BCM / DR: eBooks Now Available by A. Alex Fullick (Stone Road Inc)

21 06 2014

We’ve been a bunch of busy beavers here at StoneRoad. We’re very happy to announce that two books by our founder A.Alex Fullick, ‘Heads in the Sand’ and ‘Business Impact Analysis’ are now exclusively available as ebooks at the StoneRoad shop.

Get your copies now using the links below:

Heads in the Sand
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=201&zenid=3d712e28f2680972874f7e4a8d473940

Business Impact Analysis
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=202&zenid=3d712e28f2680972874f7e4a8d473940

‘Like’ and join us on Facebook too at Stone Road Inc.

The StoneRoad Team.
(C) Stone Road Inc, 2014





BCM / DR: How Does an Organization Become Resilient?

21 06 2014

There’s a lot of talk of organizations becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can, though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture of what will make an organization resilient.

It’s just not a simple concept – though it would be great if it was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which ones fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there haven’t been previous adverse situations that the person / organization has bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps them going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought their way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when there’s a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. It’s people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something to offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014
A.Alex Fullick has over 18 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





10 Tips to Remember When You Don’t Have a Disaster Plan…and Disaster Strikes!

8 06 2014

(c) Stone Road Inc. 2014 (A.Alex Fullick)

When disaster strikes, keep calm and march on!! Sometimes it’s not always that easy and in a real situation you really do need to carry on; if you don’t, you’re done! Over! Kaput! Even with the numerous disasters occurring in the world – some man-made some natural in nature – there are still many organizations that would rather take their chances with fate than invest in a Disaster Response / Emergency Response / Business Continuity Management program. When disaster does strike, these organizations are left empty handed. With no plans or processes in place to respond to the situation they must ‘wing it’ if they’re to continue staying in business – or attempt to stay in business.
So what should organizations consider and focus on if they are caught in a serious situation and they don’t have a BCM/DR program in place? What do they need to do to try to get some level of coordination in response, restoration, recovery and resumption efforts? Below are some tips for how leaders need to view the predicament they find themselves in; a disaster/crisis with no BCM/DR program or plan in place.

1. Don’t Throw in the Towel – Don’t give up! You’ve got to do something even if you don’t have a proven plan in place, so keep going and do what you feel is right. Under no circumstances should you give up, as you really don’t have an alternative unless you really want your organization to fail. As the saying goes, ‘Keep calm and carry on!’

2. Figure it Out Quickly – Don’t waste time debating and getting everyone’s input on what to do. Figure out what your main objectives are then take it from there. The longer you take the less likely you are to remain in business much longer. And even if you do get up and running, because you took so long to do anything, confidence in your organization will vanish.

3. Focus on People – Make people your priority. A little bit of care and compassion can go a long way in public and media perceptions and if you make people priority #1, you’ll be forgiven a bit more for not having a plan or program in place.

4. Reconfigure – Time will be of the essence, so don’t bother trying to get things like-for-like; it won’t happen. You have no plan, which may also mean no alternate site, so get what you can and start rebuilding. It may mean patch-working systems and services together and getting people to do activities they don’t normally do but do it anyway to get your operations up and running. You’ve got a clean slate in front of you, so feel free to reconfigure what you need to make things work. A small beat-up car will get you to “location A” just as well as a luxury car, so if you need to reconfigure…do it.

5. Get Rid of Expectations and Assumptions – Don’t bother asking questions and wondering about assumptions; you need to action things immediately and start doing something. If you’ve had a disaster and have no plan in place, then there are no rules, guidelines, directives or assumptions to work around; no boundaries to hold you back. So everything is possible to you and you’ve got to start trying to get your organization back up and running with technology recovery, business continuity and crisis management so that you can begin to service your clients with the services and products you provide. With assumptions, you may be thinking that everything you need is easily available – including people. However, this might not be the case so throw your assumptions out the window because the only assumption that gets proven correct in a disaster is that all your assumptions are wrong.

6. Emotion Over Intellectual Response – If you want to stay in the good graces of people, then speak to them emotionally, not like an automaton full of intellectual platitudes. If you don’t have a plan in place, your biggest fight will be over how you respond to the disaster as perceived by onlookers, not how two IT servers are connected to the internet. Speak with an emotional approach and you may find that people will approach you offering help, assistance and with compassionate sympathy.

7. Don’t Blame – Don’t play the blame game right away. You’re in a disaster and the public, employees, partners and the media want to see you doing something and managing the situation; blaming others is seen as a smoke screen in an effort to deflect questions and criticism. But the opposite occurs so don’t bother playing a game you can’t win. When the dust has settled and you’ve performed investigations into the cause, then you might be in a position to start blaming but it shouldn’t be your priority.

8. Request Help – It’s not time to be proud. If you need assistance to get resources then ask for it. Don’t be shy, as trying to hide the fact you need assistance can cause even more problems. Many organizations are willing to help competitors and partners when they have a disaster but many are too afraid to ask for help because asking for assistance is seen as a weakness when in fact, not asking for assistance is a sign of proud arrogance. If you need help, ask and don’t shy away from stating the issues you have, as a response or helping hand may appear to help resolve some of the problems you’re facing.

9. People Are Resilient – People do not wantonly wish to fail; they want to succeed and responding to a disaster by their employer is going to make them want to work hard and overcome the situation. Their livelihood is at stake and they aren’t about to let that disappear without fighting for it. Many want to be part of restoration and recovery efforts, as it takes them away from the trauma of what has occurred and helps them focus on areas with which they have more control and knowledge – rebuilding servers, loading applications, testing etc. Your organization isn’t the first to experience a disaster and won’t be the last and in the majority of cases, people overcame adversity by sheer hard work and will power – and never giving up. Let the employees do what they know needs doing instead of trying to make it up on the spot; they are aware of what they need to do, as they do it each day – it’s why you employ them.

10. Listen – Listen to those around you – especially those Subject Matter Experts (SME) and End Users that can offer all sorts of advice on how to get something working again. Often, experts are leveraged from external sources and all too often, they are doing things with their own gain in mind, so don’t throw away suggestions from others, as they may have ideas that can be of assistance and those ideas may work better than some other specialists because they often are thinking outside the box. They are also thinking of ensuring they get their jobs back and their employer operational; a different perspective than some vendors and partners who are more worried about the impact upon their bottom line rather than yours.

11. (BONUS) Document Everything: When the disaster is over – or when you’ve got time to start – begin to document everything you’ve done. Every action item and resolution. Every decision. Every communication – the good and the bad. Every participating role required and what they did – and didn’t need to do. Every action asked and required of partners, vendors and suppliers. Every aspect required to assist employees. This will help start your formal BCM/DR program and begin to pull ideas together for plans because as sure as the sun will rise tomorrow, you’ll be building your program immediately. In fact, it’ll probably be the #1 priority of executives and management, assuming your organization was able to get through the situation and come out the other side – though probably battered and bruised.

No matter what happens, you have to be doing something. The situation won’t resolve itself by wondering what to do or wondering what ‘might have been’ had you a BCM/DR plan.
When it seems you’re down, get back up and keep playing on – you’re only beaten if you give up, not if the issue continues. It’s said that Edison failed at inventing the light bulb dozens of times but did he give up? No, he played on. Abraham Lincoln didn’t give up, despite losing a couple of elections, and became President of the United States.

© StoneRoad 2014
By A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL, author of multiple books on BCM including “BIA: Building the Foundation for a Strong Business Continuity Program” and “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.”





Crisis Communications: 11 Ways to Recognize that it May Not Be Working

25 05 2014

All BCM program components must be validated prior to any disaster ever occurring; the more validation performed, meaning the more tests with varying situations and scenarios are performed, the better the overall Crisis Management plan and strategy will perform. The problem is that all too often an organization will draft a crisis management strategy (contained within the crisis management plan) and believe that it will work as documented. This isn’t always the case and in too many instances, it can prove to be detrimental to an organization when it’s experiencing a major business interruption – regardless of the trigger.
There are many indicators to show an organization that what it’s doing isn’t working and that the strategy they are currently working with needs an immediate change.
Disasters and crises can present many challenges for organizations, and an organization should not compound its own problems by not being alert to early signals that it might be heading down the wrong road.
Below are just a few of those early warning signs that can help an organization amend its crisis communication strategy (the plan) to ensure it doesn’t end up losing control of the overall situation.

1. Negative Social Media Traffic: You’re communicating all sorts of information but no matter what you do, messages being posted on the various social media sites are negative towards you and your efforts. The cause could be that the messages you’re sending out aren’t addressing the concerns of those impacted or those that require information. Instead the messages are ‘self-serving’ and thus causing friction with the public, which results in negative comments being posted. Negative traffic can also be caused by the organization itself; it’s not all external. If an organization has scheduled postings or updates about the latest product or service, it doesn’t hold well when these keep coming out during a disaster.

2. The Speaker is Confused: Nothing is worse than having the ‘face’ of the organization (that is experiencing the disaster) seem confused and not knowledgeable of what is going on; what the overall disaster situation is or what the organization’s plans are in responding to the disaster. Any speaker should know what is occurring and be able to speak to the situation at hand and what the organization is doing; if they can’t, they will make the organization seem unprepared to respond and in total confusion.

3. Rumours Abound: If you are addressing the situation and providing accurate information but rumours are still being spread, then the organization isn’t addressing the concerns of those needing information. Like #1, people will begin to determine their own conclusions based on little bits of information they come across and then post those conclusions to social media sites or through emails to others. When this occurs, ensure you address the rumours so that they can be dispelled immediately; not addressing rumours will mean they continue, which will harm your crisis management efforts even if you are doing the best you can.

4. Staff Rebellion: When staff begin to moan and groan, it probably means they’re not receiving information they require. Often, organizations focus so much on ensuring that others are receiving information that they assume employees know what they need to do or know where they need to go to get it; this isn’t always the case. You must include employee communications – and continued updates – in your crisis management strategy.

5. Media Questions & Responses: If the media are asking the same question over and over, or leading you back to the same question it means that a key point hasn’t been addressed. It may be something you don’t want to address or don’t know completely, and if so, you better be aware that the media won’t let go of the topic until they feel that it’s been addressed. If you don’t know, then state you don’t know and will update them when it’s possible to do so but ignoring it or simply ‘skirting’ around the topic will only cause them to continue to press for information, which in the end will look like you’re hiding something. And when that occurs, some organizations become antagonistic and begin to debate – to put it politely – with social media posters and traditional media representatives. Don’t get into a debate with them about what has or hasn’t occurred; you’re just being sidetracked by fictitious situations and scenarios being presented by people who have not received the basic information the organization needs to communicate.

6. Clear Lack of Awareness & Training: Nothing says a person doesn’t know what they’re talking about like being full of “um’s” and “uh’s”. It shows that there is clearly no proper training in speaking in front of people or that a basic understanding of what the organization will do is severely lacking. It’s as though the person standing in front of the cameras is making it up as they are going or that their responses on social media sites are just basic run-of-the-mill responses; the kind you can relate to sports figures that rattle off basic one-liners after a game (i.e. it was a tough game, I thought the team did well, we played hard…etc). If anyone sounds like that, people know there is no real awareness or training on what needs to be done because during a disaster people are looking for specifics, not boiler plate responses. When there is a lack of training and overall response awareness by company spokespeople, messages can be contradictory because they are speaking ‘off the cuff’ or making it up based on what they ‘think’ is occurring behind the scenes rather than what is occurring. This is why training and awareness must be tailored for all areas of an organization; from the most senior position to the newest employee. Each must have a reasonable understanding of expectations and what role – if any – they will play. Awareness isn’t just about the response activities but also awareness of what actually happened. People will send messages on social media based on what they know and if your organization isn’t aware of what happened, you won’t be perceived as really understanding the situation.

7. Lawyer Speak: There is a time and place for lawyers and lawyer speak but it’s not at the outset of a disaster when people need to know what has happened, what they need to do and if they are going to be impacted by the situation (if they haven’t been already). Lawyers don’t want leaders of organizations to take responsibility for the disaster but they have to take responsibility because they need to respond to it. Taking responsibility does NOT equate to accepting blame, which is what many legal representatives tell leaders. The time for legal speak comes when the dust has begun to settle and a clearer view of the situation comes to light; not at the outset when the main concern is people safety and getting operations back to an operating level. When legal representatives do all the talking for an organization, it sends the wrong message to the public, which are expecting the leader(s) of the organization to do all the talking and direction; to be the human face of the organization. Leaders are leaders during good times and must also be leaders during bad times, or else it shows that the organization has no plan in place and lacks clear leadership, which may not be the case…but will be the perception. It’s commonly joked by many individuals – the public in general – that lawyers and politicians can speak for ages but never say anything, so don’t let lawyers do the talking for you, even though they will play a key role in the crisis at later stages.

8. Communication & Decision Delays: If the chain of command is too long and obtaining decisions takes a lot of time, then you can imagine the silence that would be coming from the organization when the demand for information by the media and public is increasing. If the decision process is taking too long then there is too much discussion occurring in the “Crisis Management” team and not enough action. This could be that the restoration/recovery/resumption/continuity plans are not sufficient to deal with the situation or possibly that required plans don’t exist. If they don’t, then that would cause the delay for decisions and in communications. Too much time at the boardroom table trying to figure out an action plan means no one is communicating outward to those needing information and that absence shows the media (and public) that there is no action plan in place. This is what causes rumour and conjecture to take hold and then cause a PR disaster for the organization. Not only are you fighting the disaster itself, you’re fighting public perception.

9. Leadership Visibility: During the Lac Megantic rail disaster in Quebec, Canada (July 6, 2013), the President of the rail line (Montreal, Maine and Atlantic Railway) waited days before appearing in the devastated town, believing that his presence was best spent at his corporate headquarters coordinating efforts. He wasn’t visible to those impacted or anyone else requiring information; the railway was ‘faceless’ and only press releases and comments released through the media were seen by people, which gave the message that the railway was hiding and wasn’t addressing the situation at hand; a situation that literally levelled the centre of the small town. This was not seen as acceptable especially when there are examples of leaders being on scene and taking control of bad situations such as the then New York mayor, Rudy Giuliani, who was coordinating efforts almost immediately after the 9/11 attacks.

10. Focusing on Blame: Continuing from #7, everyone will want to know the cause of the disaster and who’s at fault…but not immediately. Despite perceptions, an organization’s first priority is to ensure people’s safety; finding the blame can come later once the first priority has been taken care of. Unfortunately, some organizations would rather try to deflect criticism first and find the blame rather than addressing the key point of life safety. Even if 1st responders are available and internally employees were there to help any injured parties, if the communication coming out of the organization is about blame then the fact that the organization did help those impacted first will get lost. There is a time for blame – and that’s when the time for investigating the cause has begun, not when the disaster first begins. Organizational resources will be focused on people and then obtaining some level of operational capability and when that occurs, then the cause can be looked at. Of course, if a major hurricane occurs then the cause of the disaster should be obvious but then the questions about why you weren’t prepared will surface.

11. Appear to be Uncaring: You can communicate all you wish and if you’re perceived to be uncaring then no amount of communications is going to change that. In a majority of situations, an organization tries to make itself the victim but in all cases, it’s the people impacted (or hurt) by the disaster that are the victims – not the organization. An organization is rarely seen as the victim, though the people within it can be perceived as victims. A crisis management plan addresses the situation at hand but must also address and focus on the impact of the disaster on people; the real victims of the situation. If an organization doesn’t seem to come across as caring in its communications then it can be seen as a pariah within the community, rather than a member of the community and no amount of back-tracking is going to change that perception any time soon. Your crisis management plan – regardless of how extensive and comprehensive it is – won’t ever be perceived as successful because the external view of the organization is negative.

If any of the above noted aspects occur, you’re on your way to more problems as each item is an indication that your current crisis management strategy isn’t working and you need to ‘change gears’ quickly to get things back on track. Remember, this isn’t the restoration, recovery or resumption activities, this is how the organization manages the crisis (disaster) and if that isn’t working well, it makes no difference how successful your restoration and recovery activities are, people will still see your organization in a negative light.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM/DR: Understanding Want and Need

15 01 2014

BIA results can help determine many aspects of the BCM/DR program to come; they validate what is required – and what’s not. And what’s required and what’s not is determined through the development of the various strategies and approaches that are created as a result of the BIA findings. However, that doesn’t stop individuals of all levels from believing they know what they require for their restoration and recovery strategy regardless of what the BIA findings state.

This is because many individuals have a difficult time comprehending that they may not be the most important area within the organization and thus, aren’t required to be available immediately. And if a department – or particular aspects of a department – aren’t required immediately after a disaster, many will disregard that fact and begin to state what they must have; what they want vs. what they actually need.

The difference between want and need is something that all BCM/DR practitioners must clearly understand and communicate to department leads; especially those responsible for acquiring, developing and implementing the various strategies required to address BIA findings.

A department that is not required to have its processes become immediately available after a disaster will want specific action to be taken so they can become available sooner but resources, BIA findings and cost will determine that it is not needed.

Sometimes business people – even some IT personnel – will state they want something but there isn’t any information / data to back up their requirement. The BIA and resulting continuity, restoration and recovery strategies required to address those findings, determines what is needed and what isn’t. Here’s the difference between want and need:

• Need is based on what the agreed-to BIA findings state is required – based on the strategy developed. Then you know what you need and it separates from the want.
• Want is based on feelings and desire, and no one wants their department processes to be formally classed as not being required during a disaster – or at least not immediately required.

Need is something that if it isn’t available, a department that wants to be up and running cannot be up and running because dependencies required to run the department (i.e. items that arrive from other departments) aren’t available or aren’t required based on BIA findings. So even then, when a department wants to be available, it still can’t become available because one of its dependencies isn’t needed. So even when people state they know what they want and what they believe they need, the BCM/DR professional must ensure that the strategy departments want aligns to the strategy the organization needs.

Make sure you know the difference and if asked why something isn’t provisioned for, you’ll understand – through the BIA findings – the reason.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM / DR Scheduling

23 12 2013

Nothing happens without good planning and implementation strategies and this is required when planning out the development of the Business Continuity Management (BCM) / Disaster Recovery (DR) program. It’s impossible to just start something without having any idea when you’ll be finished or what you need to reach along the way to be able to take the next step.

Often, to get proper buy-in from executives, a BCM/DR practitioner has to provide a timeline alongside the goals and deliverables the project will provide. It’s one thing to provide the reasons why you need a program and if those are accepted by executives as valid reasons (let’s hope they think so…), the next question will be, “When will it be done?” So, a draft timeline must be mapped out; from how long a BIA will take and when the findings will be delivered to when the 1st test will occur.

Of course, it will all be built upon assumptions such as resource availability for example, but a high-level timeline must be provided to executives. Below are ten considerations a practitioner must keep in mind when building the BCM/DR program:

1. Communicate Schedule – At first you’re communicating the schedule to the executive team hoping for buy-in on the need for a BCM/DR program build but you also need to communicate the schedule with other stakeholders. For example, if you’re going to be meeting with all division leaders, they should know what your timelines are so they can work within those or recommend amendments if the timeline is unrealistic (to them).

2. Base on Agreed-to Availability – If a department isn’t available due to some high-priority initiative during the week of a specific month, then schedule around them and accommodate their priorities. It could be that you meet with them first or schedule them last so that they don’t experience any distractions as they implement their own high priority project. Meet with the department/division leads to ensure that timing is mutually satisfactory.

3. Report Progress – Once you’ve got a timeline developed and approved, executives are going to expect a report on your progress; not just on the deliverables but on whether you’re on track to the timeline. Are you behind schedule or are you ahead of schedule and if you’re behind, what are you going to do to try and get back on schedule? Keep in mind, you may be behind schedule due to an unforeseen circumstance, which had resources focusing on something else and the BCM/DR meetings needed to be rescheduled to later dates. If that’s the case, make sure this is communicated to the executive team, as they will understand if there were unforeseen circumstances based on an incident or sudden client issue that refocused individuals. They won’t be happy if you’re behind schedule for no ‘valid’ reason and have no plan to get back on track.

4. Issues, Risks & Assumptions – If an unforeseen circumstance occurs, as noted in #3 above, there hopefully will have been a documented risk; a risk that states that the schedule is based on no unforeseen circumstances occurring and that available resources aren’t refocused for any amount of time to deal with it. If resources are repurposed to deal with the issue, then the BCM/DR schedule will be impacted. By documenting this, executives will understand the reason for being behind and will allow you to re-plan but won’t be happy if you were always planning a ‘perfect path’ – that nothing will go wrong.

5. The Right Resources – When scheduling, make sure you’re going to get the right person to interview or participate. If you are assigned someone who is impossible to schedule a meeting with because their calendar is continuously full and they are over-allocated, you may find your timelines slipping. Make sure you get the best resource participant from the department and ensure they have time committed to the BCM/DR program.

6. Project vs Program – Be sure to break up the overall timeline into mini-projects. For example, when you will begin and end the Business Impact Analysis (BIA) project and when you will perform the BCM/DR strategy development project. Each must have a start and end date with a specific deliverable planned. All this needs to be sketched out.

7. Determine Milestones – The end dates noted above in #6 may also be your milestones; key points you’re striving to achieve in your overall timeline. Make sure that you have a few key points captured, as these are used in the progress reporting with executive management, so they can ‘see’ your progress.

8. Dependencies – If you have any dependencies between program phases, identify those up front so executives – and others – understand why some phases are performed in a specific order. For example, the development of BCM/DR strategies cannot begin until the BIA phase has completed and findings presented or a test cannot occur until specific plans have been developed and implemented.

9. Schedule Around ‘Them’ – When scheduling, try to schedule around the individuals themselves, as they have other responsibilities to deal with as part of their daily routine. If anyone’s schedule must be accommodating, it must be the BCM/DR practitioner’s, not the department individual’s. Keep them in mind when scheduling and show respect, meaning don’t schedule them over lunch or late on a Friday afternoon; it’ll only create a bit of animosity – unless you’re paying for lunch. Don’t forget, people have vacations so try not to ‘jump’ on them just before they leave or on the first day they get back.

10. Know the Executive/Board Schedule – When you’re reporting the status of your program build, you’ll be required to present the updates to executives (or a likeminded committee) and you need to know what their timeframes are. Do they meet every 2 weeks on a Wednesday? When does your status report need to be submitted to get on the agenda? Know these types of dates in advance.

11. Know ‘Busy’ Timeframes – This should be a no-brainer; don’t schedule around the busy timeframes when individuals are not going to be available to attend meetings or provide information. For example, if there are numerous activities that occur at month end, don’t schedule people during that time. Use it to catch up on your own materials and update status reports etc.

12. Revisit Timelines – During each phase, review the schedule for the next phase to ensure you are on track and make adjustments where you need to. Keep your timelines realistic based on what’s happening and forecast what you think the next phase(s) will consist of. For example, you may have determined that 2 months would be enough to spend developing technology restoration and recovery strategies but based on the BIA findings, you may need to extend that by another month because you need to contact a 3rd party vendor.

© StoneRoad 2013





8 Considerations for Online BCM/DR Solutions

24 11 2013

To many, it might seem easier just to go the online application route to perform a Business Impact Analysis (BIA) or build Business Continuity Plans (BCP), Crisis Management & Communication protocols and even Disaster Team roles and responsibilities. However, it’s not always that easy. An online solution may not be the best bet to start with, as there are considerations organizations need to think of before going down the ‘online’ route.

1. Financial Considerations:
a. Product Cost – This is one of the main considerations for all purchases. If it’s too expensive – regardless of what it does and/or doesn’t do – many won’t consider it. So, the price is something that pops to the top of every list no matter what the requirements are. Once cost is balanced against other requirements, then the real decision gets made. Want and need against the cost to get what suits the organization.
b. Administrator Training: Often, the purchase of a solution means that someone – either an individual or a group of individuals – needs to be trained on how to administer and configure the new application.
c. User Training: In the past there have been instances where individuals must travel to the vendor’s location to receive training on their product – this may still occur for some products. If this is the case, then your organization must take into account the additional travel and accommodation costs attributed to the number – and length – of training courses that have to be taken before anyone can begin to use the product. In some instances, this might add weeks to your planned implementation schedule because the course offerings (training) may be dependent upon the vendor’s availability and if current courses have any available spaces.

2. Set-Up & Configuration: This requires your internal IT team to get involved. They need to ensure they have a server available or space on an existing server to house the new application. In many instances, they will have more questions than you’re able to answer, and chatting back and forth with the vendor about configuration requirements may take some time, especially if you encounter any issues.

3. Internal Technology Involvement: OK, so you bought the new online application – now what? Who internally is going to support it and do they need training on its workings and what’s required to support you and the internal users?

4. Support & On-going Maintenance: Make sure that if you have any questions, contacting someone for assistance is easy. If your vendor is in another time zone, their support hours may not cover the time you’re in the office and thus, you only have a small window each day to speak with someone. Find out what level of support is offered. In some instances most of the technical support ends up coming from your own internal IT personnel, which usually frustrates them, as they’re supporting a system/application that isn’t theirs to start with.

5. Questionnaire Build: Most applications, such as those intended for Business Impact Analysis (BIA), come with some pre-existing questions, which you can leverage. However, in many cases the questions are generic and may not represent the full range of information you require. If that’s the case, then you need to ensure you have time available to plan out your questions and then insert them into the application. Depending upon the application functions, you may have to build in links between various questions. For example, if a question is answered with a ‘no’ then it skips the following questions that may appear if the answer to a question was ‘yes’. Good questions will help give you the information you need so be sure to spend time on the questions to ensure they meet the needs of your organization.

6. Reporting: One of the advantages of online applications is that they are able to provide all sorts of reports and report formats. However, since each organization is different and the reporting isn’t standard from one organization to another – let alone reporting related to BCM/DR – an organization may have to design its own reports and build the criteria around them so that it gets the information it wants to make decisions based on the input from users. Designing reports may come at a later date once the user (BCM resource) is more comfortable with the application and when there is actual data to work from, rather than building the report before actual responses and input have been received.

7. Time: Time is money, as they say; do you have the time to get everything noted above coordinated before moving on to build your BCM/DR program? If the direction from senior management to build a program comes with deadlines (i.e. a BIA completed in 2 months with findings and recommendations) do you have the time to begin looking for an online solution, purchase it, design it to your specifications, train users (including yourself), get users to complete the questionnaires (or whatever is being sought), capture the findings and present them to executives? Quite possibly not. The online solution may become a more long term aspect to enhance the program, rather than the component that kicks it off.

8. Growth: If your organization has grown by leaps and bounds it will become impossible to manage all the various program components. Change would be happening so quickly (let’s hope) that a manual process would take too long and be too labour intensive to ensure plans are kept current, incorporating the change in so many locations (assuming new facilities are being utilized), new nationalities and requirements, new departments (spread over multiple locations) and new processes and client/vendor/partner needs. And this doesn’t begin to include the new challenges for the Technology Recovery Plan (TRP).

In the end, an online solution will eventually expedite information and keep it manageable; it just can take a lot of effort to get there. Sometimes the old manual method of acquiring BIA information is quicker and easier. Yet while that is being done, an online solution can be investigated and slowly built in the background, being populated with the information obtained from the initial BIA – when you’ve actually moved on from the BIA and are working on developing contingency strategies and solutions. The manual process for BCM/DR can only last so long before it becomes harder to maintain. As the organization grows and hierarchical structures begin to ebb and flow to meet new challenges, the online version can respond much quicker than updating multiple documents.

In no way is this intended to deter organizations from using online BCM/DR applications; in fact in the long run they can offer more good than negative. But, starting out fresh with them can cause delays and hindrances you may not have time to tolerate.

© Stone Road Inc. (StoneRoad) A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL





12 Reasons Why Organizations Will ‘Forget’ What to Do in a Disaster

16 09 2013

Many organizations can build a comprehensive BCM program and plans; detailing every action and activity needed to ensure the continued operation of an organization when a disaster strikes. However, even the most comprehensive program and plan can still suffer greatly when they are needed the most because many organizations’ DR teams and team members forget what it is they are supposed to do.
There are many reasons for that. Sudden changes in environment can throw people for a loop, as the situation throws chaos into their normal day and it’s easy for people to forget what to do when they are required to do it. Sometimes the reason for plan activities or action items being forgotten occurs even before the disaster situation makes itself known.
Below are some of the reasons why people – and organizations – forget their activities before and during a disaster.

1. No Executive Support: It’s easy to forget some initiative within an organization when even the executive leadership don’t support it. After all, if they don’t care for something, why should anyone else? It’s that simple; without executive support people will quickly forget that there is a BCM or DR program in place for when a disaster occurs. Even executives will wonder where it is and, believe it or not, even without their support having played a part in its development (if at all), will wonder why no one knows what’s going on and why people aren’t performing tasks.

2. No Leadership: Continuing on from #1, people want leadership during a disaster; they believe that those responsible for the organization in good times are also responsible for the organization during bad times and will provide guidance and leadership on what needs to be done when a disaster occurs. If there is no one taking responsibility for the disaster, then people are left hanging – wondering what to do. This doesn’t mean the leader or coordinator of the response functions is responsible for the disaster; it means they are taking the responsibility to lead the organization as a result of the disaster. Even if employees and members of various DR teams are aware of their activities, they are still looking at the organization’s leadership to provide direction and provide answers to any key questions that may come up as a result of specific situations discovered based on the disaster. If executives and/or senior management aren’t part of the decision making process and part of the BCM program, they won’t know what to do or what is expected of them. The executives themselves won’t be aware of the DR/BCM team makeup or what any of the program protocols are. They could end up trying to lead the organization through the disaster, blind.

3. No Plans: One of the biggest reasons people will stand around wondering what to do is that there isn’t a plan – even a bad one – in place for them to activate, reference and follow. In a nutshell, the organization has done nothing to promote any sort of disaster response or planning mechanisms and when disaster strikes, there is no known prioritization of what needs to be activated. All the responses are made up on the spot, which could pose even more problems for the organization. It’s like a jigsaw puzzle; you don’t start putting the pieces together until you know the picture (or at least most people don’t) and you can’t rebuild a corporation after a disaster when you don’t even know what pieces you need first to rebuild it. No plans in place can mean the end of the organization, as it will take too long to figure out what is priority between the business and technology and getting the two to agree to a restoration, recovery and resumption strategy. You can’t ‘wing’ it in a disaster…

4. No Delegation of Authority: It’s often quite comical when someone is required to perform BCM activities, as captured in a DR/BCP or crisis management plan, but they aren’t given the authority to do so. This can mean they don’t have the delegation of authority to make decisions or provide guidance to others or they don’t have the IDs and/or passwords to perform functions. It’s like giving someone a car and telling them it is all paid for and it’s there for as long as they want it but not giving them the key. This is one thing that stops many organizations from performing activities; people don’t have the authority to do anything and thus, they are waiting for direction from others when in fact they are the ones who are supposed to be providing the direction. If someone doesn’t have the right authority to perform activities, they will be a roadblock to other activities and many groups may be standing and waiting around for guidance and information. And further on the point of IDs and passwords; often this information is created and placed in a secure location that people forget about. Rarely are they reviewed, updated or even remembered because they are placed in an online folder, which is no longer available because technology has failed. These IDs and passwords are for use only during a disaster so they rarely get reviewed. These should be part of an annual (at least) review to ensure that people remember where they are and what they are – and remember that these are probably powerful IDs and passwords and only a few key people should know about them to start with. If someone leaves the organization, make sure you change the passwords and remove their ID just in case.
When you test, try activities using these profiles to ensure that they are current and validated; that required activities can be performed using these ‘generic’ IDs and passwords. Make sure they are amended after the test so they are fresh and those using them – the users – can’t use them during normal business hours.

5. No Testing/Validation: If validation activities are not performed, then how can anyone know exactly what to do? Testing is a form of training and training will help people identify their roles and build BCM plans and processes. When testing, start off small and then build upon successes – and upon problems – so that the program becomes stronger and stronger. If no one participates in tests then no one has the opportunity to practice their roles and areas of responsibility; they then need someone to remind them or provide guidance to them as to what to do. Also, if you only test once or rarely, people will forget what they need to do and where their materials are located.

6. Assumptions: A key reason many stand around not knowing what to do, or forgetting what they need to do, is related back to the assumptions made during the initial stages of building and implementing plans and processes. All too often non-technology departments (i.e. “the business”) will make assumptions about technology departments (i.e. “IT”) but without ever validating that the assumptions are correct; sometimes never even letting the other know that an assumption has even been made. From personal experience, there have been too many instances where one side or the other states that ‘IT/business knows x or y…’ or that ‘IT/business will do…’ and it almost never proves to be true. Both teams end up confused not knowing what to do because they are waiting on the other for information or they are assuming that something is occurring while they’re just waiting for some confirmation that an activity is done. In reality, everyone is standing around not knowing what to do or who to even talk to. If you’re using assumptions in your initial planning, through exercises and tests, the number of assumptions being used should dwindle over time as they either become actual roles within a plan/process or are proven to be false and are removed from a plan/process.

7. No Awareness & Training: It’s a simple one really; no one knows what to do in a disaster because no one has told them about it. They haven’t been part of the overall program build or design (not that everyone needs to be part of every phase) and haven’t been told they are responsible for specific activities. Often, DR team members don’t even know they are part of that team until someone asks what they are going to do in a meeting full of other managers – some not sure why they are there in the first place. This also means that they haven’t been involved with any testing activities to help validate plans, which is one of the best opportunities for training; executing activities under controlled circumstances to actually learn what needs to be completed and understand expectations.

8. Plans and Processes are Written in Isolation: Sometimes it’s not even a case of forgetting what needs to be done, as outlined in a BCP/DR plan – it’s never being told what is in the plan and not being part of its build. All too often plans are built in isolation, meaning someone not within the department is writing its contents based on what they know and what they hear at meetings. Yet if the actual user isn’t part of that development or the person responsible for actioning activities isn’t part of the plan’s development, they aren’t going to know what activities they are responsible for. Ensure that all plans are written with the person or persons responsible for the plan itself; the person who’ll actually be responsible to action the activities within the plan.

9. No Review of Plans (by Users): One of the best ways to ensure that a BCP/DR plan has everything it needs and that the content is clear and understood, is to ensure that it’s reviewed by the actual user. When they review existing plans, as noted in #8 above, they can recommend enhancements, additions or even deletions based on real knowledge of what needs to be done. If a plan was written in isolation and no review was performed by an actual user, it’s no wonder people don’t know what actions to take or even where their plan is – if they even know there is a plan in the first place. If no review of the plan is performed then the users themselves don’t become familiar with content and what is expected of them. Instead of initiating proactive measures they wait for someone to tell them what is expected and in many cases, those individuals are assuming that ‘plan’ users know what needs to be done.

10. Focus on Blame: When an organization has a disaster, often you see the Public Relations (PR) representative or the President stand in front of a microphone being questioned by members of the media – or even the public sometimes – and they spend a lot of time pointing the finger of blame or trying to deflect any criticism or questioning on what the organization is doing. When employees see this, they will spend their time trying to find the cause of the problem or the ‘right one to blame’ rather than concentrating on a proper response, restoration and recovery strategy. All hands are on deck to find out what is wrong and who should be held responsible but if leadership is busy with that approach then employees will be too, as they won’t be focusing on the right tasks at hand. It ends up being a crutch that organizations leverage so that they can start their restoration and recovery activities in the background, away from the face of the media. Usually, this means they didn’t have any strategy in place to begin with and the excuse that someone else is to blame is used as a smokescreen to cover the fact that behind the scenes, no one knows what to do within the organization.

11. Checklist Approach: If BCM is a checkbox on someone’s report, the chances are it’s a checkbox on an executive report. They eventually see the checkbox ticked and then there is no more discussion or promotion of the BCM initiatives. This also means that the only reason the program was started in the first place was to ensure someone’s checkbox was ticked and that it drops off of any report or audit ticket. Chances are good that the work and value of the work performed to plan, develop and execute plans was minimal at best and won’t be of much use during a real situation. Thus, no one will pay close attention to the BCM program and the related plans because it’s treated as a one-time thing – forgotten when the checkbox is identified as complete.

12. Seeking Direction: Like many people, when something occurs everyone looks around for direction; who will take control of the situation and tell us what to do? Staff will look to management while management is looking at executives; each expecting the other to provide direction on what they should – or shouldn’t – be doing. Think of when a fire alarm goes off in a facility – even a fire drill – most people keep working or start asking if it’s a real situation or not. Should we get up? Should we leave? Many wait to be told to leave before they bother responding to the alarms. If people can’t understand that they need to leave when the fire alarms go off it’s no wonder they don’t understand their role when a disaster strikes. Everyone is seeking direction from someone else.

Finally, panic is something that can run rampant during a disaster. When that happens, any thought of gaining control of the situation can go out the window and there’s no way anyone is going to pay attention to their role on a disaster team when that happens. This is why many of the items noted above need to be addressed prior to any situation occurring. When people are more aware of what to do and have been through it a few times – each more challenging than the last – they are better prepared to deal with the situation when it’s real – not faked under controlled circumstances, as it is usually done during a test. There will still be an element of panic – it’s almost a given – but putting measures in place to deal with it ahead of time can help reduce its impact and increase the chances considerably that no one will be standing around wondering what to do; they won’t forget.

© StoneRoad (Stone Road Inc) 2013

Books by A. Alex Fullick Available at the following:
http://www.stone-road.com, http://www.amazon.com & http://www.volumesdirect.com





8 TIPS for COMMUNICATING DURING A CRISIS

16 08 2013

To most people a crisis is bad and for the most part, they’d probably be right. However, an organization can do good things when they are hit with a crisis; some may even say there is an opportunity. The situation itself might be bad enough but if it’s not being managed correctly or communications aren’t approached in a positive way, the crisis can be compounded because the media and the public will think there are more things being hidden by the organization.
If it seems that an organization isn’t prepared – through its communications and response actions – the media and public may start to go ‘hunting’ for more information and uncover other details of the organization that the organization may not want released. Not that they are bad examples on their own but compounded with the existing crisis they will seem larger and could create another crisis or even escalate the existing one. The organization will then be fighting more than one crisis on its hands.
Below are some tips for how to communicate during a crisis; some do’s and don’ts and tips for ensuring good communications when speaking to the media and the general public.

1. Lawyers Aren’t the Face of the Organization – This is one of the biggest mistakes organizations make when communicating with the media and public; they let their lawyers do the talking. Lawyers are good at what they do, don’t get me wrong; they just aren’t the ‘face’ of the organization. Often they will speak in terms that the public either don’t understand or don’t want to hear. The public wants to hear what the situation is and what the organization is going to do about the crisis, not the legalities it’s taking to find blame (which is what the lawyers will be trying to do to either minimize or remove the burden off the shoulders of the organization).

2. Apologize and Show You Care – Be sincere and offer apologies. Don’t say you’re sorry and continue with a ‘but’ statement, as it just nullifies the apology and the public and media will know you really aren’t showing care of the parties involved or impacted by the crisis. It shows you’re trying to defend the organization rather than helping those impacted – or possibly injured – as a result of the situation. Apologizing with sincerity can soften the anger towards the organization and actually help bring people towards the organization by offering assistance. Apologizing also shows that the main concern of the organization is people, not money or shareholders, but people impacted by the situation.

3. Leadership – You’ve got to have the leaders in front of the camera. Public Relations or Human Resource Managers can be in front of the camera only so long before people begin to question the leadership qualities of those in charge if they aren’t being seen by the public. Organizational leaders must be seen during a crisis, not just when good things occur.

4. Responsibility – Many may not agree but take responsibility for what happened. To deny or lay blame immediately isn’t appreciated. Even if you know the situation was not caused by your organization, it’s your organization in the headlines and people are watching. So take responsibility and take control of the situation; you can always find the blame later and take necessary actions.

5. Don’t Delay – Too often many organizations take too long to put a response together. If there’s a delay in response it could send the message that you’re trying to hide something or that you’re hoping the situation will just go away, which it won’t. Even a quick press conference to state what you know – even if it’s very little – still shows that you’re on top of events and managing the situation, not letting the situation manage you.

6. Ask for Help – There’s nothing wrong with asking for help. It may not mean asking for help to restore systems and processes but it may be to ask help from the media to communicate key phone numbers or websites that employees or customers or the public can access to get more information or provide information on what they might know about the disaster. The media is always willing to help and to a large degree, when an organization requests assistance with such initiatives, it helps show the public you have nothing to hide because you’re inviting others to participate and offer assistance.

7. Communicate Even When It’s Over – A crisis isn’t over after a day or two in the headlines; it’s over when you’ve learned something and resolved the matter so that it doesn’t occur again (if the situation allows for that). If you’ve had an internal problem that caused the crisis, communicating days or weeks later that the situation has been resolved shows that you learned something from the crisis and saw it through to the end by resolving it and letting others know of that resolution.

8. Leaders Need Training – Everyone needs training to improve their skills and move forward; this includes corporate / organizational leaders. No one knows when a crisis will occur – and it will – so leaders need to have training on how to communicate in a crisis. There are many crisis management & communication courses offered, so leaders should prepare themselves. They expect the rest of the organization to be prepared and do their part when a crisis or disaster occurs, so leaders need to ensure they are prepared.

© Stone Road Inc. 2013





Crisis Management: When Does a Crisis Start?

12 07 2013

Many of us don’t hear about a crisis until it hits the newswires, either through social media, news websites or through a posting on a social site we might follow. In some cases, we might not know about a crisis until we see first responders racing down the road heading towards an emergency.
Some will automatically see a disaster as a large catastrophe, and one of the BCM/DR industry definitions of a disaster is that it’s a sudden, unplanned event that prevents the organization from performing normal operations. However, a crisis or a disaster can start well before the public or media even get wind of the problem.
Sometimes a disaster doesn’t begin until after a period of time when a lesser level of operational hindrance has been experienced. Then, when the disaster itself occurs, the management of the situation will determine the level of crisis; meaning how well the crisis is handled from the perspective of the public, media, stakeholders (vendors, partners etc.) and employees.
For an operational impact, it could be that a key application is offline, but is that a disaster? Probably not. If the offline application has a major impact upon people, causing major distress and problems, such as something in health care or the financial industry, then yes, that application being offline – even for a short time – is a disaster. How the immediate response and post-disaster activities are managed is what will create the crisis for the company. If you get something up and running within a very short time (and in today’s world that’s usually no more than an hour) then it might not be a disaster, and a quick response and communication to the community will suffice. If it’s longer, then the level of management involvement in the situation and the level of impact it has make it a disaster.
Still, if an organization has an internal Crisis Management process in place, early identification and response measures may prevent the incident from escalating and becoming a crisis – or a disaster if nothing is done about it – in the media or public eye. It was just an incident that didn’t have any major impact. Oddly enough, it could have been a major interruption but the impact on Service Level Agreements (SLA), employees, customers, vendors and partners was limited in size and scope; it was just a major incident for the company involved because of the resources (financial, time, personnel) it took to get resolved.
So, when does a crisis start?
It starts the moment the organization believes that someone – anyone – will begin to ask questions. It could be a client, employee (who will access social media about it if they haven’t been educated about not communicating corporate activities), vendor, partner or in some cases a financial institution or legislative body. An organization may be able to manage the situation internally with little impact on external – and internal – parties, but as soon as questions are asked about the disruption, you have the start of a crisis. It’s how well you manage those initial questions – along with the incident response itself (i.e. getting the critical application up and running as soon as possible) – that will determine how far the crisis escalates. If you don’t manage it properly the crisis will grow and escalate, making it a ‘Public Relations’ disaster.
The start of a crisis is different for every organization. It all depends on the level of preparation, preparedness and response that is developed and instilled within the corporate operations. If an organization doesn’t have anything developed or the level of development is sub-par and very ‘flimsy’, the crisis starts quickly and escalates quickly – reaching that “PR” disaster timeframe in record time.

**NOW AVAILABLE**
Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3.
Available at http://www.stone-road.com, http://www.amazon.com, http://www.volumesdirect.com







