BUSINESS CONTINUITY & DISASTER PLANNING BOOKS BY ALEX FULLICK: eBOOKS / KINDLE VERSIONS NOW AVAILABLE!!

We are happy to announce that ebook / Kindle versions of all books by StoneRoad founder A.Alex Fullick, are now available from Amazon.com (and other Global Amazon sites).

We hope these information sources help you with your Business Continuity / Disaster Recovery Program efforts. Keep your eyes open for more BCM / DR information sources coming from A.Alex Fullick and StoneRoad.

Happy planning!

 

Regards,

The StoneRoad Team.

PS: Congrats boss!  😉

© StoneRoad 2015

A.Alex Fullick has over 18 years’ experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”

 

BCM & DR: When to Use Software

Often, when an organization initiates its Business Continuity Management (BCM) / Disaster Recovery (DR) program, it a pretty manual process: documents, power points and spreadsheets abound. They look good and they serve a purposes but when the program needs to mature and grow, the manual maintenance and monitoring processes just can’t keep up properly. Suddenly, the person responsible – use is usually only assigned to BCM/DR part time – can’t keep up and things begin to fall apart. It’s time for some help to automate the BCM process to keep it current and maintainable (not just the plans being maintained). Continue reading →

Business Continuity Management (BCM) / Disaster Recovery (DR) Document Templates Available for Small and Medium Businesses!!

Not every business can spend thousands and thousands of dollars on expensive software packages to get their BCM / DR programs off the ground – or has the time to get software configured and ready for use.

Having experienced these challenges first hand, StoneRoad developed a cheaper alternative: we developed document templates for Business Impact Analysis (BIA), Business Continuity Plans (BCP) and more.

Visit the StoneRoad site and go to the Shop section to view the various templates available and get your program moving with a low cost alternative to expensive software! Each template provides instructions on what information is needed so that you can build your program with less fuss – and with more results!

Here’s just a sample of our document offerings:

1) Test Scope Charter Document (Word Document)
2) Business Impact Analysis (BIA) (Excel Worksheets)
3) Operating Unit Business Continuity Plan (BCP) Template (Word Document)
4) Emergency Employee Logistics & Pandemic Plan (Word Document)
5) Test Executive Summary (Word Document)

…and more. We’re adding new templates all the time to help you. We even have BCM & DR books and ebooks available.

So download what you need and get started!

Happy planning!

Regards,
The StoneRoad Team

“Reduce Suffering Through Disaster Planning”

© 2014, Stone Road Inc.

10 Tips to Remember When You Don’t Have a Disaster Plan…and Disaster Strikes!

(c) Stone Road Inc. 2014 (A.Alex Fullick)

When disaster strikes, keep calm and march on!! Sometimes it’s not always that easy and in a real situation you really do need to carry on; if you don’t, you’re done! Over! Caput! Even with the numerous disasters occurring in the world – some man-made some natural in nature – there are still many organizations that would rather take their chances with fate than invest in a Disaster Response / Emergency Response / Business Continuity Management program. When disaster does strike, these organizations are left empty handed. With no plans or processes in place to respond to the situation they must ‘wing it’ if they’re to continue staying in business – or attempt to stay in business.
So what should organizations consider and focus on if they are caught in a serious situation and they don’t have a BCM/DR program in place? What do they need to do to try to get some level of coordination in response, restoration, recovery and resumption efforts? Below are some tips for how leaders need to view the predicament they find themselves in; a disaster/crisis with no BCM/DR program or plan in place.

1. Don’t Throw in the Towel – Don’t give up! You’ve got to do something even if you don’t have a proven plan in place, so keep going and do what you feel is right. Under no circumstances should you give up, as you really don’t have an alternative unless you really want your organization to fail. As the saying goes, ‘Keep calm and carry on!’

2. Figure it Out Quickly – Don’t waste time debating and getting everyone’s input on what to do. Figure out what your main objectives are then take it from there. The longer you take the less likely you are to remain in business much longer. And even if you do get up and running, because you took so long to do anything, confidence in your organization will vanish.

3. Focus on People – Make people your priority. A little bit of care and compassion can go along way in public and media perceptions and if you make people priority #1, you’ll be forgiven a bit more for not having a plan or program in place.

4. Reconfigure – Time will be of the essence, so don’t bother trying to get things like-for-like; it won’t happen. You have no plan, which may also mean no alternate site, so get what you can and start rebuilding. It may mean patch-working systems and services together and getting people to do activities they don’t normally do but do it anyway to get your operations up and running. You’ve got a clean slate in front of you, so feel free to reconfigure what you need to make things work. A small beat-up car will get you to “location A” just as well as a luxury car, so if you need to reconfigure…do it.

5. Get Rid of Expectations and Assumptions – Don’t bother asking questions and wondering about assumptions; you need to action things immediately and start doing something. If you’ve had a disaster and have no plan in place, then there are no rules, guidelines, directives or assumptions to work around; no boundaries to hold you back. So everything is possible to you and you’ve got to start trying to get your organization back up and running with technology recovery, business continuity and crisis management so that you can begin to service your clients with the services and products you provide. With assumptions, you may be thinking that everything you need is easily available – including people. However, this might not be the case so throw your assumptions out the window because the only assumption that gets proven correct in a disaster is that all your assumptions are wrong.

6. Emotion Over Intellectual Response – If you want to stay in the good graces of people, then speak to them emotionally, not like an automaton full of intellectual platitudes. If you don’t have a plan in place, you’re biggest fight will be with through how you respond to the disaster as perceived by onlookers not how two IT servers are connected to the internet. Speak with an emotional approach and you may find that people will approach you offering help, assistance and with compassionate sympathy.

7. Don’t Blame – Don’t play the blame game right away. You’re in a disaster and the public, employees, partners and the media what to see you dong something and managing the situation; blaming others is seen as a smoke screen in an effort to deflect questions and criticism. But the opposite occurs so don’t bother playing a game you can’t win. When the dust has settled and you’ve performed investigations into the cause, then you might be in a position to start blaming but it shouldn’t be your priority.

8. Request Help – It’s not time to be proud. If you need assistance to get resources then ask for it. Don’t be shy, as trying to hide the fact you need assistance can cause even more problems. Many organizations are willing to help competitors and partners when they have a disaster but many are too afraid to ask for help because asking for assistance is seen as a weakness when in fact, not asking for assistance is a sign of proud arrogance. If you need help, ask and don’t shy away from stating the issues you have, as it a response or helping hand may appear to help resolve some of the problems you’re facing.

9. People Are Resilient – People do not wantonly wish to fail; they want to succeed and responding to a disaster by their employer is going to make them want to work hard and overcome the situation. Their livelihood is at stake and they aren’t about to let that disappear without fighting for it. Many want to be part of restoration and recovery efforts, as it takes them away from the trauma of what has occurred and helps them focus on areas with which they have more control and knowledge – rebuilding servers, loading applications, testing etc. Your organization isn’t the first to experience and disaster and won’t be the last and in the majority of cases, people overcame adversity by sheer hard work and will power – and never giving up. Let the employees do what they know needs doing instead of trying to make it up on the spot, they are aware of what they need to do, as they do it each day – it’s why you employ them.

10. Listen – Listen to those around you – especially those Subject Matter Experts (SME) and End Users that can offer all sorts of advice on how to get something working again. Often, experts are leveraged from external sources and all too often, they are doing things with their own gain in mind, so don’t throw away suggestions from others, as they may have ideas that can be of assistance and those ideas may work better than some other specialists because they often are thinking outside the box. They are also thinking or ensuring they get their jobs back and their employer operational; a different perspective than some vendors and partners who are more worried about the impact upon their bottom line rather than yours.

11. (BONUS) Document Everything: When the disaster is over – or when you’ve got time to start – begin to document everything you’ve done. Every action item and resolution. Every decision. Every communication – the good and the bad. Every participating role required and what they did – and didn’t need to do. Every action asked and required of partners, vendors and suppliers. Every aspect required to assist employees. This will help start you formal BCM/DR program and begin to pull ideas together for plans because as sure as the sun will rise tomorrow, you’ll be building your program immediately. In fact, it’ll probably be the #1 priority of executives and management, assuming you’re organization was able to get through the situation and come out the other side – though probably battered and bruised.

No matter what happens, you have to be doing something. The situation won’t resolve itself by wondering what to do or wondering what ‘might have been’ had you a BCM/DR plan.
When it seems you’re down, get back up and keep playing on – you’re only beaten if you give up, not if the issue continues. It’s said that Edison failed at inventing the light bulb dozens of times but did he give up, no, he played on. Abraham Lincoln give up, despite losing a couple of elections and became President of the United States.

© StoneRoad 2014
By A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL, author of multiple books on BCM including “BIA: Building the Foundation for a Strong Business Continuity Program” and “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.”

BCM / DR: The Little Test Activities Often Forgotten

Having been a part of dozens of test to varying size and scales, I’ve come across quite a few instances where planners – including myself at times – forget to consider when organizing a BCM / DR test. I thought I’d come up with ten (10) areas that have at some point, been a fly in the ointment of test coordinators and caused issues further down the road and on one occasion, at the moment the test was scheduled to begin.

1. Production Priorities – Believe it or not, once everyone was so focused on testing they forgot to ensure that someone was left to support any production issues. While testing activities were underway, all members of a department were focused on ensuring that the test went well that no one was monitoring a production issue, which needless to say, caused allot of grief for business units. Don’t forget that even when you’re testing BCM/DR capabilities, you’re production environments are still ‘live’.

2. Test Strategy – Know ahead of time what strategy you’re going to leverage for testing purposes and ensure its communicated and agreed-to by everyone involved or else different groups will be working in isolation and not working towards the same thing.

3. Managing Scope – Keep people on track during planning and execution. If no one is clear on scope then the activities they plan and execute might not achieve the goals you’ve set. It also means that even though they might perform tasks successfully and everyone is happy, you still didn’t get what you originally planned for. It’s like being given a bicycle to get from A to B when you originally asked for a pickup truck. Sure you got to where you’re going but the goal was the truck. Did you really achieve your goal and scope if the scope and goal was to get from A to B with a truck? Nope, you didn’t.

4. Resource Assignment – When user activities are required it has been assumed the people needed will be available but often the department responsible for the resources are never approached about being part of the test and when they are, it’s too late because people are working on other initiatives. So make sure you speak with other teams early so that resources can be aligned early.

5. Change Management / Requests – This is relate to the scope; if you’re changing something – even times, dates etc – make sure everyone knows about it and that you document the desired change. Using the previous example about the bicycle and truck; it may have been a great idea to change the truck to the bicycle and it still worked for you however, the scope was the truck and there was no formal mention of changing it to the bicycle. If you’d managed it correctly and documented the fact you were going to use a bicycle, then it would have been known by everyone that the truck is ‘out’ and the bike was ‘in’ and everything would be a success.

6. Agreement – When you have key decisions made or need key decisions to be made, ensure you have agreement on the final outcome. It could be that if you make decisions without consulting impacted parties, they won’t support what you’ve determined and will continue on their original path. This only means confusion and failure further down the road. Keep everyone on the same page and part of the decision making process; if even as an FYI in some cases.

7. Documentation – Make sure you document all aspects of the test; most notably scope and goals and objectives. If you don’t who do you know you met them? You won’t even be able to talk to audit and prove you did what you set out to do because you don’t have anything that captures what you originally set out to do and quite possibly, nothing that sums up what you actually did (a test summary document).

8. Focus on Test Planning Rather Than Planning the Test – Try not to get far off the path here. It’s one thing to ensure you plan the test so that it doesn’t impact production systems or other critical aspects and it’s another to set up the test in a way that it has no relevance and doesn’t reflect what you’d actually do in a real situation. If that happens, you really aren’t testing anything. You need to know where the gaps are in the plans and that they’ll work in a real situation.

9. Test Timelines – Estimate activity sequences and schedule accordingly. If it takes 24 hours to get a mainframe up and running – from scratch – then have end users come in at the same time as the main frame team would be ridiculous, as they’d be sitting around for an entire day before they can do anything. That won’t make them happy.

10. Test Schedule – Plan ahead. When planning efforts are underway to schedule major initiatives over the next year or so, make sure that testing is part of that planning effort. This ensure that departments are aware of the test ahead of schedule and that they are able to plan for that initiative. Also, if you have 3rd party DR vendors involved, you often have no choice but to schedule test time a year in advance or run the risk of not having any time available to test, as the vendors other clients will take up all the available time.

Some of this may seem obvious but you’d be surprised how often the simply things can derail a test. Keep in mind the little things and you’ll have a great chance of success. Remember, if you have the most luxurious car in the world, it does nothing if you don’t have the key.

© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”

8 Considerations for Online BCM/DR Solutions

To many, it might seem easier just to go the online application route to perform a Business Impact Analysis (BIA) or build Business Continuity Plans (BCP), Crisis Management & Communication protocols and even Disaster Team roles and responsibilities. However, it’s not always that easy. An online solution may not be the best bet to start with, as there are considerations organizations need to think of before going down the ‘online’ route.

1. Financial Considerations:
a. Product Cost – This is one of the main considerations for all purchases. If it’s too expensive – regardless of what it does and/or doesn’t do – many won’t consider it. So, the price is something that pops to the top of every list no matter what the requirements are. Once cost is balanced against other requirements, then the real decision get made. Want and need against the cost to get what suits the organization.
b. Administrator Training: Often, the purchase of a solution means that someone – either an individual or a group of individuals need to be trained on how to administrate and configure the new application.
c. User Training: In the past there have been instances where individuals must travel to the vendor’s location to receive training on their product – this may still occur for some products. If this is the case, then your organization must take into account the additional travel and accommodation costs attributed to the number – and length – of training courses that have to be taken before anyone can begin to use the product. In some instances, this might add weeks to your planned implementation schedule because the course offerings (training) may be dependent upon the vendor’s availability and if current courses have any available spaces.

2. Set-Up & Configuration: This requires your internal IT team to get involved. They need to ensure they have a server available or space on an existing server to house the new application. In many instances, they want to know more questions that you’re able to answer, and then chatting back and forth with the vendor for configuration requirements may take some time, especially if you encounter any issues.

3. Internal Technology Involvement: OK, so you bought the new online application – now what? Who internally is going to support it and do they need training on its workings and what’s required to support you and the internal users?

4. Support & On-going Maintenance: Make sure that if you have any questions, contacting someone for assistance is easily available. If you’re vendor is in another time zone, their support hours may not cover the time you’re in the office and thus, you only have a small winder each day to speak with someone. Find out what level of support is offered. In some instances most of the technical support ends up coming from your own internal IT personnel, which usually frustrates them, as they’re supporting a systems/application that isn’t theirs to start with.

5. Questionnaire Build: Most applications, such as those intended for Business Impact Analysis (BIA), come with some pre-existing questions, which you can leverage. However, in many cases the questions are generic and may not represent the full range of information you require. If that’s the case, then you need to ensure you have time available to plan out your questions and then insert them into the application. Depending upon the application functions, you may have to build in links between various questions. For example, if a question is answered with a ‘no’ then it skips the following questions that may appear if the answer to a question was ‘yes’. Good questions will help give you the information you need so be sure to spend time on the questions to ensure they meet the needs of your organization.

6. Reporting: One of the advantages to online applications, is they are able to provide all sort of reports and report formats. However, since each organization is different and the reporting isn’t standard from one organization to another – let alone reporting related to BCM/DR – an organization may have to design its own reports and build the criteria around them so that it gets the information it wants to make decisions based on the input from users. Designing reports may come at a later date once the user (BCM resource) is more comfortable with the application and when there is actual data to work from, rather than building the report before actual responses and input has been received.

7. Time: Time is money, as they say; do you have the time to get everything noted above coordinated before moving on to build your BCM/DR program? If the direction from senior management to build a program comes with deadlines (i.e. a BIA completed in 2 months with findings and recommendations) do you have the time to begin looking for an online solution, purchase it, design to you specifications, train users (including yourself), get users to complete the questionnaires (or whatever is being sought), capture the findings and present them to executives? Quite possibly not. The online solution may become a more long term aspect to enhance the program, rather than the component that kicks it off.

8. Growth: If you’re organization has grown by leaps and bounds it will become impossible to be able to manage all the various program components. Change would be happening so quickly (let’s hope) that a manual process would take too long and be too labour intensive to ensure plans are kept current, incorporating the change in so many locations (assuming new facilities are being utilized), new nationalities and requirements, new departments (spread over multiple locations) and new processes and client/vendor/partner needs. And this doesn’t begin to include the new challenges for Technology Recovery Plan (TRP).

In the end, an online solution will eventually expedite information and keep it manageable, it just can take allot of effort to get there. Sometimes the old manual method of acquiring BIA information is quicker and easier. Yet while that is being done, an online solution can be investigated and slowly built in the background being populated with the information being obtained from the initial BIA – when you’ve actually moved on from the BIA and working on developing contingency strategies and solution. The manual process for BCM/Dr can only last so long before it becomes harder to maintain. As the organization grows and hierarchical structures begin to ebb and flow to meet new challenges, the online version can respond much quicker than updating multiple documents.

In no way is this intended to deter organizations form using online BCM/Dr applications; in fact in the long run they can offer more good than negative. But, starting out fresh with them can cause delays and hindrances you may not have time to tolerate.

© Stone Road Inc. (StoneRoad) A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL

12 Reasons Why Organizations Will ‘Forget’ What to Do in a Disaster

Many organizations can build comprehensive BCM program and plans; detailing every action and activity needed to ensure the continued operation of an organization when a disaster strikes. However, even the most comprehensive program and plan can still suffer greatly when they are needed the most because many organizations’ DR team and team members forget what it is they are supposed to do.
There are many reasons for that. Sudden changes in environment can throw people for a loop, as the situation throws chaos into their normal day and it’s easy for people to forget what to do when they are required to do it. Sometimes the reason for plan activities or action items being forgotten occur even before the disaster situation makes itself known.
Below are some of the reasons why people – and organizations – forget their activities before and during a disaster.

1. No Executive Support: It’s easy to forget some initiative within an organization when even the executive leadership don’t support it. After all, if they don’t care for something, why should anyone else? It’s that simple, without executive support people will quickly forget that there is BCM or DR program in place for when a disaster occurs. Even executives will wonder where it is and believe it or not, even without their support having played a part in its development (if at all) will wonder why no one knows what’s going on and why people aren’t performing tasks.

2. No Leadership: Continuing on from #1, people want leadership during a disaster; they believe that those responsible for the organization in good times, is also responsible for the organization during bad times and will provide guidance and leadership on what needs to be done when a disaster occurs. If there is no one taking responsibility for the disaster, then people are left hanging – wondering what to do. This doesn’t mean the leader or coordinator of the response functions is responsible for the disaster, it means they are taking the responsibility to lead the organization resulting of the disaster. Even if employees and members of various DR teams are aware of their activities, they are still looking at the organizations leadership to provide direction and provide answers to any key questions that may come up as a result of specific situations discovered based on the disaster. If executives and/or senior management aren’t part of the decision making process and part of the BCM program, they won’t know what to do or what is expected of them. The executives themselves won’t be aware of the DR/BCM team makeup or what any of the program protocols are. They could end up trying to lead the organization through the disaster, blind.

3. No Plans: One of the biggest reasons people will stand around wondering what to do is that there isn’t a plan – even a bad one – in place for them to activate, reference and follow. In a nutshell, the organization has done nothing to promote any sort of disaster response or planning mechanisms and when disaster strikes, there is no know prioritization of what needs to be activated. All the responses are made up on the spot, which could pose even more problems for the organization. It’s like a jigsaw puzzle; you don’t start putting the pieces together until you know the picture (or at least most people don’t) and you can’t rebuild a corporation after a disaster when you don’t even know what pieces you need first to rebuild it. No plans in place can mean the end of the organization, as it will take too long to figure out what is priority between the business and technology and getting the two to agree to a restoration, recovery and resumption strategy. You can’t ‘wing’ it in a disaster…

4. No Delegation of Authority: It’s often quite comical when someone is required to perform BCM activities, as captured in a DR/BCP or crisis management plan but they aren’t give the authority to do so. This can mean they don’t have the delegation of authority to make decisions or provide guidance to others or they don’t have the IDs and/or passwords to perform functions. It’s like giving someone a car and telling them it is all paid for and its there for as long as they want it but not giving them the key. This is one thing that stops many organizations from performing activities; people don’t have the authority to do anything and thus, they are waiting for direction from others when in fact they are the ones who are supposed to be providing the direction. If someone doesn’t have the right authority to perform activities, they will be a roadblock to other activities and many groups may be standing and waiting around for guidance and information. And further on the point of IDs and passwords; often this information is created and placed in a secure location that people forget about. Rarely are they reviewed and updated and even remembered because they are placed in an online folder, which is no longer available because technology has failed. These IDs and passwords are for use only during a disaster so they rarely get reviewed. These should be part of an annual (at least) review to ensure the people remember where they are and what they are – and remember that these are probably powerful IDs and passwords and only a few key people should know about them to start with. If someone leaves the organization, make sure you change the passwords and remove their ID just in case. When you test, try activities using these profiles to ensure that they are current and validated; that required activities can be performed using these ‘generic’ IDs and passwords but are amended after the test so they are fresh and those using them – the users – can’t use them during normal business hours.

5. No Testing/Validation: If validation activities are not performed, then how can anyone know exactly what to do? Testing is a form of training and training will help people identify their roles and build BCM plans and processes. When testing, start off small and then build upon successes – and upon problems – so that the program becomes stronger and stronger. If no one participates in test then no one has the opportunity to practice their roles and areas of responsibility; they then need someone to remind them or provide guidance to them as to what to do. Also, if you only test once or rarely, people will forget what they need to do and where their materials are located.

6. Assumptions: A key reason many stand around not knowing what to do, or forgetting what they need to do, is related back to the assumptions made during the initial stages of building and implementing plans and processes. All too often non-technology departments (i.e. “the business”) will make assumptions about technology departments (i.e. “IT”) but without ever validating that the assumptions are correct; sometimes never even letting the other know that an assumption has even been made. From personal experience, there have been too many instances where one side of the other states that ‘IT/business knows x or y…’ or that ‘IT/business will do…’ and it almost never proves to be true. Both teams end up confused not knowing what to do because they are waiting on the other for information or they are assuming that something is occurring while they’re just waiting for some confirmation that an activity is done. In reality, everyone is standing around not knowing what to do or who to even talk to. If you’re using assumption in your initial planning, through exercises and tests, the amount of assumptions being used should dwindle over time as they either become actual roles within a plan/process or become proven to be false and are removed from a plan/process.

7. No Awareness & Training: It’s a simple one really; no one knows what to do in a disaster because no one has told them about it. They haven’t been part of the overall program build or design (not that everyone needs to be part of every phase) and haven’t been told they are responsible for specific activities. Often, DR team members don’t even know they are part of that team until someone asks what they are going to do in a meeting full of other managers – some not sure why they are their in the first place. This also means that they haven’t bee involved with any testing activities to help validate plans, which is one of the best opportunities for training; executing activities under controlled circumstances to actually learn what needs to be completed and understand expectations.

8. Plans and Processes are Written in Isolation: Sometimes its not even a case of forgetting what needs to be done, as outlined in a BCP/DR plan – it’s never being told of what is in the plan and not being part of its build. All to often plans are build in isolation meaning someone not within the department is writing its contents based on what they know and what they hear at meeting yet if the actual user isn’t part of that development or the person responsible for actioning activities isn’t part of the plans development, they aren’t going to know what activities they are responsible for. Ensure that all plans are written with the person or persons responsible for the plan itself; the person who’ll actually be responsible to action the activities within the plan.

9. No Review of Plans (by Users): One of the best ways to ensure that a BCP/DR plans everything it needs and that the content is clear and understood, is to ensure that its reviewed by the actual user. When they review existing plans, as noted in #8 above, they can recommend enhancements, additions or even deletions based on real knowledge of what needs to be done. If a plan was written in isolation and not review was performed by an actual user, it’s no wonder people don’t know what actions to take or even where their plans is – if they even know there is a plan in the first place. If no review of the plan is performed then the users themselves don’t become familiar with content and what is expected of them. Instead of initiating proactive measures they wait for someone to tell them what is expected and in many cases, those individuals are assuming that ‘plan’ users know what needs to be done.

10. Focus on Blame: When an organization has a disaster, often you see the Public Relations (PR) representative or the President stand in front of a microphone being questioned by members of the media – or even the public sometimes – and they spend allot of time pointing the finger of blame or trying to deflect any criticism or questioning on what the organization is doing. When employees see this, they will spend their time trying to find the cause of the problem or the ‘right one to blame’ rather than concentrating on a proper response, restoration and recovery strategy. All hands are on deck to find out what is wrong and who should be help responsible but if leadership is busy with that approach then employees will be too, as they won’t be focusing on the right tasks at hand. It ends up being a crutch that organizations leverage so that they can start their restoration and recovery activities in the background, away from the face of the media. Usually, this means they didn’t have any strategy in place to begin with and the excuse that someone else is to blame is used as a smokescreen to cover the fact that behind the scenes, no one knows what to do within the organization.

11. Checklist Approach: If BCM is checkbox on someone’s report, the chances are it’s a checkbox on an executive report. They eventually see the checkbox ticked and then there is no more discussion or promotion of the BCM initiatives. This also means that the only reason the program was stated in the first place was to ensure someone’s checkbox was ticked and that it drops off of any report or audit ticket. Chances are good that the work and value of the work performed to plan, develop and execute plans was minimal at best and won’t be of much use during a real situation. Thus, no one will pay close attention to the BCM program and the related plans because it’s treated as a one-time thing – forgotten when the checkbox is identified as complete.

12. Seeking Direction: Like many people, when something occurs everyone looks around for direction; who will take control of the situation and tell us what to do? Staff will look to management while management is looking at executives; each expecting the other to provide direction on what they should – or shouldn’t – be doing. Think of when a fire alarm goes off in a facility – even a fire drill – most people keep working or start asking if it’s a real situation or not. Should be get up? Should we leave? Many wait to be told to leave before they bother responding to the alarms. If people can’t understand that they need to leave when the fire alarms go off its no wonder they don’t understand their role when a disaster strikes. Everyone is seeking direction from someone else.

Finally, panic is something that can run rampant during a disaster. When that happens, any thought of gaining control of the situation can go out the window and there’s no way anyone is going to pay attention to their role on a disaster team when that happens. This is why many of the items noted above need to be addressed prior to any situation occurring. When people are more aware of what to do and have been through it a few times – each more challenging than the last – they are better prepared to deal with the situation when it’s real – not faked under controlled circumstances, as it is usually done during a test. There will still be an element of panic – it’s almost a given – but putting measures in place to deal with it ahead of time can help reduce its impact and increase the chances considerably that no one will be standing around wondering what to do; they won’t forget.

© StoneRoad (Stone Road Inc) 2013

Books by A. Alex Fullick Available at the following:
http://www.stone-road.com, http://www.amazon.com & http://www.volumesdirect.com

12 Tips, Trips & Traps: The Business Impact Analysis (BIA)

Hello dear readers!! We’ve been a bit quiet lately over here at StoneRoad due to multiple vacations (Singapore, Australia, New Zealand and more) and now that we’re all back, it’s time to start posting once more. Enjoy…
The StoneRoad Team
**************************************

**The below section is an abbreviated bonus taken from the Appendix of the book, “Business Impact Analysis (BA): Building the Foundations for a Strong Business Continuity Program” by A.Alex Fullick. The full text can be found in the aforementioned book.**

Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA. The following are some common mistakes that need to be addressed to ensure that the BIA is effective:

1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program.

2. No Timely Follow Up of Results – A BIA is conducted almost always in support of an enterprise-wide business continuity program. The real value of a BIA is the follow-up activities that lead to effective recovery strategies being implemented based on the BIA priorities of the business processes. Occasionally, so much effort and cost is put into the BIA that business continuity planners never get around to fully implementing the follow-up recovery strategies and plans. Without the implementation of these follow-ups, the value of the BIA becomes wasted.

3. No Agreement on Scope (Level of Detail) – This level of detail can span an entire spectrum. On one end, some BIAs will contain relatively little detail to provide a higher-level executive view of the analysis. On the other end, and far more prevalent, are BIAs that include for each business process its corresponding input dependencies, output dependencies, recovery point objectives, recovery time objectives, and financial impacts. The common mistake here does not involve selecting the right or wrong level of detail – what’s appropriate for one company may be totally inappropriate for another – but rather, failing to reach agreement among all relevant parties as to what level of detail best meets the requirements that are driving the BIA in the first place.

4. Minimal Executive Support – One of the factors that most influences the relative success of a BIA is the degree of executive support offered at the outset. The kickoff process usually consists of two parts: a widely distributed email and an initial presentation. The email should come from the highest level executive sponsoring the BIA and should be distributed to all parties who will be participating in the effort. The email should emphatically voice the executive’s support for the project and insist on the support of al participants, particularly during the interview process.

5. Poor Questionnaires – An important step of any BIA is the collection of data from business units. The manner in which this data is asked for often spells the difference between a full, timely and meaningful collection of data, and one that is delayed and incomplete. One of the best ways to avoid this situation is to develop survey forms that are thorough enough to capture all relevant information and simple enough for business users to complete quickly and easily.

6. Lack of Preparation for Interviews/Workshops – Interviews are the cornerstone of a successful BIA, yet few planners prepare adequately for them to ensure their effectiveness. Interviewers need to learn as much as they can about a given business unit prior to the meeting, including a thorough review of the respondent’s survey.

7. Lack of Critical Focus – Analysts frequently make the mistake of asking business users ‘what are the most important business processes within their department?’ The reason this is a mistake is because virtually all critical business processes have a large degree of importance and value – otherwise they would not be designated as critical – resulting in less likelihood of it being easy to prioritize processes according to value or importance. A much better question to ask is ‘how long can a business process be idle before major impact is felt?

8. Focusing on the Tools Instead of the Process – Some analysts who conduct BIAs become very focused on the tools they will be using in the collection, compiling and analyzing the data provided by the business users. The emphasis often shifts inappropriately from the process being used, to the automation that can be applied to the process. There is an inherent flaw in this approach. If a poorly designed manual process that is being used to collect and analyze the data suddenly becomes automated, what you typically end up with is a poorly designed automated process.

9. Ineffective Interviewing Technique – I have known more than a few BIA analysts who preferred to rely solely on surveys, questionnaires and emails to collect needed data. The example previously cited concerning the over-focus on tools shows how this can less than desirable results. Analysts often say that setting up interviews can be more hassle than it’s worth. They will mention how interviews often start late, or may be cut short, or have to be re-scheduled, or cancelled altogether. In my experience, the real reason some BIA analysts try to steer clear of face-to-face meetings is that they tend to use ineffective techniques when interviewing business process owners.

10. Insufficient Results Analysis – Analysts conducting a BIA collect a wealth of information during the course of their efforts. But the value of this information is sometimes diminished by poor or incomplete analysis of the data. Analysts need to look for trends, patterns, relationships and discrepancies among and within the data to ensure a thorough and meaningful analysis.

11. Unclear Presentations – Data that is thoroughly collected and well analyzed is sometimes de-valued by an unclear or confusing presentation of the information and results. Managers in general and sponsoring executives in particular, expect BIA analysts to summarize their results in high-level presentations that are succinct and effective. Unfortunately, this does not always happen. Analysts gather a huge amount of data in the process of conducting BIA. In compiling and analyzing this data, analyst sometime err on the side of presenting too much information rather than too little.

12. Undefined Scope – Often, the BCP focuses entirely on system restoration. Resumption of business needs to include the people and processes required to resume operations. Many BCP programs are headed up by IT departments. ‘Tunnel vision’ can often cause these departments to focus on system recovery and not take the people issues into account. During an event, the people issues are often the most difficult to resolve. The scope of a business impact analysis (BIA) pertains to the number of business units, such as Finance, Administration and IT, which will be participating in the effort.

Don’t let your BIA efforts fall to the wayside; make sure you have strong BIA approach and you’ll end up with a strong BCM / DR program.

6 Questions: Why an Organization Should Exercise BCM/DR Plans

It’s great to have many continuity plans and strategies to prepare for and respond to, disasters. However, if they aren’t validated they don’t carry any weight and there’s no way of knowing if they would be any good – useful – when a real situation occurs.

BCM practitioners may make the case for exercising plans but sometimes management may not want to provide the resources – physical & financial – available to validate the plans. There are a few questions that can be posed to executive management to possibly allow for the right kind of commitment and support to validate continuity strategies and plans.

1. Will an exercise increase overall BCM awareness within the organization? Well, let’s face it, if you’re exercising BCM plans, of course you’ll be increasing BCM awareness. Depending upon what you’re exercising and how you manage / facilitate the exercise, awareness will be increased but make it a positive experience or else BCM will end up being something negative in participants eyes.

2. Will the exercise identify potential ‘gaps’ in documented BCM plans and procedures? Let’s hope so. Not only do you want to validate what you have documented and discussed with numerous representatives but you also want to find things that may be wrong in the plans – not just what’s right.

3. Is there potential for the exercise to provide ‘learning opportunities’ for participants and the organization in general? If managed correctly and viewed as a positive experience, then employees will learn from the exercises – and from each other. In some cases, they may even be working with people they wouldn’t normally encounter in their daily operations.

4. Will the exercise provide an opportunity to leverage the results for further corporate gain and benefit? They should. If you can show that you’re exercising you plans – and have documented proof of them (Exercise Charters, Executive Summaries, Issue Logs etc) then you can use this information to help respond to RFPs etc and develop a stronger case for a potential client to choose your organization over a competitor. Having a strong BCM program can be used for competitive advantage.

5. Can the exercise provide skills and knowledge transfer between participants? Depending on what is in scope for the exercise, participants may need to seek assistance from other people in the organization for guidance. For instance, if a Single Point of Knowledge (SPOK) isn’t available to rebuild the payroll server because they are busy with other initiatives, they may be able to pass along their knowledge – as best they can – to another resource who will do it for the exercise, this way people are talking to each other and learning from each other. This is a simple example but you get the idea.

6. Can the exercise increase the responsiveness and effectiveness of the organization should a real disaster (or other event) occur? Simply put, the more practice people get the better they become, whether that be BCM or in any other area. Whether you have a large scale situation or a smaller scale incident, you’ll be better prepared if your people – and the processes and plans – are better prepared and knowledgeable. Enough said.

If any answer is ‘yes’ to the above questions, you’re well on your way to securing the support for validating continuity strategies and plans. Exercising only makes a person – or in this case, a program – stronger more robust.
© StoneRoad 2013

**NOW AVAILABLE**
Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3,
Available at http://www.amazon.com, http://www.volumesdirect.com and
http://www.stone-road.com.

BCM / DR Program Templates Available from StoneRoad

Check out our revamped shop at http://www.stone-road.com. We’ve added lots of new document templates to help get your new BCM / DR program off the ground – with more on the way. Each comes with built-in instructions so you don’t need to try and figure it all out on your own. You can even manipulate the templates if you want to so they address your specific need. Our goal is to show you ‘how’ to do things not just tell you ‘what’ you need to do.

Here’s a sample list of what we’ve got so far:
1 – Test-Exercise Project Change Request Template – $9.99
2 – Test-Exercise Scope Statement (Charter) – $29.99
3 – Test-Exercise Executive Summary – $29.99
4 – Operating Unit Business Continuity Plan (BCP) – $79.99
5 – Business Impact Analysis (BIA) (This one along can cost thousands for a software application.) – $79.99

Coming soon:
1 – Employee Logistics Plan – $tbd
2 – BCM/DR Program Policy Template – $tbd
3 – BCM / DR Program Overview (As a bonus, this will include the Policy template) – $tbd

If there’s something specific you’re looking for, send us an email. We’ve got lots in our arsenal and alwasy building new templates so we may just have what you need and just haven’t gotten around to getting it up on the site. We can always build something for you. You can reach us at inquiries@stone-road.com.

StoneRoad: Reducing Corporate Suffering Through Continuity Planning.

Regards,
The StoneRoad Team
StoneRoad 2013 (C)