Well, it doesn’t see like I’ll be quiet about the Ebola virus anytime soon. If you’ve been paying attention to the news you’ll see that Spain has had a few cases and has recently had a nurse test positive for the disease and she was wearing protective clothing. So, is what we have in place good enough? Do the ‘people that know’ actually know how to stop and confine the disease from spreading if the care workers are still catching it? Continue reading
All organizations with a Business Continuity Management (BCM) or Disaster Recovery (DR) program always strive to have their Business Continuity Plans (BCP) / Disaster Recovery Plans (DRP) in a state they can use: in a state they believe will cover them in any and all situations. They want their plans to at least cover the basic minimum so that they can be responsive to any situation. But if an organization takes its program – and related plans – seriously, then these plans are never fully complete.
For a plan to be truly viable and robust, it must be able to address as many possible situations as possible while at the same time must have the flexible enough to adapt to any potential unknown situations. If it’s ‘carved in stone’ it makes a bit tough to adapt the plan to the situation (the situation won’t adapt to your plan).
This flexibility – and it’s maintenance (which keeps the plan alive) – includes incorporating lessons learned captured from news headlines and then incorporating the potential new activities or considerations that may not be in the current BCM / DRP plan. These plans aren’t quick fixes or static responses to disasters; they are ‘living and breathing’ documents that need new information to grow and become robust. This is why they should never be considered as complete; as the organization grows and changes – and the circumstances surrounding the organization changes – so to must the BCM and DRP plans.
It’s like trying to pin a cloud to the sky; it can’t be done. A BCP / DRP plan can’t stand still; it must be flexible, adaptable and continue to grow.
Risk profiles and risk triggers will continue to change as the organization develops and implements its strategic and tactical goals and objectives – the BCM program and plans must be able to follow along to assist in ensuring the organization can respond to a situation that might take them off their strategic path. A good plan or program is not a destination, it’s really a desired state of being where plans and processes are nurtured to grow and expand – it’s not a plateau you reach and then stop.
So if you want the best BCP / DRP plans to address as many situations and scenarios as possible when your organization is hit by a disaster, understand that to ensure they do just that, don’t ever consider the plans complete. Think of them as an entity that needs to grow and needs attention, otherwise when you need your plans, they won’t be able to help you because they’d reflect contingencies and strategies that represent the company when the plan was first developed – which could be years earlier.
© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”
A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL | Director, Stone Road Inc. | 1-416-830-4632 | email@example.com
“Failure isn’t about falling down, failure is staying down…” – Marillion
There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.
Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture.
It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.
The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.
1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.
2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.
3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.
4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.
5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help
6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.
When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.
© StoneRoad 2014 (A.Alex Fullick)
The message about disasters, disaster planning and business continuity is slowly spreading throughout the globe, as we see more and more organizations beginning to realize the value of preparedness and response activities to protect their operations and instil confidence in those they do business with.
Here at StoneRoad, we’ve seen a spike in people asking us questions and seeking advice on Business Continuity Management (BCM) / Disaster Recovery Programs – and we couldn’t be happier.
So we’d like to remind you that there are some great books by our founder, Alex Fullick, that can help provide great insight into how a good program operates – and how it shouldn’t. The books noted below are available on Amazon.com and at our own shop over at www.stone-road.com.
Keep an eye out for the next book by A.Alex Fullick; “Testing Disaster and Business Continuity Plans” expected to launch in the fall of 2014.
Until then, happy planning!!
The StoneRoad Team
© 2014, Stone Road Inc.
In many organizations, executives and employees – and even auditors, will ask Business Continuity Management (BCM) / Disaster Recovery (DR) practitioners if they have plans for every situation possible; every potential risk and every potential impact to the organization. Considering that the number of risks that exist in the world today is basically infinite – once you calculate all the various potential impacts to an organization from a single event – there will be communication, restoration and recovery plans that just can’t be developed, documented, implemented, communicated, validated or maintained. It is impossible to have a response to every situation; the secret it to be able to adapt to the situation and leverage the response plans you do have to help adapt to the disaster situation.
Still, the questions will come about these plans and why a response isn’t captured for a particular situation and its resulting scenarios. A BCM/DR practitioner must be able to address these questions and be able to respond with reasons as to why specific plans don’t – and can’t – exist.
There are a few key reasons that practitioners must be able to communicate to those asking the questions and they are noted below.
1. Unknown Unknowns – In any situation – both disaster related and non-disaster related, will contain all sorts of details. One specific activity or item can have multiple responses depending on the details that come from the situation itself. For example, an earthquake can cause minor or major damage to an area but depending on where it occurs and when it occurs, the responses to the earthquake will be completely different.
2. Highly Improbably – Sometimes a risk to an organization is just so improbably that creating a plan for the situation would be futile and a waste of resources (time and people). For example, an organization with a facility in the middle of the Canadian prairies wouldn’t bother creating a disaster response plan to avalanches; it’s just so highly unlikely that it could ever happen. If an organization documents the probably risks – such as floods or snowstorms for that previously mentioned prairie location – it can adapt the plans that address the likely risks to those that are highly unlikely. New plans for unlikely activities would just distract from developing plans and processes that are really needed.
3. Changes in Assumptions – Assumptions are those things we believe to be true and they should be challenged continuously; especially through tests and exercises. However, if they aren’t challenged at some point then the continued planning and BCM/DR program development could be based on false information. For instance, if specific partners are expected to perform specific tasks for your organization when it experiences a disaster but they don’t know about them – or the tasks have changed and they’ve not been notified – your plans are going to out of sync with expectations and need. Plans are not build on assumptions but the detailed activities contained with them will be built by assumptions and they must be reviewed at all times.
4. Public Opinion / Perception – Public opinion can change with no warning; what the public may agree to in one situation they may not agree with in another situation- even when the details are relatively the same. All an organization can do is ensure it has a comprehensive Crisis Management and Communications Plan (CM&C) and those responsible for the plan understand how to communicate with the public and respond to the public. There is no way and organization can guess at what the public may believe and trying to determine every response plan to unknown perceptions would take eons to develop – something that an organization just can’t do.
5. External Directives – Depending on the scale of the situation, an organization may receive instructions from 3rd parties, such as the police or local governments. It’s never known what these groups may dictate to an organization, as it’s never known ahead of time what or when a disaster will occur. Thus, a plan can’t be developed to address the specifics of what to do based on directives received from external sources. However, if an organization has an established BCM/DR program with relevant plans and processes, it can adapt itself to the situation based on the impact to the organization itself. If an external source dictates a directive then the organization can take what it has in place and adapt itself. But a plan specific to communications that haven’t been provided – because a disaster hasn’t occurred yet – can’t be documented.
© StoneRoad 2014
A.Alex Fullick has over 17 years experience working in Business Continuity and is the author of numerous books, including “Heads in the Sand” and “BIA: Building the Foundation for a Strong Business Continuity Program.”
Many of us don’t hear about a crisis until it hits the newswires, either through social media, news websites or through a posting on a social site we might follow. In some cases, we might not know about a crisis until we see 1st responders racing down the road heading towards and emergency.
Some will automatically see a disaster as a large catastrophe and one of the BCM/DR industry definitions of a disaster is that it’s a sudden, unplanned event that prevents the organization from performing normal operations. Though both a crisis and/or disaster can start well before the public or media even get wind of the problem.
Sometimes a disaster doesn’t begin until after a period of time when a lesser level of operational hindrance has been experienced. Then when the disaster itself occur, the management of the situation will determine the level of crisis; meaning how well the crisis is handled from the perspective of the public, media, stakeholders (vendors, partners etc) and employees.
For an operational impact, it could be that a key application is offline but is that a disaster? Probably not. If the offline application has a major impact upon people causing major distress and problems such as something in health care or the financial industry, then yes, that application being offline – even for a short time – is a disaster. How the immediate response and post-disaster activities are managed is what will create the crisis for the company. If you get something up and running within a very short time (and in today’s world that’s usually no more than an hour) then it might not be a disaster and a quick response and communication to the community will suffice. If it’s longer, then the management level and involvement of the situation and the level of impact it has becomes a disaster.
Still, if an organization has an internal Crisis Management process in place, early identification and response measures may prevent the incident from escalating and becoming a crisis – or a disaster if nothing is done about it – in the media or public eye. It was just an incident that didn’t have any major impact. Oddly enough, it could have been a major interruption but the impact on Service Level Agreements (SLA), employees, customers, vendors and partners was limited in size and scope; it was just a major incident for the company involved because of the resources (financial, time, personnel) it took to get resolved.
So, when does a crisis start?
It starts the moment the organization believes that someone – anyone – will begin to ask questions. It could be a client, employee (who will access social media about it if they haven’t been educated about not communicating corporate activities), vendor, partner or in some cases a financial institution or legislative body. An organization may be able to manage the situation internally with little impacts being had on external – and internal parties – but as soon as questions are asked about the disruption, you have the start of a crisis. It’s how well you manage those initial questions – along with the incident response itself (I.e. getting the critical application up and running as soon as possible) – that will determine how big the crisis escalates. If you don’t manage it properly the crisis will grow and escalate, making it a ‘Public Relations’ disaster.
The start of a crisis is different for every organization. It all depends on the level of preparation, preparedness and response is developed and instilled within the corporate operations. If an organization doesn’t have anything developed or the level of development is sub-par and very ‘flimsy’, the crisis starts quickly and escalates quickly – reaching that “PR” disaster timeframe in record time.
Hello dear readers!! We’ve been a bit quiet lately over here at StoneRoad due to multiple vacations (Singapore, Australia, New Zealand and more) and now that we’re all back, it’s time to start posting once more. Enjoy…
The StoneRoad Team
**The below section is an abbreviated bonus taken from the Appendix of the book, “Business Impact Analysis (BA): Building the Foundations for a Strong Business Continuity Program” by A.Alex Fullick. The full text can be found in the aforementioned book.**
Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA. The following are some common mistakes that need to be addressed to ensure that the BIA is effective:
1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program.
2. No Timely Follow Up of Results – A BIA is conducted almost always in support of an enterprise-wide business continuity program. The real value of a BIA is the follow-up activities that lead to effective recovery strategies being implemented based on the BIA priorities of the business processes. Occasionally, so much effort and cost is put into the BIA that business continuity planners never get around to fully implementing the follow-up recovery strategies and plans. Without the implementation of these follow-ups, the value of the BIA becomes wasted.
3. No Agreement on Scope (Level of Detail) – This level of detail can span an entire spectrum. On one end, some BIAs will contain relatively little detail to provide a higher-level executive view of the analysis. On the other end, and far more prevalent, are BIAs that include for each business process its corresponding input dependencies, output dependencies, recovery point objectives, recovery time objectives, and financial impacts. The common mistake here does not involve selecting the right or wrong level of detail – what’s appropriate for one company may be totally inappropriate for another – but rather, failing to reach agreement among all relevant parties as to what level of detail best meets the requirements that are driving the BIA in the first place.
4. Minimal Executive Support – One of the factors that most influences the relative success of a BIA is the degree of executive support offered at the outset. The kickoff process usually consists of two parts: a widely distributed email and an initial presentation. The email should come from the highest level executive sponsoring the BIA and should be distributed to all parties who will be participating in the effort. The email should emphatically voice the executive’s support for the project and insist on the support of al participants, particularly during the interview process.
5. Poor Questionnaires – An important step of any BIA is the collection of data from business units. The manner in which this data is asked for often spells the difference between a full, timely and meaningful collection of data, and one that is delayed and incomplete. One of the best ways to avoid this situation is to develop survey forms that are thorough enough to capture all relevant information and simple enough for business users to complete quickly and easily.
6. Lack of Preparation for Interviews/Workshops – Interviews are the cornerstone of a successful BIA, yet few planners prepare adequately for them to ensure their effectiveness. Interviewers need to learn as much as they can about a given business unit prior to the meeting, including a thorough review of the respondent’s survey.
7. Lack of Critical Focus – Analysts frequently make the mistake of asking business users ‘what are the most important business processes within their department?’ The reason this is a mistake is because virtually all critical business processes have a large degree of importance and value – otherwise they would not be designated as critical – resulting in less likelihood of it being easy to prioritize processes according to value or importance. A much better question to ask is ‘how long can a business process be idle before major impact is felt?
8. Focusing on the Tools Instead of the Process – Some analysts who conduct BIAs become very focused on the tools they will be using in the collection, compiling and analyzing the data provided by the business users. The emphasis often shifts inappropriately from the process being used, to the automation that can be applied to the process. There is an inherent flaw in this approach. If a poorly designed manual process that is being used to collect and analyze the data suddenly becomes automated, what you typically end up with is a poorly designed automated process.
9. Ineffective Interviewing Technique – I have known more than a few BIA analysts who preferred to rely solely on surveys, questionnaires and emails to collect needed data. The example previously cited concerning the over-focus on tools shows how this can less than desirable results. Analysts often say that setting up interviews can be more hassle than it’s worth. They will mention how interviews often start late, or may be cut short, or have to be re-scheduled, or cancelled altogether. In my experience, the real reason some BIA analysts try to steer clear of face-to-face meetings is that they tend to use ineffective techniques when interviewing business process owners.
10. Insufficient Results Analysis – Analysts conducting a BIA collect a wealth of information during the course of their efforts. But the value of this information is sometimes diminished by poor or incomplete analysis of the data. Analysts need to look for trends, patterns, relationships and discrepancies among and within the data to ensure a thorough and meaningful analysis.
11. Unclear Presentations – Data that is thoroughly collected and well analyzed is sometimes de-valued by an unclear or confusing presentation of the information and results. Managers in general and sponsoring executives in particular, expect BIA analysts to summarize their results in high-level presentations that are succinct and effective. Unfortunately, this does not always happen. Analysts gather a huge amount of data in the process of conducting BIA. In compiling and analyzing this data, analyst sometime err on the side of presenting too much information rather than too little.
12. Undefined Scope – Often, the BCP focuses entirely on system restoration. Resumption of business needs to include the people and processes required to resume operations. Many BCP programs are headed up by IT departments. ‘Tunnel vision’ can often cause these departments to focus on system recovery and not take the people issues into account. During an event, the people issues are often the most difficult to resolve. The scope of a business impact analysis (BIA) pertains to the number of business units, such as Finance, Administration and IT, which will be participating in the effort.
Don’t let your BIA efforts fall to the wayside; make sure you have strong BIA approach and you’ll end up with a strong BCM / DR program.