After receiving many suggestions and lots of feedback, the upcoming radio show dedicated to all things related to Business Continuity Management (BCM), the name has been chosen: Continue reading
It’s kind of like the old question; ‘If a tree falls in the forest and no one is there to hear it, does it make a sound?’ A disaster isn’t a disaster if there’s no measureable impact. No impact to people’s perception of the situation. No impact to people’s lives. If there is a large fire but there is no people or property (facilities, IT equipment etc.) or processes involved – either by fighting the fire or being impacted by the fire – is it still a disaster? There are no fire fighters and no burning buildings, which have no people being impacted so is it still a fire worth tracking and determining the impact and disaster level? No, because there is no measureable impact.
There will be arguments that state yes, it is a disaster because of the damage it can still cause (i.e. the environment) but if no one is involved how do you know it’s a disaster? There’s nothing that tells you it’s a disaster; nothing to point towards to say ‘this’ is the reason for the fire being a disaster because when the large fire is discovered it’s impact isn’t known…yet
A disaster must have some level of measurable impact. Something that can be ‘seen’ and ‘felt’ by people before it can be classified as a real disaster – and it has to impact people, otherwise it may just be an incident or an event of note. A fire in the middle of nowhere can still be a disaster, but if no one is there to see it, fight it or be impacted by it, it’s not classified as a real disaster because there’s nothing to measure as an impact.
For a disaster to be a disaster – in the eyes of people, media and the public in general – there has to be an impact to;
• Communities & Community Infrastructure;
• Service interruptions;
• Technology (including those that impact services and processes);
• Responders…and more.
If there is no measurable impact to any of the above, it’s not a disaster or a situation worth reporting on, it may just be an incident or Business As Usual (BAU) occurrence for which response mechanisms have already been developed to address. A means of addressing the situation before it escalates out of immediate control to become a disaster. Or even, the means to respond to the non-event when the non-event escalates and does begin to have an impact. Staying with the fire example, a forest fire may be a bad situation but not a disaster until it continues out of control and begins to threaten communities. Then what started as a non-event or non-disaster suddenly becomes a disaster.
The argument can be made that anything that impacts another is a disaster. A forest fire is a disaster because it destroys property, animal life and the natural resources it envelopes. But again, if there is no one to fight the fire – or even plan to fight the fire and maybe even to see the fire – is there a real disaster when no one is involved? If people are not involved with the situation by either resolving or addressing it or being impacted by it, it’s not a disaster. It’s just a situation that may or may not be in the headlines and will quickly be forgotten.
© StoneRoad 2014
A.Alex Fullick has over 17yrs experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”
There are all sorts of templates and thoughts on how the various Business Continuity Management (BCM) program components should look – the “plans.” Every organization has its own self-styled plan; every consulting agency has its own look and feel and every available free online template looks different from the next. So how can you recognize a good plan from a really bad and confusing plan?
The following 10 considerations will help you determine if you’ve got a good plan or a not-so-good plan
- Action Oriented: If people are expected to follow and execute plan activities, it must be action oriented. A document full of theory and suggestions won’t be of any help and will quickly be used to stop a desk from wobbling – or used to capture excess dust that may collect on a shelf. As a rule of thumb, I tend to look for the first action step/item/activity within the first 5 pages after the table of contents. If I have to dig through tonnes of pages just to find an action item, I know it’s not going to be of any good to me (or anyone else). If the content is short, sweet, specific and to the point and remains focused on action items, then it’s going to be of benefit to its users.
- Assigned Roles & Responsibilities: This is an easy one; who is doing what, when, how and where. Why is kind of self-evident; to execute activities based on the disaster at hand. This goes hand-in-hand with the action oriented approach. If specific actions are to be taken by someone, then it should state who is responsible for it – and if they aren’t available, who the alternate/backup person is. I suggest that these should be designated by position rather than the actual name of the person. People can change quite a bit in roles and responsibilities; moving from department to department and if the plans aren’t kept current then you can quickly cause confusion when someone who has been in a role for some time, suddenly is told they’re responsible to execute tasks for an area they are no longer associated with. I suggest you designated the roles and responsibility by position title. For example, the Director of “XYZ” will do A, B and C. This even makes it easier when someone new steps into the role; they know right away what they are responsible for, though they may need a bit of guidance from the BCM/DR person so they fully understand expectations before a disaster occurs.
- Comprehension: Do you speak in a plain direct manner yet open up a BCM plan and find if full of 10 syllable words that you can’t find in the dictionary? It’s happened; I know, because I’ve read a few like that. The writer doesn’t sound smarter when they use big words; it detracts from what is important in the plan and if people are distracted by words and their meanings, there’s a sure fire chance that things will be skipped, misinterpreted or misunderstood. The comprehension must be quick, concise and direct if people are to follow it. In many cases, the BCM/DR person cannot – I repeat – cannot action every single plan and be able to manage activities on their own. It simply can’t happen that way – and if it did, then someone didn’t do a good job of getting buy-in from Senior Management and didn’t do a good job of bringing awareness forward (i.e. about roles and responsibilities). You’ve also got to remember that when a disaster strikes, peoples thoughts can run away from them, so any instruction shave to be short simple and right to the point. Finally, the person who has to execute activities may not the person who wrote or contributed to the plan (because key personnel aren’t available) and they have to be able to understand what it says. If it reads like an eighteenth century theologian book on philosophy, it probably won’t work for people.
- Minimal Fluff: I’m a firm believer that incorporating the strategy used to develop the plan – which ends up appearing all plans – is fluff material and adds to value to a plan required to respond to a disaster. Any fluff material should be kept in a single over-arching BCM program document that outlines how strategies are executed and managed. For example, the times per year the plan will be reviewed or how the workshops will be managed to create the plan. This is the kind of information that only adds numerous pages to a plan rather than adds helpful information to the plan user (the one needing to follow and execute activities).
- Not Everything to Everyone: If it’s a Crisis Management (CM) plan you’re reading it shouldn’t contain all the information related to a departments Business Continuity Plan (BCP); meaning is shouldn’t contain duplicate information that already exists in another plan. The Crisis Manager (or whatever the title is called for you organization) only wants to see the actions related to the Crisis Mgmt plan, not the actions attributed to the Technology Manager…unless of course, its relevant to the Crisis Mgmt plan. If it’s the Technology Recovery Plan, (TRP), then it doesn’t need to be in the Crisis Mgmt plan, though the CM plan may say to activate the TRP but now provide all the details of the TRP. Too much information is just as bad as not enough information in a disaster; people become overloaded with information and they can’t process it correctly or in a timely manner.
- Maintained: Let’s keep this simple; if the plan is years old and hasn’t been maintained, reviewed or updated it probably doesn’t contain the best information you need. Sure it contains some that will probably be of help to users but it’s out of date and can cause confusion because it represents the organization as it was years earlier – not as it is today. It’s just a snap shop of the past and not reflective of the present.
- Available: The various plans should be made available to everyone that needs it – and maybe to those that don’t really need it. A plan can sometimes be used by someone who didn’t write or contribute to it but they’re still going to have to know where it is and have it available to them if they need it.
- Cross-Referenced: No man is an island – so the saying goes – and neither is a BCP plan. The plans must be cross-references and aligned to ensure there are no contradictions in activity execution. For example, if Finance says it’s passing its “x” process over to Human Resources (HR) when it’s being impacted by a disaster, then the HR department must be well aware – and prepared – to actually do that. They’ll need the skills and tools to do it. And in most cases, they may not be able to take on the additional work load because they’re impacted by the disaster as well so how could they take on the additional work? They can’t. Thus, you’ve got to make sure that the plans are cross-referenced and that no one is making assumptions that other will perform specific activities – or not perform activities, which will only cause problems when the plans are activated.
- Accessible: It’s one thing to distribute plans and have them located on systems but if no one can get at them, what good are they going to do. This is an extension of “Available” where the plan must be accesses by those who need it. If it’s locked in the VPs office – and only his/hers – then no one is going to get to use it. Sometimes it’s locked off site in a vault or 3rd party storage facility but then when it’s needed, only a select few can actually get at the plan; special access is required, which can take time…when you don’t have any extra to spare.
These 9 guideline principles will help anyone identify a good plan from a bad one. Depending on your level of expertise and knowledge, you can add many more components but really, that just adding details and getting away from the basic function. You can add all sorts of bells and whistles to make a plan work but if the basics aren’t there, it won’t make sense when it’s needed.
© StoneRoad (Stone Road Inc) 2012
“Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”
by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3