BCM & DR: Can Organizations be Resilient?

6 07 2014

There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture.

It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014 (A.Alex Fullick)





Business Continuity Management (BCM) / Disaster Recovery (DR) Document Templates Available for Small and Medium Businesses!!

3 07 2014

Not every business can spend thousands and thousands of dollars on expensive software packages to get their BCM / DR programs off the ground – or has the time to get software configured and ready for use.

Having experienced these challenges first hand, StoneRoad developed a cheaper alternative: we developed document templates for Business Impact Analysis (BIA), Business Continuity Plans (BCP) and more.

Visit the StoneRoad site and go to the Shop section to view the various templates available and get your program moving with a low cost alternative to expensive software! Each template provides instructions on what information is needed so that you can build your program with less fuss – and with more results!

Here’s just a sample of our document offerings:

1) Test Scope Charter Document (Word Document)
2) Business Impact Analysis (BIA) (Excel Worksheets)
3) Operating Unit Business Continuity Plan (BCP) Template (Word Document)
4) Emergency Employee Logistics & Pandemic Plan (Word Document)
5) Test Executive Summary (Word Document)

…and more. We’re adding new templates all the time to help you. We even have BCM & DR books and ebooks available.

So download what you need and get started!

Happy planning!

Regards,
The StoneRoad Team

“Reduce Suffering Through Disaster Planning”

© 2014, Stone Road Inc.





BCM & DR Books to Help Build Your Program by A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL

3 07 2014

The message about disasters, disaster planning and business continuity is slowly spreading throughout the globe, as we see more and more organizations beginning to realize the value of preparedness and response activities to protect their operations and instil confidence in those they do business with.

Here at StoneRoad, we’ve seen a spike in people asking us questions and seeking advice on Business Continuity Management (BCM) / Disaster Recovery Programs – and we couldn’t be happier.

So we’d like to remind you that there are some great books by our founder, Alex Fullick, that can help provide great insight into how a good program operates – and how it shouldn’t. The books noted below are available on Amazon.com and at our own shop over at www.stone-road.com.

1) Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility

2) Business Impact Analysis (BIA): Building the Foundation for a Strong Business Continuity Program

3) Made Again – Volume 1: Practical Advice for Business Continuity Programs

4) Made Again – Volume 2: Practical Advice for Business Continuity Programs

Keep an eye out for the next book by A.Alex Fullick; “Testing Disaster and Business Continuity Plans” expected to launch in the fall of 2014.

Until then, happy planning!!

Regards,
The StoneRoad Team

© 2014, Stone Road Inc.





BCM / DR: eBooks Now Available by A. Alex Fullick (Stone Road Inc)

21 06 2014

We’ve been a bunch of busy beavers here at StoneRoad. We’re very happy to announce that two books by our founder A.Alex Fullick, ‘Heads in the Sand’ and ‘Business Impact Analysis’ are now exclusively available as ebooks at the StoneRoad shop.

Get your copies now using the links below:

Heads in the Sand
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=201&zenid=3d712e28f2680972874f7e4a8d473940

Business Impact Analysis
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=202&zenid=3d712e28f2680972874f7e4a8d473940

‘Like’ Join us on Facebook too at Stone Road Inc.

The StoneRoad Team.
(C) Stone Road Inc, 2014





BCM / DR: How Does an Organization Become Resilient?

21 06 2014

There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture of what will make an organization resilient.

It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014
A.Alex Fullick has over 18 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





10 Tips to Remember When You Don’t Have a Disaster Plan…and Disaster Strikes!

8 06 2014

(c) Stone Road Inc. 2014 (A.Alex Fullick)

When disaster strikes, keep calm and march on!! Sometimes it’s not always that easy and in a real situation you really do need to carry on; if you don’t, you’re done! Over! Caput! Even with the numerous disasters occurring in the world – some man-made some natural in nature – there are still many organizations that would rather take their chances with fate than invest in a Disaster Response / Emergency Response / Business Continuity Management program. When disaster does strike, these organizations are left empty handed. With no plans or processes in place to respond to the situation they must ‘wing it’ if they’re to continue staying in business – or attempt to stay in business.
So what should organizations consider and focus on if they are caught in a serious situation and they don’t have a BCM/DR program in place? What do they need to do to try to get some level of coordination in response, restoration, recovery and resumption efforts? Below are some tips for how leaders need to view the predicament they find themselves in; a disaster/crisis with no BCM/DR program or plan in place.

1. Don’t Throw in the Towel – Don’t give up! You’ve got to do something even if you don’t have a proven plan in place, so keep going and do what you feel is right. Under no circumstances should you give up, as you really don’t have an alternative unless you really want your organization to fail. As the saying goes, ‘Keep calm and carry on!’

2. Figure it Out Quickly – Don’t waste time debating and getting everyone’s input on what to do. Figure out what your main objectives are then take it from there. The longer you take the less likely you are to remain in business much longer. And even if you do get up and running, because you took so long to do anything, confidence in your organization will vanish.

3. Focus on People – Make people your priority. A little bit of care and compassion can go along way in public and media perceptions and if you make people priority #1, you’ll be forgiven a bit more for not having a plan or program in place.

4. Reconfigure – Time will be of the essence, so don’t bother trying to get things like-for-like; it won’t happen. You have no plan, which may also mean no alternate site, so get what you can and start rebuilding. It may mean patch-working systems and services together and getting people to do activities they don’t normally do but do it anyway to get your operations up and running. You’ve got a clean slate in front of you, so feel free to reconfigure what you need to make things work. A small beat-up car will get you to “location A” just as well as a luxury car, so if you need to reconfigure…do it.

5. Get Rid of Expectations and Assumptions – Don’t bother asking questions and wondering about assumptions; you need to action things immediately and start doing something. If you’ve had a disaster and have no plan in place, then there are no rules, guidelines, directives or assumptions to work around; no boundaries to hold you back. So everything is possible to you and you’ve got to start trying to get your organization back up and running with technology recovery, business continuity and crisis management so that you can begin to service your clients with the services and products you provide. With assumptions, you may be thinking that everything you need is easily available – including people. However, this might not be the case so throw your assumptions out the window because the only assumption that gets proven correct in a disaster is that all your assumptions are wrong.

6. Emotion Over Intellectual Response – If you want to stay in the good graces of people, then speak to them emotionally, not like an automaton full of intellectual platitudes. If you don’t have a plan in place, you’re biggest fight will be with through how you respond to the disaster as perceived by onlookers not how two IT servers are connected to the internet. Speak with an emotional approach and you may find that people will approach you offering help, assistance and with compassionate sympathy.

7. Don’t Blame – Don’t play the blame game right away. You’re in a disaster and the public, employees, partners and the media what to see you dong something and managing the situation; blaming others is seen as a smoke screen in an effort to deflect questions and criticism. But the opposite occurs so don’t bother playing a game you can’t win. When the dust has settled and you’ve performed investigations into the cause, then you might be in a position to start blaming but it shouldn’t be your priority.

8. Request Help – It’s not time to be proud. If you need assistance to get resources then ask for it. Don’t be shy, as trying to hide the fact you need assistance can cause even more problems. Many organizations are willing to help competitors and partners when they have a disaster but many are too afraid to ask for help because asking for assistance is seen as a weakness when in fact, not asking for assistance is a sign of proud arrogance. If you need help, ask and don’t shy away from stating the issues you have, as it a response or helping hand may appear to help resolve some of the problems you’re facing.

9. People Are Resilient – People do not wantonly wish to fail; they want to succeed and responding to a disaster by their employer is going to make them want to work hard and overcome the situation. Their livelihood is at stake and they aren’t about to let that disappear without fighting for it. Many want to be part of restoration and recovery efforts, as it takes them away from the trauma of what has occurred and helps them focus on areas with which they have more control and knowledge – rebuilding servers, loading applications, testing etc. Your organization isn’t the first to experience and disaster and won’t be the last and in the majority of cases, people overcame adversity by sheer hard work and will power – and never giving up. Let the employees do what they know needs doing instead of trying to make it up on the spot, they are aware of what they need to do, as they do it each day – it’s why you employ them.

10. Listen – Listen to those around you – especially those Subject Matter Experts (SME) and End Users that can offer all sorts of advice on how to get something working again. Often, experts are leveraged from external sources and all too often, they are doing things with their own gain in mind, so don’t throw away suggestions from others, as they may have ideas that can be of assistance and those ideas may work better than some other specialists because they often are thinking outside the box. They are also thinking or ensuring they get their jobs back and their employer operational; a different perspective than some vendors and partners who are more worried about the impact upon their bottom line rather than yours.

11. (BONUS) Document Everything: When the disaster is over – or when you’ve got time to start – begin to document everything you’ve done. Every action item and resolution. Every decision. Every communication – the good and the bad. Every participating role required and what they did – and didn’t need to do. Every action asked and required of partners, vendors and suppliers. Every aspect required to assist employees. This will help start you formal BCM/DR program and begin to pull ideas together for plans because as sure as the sun will rise tomorrow, you’ll be building your program immediately. In fact, it’ll probably be the #1 priority of executives and management, assuming you’re organization was able to get through the situation and come out the other side – though probably battered and bruised.

No matter what happens, you have to be doing something. The situation won’t resolve itself by wondering what to do or wondering what ‘might have been’ had you a BCM/DR plan.
When it seems you’re down, get back up and keep playing on – you’re only beaten if you give up, not if the issue continues. It’s said that Edison failed at inventing the light bulb dozens of times but did he give up, no, he played on. Abraham Lincoln give up, despite losing a couple of elections and became President of the United States.

© StoneRoad 2014
By A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL, author of multiple books on BCM including “BIA: Building the Foundation for a Strong Business Continuity Program” and “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.”





BCM / DR: The Little Test Activities Often Forgotten

26 04 2014

Having been a part of dozens of test to varying size and scales, I’ve come across quite a few instances where planners – including myself at times – forget to consider when organizing a BCM / DR test. I thought I’d come up with ten (10) areas that have at some point, been a fly in the ointment of test coordinators and caused issues further down the road and on one occasion, at the moment the test was scheduled to begin.

1. Production Priorities – Believe it or not, once everyone was so focused on testing they forgot to ensure that someone was left to support any production issues. While testing activities were underway, all members of a department were focused on ensuring that the test went well that no one was monitoring a production issue, which needless to say, caused allot of grief for business units. Don’t forget that even when you’re testing BCM/DR capabilities, you’re production environments are still ‘live’.

2. Test Strategy – Know ahead of time what strategy you’re going to leverage for testing purposes and ensure its communicated and agreed-to by everyone involved or else different groups will be working in isolation and not working towards the same thing.

3. Managing Scope – Keep people on track during planning and execution. If no one is clear on scope then the activities they plan and execute might not achieve the goals you’ve set. It also means that even though they might perform tasks successfully and everyone is happy, you still didn’t get what you originally planned for. It’s like being given a bicycle to get from A to B when you originally asked for a pickup truck. Sure you got to where you’re going but the goal was the truck. Did you really achieve your goal and scope if the scope and goal was to get from A to B with a truck? Nope, you didn’t.

4. Resource Assignment – When user activities are required it has been assumed the people needed will be available but often the department responsible for the resources are never approached about being part of the test and when they are, it’s too late because people are working on other initiatives. So make sure you speak with other teams early so that resources can be aligned early.

5. Change Management / Requests – This is relate to the scope; if you’re changing something – even times, dates etc – make sure everyone knows about it and that you document the desired change. Using the previous example about the bicycle and truck; it may have been a great idea to change the truck to the bicycle and it still worked for you however, the scope was the truck and there was no formal mention of changing it to the bicycle. If you’d managed it correctly and documented the fact you were going to use a bicycle, then it would have been known by everyone that the truck is ‘out’ and the bike was ‘in’ and everything would be a success.

6. Agreement – When you have key decisions made or need key decisions to be made, ensure you have agreement on the final outcome. It could be that if you make decisions without consulting impacted parties, they won’t support what you’ve determined and will continue on their original path. This only means confusion and failure further down the road. Keep everyone on the same page and part of the decision making process; if even as an FYI in some cases.

7. Documentation – Make sure you document all aspects of the test; most notably scope and goals and objectives. If you don’t who do you know you met them? You won’t even be able to talk to audit and prove you did what you set out to do because you don’t have anything that captures what you originally set out to do and quite possibly, nothing that sums up what you actually did (a test summary document).

8. Focus on Test Planning Rather Than Planning the Test – Try not to get far off the path here. It’s one thing to ensure you plan the test so that it doesn’t impact production systems or other critical aspects and it’s another to set up the test in a way that it has no relevance and doesn’t reflect what you’d actually do in a real situation. If that happens, you really aren’t testing anything. You need to know where the gaps are in the plans and that they’ll work in a real situation.

9. Test Timelines – Estimate activity sequences and schedule accordingly. If it takes 24 hours to get a mainframe up and running – from scratch – then have end users come in at the same time as the main frame team would be ridiculous, as they’d be sitting around for an entire day before they can do anything. That won’t make them happy.

10. Test Schedule – Plan ahead. When planning efforts are underway to schedule major initiatives over the next year or so, make sure that testing is part of that planning effort. This ensure that departments are aware of the test ahead of schedule and that they are able to plan for that initiative. Also, if you have 3rd party DR vendors involved, you often have no choice but to schedule test time a year in advance or run the risk of not having any time available to test, as the vendors other clients will take up all the available time.

Some of this may seem obvious but you’d be surprised how often the simply things can derail a test. Keep in mind the little things and you’ll have a great chance of success. Remember, if you have the most luxurious car in the world, it does nothing if you don’t have the key.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





TIEMS Newsletter: Latest Edition is Ready

24 03 2014

Hi all,

The latest edition of the TIEMS Newsletter is ready. Take note of some interesting conference announcements and even some opportunities to participate in some research projects. You can find the latest newsletter at the following link:

http://tiems.info/images/TIEMS%202014%20Newsletter%20March.pdf

Enjoy!

The StoneRoad Team





When is a Disaster Considered a Disaster?

22 02 2014

It’s kind of like the old question; ‘If a tree falls in the forest and no one is there to hear it, does it make a sound?’ A disaster isn’t a disaster if there’s no measureable impact. No impact to people’s perception of the situation. No impact to people’s lives. If there is a large fire but there is no people or property (facilities, IT equipment etc.) or processes involved – either by fighting the fire or being impacted by the fire – is it still a disaster? There are no fire fighters and no burning buildings, which have no people being impacted so is it still a fire worth tracking and determining the impact and disaster level? No, because there is no measureable impact.
There will be arguments that state yes, it is a disaster because of the damage it can still cause (i.e. the environment) but if no one is involved how do you know it’s a disaster? There’s nothing that tells you it’s a disaster; nothing to point towards to say ‘this’ is the reason for the fire being a disaster because when the large fire is discovered it’s impact isn’t known…yet
A disaster must have some level of measurable impact. Something that can be ‘seen’ and ‘felt’ by people before it can be classified as a real disaster – and it has to impact people, otherwise it may just be an incident or an event of note. A fire in the middle of nowhere can still be a disaster, but if no one is there to see it, fight it or be impacted by it, it’s not classified as a real disaster because there’s nothing to measure as an impact.
For a disaster to be a disaster – in the eyes of people, media and the public in general – there has to be an impact to;
• People;
• Communities & Community Infrastructure;
• Service interruptions;
• Resources;
• Facilities;
• Technology (including those that impact services and processes);
• Suppliers;
• Vendors;
• Partners;
• Finances;
• Responders…and more.

If there is no measurable impact to any of the above, it’s not a disaster or a situation worth reporting on, it may just be an incident or Business As Usual (BAU) occurrence for which response mechanisms have already been developed to address. A means of addressing the situation before it escalates out of immediate control to become a disaster. Or even, the means to respond to the non-event when the non-event escalates and does begin to have an impact. Staying with the fire example, a forest fire may be a bad situation but not a disaster until it continues out of control and begins to threaten communities. Then what started as a non-event or non-disaster suddenly becomes a disaster.
The argument can be made that anything that impacts another is a disaster. A forest fire is a disaster because it destroys property, animal life and the natural resources it envelopes. But again, if there is no one to fight the fire – or even plan to fight the fire and maybe even to see the fire – is there a real disaster when no one is involved? If people are not involved with the situation by either resolving or addressing it or being impacted by it, it’s not a disaster. It’s just a situation that may or may not be in the headlines and will quickly be forgotten.

© StoneRoad 2014
A.Alex Fullick has over 17yrs experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM & DR: Plans That Can’t Be Made!

31 01 2014

In many organizations, executives and employees – and even auditors, will ask Business Continuity Management (BCM) / Disaster Recovery (DR) practitioners if they have plans for every situation possible; every potential risk and every potential impact to the organization. Considering that the number of risks that exist in the world today is basically infinite – once you calculate all the various potential impacts to an organization from a single event – there will be communication, restoration and recovery plans that just can’t be developed, documented, implemented, communicated, validated or maintained. It is impossible to have a response to every situation; the secret it to be able to adapt to the situation and leverage the response plans you do have to help adapt to the disaster situation.
Still, the questions will come about these plans and why a response isn’t captured for a particular situation and its resulting scenarios. A BCM/DR practitioner must be able to address these questions and be able to respond with reasons as to why specific plans don’t – and can’t – exist.
There are a few key reasons that practitioners must be able to communicate to those asking the questions and they are noted below.

1. Unknown Unknowns – In any situation – both disaster related and non-disaster related, will contain all sorts of details. One specific activity or item can have multiple responses depending on the details that come from the situation itself. For example, an earthquake can cause minor or major damage to an area but depending on where it occurs and when it occurs, the responses to the earthquake will be completely different.

2. Highly Improbably – Sometimes a risk to an organization is just so improbably that creating a plan for the situation would be futile and a waste of resources (time and people). For example, an organization with a facility in the middle of the Canadian prairies wouldn’t bother creating a disaster response plan to avalanches; it’s just so highly unlikely that it could ever happen. If an organization documents the probably risks – such as floods or snowstorms for that previously mentioned prairie location – it can adapt the plans that address the likely risks to those that are highly unlikely. New plans for unlikely activities would just distract from developing plans and processes that are really needed.

3. Changes in Assumptions – Assumptions are those things we believe to be true and they should be challenged continuously; especially through tests and exercises. However, if they aren’t challenged at some point then the continued planning and BCM/DR program development could be based on false information. For instance, if specific partners are expected to perform specific tasks for your organization when it experiences a disaster but they don’t know about them – or the tasks have changed and they’ve not been notified – your plans are going to out of sync with expectations and need. Plans are not build on assumptions but the detailed activities contained with them will be built by assumptions and they must be reviewed at all times.

4. Public Opinion / Perception – Public opinion can change with no warning; what the public may agree to in one situation they may not agree with in another situation- even when the details are relatively the same. All an organization can do is ensure it has a comprehensive Crisis Management and Communications Plan (CM&C) and those responsible for the plan understand how to communicate with the public and respond to the public. There is no way and organization can guess at what the public may believe and trying to determine every response plan to unknown perceptions would take eons to develop – something that an organization just can’t do.

5. External Directives – Depending on the scale of the situation, an organization may receive instructions from 3rd parties, such as the police or local governments. It’s never known what these groups may dictate to an organization, as it’s never known ahead of time what or when a disaster will occur. Thus, a plan can’t be developed to address the specifics of what to do based on directives received from external sources. However, if an organization has an established BCM/DR program with relevant plans and processes, it can adapt itself to the situation based on the impact to the organization itself. If an external source dictates a directive then the organization can take what it has in place and adapt itself. But a plan specific to communications that haven’t been provided – because a disaster hasn’t occurred yet – can’t be documented.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”








Follow

Get every new post delivered to your Inbox.