BCM & DR: Can Organizations be Resilient?

6 07 2014

There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture.

It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014 (A.Alex Fullick)





Business Continuity Management (BCM) / Disaster Recovery (DR) Document Templates Available for Small and Medium Businesses!!

3 07 2014

Not every business can spend thousands and thousands of dollars on expensive software packages to get their BCM / DR programs off the ground – or has the time to get software configured and ready for use.

Having experienced these challenges first hand, StoneRoad developed a cheaper alternative: we developed document templates for Business Impact Analysis (BIA), Business Continuity Plans (BCP) and more.

Visit the StoneRoad site and go to the Shop section to view the various templates available and get your program moving with a low cost alternative to expensive software! Each template provides instructions on what information is needed so that you can build your program with less fuss – and with more results!

Here’s just a sample of our document offerings:

1) Test Scope Charter Document (Word Document)
2) Business Impact Analysis (BIA) (Excel Worksheets)
3) Operating Unit Business Continuity Plan (BCP) Template (Word Document)
4) Emergency Employee Logistics & Pandemic Plan (Word Document)
5) Test Executive Summary (Word Document)

…and more. We’re adding new templates all the time to help you. We even have BCM & DR books and ebooks available.

So download what you need and get started!

Happy planning!

Regards,
The StoneRoad Team

“Reduce Suffering Through Disaster Planning”

© 2014, Stone Road Inc.





BCM & DR Books to Help Build Your Program by A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL

3 07 2014

The message about disasters, disaster planning and business continuity is slowly spreading throughout the globe, as we see more and more organizations beginning to realize the value of preparedness and response activities to protect their operations and instil confidence in those they do business with.

Here at StoneRoad, we’ve seen a spike in people asking us questions and seeking advice on Business Continuity Management (BCM) / Disaster Recovery Programs – and we couldn’t be happier.

So we’d like to remind you that there are some great books by our founder, Alex Fullick, that can help provide great insight into how a good program operates – and how it shouldn’t. The books noted below are available on Amazon.com and at our own shop over at www.stone-road.com.

1) Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility

2) Business Impact Analysis (BIA): Building the Foundation for a Strong Business Continuity Program

3) Made Again – Volume 1: Practical Advice for Business Continuity Programs

4) Made Again – Volume 2: Practical Advice for Business Continuity Programs

Keep an eye out for the next book by A.Alex Fullick; “Testing Disaster and Business Continuity Plans” expected to launch in the fall of 2014.

Until then, happy planning!!

Regards,
The StoneRoad Team

© 2014, Stone Road Inc.





BCM / DR: eBooks Now Available by A. Alex Fullick (Stone Road Inc)

21 06 2014

We’ve been a bunch of busy beavers here at StoneRoad. We’re very happy to announce that two books by our founder A.Alex Fullick, ‘Heads in the Sand’ and ‘Business Impact Analysis’ are now exclusively available as ebooks at the StoneRoad shop.

Get your copies now using the links below:

Heads in the Sand
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=201&zenid=3d712e28f2680972874f7e4a8d473940

Business Impact Analysis
OR

https://stone-road.netfirms.com/cart/index.php?main_page=document_product_info&cPath=3&products_id=202&zenid=3d712e28f2680972874f7e4a8d473940

‘Like’ Join us on Facebook too at Stone Road Inc.

The StoneRoad Team.
(C) Stone Road Inc, 2014





BCM / DR: How Does an Organization Become Resilient?

21 06 2014

There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture of what will make an organization resilient.

It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014
A.Alex Fullick has over 18 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





Crisis Communications: 11 Ways to Recognize that it May Not Be Working

25 05 2014

All BCM program components must be validated prior to any disaster ever occurring; the more validation performed, meaning the more tests with varying situations and scenarios are performed, the better the overall Crisis Management plan and strategy will achieve. The problem is that all too often an organization will draft a crisis management strategy (contained within the crisis management plan) and believe that it will work as documented. This isn’t always the case and in too many instances, it can prove to be detrimental to an organization when it’s experiencing a major business interruption – regardless of the trigger.
There are many indicators to show an organization that what it’s doing isn’t working and that the strategy they are currently working with needs an immediate change.
Disasters and crises can present many challenges for organization and an organization should no compound their own problems by not being alert to early signals that they might be heading down the wrong road.
Below are just a few of those early warning signs that can help an organization amend its crisis communication strategy (the plan) to ensure it doesn’t end up losing control of the overall situation.

1. Negative Social Media Traffic: You’re communicating all sorts of information but no matter what you do messages being posted on the various social media sites are negative towards you and your efforts. The cause could be that the messages you’re sending out aren’t addressing the concerns of those impacted or those that require information. Instead the messages are ‘self-serving’ and thus causing friction with the public, which results in negative comments being posted. Negative traffic can also be caused by the organization itself; it’s not all external. If an organization has schedule postings or updates about the latest product or service, it doesn’t hold well when these keep coming out during a disaster.

2. The Speaker is confused: Nothing is worse than having the ‘face’ face of the organization (that is experiencing the disaster) seem confused and not knowledgeable of what is going on; what the overall disaster situation is or what the organizations plans are in responding to the disaster. Any speaker should know what is occurring and be able to speak to the situation at hand and what the organization is doing; if they can’t, they will make the organization seem unprepared to respond and being in total confusion.

3. Rumours Abound: If you are addressing the situation and providing accurate information but rumours are still being spread, then the organization isn’t addressing the concerns of those needing information. Like #1, people will begin to determine their own conclusions based on little bits of information they come across and then post those conclusions to social media sites or through emails to others. When this occurs, ensure you address the rumours so that they can be dispelled immediately; not addressing rumours will mean they continue, which will harm your crisis management efforts even if you are doing the best you can.

4. Staff Rebellion: When staff begins to moan and groan, it probably means they’re not receiving information they require. Often, organizations focus so much on ensuring that others receiving information and they assume that employees know what they need to do or know where they need to go to get it; this isn’t always the case. You must include employee communications – and continued updates – in your crisis management strategy.

5. Media Questions & Responses: If the media are asking the same question over and over, or leading you back to the same question it means that a key point hasn’t been addressed. It may be something you don’t want to address or don’t know completely, and if so, you better be aware that the media won’t let go of the topic until they feel that it’s been addressed. If you don’t know, then state you don’t know and will update them when it’s possible to do so but ignoring it or simply ‘skirting’ around the topic will only cause them to continue to press for information, which in the end will look like you’re hiding something. And when that occurs, some organizations become antagonistic and begin to debate – to put it politely – with social media posters and traditional media representatives. Don’t get into a debate with them about what has or hasn’t occurred; you’re just being sidetracked by fictitious situations and scenarios being presented by people who have not received the basic information the organization needs to communicate.

6. Clear Lack of Awareness & Training: Nothing says a person don’t know what they’re talking about when they are full of “um’s” and “uh’s”. It shows that there is clearly no proper training in speaking in front of people or that a basic understanding of what the organization will do is severely lacking. It’s as though the person standing in front of the camera’s making it up as they are going or that their responses on social media sites are just basic run-of-the-mill responses; the kind you can relate to sports figures that rattle off basic one-liners after a game (i.e. it was a tough game, I thought the team did well, we played hard…etc). If anyone sounds like that, they know there is no real awareness or training on what needs to be done because during a disaster people are looking for specifics, not boiler plate responses. When there is a lack of training and overall response awareness by company spokespeople, messages can be contradictory because they are speaking ‘off the cuff’ or making it up based on what they ‘think’ is occurring behind the scenes rather than what is occurring. This is why training and awareness must be tailored for all areas of an organization; from the most senior position to the newest employee. Each must have a reasonable understanding of expectations and what role – if any – they will plan. Awareness isn’t just about the response activities but also awareness of what actually happened. People will send messages on social media based on what they know and if you’re organization isn’t aware of what happened, you won’t be perceived as really understanding the situation.

7. Lawyer Speak: There is a time and place for lawyers and lawyer speak but it’s not at the outset of a disaster when people need to know what has happened, what they need to do and if they are going to be impacted by the situation (if they haven’t been already). Lawyers don’t want leaders of organizations to take responsibility for the disaster but they have to take responsibility because they need to respond to it. Taking responsibility does NOT equate to accepting blame, which is what many legal representatives tell leaders. The time for legal speak comes when the dust has begun to settle and a clearer view of the situation comes to light; not at the outset when the main concern is people safety and getting operations back to an operating level. When legal representatives do all the talking for an organization, it sends the wrong message to the public, which are expecting the leader(s) of the organization to do all the talking and direction; to be the human face of the organization. Leaders are leaders during good times and must also be leaders during bad times, or else it shows that the organization has no plan in place and lacks clear leadership, which may not be the case…but will be the perception. It’s commonly joked by many individuals – the public in general – that lawyers and politicians can speak for ages but never say anything, so don’t let lawyers do the talking for you, even though they will play a key role in the crisis at later stages.

8. Communication & Decision Delays: If the chain of command is too long and the delay in obtaining decisions takes allot of time; then you can imagine the silence that would be coming from the organization when the demand for information by the media and public is increasing. If the decision process is taking too long then there is too much discussion occurring in the “Crisis Management” team and not enough action. This could be that the restoration/recovery/resumption/continuity plans are not sufficient enough to deal with the situation or possibly that required plans don’t exist. If they don’t, then that would cause the delay for decisions and in communications. Too much time at the boardroom table trying to figure out an action plan means no one is communicating outward to those needing information and that absence shows the media (and public) that there is no action plan in place. This is what causes rumour and conjecture to take hold and then cause a PR disaster for the organization. Not only are you fighting the disaster itself, you’re fighting public perception.

9. Leadership Visibility: During the Lac Megantic rail disaster in Quebec, Canada (July 6, 2013), the President of the rail line (Montreal, Maine and Atlantic Railway) waited days before appearing in the devastated town, believing that his presence was best spent at his corporate headquarters coordinating efforts. He wasn’t visible to those impacted or anyone else requiring information; the railway was ‘faceless’ and only press releases and comments released through the media were seen by people, which gave the message that the railway was hiding and wasn’t addressing the situation at hand; a situation that literally levelled the centre of the small town. This was not seen as acceptable especially when there are examples of leaders being on scene and taking control of bad situations such as the then New York mayor, Rudy Giuliani, who was coordinating efforts almost immediately after the 9/11 attacks.

10. Focusing on Blame: Continuing from #7, everyone will want to know the cause of the disaster and who’s at fault…but not immediately. Despite perceptions, an organizations first priority to ensure people safety; finding the blame can come later once the first priority has been taken care of. Unfortunately, some organizations would rather try to deflect criticism first and find the blame rather than addressing the key point of life safety. Even if 1st responders are available and internally employees were there to help any injured parties, if the communication coming out of the organization is about blame then the fact that the organization did help those impacted first, will get lost. There is a time for blame – and that’s when the time for investigating the cause has begun, not when the disaster first begins. Organizational resources will be focuses on people and then obtaining some level of operational capability and when that occurs, and then the cause can be looked at. Of course, if a major hurricane occurs then the cause of the disaster should be obvious but then the questions about why you weren’t prepared will surface.

11. Appear to be Uncaring: You can communicate all you wish and if you’re perceived to be uncaring then no amount of communications is going to change that. In a majority of situations, an organization tries to make itself the victim but in all cases, it’s the people impacted (or hurt) by the disaster that is the victim – not the organization. An organization is rarely seen as the victim, though the people within it can be perceived as victims. A crisis management plan addresses the situation at hand but must also address and focus on the impact the disaster on people; the real victims of the situation. If an organization doesn’t seem to come across as caring in its communications then it can be seen as a pariah within the community, rather than a member of the community and no amount of back-tracking is going to change that perception any time soon. Your crisis management plan – regardless of how extensive and comprehensive it is – won’t ever be perceived as successful because the external view of the organization is negative.

If any of the above noted aspects occur, you’re on your way to more problems as each item is an indication that your current crisis management strategy isn’t working and you need to ‘change gears’ quickly to get things back on track. Remember, this isn’t the restoration, recovery or resumption activities, this is how the organization manages the crisis (disaster) and if that isn’t working well, it makes no difference how successful your restoration and recovery activities are, people will still see your organization in a negative light.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM / DR: The Little Test Activities Often Forgotten

26 04 2014

Having been a part of dozens of test to varying size and scales, I’ve come across quite a few instances where planners – including myself at times – forget to consider when organizing a BCM / DR test. I thought I’d come up with ten (10) areas that have at some point, been a fly in the ointment of test coordinators and caused issues further down the road and on one occasion, at the moment the test was scheduled to begin.

1. Production Priorities – Believe it or not, once everyone was so focused on testing they forgot to ensure that someone was left to support any production issues. While testing activities were underway, all members of a department were focused on ensuring that the test went well that no one was monitoring a production issue, which needless to say, caused allot of grief for business units. Don’t forget that even when you’re testing BCM/DR capabilities, you’re production environments are still ‘live’.

2. Test Strategy – Know ahead of time what strategy you’re going to leverage for testing purposes and ensure its communicated and agreed-to by everyone involved or else different groups will be working in isolation and not working towards the same thing.

3. Managing Scope – Keep people on track during planning and execution. If no one is clear on scope then the activities they plan and execute might not achieve the goals you’ve set. It also means that even though they might perform tasks successfully and everyone is happy, you still didn’t get what you originally planned for. It’s like being given a bicycle to get from A to B when you originally asked for a pickup truck. Sure you got to where you’re going but the goal was the truck. Did you really achieve your goal and scope if the scope and goal was to get from A to B with a truck? Nope, you didn’t.

4. Resource Assignment – When user activities are required it has been assumed the people needed will be available but often the department responsible for the resources are never approached about being part of the test and when they are, it’s too late because people are working on other initiatives. So make sure you speak with other teams early so that resources can be aligned early.

5. Change Management / Requests – This is relate to the scope; if you’re changing something – even times, dates etc – make sure everyone knows about it and that you document the desired change. Using the previous example about the bicycle and truck; it may have been a great idea to change the truck to the bicycle and it still worked for you however, the scope was the truck and there was no formal mention of changing it to the bicycle. If you’d managed it correctly and documented the fact you were going to use a bicycle, then it would have been known by everyone that the truck is ‘out’ and the bike was ‘in’ and everything would be a success.

6. Agreement – When you have key decisions made or need key decisions to be made, ensure you have agreement on the final outcome. It could be that if you make decisions without consulting impacted parties, they won’t support what you’ve determined and will continue on their original path. This only means confusion and failure further down the road. Keep everyone on the same page and part of the decision making process; if even as an FYI in some cases.

7. Documentation – Make sure you document all aspects of the test; most notably scope and goals and objectives. If you don’t who do you know you met them? You won’t even be able to talk to audit and prove you did what you set out to do because you don’t have anything that captures what you originally set out to do and quite possibly, nothing that sums up what you actually did (a test summary document).

8. Focus on Test Planning Rather Than Planning the Test – Try not to get far off the path here. It’s one thing to ensure you plan the test so that it doesn’t impact production systems or other critical aspects and it’s another to set up the test in a way that it has no relevance and doesn’t reflect what you’d actually do in a real situation. If that happens, you really aren’t testing anything. You need to know where the gaps are in the plans and that they’ll work in a real situation.

9. Test Timelines – Estimate activity sequences and schedule accordingly. If it takes 24 hours to get a mainframe up and running – from scratch – then have end users come in at the same time as the main frame team would be ridiculous, as they’d be sitting around for an entire day before they can do anything. That won’t make them happy.

10. Test Schedule – Plan ahead. When planning efforts are underway to schedule major initiatives over the next year or so, make sure that testing is part of that planning effort. This ensure that departments are aware of the test ahead of schedule and that they are able to plan for that initiative. Also, if you have 3rd party DR vendors involved, you often have no choice but to schedule test time a year in advance or run the risk of not having any time available to test, as the vendors other clients will take up all the available time.

Some of this may seem obvious but you’d be surprised how often the simply things can derail a test. Keep in mind the little things and you’ll have a great chance of success. Remember, if you have the most luxurious car in the world, it does nothing if you don’t have the key.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





When is a Disaster Considered a Disaster?

22 02 2014

It’s kind of like the old question; ‘If a tree falls in the forest and no one is there to hear it, does it make a sound?’ A disaster isn’t a disaster if there’s no measureable impact. No impact to people’s perception of the situation. No impact to people’s lives. If there is a large fire but there is no people or property (facilities, IT equipment etc.) or processes involved – either by fighting the fire or being impacted by the fire – is it still a disaster? There are no fire fighters and no burning buildings, which have no people being impacted so is it still a fire worth tracking and determining the impact and disaster level? No, because there is no measureable impact.
There will be arguments that state yes, it is a disaster because of the damage it can still cause (i.e. the environment) but if no one is involved how do you know it’s a disaster? There’s nothing that tells you it’s a disaster; nothing to point towards to say ‘this’ is the reason for the fire being a disaster because when the large fire is discovered it’s impact isn’t known…yet
A disaster must have some level of measurable impact. Something that can be ‘seen’ and ‘felt’ by people before it can be classified as a real disaster – and it has to impact people, otherwise it may just be an incident or an event of note. A fire in the middle of nowhere can still be a disaster, but if no one is there to see it, fight it or be impacted by it, it’s not classified as a real disaster because there’s nothing to measure as an impact.
For a disaster to be a disaster – in the eyes of people, media and the public in general – there has to be an impact to;
• People;
• Communities & Community Infrastructure;
• Service interruptions;
• Resources;
• Facilities;
• Technology (including those that impact services and processes);
• Suppliers;
• Vendors;
• Partners;
• Finances;
• Responders…and more.

If there is no measurable impact to any of the above, it’s not a disaster or a situation worth reporting on, it may just be an incident or Business As Usual (BAU) occurrence for which response mechanisms have already been developed to address. A means of addressing the situation before it escalates out of immediate control to become a disaster. Or even, the means to respond to the non-event when the non-event escalates and does begin to have an impact. Staying with the fire example, a forest fire may be a bad situation but not a disaster until it continues out of control and begins to threaten communities. Then what started as a non-event or non-disaster suddenly becomes a disaster.
The argument can be made that anything that impacts another is a disaster. A forest fire is a disaster because it destroys property, animal life and the natural resources it envelopes. But again, if there is no one to fight the fire – or even plan to fight the fire and maybe even to see the fire – is there a real disaster when no one is involved? If people are not involved with the situation by either resolving or addressing it or being impacted by it, it’s not a disaster. It’s just a situation that may or may not be in the headlines and will quickly be forgotten.

© StoneRoad 2014
A.Alex Fullick has over 17yrs experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM & DR: Plans That Can’t Be Made!

31 01 2014

In many organizations, executives and employees – and even auditors, will ask Business Continuity Management (BCM) / Disaster Recovery (DR) practitioners if they have plans for every situation possible; every potential risk and every potential impact to the organization. Considering that the number of risks that exist in the world today is basically infinite – once you calculate all the various potential impacts to an organization from a single event – there will be communication, restoration and recovery plans that just can’t be developed, documented, implemented, communicated, validated or maintained. It is impossible to have a response to every situation; the secret it to be able to adapt to the situation and leverage the response plans you do have to help adapt to the disaster situation.
Still, the questions will come about these plans and why a response isn’t captured for a particular situation and its resulting scenarios. A BCM/DR practitioner must be able to address these questions and be able to respond with reasons as to why specific plans don’t – and can’t – exist.
There are a few key reasons that practitioners must be able to communicate to those asking the questions and they are noted below.

1. Unknown Unknowns – In any situation – both disaster related and non-disaster related, will contain all sorts of details. One specific activity or item can have multiple responses depending on the details that come from the situation itself. For example, an earthquake can cause minor or major damage to an area but depending on where it occurs and when it occurs, the responses to the earthquake will be completely different.

2. Highly Improbably – Sometimes a risk to an organization is just so improbably that creating a plan for the situation would be futile and a waste of resources (time and people). For example, an organization with a facility in the middle of the Canadian prairies wouldn’t bother creating a disaster response plan to avalanches; it’s just so highly unlikely that it could ever happen. If an organization documents the probably risks – such as floods or snowstorms for that previously mentioned prairie location – it can adapt the plans that address the likely risks to those that are highly unlikely. New plans for unlikely activities would just distract from developing plans and processes that are really needed.

3. Changes in Assumptions – Assumptions are those things we believe to be true and they should be challenged continuously; especially through tests and exercises. However, if they aren’t challenged at some point then the continued planning and BCM/DR program development could be based on false information. For instance, if specific partners are expected to perform specific tasks for your organization when it experiences a disaster but they don’t know about them – or the tasks have changed and they’ve not been notified – your plans are going to out of sync with expectations and need. Plans are not build on assumptions but the detailed activities contained with them will be built by assumptions and they must be reviewed at all times.

4. Public Opinion / Perception – Public opinion can change with no warning; what the public may agree to in one situation they may not agree with in another situation- even when the details are relatively the same. All an organization can do is ensure it has a comprehensive Crisis Management and Communications Plan (CM&C) and those responsible for the plan understand how to communicate with the public and respond to the public. There is no way and organization can guess at what the public may believe and trying to determine every response plan to unknown perceptions would take eons to develop – something that an organization just can’t do.

5. External Directives – Depending on the scale of the situation, an organization may receive instructions from 3rd parties, such as the police or local governments. It’s never known what these groups may dictate to an organization, as it’s never known ahead of time what or when a disaster will occur. Thus, a plan can’t be developed to address the specifics of what to do based on directives received from external sources. However, if an organization has an established BCM/DR program with relevant plans and processes, it can adapt itself to the situation based on the impact to the organization itself. If an external source dictates a directive then the organization can take what it has in place and adapt itself. But a plan specific to communications that haven’t been provided – because a disaster hasn’t occurred yet – can’t be documented.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”





BCM / DR Scheduling

23 12 2013

Nothing happens without good planning and implementation strategies and this is required when planning out the development of the Business Continuity Management (BCM) / Disaster Recovery (DR) program. It’s impossible to just start something without having any idea when you’ll be finished or what you need to reach along the way to be able to take the next step.

Often, to get proper buy-in from executives, a BCM/DR practitioner has to provide a timeline alongside the goals and deliverables the project will provide. Its one thing to provide the reasons why you need a program and if those are accepted by executives as valid reasons (let’s hope they think so…), the next question will be, “When will it be done?” So, a draft timeline must be mapped out; from how long a BIA will take and when the findings will be delivered to when the 1st test will occur.

Of course, it will all be built upon assumptions such as resource availability for example, but a high-level timeline must be provided to executives. Below are ten considerations a practitioner must keep in mind when building the BCM/DR program:

1. Communicate Schedule – At first you’re communicating the schedule to the executive team hoping for buy-in on need for a BCM/DR program build but you also need to communicate the schedule with other stakeholders. For example, if you’re going to be meeting with all division leaders, they should know what you’re timelines are so they can work within those or recommend amendments if the timeline is unrealistic (to them).

2. Base on Agreed-to Availability – If a department isn’t available due to some high-priority initiative during the week of a specific month, then schedule around them and accommodate their priorities. It could be that you meet with them first or schedule them last so that they don’t experience any distractions as they implement their own high priority project. Meet with the department/division leads to ensure that timing is mutually satisfactory.

3. Report Progress – Once you’re got a timeline developed and approved, executives are going to expect a report on your progress; not just on the deliverables but if you’re moving on track to the timeline. Are you behind schedule or are you ahead of schedule and if you’re behind, what you’re going to do to try and get back on schedule. Keep in mind, you may be behind schedule due to an unforeseen circumstance, which had resources focusing on something else and the BCM/DR meetings needed to be rescheduled to later dates. If that’s the case, make sure this is communicated to the executive team, as they will understand if there were unforeseen circumstances based on an incident or sudden client issue that refocused individuals. They won’t be happy if you’re behind schedule for not ‘valid’ reason and have no plan to get back on track.

4. Issues, Risks & Assumptions – If the unforeseen circumstance, as noted in #3 above, there hopefully will have been a documented risk; a risk that states that the schedule is based on no unforeseen circumstances occurring and that available resources aren’t refocused for any amount of time to deal with it. If resources are repurposed to deal with the issue, then the BCM/DR schedule will be impacted. By doing this, executives will understand the reason for being behind and will allow you to re-plan but won’t be happy if you were always planning a ‘perfect path’ – that nothing will go wrong.

5. The Right Resources – When scheduling, make sure you’re going to get the right person to interview or participate. If you are assigned someone who is impossible to schedule a meeting with because their calendar is continuously full because they are over allocated, you may find your timelines slipping. Make sure you get the best resource participant from the department and ensure they have time committed to the BCM/DR program.

6. Project vs Program – Be sure to break up the overall timeline into min-projects. For example, when you will begin and end the Business Impact Analysis (BIA) project and when you will perform the BCM/DR strategy development project. Each must have a start and end date with a specific deliverable planned. All this needs to be sketched out.

7. Determine Milestones – The end dates noted above in #6 may also be your milestones; key points you’re striving to achieve in your overall timeline. Make sure that you have a few key points captured, as these are used in the progress reporting with executive management, so they can ‘see’ your progress.

8. Dependencies – If you have any dependencies between program phases, identify those up front so executives – and others – understand why some phases are performed in a specific order. For example, the development of BCM/DR strategies cannot begin until the BIA phase has completed and findings presented or a test cannot occur until specific plans have been developed and implemented.

9. Schedule Around ‘Them’ – When scheduling, try to schedule around the individuals themselves, as they have other responsibilities to deal with as part of their daily routine. If anyone’s schedule must be accommodating, it must the BCM/DR practitioners, not the department individual. Keep them in mind when schedule and show respect, meaning don’t schedule them over lunch or late on a Friday afternoon, it’ll only create a bit of animosity – unless you’re paying for lunch. Don’t forget, people have vacations so try not to ‘jump’ on them just before they leave or on the first day they get back.

10. Know the Executive/Board Schedule – When you’re reporting the status of your program build, you’ll be required to present the updates to executives (or a likeminded committee) and you need to know what their timeframes are. Do they meet every 2 weeks on a Wednesday? When does your status report need to be submitted to get on the agenda? Know these types of dates in advance.

11. Know ‘Busy’ Timeframes – This should be a no-brainer; don’t schedule around the busy timeframes when individuals are not going to available to attend meetings or provide information. For example, if there are numerous activities that occur at month end; don’t schedule people during that time. Use it to catch up on your own materials and update status reports etc.

12. Revisit Timelines – During each phase, review the schedule for the next phase to ensure you are on track and make adjustments where you need to. Keep your timelines realistic based on what’s happening and forecast what you think the next phase(s) will consist of. For example, you may have determined that 2 months would be enough to spend developing technology restoration and recovery strategies but based on the BIA findings, you may need to extend that by another month because you need to contact a 3rd party vendor.

© StoneRoad 2013
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”








Follow

Get every new post delivered to your Inbox.