When planning our various BCM/DR components, you need to build and maintain some level of a schedule. If you don’t have a schedule built for let’s say the BIA or the development of a Crisis Communications Plan, then Executives will never know when to expect the results and participants will continually ‘put you off’. Continue reading
There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.
Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture.
It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.
The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.
1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.
2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.
3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.
4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.
5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help
6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.
When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.
© StoneRoad 2014 (A.Alex Fullick)
The message about disasters, disaster planning and business continuity is slowly spreading throughout the globe, as we see more and more organizations beginning to realize the value of preparedness and response activities to protect their operations and instil confidence in those they do business with.
Here at StoneRoad, we’ve seen a spike in people asking us questions and seeking advice on Business Continuity Management (BCM) / Disaster Recovery Programs – and we couldn’t be happier.
So we’d like to remind you that there are some great books by our founder, Alex Fullick, that can help provide great insight into how a good program operates – and how it shouldn’t. The books noted below are available on Amazon.com and at our own shop over at www.stone-road.com.
Keep an eye out for the next book by A.Alex Fullick; “Testing Disaster and Business Continuity Plans” expected to launch in the fall of 2014.
Until then, happy planning!!
The StoneRoad Team
© 2014, Stone Road Inc.
(c) Stone Road Inc. 2014 (A.Alex Fullick)
When disaster strikes, keep calm and march on!! Sometimes it’s not always that easy and in a real situation you really do need to carry on; if you don’t, you’re done! Over! Caput! Even with the numerous disasters occurring in the world – some man-made some natural in nature – there are still many organizations that would rather take their chances with fate than invest in a Disaster Response / Emergency Response / Business Continuity Management program. When disaster does strike, these organizations are left empty handed. With no plans or processes in place to respond to the situation they must ‘wing it’ if they’re to continue staying in business – or attempt to stay in business.
So what should organizations consider and focus on if they are caught in a serious situation and they don’t have a BCM/DR program in place? What do they need to do to try to get some level of coordination in response, restoration, recovery and resumption efforts? Below are some tips for how leaders need to view the predicament they find themselves in; a disaster/crisis with no BCM/DR program or plan in place.
1. Don’t Throw in the Towel – Don’t give up! You’ve got to do something even if you don’t have a proven plan in place, so keep going and do what you feel is right. Under no circumstances should you give up, as you really don’t have an alternative unless you really want your organization to fail. As the saying goes, ‘Keep calm and carry on!’
2. Figure it Out Quickly – Don’t waste time debating and getting everyone’s input on what to do. Figure out what your main objectives are then take it from there. The longer you take the less likely you are to remain in business much longer. And even if you do get up and running, because you took so long to do anything, confidence in your organization will vanish.
3. Focus on People – Make people your priority. A little bit of care and compassion can go along way in public and media perceptions and if you make people priority #1, you’ll be forgiven a bit more for not having a plan or program in place.
4. Reconfigure – Time will be of the essence, so don’t bother trying to get things like-for-like; it won’t happen. You have no plan, which may also mean no alternate site, so get what you can and start rebuilding. It may mean patch-working systems and services together and getting people to do activities they don’t normally do but do it anyway to get your operations up and running. You’ve got a clean slate in front of you, so feel free to reconfigure what you need to make things work. A small beat-up car will get you to “location A” just as well as a luxury car, so if you need to reconfigure…do it.
5. Get Rid of Expectations and Assumptions – Don’t bother asking questions and wondering about assumptions; you need to action things immediately and start doing something. If you’ve had a disaster and have no plan in place, then there are no rules, guidelines, directives or assumptions to work around; no boundaries to hold you back. So everything is possible to you and you’ve got to start trying to get your organization back up and running with technology recovery, business continuity and crisis management so that you can begin to service your clients with the services and products you provide. With assumptions, you may be thinking that everything you need is easily available – including people. However, this might not be the case so throw your assumptions out the window because the only assumption that gets proven correct in a disaster is that all your assumptions are wrong.
6. Emotion Over Intellectual Response – If you want to stay in the good graces of people, then speak to them emotionally, not like an automaton full of intellectual platitudes. If you don’t have a plan in place, you’re biggest fight will be with through how you respond to the disaster as perceived by onlookers not how two IT servers are connected to the internet. Speak with an emotional approach and you may find that people will approach you offering help, assistance and with compassionate sympathy.
7. Don’t Blame – Don’t play the blame game right away. You’re in a disaster and the public, employees, partners and the media what to see you dong something and managing the situation; blaming others is seen as a smoke screen in an effort to deflect questions and criticism. But the opposite occurs so don’t bother playing a game you can’t win. When the dust has settled and you’ve performed investigations into the cause, then you might be in a position to start blaming but it shouldn’t be your priority.
8. Request Help – It’s not time to be proud. If you need assistance to get resources then ask for it. Don’t be shy, as trying to hide the fact you need assistance can cause even more problems. Many organizations are willing to help competitors and partners when they have a disaster but many are too afraid to ask for help because asking for assistance is seen as a weakness when in fact, not asking for assistance is a sign of proud arrogance. If you need help, ask and don’t shy away from stating the issues you have, as it a response or helping hand may appear to help resolve some of the problems you’re facing.
9. People Are Resilient – People do not wantonly wish to fail; they want to succeed and responding to a disaster by their employer is going to make them want to work hard and overcome the situation. Their livelihood is at stake and they aren’t about to let that disappear without fighting for it. Many want to be part of restoration and recovery efforts, as it takes them away from the trauma of what has occurred and helps them focus on areas with which they have more control and knowledge – rebuilding servers, loading applications, testing etc. Your organization isn’t the first to experience and disaster and won’t be the last and in the majority of cases, people overcame adversity by sheer hard work and will power – and never giving up. Let the employees do what they know needs doing instead of trying to make it up on the spot, they are aware of what they need to do, as they do it each day – it’s why you employ them.
10. Listen – Listen to those around you – especially those Subject Matter Experts (SME) and End Users that can offer all sorts of advice on how to get something working again. Often, experts are leveraged from external sources and all too often, they are doing things with their own gain in mind, so don’t throw away suggestions from others, as they may have ideas that can be of assistance and those ideas may work better than some other specialists because they often are thinking outside the box. They are also thinking or ensuring they get their jobs back and their employer operational; a different perspective than some vendors and partners who are more worried about the impact upon their bottom line rather than yours.
11. (BONUS) Document Everything: When the disaster is over – or when you’ve got time to start – begin to document everything you’ve done. Every action item and resolution. Every decision. Every communication – the good and the bad. Every participating role required and what they did – and didn’t need to do. Every action asked and required of partners, vendors and suppliers. Every aspect required to assist employees. This will help start you formal BCM/DR program and begin to pull ideas together for plans because as sure as the sun will rise tomorrow, you’ll be building your program immediately. In fact, it’ll probably be the #1 priority of executives and management, assuming you’re organization was able to get through the situation and come out the other side – though probably battered and bruised.
No matter what happens, you have to be doing something. The situation won’t resolve itself by wondering what to do or wondering what ‘might have been’ had you a BCM/DR plan.
When it seems you’re down, get back up and keep playing on – you’re only beaten if you give up, not if the issue continues. It’s said that Edison failed at inventing the light bulb dozens of times but did he give up, no, he played on. Abraham Lincoln give up, despite losing a couple of elections and became President of the United States.
© StoneRoad 2014
By A.Alex Fullick, MBCI, CBCP, CBRA, v3ITIL, author of multiple books on BCM including “BIA: Building the Foundation for a Strong Business Continuity Program” and “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.”
To most people a crisis is bad and for the most part, they’d probably be right. However, an organization can do good things when they are hit with a crisis; some may even say there is an opportunity. The situation itself might be bad enough but it it’s not being managed correctly or communications aren’t approached in a positive way, the crisis can be compounded because the media and the public will think there are more things being hidden by the organization.
If it seems that an organization isn’t prepared – through its communications and response actions – the media and public may start to go ‘hunting’ for more information and uncover other details of the organization that the organization may not want released. Not that they are bad examples on their own but compounded with the existing crisis they will seem larger and could create another crisis or even escalate the existing one. The organization will then be fighting more than one crisis on its hands.
Below are some tips for how to communicate during a crisis; some do’s and don’ts and tips for ensuring good communications when speaking to the media and the general public.
1. Lawyers Aren’t the Face of the Organization – This is one of the biggest mistakes organizations make when communicating with the media and public; they let their lawyers do the talking. Lawyers are good at what they do don’t get me wrong, they just aren’t the ‘face’ of the organization. Often they will speak in terms that the public either don’t understand or don’t want to hear. The public wants to hear what the situation is and what the organization is going to do about the crisis, not the legalities it’s taking to find blame (which is what the lawyers will be trying to do to wither minimize or remove the burden off the shoulders of the organization).
2. Apologize and Show You Care – Be sincere and offer apologies. Don’t say you’re sorry and continue with a ‘but’ statement, as it just nullifies the apology and the public and media will know you really aren’t showing care of the parties involved or impacted by the crisis. It shows you’re trying to defend the organization rather than helping those impacted – or possibly injured – as a result of the situation. Apologizing with sincerity can soften the anger towards the organization and actually help bring people towards the organization by offering assistance. Apologizing also shows that the main concern of the organization is people, not money or shareholders, but people impacted by the situation.
3. Leadership – You’ve got to have the leaders in front of the camera. Public Relations or Human Resource Managers can be in front of the camera only so long before people begin to question the leadership qualities of those in charge if they aren’t being seen by the public. Organizational leaders must be seen during a crisis, not just when good things occur.
4. Responsibility – Many may not agree but take responsibility for what happened. To deny or lay blame immediately isn’t appreciated. Even if you know the situation was not caused by your organization, it’s your organization in the headlines and people are watching. So take responsibility and take control of the situation; you can always find the blame later and take necessary actions.
5. Don’t Delay – Too often many organizations take too long to put a response together. If there’s a delay in response it could send the message that you’re trying to hide something or that you’re hoping the situation will just go away, which it won’t. Even a quick press conference to state what you know – even if it’s very little – still shows that you’re on top of events and managing the situation, not letting the situation manage you.
6. Ask for Help – There’s nothing wrong with asking for help. It may not mean asking for help to restore systems and processes but it may be to ask help from the media to communicate key phone numbers or websites that employees or customers or the public can access to get more information or provide information on what they might know about the disaster. The media is always willing to help and to a large degree, when an organization requests assistance with such initiatives, it helps show the public you have nothing to hide because you’re inviting others to participate and offer assistance.
7. Communicate Even When It’s Over – A crisis isn’t over after a day or two in the headlines; it’s over when you’ve learned something and resolved the matter so that it doesn’t occur again (if the situation allows for that). If you’ve had an internal problem that caused the crisis, communicating days or weeks later that the situation has been resolved, shows that you learned something from the crisis and saw it through to the end by resolving it and letting other know of that resolution.
8. Leaders Need Training – Everyone needs training to improve their skills and move forward, this includes corporate / organizational leaders. No one knows when a crisis will occur – and it will – so leaders need to have training on how to communicate in crisis. There are many crisis management & communication courses offered so leaders should prepare themselves. They expect the rest of the organization to be prepared and do their part when a crisis or disaster occurs, so leaders need to ensure they are prepared.
© Stone Road Inc. 2013
We’d like to give you a friendly reminder that if you’re attending the Australian & New Zealand Disaster and Emergency Management Conference in Brisbane, Australia (May 28-30, 2013), StoneRoad founder A.Alex Fullick will be presenting the topic “Heads in the Sand: What Stops Corporations from Seeing Business Continuity as a Social Responsibilty” on Wednesday, May 29, 2013. If you’re in the neighbourhood stop by; you’re sure to hear a great presentation.
StoneRoad 2013 (R)
Most organizations don’t want to imagine what would happen if a disaster struck their operation, but what if a disaster did strike. How would your organization respond? The best way to know how to respond is to develop, implement and maintain a Business Continuity Management (BCM) program. A BCM program provides a framework for building organizational resiliency with effective responses and safeguards that protect its reputation, stakeholders, employees, and facilities.
BCM is not just about remedying technology shortfalls, as many organizations believe. It’s also about securing, protecting, communicating and preparing corporations from disastrous impacts upon its workforce, facilities and its technologies – To minimize the impact on operations. BCM touches every aspect of an organization from the mailroom, the field and the call centre to the manufacturing floor and right up to the boardroom.
To make your program effective, consider some of the following suggestions when planning:
1. Start With the Worst – Begin the planning with the worst-case situation your organization can imagine. For many, this example is the tragic events of September 11, 2001. Work backwards from there and you’ll start to fill in many of the dangers that can harm your corporation. You’ll also be able to start challenging the worst case situation and begin to get more inventive with potential impacts – and develop the plan accordingly.
2. 3 Pillars of a Business Continuity Plan (BCP) – Every BCP plan must address three things; Workforce Availability, Facility Availability and Technology Availability. If each plan has these three core components, an organization can respond to any disaster situation and expand their capabilities by adding varying situations and scenarios through validation exercises.
3. Dedicated Resource – Assign a person with the appropriate training and authority to get things done, if not, the program will quickly fall to the wayside in favour of other initiatives. This may include getting outside help to get the process kick-started (i.e. consultants, contactors etc).
4. BCM Program vs. BCM Project – The BCM program must live on and continually meet the needs of an organization, as it grows and changes; so to must the BCM program. A project has an end date but a program must live and breathe and contain more than just a single aspect of BCM. Therefore, when the Business Impact Analysis (BIA) is completed, that’s just one ‘project’ of the overall BCM program; you’ve got lots more to get through and develop.
5. Exercising/Testing – Plans mean nothing if they haven’t been validated. Every organization must exercise its plans to make sure they’ll work during a disaster. It’s better to find gaps in your plans through exercising and under controlled circumstances rather than when the real thing happens.
6. Executive Support – If no one is there to champion the BCM program, it won’t last too long. In fact, there’s a good chance it will run out of steam and end up on the backburner of boardroom discussions. Having executive support shows the rest of the organization that BCM is taken seriously.
7. Awareness & Training – It can take a long time to develop continuity plans and create processes and procedures but if no one knows how to use them, where they’re kept or under what circumstances they’re required, they won’t be of any value or use. Remember, awareness and training are not the same things and every level of the organization must received its fair share of both if the program (and all the developed plans and processes) are to be useful and successful.
8. Focus on People – This should be a no brainer; BCM is about people. It’s people that build the plans, use the plans, review and exercise the plans. It’s people that will be impacted by not having plans in place; clients, vendors, employees and communities. If you state that technology availability is the most important part, you’ve basically told those individuals – who you need to help build plans – that they aren’t important. Keep in mind; people first.
9. Business Impact Analysis (BIA) – Every company must understand what it does and how it does it. A BIA is the process of analysing business functions and the effect that a disruption might have upon them. Knowing this will help corporations develop appropriate Business Continuity Plans (BCP) and other contingency strategies. Ensure you get agreement on the findings, don’t just state what they are and move forward. The findings from a BIA are what the attendees believe is important and it could turn out that what they feel is important to the company is not what executives believe is important. Make sure executives are in agreement with the findings before you start developing restoration and recovery plans – you could be way off the mark.
10. Program Maintenance and Monitoring – If program components aren’t maintained and updated the Business Continuity strategies developed – and the related documentation – will reflect the corporation as it once was, not as it current is.
11. Bonus: Using Software Only – Software can be very beneficial for maintaining and gathering information but beware, it doesn’t take into account the nuances of people or scenarios specifics. It may tell you that you need 10 desktops in 24 hours but the situation itself may call for something completely different based on what has occurred. Don’t fall into the trap that DR/BC software will answer all your questions and save you; it’s a tool to help you.
Having a BCM program in place is a part of an organizations Corporate Social Responsibility (CSR) but there are other benefits to implementing a program. First, your organization will have the security in knowing a robust plan is in place to deal with disasters, providing safety and security for all employees. Second, a proper BCM program will provide a competitive advantage. Those organizations will strong programs win out over organizations that don’t have BCM plans in place because there is knowledge that your organization will have developed a way to provide a product or service even during a disaster.
It’s not easy building a BCM program; it can be tough to develop, implement and maintain but it will only take a single crisis or disaster to prove its worth. A single crisis or disaster can be one too many. Are you prepared?
© StoneRoad (2013)
BCM document templates available in the ‘shop’ section at http://www.stone-road.com.