Creating a resilient organization is something many organizations strive for, but many fall short of their goals. This week we’ll speak with Scott Teel from Agility Recovery, who’ll provide some great insight on what Business Continuity and Disaster Recovery Planners need to consider – and do – when turning their organization into a resilient organization.
Not every business can spend thousands and thousands of dollars on expensive software packages to get their BCM / DR programs off the ground – or has the time to get software configured and ready for use.
Having experienced these challenges first hand, StoneRoad developed a cheaper alternative: we developed document templates for Business Impact Analysis (BIA), Business Continuity Plans (BCP) and more.
Visit the StoneRoad site and go to the Shop section to view the various templates available and get your program moving with a low cost alternative to expensive software! Each template provides instructions on what information is needed so that you can build your program with less fuss – and with more results!
Here’s just a sample of our document offerings:
1) Test Scope Charter Document (Word Document)
2) Business Impact Analysis (BIA) (Excel Worksheets)
3) Operating Unit Business Continuity Plan (BCP) Template (Word Document)
4) Emergency Employee Logistics & Pandemic Plan (Word Document)
5) Test Executive Summary (Word Document)
…and more. We’re adding new templates all the time to help you. We even have BCM & DR books and ebooks available.
So download what you need and get started!
The StoneRoad Team
“Reduce Suffering Through Disaster Planning”
© 2014, Stone Road Inc.
The message about disasters, disaster planning and business continuity is slowly spreading throughout the globe, as we see more and more organizations beginning to realize the value of preparedness and response activities to protect their operations and instil confidence in those they do business with.
Here at StoneRoad, we’ve seen a spike in people asking us questions and seeking advice on Business Continuity Management (BCM) / Disaster Recovery Programs – and we couldn’t be happier.
So we’d like to remind you that there are some great books by our founder, Alex Fullick, that can help provide great insight into how a good program operates – and how it shouldn’t. The books noted below are available on Amazon.com and at our own shop over at www.stone-road.com.
Keep an eye out for the next book by A. Alex Fullick, “Testing Disaster and Business Continuity Plans”, expected to launch in the fall of 2014.
Until then, happy planning!!
The StoneRoad Team
Hello dear readers!! We’ve been a bit quiet lately over here at StoneRoad due to multiple vacations (Singapore, Australia, New Zealand and more) and now that we’re all back, it’s time to start posting once more. Enjoy…
The StoneRoad Team
**The below section is an abbreviated bonus taken from the Appendix of the book, “Business Impact Analysis (BIA): Building the Foundations for a Strong Business Continuity Program” by A. Alex Fullick. The full text can be found in the aforementioned book.**
Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA). The following are some common mistakes that need to be addressed to ensure that the BIA is effective:
1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program.
2. No Timely Follow Up of Results – A BIA is conducted almost always in support of an enterprise-wide business continuity program. The real value of a BIA is the follow-up activities that lead to effective recovery strategies being implemented based on the BIA priorities of the business processes. Occasionally, so much effort and cost is put into the BIA that business continuity planners never get around to fully implementing the follow-up recovery strategies and plans. Without the implementation of these follow-ups, the value of the BIA becomes wasted.
3. No Agreement on Scope (Level of Detail) – This level of detail can span an entire spectrum. On one end, some BIAs will contain relatively little detail to provide a higher-level executive view of the analysis. On the other end, and far more prevalent, are BIAs that include for each business process its corresponding input dependencies, output dependencies, recovery point objectives, recovery time objectives, and financial impacts. The common mistake here does not involve selecting the right or wrong level of detail – what’s appropriate for one company may be totally inappropriate for another – but rather, failing to reach agreement among all relevant parties as to what level of detail best meets the requirements that are driving the BIA in the first place.
4. Minimal Executive Support – One of the factors that most influences the relative success of a BIA is the degree of executive support offered at the outset. The kickoff process usually consists of two parts: a widely distributed email and an initial presentation. The email should come from the highest level executive sponsoring the BIA and should be distributed to all parties who will be participating in the effort. The email should emphatically voice the executive’s support for the project and insist on the support of all participants, particularly during the interview process.
5. Poor Questionnaires – An important step of any BIA is the collection of data from business units. The manner in which this data is asked for often spells the difference between a full, timely and meaningful collection of data, and one that is delayed and incomplete. One of the best ways to avoid this situation is to develop survey forms that are thorough enough to capture all relevant information and simple enough for business users to complete quickly and easily.
6. Lack of Preparation for Interviews/Workshops – Interviews are the cornerstone of a successful BIA, yet few planners prepare adequately for them to ensure their effectiveness. Interviewers need to learn as much as they can about a given business unit prior to the meeting, including a thorough review of the respondent’s survey.
7. Lack of Critical Focus – Analysts frequently make the mistake of asking business users ‘what are the most important business processes within their department?’ This is a mistake because virtually all critical business processes have a large degree of importance and value – otherwise they would not be designated as critical – which makes it hard to prioritize processes according to value or importance. A much better question to ask is ‘how long can a business process be idle before major impact is felt?’
8. Focusing on the Tools Instead of the Process – Some analysts who conduct BIAs become very focused on the tools they will be using in the collection, compiling and analyzing the data provided by the business users. The emphasis often shifts inappropriately from the process being used, to the automation that can be applied to the process. There is an inherent flaw in this approach. If a poorly designed manual process that is being used to collect and analyze the data suddenly becomes automated, what you typically end up with is a poorly designed automated process.
9. Ineffective Interviewing Technique – I have known more than a few BIA analysts who preferred to rely solely on surveys, questionnaires and emails to collect needed data. The example previously cited concerning the over-focus on tools shows how this can lead to less than desirable results. Analysts often say that setting up interviews can be more hassle than it’s worth. They will mention how interviews often start late, or may be cut short, or have to be re-scheduled, or cancelled altogether. In my experience, the real reason some BIA analysts try to steer clear of face-to-face meetings is that they tend to use ineffective techniques when interviewing business process owners.
10. Insufficient Results Analysis – Analysts conducting a BIA collect a wealth of information during the course of their efforts. But the value of this information is sometimes diminished by poor or incomplete analysis of the data. Analysts need to look for trends, patterns, relationships and discrepancies among and within the data to ensure a thorough and meaningful analysis.
11. Unclear Presentations – Data that is thoroughly collected and well analyzed is sometimes de-valued by an unclear or confusing presentation of the information and results. Managers in general, and sponsoring executives in particular, expect BIA analysts to summarize their results in high-level presentations that are succinct and effective. Unfortunately, this does not always happen. Analysts gather a huge amount of data in the process of conducting a BIA. In compiling and analyzing this data, analysts sometimes err on the side of presenting too much information rather than too little.
12. Undefined Scope – Often, the BCP focuses entirely on system restoration. Resumption of business needs to include the people and processes required to resume operations. Many BCP programs are headed up by IT departments. ‘Tunnel vision’ can often cause these departments to focus on system recovery and not take the people issues into account. During an event, the people issues are often the most difficult to resolve. The scope of a business impact analysis (BIA) pertains to the number of business units, such as Finance, Administration and IT, which will be participating in the effort.
Don’t let your BIA efforts fall by the wayside; make sure you have a strong BIA approach and you’ll end up with a strong BCM / DR program.
Check out our revamped shop at http://www.stone-road.com. We’ve added lots of new document templates to help get your new BCM / DR program off the ground – with more on the way. Each comes with built-in instructions so you don’t need to try and figure it all out on your own. You can even manipulate the templates if you want to so they address your specific need. Our goal is to show you ‘how’ to do things not just tell you ‘what’ you need to do.
Here’s a sample list of what we’ve got so far:
1 – Test-Exercise Project Change Request Template – $9.99
2 – Test-Exercise Scope Statement (Charter) – $29.99
3 – Test-Exercise Executive Summary – $29.99
4 – Operating Unit Business Continuity Plan (BCP) – $79.99
5 – Business Impact Analysis (BIA) (This one alone can cost thousands for a software application.) – $79.99
1 – Employee Logistics Plan – $tbd
2 – BCM/DR Program Policy Template – $tbd
3 – BCM / DR Program Overview (As a bonus, this will include the Policy template) – $tbd
If there’s something specific you’re looking for, send us an email. We’ve got lots in our arsenal and are always building new templates, so we may just have what you need and just haven’t gotten around to getting it up on the site. We can always build something for you. You can reach us at firstname.lastname@example.org.
StoneRoad: Reducing Corporate Suffering Through Continuity Planning.
The StoneRoad Team
StoneRoad 2013 (C)
Alex Fullick wants you – and your business – to succeed. Better yet, he wants you to flourish beyond your wildest dreams. But what Alex Fullick knows (and what you may not yet know) is that business success doesn’t come out of the blue, or on a whim or stroke of luck. You have to plan for business success, not only for the anticipated good times of strong sales, revenues and profits, but also for the difficult days when a sudden disaster strikes. It can – and does – happen.
Welcome, then, to the world of Business Continuity Management (BCM), the world where BCM expert Alex Fullick resides. Over the years, he has seen it all – and the one key conclusion he’s reached is that businesses with a plan to deal with significant disruptions and disasters are generally the ones that emerge from the situation stronger and with their operations intact. The reverse is just as true: an organization without a continuity plan is taking an enormous risk, one that has the potential to destroy the company and lay waste to years of hard work.
Fullick acknowledges that, to most eyes and ears, the very notion of “Business Continuity Management” is a term that might cause the ears to shut down and the eyes to glaze over. It may be a dry topic, rather lacking in sex appeal, but it is also a very important cog in your business-planning machine. Simply put, if you are a business owner or key manager, you need to know exactly what you will do when disaster strikes.
Fullick’s most recent planning guidebook, entitled Business Impact Analysis: Building the Foundations for a Strong Business Continuity Program, takes a detailed look at the steps a business owner needs to take to gather the information required to create and manage a strong business continuity program. The BIA, in Fullick’s view, is the foundation upon which a business continuity program is built; it follows, then, that a proper Business Impact Analysis requires strength and depth and that its content must fully reflect the operational and cultural needs of your organization. There is no single cookie-cutter approach that can be applied to each and every business operation.
This book should be required reading for business owners and senior corporate officials, not only because the subject is itself of vital importance, but also because Fullick lays out his BIA foundation in a straightforward contextual manner that is both appealing and highly informative. Business Impact Analysis is a critical building process – and Fullick provides the tools required in an easy to follow systematic approach so that organizational leaders can use the BIA process to its very best advantage.
Alex Fullick is the founder and managing director of StoneRoad, a business consultancy based in Southern Ontario that specializes in a process known as Business Continuity Management (BCM). Fullick published his first work in 2009 entitled Heads in the Sand; he followed that up with Volumes 1 and 2 of Made Again. Business Impact Analysis is his fourth publication with two further publications in the works. In his free time, Fullick is an avid curler and hiker.
Business Impact Analysis: Building the Foundation for a Strong Business Continuity Program
by A. Alex Fullick
For more information visit: http://www.stone-road.com
When disaster – or a crisis – strikes, organizations must be able to refer to a plan that guides them through the tasks they need to consider executing to respond, restore and recover systems and operations. All too often, when a BCM / DR plan is pulled off the shelf or printed from a file, one ends up with a document that is huge in size and breadth, though rather slim in usable content.
This is because many organizations put everything they can think of into their BCM / DR plans, which, more often than not, overshadows the content that actually needs to be followed: the stuff that provides the detail on what to do. A BCM / DR plan should be action oriented, not full of irrelevant information; irrelevant at the time of disaster, that is, not irrelevant to the overall program.
I tend to follow a specific rule of thumb that says if there aren’t action items listed by Page 5, then it’s not an action oriented plan. It might address audit concerns, legal arguments and executive expectations but for the user – the one executing activities – it doesn’t address what they need and doesn’t provide it in a clear and concise manner.
So, noted below are a dozen things that shouldn’t be in your BCM / DR plan; the plan needed by users. It doesn’t mean that some of these things aren’t available in another document; an over-arching BCM program document.
1. Distribution Lists (Program Level): You can keep these separate, as names and positions will change constantly. It’s better to keep this separate, as it offers no value to the action plan.
2. Methodology Utilized: Sure you have a documented strategy for how you’re going to develop the program – and plans – but again, there’s no reason to have this in the plans themselves. It just adds more useless information to the plan and isn’t relevant when activities need to be executed.
3. Program Assumptions: You may have some assumptions related to the plan and they should only be those attributed to the plan. Program level assumptions should be kept separate and in a program document – not a plan.
4. Meetings / Schedules / Attendees: Who really needs to know who attended a meeting(s) in the past? No one that’s executing activities needs to know this. You may need to keep track of meeting attendees during the disasters, but not those planning meetings. They can be kept separately.
5. Maintenance Schedule (Program Level): How you monitor and maintain the various plans should be kept in a central location and kept at the program level. Can you imagine the confusion you’d have if you kept this type of information in every single plan? Repetition all over the place and most of it out of sync.
6. Names: The names of individuals change constantly due to new hires, those that leave their position and those that are promoted. Try to use position titles whenever possible – it’ll make it easier.
7. Document Audience: This is like the distribution lists and should be kept separate – if it’s even needed. The audience for an action-oriented plan should be anyone in the organization because you never know who has to pick it up and use it. Keep in mind, the audience isn’t always the same group that has a copy of the plan.
8. BCM / DR Program Descriptors: You can define the program in a program document but don’t redefine it for a plan.
9. Document Approvals / Signoffs: For audit purposes, it’s always a good idea to keep track of signoffs in a separate document.
10. Project Management / Definition: Just like ‘Methodology’ you don’t need to define how you created the plan. That information can be kept separately in a program document or a document that outlines how plans were to be developed. Incorporating it into the plan itself is unnecessary fluff used only to increase the page count.
11. Reporting Mechanisms: Only those reporting mechanisms that are needed to execute the plan should be in the document. There shouldn’t be the overall reporting strategy in a document that details how to rebuild the mainframe.
12. Program Overview: If you have a plan that details how to vacate the facility due to a fire, do you really need pages and pages that describe how the rest of the program operates and what other functions are part of the program? No. What you do need though is to ensure that there is a link to the next stage of the program – the next plan – that needs to be activated/executed because of the disaster.
13. (BONUS) Test and exercise results and documentation. This information is still good to have but it’s not relevant when a plan needs to be activated and followed. It’s just extra fluff that hides the information users really need in their documents. Keep your test and exercise results in documents related to tests. Test information isn’t action-oriented and won’t help anyone in a disaster.
The larger the plan (document), the harder it is to follow and the longer it’ll take people to find what steps they need to execute / implement. If the document is kept action-oriented, then the fluff materials aren’t needed. All the fluff can be kept in a separate document at the program level so that it’s kept for audit and regulatory purposes – where applicable – and the plan can be better followed and utilized during a real disaster. Just remember the KISS principle (and I don’t mean Gene Simmons here): Keep It Simple Stupid!
© StoneRoad (Stone Road Inc) 2013
“Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”
by StoneRoad founder, A. Alex Fullick, MBCI, CBCP, CBRA, ITILv3
Available at http://www.stone-road.com, http://www.amazon.com & http://www.volumesdirect.com