Preparing for the Unexpected – 2018-04-19: The Challenges of BCM/DR Programs – Part II

The April 19/18 show continues from where Part I of “The Challenges of BCM/DR Programs” left off. Join us and see if you’re encountering the same challenges.

The StoneRoad Team




Preparing for the Unexpected – 2018-04-12: The Challenges of BCM/DR Programs – Part 1

No matter the industry, the size of your organization, or the location(s) of your business, Business Continuity Management (BCM) and Disaster Recovery (DR) programs always seem to experience a common set of challenges. Drawing from 20+ years of experience, Alex Fullick will discuss these many challenges that seem to transcend industry and location – and which seem to appear at one time or another – in every BCM/DR program. Listen in to hear why some of these challenges occur and how to deal with them when you begin to encounter the same issues in your program.





Business Impact Analysis (BIA): Organizational Integration (Project Change Impacts)

One of the major challenges for Business Continuity Management (BCM) professionals and organizations is ensuring that their Business Impact Analysis (BIA) is kept current and up to date. The problem with keeping the BIAs up to date is that there is no process that integrates the BIA into the existing organizational functions.

BCM & DR: Can Organizations be Resilient?

There’s a lot of talk of organizations becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever-increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can, though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture.

It’s just not a simple concept – though it would be great if it was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient; it’s multiple ingredients that, when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which ones fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’, so no one can be resilient if there haven’t been previous adverse situations that the person / organization has bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps them going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high-profile title behind their name. They have fought their way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when there’s a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient-minded people, no organization will ever truly be resilient. It’s people that bounce back from adversity and, as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something to offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014 (A.Alex Fullick)

BCM / DR Program Templates Available from StoneRoad

Check out our revamped shop at We’ve added lots of new document templates to help get your new BCM / DR program off the ground – with more on the way. Each comes with built-in instructions so you don’t need to try and figure it all out on your own. You can even manipulate the templates if you want to so they address your specific need. Our goal is to show you ‘how’ to do things not just tell you ‘what’ you need to do.

Here’s a sample list of what we’ve got so far:
1 – Test-Exercise Project Change Request Template – $9.99
2 – Test-Exercise Scope Statement (Charter) – $29.99
3 – Test-Exercise Executive Summary – $29.99
4 – Operating Unit Business Continuity Plan (BCP) – $79.99
5 – Business Impact Analysis (BIA) (This one alone can cost thousands for a software application.) – $79.99

Coming soon:
1 – Employee Logistics Plan – $tbd
2 – BCM/DR Program Policy Template – $tbd
3 – BCM / DR Program Overview (As a bonus, this will include the Policy template) – $tbd

If there’s something specific you’re looking for, send us an email. We’ve got lots in our arsenal and we’re always building new templates, so we may just have what you need and just haven’t gotten around to getting it up on the site. We can always build something for you. You can reach us at

StoneRoad: Reducing Corporate Suffering Through Continuity Planning.

StoneRoad 2013 (C)

A.Alex Fullick at the Australian & New Zealand Disaster and Emergency Management Conference (2013)

We’d like to give you a friendly reminder that if you’re attending the Australian & New Zealand Disaster and Emergency Management Conference in Brisbane, Australia (May 28-30, 2013), StoneRoad founder A.Alex Fullick will be presenting the topic “Heads in the Sand: What Stops Corporations from Seeing Business Continuity as a Social Responsibility” on Wednesday, May 29, 2013. If you’re in the neighbourhood, stop by; you’re sure to hear a great presentation.

StoneRoad 2013 (R)

7 Things That Can Ruin a BCM Program

When financial hardships strike an organization, the Business Continuity program usually takes a hit. In fact, often it will take a hit when times are good so that the corporation can focus on other initiatives; initiatives designed to build upon the good times and keep the company making money. Increase that revenue, YEAH!! When this occurs, resources get reassigned to other projects and the BCM program gets placed on the back burner or it will see resources funnelled away to support other initiatives.
What kind of things do organizations cut from their budgets that can undermine and slowly dismantle a BCM program? Here’s just a short list of some of the actions corporations will take in diverting BCM intended resources.

1. Training – Training is suspended because sending employees on courses to upgrade and keep skills current is deemed as being too costly, especially if travel and accommodation is required. This training also helps to bring new ideas to the organization on how to better their programs but at the same time many executives (or those that approve BCM training) will simply state that the corporation knows what it would do. Thus, additional training isn’t required. Or worse, they send BCM people on courses that have nothing to do with their role.

2. Tests / Exercises – Some BCM tests get cancelled because they take resources away from other initiatives that are deemed a higher priority. Not exercising – and validating – plans and policies can cause issues with recovery procedures when a real disaster occurs because they haven’t been validated and team members have not practiced what they need to do. Also, some believe that if you’ve exercised once before, that’s all you need to do. You did it so you don’t need to do it again. Wrong! The more you practice and the more progressively challenging you make the exercises, the more robust the plans and policies become – and the better you’ll be able to respond and recover when disaster strikes.

3. Business Impact Analysis (BIA) – An organization will choose to skip updating the BIA and utilize previous findings assuming that nothing has changed, which is rarely the case. If nothing changed – ever – then there would be no such thing as projects. Projects drive change; from technology to processes. When projects are implemented they will change existing processes, introduce new ones or cancel some others. All this must be captured in the BIA and then carried over to the appropriate plans (i.e. contingency plans, crisis mgmt, technology recovery etc). Remember, ‘change is constant’ and the BIA should be able to capture those changes and then funnel them through to the right areas of the program so it reflects the organization as it is now – not as it once was.

4. BCM Awareness Program – Awareness weeks or sessions, assuming your organization has them, are cancelled to concentrate on other initiatives or because management don’t want to put a ‘scare’ into employees. Most employees I’ve ever worked with have said they would like to know what is expected of them in a disaster; keeping it from them is not a good idea. You’re really harming yourself and the business in the end. Some of the best ideas will come from involving people and keeping them up to date on progress. To put this in perspective, I was told by a Senior Director of a client that they would be making a poster of a specific announcement and hang it up around the office. “Everyone will see it and know of it and we’ll make sure it’s updated as needed,” they said. I guess they didn’t notice that just outside this director’s office were 3 posters; 1 was no longer relevant for the last year and the 2nd poster had a due date on it that was just over 2 years. Hmm, I wonder if those were supposed to be updated too.

5. Maintenance Initiatives – Business Continuity Plans (BCP) or other BCM components don’t get updated, which means that the best any BCM program can do – when not having been maintained – is take the organization back to the state of services and systems at the last time of updating. This is very specific when it comes to Technology Recovery Plans, which if not updated will only bring back systems that could reflect the structure of the company three years prior – assuming maintenance hasn’t been performed for three years. It could end up costing a corporation more money to purchase software and hardware to help bring the recovered systems to more updated levels. This can also increase the time it takes to recover, causing additional delays in getting operations running again. Also, there’s nothing worse than trying to find someone through call trees or notification applications (or whatever method is used) only to find that they changed numbers and now you can’t find one of the key people you need to help get restoration and recovery efforts started.

6. BCM Support / Investment – Investment in BCM is reduced or halted. This would include future initiatives such as building a new data centre, upgrading the backup tape systems, renewing key components of a Disaster Recovery (DR) vendor contract, or ensuring that a hot-site DR site (which can be internal) is linked to the main data centre to ensure that constant communication is kept between the two sites. Sometimes these initiatives are cut in favour of sticking with what is known for now (i.e. restore from tape), which can be detrimental if it takes 24 hours to restore from tape but certain systems and services need to be available and fully functional by the 8 hour mark. Just like an old car, the older it gets the harder it is to find anyone who has the skills and knowledge to fix the issues and the parts become scarcer and scarcer and the level of reliability on the car slowly begins to slide down the scale.

7. Organizational / IT Change Management – Nothing lasts forever or rather nothing stays the same forever; change is constant and the organization is constantly changing. If organizational change management (OCM) and IT change management aren’t incorporated or monitored by the BCM/DR team, plans will quickly become obsolete. They’ll only represent the organization as it was before the last change, assuming that while various BCM/DR program components were made, no changes ever occurred (and we know that isn’t true). So keep an eye out for change at all levels because if you don’t, your program will quickly fall out of step with the rest of the organization.

When any of these occur, the corporation begins to put itself in danger because what may have been a strong BCM program is now being scaled back and no longer receiving the focus it should have. When the corporation is growing and expanding during the good times, so too should the BCM program; otherwise, if the corporation is hit with a disaster situation, it will have a program that only reflects the corporation before it expanded and implemented new initiatives. The corporation’s BCM program is only as good as the resources and the focus it receives from the top tier levels of the organization and the amount of respect it gets.
StoneRoad 2013 ®

Purchase books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, at the following locations:, &