The April 19/18 show continues from where Part I of “The Challenges of BCM/DR Programs” left off. Join us and see if you’re encountering the same challenges.
The StoneRoad Team
The April 19/18 show continues from where Part I of “The Challenges of BCM/DR Programs” left off. Join us and see if you’re encountering the same challenges.
The StoneRoad Team
No matter the industry, the size of your organization, or the location(s) of your business, Business Continuity Management (BCM) and Disaster Recovery (DR) programs always seem to experience a common set of challenges. Drawing from 20+ years of experience, Alex Fullick will discuss these many challenges that seem to transcend industry and location – and which seem to appear at one time or another – in every BCM/DR program. Listen in to hear why some of these challenges occur and how to deal with them when you begin to encounter the same issues in your program.
The StoneRoad Team
Having been a part of dozens of test to varying size and scales, I’ve come across quite a few instances where planners – including myself at times – forget to consider when organizing a BCM / DR test. I thought I’d come up with ten (10) areas that have at some point, been a fly in the ointment of test coordinators and caused issues further down the road and on one occasion, at the moment the test was scheduled to begin.
1. Production Priorities – Believe it or not, once everyone was so focused on testing they forgot to ensure that someone was left to support any production issues. While testing activities were underway, all members of a department were focused on ensuring that the test went well that no one was monitoring a production issue, which needless to say, caused allot of grief for business units. Don’t forget that even when you’re testing BCM/DR capabilities, you’re production environments are still ‘live’.
2. Test Strategy – Know ahead of time what strategy you’re going to leverage for testing purposes and ensure its communicated and agreed-to by everyone involved or else different groups will be working in isolation and not working towards the same thing.
3. Managing Scope – Keep people on track during planning and execution. If no one is clear on scope then the activities they plan and execute might not achieve the goals you’ve set. It also means that even though they might perform tasks successfully and everyone is happy, you still didn’t get what you originally planned for. It’s like being given a bicycle to get from A to B when you originally asked for a pickup truck. Sure you got to where you’re going but the goal was the truck. Did you really achieve your goal and scope if the scope and goal was to get from A to B with a truck? Nope, you didn’t.
4. Resource Assignment – When user activities are required it has been assumed the people needed will be available but often the department responsible for the resources are never approached about being part of the test and when they are, it’s too late because people are working on other initiatives. So make sure you speak with other teams early so that resources can be aligned early.
5. Change Management / Requests – This is relate to the scope; if you’re changing something – even times, dates etc – make sure everyone knows about it and that you document the desired change. Using the previous example about the bicycle and truck; it may have been a great idea to change the truck to the bicycle and it still worked for you however, the scope was the truck and there was no formal mention of changing it to the bicycle. If you’d managed it correctly and documented the fact you were going to use a bicycle, then it would have been known by everyone that the truck is ‘out’ and the bike was ‘in’ and everything would be a success.
6. Agreement – When you have key decisions made or need key decisions to be made, ensure you have agreement on the final outcome. It could be that if you make decisions without consulting impacted parties, they won’t support what you’ve determined and will continue on their original path. This only means confusion and failure further down the road. Keep everyone on the same page and part of the decision making process; if even as an FYI in some cases.
7. Documentation – Make sure you document all aspects of the test; most notably scope and goals and objectives. If you don’t who do you know you met them? You won’t even be able to talk to audit and prove you did what you set out to do because you don’t have anything that captures what you originally set out to do and quite possibly, nothing that sums up what you actually did (a test summary document).
8. Focus on Test Planning Rather Than Planning the Test – Try not to get far off the path here. It’s one thing to ensure you plan the test so that it doesn’t impact production systems or other critical aspects and it’s another to set up the test in a way that it has no relevance and doesn’t reflect what you’d actually do in a real situation. If that happens, you really aren’t testing anything. You need to know where the gaps are in the plans and that they’ll work in a real situation.
9. Test Timelines – Estimate activity sequences and schedule accordingly. If it takes 24 hours to get a mainframe up and running – from scratch – then have end users come in at the same time as the main frame team would be ridiculous, as they’d be sitting around for an entire day before they can do anything. That won’t make them happy.
10. Test Schedule – Plan ahead. When planning efforts are underway to schedule major initiatives over the next year or so, make sure that testing is part of that planning effort. This ensure that departments are aware of the test ahead of schedule and that they are able to plan for that initiative. Also, if you have 3rd party DR vendors involved, you often have no choice but to schedule test time a year in advance or run the risk of not having any time available to test, as the vendors other clients will take up all the available time.
Some of this may seem obvious but you’d be surprised how often the simply things can derail a test. Keep in mind the little things and you’ll have a great chance of success. Remember, if you have the most luxurious car in the world, it does nothing if you don’t have the key.
© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”
Many organizations can build comprehensive BCM program and plans; detailing every action and activity needed to ensure the continued operation of an organization when a disaster strikes. However, even the most comprehensive program and plan can still suffer greatly when they are needed the most because many organizations’ DR team and team members forget what it is they are supposed to do.
There are many reasons for that. Sudden changes in environment can throw people for a loop, as the situation throws chaos into their normal day and it’s easy for people to forget what to do when they are required to do it. Sometimes the reason for plan activities or action items being forgotten occur even before the disaster situation makes itself known.
Below are some of the reasons why people – and organizations – forget their activities before and during a disaster.
1. No Executive Support: It’s easy to forget some initiative within an organization when even the executive leadership don’t support it. After all, if they don’t care for something, why should anyone else? It’s that simple, without executive support people will quickly forget that there is BCM or DR program in place for when a disaster occurs. Even executives will wonder where it is and believe it or not, even without their support having played a part in its development (if at all) will wonder why no one knows what’s going on and why people aren’t performing tasks.
2. No Leadership: Continuing on from #1, people want leadership during a disaster; they believe that those responsible for the organization in good times, is also responsible for the organization during bad times and will provide guidance and leadership on what needs to be done when a disaster occurs. If there is no one taking responsibility for the disaster, then people are left hanging – wondering what to do. This doesn’t mean the leader or coordinator of the response functions is responsible for the disaster, it means they are taking the responsibility to lead the organization resulting of the disaster. Even if employees and members of various DR teams are aware of their activities, they are still looking at the organizations leadership to provide direction and provide answers to any key questions that may come up as a result of specific situations discovered based on the disaster. If executives and/or senior management aren’t part of the decision making process and part of the BCM program, they won’t know what to do or what is expected of them. The executives themselves won’t be aware of the DR/BCM team makeup or what any of the program protocols are. They could end up trying to lead the organization through the disaster, blind.
3. No Plans: One of the biggest reasons people will stand around wondering what to do is that there isn’t a plan – even a bad one – in place for them to activate, reference and follow. In a nutshell, the organization has done nothing to promote any sort of disaster response or planning mechanisms and when disaster strikes, there is no know prioritization of what needs to be activated. All the responses are made up on the spot, which could pose even more problems for the organization. It’s like a jigsaw puzzle; you don’t start putting the pieces together until you know the picture (or at least most people don’t) and you can’t rebuild a corporation after a disaster when you don’t even know what pieces you need first to rebuild it. No plans in place can mean the end of the organization, as it will take too long to figure out what is priority between the business and technology and getting the two to agree to a restoration, recovery and resumption strategy. You can’t ‘wing’ it in a disaster…
4. No Delegation of Authority: It’s often quite comical when someone is required to perform BCM activities, as captured in a DR/BCP or crisis management plan but they aren’t give the authority to do so. This can mean they don’t have the delegation of authority to make decisions or provide guidance to others or they don’t have the IDs and/or passwords to perform functions. It’s like giving someone a car and telling them it is all paid for and its there for as long as they want it but not giving them the key. This is one thing that stops many organizations from performing activities; people don’t have the authority to do anything and thus, they are waiting for direction from others when in fact they are the ones who are supposed to be providing the direction. If someone doesn’t have the right authority to perform activities, they will be a roadblock to other activities and many groups may be standing and waiting around for guidance and information. And further on the point of IDs and passwords; often this information is created and placed in a secure location that people forget about. Rarely are they reviewed and updated and even remembered because they are placed in an online folder, which is no longer available because technology has failed. These IDs and passwords are for use only during a disaster so they rarely get reviewed. These should be part of an annual (at least) review to ensure the people remember where they are and what they are – and remember that these are probably powerful IDs and passwords and only a few key people should know about them to start with. If someone leaves the organization, make sure you change the passwords and remove their ID just in case. When you test, try activities using these profiles to ensure that they are current and validated; that required activities can be performed using these ‘generic’ IDs and passwords but are amended after the test so they are fresh and those using them – the users – can’t use them during normal business hours.
5. No Testing/Validation: If validation activities are not performed, then how can anyone know exactly what to do? Testing is a form of training and training will help people identify their roles and build BCM plans and processes. When testing, start off small and then build upon successes – and upon problems – so that the program becomes stronger and stronger. If no one participates in test then no one has the opportunity to practice their roles and areas of responsibility; they then need someone to remind them or provide guidance to them as to what to do. Also, if you only test once or rarely, people will forget what they need to do and where their materials are located.
6. Assumptions: A key reason many stand around not knowing what to do, or forgetting what they need to do, is related back to the assumptions made during the initial stages of building and implementing plans and processes. All too often non-technology departments (i.e. “the business”) will make assumptions about technology departments (i.e. “IT”) but without ever validating that the assumptions are correct; sometimes never even letting the other know that an assumption has even been made. From personal experience, there have been too many instances where one side of the other states that ‘IT/business knows x or y…’ or that ‘IT/business will do…’ and it almost never proves to be true. Both teams end up confused not knowing what to do because they are waiting on the other for information or they are assuming that something is occurring while they’re just waiting for some confirmation that an activity is done. In reality, everyone is standing around not knowing what to do or who to even talk to. If you’re using assumption in your initial planning, through exercises and tests, the amount of assumptions being used should dwindle over time as they either become actual roles within a plan/process or become proven to be false and are removed from a plan/process.
7. No Awareness & Training: It’s a simple one really; no one knows what to do in a disaster because no one has told them about it. They haven’t been part of the overall program build or design (not that everyone needs to be part of every phase) and haven’t been told they are responsible for specific activities. Often, DR team members don’t even know they are part of that team until someone asks what they are going to do in a meeting full of other managers – some not sure why they are their in the first place. This also means that they haven’t bee involved with any testing activities to help validate plans, which is one of the best opportunities for training; executing activities under controlled circumstances to actually learn what needs to be completed and understand expectations.
8. Plans and Processes are Written in Isolation: Sometimes its not even a case of forgetting what needs to be done, as outlined in a BCP/DR plan – it’s never being told of what is in the plan and not being part of its build. All to often plans are build in isolation meaning someone not within the department is writing its contents based on what they know and what they hear at meeting yet if the actual user isn’t part of that development or the person responsible for actioning activities isn’t part of the plans development, they aren’t going to know what activities they are responsible for. Ensure that all plans are written with the person or persons responsible for the plan itself; the person who’ll actually be responsible to action the activities within the plan.
9. No Review of Plans (by Users): One of the best ways to ensure that a BCP/DR plans everything it needs and that the content is clear and understood, is to ensure that its reviewed by the actual user. When they review existing plans, as noted in #8 above, they can recommend enhancements, additions or even deletions based on real knowledge of what needs to be done. If a plan was written in isolation and not review was performed by an actual user, it’s no wonder people don’t know what actions to take or even where their plans is – if they even know there is a plan in the first place. If no review of the plan is performed then the users themselves don’t become familiar with content and what is expected of them. Instead of initiating proactive measures they wait for someone to tell them what is expected and in many cases, those individuals are assuming that ‘plan’ users know what needs to be done.
10. Focus on Blame: When an organization has a disaster, often you see the Public Relations (PR) representative or the President stand in front of a microphone being questioned by members of the media – or even the public sometimes – and they spend allot of time pointing the finger of blame or trying to deflect any criticism or questioning on what the organization is doing. When employees see this, they will spend their time trying to find the cause of the problem or the ‘right one to blame’ rather than concentrating on a proper response, restoration and recovery strategy. All hands are on deck to find out what is wrong and who should be help responsible but if leadership is busy with that approach then employees will be too, as they won’t be focusing on the right tasks at hand. It ends up being a crutch that organizations leverage so that they can start their restoration and recovery activities in the background, away from the face of the media. Usually, this means they didn’t have any strategy in place to begin with and the excuse that someone else is to blame is used as a smokescreen to cover the fact that behind the scenes, no one knows what to do within the organization.
11. Checklist Approach: If BCM is checkbox on someone’s report, the chances are it’s a checkbox on an executive report. They eventually see the checkbox ticked and then there is no more discussion or promotion of the BCM initiatives. This also means that the only reason the program was stated in the first place was to ensure someone’s checkbox was ticked and that it drops off of any report or audit ticket. Chances are good that the work and value of the work performed to plan, develop and execute plans was minimal at best and won’t be of much use during a real situation. Thus, no one will pay close attention to the BCM program and the related plans because it’s treated as a one-time thing – forgotten when the checkbox is identified as complete.
12. Seeking Direction: Like many people, when something occurs everyone looks around for direction; who will take control of the situation and tell us what to do? Staff will look to management while management is looking at executives; each expecting the other to provide direction on what they should – or shouldn’t – be doing. Think of when a fire alarm goes off in a facility – even a fire drill – most people keep working or start asking if it’s a real situation or not. Should be get up? Should we leave? Many wait to be told to leave before they bother responding to the alarms. If people can’t understand that they need to leave when the fire alarms go off its no wonder they don’t understand their role when a disaster strikes. Everyone is seeking direction from someone else.
Finally, panic is something that can run rampant during a disaster. When that happens, any thought of gaining control of the situation can go out the window and there’s no way anyone is going to pay attention to their role on a disaster team when that happens. This is why many of the items noted above need to be addressed prior to any situation occurring. When people are more aware of what to do and have been through it a few times – each more challenging than the last – they are better prepared to deal with the situation when it’s real – not faked under controlled circumstances, as it is usually done during a test. There will still be an element of panic – it’s almost a given – but putting measures in place to deal with it ahead of time can help reduce its impact and increase the chances considerably that no one will be standing around wondering what to do; they won’t forget.
© StoneRoad (Stone Road Inc) 2013
Check out our revamped shop at http://www.stone-road.com. We’ve added lots of new document templates to help get your new BCM / DR program off the ground – with more on the way. Each comes with built-in instructions so you don’t need to try and figure it all out on your own. You can even manipulate the templates if you want to so they address your specific need. Our goal is to show you ‘how’ to do things not just tell you ‘what’ you need to do.
Here’s a sample list of what we’ve got so far:
1 – Test-Exercise Project Change Request Template – $9.99
2 – Test-Exercise Scope Statement (Charter) – $29.99
3 – Test-Exercise Executive Summary – $29.99
4 – Operating Unit Business Continuity Plan (BCP) – $79.99
5 – Business Impact Analysis (BIA) (This one along can cost thousands for a software application.) – $79.99
1 – Employee Logistics Plan – $tbd
2 – BCM/DR Program Policy Template – $tbd
3 – BCM / DR Program Overview (As a bonus, this will include the Policy template) – $tbd
If there’s something specific you’re looking for, send us an email. We’ve got lots in our arsenal and alwasy building new templates so we may just have what you need and just haven’t gotten around to getting it up on the site. We can always build something for you. You can reach us at firstname.lastname@example.org.
StoneRoad: Reducing Corporate Suffering Through Continuity Planning.
The StoneRoad Team
StoneRoad 2013 (C)
We’d like to give you a friendly reminder that if you’re attending the Australian & New Zealand Disaster and Emergency Management Conference in Brisbane, Australia (May 28-30, 2013), StoneRoad founder A.Alex Fullick will be presenting the topic “Heads in the Sand: What Stops Corporations from Seeing Business Continuity as a Social Responsibilty” on Wednesday, May 29, 2013. If you’re in the neighbourhood stop by; you’re sure to hear a great presentation.
StoneRoad 2013 (R)
When financial hardships strike an organization, the Business Continuity program usually takes a hit. In fact, often it will take a hit when times are good so that the corporation can focus on other initiatives; initiatives designed to build upon the good times and keep the company making money. Increase that revenue, YEAH!! When this occurs, resources get reassigned to other projects and the BCM program gets placed on the back burner or it will see resources funnelled away to support other initiatives.
What kind of things do organizations cut from their budgets that can undermine and slowly dismantle a BCM program? Here’s just a short list of some of the actions corporations will take in diverting BCM intended resources.
1. Training – Training is suspended because sending employees on courses to upgrade and keep skills current is deemed as being too costly, especially if travel and accommodation is required. This training also helps to bring new ideas to the organization on how to better their programs but at the same time many executives (or those that approve BCM training) will simply state that the corporation knows what it would do. Thus, additional training isn’t required. Or worse, they send BCM people on courses that have nothing to do with their role.
2. Tests / Exercises – Some BCM tests get cancelled because they take resources away from other initiatives that are deemed a higher priority. Not exercising – and validating – plans and policies can cause issues with recovery procedures when a real disaster occurs because they haven’t been validated and team members have not practiced what they need to do. Also, some believe that if you’ve exercised once before, that’s all you need to do. You did it so you don’t need to do it again. Wrong! The more practice and progressively challenging you make the exercises the more robust the plans and policies become – and the better you’ll be able to respond and recover when disaster strikes.
3. Business Impact Analysis (BIA) – An organization will choose to skip updating the BIA and utilize previous findings assuming that nothing has changed, which is rarely the case. If nothing changed – ever – then there would be no such thing as projects. Projects drive change; from technology to processes. When projects are implemented it will change existing processes, introduce new ones or cancel some others. All this must be captured in the BIA and then carried over to the appropriate plans (i.e. contingency plans, crisis mgmt, technology recovery etc). Remember, ‘change is constant’ and the BIA should be able to capture those changes and then funnel them through to the right areas of the program so it reflects the organization as it is now – not as it once was.
4. BCM Awareness Program – Awareness weeks or sessions, assuming your organization has them, are cancelled to concentrate on other initiatives or because management don’t want to put a ‘scare’ into employees. Most employees I’ve ever worked with have said they would like to know what is expected of them in a disaster; keeping it from them is not a good idea. You’re really harming yourself and the business in the end. Some of the best ideas will come from involving people and keeping them up to date on progress. To put this in perspective, I was told by a Senior Director of a client that they would be making a poster of a specific announcement and hang it up around the office. “Everyone will see it and know of it and we’ll make sure it’s updated as needed”” they said. I guess they didn’t notice that just outside this director’s office were 3 posters; 1 was no longer relevant for the last year and the 2nd poster had a due date on it that was just over 2 years. Hmm, I wonder if those were supposed to be updated too.
5. Maintenance Initiatives – Business Continuity Plans (BCP) or other BCM components don’t get updated, which means that the best any BCM program can do – when not having been maintained – is take the organization back to the state of services and systems at the last time of updating. This is very specific when it comes to Technology Recovery Plans, which if not updated will only bring back systems that could reflect the structure of the company three year prior – assuming maintenance hasn’t been performed for three years. It could end up costing a corporation more money to purchase software and hardware to help bring the recovered systems to more updated levels. This can also increase the time it takes to recovery causing additional delays in getting operations running again. Also, there nothing worse that trying to find someone through call trees or notification applications (or whatever method is used) only to find that they changed numbers and now you can’t find one of the key people you need to help get restoration and recovery efforts started.
6. BCM Support / Investment – Investment in BCM is reduced or halted. This would include future initiatives such as building a new data centre, upgrading the backup tape systems, renewing key components of a Disaster Recovery (DR) vendor contract, or ensuring that a hot-site DR site (which can be internal) is linked to the main data centre to ensure that constant communication is kept between the two sites. Sometimes these initiatives are cut in favour of sticking with what is known for now (i.e. restore from tape), which can be detrimental if it takes 24 hours to restore from tape but certain systems and services need to be available and fully functional by the 8 hour mark. Just like an old car, the older it gets the harder it is to find anyone who has the skills and knowledge to fix the issues and the parts become scarcer and scarcer and the level of reliability on the car slowly begins to slide down the scale.
7. Organizational / IT Change Management: Nothing last forever or rather nothing stays the same forever; change in constant and the organization is constantly changing. If organizational change management (OCM) and IT change management aren’t incorporated or monitored by the BCM/DR team, plans will quickly become obsolete. They’ll only represent the organization as it was before the last change, assuming that while various BCM/DR program components were made, no changes ever occurred (and we know that isn’t true). So keep an eye out for change at all levels because if you don’t, you’re program will quickly fall out of step with the rest of the organization.
When any of these occur, the corporation begins to put itself in danger because what may have been a strong BCM program is now being scaled back and no longer receiving the focus it should have. When the corporation is growing and expanding during the good times, so too should the BCM program, otherwise if the corporation is hit with a disaster situation, it will have a program that only reflects the corporation before it expanded and implemented new initiatives. The corporations BCM program is only as good as the resources and the focus it receives from the top tier levels of the organization and the amount of respect it gets.
StoneRoad 2013 ®
Purchase books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, at the following locations:
http://www.amazon.com, http://www.stone-road.com/shop & http://www.volumesdirect.com.