For many Business Continuity Management (BCM) programs, once all the work is done – the Business Impact Analysis, Continuity Plan, Crisis Plans, and Technology Recovery Plans etc – they tend to sit on busy bookshelves in the corner offices of Executives, never to be looked at until someone needs them. The binders sit there collecting dust and none of the processes and procedures associated with them are ever reviewed, validated or maintained to keep them current. Not only are these binders not reviewed to stay current but even if they are reviewed on a regular basis, many organizations don’t understand when a change may be necessary – outside of their normal review processes. What kind of things can trigger additional reviews or trigger changes to plans and strategies.
Here are just a few things that can help organizations recognize when they need to review their plans and keep those “bookshelf binders” current.
- Vendors/Partners – When senior leadership develops a new strategy and mission, this can cause a change in many of the existing processes departments and individuals perform. On a daily or even hourly basis, there may be constant communications with specific service providers and vendors that are required to implement the current vision but if that vision changes, these vendors may no longer be the provider of choice to help the organization move in the new direction. A review needs to be performed based on the new vision to ensure the vendor can still provide the level of service, or even new service, that’s now required. If the new vision is, for example, to become a new player on the stage in the Disaster Recovery realm, there may no longer be a need to collaborate with a specific vendor because they will now become a competitor. Of course, there are legal ramifications and complications but it still stands, that a change in vendors may be required.
- New Processes Introduced – Processes are a group of activities that create a specific result or output. The process of inputting a new sales order into a system may require a background check on the customer – if it’s a new client, detailing the specifics of the order and finally in putting it into the order system. Then a new process may kick in that manufactures the order and captures the client specific details. When a vision or mission changes, existing processes that have documented contingencies may no longer be valid. When a process is cancelled, then the contingencies associated with the process are no longer valid; they become obsolete. Sometimes contingencies for processes are based on other processes being available (i.e. manufacturing will only produce what is in the sales system. If nothing is in the sales system, no manufacturing will be performed). The decommissioning of a process can have great impact upon another process that may now suddenly find itself with invalid contingencies because the area in which it is dependent no longer exists or won’t be performing the action it requires. This may be an obvious suggestion but often new processes are introduced throughout the year due to project initiatives but corporations don’t consider incorporating them into continuity plans or other strategies until the scheduled review period arrives, which could be a year after the last review period.
- New Departments/Divisions – It should be self-evident that if a new department or Line of Business is created, there is no existing information on what the department does, who does it, when they do it and what they need to ensure they are able to keep doing it in times of disaster. New Business Impact Analyses (BIA) would need to be conducted capturing the core information, as well as a continuity plan developed. A new department created within an organization will bring new processes, new dependencies and new technology dependencies that all need to be taken into account to ensure this area is enveloped into the BCM fold.
- Loss of Key Resources – New visions and organizational restructuring may result in the loss of people, facilities and technology components. For people, there could be instances where individuals are no longer required to perform activities and thus are let go. Yet, when this occurs, the intellectual knowledge they have not only on the decommissioned process, but knowledge on the entire corporation, is lost. There are individuals who perform tasks on a daily basis and they know exactly where that task fits in with other processes within the organization. They also know what it means when the task is not completed on time or as expected. Losing someone who knows so much can harm various organizational areas because that person is a Single Point of Knowledge (SPOK), who on more than one occasion, has probably been utilized to resolve critical operational incidents. It should be stressed that employees, regardless of level, are not single point of failure, which is the predominant perspective and description used for someone during a crisis, which holds a lot of knowledge on a particular subject. People with this kind of knowledge are not failures and should not be addressed as such; technology systems fail or are Single Points of Failure (SPOF) but people with valued skills are Single Points of Knowledge (SPOK). With facilities, an entire workforce can be lost and take with them many skill sets. Depending on the operations a facility performs, there may be instances where lines of technology communication and dependencies are broken, causing much reconfiguration on the part of technical staff. Internet Protocol (IP) addresses and other network administration tasks need to be executed to meet the new enterprise wide configurations; this is a great example when IT change management is required.
- Hot Site Configuration – New visions, missions and organization changes, will definitely means amendments to any hot site configuration, whether they are in-house or subscribed to a provider. A new company change will change what is core to the company and what it should deliver, or continue to deliver during a time of disaster. The hot site may be configured to an older process that was assigned as the most important to the corporation but if that changes, then other system changes may be needed to meet the change. If an organization is lucky enough to have the budget for a mirrored hot site that they cut over to when there is any indication of a blip in operations, no configuration changes may be necessary but if not, a review of the site and its capabilities will need to be performed to ensure it meets the new organizational needs and expectations.
- Re-prioritizing Core Processes – If the implementation and follow up of the Business Impact Analysis (BIA) is performed appropriately, acceptance will have been received as to the order of process priority for which servers and services be restored and recovered. This list will help guide all departments on what is core to the company and what needs to be fully functional when, where and what is required to make it happen. Executive management would have approved of this list and signed off during the post-BIA sessions when findings are presented. There may even have been some open discussions about what needs to be up when and why, but either way the list would provide the business and technology teams a guide on how to rebuild systems from scratch. If an organizational change is made, and new processes are created or old processes are decommissioned, this list needs to be reviewed to reflect what has changed. The listing is a key component on how to restore the company back to normal operations, from a process, employee and technology perspective and is core to a successful recovery.
- New Dependencies / Dependency Shifts – Every process has dependencies; dependencies on people, places, inputs and outputs, internal and external contacts, or a combination of any of these noted. When organizational change occurs, new links become created between the restructured areas. If this happens there could be less intricate relationships between departments, as some things may be consolidated but there may also be instances where additional dependencies get thrown into the mix, where additional steps may be required to complete a process. When this occurs, the priority list noted above changes and so do the resources required to execute them. Technology dependencies may become more complicated, or simplified depending upon the change but, either way, there is a need to review how the processes now link together and this must be reflected in the various components of the BCM program; from communications to technologies to external vendors.
Keeping plans and strategies current is more than just reviewing the components on a regular schedule. They can happen at any time and many triggers can raise a ‘red flag’ that shows the organization that their plans are now out of sync with what the organization is doing. Any change in the organization can give reason to at least review strategies and plans to ensure they stay current. It may be that no change is necessary but it’s better to identify and validate that before a disaster or serious actually occurs.
The new book by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.” Available at www.stone-road.com **