BCM PROGRAMS: It’s NOT a One-Time Thing!

When organizations build a Business Continuity management (BMC), Disaster Recovery Plan (DRP) or whatever name you want to give the program, quite often they fail to communicate a specific aspect of BCM to their sponsors and executive management: BCM is not a onetime thing.  It’s not a single goal to reach and then it’s over.  It’s not final when you’ve tested a plan and put the plan on the shelf (or saved the plans in an online application).

It’s ongoing.

It’s cyclical.  Yes, that’s right – cyclical.  That’s because for the most part any methodology you leverage to build your plans, protocols, processes, teams and programs, will fit into – one way or another – the Plan-Do-Check-Act (PDCA) framework developed by W. Edward Deming.  I won’t go into detail the overall cycle in this blog (maybe some other time) but one way or another what you’re doing to create your program is the PDCA cycle.

The cycle is a wheel, which continues round and round and if that’s the case then how could creating and especially the maintenance and review of a BCM/DR program be a onetime thing?  It can’t. This is what executives fail to either understand or aren’t told, which is why later on down the road people – especially executives, begin to question why BCM/DR activities continue after they believe the program (and its deliverables) have been established.  They fail to understand and practitioners fail all too often, to explain that BCM/DR is continuous and not a onetime project.  It’s an operationalized program (hopefully), which needs ongoing support, review and maintenance.

This really needs to be communicated up front when you first start putting you program together.  You may not know the full extent of when, who or how the program will be maintained but when you start your planning you’ve got to communicate that it’s something that’s ongoing.  You may deliver the Finance BCP plan but you’ve got to communicate that it will need to be reviewed annually (at least) for updates, as well as other program components and findings.  Organizational Changes, IT Changes and personal changes will require the continued maintenance and review of strategies and plans otherwise plans – and the program overall – won’t address the needs of the organization.

So the next time you’re talking to you program sponsor or providing an update to executives, make sure they are aware that the program is ongoing and needs continue support and resources.  Then they need to ensure that support exists in all areas and that all areas continue to support and provide updates when required.  It’s not over when the BCP or IT DRP is documented.  The program needs to move in step with the organization.

© StoneRoad 2018

A.Alex Fullick has over 21 years’ experience working in Business Continuity and is the author of numerous books, including “Watch Your Step”, “BIA: Building the Foundation for a Strong Business Continuity Program.”and Testing Disaster Recovery and Business Continuity Plans.”

Advertisements

Preparing for the Unexpected: LIVE @ DRJ Fall 2018 (Sep 24/18)!!

For anyone that may have missed it during our aired episodes of Preparing for the Unexpected with host, Alex Fullick on the VoiceAmerica radio network, this is just a reminder that we’re broadcasting LIVE from the Disaster Recovery Journal (DRJ) Fall 2018 conference in Phoenix, Arizona on Monday, September 24/18 from 11am (PST) to 5pm (PST). 

VoiceAmerica Live Event Page

We’ll be talking to conference speakers/presenters and attendees alike about all things Business Continuity, Disaster Planning, Resilience, Crisis Management and any other subject we happen to come across.

Enjoy!

The StoneRoad Team

fullick-Promo-Variety

Preparing for the Unexpected – March 29, 2018: The Salvage Team

Our March 29, 2018 show will focus on the often forgotten and overlooked team within the Crisis Management Team (CMT) structure: The Salvage Team.

Listen in and get some tips on how to manage this forgotten team.

https://www.voiceamerica.com/episode/105350/salvage-and-restoration-the-forgotten-crisis-team

Enjoy!

The StoneRoad Team

Business Continuity Management (BCM) / Disaster Recovery (DR) Document Templates Available for Small and Medium Businesses!!

Not every business can spend thousands and thousands of dollars on expensive software packages to get their BCM / DR programs off the ground – or has the time to get software configured and ready for use.

Having experienced these challenges first hand, StoneRoad developed a cheaper alternative: we developed document templates for Business Impact Analysis (BIA), Business Continuity Plans (BCP) and more.

Visit the StoneRoad site and go to the Shop section to view the various templates available and get your program moving with a low cost alternative to expensive software! Each template provides instructions on what information is needed so that you can build your program with less fuss – and with more results!

Here’s just a sample of our document offerings:

1) Test Scope Charter Document (Word Document)
2) Business Impact Analysis (BIA) (Excel Worksheets)
3) Operating Unit Business Continuity Plan (BCP) Template (Word Document)
4) Emergency Employee Logistics & Pandemic Plan (Word Document)
5) Test Executive Summary (Word Document)

…and more. We’re adding new templates all the time to help you. We even have BCM & DR books and ebooks available.

So download what you need and get started!

Happy planning!

Regards,
The StoneRoad Team

“Reduce Suffering Through Disaster Planning”

© 2014, Stone Road Inc.

BCM & DR: Plans That Can’t Be Made!

In many organizations, executives and employees – and even auditors, will ask Business Continuity Management (BCM) / Disaster Recovery (DR) practitioners if they have plans for every situation possible; every potential risk and every potential impact to the organization. Considering that the number of risks that exist in the world today is basically infinite – once you calculate all the various potential impacts to an organization from a single event – there will be communication, restoration and recovery plans that just can’t be developed, documented, implemented, communicated, validated or maintained. It is impossible to have a response to every situation; the secret it to be able to adapt to the situation and leverage the response plans you do have to help adapt to the disaster situation.
Still, the questions will come about these plans and why a response isn’t captured for a particular situation and its resulting scenarios. A BCM/DR practitioner must be able to address these questions and be able to respond with reasons as to why specific plans don’t – and can’t – exist.
There are a few key reasons that practitioners must be able to communicate to those asking the questions and they are noted below.

1. Unknown Unknowns – In any situation – both disaster related and non-disaster related, will contain all sorts of details. One specific activity or item can have multiple responses depending on the details that come from the situation itself. For example, an earthquake can cause minor or major damage to an area but depending on where it occurs and when it occurs, the responses to the earthquake will be completely different.

2. Highly Improbably – Sometimes a risk to an organization is just so improbably that creating a plan for the situation would be futile and a waste of resources (time and people). For example, an organization with a facility in the middle of the Canadian prairies wouldn’t bother creating a disaster response plan to avalanches; it’s just so highly unlikely that it could ever happen. If an organization documents the probably risks – such as floods or snowstorms for that previously mentioned prairie location – it can adapt the plans that address the likely risks to those that are highly unlikely. New plans for unlikely activities would just distract from developing plans and processes that are really needed.

3. Changes in Assumptions – Assumptions are those things we believe to be true and they should be challenged continuously; especially through tests and exercises. However, if they aren’t challenged at some point then the continued planning and BCM/DR program development could be based on false information. For instance, if specific partners are expected to perform specific tasks for your organization when it experiences a disaster but they don’t know about them – or the tasks have changed and they’ve not been notified – your plans are going to out of sync with expectations and need. Plans are not build on assumptions but the detailed activities contained with them will be built by assumptions and they must be reviewed at all times.

4. Public Opinion / Perception – Public opinion can change with no warning; what the public may agree to in one situation they may not agree with in another situation- even when the details are relatively the same. All an organization can do is ensure it has a comprehensive Crisis Management and Communications Plan (CM&C) and those responsible for the plan understand how to communicate with the public and respond to the public. There is no way and organization can guess at what the public may believe and trying to determine every response plan to unknown perceptions would take eons to develop – something that an organization just can’t do.

5. External Directives – Depending on the scale of the situation, an organization may receive instructions from 3rd parties, such as the police or local governments. It’s never known what these groups may dictate to an organization, as it’s never known ahead of time what or when a disaster will occur. Thus, a plan can’t be developed to address the specifics of what to do based on directives received from external sources. However, if an organization has an established BCM/DR program with relevant plans and processes, it can adapt itself to the situation based on the impact to the organization itself. If an external source dictates a directive then the organization can take what it has in place and adapt itself. But a plan specific to communications that haven’t been provided – because a disaster hasn’t occurred yet – can’t be documented.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”

12 Reasons Why Organizations Will ‘Forget’ What to Do in a Disaster

Many organizations can build comprehensive BCM program and plans; detailing every action and activity needed to ensure the continued operation of an organization when a disaster strikes. However, even the most comprehensive program and plan can still suffer greatly when they are needed the most because many organizations’ DR team and team members forget what it is they are supposed to do.
There are many reasons for that. Sudden changes in environment can throw people for a loop, as the situation throws chaos into their normal day and it’s easy for people to forget what to do when they are required to do it. Sometimes the reason for plan activities or action items being forgotten occur even before the disaster situation makes itself known.
Below are some of the reasons why people – and organizations – forget their activities before and during a disaster.

1. No Executive Support: It’s easy to forget some initiative within an organization when even the executive leadership don’t support it. After all, if they don’t care for something, why should anyone else? It’s that simple, without executive support people will quickly forget that there is BCM or DR program in place for when a disaster occurs. Even executives will wonder where it is and believe it or not, even without their support having played a part in its development (if at all) will wonder why no one knows what’s going on and why people aren’t performing tasks.

2. No Leadership: Continuing on from #1, people want leadership during a disaster; they believe that those responsible for the organization in good times, is also responsible for the organization during bad times and will provide guidance and leadership on what needs to be done when a disaster occurs. If there is no one taking responsibility for the disaster, then people are left hanging – wondering what to do. This doesn’t mean the leader or coordinator of the response functions is responsible for the disaster, it means they are taking the responsibility to lead the organization resulting of the disaster. Even if employees and members of various DR teams are aware of their activities, they are still looking at the organizations leadership to provide direction and provide answers to any key questions that may come up as a result of specific situations discovered based on the disaster. If executives and/or senior management aren’t part of the decision making process and part of the BCM program, they won’t know what to do or what is expected of them. The executives themselves won’t be aware of the DR/BCM team makeup or what any of the program protocols are. They could end up trying to lead the organization through the disaster, blind.

3. No Plans: One of the biggest reasons people will stand around wondering what to do is that there isn’t a plan – even a bad one – in place for them to activate, reference and follow. In a nutshell, the organization has done nothing to promote any sort of disaster response or planning mechanisms and when disaster strikes, there is no know prioritization of what needs to be activated. All the responses are made up on the spot, which could pose even more problems for the organization. It’s like a jigsaw puzzle; you don’t start putting the pieces together until you know the picture (or at least most people don’t) and you can’t rebuild a corporation after a disaster when you don’t even know what pieces you need first to rebuild it. No plans in place can mean the end of the organization, as it will take too long to figure out what is priority between the business and technology and getting the two to agree to a restoration, recovery and resumption strategy. You can’t ‘wing’ it in a disaster…

4. No Delegation of Authority: It’s often quite comical when someone is required to perform BCM activities, as captured in a DR/BCP or crisis management plan but they aren’t give the authority to do so. This can mean they don’t have the delegation of authority to make decisions or provide guidance to others or they don’t have the IDs and/or passwords to perform functions. It’s like giving someone a car and telling them it is all paid for and its there for as long as they want it but not giving them the key. This is one thing that stops many organizations from performing activities; people don’t have the authority to do anything and thus, they are waiting for direction from others when in fact they are the ones who are supposed to be providing the direction. If someone doesn’t have the right authority to perform activities, they will be a roadblock to other activities and many groups may be standing and waiting around for guidance and information. And further on the point of IDs and passwords; often this information is created and placed in a secure location that people forget about. Rarely are they reviewed and updated and even remembered because they are placed in an online folder, which is no longer available because technology has failed. These IDs and passwords are for use only during a disaster so they rarely get reviewed. These should be part of an annual (at least) review to ensure the people remember where they are and what they are – and remember that these are probably powerful IDs and passwords and only a few key people should know about them to start with. If someone leaves the organization, make sure you change the passwords and remove their ID just in case. When you test, try activities using these profiles to ensure that they are current and validated; that required activities can be performed using these ‘generic’ IDs and passwords but are amended after the test so they are fresh and those using them – the users – can’t use them during normal business hours.

5. No Testing/Validation: If validation activities are not performed, then how can anyone know exactly what to do? Testing is a form of training and training will help people identify their roles and build BCM plans and processes. When testing, start off small and then build upon successes – and upon problems – so that the program becomes stronger and stronger. If no one participates in test then no one has the opportunity to practice their roles and areas of responsibility; they then need someone to remind them or provide guidance to them as to what to do. Also, if you only test once or rarely, people will forget what they need to do and where their materials are located.

6. Assumptions: A key reason many stand around not knowing what to do, or forgetting what they need to do, is related back to the assumptions made during the initial stages of building and implementing plans and processes. All too often non-technology departments (i.e. “the business”) will make assumptions about technology departments (i.e. “IT”) but without ever validating that the assumptions are correct; sometimes never even letting the other know that an assumption has even been made. From personal experience, there have been too many instances where one side of the other states that ‘IT/business knows x or y…’ or that ‘IT/business will do…’ and it almost never proves to be true. Both teams end up confused not knowing what to do because they are waiting on the other for information or they are assuming that something is occurring while they’re just waiting for some confirmation that an activity is done. In reality, everyone is standing around not knowing what to do or who to even talk to. If you’re using assumption in your initial planning, through exercises and tests, the amount of assumptions being used should dwindle over time as they either become actual roles within a plan/process or become proven to be false and are removed from a plan/process.

7. No Awareness & Training: It’s a simple one really; no one knows what to do in a disaster because no one has told them about it. They haven’t been part of the overall program build or design (not that everyone needs to be part of every phase) and haven’t been told they are responsible for specific activities. Often, DR team members don’t even know they are part of that team until someone asks what they are going to do in a meeting full of other managers – some not sure why they are their in the first place. This also means that they haven’t bee involved with any testing activities to help validate plans, which is one of the best opportunities for training; executing activities under controlled circumstances to actually learn what needs to be completed and understand expectations.

8. Plans and Processes are Written in Isolation: Sometimes its not even a case of forgetting what needs to be done, as outlined in a BCP/DR plan – it’s never being told of what is in the plan and not being part of its build. All to often plans are build in isolation meaning someone not within the department is writing its contents based on what they know and what they hear at meeting yet if the actual user isn’t part of that development or the person responsible for actioning activities isn’t part of the plans development, they aren’t going to know what activities they are responsible for. Ensure that all plans are written with the person or persons responsible for the plan itself; the person who’ll actually be responsible to action the activities within the plan.

9. No Review of Plans (by Users): One of the best ways to ensure that a BCP/DR plans everything it needs and that the content is clear and understood, is to ensure that its reviewed by the actual user. When they review existing plans, as noted in #8 above, they can recommend enhancements, additions or even deletions based on real knowledge of what needs to be done. If a plan was written in isolation and not review was performed by an actual user, it’s no wonder people don’t know what actions to take or even where their plans is – if they even know there is a plan in the first place. If no review of the plan is performed then the users themselves don’t become familiar with content and what is expected of them. Instead of initiating proactive measures they wait for someone to tell them what is expected and in many cases, those individuals are assuming that ‘plan’ users know what needs to be done.

10. Focus on Blame: When an organization has a disaster, often you see the Public Relations (PR) representative or the President stand in front of a microphone being questioned by members of the media – or even the public sometimes – and they spend allot of time pointing the finger of blame or trying to deflect any criticism or questioning on what the organization is doing. When employees see this, they will spend their time trying to find the cause of the problem or the ‘right one to blame’ rather than concentrating on a proper response, restoration and recovery strategy. All hands are on deck to find out what is wrong and who should be help responsible but if leadership is busy with that approach then employees will be too, as they won’t be focusing on the right tasks at hand. It ends up being a crutch that organizations leverage so that they can start their restoration and recovery activities in the background, away from the face of the media. Usually, this means they didn’t have any strategy in place to begin with and the excuse that someone else is to blame is used as a smokescreen to cover the fact that behind the scenes, no one knows what to do within the organization.

11. Checklist Approach: If BCM is checkbox on someone’s report, the chances are it’s a checkbox on an executive report. They eventually see the checkbox ticked and then there is no more discussion or promotion of the BCM initiatives. This also means that the only reason the program was stated in the first place was to ensure someone’s checkbox was ticked and that it drops off of any report or audit ticket. Chances are good that the work and value of the work performed to plan, develop and execute plans was minimal at best and won’t be of much use during a real situation. Thus, no one will pay close attention to the BCM program and the related plans because it’s treated as a one-time thing – forgotten when the checkbox is identified as complete.

12. Seeking Direction: Like many people, when something occurs everyone looks around for direction; who will take control of the situation and tell us what to do? Staff will look to management while management is looking at executives; each expecting the other to provide direction on what they should – or shouldn’t – be doing. Think of when a fire alarm goes off in a facility – even a fire drill – most people keep working or start asking if it’s a real situation or not. Should be get up? Should we leave? Many wait to be told to leave before they bother responding to the alarms. If people can’t understand that they need to leave when the fire alarms go off its no wonder they don’t understand their role when a disaster strikes. Everyone is seeking direction from someone else.

Finally, panic is something that can run rampant during a disaster. When that happens, any thought of gaining control of the situation can go out the window and there’s no way anyone is going to pay attention to their role on a disaster team when that happens. This is why many of the items noted above need to be addressed prior to any situation occurring. When people are more aware of what to do and have been through it a few times – each more challenging than the last – they are better prepared to deal with the situation when it’s real – not faked under controlled circumstances, as it is usually done during a test. There will still be an element of panic – it’s almost a given – but putting measures in place to deal with it ahead of time can help reduce its impact and increase the chances considerably that no one will be standing around wondering what to do; they won’t forget.

© StoneRoad (Stone Road Inc) 2013

Books by A. Alex Fullick Available at the following:
http://www.stone-road.com, http://www.amazon.com & http://www.volumesdirect.com

Crisis Management: When Does a Crisis Start?

Many of us don’t hear about a crisis until it hits the newswires, either through social media, news websites or through a posting on a social site we might follow. In some cases, we might not know about a crisis until we see 1st responders racing down the road heading towards and emergency.
Some will automatically see a disaster as a large catastrophe and one of the BCM/DR industry definitions of a disaster is that it’s a sudden, unplanned event that prevents the organization from performing normal operations. Though both a crisis and/or disaster can start well before the public or media even get wind of the problem.
Sometimes a disaster doesn’t begin until after a period of time when a lesser level of operational hindrance has been experienced. Then when the disaster itself occur, the management of the situation will determine the level of crisis; meaning how well the crisis is handled from the perspective of the public, media, stakeholders (vendors, partners etc) and employees.
For an operational impact, it could be that a key application is offline but is that a disaster? Probably not. If the offline application has a major impact upon people causing major distress and problems such as something in health care or the financial industry, then yes, that application being offline – even for a short time – is a disaster. How the immediate response and post-disaster activities are managed is what will create the crisis for the company. If you get something up and running within a very short time (and in today’s world that’s usually no more than an hour) then it might not be a disaster and a quick response and communication to the community will suffice. If it’s longer, then the management level and involvement of the situation and the level of impact it has becomes a disaster.
Still, if an organization has an internal Crisis Management process in place, early identification and response measures may prevent the incident from escalating and becoming a crisis – or a disaster if nothing is done about it – in the media or public eye. It was just an incident that didn’t have any major impact. Oddly enough, it could have been a major interruption but the impact on Service Level Agreements (SLA), employees, customers, vendors and partners was limited in size and scope; it was just a major incident for the company involved because of the resources (financial, time, personnel) it took to get resolved.
So, when does a crisis start?
It starts the moment the organization believes that someone – anyone – will begin to ask questions. It could be a client, employee (who will access social media about it if they haven’t been educated about not communicating corporate activities), vendor, partner or in some cases a financial institution or legislative body. An organization may be able to manage the situation internally with little impacts being had on external – and internal parties – but as soon as questions are asked about the disruption, you have the start of a crisis. It’s how well you manage those initial questions – along with the incident response itself (I.e. getting the critical application up and running as soon as possible) – that will determine how big the crisis escalates. If you don’t manage it properly the crisis will grow and escalate, making it a ‘Public Relations’ disaster.
The start of a crisis is different for every organization. It all depends on the level of preparation, preparedness and response is developed and instilled within the corporate operations. If an organization doesn’t have anything developed or the level of development is sub-par and very ‘flimsy’, the crisis starts quickly and escalates quickly – reaching that “PR” disaster timeframe in record time.

**NOW AVAILABLE**
Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3.
Available at http://www.stone-road.com, http://www.amazon.com, http://www.volumesdirect.com