Preparing for the Unexpected – 2018-04-19: The Challenges of BCM/DR Programs – Part II

The April 19/18 show continues from where Part I of “The Challenges of BCM/DR Programs” left off. Join us and see if you’re encountering the same challenges.

The StoneRoad Team




10 Issues to Remember When Initiating and Developing a BCP Program

Most organizations don’t want to imagine what would happen if a disaster struck their operation, but what if a disaster did strike. How would your organization respond? The best way to know how to respond is to develop, implement and maintain a Business Continuity Management (BCM) program. A BCM program provides a framework for building organizational resiliency with effective responses and safeguards that protect its reputation, stakeholders, employees, and facilities.

BCM is not just about remedying technology shortfalls, as many organizations believe. It’s also about securing, protecting, communicating and preparing corporations from disastrous impacts upon its workforce, facilities and its technologies – To minimize the impact on operations. BCM touches every aspect of an organization from the mailroom, the field and the call centre to the manufacturing floor and right up to the boardroom.

To make your program effective, consider some of the following suggestions when planning:

1. Start With the Worst – Begin the planning with the worst-case situation your organization can imagine. For many, this example is the tragic events of September 11, 2001. Work backwards from there and you’ll start to fill in many of the dangers that can harm your corporation. You’ll also be able to start challenging the worst case situation and begin to get more inventive with potential impacts – and develop the plan accordingly.

2. 3 Pillars of a Business Continuity Plan (BCP) – Every BCP plan must address three things; Workforce Availability, Facility Availability and Technology Availability. If each plan has these three core components, an organization can respond to any disaster situation and expand their capabilities by adding varying situations and scenarios through validation exercises.

3. Dedicated Resource – Assign a person with the appropriate training and authority to get things done, if not, the program will quickly fall to the wayside in favour of other initiatives. This may include getting outside help to get the process kick-started (i.e. consultants, contactors etc).

4. BCM Program vs. BCM Project – The BCM program must live on and continually meet the needs of an organization, as it grows and changes; so to must the BCM program. A project has an end date but a program must live and breathe and contain more than just a single aspect of BCM. Therefore, when the Business Impact Analysis (BIA) is completed, that’s just one ‘project’ of the overall BCM program; you’ve got lots more to get through and develop.

5. Exercising/Testing – Plans mean nothing if they haven’t been validated. Every organization must exercise its plans to make sure they’ll work during a disaster. It’s better to find gaps in your plans through exercising and under controlled circumstances rather than when the real thing happens.

6. Executive Support – If no one is there to champion the BCM program, it won’t last too long. In fact, there’s a good chance it will run out of steam and end up on the backburner of boardroom discussions. Having executive support shows the rest of the organization that BCM is taken seriously.

7. Awareness & Training – It can take a long time to develop continuity plans and create processes and procedures but if no one knows how to use them, where they’re kept or under what circumstances they’re required, they won’t be of any value or use. Remember, awareness and training are not the same things and every level of the organization must received its fair share of both if the program (and all the developed plans and processes) are to be useful and successful.

8. Focus on People – This should be a no brainer; BCM is about people. It’s people that build the plans, use the plans, review and exercise the plans. It’s people that will be impacted by not having plans in place; clients, vendors, employees and communities. If you state that technology availability is the most important part, you’ve basically told those individuals – who you need to help build plans – that they aren’t important. Keep in mind; people first.

9. Business Impact Analysis (BIA) – Every company must understand what it does and how it does it. A BIA is the process of analysing business functions and the effect that a disruption might have upon them. Knowing this will help corporations develop appropriate Business Continuity Plans (BCP) and other contingency strategies. Ensure you get agreement on the findings, don’t just state what they are and move forward. The findings from a BIA are what the attendees believe is important and it could turn out that what they feel is important to the company is not what executives believe is important. Make sure executives are in agreement with the findings before you start developing restoration and recovery plans – you could be way off the mark.

10. Program Maintenance and Monitoring – If program components aren’t maintained and updated the Business Continuity strategies developed – and the related documentation – will reflect the corporation as it once was, not as it current is.

11. Bonus: Using Software Only – Software can be very beneficial for maintaining and gathering information but beware, it doesn’t take into account the nuances of people or scenarios specifics. It may tell you that you need 10 desktops in 24 hours but the situation itself may call for something completely different based on what has occurred. Don’t fall into the trap that DR/BC software will answer all your questions and save you; it’s a tool to help you.

Having a BCM program in place is a part of an organizations Corporate Social Responsibility (CSR) but there are other benefits to implementing a program. First, your organization will have the security in knowing a robust plan is in place to deal with disasters, providing safety and security for all employees. Second, a proper BCM program will provide a competitive advantage. Those organizations will strong programs win out over organizations that don’t have BCM plans in place because there is knowledge that your organization will have developed a way to provide a product or service even during a disaster.

It’s not easy building a BCM program; it can be tough to develop, implement and maintain but it will only take a single crisis or disaster to prove its worth. A single crisis or disaster can be one too many. Are you prepared?
© StoneRoad (2013)

Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, available at,,

BCM document templates available in the ‘shop’ section at

The 6 “C’s” of Crisis Management & Communications

While in China I had an interesting conversation with a gentleman from China (he spoke English).  Our main topic was Emergency Management but as we conversed, he kept making note of a few things related to Crisis Management and each one seemed to begin with the letter “C”.  I don’t know if it was something that was intentional or if it was something that was just coming across due to the language difficulties between us, which I didn’t find that difficult by the way.  Anyway, I thought I’d make note of them and provide a description of what he was getting across.

In every crisis, disaster or emergency situation, which he was defining as a larger community based disaster such as an earthquake (hey, he was part of the Great Sichuan Earthquake of 2008, China).  Listening to him was fascinating, as he was actually there and a part of the recovery and coordination efforts related to the massive Chinese earthquake that killed 10’s of thousands – if not more.  So here are the 6 C’s of Crisis Management – and I haven’t put them in any specific order in case you’re wondering…

  1. Contain – First, get a grip on the situation and don’t let it spread any further and do any more damage that it already has.  I guess a good example of his would be a fire and how fire fighters contain a blaze.  Even firefighters fighting brush fires burn a perimeter (a controlled burn) to ensure the fire stays contained within a certain area.  I know some of you will have experience on this disaster, so feel free to add details on how that’s done.  It’s in every organization’s best interest to ensure that a situation doesn’t get out of control – so contain it and don’t let the situation spread.
  2. Control – Take charge of the situation and don’t wait for it to play out in front of you – it could be too late.  If an organization doesn’t take control of the situation – through media and its Crisis Team structure – someone or something else will take control of it for you.  For instance, if there’s no media represented updates on the situation, then speculation and rumour will begin to run rampant. Try then to gain control of the situation – it will be next to impossible because the media (bless ‘em) will begin to make its own assumptions and presentation on what the situation is.  You’ll be fighting two fires now; the situation itself and the possible misrepresentation in the media.  Take command of the situation.
  3. Command – This referred to the various components and members of the Crisis Team and Crisis Team structures (I.e. Disaster Teams).  Take charge of the situation (…is that another “C”?) and ensure that you’re on top of things.  You can even be on top of things if you don’t have the full scale and scope of the situation yet.  You do this by taking command and having proper protocols – that have been rehearsed and validated – that everyone understands and utilizes to ensure the situation is under control.  It outlines proper roles and responsibilities that team members follow to allow proper response, crisis management, restoration and recovery efforts to be initiated.
  4. Continue – This is what you want most for you business operations, right?  After any disaster or crisis, you want to be able to continue your operations one way or another and usually the sooner the better.  The longer you’re out the greater the impact will be on your bottom line, community, shareholders, clients and employees.  All your plans and procedures should be in place not just to address and manage the crisis but to allow your operations to continue.  Managing a crisis effectively doesn’t mean your business will continue.  Business Continuity will work when the crisis is being managed effectively, if not, you’re going to end up diverting resources to ‘fire fighting’ rather than ensuring the business continues.  They go together and if you don’t have one without the other, it’s like walking a straight line while jumping on a pogo stick cross-eyed. 
  5. Communicate – Communicate quickly, often and effectively.   You’ve got more audiences that you think you have and they will all need to be addressed.  The Board of Directors will be seeking different levels of information than what the public is seeking, which is different than what your employees need.  Don’t just spit out generic comments and expect everyone to understand it.   Not every message is received the same way – and if you’ve got different people delivering the message, then you can expect differences in delivery as well.  What ever you do, don’t say “No comment” or “Off the Record”  – that’s just asking for trouble.  There’s not such thing as off the record – not in today’s world of technology and if you say ‘no comment’ it’s interpreted as something is being hidden.  If media – or anyone for that matter – thinks your hiding something or lying, you’re going to be “guilty” in the eyes of everyone who heard the message.  And those that didn’t hear it, will read and see it on the news.  Refer back to the comments in #2. 
  6. Care – Show you care about people, especially those impacted by the situation. This includes your employees.  Often, corporations will talk about the impact on customers and clients but forget the employees. Wouldn’t that make employees feel they aren’t cared for?  After all, they are the ones closest to, and the first ones influenced, by the situation (assuming an internal fire or other crisis).  I read recently a great article that said, speak and communicate to people’s emotions and how they see the disaster, not how you – the organization – sees it.  You have a better chance of controlling and containing situation is you speak the hearts and minds of people rather than to the pocketbooks of shareholders and bank managers, or worse, speak as you’re the victim.  

 I liked what he had to say overall and was busy in the back of my mind comparing his thoughts and comments to BCM and how he was also describing the crisis management component of BCM.  I know his perspective was large grander but the principles were all the same. I could go on and on into more detail but I have a 2nd and 3rd book to complete first – maybe this topic will make it on the list of other items to write about (I’ve a list of 11 books so far…).

 I think I should add that after our discussion he was presenting at the conference I was attending in Beijing (The International Emergency Management Society – TIEMS) and he only seemed to make note of 4 C’s.  But then again I was listening to his speech through a translator and he may have said all 6 from our discussion but the translator may have missed it.  May be the 2 C’s were ‘Lost in Translation’ ha ha 


The new book by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.” Available at **

12 Things NOT to Include in Your BCM / DR Plan

When disaster – or a crises – strikes, organizations must be able to refer to a plan to help guide them through the tasks they need to consider executing to respond, restore and recover, systems and operations. All to often when a BCM / DR plan is pulled off the shelf or printed from a file, one ends up with a document that is huge in nature and breadth though rather slim and small in usable content.

This is because many organization put everything they can think of into their BCM/DR plans, which more times that naught, overshadows the actual content needed to be followed; the stuff that provides the detail on what to do. A BCM / DR plan should be action oriented not full of irrelevant information; irrelevant at the time of disaster, not irrelevant to the overall program.

I tend to follow a specific rule of thumb that says if there aren’t action items listed by Page 5, then it’s not an action oriented plan. It might address audit concerns, legal arguments and executive expectations but for the user – the one executing activities – it doesn’t address what they need and doesn’t provide it in a clear and concise manner.

So, noted below are a dozen things that shouldn’t be in your BCM / DR plan; the plan needed by users. It doesn’t mean that some of these things aren’t available in another document; an over-arching BCM program document.

1. Distribution Lists (Program Level): You can keep these separate, as names and positions will change constantly. It’s better to keep this separate, as it offers no value to the action plan.

2. Methodology Utilized: Sure you have a documented strategy for how you’re going to develop the program – and plans – but again, there’s no reason to have this in the plans themselves. It just adds more useless information to the plan and isn’t relevant when activities need to be executed.

3. Program Assumptions: You may have some assumptions related to the plan and they should only be those attributed to the plan. Program level assumptions should be kept separate and in a program document – not a plan.

4. Meetings / Schedules / Attendees: Who really needs to know who attended a meeting(s) in the past? No one that’s executing activities needs to know this. You may need to keep track of meeting attendees during the disasters, but not those planning meetings. They can be kept separately.

5. Maintenance Schedule (Program Level): How you monitor and maintain the various plans should be kept in a central location and kept at the program level. Can you imagine the confusion you’d have if you kept this type on information in every single plan? Repetition all over the place and most of it out of sync.

6. Names: The names of individuals change constantly due to new hires, those that leave their position and those that are promoted. Try to use position titles whenever possible – it’ll make it easier.

7. Document Audience: This is like the distribution lists and should be kept separate – if it’s even needed. The audience for an action-oriented plan should be anyone in the organization because you never know who has to pick it up and use it.   Keep in mind, the audience isn’t always the same group that has a copy of the plan.

8. BCM / DR Program Descriptors: You can define the program in a program document but don’t redefine it for a plan.

9. Document Approvals / Signoffs: For audit purposes, it’s always a good idea to keep track of signoffs in a separate document.

10. Project Management / Definition: Just like ‘Methodology’ you don’t need to define how you created the plan. That information can be kept separately in a program document or a document that outlines how plans were to be developed. Incorporating it into the plan itself is unnecessary fluff used only to increase the page count.

11. Reporting Mechanisms: Only those reporting mechanisms that are needed to execute the plan should be in the document. There shouldn’t be the overall reporting strategy in a document that details how to rebuild the mainframe.

12. Program Overview: If you have a plan that details how to vacate the facility due to a fire, do you really need pages and pages that describe how the rest of the program operates and what other functions are part of the program? No. What you do need though is to ensure that there is a link to the next stage of the program – the next plan – that needs to be activated/executed because of the disaster.

13. (BONUS) Test and exercise results and documentation.  This information is still good to have but it’s not relevant when a plan needs to be activated and followed.  it’s just extra fluff that hides the information users really need in their documents.  Keep your test and exercise results in documents related to tests.  Test information isn’t action-oriented and won’t help anyone in a disaster.

The larger the plan (document) the harder it is to follow and the longer it’ll take people to find what steps they need to execute / implement. If the document is kept action-oriented, then the fluff materials aren’t needed. All the fluff can be kept in a separate document at the program level so that its kept for audit and regulatory purposes – where applicable – and the plan can be better followed and utilized during a real disaster. Just remember, the KISS principle (and I don’t mean Gene Simmons here): Keep It Simple Stupid!
© StoneRoad (Stone Road Inc) 2013

“Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”
by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3
Available at, &

10 Questions to Ask Your Partners/Suppliers about BCM / DR

Organizations do not work in isolation; they require suppliers, vendors, partners and clients/customers. Without any of these and organization cannot – and does not – operate. Even an organization that might be the only provider of a service or product still needs someone to provide it raw materials before it can sell them to vendors and clients. Thus, if any supplier or vendor – either upstream or downstream – experiences an outage, the organization will begin to suffer as well. For example, when Toyota experienced a disaster due to the Japanese Earthquake and resulting tsunami, many manufacturing plants around the globe later experienced issues. They had to cut back shifts or in some business instances, the business had to close for a short time until supplies from Japan could be received once more.

The disaster may have been present in one part of the world but its impact was felt around the globe. As a result, it’s important for all organizations to understand what to do when one – or more – of their partners experience a disaster. It’s not an organizations responsibility to tell another what to do during a disaster (meaning, documenting a plan for them) but it is every organizations responsibility to understand the basics of what they need to do when a partner is operating in disaster mode?

Do you continue to operate? Do you temporarily stop making a product? Do you ship your product to a temporary location or stop shipping altogether? Do you want your vendors and partners to do – or not do – something specific when you have a disaster? Expectations must be understood by all parties involved when it comes to disasters. In fact, sometimes having a well documented and validated BCM / DR program can make all the difference to whether an organization chooses a specific vendor over another. Here are some basic questions you can ask a potential vendor or supplier.

1. Do you have a Business Continuity / Disaster Plan (or program) in place?
2. Have you ever experienced a major business disruption and how did you handle it?
3. What where the long term impacts to your organization?
4. Do you validate your BCP / DR plans on a regular basis?
5. Do you have dedicated resources (with assigned roles & responsibilities) to address disruptions (incidents, crises, disasters) when they occur?
6. Do you provide financial support to your BCM / DR program?
7. Do you have Senior Management / Executive support and sponsorship for you BCM / DR program?
8. What is your basic response, restoration and recovery strategy? (Note: They may be reluctant to provide details, which one would expect, though they should be able to provide a high-level overview of what steps they would execute if a disaster occurs.)
9. Do you review (validate) your BCM / DR requirements on a regular basis?
10. What makes your program better than your competitors?
11. Bonus Question: How do you manage change in your organization and does BCM / DR reflect those changes?

Depending on the nature of your operation and the responses to the questions above, you will probably have follow up questions that need asking. Be very weary of anyone who tends to downplay the importance of BCM / DR and corporate resiliency because if they aren’t providing you information that makes you comfortable just think what it’ll be like when a disaster occurs. Remember, they may be the one’s experiencing a disaster but it’s still could have a significant impact upon you.
© StoneRoad (Stone Road Inc) 2013

“Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”
by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3
Available at, &

StoneRoad Announces New Document Templates to Help Your BCM / DR Program!!

StoneRoad is happy to announce that we now have more BCM / DR document templates available for purchase from our shop at  We’ve said it before and we’ll say it again; everything we do is to help you and your corporation move forward with your Business Continuity / Disaster Planning programs.  To help with that, we’ve now got the following document templates available:

a) Business Impact Analysis (BIA)   

b) BCM/DR Test-Exercise Scope Template    

c) BCM/DR Test-Exercise Project Change Template    

d) Operating Unit Business Continuity Plan (BCP) Template     

Each comes with built in ‘how-to’ notes so that you can work your way through the documents and help build your program.  Each is build in a modular format so you can either copy/paste components when you need more room or delete components when you don’t.

We’re working on more templates for 2013…so we’ve only just begun to give you tools you need.

Check things out at

Happy planning!
The StoneRoad Team

Risk and Issue Management in BCM / DR Programs

Let’s face it, there’s some level of risk in everything we do.  We work to ensure that the risks never come to pass by mitigating them and monitoring situations.  If the situation escalates maybe our risk becomes an actual issue.  This is true for when we build our BCM/DR programs as well.  As we work at developing our plans and processes, we run the risk of collecting and incorporating the wrong information or missing information altogether, which only impacts our BCM/DR plans and processes.

To keep on track, not only are we to ensure we’ve got all the necessary components but we must manage the risks and issues that crop up during our planning, development and execution phases.  Regardless of what BCM/DR methodology you subscribe to – and some don’t subscribe to any one in particular, they just take the best from every methodology and utilize those components – risk and issue management is key to ensuring you stay on track with your schedule, budget, scope and resources.

So how do we manage our risks and issues?  What even distinguishes a risk from an issue?  Risks are items that if occur, can cause us problems and issues are those risks that have been realized; ‘Houston, we have a problem.’

Understanding how to manage your risks and issues will take you a long way and will – in the end – make your BCM/DR planning road much smoother.  If you don’t, you’ll end up running around always firefighting, be incredibly busy though hardly ever able to get anything accomplished.

Let’s look at what risks and issues really are, how to manage and track them and some tools you can leverage to ensure your BCM/DR program keeps moving forward and not tripping over everything on its path.

  1. Decision Log:  Log any decisions that are made on your project.  For example, why you won’t be performing a Risk Analysis or why you decided to build an internal Technology  Recovery strategy rather than using an external strategy (i.e. 3rd  party vendor).
  2. Risks:  Risks are items that have the potential to impact  your project either by resources, schedule or budget.  In project management terms that’s called the triple constraint.  It doesn’t mean that it’s a guarantee they will occur but that there is the potential of them occurring and hampering your work.  An example could be the availability of a Single Point of Knowledge (SPoK) that is assigned to too many initiatives and doesn’t have sufficient time to spend with you.  As a result, the schedule will be impacted.  By the way, when you document a risk make it an “If / Then” statement: IF ‘x’ occurs THEN  ‘Y’ will be impacted.  Follow that up with a mitigation strategy on how you’ll try to mitigate the risk from      ever occurring and give some specific checkpoint dates to go with your  strategy.  It could come down to something simple such as reviewing ‘x’ on a bi-weekly basis to ensure things are on track and the risk isn’t escalating in probability…and severity.  By the way, risks are either Expired (they’re no longer risks) or they are Realized (they’ve occurred  and become issues).
  3. Critical Risks:  In simple terms, they are risks that have  a very highly likelihood of occurring but haven’t occurred yet.  Usually, when a risk is escalated to a critical risk the mitigation strategies kick in rather quickly and everyone rallies together to ensure it doesn’t become an issue.
  4. Issues:  An issue is a risk (critical and  non-critical) that has occurred and is impacting your project / BCM program.  Each issue must have some  level of devised action plan in place so that the issue is resolved and the roadblock is removed from what you’re trying to accomplish.

Managing risks and issues is vital to ensuring your BCM project success and this goes for all phases of the project, not just the initial phases.  We work in an industry where we state that ‘anything can happen’ and that is true for projects as well; it can be derailed at anytime by anything.

Often, we’re aware that something could hinder our progress but we don’t properly monitor it to ensure it doesn’t become an issue for us.  With disasters, we monitor the coming storm (i.e. hurricanes…) but we don’t monitor the coming storm that can be something like a change in technology strategy, which might have an impact on the overall TRP strategy we’re putting together.  So monitor the risks and issues or else you might find yourself in trouble.

© StoneRoad


Check out for details.


 “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”

by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3

Available at, &