For our Dec 13/18 show we’ll talk with expert Dee Grimm RN, JD about the lessons learned from Hurricane Harvey (August 2017).
The StoneRoad Team
For our Dec 13/18 show we’ll talk with expert Dee Grimm RN, JD about the lessons learned from Hurricane Harvey (August 2017).
The StoneRoad Team
Having been a part of dozens of test to varying size and scales, I’ve come across quite a few instances where planners – including myself at times – forget to consider when organizing a BCM / DR test. I thought I’d come up with ten (10) areas that have at some point, been a fly in the ointment of test coordinators and caused issues further down the road and on one occasion, at the moment the test was scheduled to begin.
1. Production Priorities – Believe it or not, once everyone was so focused on testing they forgot to ensure that someone was left to support any production issues. While testing activities were underway, all members of a department were focused on ensuring that the test went well that no one was monitoring a production issue, which needless to say, caused allot of grief for business units. Don’t forget that even when you’re testing BCM/DR capabilities, you’re production environments are still ‘live’.
2. Test Strategy – Know ahead of time what strategy you’re going to leverage for testing purposes and ensure its communicated and agreed-to by everyone involved or else different groups will be working in isolation and not working towards the same thing.
3. Managing Scope – Keep people on track during planning and execution. If no one is clear on scope then the activities they plan and execute might not achieve the goals you’ve set. It also means that even though they might perform tasks successfully and everyone is happy, you still didn’t get what you originally planned for. It’s like being given a bicycle to get from A to B when you originally asked for a pickup truck. Sure you got to where you’re going but the goal was the truck. Did you really achieve your goal and scope if the scope and goal was to get from A to B with a truck? Nope, you didn’t.
4. Resource Assignment – When user activities are required it has been assumed the people needed will be available but often the department responsible for the resources are never approached about being part of the test and when they are, it’s too late because people are working on other initiatives. So make sure you speak with other teams early so that resources can be aligned early.
5. Change Management / Requests – This is relate to the scope; if you’re changing something – even times, dates etc – make sure everyone knows about it and that you document the desired change. Using the previous example about the bicycle and truck; it may have been a great idea to change the truck to the bicycle and it still worked for you however, the scope was the truck and there was no formal mention of changing it to the bicycle. If you’d managed it correctly and documented the fact you were going to use a bicycle, then it would have been known by everyone that the truck is ‘out’ and the bike was ‘in’ and everything would be a success.
6. Agreement – When you have key decisions made or need key decisions to be made, ensure you have agreement on the final outcome. It could be that if you make decisions without consulting impacted parties, they won’t support what you’ve determined and will continue on their original path. This only means confusion and failure further down the road. Keep everyone on the same page and part of the decision making process; if even as an FYI in some cases.
7. Documentation – Make sure you document all aspects of the test; most notably scope and goals and objectives. If you don’t who do you know you met them? You won’t even be able to talk to audit and prove you did what you set out to do because you don’t have anything that captures what you originally set out to do and quite possibly, nothing that sums up what you actually did (a test summary document).
8. Focus on Test Planning Rather Than Planning the Test – Try not to get far off the path here. It’s one thing to ensure you plan the test so that it doesn’t impact production systems or other critical aspects and it’s another to set up the test in a way that it has no relevance and doesn’t reflect what you’d actually do in a real situation. If that happens, you really aren’t testing anything. You need to know where the gaps are in the plans and that they’ll work in a real situation.
9. Test Timelines – Estimate activity sequences and schedule accordingly. If it takes 24 hours to get a mainframe up and running – from scratch – then have end users come in at the same time as the main frame team would be ridiculous, as they’d be sitting around for an entire day before they can do anything. That won’t make them happy.
10. Test Schedule – Plan ahead. When planning efforts are underway to schedule major initiatives over the next year or so, make sure that testing is part of that planning effort. This ensure that departments are aware of the test ahead of schedule and that they are able to plan for that initiative. Also, if you have 3rd party DR vendors involved, you often have no choice but to schedule test time a year in advance or run the risk of not having any time available to test, as the vendors other clients will take up all the available time.
Some of this may seem obvious but you’d be surprised how often the simply things can derail a test. Keep in mind the little things and you’ll have a great chance of success. Remember, if you have the most luxurious car in the world, it does nothing if you don’t have the key.
© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”
It’s great to have many continuity plans and strategies to prepare for and respond to, disasters. However, if they aren’t validated they don’t carry any weight and there’s no way of knowing if they would be any good – useful – when a real situation occurs.
BCM practitioners may make the case for exercising plans but sometimes management may not want to provide the resources – physical & financial – available to validate the plans. There are a few questions that can be posed to executive management to possibly allow for the right kind of commitment and support to validate continuity strategies and plans.
1. Will an exercise increase overall BCM awareness within the organization? Well, let’s face it, if you’re exercising BCM plans, of course you’ll be increasing BCM awareness. Depending upon what you’re exercising and how you manage / facilitate the exercise, awareness will be increased but make it a positive experience or else BCM will end up being something negative in participants eyes.
2. Will the exercise identify potential ‘gaps’ in documented BCM plans and procedures? Let’s hope so. Not only do you want to validate what you have documented and discussed with numerous representatives but you also want to find things that may be wrong in the plans – not just what’s right.
3. Is there potential for the exercise to provide ‘learning opportunities’ for participants and the organization in general? If managed correctly and viewed as a positive experience, then employees will learn from the exercises – and from each other. In some cases, they may even be working with people they wouldn’t normally encounter in their daily operations.
4. Will the exercise provide an opportunity to leverage the results for further corporate gain and benefit? They should. If you can show that you’re exercising you plans – and have documented proof of them (Exercise Charters, Executive Summaries, Issue Logs etc) then you can use this information to help respond to RFPs etc and develop a stronger case for a potential client to choose your organization over a competitor. Having a strong BCM program can be used for competitive advantage.
5. Can the exercise provide skills and knowledge transfer between participants? Depending on what is in scope for the exercise, participants may need to seek assistance from other people in the organization for guidance. For instance, if a Single Point of Knowledge (SPOK) isn’t available to rebuild the payroll server because they are busy with other initiatives, they may be able to pass along their knowledge – as best they can – to another resource who will do it for the exercise, this way people are talking to each other and learning from each other. This is a simple example but you get the idea.
6. Can the exercise increase the responsiveness and effectiveness of the organization should a real disaster (or other event) occur? Simply put, the more practice people get the better they become, whether that be BCM or in any other area. Whether you have a large scale situation or a smaller scale incident, you’ll be better prepared if your people – and the processes and plans – are better prepared and knowledgeable. Enough said.
If any answer is ‘yes’ to the above questions, you’re well on your way to securing the support for validating continuity strategies and plans. Exercising only makes a person – or in this case, a program – stronger more robust.
© StoneRoad 2013
When teams are determining and developing their Business (unit) Continuity Plan (BCP) the fact that manual procedures will be used, often crops up. ‘What will you do in a DR situation?’ they’re asked and the answer all too often – and quickly – comes back as “we’ll do ‘x’ manually.” Really, is it that easy to do; just revert to a manual process for what normally includes many checks and balances and possibly varying numbers of applications?
In some instances it might be that easy. If you telecommunications are still up you can answer calls and take down information clients are looking for and then call them back when applications come back up. Not a full manual process but you can at least get some client service going. For those old enough to remember, your credit cards were taken manually by restaurants and shops by copying the card imprint using carbon paper. That wasn’t a manual process back then – it was the process. However, if anyone in the restaurant or shop industry wants to ensure they can continue to service clients – and get paid by patrons – they still have an old dusty machine and credit card slips hidden in the back cupboard of the office. In this case, many places use this as the backup process – and it’s a manual process.
But it’s not always that easy to just say you’ll do your processes manually anymore. With huge strides in technology and technology dependencies (and interdependencies) and service level agreements, not to mention the level of governance required in today’s business world, switching to a manual process may not be that easy and in many cases may not even be possible. For that reason organizations must really think through what they can and cannot do manually and take into consideration some key factors.
Below are 9 things an organization must consider before reverting to manual processes during disaster situations and before it’s inserted into any business unit BCP.
1. Short Term Use: If you’re going to use manual processes, remember they are only intended for short term use. They are not meant to be used for any long term use, as it could cause you other problems down the road. They are short term fixes used
2. They May Break Regulations: Sometimes a manual process breaks a rule – or sidesteps a rule – so that a function can be completed. In a disaster situation when (if) you’re using manual processes, be aware that the process may not meet your usual standards simply because technology has been taken out of the loop.
3. Less Audit and Governance: If you are developing manual processes and see a need to have them, know that the level of governance and audit tracing by various technology applications won’t exist if a manual process is leveraged. Still, consider adding some level of audit or governance to lessen an potential future impacts.
4. Serious Emergencies Only: Consider the use of manual processes only in real emergencies. If an application – or some other situation – is very short term, it may not be necessary to bring everyone up to speed on what to do when using the manual process. It may simply be easier to wait until the application (or other dependency) becomes available once more.
5. Not Widely Available (or known): It may seem a bit strange to withhold information but manual processes aren’t something you want everyone to know about. If everyone did know about them, they might be used in non-emergencies, which would completely cause chaos down the road when an issue pops up with the work completed. If you have them, keep them separate from regular operating procedures and don’t distribute widely to people until necessary.
6. Not a Process Replacement: Since manual procedures are intended as a short term fix, they are not a replacement for regular operational activities. They are only mean to be used to continue a critical operation – or as a short term partial fix – until normal operational activities can continue (i.e. applications become available etc). A manual process does not equate to an alternate method of doing the same thing; it’s short term because the normal operational activity can’t continue as is due to an unforeseen circumstance and will be stopped as soon as it’s feasible.
7. Determine Use Requirements: When Can They Be Used? Under what circumstances can – or will – the manual process be utilized? It could be that as part of normal operating procedures, a manual override is required by a management representative because our own authority doesn’t allow for us to continue with a function. We’ve all be in the situation where we are waiting for something to complete but we need to the ‘special authority (or input)’ of a manager before we can continue. You also want to ensure that the manual process can’t compromise your operations and utilized for underhanded purposes, so know when it is appropriate and when the manual process fits into operations – either as a disaster contingency or as part of governance processes.
8. Oversight Requirements: Need some level of oversight on manual processes – even in DR situations, as audit / governance / legislative requirements may still need to be captured (depending on the process and procedure being manually used (i.e. old credit card slips). Keep in mind that developing oversight processes during a disaster period may delay the actual recovery timeframes and can cause unnecessary work but it all depends on what manual process(es) you’ve decided to develop and implement for DR purposes.
9. Documentation – DR Use: Keep these documented and ready for use in a DR situation (part of a BCP plan for use by the appropriate departments (an appendix)) and kept in a separate location from other operating manuals. Quite possibly, they can be kept in a locker or other container at the DR restoration and recovery centre. Make sure you keep things updated too and reviewed every so often. Even if you do have manual procedures in place, they are based on regular operating procedures, so when those change the manual procedures may need to be reviewed as well.
If you’re in a position to use manual processes to get your operational activities completed, that great however, in a DR situation you aren’t operating in normal circumstances and manual processes may not be the norm even when there isn’t a disaster. Think carefully of what you can – and cannot do – with manual processes before you document and incorporate such worded activities into BCP plans. Incorporating them before you’ve considered the ramifications might cause another disaster situation further down the road…sometimes before you’ve even recovered from your first disaster.
© StoneRoad, 2013
Most organizations don’t want to imagine what would happen if a disaster struck their operation, but what if a disaster did strike. How would your organization respond? The best way to know how to respond is to develop, implement and maintain a Business Continuity Management (BCM) program. A BCM program provides a framework for building organizational resiliency with effective responses and safeguards that protect its reputation, stakeholders, employees, and facilities.
BCM is not just about remedying technology shortfalls, as many organizations believe. It’s also about securing, protecting, communicating and preparing corporations from disastrous impacts upon its workforce, facilities and its technologies – To minimize the impact on operations. BCM touches every aspect of an organization from the mailroom, the field and the call centre to the manufacturing floor and right up to the boardroom.
To make your program effective, consider some of the following suggestions when planning:
1. Start With the Worst – Begin the planning with the worst-case situation your organization can imagine. For many, this example is the tragic events of September 11, 2001. Work backwards from there and you’ll start to fill in many of the dangers that can harm your corporation. You’ll also be able to start challenging the worst case situation and begin to get more inventive with potential impacts – and develop the plan accordingly.
2. 3 Pillars of a Business Continuity Plan (BCP) – Every BCP plan must address three things; Workforce Availability, Facility Availability and Technology Availability. If each plan has these three core components, an organization can respond to any disaster situation and expand their capabilities by adding varying situations and scenarios through validation exercises.
3. Dedicated Resource – Assign a person with the appropriate training and authority to get things done, if not, the program will quickly fall to the wayside in favour of other initiatives. This may include getting outside help to get the process kick-started (i.e. consultants, contactors etc).
4. BCM Program vs. BCM Project – The BCM program must live on and continually meet the needs of an organization, as it grows and changes; so to must the BCM program. A project has an end date but a program must live and breathe and contain more than just a single aspect of BCM. Therefore, when the Business Impact Analysis (BIA) is completed, that’s just one ‘project’ of the overall BCM program; you’ve got lots more to get through and develop.
5. Exercising/Testing – Plans mean nothing if they haven’t been validated. Every organization must exercise its plans to make sure they’ll work during a disaster. It’s better to find gaps in your plans through exercising and under controlled circumstances rather than when the real thing happens.
6. Executive Support – If no one is there to champion the BCM program, it won’t last too long. In fact, there’s a good chance it will run out of steam and end up on the backburner of boardroom discussions. Having executive support shows the rest of the organization that BCM is taken seriously.
7. Awareness & Training – It can take a long time to develop continuity plans and create processes and procedures but if no one knows how to use them, where they’re kept or under what circumstances they’re required, they won’t be of any value or use. Remember, awareness and training are not the same things and every level of the organization must received its fair share of both if the program (and all the developed plans and processes) are to be useful and successful.
8. Focus on People – This should be a no brainer; BCM is about people. It’s people that build the plans, use the plans, review and exercise the plans. It’s people that will be impacted by not having plans in place; clients, vendors, employees and communities. If you state that technology availability is the most important part, you’ve basically told those individuals – who you need to help build plans – that they aren’t important. Keep in mind; people first.
9. Business Impact Analysis (BIA) – Every company must understand what it does and how it does it. A BIA is the process of analysing business functions and the effect that a disruption might have upon them. Knowing this will help corporations develop appropriate Business Continuity Plans (BCP) and other contingency strategies. Ensure you get agreement on the findings, don’t just state what they are and move forward. The findings from a BIA are what the attendees believe is important and it could turn out that what they feel is important to the company is not what executives believe is important. Make sure executives are in agreement with the findings before you start developing restoration and recovery plans – you could be way off the mark.
10. Program Maintenance and Monitoring – If program components aren’t maintained and updated the Business Continuity strategies developed – and the related documentation – will reflect the corporation as it once was, not as it current is.
11. Bonus: Using Software Only – Software can be very beneficial for maintaining and gathering information but beware, it doesn’t take into account the nuances of people or scenarios specifics. It may tell you that you need 10 desktops in 24 hours but the situation itself may call for something completely different based on what has occurred. Don’t fall into the trap that DR/BC software will answer all your questions and save you; it’s a tool to help you.
Having a BCM program in place is a part of an organizations Corporate Social Responsibility (CSR) but there are other benefits to implementing a program. First, your organization will have the security in knowing a robust plan is in place to deal with disasters, providing safety and security for all employees. Second, a proper BCM program will provide a competitive advantage. Those organizations will strong programs win out over organizations that don’t have BCM plans in place because there is knowledge that your organization will have developed a way to provide a product or service even during a disaster.
It’s not easy building a BCM program; it can be tough to develop, implement and maintain but it will only take a single crisis or disaster to prove its worth. A single crisis or disaster can be one too many. Are you prepared?
© StoneRoad (2013)
BCM document templates available in the ‘shop’ section at http://www.stone-road.com.
Alex Fullick wants you – and your business – to succeed. Better yet, he wants you to flourish beyond your wildest dreams. But what Alex Fullick knows (and what you may not yet know) is that business success doesn’t come out of the blue, or on a whim or stroke of luck. You have to plan for business success, not only for the anticipated good times of strong sales, revenues and profits, but also for the difficult days when a sudden disaster strikes. It can – and does – happen.
Welcome, then, to the world of Business Continuity Management (BCM), the world where BCM expert Alex Fullick resides. Over the years, he has seen it all – and the one key conclusion he’s reached is that businesses with a plan to deal with significant disruptions and disasters are generally the ones that emerge from the situation stronger and with their operations intact. The reverse is just as true: an organization without a continuity plan is taking an enormous risk, one that has the potential to destroy the company and lay waste to years of hard work.
Fullick acknowledges that, to most eyes and ears, the very notion of “Business Continuity Management” is a term that might cause the ears to shut down and the eyes to glaze over. It may be a dry topic, rather lacking in sex appeal, but it is also a very important cog in your business-planning machine. Simply put, if you are a business owner or key manager, you need to know exactly what you will do when disaster strikes.
Fullick’s most recent planning guidebook is entitled Business Impact Analysis: Building the Foundations for a Strong Business Continuity Program, takes a detailed look at the steps a business owner needs to take to gather the information required to create and manage a strong business continuity program. The BIA, in Fullick’s view, is the foundation upon which a business continuity program is built; it follows, then, that a proper Business Impact Analysis requires strength and depth and that its content must fully reflect the operational and cultural needs of your organization. There is no single cookie-cutter approach that can be applied to each and every business operation.
This book should be required reading for business owners and senior corporate officials, not only because the subject is itself of vital importance, but also because Fullick lays out his BIA foundation in a straightforward contextual manner that is both appealing and highly informative. Business Impact Analysis is a critical building process – and Fullick provides the tools required in an easy to follow systematic approach so that organizational leaders can use the BIA process to its very best advantage.
Alex Fullick is the founder and managing director of StoneRoad, a business consultancy based in Southern Ontario that specializes in a process known as Business Continuity Management (BCM). Fullick published his first work in 2009 entitled Heads in the Sand; he followed that up with Volumes 1 and 2 of Made Again. Business Impact Analysis is his fourth publication with two further publications in the works. In his free time, Fullick is an avid curler and hiker.
Business Impact Analysis: Building the Foundation for a Strong Business Continuity Program
by A. Alex Fullick
For more information visit: http://www.stone-road.com
Every major initiative – or project – within an organization has a sponsor; someone that champions the project and supports everyone involved. Ultimately, they are the one paying for the project; resources, employees, technology equipment, contractor/consultants and anything else required to make the project execute to a successful implementation and conclusion; a Business Continuity / Disaster Recovery test is no different.
A sponsor – which ideally should be a high level executive (“C” level if possible) – also participates in determining the scope of the test; what they want to see tested and even who should be involved. It’s up to the test coordinator (or Project Manager) to organize the information and determine what can be tested and if there any components of the what the sponsor wants that can’t be tested. It doesn’t mean the sponsor is in charge of the planning, that is left to the designated test coordinator, though the sponsor is the designated individual at the executive level responsibility of the test.
Not obtaining Executive support can cause many problems for the test coordinator, test participants and the overall test itself. Without Executive support, the following can occur;
1. No financial support (for accommodations, overtime pay, contract amendments if there are requirements for a 3rd party vendor, travel expenses, technical and non-technical resources etc);
2. Teams can (and will) back out of the test for other priorities especially those that have executive support;
3. Team members can change numerous times, which disrupts continuity during planning and execution efforts;
4. Issues and risk may not be resolved or mitigated respectively;
5. Scope creep has a greater chance of take root;
6. Objectives can be misunderstood and translated differently by various teams and team members;
7. Timelines and deliverables may not be adhered to;
8. The test can be cancelled without any notice in lieu of other initiatives;
9. No recognition for all the hard work put in by testing participants through all stages of the test;
10. Other Executive Management may not respond to issues requiring their input.
A sponsor also adds value to a test – and so much more – and to other BCM / DR program. Here are the things that a sponsor does offer:
1. Provides financial support;
2. Determines the scope of the test;
3. Designates the test coordinator to carry out the sponsor’s directives (this means they give them authority);
4. Assists and determines goals and objectives;
5. Provide approval of any deviations from approved scope via Project Change Requests (PCR);
6. Provides a voice for Business Continuity Management at the Executive boardroom table;
7. Resolves conflicts when it cannot be managed at the test coordinator level; and
8. Provides moral support and guidance to the test coordinator and other test team members.
Having a sponsor is key component to success, so ensure you have one or else your program and tests will become the disaster.
(c) StoneRoad 2013