10 Issues to Remember When Initiating and Developing a BCP Program

Most organizations don’t want to imagine what would happen if a disaster struck their operation, but what if a disaster did strike? How would your organization respond? The best way to know how to respond is to develop, implement and maintain a Business Continuity Management (BCM) program. A BCM program provides a framework for building organizational resiliency with effective responses and safeguards that protect the organization’s reputation, stakeholders, employees, and facilities.

BCM is not just about remedying technology shortfalls, as many organizations believe. It’s also about securing, protecting, communicating with and preparing corporations against disastrous impacts upon their workforce, facilities and technologies, in order to minimize the impact on operations. BCM touches every aspect of an organization from the mailroom, the field and the call centre to the manufacturing floor and right up to the boardroom.

To make your program effective, consider some of the following suggestions when planning:

1. Start With the Worst – Begin the planning with the worst-case situation your organization can imagine. For many, this example is the tragic events of September 11, 2001. Work backwards from there and you’ll start to fill in many of the dangers that can harm your corporation. You’ll also be able to start challenging the worst case situation and begin to get more inventive with potential impacts – and develop the plan accordingly.

2. 3 Pillars of a Business Continuity Plan (BCP) – Every BCP must address three things: Workforce Availability, Facility Availability and Technology Availability. If each plan has these three core components, an organization can respond to any disaster situation and expand its capabilities by adding varying situations and scenarios through validation exercises.

3. Dedicated Resource – Assign a person with the appropriate training and authority to get things done; if not, the program will quickly fall to the wayside in favour of other initiatives. This may include getting outside help to get the process kick-started (e.g. consultants, contractors etc).

4. BCM Program vs. BCM Project – The BCM program must live on and continually meet the needs of an organization; as the organization grows and changes, so too must the BCM program. A project has an end date but a program must live and breathe and contain more than just a single aspect of BCM. Therefore, when the Business Impact Analysis (BIA) is completed, that’s just one ‘project’ of the overall BCM program; you’ve got lots more to get through and develop.

5. Exercising/Testing – Plans mean nothing if they haven’t been validated. Every organization must exercise its plans to make sure they’ll work during a disaster. It’s better to find gaps in your plans through exercising and under controlled circumstances rather than when the real thing happens.

6. Executive Support – If no one is there to champion the BCM program, it won’t last too long. In fact, there’s a good chance it will run out of steam and end up on the backburner of boardroom discussions. Having executive support shows the rest of the organization that BCM is taken seriously.

7. Awareness & Training – It can take a long time to develop continuity plans and create processes and procedures but if no one knows how to use them, where they’re kept or under what circumstances they’re required, they won’t be of any value or use. Remember, awareness and training are not the same things and every level of the organization must receive its fair share of both if the program (and all the developed plans and processes) is to be useful and successful.

8. Focus on People – This should be a no brainer; BCM is about people. It’s people that build the plans, use the plans, review and exercise the plans. It’s people that will be impacted by not having plans in place; clients, vendors, employees and communities. If you state that technology availability is the most important part, you’ve basically told those individuals – who you need to help build plans – that they aren’t important. Keep in mind; people first.

9. Business Impact Analysis (BIA) – Every company must understand what it does and how it does it. A BIA is the process of analysing business functions and the effect that a disruption might have upon them. Knowing this will help corporations develop appropriate Business Continuity Plans (BCP) and other contingency strategies. Ensure you get agreement on the findings, don’t just state what they are and move forward. The findings from a BIA are what the attendees believe is important and it could turn out that what they feel is important to the company is not what executives believe is important. Make sure executives are in agreement with the findings before you start developing restoration and recovery plans – you could be way off the mark.

10. Program Maintenance and Monitoring – If program components aren’t maintained and updated, the Business Continuity strategies developed – and the related documentation – will reflect the corporation as it once was, not as it currently is.

11. Bonus: Using Software Only – Software can be very beneficial for maintaining and gathering information but beware, it doesn’t take into account the nuances of people or scenario specifics. It may tell you that you need 10 desktops in 24 hours but the situation itself may call for something completely different based on what has occurred. Don’t fall into the trap of thinking that DR/BC software will answer all your questions and save you; it’s a tool to help you.

Having a BCM program in place is a part of an organization’s Corporate Social Responsibility (CSR) but there are other benefits to implementing a program. First, your organization will have the security of knowing a robust plan is in place to deal with disasters, providing safety and security for all employees. Second, a proper BCM program will provide a competitive advantage. Organizations with strong programs win out over organizations that don’t have BCM plans in place because there is knowledge that your organization will have developed a way to provide a product or service even during a disaster.

It’s not easy building a BCM program; it can be tough to develop, implement and maintain but it will only take a single crisis or disaster to prove its worth. A single crisis or disaster can be one too many. Are you prepared?
© StoneRoad (2013)

Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, available at http://www.stone-road.com, http://www.amazon.com, http://www.volumesdirect.com

BCM document templates available in the ‘shop’ section at http://www.stone-road.com.

New Book by A.Alex Fullick – Business Impact Analysis (BIA): Building the Foundation for a Strong Business Continuity Program

We’re so happy to announce the new book release by StoneRoad founder, A.Alex Fullick. Check out the press release below. For purchase details go to http://www.stone-road.com or http://www.amazon.com.

Congrats boss!!

Alex Fullick wants you – and your business – to succeed. Better yet, he wants you to flourish beyond your wildest dreams. But what Alex Fullick knows (and what you may not yet know) is that business success doesn’t come out of the blue, or on a whim or stroke of luck. You have to plan for business success, not only for the anticipated good times of strong sales, revenues and profits, but also for the difficult days when a sudden disaster strikes. It can – and does – happen.

Welcome, then, to the world of Business Continuity Management (BCM), the world where BCM expert Alex Fullick resides. Over the years, he has seen it all – and the one key conclusion he’s reached is that businesses with a plan to deal with significant disruptions and disasters are generally the ones that emerge from the situation stronger and with their operations intact. The reverse is just as true: an organization without a continuity plan is taking an enormous risk, one that has the potential to destroy the company and lay waste to years of hard work.

Fullick acknowledges that, to most eyes and ears, the very notion of “Business Continuity Management” is a term that might cause the ears to shut down and the eyes to glaze over. It may be a dry topic, rather lacking in sex appeal, but it is also a very important cog in your business-planning machine. Simply put, if you are a business owner or key manager, you need to know exactly what you will do when disaster strikes.

Fullick’s most recent planning guidebook, entitled Business Impact Analysis: Building the Foundations for a Strong Business Continuity Program, takes a detailed look at the steps a business owner needs to take to gather the information required to create and manage a strong business continuity program. The BIA, in Fullick’s view, is the foundation upon which a business continuity program is built; it follows, then, that a proper Business Impact Analysis requires strength and depth and that its content must fully reflect the operational and cultural needs of your organization. There is no single cookie-cutter approach that can be applied to each and every business operation.

This book should be required reading for business owners and senior corporate officials, not only because the subject is itself of vital importance, but also because Fullick lays out his BIA foundation in a straightforward contextual manner that is both appealing and highly informative. Business Impact Analysis is a critical building process – and Fullick provides the tools required in an easy to follow systematic approach so that organizational leaders can use the BIA process to its very best advantage.

Alex Fullick is the founder and managing director of StoneRoad, a business consultancy based in Southern Ontario that specializes in a process known as Business Continuity Management (BCM). Fullick published his first work in 2009 entitled Heads in the Sand; he followed that up with Volumes 1 and 2 of Made Again. Business Impact Analysis is his fourth publication with two further publications in the works. In his free time, Fullick is an avid curler and hiker.

Business Impact Analysis: Building the Foundation for a Strong Business Continuity Program
by A. Alex Fullick
ISBN: 9780981365749
For more information visit: http://www.stone-road.com

The 6 “C’s” of Crisis Management & Communications

While in China I had an interesting conversation with a gentleman from China (he spoke English).  Our main topic was Emergency Management but as we conversed, he kept making note of a few things related to Crisis Management and each one seemed to begin with the letter “C”.  I don’t know if it was something that was intentional or if it was something that was just coming across due to the language difficulties between us, which I didn’t find that difficult by the way.  Anyway, I thought I’d make note of them and provide a description of what he was getting across.

He was speaking of every crisis, disaster or emergency situation, which he was defining as a larger community-based disaster such as an earthquake (hey, he was part of the Great Sichuan Earthquake of 2008, China). Listening to him was fascinating, as he was actually there and a part of the recovery and coordination efforts related to the massive Chinese earthquake that killed tens of thousands – if not more. So here are the 6 C’s of Crisis Management – and I haven’t put them in any specific order in case you’re wondering…

  1. Contain – First, get a grip on the situation and don’t let it spread any further and do any more damage than it already has. I guess a good example of this would be a fire and how fire fighters contain a blaze. Even firefighters fighting brush fires burn a perimeter (a controlled burn) to ensure the fire stays contained within a certain area. I know some of you will have experience on this disaster, so feel free to add details on how that’s done. It’s in every organization’s best interest to ensure that a situation doesn’t get out of control – so contain it and don’t let the situation spread.
  2. Control – Take charge of the situation and don’t wait for it to play out in front of you – it could be too late. If an organization doesn’t take control of the situation – through media and its Crisis Team structure – someone or something else will take control of it for you. For instance, if there’s no media represented updates on the situation, then speculation and rumour will begin to run rampant. Try then to gain control of the situation – it will be next to impossible because the media (bless ‘em) will begin to make its own assumptions and presentation on what the situation is. You’ll be fighting two fires now; the situation itself and the possible misrepresentation in the media. Take command of the situation.
  3. Command – This referred to the various components and members of the Crisis Team and Crisis Team structures (i.e. Disaster Teams). Take charge of the situation (…is that another “C”?) and ensure that you’re on top of things. You can even be on top of things if you don’t have the full scale and scope of the situation yet. You do this by taking command and having proper protocols – that have been rehearsed and validated – that everyone understands and utilizes to ensure the situation is under control. It outlines proper roles and responsibilities that team members follow to allow proper response, crisis management, restoration and recovery efforts to be initiated.
  4. Continue – This is what you want most for your business operations, right? After any disaster or crisis, you want to be able to continue your operations one way or another and usually the sooner the better. The longer you’re out the greater the impact will be on your bottom line, community, shareholders, clients and employees. All your plans and procedures should be in place not just to address and manage the crisis but to allow your operations to continue. Managing a crisis effectively doesn’t mean your business will continue. Business Continuity will work when the crisis is being managed effectively; if not, you’re going to end up diverting resources to ‘fire fighting’ rather than ensuring the business continues. They go together and if you have one without the other, it’s like walking a straight line while jumping on a pogo stick cross-eyed.
  5. Communicate – Communicate quickly, often and effectively. You’ve got more audiences than you think you have and they will all need to be addressed. The Board of Directors will be seeking different levels of information than what the public is seeking, which is different than what your employees need. Don’t just spit out generic comments and expect everyone to understand them. Not every message is received the same way – and if you’ve got different people delivering the message, then you can expect differences in delivery as well. Whatever you do, don’t say “No comment” or “Off the Record” – that’s just asking for trouble. There’s no such thing as off the record – not in today’s world of technology – and if you say ‘no comment’ it’s interpreted as something is being hidden. If media – or anyone for that matter – thinks you’re hiding something or lying, you’re going to be “guilty” in the eyes of everyone who heard the message. And those that didn’t hear it will read and see it on the news. Refer back to the comments in #2.
  6. Care – Show you care about people, especially those impacted by the situation. This includes your employees. Often, corporations will talk about the impact on customers and clients but forget the employees. Wouldn’t that make employees feel they aren’t cared for? After all, they are the ones closest to, and the first ones influenced by, the situation (assuming an internal fire or other crisis). I recently read a great article that said, speak and communicate to people’s emotions and how they see the disaster, not how you – the organization – see it. You have a better chance of controlling and containing the situation if you speak to the hearts and minds of people rather than to the pocketbooks of shareholders and bank managers, or worse, speak as if you’re the victim.

 I liked what he had to say overall and was busy in the back of my mind comparing his thoughts and comments to BCM and how he was also describing the crisis management component of BCM. I know his perspective was larger and grander but the principles were all the same. I could go on and on into more detail but I have a 2nd and 3rd book to complete first – maybe this topic will make it on the list of other items to write about (I’ve a list of 11 books so far…).

 I think I should add that after our discussion he was presenting at the conference I was attending in Beijing (The International Emergency Management Society – TIEMS) and he only seemed to make note of 4 C’s. But then again I was listening to his speech through a translator and he may have said all 6 from our discussion but the translator may have missed it. Maybe the 2 C’s were ‘Lost in Translation’ ha ha


The new book by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.” Available at www.stone-road.com **

Risk and Issue Management in BCM / DR Programs

Let’s face it, there’s some level of risk in everything we do.  We work to ensure that the risks never come to pass by mitigating them and monitoring situations.  If the situation escalates maybe our risk becomes an actual issue.  This is true for when we build our BCM/DR programs as well.  As we work at developing our plans and processes, we run the risk of collecting and incorporating the wrong information or missing information altogether, which only impacts our BCM/DR plans and processes.

To keep on track, not only are we to ensure we’ve got all the necessary components but we must manage the risks and issues that crop up during our planning, development and execution phases.  Regardless of what BCM/DR methodology you subscribe to – and some don’t subscribe to any one in particular, they just take the best from every methodology and utilize those components – risk and issue management is key to ensuring you stay on track with your schedule, budget, scope and resources.

So how do we manage our risks and issues? What even distinguishes a risk from an issue? Risks are items that, if they occur, can cause us problems; issues are those risks that have been realized: ‘Houston, we have a problem.’

Understanding how to manage your risks and issues will take you a long way and will – in the end – make your BCM/DR planning road much smoother.  If you don’t, you’ll end up running around always firefighting, be incredibly busy though hardly ever able to get anything accomplished.

Let’s look at what risks and issues really are, how to manage and track them and some tools you can leverage to ensure your BCM/DR program keeps moving forward and not tripping over everything on its path.

  1. Decision Log: Log any decisions that are made on your project. For example, why you won’t be performing a Risk Analysis or why you decided to build an internal Technology Recovery strategy rather than using an external strategy (i.e. 3rd party vendor).
  2. Risks: Risks are items that have the potential to impact your project either by resources, schedule or budget. In project management terms that’s called the triple constraint. It doesn’t mean that it’s a guarantee they will occur but that there is the potential of them occurring and hampering your work. An example could be the availability of a Single Point of Knowledge (SPoK) that is assigned to too many initiatives and doesn’t have sufficient time to spend with you. As a result, the schedule will be impacted. By the way, when you document a risk make it an “If / Then” statement: IF ‘X’ occurs THEN ‘Y’ will be impacted. Follow that up with a mitigation strategy on how you’ll try to keep the risk from ever occurring and give some specific checkpoint dates to go with your strategy. It could come down to something simple such as reviewing ‘X’ on a bi-weekly basis to ensure things are on track and the risk isn’t escalating in probability…and severity. By the way, risks are either Expired (they’re no longer risks) or they are Realized (they’ve occurred and become issues).
  3. Critical Risks: In simple terms, they are risks that have a very high likelihood of occurring but haven’t occurred yet. Usually, when a risk is escalated to a critical risk the mitigation strategies kick in rather quickly and everyone rallies together to ensure it doesn’t become an issue.
  4. Issues: An issue is a risk (critical or non-critical) that has occurred and is impacting your project / BCM program. Each issue must have some level of devised action plan in place so that the issue is resolved and the roadblock is removed from what you’re trying to accomplish.

Managing risks and issues is vital to ensuring your BCM project’s success and this goes for all phases of the project, not just the initial phases. We work in an industry where we state that ‘anything can happen’ and that is true for projects as well; a project can be derailed at any time by anything.

Often, we’re aware that something could hinder our progress but we don’t properly monitor it to ensure it doesn’t become an issue for us.  With disasters, we monitor the coming storm (i.e. hurricanes…) but we don’t monitor the coming storm that can be something like a change in technology strategy, which might have an impact on the overall TRP strategy we’re putting together.  So monitor the risks and issues or else you might find yourself in trouble.

© StoneRoad


Check out www.stone-road.com for details.


 “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”

by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3

Available at www.stone-road.com, www.amazon.com & www.volumesdirect.com


WIN A FREE BCM/DR PROGRAM EVALUATION!!  Find out where you really stand.

We have decided to run a great contest here at StoneRoad: Purchase a book from our founder, A. Fullick, directly from the StoneRoad website (www.stone-road.com), and your name (and company) will be entered into a draw for a FREE Business Continuity Management (BCM) program evaluation. The more copies you purchase – of any book or combination of books – the more entries you get and the greater your chances.

Oh, and did we say it’s open to EVERYONE AROUND THE WORLD !!  How’s that for confidence in what we do!

So, head over to the StoneRoad website for details and good luck!! www.stone-road.com

This is only valid for books sold through the StoneRoad bookstore (https://stone-road.netfirms.com/cart/);  purchases from any other retail outlets (online or otherwise) are not eligible.     If you have any questions, email inquiries@stone-road.com.



The StoneRoad Team

“Failure isn’t about falling down, failure is staying down” – Marillion

“Procrastination is the art of keeping up with yesterday” – Buddha

Business Continuity Management (BCM) & the Recovery Point Objectives (RPO)


In simple terms, the Recovery Point Objective (RPO) is the maximum tolerable period in which data may be lost from an IT service/system outage or disruption, as caused by a disaster or other incident. For example, if you take overnight backups, the recovery point objective will often be the end of the previous day’s activity. This means that when a disaster occurs, business units can either agree to have some level of data loss, which is what will happen, or choose to have no data loss whatsoever. If the latter is the case and no data loss is acceptable, then Technology Restoration & Recovery Plans and related strategies must be developed to meet that need.

Too often, the RPO is identified in the BIA and is captured as a question asked of business unit representatives: what is your expected loss tolerance or what is your RPO? I’ve never met a single department manager that didn’t say they could tolerate any data loss. In fact, it’s almost a given that business units won’t allow for any data loss, even when systems are not available under dire situations. Business units can request a desired RPO – usually at no loss or 0 hours – but the business unit isn’t the one to drive this…at least not at first.

I’ve stated before in other posts that the Technology department should go through the BIA process, as they aren’t immune to outages due to disasters, pandemics and other crises.  It’s the technology department that should be identifying the RPO, as it currently stands.  Business Units may state what they want the RPO to be but it’s the IT department that states what it is.  IT is responsible to take stock of the current technology restoration and recovery procedures and provide the corporation with the RPO; what it would be if a disaster occurred that day.


Identifying the RPO can expose some misconceptions with the expectations many have and what the corporation believes to be in the TRP.  If you ask most business managers, they assume that data and systems will be available when they need it.  Sure, IT performs backups of systems and data and when a user accesses a system to obtain information, it will be there – and it’s always current.  That may be true but that means that backups are performed in real-time, which is rarely the case.  Only the multi-national corporations that have money to spend can build mirrored systems and built-in redundancy – though that’s becoming something rare these days based on the current economic climate.

If a disaster occurs and backups are only performed once every 24 hours, then during a disaster the data that is recovered is only as good as the last completed – and accessible – backup.  That means an entire day can go by where data is manipulated and updated by users but if a disaster occurs, all that data will have been lost because the backup hadn’t occurred yet.  So even though the business unit wants zero loss in data, they will automatically be set back by 24 hours – will have lost 24 hours of work.  The RPO is 24 hours based on the current technology strategy.

If that is the case and business is unwilling to accept the RPO – and the loss of data – then technology must request resources to amend the strategy. Then appropriate actions are taken. This could be to reconfigure current technology restoration and recovery strategies by acquiring new (or more) equipment, reducing the interval between backups from once every 24 hours to 12 hours (or less), and other strategy implementations, all intended to meet the accepted and approved RPO.

No one wants to lose data. No one wants to experience a disaster. Still, when a disaster occurs, the RPO (and related Recovery Time Objectives (RTOs)) is what the corporation is going to use to build business continuity plans, technology recovery plans and any crisis management (especially PR and Media plans).

The point when data and systems are expected is the point upon which the corporation will be judged. If they aren’t up and running by the time they’ve stated and have data available when they expect it – and haven’t lost any of it – the public and any partnerships will consider the corporation to be untrustworthy and unable to manage negative situations. The RPO isn’t just the point at which data is last available or the point at which it is current but it’s also the point at which a corporation must be able to do business – on some level. This is because clients will want to know that their information is safe and hasn’t been compromised – or lost – because of the disaster. If it has, the negative perceptions of the corporation will begin.
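The following is an added example, not part of the original post: it computes the RPO that a backup history actually delivers, going beyond the 24-hour case above by also excluding backups that did not complete or are not accessible. The record fields, dates and job outcomes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupJob:
    taken_at: datetime   # point in time the backup captures (assumed field)
    completed: bool      # the job ran to completion
    accessible: bool     # the copy can be reached and restored after a disaster


def usable_points(jobs: List[BackupJob]) -> List[datetime]:
    """Recovery points that count: completed AND accessible, oldest first."""
    return sorted(j.taken_at for j in jobs if j.completed and j.accessible)


def data_loss_at(jobs: List[BackupJob], disaster: datetime) -> Optional[timedelta]:
    """Work lost if a disaster strikes at `disaster`.

    Returns None when no usable backup exists before that moment,
    meaning nothing can be recovered at all.
    """
    prior = [p for p in usable_points(jobs) if p <= disaster]
    return disaster - prior[-1] if prior else None


def achieved_rpo(jobs: List[BackupJob], window_end: datetime) -> Optional[timedelta]:
    """Worst-case data loss over the observed history.

    This is the longest stretch without a usable recovery point,
    including the stretch from the newest usable backup to `window_end`.
    """
    points = [p for p in usable_points(jobs) if p <= window_end]
    if not points:
        return None
    points.append(window_end)
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def shortfall(achieved: timedelta, requested: timedelta) -> timedelta:
    """How far the delivered RPO misses the RPO the business asked for."""
    return max(achieved - requested, timedelta(0))


# Constructed sample: nightly backups at 02:00 over five days.
# The 3 March job failed; the 4 March copy completed but cannot be reached.
SAMPLE_JOBS = [
    BackupJob(datetime(2024, 3, 1, 2, 0), completed=True, accessible=True),
    BackupJob(datetime(2024, 3, 2, 2, 0), completed=True, accessible=True),
    BackupJob(datetime(2024, 3, 3, 2, 0), completed=False, accessible=False),
    BackupJob(datetime(2024, 3, 4, 2, 0), completed=True, accessible=False),
    BackupJob(datetime(2024, 3, 5, 2, 0), completed=True, accessible=True),
]
WINDOW_END = datetime(2024, 3, 5, 18, 0)

if __name__ == "__main__":
    achieved = achieved_rpo(SAMPLE_JOBS, WINDOW_END)
    print("Scheduled interval : 24:00:00")
    print("Achieved RPO       :", achieved)
    print("Loss if disaster on 4 March 17:00:",
          data_loss_at(SAMPLE_JOBS, datetime(2024, 3, 4, 17, 0)))
    print("Shortfall vs. requested 0 hours  :",
          shortfall(achieved, timedelta(0)))
    print("Shortfall vs. accepted 24 hours  :",
          shortfall(achieved, timedelta(hours=24)))
```

Although the schedule is every 24 hours, the two unusable nights stretch the delivered RPO to 72 hours, which is the figure IT would need to report to the business.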

The BIA helps identify the gaps here and if lucky, the IT department will get some extra funding to ensure that RPO’s and RTO’s can be met.  So always remember, the RPO is more than just a point in time; it’s a time that makes a point.



Japanese Nuclear Power Plant Report Released (July 2012)

A week ago I’d heard the Fukushima report was coming out and that there were a bunch of conclusions and recommendations being prepared, so I set to writing an article for posting thinking I could add my thoughts as well.  Then I read the report and found that it said everything better than I could.  So, here’s a link to the report The Fukushima Nuclear Accident Independent Investigation Commission  and what the commission recommends and determined was the cause of the disaster.

One thing that I found very interesting is the fact that corporate culture contributed to the disaster – in fact, is listed as a cause of the disasters – and that the very nature of the disaster was communication; from well before the disaster to after it had occurred. What was also fascinating was that the disaster itself was not caused by the tsunami, which would be a normal thought, but rather the cause of the power plant disaster was man-made. The tsunami was just the catalyst to trigger all the problems that existed.

I’ve always said – in previous posts – that communications would be the glue that either holds it all together or assists with it all falling apart.  Seems I’ve been validated (and I know I’m not the only person who thinks that).

One thing that I hadn’t expected in the report was the mention of how government and agencies change the names of organizations that experienced or participated in the disasters to show that they’re taking things seriously.   But, they don’t change any of the processes and procedures within these organizations; the processes and procedures that didn’t work the first time.  You can throw paint on a decrepit old car but that won’t make it run any better and that’s what the report basically says.  There is fear that nothing will change; let’s hope it does.

Enjoy the report: I did.

(c) StoneRoad




Europeans Able to Check Hazardous Production Sites

The notice below was sent via the President of The International Emergency Managers Society (TIEMS), where I’m a member of the editorial advisory board. I thought this was quite interesting and wondered how this would go over in North America.


Dear TIEMS Members and Supporters,

The Council and the European Parliament have reached an informal agreement on amending a so-called «Seveso Directive». The Directive is named after an accident which happened in 1976 in Seveso, Italy when a dense vapour cloud containing hazardous substances was released from a pesticide factory. The accident prompted the adoption of legislation aimed at the prevention and control of such accidents. Since then all the companies storing large amounts of fireworks, oil, petrol or toxic chemicals are referred to as «Seveso sites».

The new directive reinforces the rights of EU citizens regarding their access to information on hazardous production sites. European citizens will be able to see if they have dangerous industrial sites in their neighbourhood on the internet and see how to react in case of emergency. They will also be able to go to court if they think that a new Seveso site is established too close to their homes. All Seveso sites will be obliged to prepare an accident prevention policy to improve their level of safety.

Ida Auken, Danish Minister for the Environment and a fervent proponent of this proposal says that this step will allow citizens to feel more secure in their homes even if they live in the proximity of a plant producing hazardous substances.

After the European Parliament adopts its position on first reading in June 2012, the directive will be officially adopted by the Council in the second half of 2012. The amended Directive will enter into force in 2015.

More information is available here: http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/envir/129282.pdf

With Best Regards,

TIEMS Secretariat

The IT Disaster Plan: “What Do I Need?”

Well, after finishing the draft on book #4, completing a newsletter for the TIEMS organization and working on some marketing initiatives for StoneRoad (and Madaemen, a division of StoneRoad), I can finally get back to a few blog/article postings. Enjoy…


Having been in the industry for many years (17 and counting) I get asked quite a few questions; from what is BCM (get that one a lot) to how do I get started? I’m happy to help with answers and try to provide a knowledgeable and suitable response, tailored to the person(s) asking. Recently, I was asked by a friend what his company needed for an IT Disaster Plan. Well, I could be sarcastic and say ‘you’ll need technology’ though I didn’t think that would go over well. I decided to take a different approach and first find out how far along his company was on the BCM/DR road. Turns out, not very far at all.

I started asking a few basic questions to help gauge where they were. I could tell by his initial question that the company wanted to start building an IT Disaster Plan immediately, skipping many of the other BCM program development components that help lead to the proper development of the IT DR plan. This occurs for many corporations, where they jump into the solution building before they even know what the solution should be or why they are building the solution and for what the solution supports. Kind of like trying to do a puzzle without knowing what the picture is.

Not to recreate our entire conversation, here are some of the questions I posed to him – to take back to the office – to help determine what the company should / shouldn’t consider.

  1. What are your critical processes/services/departments? – If you don’t know this, what are you building for?
  2. What is your critical data? – For many, not all data is critical. Is development data (dummy data) critical? Probably not.
  3. When do you need it? – If you don’t know when you need your data (and services/process) up and running, then you’re really in trouble because you don’t even know when to restore/recover IT, let alone what you need to do it.
  4. How much can you lose? – This is the question, ain’t it? What’s it gonna cost for me (the company) to be off-line and how long can I suffer losing money?
  5. What’s the Maximum Acceptable Outage (MAO) for systems/services to be off-line? – How long I can tolerate an outage will help determine what I need to have in place for backup, restoration and recovery equipment/resources.
  6. What’s core to your business? – You’ve got to know what is core to the business so that your key/core service/product/system is highlighted as the top IT DR priority.
  7. What’s your current backup strategy? – Always good to know where you stand in the present day, as it helps determine where you’ve got to go in the future.
  8. What is your current Recovery Time Objective (RTO)? Recovery Point Objective (RPO)? – Where did the numbers come from? Who decided on what they are? You might know the RPO based on your current situation but that doesn’t mean it’s acceptable. All too often business units believe data will be available first-thing, when that’s not the case at all. They also don’t realize that there is the possibility of lost data because an entire day’s work can potentially be lost.
  9. Who is determining what is critical to the company; business users, IT Management or Senior/Executive Management? – Let’s face it, if the Sr. Execs haven’t told you what’s important to the company, then you better find out, ’cause you might be on different playing fields with different expectations before you ever get started.
  10. What were the results of your Business Impact Analysis (BIA)? – This is key and ensures that the final findings are agreed-to by the executive; otherwise the BIA findings are just the results of each individual department, which may not be in line with what executives believe to be critical/key/important to the company. If they validate the findings, you’ve got your marching orders for the next steps. If they don’t agree with them, you’re going back to square one to find out where the discrepancies are (i.e. inter-dependencies, identified core processes in line with corporate strategy and direction…).


We talked more but these were some of the key questions I touched upon. The last one – #10 – was actually the first question asked.

He then asked a 2nd question; “How do we know if we should use a vendor or not?” The context related to a decision on when to utilize a vendor DR Site.

Really, there’s only one answer; what were the results of your BIA? When you know the answers you can then move on to answer the other questions that will inevitably be asked:

  1. Do we need an IT DR strategy at all? – Based on the BIA results, what is our current capability?
  2. Can we do it internally? – Do we have the resources available to build/configure an appropriate restoration/recovery strategy?
  3. Do you have the facility(ies) if we go internally? – You may have multiple locations and one of them has a floor that is completely empty…could this become the alternate IT location? You’ll need to investigate but it’s an option.
  4. What’s the cost to do it internally? – Again, it’s the main question; how much will it cost the corporation to put an acceptable strategy in place?
  5. What resources (physical & financial, employees) do we need to meet the RTO? – Based on what the corporation currently has available (and current restoration/recovery strategy in place) what would be needed to ensure that the RTO’s can be met?
  6. What are our options if we go external? (i.e. cold, warm, hot site configurations) – Investigate your options, as to what vendors to speak to and determine what is needed to meet the RTO’s. You may only need a warm site over a hot site depending on the BIA findings and current (internal) configurations.


Building an IT Disaster Recovery Plan or as I like to call it, a “Technology Recovery Plan (TRP)” can’t just happen without proper inputs. You can’t build a house for someone without knowing what they need and want, so how can you build an IT DR plan without knowing what’s required and why? You can’t. What’ll happen is that a restoration/recovery strategy will be developed – at considerable cost – and yet it won’t meet the needs of the organization. It can over-deliver and exceed the need but then you’ve spent a lot of money you didn’t have to. It’s better to build what you need – with the ability for it to grow – rather than building something in the dark that won’t meet any requirements. Then the re-work begins and it’s like starting over; again, by spending more money, which you may not have.

Well, when we finished our conversation my friend said he had lots to take back to his boss. The last time I spoke to him they were deciding on the BIA… Hmm, wonder if they need some help with that? 😉

(C) Stone Road Inc (2012)

