire fighters and no burning buildings, which have no people being impacted so is it still a fire worth tracking and determining the impact and disaster level? No, because there is no measureable impact.
There will be arguments that state yes, it is a disaster because of the damage it can still cause (i.e. the environment) but if no one is involved how do you know it’s a disaster? There’s nothing that tells you it’s a disaster; nothing to point towards to say ‘this’ is the reason for the fire being a disaster because when the large fire is discovered it’s impact isn’t known…yet
A disaster must have some level of measurable impact. Something that can be ‘seen’ and ‘felt’ by people before it can be classified as a real disaster – and it has to impact people, otherwise it may just be an incident or an event of note. A fire in the middle of nowhere can still be a disaster, but if no one is there to see it, fight it or be impacted by it, it’s not classified as a real disaster because there’s nothing to measure as an impact.
For a disaster to be a disaster – in the eyes of people, media and the public in general – there has to be an impact to;
• People;
• Communities & Community Infrastructure;
• Service interruptions;
• Resources;
• Facilities;
• Technology (including those that impact services and processes);
• Suppliers;
• Vendors;
• Partners;
• Finances;
• Responders…and more.

If there is no measurable impact to any of the above, it’s not a disaster or a situation worth reporting on, it may just be an incident or Business As Usual (BAU) occurrence for which response mechanisms have already been developed to address. A means of addressing the situation before it escalates out of immediate control to become a disaster. Or even, the means to respond to the non-event when the non-event escalates and does begin to have an impact. Staying with the fire example, a forest fire may be a bad situation but not a disaster until it continues out of control and begins to threaten communities. Then what started as a non-event or non-disaster suddenly becomes a disaster.
The argument can be made that anything that impacts another is a disaster. A forest fire is a disaster because it destroys property, animal life and the natural resources it envelopes. But again, if there is no one to fight the fire – or even plan to fight the fire and maybe even to see the fire – is there a real disaster when no one is involved? If people are not involved with the situation by either resolving or addressing it or being impacted by it, it’s not a disaster. It’s just a situation that may or may not be in the headlines and will quickly be forgotten.

© StoneRoad 2014
A.Alex Fullick has over 17yrs experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM & DR: Plans That Can’t Be Made!

31 01 2014

In many organizations, executives and employees – and even auditors, will ask Business Continuity Management (BCM) / Disaster Recovery (DR) practitioners if they have plans for every situation possible; every potential risk and every potential impact to the organization. Considering that the number of risks that exist in the world today is basically infinite – once you calculate all the various potential impacts to an organization from a single event – there will be communication, restoration and recovery plans that just can’t be developed, documented, implemented, communicated, validated or maintained. It is impossible to have a response to every situation; the secret it to be able to adapt to the situation and leverage the response plans you do have to help adapt to the disaster situation.
Still, the questions will come about these plans and why a response isn’t captured for a particular situation and its resulting scenarios. A BCM/DR practitioner must be able to address these questions and be able to respond with reasons as to why specific plans don’t – and can’t – exist.
There are a few key reasons that practitioners must be able to communicate to those asking the questions and they are noted below.

1. Unknown Unknowns – In any situation – both disaster related and non-disaster related, will contain all sorts of details. One specific activity or item can have multiple responses depending on the details that come from the situation itself. For example, an earthquake can cause minor or major damage to an area but depending on where it occurs and when it occurs, the responses to the earthquake will be completely different.

2. Highly Improbably – Sometimes a risk to an organization is just so improbably that creating a plan for the situation would be futile and a waste of resources (time and people). For example, an organization with a facility in the middle of the Canadian prairies wouldn’t bother creating a disaster response plan to avalanches; it’s just so highly unlikely that it could ever happen. If an organization documents the probably risks – such as floods or snowstorms for that previously mentioned prairie location – it can adapt the plans that address the likely risks to those that are highly unlikely. New plans for unlikely activities would just distract from developing plans and processes that are really needed.

3. Changes in Assumptions – Assumptions are those things we believe to be true and they should be challenged continuously; especially through tests and exercises. However, if they aren’t challenged at some point then the continued planning and BCM/DR program development could be based on false information. For instance, if specific partners are expected to perform specific tasks for your organization when it experiences a disaster but they don’t know about them – or the tasks have changed and they’ve not been notified – your plans are going to out of sync with expectations and need. Plans are not build on assumptions but the detailed activities contained with them will be built by assumptions and they must be reviewed at all times.

4. Public Opinion / Perception – Public opinion can change with no warning; what the public may agree to in one situation they may not agree with in another situation- even when the details are relatively the same. All an organization can do is ensure it has a comprehensive Crisis Management and Communications Plan (CM&C) and those responsible for the plan understand how to communicate with the public and respond to the public. There is no way and organization can guess at what the public may believe and trying to determine every response plan to unknown perceptions would take eons to develop – something that an organization just can’t do.

5. External Directives – Depending on the scale of the situation, an organization may receive instructions from 3rd parties, such as the police or local governments. It’s never known what these groups may dictate to an organization, as it’s never known ahead of time what or when a disaster will occur. Thus, a plan can’t be developed to address the specifics of what to do based on directives received from external sources. However, if an organization has an established BCM/DR program with relevant plans and processes, it can adapt itself to the situation based on the impact to the organization itself. If an external source dictates a directive then the organization can take what it has in place and adapt itself. But a plan specific to communications that haven’t been provided – because a disaster hasn’t occurred yet – can’t be documented.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM/DR: Understanding Want and Need

15 01 2014

BIA results can help determine many aspects of the BCM/DR program to come; they validate what is required – and what’s not. And what’s required and what’s not is determined through the development of the various strategies and approaches that are created as a result of the BIA findings. However, that doesn’t stop individuals of all levels from believing they know what they require for their restoration and recovery strategy regardless of what the BIA findings state.

This is because many individuals have a difficult time comprehending that they may not be the most important area within the organization and thus, aren’t required to be available immediately. And if a department – or particular aspects of a department – aren’t required immediately after a disaster, many will disregard that fact and begin to state what they must have; what they want vs. what they actually need.

The difference between want and need is something that all BCM/DR practitioners must clearly understand and communicate to department leads; especially those responsible for acquiring, developing and implementing the various strategies required to address BIA findings.

A department that is not required to have its processes become immediately available after a disaster will want specific action to be taken so they can become available sooner but resources, BIA findings and cost will determine that it is not needed.

Sometimes business people – even some IT personnel – will state they want something but there isn’t any information / data to back up their requirement. The BIA and resulting continuity, restoration and recovery strategies required to address those findings, determines what is needed and what isn’t. Here’s the difference between want and need:

• Need is based on what the agreed-to BAI findings state is required – based on the strategy developed. Then you know what you need and it separates from the want.
• Want is based on feelings and desire, and no one wants their department processes to be formally classed as not being required during a disaster – or at least not immediately required.

Need is something that if isn’t available, a department that wants to be up and running cannot be up and running because dependencies required to run the department (i.e. items that arrive from other departments) aren’t available or aren’t required based on BIA findings. So even then, when a department wants to be available, it still can’t become available because one of its dependencies aren’t needed. So even when people state they know what they want and what they believe they need, the BCM/DR professional must ensure that the strategy departments want aligns to the strategy the organization needs.

Make sure you know the difference and if asked why something isn’t provisioned for, you’ll understand – through the BIA findings – the reason.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





The 4 R’s of Disaster

7 11 2013

When the director of technology states that the IT infrastructure is up and available after a disaster, many believe it means that an organization can now begin to operate as normal. This is not completely correct; it’s only part of the solution. It’s like a car salesman pointing out a car on the lot; just because it’s sitting there doesn’t mean it’s ready for use – you need gas, a key and other bits before it’s ready for use. So, just because the technology infrastructure is ready, doesn’t mean it’s ready for use.

What’s happened is that the infrastructure has only been restored; the organization still needs other components in play before it can safely say it is back to operations – not necessarily ‘normal’ operations (Is it ever ‘normal’ to operate in disaster mode??). Yet when technology is restored there is the misconception that all must be well.

I like to keep 4 R’s in mind when an organization is getting back up on its feet after a major situation. Below describe four key stages that an organization must go through before it can state – confidently – that it’s back open for business – albeit, no doubt at reduced capacity and capability.

1. Response: Basically, this relates to the initial responsive activities an organization takes when a disaster occurs. It would include such things as evacuation & assembly procedures, communications (internal, external), crisis management, DR team activation, 1st aid/CPR assistance and other basic activities.

2. Restoration: This focuses on the restoration of technology/IT equipment and services. It does not automatically mean that once a server or application is restored that all is ‘well’ once again in the world. That’s not it al all. What it does mean that the organization has been able to get all the pretty green lights on and systems are restored. All the systems can ‘see’ each other, cables are connected and power is running to everything. The technology infrastructure is now ready for the next step.

3. Recovery: Recovery focuses on data. What data do you have? Have you lost any? Is it corrupted? What was lost when systems failed (regardless of the trigger)? Can you access it? It means obtaining the data (from whatever source) and validating that is usable (i.e. not corrupted) and available for users. It’s also to ensure that systems are actually speaking to each other; that files will pass from one system application to another, as expected. If they can’t, then there is an issue with the technology set or potentially with the data itself. In some instances, an IT and business user will validate that data has not been corrupted and if it is OK, it’s time to move to the next phase. If not, IT must go back and obtain the last set of data files that are OK and not corrupted but if not, users are now brought in for resumption.

4. Resumption: Resumption relates to the end user; the person using the recovered data that moves between the restored systems. This is the final step in the 4 R’s. Once systems are available and data has been validated and available for use, the user now can begin to perform their business operations in the order and frequency dictated by the departments Business Continuity Plan.

Some might say you can incorporate a 5th “R” to the mix; review. However, ‘review’ would actually fall into the maintenance category and the continued review of existing plans and procedures that aren’t just attributed to a disaster occurring. Review would occur after testing and validation for lessons learned and ensuring that disaster team members are kept up to date on expectations and reviewing various other BCM/DR program components (plans, processes etc) to ensure they are current and maintained on a regular basis. The 4 R’s strictly relates to a disaster situation.

The other part with review is that you can do this after a disaster has occurred or some other organizational incident, as a lessons learned. Review how you did and what needs to change.

Sometimes using quick little items like “the 4 R’s” can help illuminate the minds of executives that don’t fully understand – or pay attention to – BCM/DR.

(C) StoneRoad (A.Alex Fullick) 2013
Alex Fullick is the author of several books including his latest, “Business Impact Analysis: Building the Foundation for a Strong Business Continuity Program” (Available at http://www.amazon.com or http://www.stone-road.com/shop.)








Follow

Get every new post delivered to your Inbox.