BCM/DR & Covid-19: The Rush is On!

Posted on March 28, 2020 by StoneRoad

All around me I see people focused on Covid-019 and as it’s such a major aspect, incident and focus in today’s world, that’s not surprising. The amount of impact a tiny virus cell has had on the world is incredible. Who ever said the small things don’t matter, obviously didn’t know anything about diseases and pandemics.

The rush seems to be on to update plans? Seriously? Where was the updating over the last few years? Have BCM/DR practitioners forgotten that updating and maintaining plans and programs is a key aspect of the entire industry? It’s not a one-time thing, which seems to be the practices right now Anyone that comes out and says they are updating their plan now that the Covid-19 pandemic is here was not updating their plan prior to the outbreak. I don’t get it! Why weren’t we doing it? Did we become complacent and just not think that maintenance was necessary; that a one-time plan development was good enough?! Or that once we had a plan and did some sort of test/exercise, which probably entailed more planning than the actual development of the plan itself – was good enough. Sorry, that’s just not going to cut it.

Why?

Why did we become so complacent and not maintain our plans? Some have kept them up to date, as you see blogs and posts on social media sites stating they they’re following their plans and protocols but they seem to be either less than or equal to, the number of those that didn’t maintain their plans. If they weren’t maintaining their pandemic plans (aka People Availability Plans), I’m curious to know just what plans or parts of the BCM program were being updated. Call trees? Crisis Management Team (CMT) contact information? The IT Technology Recovery Plan (ITTRP) / IT Disaster Recovery Plan (ITDRP). What has been maintained?

There’s a gap with support too, because obviously executives don’t know what they’re doing for the most part and many are stating they were hit with the Covid-19 pandemic disaster by surprise. BULLCRAP!! We saw things coming weeks ago, as the virus began to spread from China to Japan and South Korea and then to other areas. We got the head’s up it was coming but sat by believing it ‘wouldn’t touch us’. Well, they were wrong.
Now the rush seems to be on to ‘mitigate’ and impact but the impact is already here, so they are actually responding to Covid-19. A few week’s ago organizations may have been able to get away with saying they were performing mitigation activities but they can’t now; they’re responding.

Perhaps it’s a way of telling themselves that they aren’t in any way responsible for what’s happening, so they can blame someone else down the road for not being prepared. Saying they are implementing mitigation plans isn’t really true at all; they just don’t want to admit they fell behind. Hence the rush to get a response in place; any response to help with where they are and how they’ve been impacted.

Alex

Crisis Management: When Does a Crisis Start?

Posted on July 12, 2013 by StoneRoad

Many of us don’t hear about a crisis until it hits the newswires, either through social media, news websites or through a posting on a social site we might follow. In some cases, we might not know about a crisis until we see 1st responders racing down the road heading towards and emergency.
Some will automatically see a disaster as a large catastrophe and one of the BCM/DR industry definitions of a disaster is that it’s a sudden, unplanned event that prevents the organization from performing normal operations. Though both a crisis and/or disaster can start well before the public or media even get wind of the problem.
Sometimes a disaster doesn’t begin until after a period of time when a lesser level of operational hindrance has been experienced. Then when the disaster itself occur, the management of the situation will determine the level of crisis; meaning how well the crisis is handled from the perspective of the public, media, stakeholders (vendors, partners etc) and employees.
For an operational impact, it could be that a key application is offline but is that a disaster? Probably not. If the offline application has a major impact upon people causing major distress and problems such as something in health care or the financial industry, then yes, that application being offline – even for a short time – is a disaster. How the immediate response and post-disaster activities are managed is what will create the crisis for the company. If you get something up and running within a very short time (and in today’s world that’s usually no more than an hour) then it might not be a disaster and a quick response and communication to the community will suffice. If it’s longer, then the management level and involvement of the situation and the level of impact it has becomes a disaster.
Still, if an organization has an internal Crisis Management process in place, early identification and response measures may prevent the incident from escalating and becoming a crisis – or a disaster if nothing is done about it – in the media or public eye. It was just an incident that didn’t have any major impact. Oddly enough, it could have been a major interruption but the impact on Service Level Agreements (SLA), employees, customers, vendors and partners was limited in size and scope; it was just a major incident for the company involved because of the resources (financial, time, personnel) it took to get resolved.
So, when does a crisis start?
It starts the moment the organization believes that someone – anyone – will begin to ask questions. It could be a client, employee (who will access social media about it if they haven’t been educated about not communicating corporate activities), vendor, partner or in some cases a financial institution or legislative body. An organization may be able to manage the situation internally with little impacts being had on external – and internal parties – but as soon as questions are asked about the disruption, you have the start of a crisis. It’s how well you manage those initial questions – along with the incident response itself (I.e. getting the critical application up and running as soon as possible) – that will determine how big the crisis escalates. If you don’t manage it properly the crisis will grow and escalate, making it a ‘Public Relations’ disaster.
The start of a crisis is different for every organization. It all depends on the level of preparation, preparedness and response is developed and instilled within the corporate operations. If an organization doesn’t have anything developed or the level of development is sub-par and very ‘flimsy’, the crisis starts quickly and escalates quickly – reaching that “PR” disaster timeframe in record time.

**NOW AVAILABLE**
Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3.
Available at http://www.stone-road.com, http://www.amazon.com, http://www.volumesdirect.com

12 Tips, Trips & Traps: The Business Impact Analysis (BIA)

Posted on July 1, 2013 by StoneRoad

Hello dear readers!! We’ve been a bit quiet lately over here at StoneRoad due to multiple vacations (Singapore, Australia, New Zealand and more) and now that we’re all back, it’s time to start posting once more. Enjoy…
The StoneRoad Team
**************************************

**The below section is an abbreviated bonus taken from the Appendix of the book, “Business Impact Analysis (BA): Building the Foundations for a Strong Business Continuity Program” by A.Alex Fullick. The full text can be found in the aforementioned book.**

Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA. The following are some common mistakes that need to be addressed to ensure that the BIA is effective:

1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program.

2. No Timely Follow Up of Results – A BIA is conducted almost always in support of an enterprise-wide business continuity program. The real value of a BIA is the follow-up activities that lead to effective recovery strategies being implemented based on the BIA priorities of the business processes. Occasionally, so much effort and cost is put into the BIA that business continuity planners never get around to fully implementing the follow-up recovery strategies and plans. Without the implementation of these follow-ups, the value of the BIA becomes wasted.

3. No Agreement on Scope (Level of Detail) – This level of detail can span an entire spectrum. On one end, some BIAs will contain relatively little detail to provide a higher-level executive view of the analysis. On the other end, and far more prevalent, are BIAs that include for each business process its corresponding input dependencies, output dependencies, recovery point objectives, recovery time objectives, and financial impacts. The common mistake here does not involve selecting the right or wrong level of detail – what’s appropriate for one company may be totally inappropriate for another – but rather, failing to reach agreement among all relevant parties as to what level of detail best meets the requirements that are driving the BIA in the first place.

4. Minimal Executive Support – One of the factors that most influences the relative success of a BIA is the degree of executive support offered at the outset. The kickoff process usually consists of two parts: a widely distributed email and an initial presentation. The email should come from the highest level executive sponsoring the BIA and should be distributed to all parties who will be participating in the effort. The email should emphatically voice the executive’s support for the project and insist on the support of al participants, particularly during the interview process.

5. Poor Questionnaires – An important step of any BIA is the collection of data from business units. The manner in which this data is asked for often spells the difference between a full, timely and meaningful collection of data, and one that is delayed and incomplete. One of the best ways to avoid this situation is to develop survey forms that are thorough enough to capture all relevant information and simple enough for business users to complete quickly and easily.

6. Lack of Preparation for Interviews/Workshops – Interviews are the cornerstone of a successful BIA, yet few planners prepare adequately for them to ensure their effectiveness. Interviewers need to learn as much as they can about a given business unit prior to the meeting, including a thorough review of the respondent’s survey.

7. Lack of Critical Focus – Analysts frequently make the mistake of asking business users ‘what are the most important business processes within their department?’ The reason this is a mistake is because virtually all critical business processes have a large degree of importance and value – otherwise they would not be designated as critical – resulting in less likelihood of it being easy to prioritize processes according to value or importance. A much better question to ask is ‘how long can a business process be idle before major impact is felt?

8. Focusing on the Tools Instead of the Process – Some analysts who conduct BIAs become very focused on the tools they will be using in the collection, compiling and analyzing the data provided by the business users. The emphasis often shifts inappropriately from the process being used, to the automation that can be applied to the process. There is an inherent flaw in this approach. If a poorly designed manual process that is being used to collect and analyze the data suddenly becomes automated, what you typically end up with is a poorly designed automated process.

9. Ineffective Interviewing Technique – I have known more than a few BIA analysts who preferred to rely solely on surveys, questionnaires and emails to collect needed data. The example previously cited concerning the over-focus on tools shows how this can less than desirable results. Analysts often say that setting up interviews can be more hassle than it’s worth. They will mention how interviews often start late, or may be cut short, or have to be re-scheduled, or cancelled altogether. In my experience, the real reason some BIA analysts try to steer clear of face-to-face meetings is that they tend to use ineffective techniques when interviewing business process owners.

10. Insufficient Results Analysis – Analysts conducting a BIA collect a wealth of information during the course of their efforts. But the value of this information is sometimes diminished by poor or incomplete analysis of the data. Analysts need to look for trends, patterns, relationships and discrepancies among and within the data to ensure a thorough and meaningful analysis.

11. Unclear Presentations – Data that is thoroughly collected and well analyzed is sometimes de-valued by an unclear or confusing presentation of the information and results. Managers in general and sponsoring executives in particular, expect BIA analysts to summarize their results in high-level presentations that are succinct and effective. Unfortunately, this does not always happen. Analysts gather a huge amount of data in the process of conducting BIA. In compiling and analyzing this data, analyst sometime err on the side of presenting too much information rather than too little.

12. Undefined Scope – Often, the BCP focuses entirely on system restoration. Resumption of business needs to include the people and processes required to resume operations. Many BCP programs are headed up by IT departments. ‘Tunnel vision’ can often cause these departments to focus on system recovery and not take the people issues into account. During an event, the people issues are often the most difficult to resolve. The scope of a business impact analysis (BIA) pertains to the number of business units, such as Finance, Administration and IT, which will be participating in the effort.

Don’t let your BIA efforts fall to the wayside; make sure you have strong BIA approach and you’ll end up with a strong BCM / DR program.

6 Questions: Why an Organization Should Exercise BCM/DR Plans

Posted on May 24, 2013 by StoneRoad

It’s great to have many continuity plans and strategies to prepare for and respond to, disasters. However, if they aren’t validated they don’t carry any weight and there’s no way of knowing if they would be any good – useful – when a real situation occurs.

BCM practitioners may make the case for exercising plans but sometimes management may not want to provide the resources – physical & financial – available to validate the plans. There are a few questions that can be posed to executive management to possibly allow for the right kind of commitment and support to validate continuity strategies and plans.

1. Will an exercise increase overall BCM awareness within the organization? Well, let’s face it, if you’re exercising BCM plans, of course you’ll be increasing BCM awareness. Depending upon what you’re exercising and how you manage / facilitate the exercise, awareness will be increased but make it a positive experience or else BCM will end up being something negative in participants eyes.

2. Will the exercise identify potential ‘gaps’ in documented BCM plans and procedures? Let’s hope so. Not only do you want to validate what you have documented and discussed with numerous representatives but you also want to find things that may be wrong in the plans – not just what’s right.

3. Is there potential for the exercise to provide ‘learning opportunities’ for participants and the organization in general? If managed correctly and viewed as a positive experience, then employees will learn from the exercises – and from each other. In some cases, they may even be working with people they wouldn’t normally encounter in their daily operations.

4. Will the exercise provide an opportunity to leverage the results for further corporate gain and benefit? They should. If you can show that you’re exercising you plans – and have documented proof of them (Exercise Charters, Executive Summaries, Issue Logs etc) then you can use this information to help respond to RFPs etc and develop a stronger case for a potential client to choose your organization over a competitor. Having a strong BCM program can be used for competitive advantage.

5. Can the exercise provide skills and knowledge transfer between participants? Depending on what is in scope for the exercise, participants may need to seek assistance from other people in the organization for guidance. For instance, if a Single Point of Knowledge (SPOK) isn’t available to rebuild the payroll server because they are busy with other initiatives, they may be able to pass along their knowledge – as best they can – to another resource who will do it for the exercise, this way people are talking to each other and learning from each other. This is a simple example but you get the idea.

6. Can the exercise increase the responsiveness and effectiveness of the organization should a real disaster (or other event) occur? Simply put, the more practice people get the better they become, whether that be BCM or in any other area. Whether you have a large scale situation or a smaller scale incident, you’ll be better prepared if your people – and the processes and plans – are better prepared and knowledgeable. Enough said.

If any answer is ‘yes’ to the above questions, you’re well on your way to securing the support for validating continuity strategies and plans. Exercising only makes a person – or in this case, a program – stronger more robust.
© StoneRoad 2013

**NOW AVAILABLE**
Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3,
Available at http://www.amazon.com, http://www.volumesdirect.com and
http://www.stone-road.com.

BCM / DR Program Templates Available from StoneRoad

Posted on May 12, 2013 by StoneRoad

Check out our revamped shop at http://www.stone-road.com. We’ve added lots of new document templates to help get your new BCM / DR program off the ground – with more on the way. Each comes with built-in instructions so you don’t need to try and figure it all out on your own. You can even manipulate the templates if you want to so they address your specific need. Our goal is to show you ‘how’ to do things not just tell you ‘what’ you need to do.

Here’s a sample list of what we’ve got so far:
1 – Test-Exercise Project Change Request Template – $9.99
2 – Test-Exercise Scope Statement (Charter) – $29.99
3 – Test-Exercise Executive Summary – $29.99
4 – Operating Unit Business Continuity Plan (BCP) – $79.99
5 – Business Impact Analysis (BIA) (This one along can cost thousands for a software application.) – $79.99

Coming soon:
1 – Employee Logistics Plan – $tbd
2 – BCM/DR Program Policy Template – $tbd
3 – BCM / DR Program Overview (As a bonus, this will include the Policy template) – $tbd

If there’s something specific you’re looking for, send us an email. We’ve got lots in our arsenal and alwasy building new templates so we may just have what you need and just haven’t gotten around to getting it up on the site. We can always build something for you. You can reach us at inquiries@stone-road.com.

StoneRoad: Reducing Corporate Suffering Through Continuity Planning.

Regards,
The StoneRoad Team
StoneRoad 2013 (C)

7 Things That Can Ruin a BCM Program

Posted on May 11, 2013 by StoneRoad

When financial hardships strike an organization, the Business Continuity program usually takes a hit. In fact, often it will take a hit when times are good so that the corporation can focus on other initiatives; initiatives designed to build upon the good times and keep the company making money. Increase that revenue, YEAH!! When this occurs, resources get reassigned to other projects and the BCM program gets placed on the back burner or it will see resources funnelled away to support other initiatives.
What kind of things do organizations cut from their budgets that can undermine and slowly dismantle a BCM program? Here’s just a short list of some of the actions corporations will take in diverting BCM intended resources.

1. Training – Training is suspended because sending employees on courses to upgrade and keep skills current is deemed as being too costly, especially if travel and accommodation is required. This training also helps to bring new ideas to the organization on how to better their programs but at the same time many executives (or those that approve BCM training) will simply state that the corporation knows what it would do. Thus, additional training isn’t required. Or worse, they send BCM people on courses that have nothing to do with their role.

2. Tests / Exercises – Some BCM tests get cancelled because they take resources away from other initiatives that are deemed a higher priority. Not exercising – and validating – plans and policies can cause issues with recovery procedures when a real disaster occurs because they haven’t been validated and team members have not practiced what they need to do. Also, some believe that if you’ve exercised once before, that’s all you need to do. You did it so you don’t need to do it again. Wrong! The more practice and progressively challenging you make the exercises the more robust the plans and policies become – and the better you’ll be able to respond and recover when disaster strikes.

3. Business Impact Analysis (BIA) – An organization will choose to skip updating the BIA and utilize previous findings assuming that nothing has changed, which is rarely the case. If nothing changed – ever – then there would be no such thing as projects. Projects drive change; from technology to processes. When projects are implemented it will change existing processes, introduce new ones or cancel some others. All this must be captured in the BIA and then carried over to the appropriate plans (i.e. contingency plans, crisis mgmt, technology recovery etc). Remember, ‘change is constant’ and the BIA should be able to capture those changes and then funnel them through to the right areas of the program so it reflects the organization as it is now – not as it once was.

4. BCM Awareness Program – Awareness weeks or sessions, assuming your organization has them, are cancelled to concentrate on other initiatives or because management don’t want to put a ‘scare’ into employees. Most employees I’ve ever worked with have said they would like to know what is expected of them in a disaster; keeping it from them is not a good idea. You’re really harming yourself and the business in the end. Some of the best ideas will come from involving people and keeping them up to date on progress. To put this in perspective, I was told by a Senior Director of a client that they would be making a poster of a specific announcement and hang it up around the office. “Everyone will see it and know of it and we’ll make sure it’s updated as needed”” they said. I guess they didn’t notice that just outside this director’s office were 3 posters; 1 was no longer relevant for the last year and the 2nd poster had a due date on it that was just over 2 years. Hmm, I wonder if those were supposed to be updated too.

5. Maintenance Initiatives – Business Continuity Plans (BCP) or other BCM components don’t get updated, which means that the best any BCM program can do – when not having been maintained – is take the organization back to the state of services and systems at the last time of updating. This is very specific when it comes to Technology Recovery Plans, which if not updated will only bring back systems that could reflect the structure of the company three year prior – assuming maintenance hasn’t been performed for three years. It could end up costing a corporation more money to purchase software and hardware to help bring the recovered systems to more updated levels. This can also increase the time it takes to recovery causing additional delays in getting operations running again. Also, there nothing worse that trying to find someone through call trees or notification applications (or whatever method is used) only to find that they changed numbers and now you can’t find one of the key people you need to help get restoration and recovery efforts started.

6. BCM Support / Investment – Investment in BCM is reduced or halted. This would include future initiatives such as building a new data centre, upgrading the backup tape systems, renewing key components of a Disaster Recovery (DR) vendor contract, or ensuring that a hot-site DR site (which can be internal) is linked to the main data centre to ensure that constant communication is kept between the two sites. Sometimes these initiatives are cut in favour of sticking with what is known for now (i.e. restore from tape), which can be detrimental if it takes 24 hours to restore from tape but certain systems and services need to be available and fully functional by the 8 hour mark. Just like an old car, the older it gets the harder it is to find anyone who has the skills and knowledge to fix the issues and the parts become scarcer and scarcer and the level of reliability on the car slowly begins to slide down the scale.

7. Organizational / IT Change Management: Nothing last forever or rather nothing stays the same forever; change in constant and the organization is constantly changing. If organizational change management (OCM) and IT change management aren’t incorporated or monitored by the BCM/DR team, plans will quickly become obsolete. They’ll only represent the organization as it was before the last change, assuming that while various BCM/DR program components were made, no changes ever occurred (and we know that isn’t true). So keep an eye out for change at all levels because if you don’t, you’re program will quickly fall out of step with the rest of the organization.

When any of these occur, the corporation begins to put itself in danger because what may have been a strong BCM program is now being scaled back and no longer receiving the focus it should have. When the corporation is growing and expanding during the good times, so too should the BCM program, otherwise if the corporation is hit with a disaster situation, it will have a program that only reflects the corporation before it expanded and implemented new initiatives. The corporations BCM program is only as good as the resources and the focus it receives from the top tier levels of the organization and the amount of respect it gets.
StoneRoad 2013 ®

**NOW AVAILABLE**
Purchase books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, at the following locations:
http://www.amazon.com, http://www.stone-road.com/shop & http://www.volumesdirect.com.

10 Issues to Remember When Initiating and Developing a BCP Program

Posted on March 10, 2013 by StoneRoad

Most organizations don’t want to imagine what would happen if a disaster struck their operation, but what if a disaster did strike. How would your organization respond? The best way to know how to respond is to develop, implement and maintain a Business Continuity Management (BCM) program. A BCM program provides a framework for building organizational resiliency with effective responses and safeguards that protect its reputation, stakeholders, employees, and facilities.

BCM is not just about remedying technology shortfalls, as many organizations believe. It’s also about securing, protecting, communicating and preparing corporations from disastrous impacts upon its workforce, facilities and its technologies – To minimize the impact on operations. BCM touches every aspect of an organization from the mailroom, the field and the call centre to the manufacturing floor and right up to the boardroom.

To make your program effective, consider some of the following suggestions when planning:

1. Start With the Worst – Begin the planning with the worst-case situation your organization can imagine. For many, this example is the tragic events of September 11, 2001. Work backwards from there and you’ll start to fill in many of the dangers that can harm your corporation. You’ll also be able to start challenging the worst case situation and begin to get more inventive with potential impacts – and develop the plan accordingly.

2. 3 Pillars of a Business Continuity Plan (BCP) – Every BCP plan must address three things; Workforce Availability, Facility Availability and Technology Availability. If each plan has these three core components, an organization can respond to any disaster situation and expand their capabilities by adding varying situations and scenarios through validation exercises.

3. Dedicated Resource – Assign a person with the appropriate training and authority to get things done, if not, the program will quickly fall to the wayside in favour of other initiatives. This may include getting outside help to get the process kick-started (i.e. consultants, contactors etc).

4. BCM Program vs. BCM Project – The BCM program must live on and continually meet the needs of an organization, as it grows and changes; so to must the BCM program. A project has an end date but a program must live and breathe and contain more than just a single aspect of BCM. Therefore, when the Business Impact Analysis (BIA) is completed, that’s just one ‘project’ of the overall BCM program; you’ve got lots more to get through and develop.

5. Exercising/Testing – Plans mean nothing if they haven’t been validated. Every organization must exercise its plans to make sure they’ll work during a disaster. It’s better to find gaps in your plans through exercising and under controlled circumstances rather than when the real thing happens.

6. Executive Support – If no one is there to champion the BCM program, it won’t last too long. In fact, there’s a good chance it will run out of steam and end up on the backburner of boardroom discussions. Having executive support shows the rest of the organization that BCM is taken seriously.

7. Awareness & Training – It can take a long time to develop continuity plans and create processes and procedures but if no one knows how to use them, where they’re kept or under what circumstances they’re required, they won’t be of any value or use. Remember, awareness and training are not the same things and every level of the organization must received its fair share of both if the program (and all the developed plans and processes) are to be useful and successful.

8. Focus on People – This should be a no brainer; BCM is about people. It’s people that build the plans, use the plans, review and exercise the plans. It’s people that will be impacted by not having plans in place; clients, vendors, employees and communities. If you state that technology availability is the most important part, you’ve basically told those individuals – who you need to help build plans – that they aren’t important. Keep in mind; people first.

9. Business Impact Analysis (BIA) – Every company must understand what it does and how it does it. A BIA is the process of analysing business functions and the effect that a disruption might have upon them. Knowing this will help corporations develop appropriate Business Continuity Plans (BCP) and other contingency strategies. Ensure you get agreement on the findings, don’t just state what they are and move forward. The findings from a BIA are what the attendees believe is important and it could turn out that what they feel is important to the company is not what executives believe is important. Make sure executives are in agreement with the findings before you start developing restoration and recovery plans – you could be way off the mark.

10. Program Maintenance and Monitoring – If program components aren’t maintained and updated the Business Continuity strategies developed – and the related documentation – will reflect the corporation as it once was, not as it current is.

11. Bonus: Using Software Only – Software can be very beneficial for maintaining and gathering information but beware, it doesn’t take into account the nuances of people or scenarios specifics. It may tell you that you need 10 desktops in 24 hours but the situation itself may call for something completely different based on what has occurred. Don’t fall into the trap that DR/BC software will answer all your questions and save you; it’s a tool to help you.

Having a BCM program in place is a part of an organizations Corporate Social Responsibility (CSR) but there are other benefits to implementing a program. First, your organization will have the security in knowing a robust plan is in place to deal with disasters, providing safety and security for all employees. Second, a proper BCM program will provide a competitive advantage. Those organizations will strong programs win out over organizations that don’t have BCM plans in place because there is knowledge that your organization will have developed a way to provide a product or service even during a disaster.

It’s not easy building a BCM program; it can be tough to develop, implement and maintain but it will only take a single crisis or disaster to prove its worth. A single crisis or disaster can be one too many. Are you prepared?
© StoneRoad (2013)

**NOW AVAILABLE**
Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, available at http://www.stone-road.com, http://www.amazon.com, http://www.volumesdirect.com

BCM document templates available in the ‘shop’ section at http://www.stone-road.com.

New Book by A.Alex Fullick – Business Impact Analysis (BIA): Building the Foundation for a Strong Business Continuity Program

Posted on February 27, 2013 by StoneRoad

We’re so happy to announce the new book release by StoneRoad founder, A.Alex Fullick. Checkout the press release below. For purchase details go to http://www.stone-road.com of http://www.amazon.com.

Congrats boss!!
***************************

Alex Fullick wants you – and your business – to succeed. Better yet, he wants you to flourish beyond your wildest dreams. But what Alex Fullick knows (and what you may not yet know) is that business success doesn’t come out of the blue, or on a whim or stroke of luck. You have to plan for business success, not only for the anticipated good times of strong sales, revenues and profits, but also for the difficult days when a sudden disaster strikes. It can – and does – happen.

Welcome, then, to the world of Business Continuity Management (BCM), the world where BCM expert Alex Fullick resides. Over the years, he has seen it all – and the one key conclusion he’s reached is that businesses with a plan to deal with significant disruptions and disasters are generally the ones that emerge from the situation stronger and with their operations intact. The reverse is just as true: an organization without a continuity plan is taking an enormous risk, one that has the potential to destroy the company and lay waste to years of hard work.

Fullick acknowledges that, to most eyes and ears, the very notion of “Business Continuity Management” is a term that might cause the ears to shut down and the eyes to glaze over. It may be a dry topic, rather lacking in sex appeal, but it is also a very important cog in your business-planning machine. Simply put, if you are a business owner or key manager, you need to know exactly what you will do when disaster strikes.

Fullick’s most recent planning guidebook is entitled Business Impact Analysis: Building the Foundations for a Strong Business Continuity Program, takes a detailed look at the steps a business owner needs to take to gather the information required to create and manage a strong business continuity program. The BIA, in Fullick’s view, is the foundation upon which a business continuity program is built; it follows, then, that a proper Business Impact Analysis requires strength and depth and that its content must fully reflect the operational and cultural needs of your organization. There is no single cookie-cutter approach that can be applied to each and every business operation.

This book should be required reading for business owners and senior corporate officials, not only because the subject is itself of vital importance, but also because Fullick lays out his BIA foundation in a straightforward contextual manner that is both appealing and highly informative. Business Impact Analysis is a critical building process – and Fullick provides the tools required in an easy to follow systematic approach so that organizational leaders can use the BIA process to its very best advantage.

*****************
Alex Fullick is the founder and managing director of StoneRoad, a business consultancy based in Southern Ontario that specializes in a process known as Business Continuity Management (BCM). Fullick published his first work in 2009 entitled Heads in the Sand; he followed that up with Volumes 1 and 2 of Made Again. Business Impact Analysis is his fourth publication with two further publications in the works. In his free time, Fullick is an avid curler and hiker.

Business Impact Analysis: Building the Foundation for a Strong Business Continuity Program
by A. Alex Fullick
ISBN: 9780981365749
$19.99
For more information visit: http://www.stone-road.com

10 Questions to Ask Your Partners/Suppliers about BCM / DR

Posted on January 12, 2013 by StoneRoad

Organizations do not work in isolation; they require suppliers, vendors, partners and clients/customers. Without any of these and organization cannot – and does not – operate. Even an organization that might be the only provider of a service or product still needs someone to provide it raw materials before it can sell them to vendors and clients. Thus, if any supplier or vendor – either upstream or downstream – experiences an outage, the organization will begin to suffer as well. For example, when Toyota experienced a disaster due to the Japanese Earthquake and resulting tsunami, many manufacturing plants around the globe later experienced issues. They had to cut back shifts or in some business instances, the business had to close for a short time until supplies from Japan could be received once more.

The disaster may have been present in one part of the world but its impact was felt around the globe. As a result, it’s important for all organizations to understand what to do when one – or more – of their partners experience a disaster. It’s not an organizations responsibility to tell another what to do during a disaster (meaning, documenting a plan for them) but it is every organizations responsibility to understand the basics of what they need to do when a partner is operating in disaster mode?

Do you continue to operate? Do you temporarily stop making a product? Do you ship your product to a temporary location or stop shipping altogether? Do you want your vendors and partners to do – or not do – something specific when you have a disaster? Expectations must be understood by all parties involved when it comes to disasters. In fact, sometimes having a well documented and validated BCM / DR program can make all the difference to whether an organization chooses a specific vendor over another. Here are some basic questions you can ask a potential vendor or supplier.

1. Do you have a Business Continuity / Disaster Plan (or program) in place?
2. Have you ever experienced a major business disruption and how did you handle it?
3. What where the long term impacts to your organization?
4. Do you validate your BCP / DR plans on a regular basis?
5. Do you have dedicated resources (with assigned roles & responsibilities) to address disruptions (incidents, crises, disasters) when they occur?
6. Do you provide financial support to your BCM / DR program?
7. Do you have Senior Management / Executive support and sponsorship for you BCM / DR program?
8. What is your basic response, restoration and recovery strategy? (Note: They may be reluctant to provide details, which one would expect, though they should be able to provide a high-level overview of what steps they would execute if a disaster occurs.)
9. Do you review (validate) your BCM / DR requirements on a regular basis?
10. What makes your program better than your competitors?
11. Bonus Question: How do you manage change in your organization and does BCM / DR reflect those changes?

Depending on the nature of your operation and the responses to the questions above, you will probably have follow up questions that need asking. Be very weary of anyone who tends to downplay the importance of BCM / DR and corporate resiliency because if they aren’t providing you information that makes you comfortable just think what it’ll be like when a disaster occurs. Remember, they may be the one’s experiencing a disaster but it’s still could have a significant impact upon you.
© StoneRoad (Stone Road Inc) 2013

**NOW AVAILABLE**
“Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”
by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3
Available at http://www.stone-road.com, http://www.amazon.com & http://www.volumesdirect.com

9 Things to Know When Presenting BCM / DR to Senior Executives

Posted on December 16, 2012 by StoneRoad

Recently I attended a great conference on a subject connected to the Emergency Management and Preparedness industry. It was quite informative and as I always try to do, left with greater knowledge than when I arrived; always taking with me information that can help boost any potential gaps in Business Continuity Management, Disaster Planning & Management, Crisis Communications and Emergency Management. It certainly did provide some great insights.

However, I found that due to many of the attendees and presenters – many of which were scientists and researchers – the message they were trying to convey sometimes got lost during their presentations. It was because they were incredibly intelligent and brilliant in their thinking, they could not speak to the audience; they were speaking at the audience. Often, many of them had the same end-message, where governments and organizations need to step up and take their topics seriously but it got me thinking; if I can’t understand some of what is being said – and I’m in the industry – how are governments and organizations going to take the message(s) seriously? They won’t be able to because they aren’t able to understand the message.

So I started writing some notes that would inevitably help presenters when speaking or presenting in front of others. If you can manage a few of these your message will be better received – and understood.

1. No Gaps: Don’t leave anything out of the message you’re trying to convey. Make sure you state the past experiences and state of the organization as well as your desired end state. An author doesn’t tell half the story or leave anything out; at some point the entire story is there for the reader. This must be true to BCM/DR/ERM; tell the entire message you’re conveying.
2. Verbiage to a Minimum (Slides): If you’re going to use PowerPoint slides, don’t overload them with tons of verbiage. Simply keep this in mind; do you want the audience to listen to you or read the slides, ignoring you? Choose wisely.
3. Not Just Data / Facts and Real Examples: Providing a ton of numbers won’t help get your message across – unless you’re an accountant. Since that’s not always the case, data – too much of it – will only get people to think of something else while they wait for you to finish your talk. Provide real example – even some from you own corporation – that illustrates your comments and position. Even provide good (and bad) examples from your competitors because if they’ve had a bad experience, which you can learn from – that’s the best example you can use.
4. Know the Value of BCM: If you’re going to present the good points of BCM to Senior Executives, really think through the value that BCM will bring to the organization. Too often it’s thought of as an expense but if you’ve thought through how it adds value to the organization, then you’re offering something that executives will listen to and buy into to.
5. Know the Stakeholders: When presenting in from on Senior Management, many believe that they are the stakeholders. Well, as with other internal resources (i.e. employees) that’s correct though they aren’t the only stakeholders. Remember to think of external partners, vendors and suppliers; they are stakeholders too and if they have a disaster your organization is impacted. If you have a disaster, they have an impact upon you and these dependencies must be understood by executives.
6. Acronyms: Simply put, people aren’t automatons or robots so don’t speak like one. Not everyone knows what they mean and with so many acronyms around these days, you could use one that has a completely different meaning than what you intend. If that happens, you’ve lost your audience because they simply don’t understand you. So if you’re speaking your language make sure you translate your words so they understand you.
7. Use of Assumptions: Many people forget that assumptions are those things you believe to be true; either in a disaster, during planning or in some other area. If you start quoting assumptions – especially in front of executives – make sure you investigate your assumptions first. And those you can’t clarify, make sure that during your planning efforts you either prove they are correct or prove them wrong. In the end, if you don’t clarify your assumptions, you could cause major headaches when a disaster occurs.
8. Be Relevant: Speak to your industry and your organization. Yes, some examples may represent others but stick with what you’re really after; getting BCM/DR/ERM buy in from your own organization. If you speak too much about others – especially other industries other than your own – you’re not being relevant at all. You’re wasting time – yours and theirs.
9. The Right Presenter: If you don’t know how to present or don’t know how to present, then get someone who is. You can still be there to answer questions and coach them ahead of time but if you’re not the right person to get the message across, get someone who is. It will make a huge difference if the message comes across with confidence rather than coming from someone who shows insecurity and stutters/stammers through the presentation. Feel free to join a Toastmasters group to help build your presentation skills.

We all want our presentations to be understood and welcomed and we have to know how to present our ideas effectively. If we don’t learn how to do that, we might end up with BCM being pushed to the backburner so make sure you get their attention right from the start; it could end up being the only opportunity you get.

Stoneroad's Blog

Business Continuity Management (BCM)

Category Archives: Call Tree