Preparing for the Unexpected: July 27/17 Show Announcement!

Hello everyone,

We’re happy to announce next week’s show with guest and BCM / DR specialist, Alvaro Orrantia.

Check out the promo here:

Check out Alvaro’s BIO here:

It’s sure to be another great show!


The StoneRoad Team


BCM & DR Program: Using and Dismantling Assumptions

In all planning, whether it is for projects or programs and regardless of the industry and nature of business, one of the key areas that often gets overlooked is the use and belief in assumptions.  Not just overlooked but they tend to become part of the fibre of every project and every BCM/DR program.  We assume ‘so-and-so’ knows this ‘action’ and will do that ‘activity,’ when in fact, so-and-so has no idea what they’re responsible for or even that others believe they’re responsible for it.

We don’t communicate assumptions often and if we do, it’s once or twice in the initial stages of a BCM/DR project or we make them up within the confines of our own segregated meetings, which aren’t attended by those that the assumptions are based on.  We capture the minutes of the meetings and action items but never reach out to those we assigned an assumption to; they’re forgotten and actually become part of the BCM/DR framework – the plans and procedures we expect others to implement at the time of disaster.

Assumptions are used to fill a void – an unknown.  When we don’t know an answer we plug in what we hope will be proven to be the answer but fail to follow up on it.  When it doesn’t occur the way we want, it’s because we put faith in an assumption, as though it was always correct, rather than trying to disprove or validate it.  By failing to disprove it, we are in the false belief that we’re taking a step forward because we embraced and accepted the assumption and, in this way, provide ourselves with a level of comfort and a reason to point the finger of blame when something goes wrong.

Assumptions aren’t just found during planning and development but during the implementation stages – or phases – of various program components.  Even when an actual disaster occurs assumptions abound, as Crisis Management Teams (CMT) and individuals assume that others are performing the activities required.  Even the assumption that people – and everything else – is and will be available when needed.  If everything was available when and where it was desired and expected, then we wouldn’t have such diverse plans and processes in place to deal with such disaster situations.

Assumptions aren’t always a bad thing.  At the beginning of the BCM/DR program development, assumptions help move things forward.  You plan up to a specific milestone based on a set of assumptions and then validate them through exercises and tests and conversations, as minute details slowly emerge the more and more planning develops.  The results of which (exercises, conversations etc) help fill in the gaps identified that were – originally – assumptions.  This way the assumption becomes a positive because it helps move the program forward by challenging those involved and initiating conversations between groups; communicating the expectations various groups and individuals have about plans, processes and procedures.  Not revisiting them and validating them will only cause problems.

As the organization changes – plans, processes, resources, locations, lines of business etc – so too must the assumptions.  An assumption developed at the outset of the program development can’t be considered valid years later when all the players, and everything else associated with it, have changed.  That’s simply ludicrous and naive.  They must be revisited over and over because they may be true under some circumstances but invalid under other circumstances.  Since no one ever knows when or where a disaster occurs or under what circumstances, assumptions must be challenged, communicated and validated on a regular basis…and quite possibly, new ones developed over time.


© Stone Road inc, May 2012


 “Heads in the Sand: What Stops Corporations from Seeing Business Continuity as a Social Responsibility”

“Made Again Volume 1 – Practical Advice for Business Continuity Programs”

“Made Again Volume 2 – Practical Advice for Business Continuity Programs”

by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3

Available at, &

Leadership in Business Continuity Management (BCM) & Disaster Planning (DR)

I read a lot of books on management and leadership; it helps give insight on how to get buy-in and work with top tier representatives when trying to develop a BCM/DR/ERM program or just trying to get one back on track.  It also helps me be a stronger leader in the industry and in dealing with various clients and their expectations.  One of the things I’ve found over the years – and it crops up in many books – is that Leadership and Management are two different things.  Often, corporations believe that if you’re a manager then you’re automatically a leader by default.  Well, that’s not quite true – it can be for some managers – but it’s not a guarantee.

Here’s the dictionary definition of the two:

  1. Leader – A person who guides and inspires others.
  2. Manager – A person who directs, controls and manipulates the resources of an organization, division or department.

As you can see, one can be the other but rarely are they found to be both; especially during a disaster or crisis.  A good manager – an inspiring manager – can step up to be a leader during a crisis and a leader during normal ‘Business as Usual’ timeframes can sometimes fall flat and just be a manager; forgetting how to lead under pressure and stress.

A good or great leader during a disaster or crisis is not determined by their title, though many believe it is automatic.  Not true.  Leadership qualities can suddenly appear from the most timid of people; it all depends on how they respond to the situation.  Just because someone has the title of Vice-President, it doesn’t mean they are calm under pressure (i.e. disasters) or that they have the following and support of their employees – and direct reporting managers.

What makes a great leader during a crisis, even if they aren’t normally a leader or a manager, or are sometimes just a regular employee?

It really depends upon how they respond, work and communicate under pressure.  If they remain calm and focus on the key/core items related to the situation at hand, they will instil confidence and have poise and optimism in themselves, their staff, the community, the media and the general public.  If they seem indecisive and calm under pressure to all that observe them, even if in private they might be a bundle of nerves.

These people somehow can operate under stressful and strained circumstances and people pay attention to their direction; they follow the leader.  Managers that believe they are leaders without inspiring their employees and those around them aren’t leaders; they are just managers of their resources.

In a disaster, a leader must be a quick thinker, able to distinguish the big picture and the overall objective from the detailed – sometimes personal – perspectives people have on a situation.  It’s all about how they respond and react and then project the right response out to others.

Another great aspect of a leader during a crisis is that they listen; they pay attention to the words of others.  Let’s face it, all great leaders – corporate and political – have people who offer advice and guidance on various subjects.  When a disaster occurs, the leader must still be able to listen and take advice from these individuals and at the same time, make sure that his or her advisors are focusing on the right subject matter to bring the situation to a healthy response and quick resolution.  They’ll remove the roadblocks for individuals as they work through their own responsibilities to enable them to perform the functions required from them.  This is something a great leader does during normal business operations as well, not just during a disaster.

A great crisis leader also passes along their lessons learned from previous crises and delivers them to others in a way that will help others grow as individuals and possibly become leaders themselves.

Yes, everyone is different and it is these differences that will separate the leaders from the managers from the followers.  The followers will change course if the leader isn’t strong and doesn’t instil confidence but then again, a strong leader will change course when the existing strategy isn’t working; they aren’t afraid to keep moving and address the situation at hand as it develops and meanders its way to resolution.

These are the kind of people you want to have on your Crisis Management teams; those that make the ‘big’ decisions and provide direction to the organization.  You want the organization to follow them; so choose the best leaders for the job, whether they are a lower, middle or senior management representative or not.




Disaster Communications: More Than a Phone Line Update

Continuity Magazine, published by the Business Continuity Institute (BCI), had an interesting article regarding “…Resilience in the Workplace.”  The author provided many valuable tips for corporations on how to build resiliency within the work force (many ideas of which I’m quite familiar with from years of being in the industry); however, there was a point in the article that caught my attention and it provided the spark for this article.

The thought was to bring together team members that aren’t part of the disaster team structure (i.e. those performing restoration and recovery efforts or those leading these teams) and are instead individuals that were sent home to wait for instructions.  Often, we know we are to communicate the status of the situation to employees, stakeholders, Crisis Management Team/DR Team members, partners, suppliers, customers and clients, and the thing all of these have in common is that a team is made up of people; people, not a product, service or some sort of commodity.  Therefore, we need to treat people as exactly that; people.

During a disaster, only pre-selected (and hopefully trained) individuals are required to help restore, recover and validate systems.  Only a select few are given tasks that relate to the disaster/crisis response; the rest may be sent home for further instruction.  This is where some additional issues can slowly creep into the fray.

It is one thing to send people home and ask them to check a phone line for updates; it’s another to actually communicate status and expectations with them.  For many employees, the expectation is to go home – when requested to leave for home – and monitor a phone line, website or email for communications from the corporation (assuming of course the corporation has a communication strategy) but this only lasts for so long.

The website, email and/or phone messages must be consistent and provide enough information so that employees accessing the line understand what is actually occurring and how things are progressing.  Understandably, details may not be provided but a high-level overview of where things are can help people feel a part of the restoration and recovery efforts when they actually aren’t a part of those teams at all.

In addition, if after a couple of days the only communication is through the email, website or phone line, employees can begin to feel alienated and forgotten.  Not forgotten in the sense that they aren’t going to be needed at some point but forgotten because all they are getting is a phone message, which they probably have to dial into at a specific designated time to get an update that doesn’t address any of their concerns or questions.

Many of today’s larger corporations have external parties that offer employee assistance (Employee Assistance Programs – EAP) but even here, they can only offer support and provide so much information.  If the EAP is the sole source of information, the employee once again can feel alienated and left to fend for themselves.  Corporations give the perception that they are shuffling off their staff to EAP and then turn around and focus on the restoration and recovery efforts.  That isn’t to say that corporations can’t use EAPs to help but they can’t just shuffle the responsibility off to an EAP and expect employees to feel like they are being communicated with by the corporation.

The author of the Continuity Magazine article provided an interesting idea: create touch points/sessions that can bring together some of the employees sent home, so they can meet each other and bring forward their concerns and issues.  Sure, executives and DR teams are focusing on getting things back up and running but there is still a segment of employees that need to have some focus as well.

An idea could be to have one of the EAP representatives and/or a representative from the corporation’s Human Resources office organize an information session for those that have been sent home.  Ask them to attend a meeting at a hotel where they can come together and discuss the disaster and be reunited with their colleagues (of all levels).  If they can’t attend in person, provide a conference bridge or web access so they can follow along.  This will at least let employees know they are being thought of during a disaster (and being provided a platform to communicate concerns and receive information).  BTW, some of this might even be performed using notification software/applications but beware; it will take some time to set up ahead of time and many individuals might not want to provide you with their contact information.  Still, this will at least give you a tool that’s easier to use (hopefully) to reach more people.

Corporations want a sense of community; a sense where everyone wants the corporation and all its employees to be successful.  But when a disaster occurs the focus goes to a select few and the rest can feel like they’ve been pushed aside only to be brought back when the corporation says they are needed again.  It can cause resentment amongst staff because they can’t share their stories and experiences with colleagues and aren’t being communicated with by the corporation; just a voicemail providing little information and continually asking to call back.  That isn’t communication.



StoneRoad on the Net…We’re Everywhere!!

Well, it seems lots of hard work pays off and you can find StoneRoad everywhere.  Check this link out and see what the latest entry is.  Thanks to Rob G for this.


Alex (and the StoneRoad gang)


HAPPY NEW YEAR and Welcome to 2012!!

I trust everyone had a great holiday season and you’re all looking forward to a busy and fun 2012!!  We here at StoneRoad sure did and we’re looking forward to some new projects.  Here’s just a bit of what we’re looking at this year:

1) Alex Fullick releases his 3rd book in early 2012 (Made Again – Volume 2: Practical Advice for Business Continuity Programs).

2) Alex Fullick releases his 4th book in the fall of 2012 (tentatively titled “Essence: The Truths of Disaster Planning All Leaders Must Understand.”)

3) Creating and releasing the 1st book under a NEW StoneRoad company, ‘Madaemen (a Division of StoneRoad).’

4) Releasing and selling DR/BCM/ERM template guides on the website, along with user guides on how they can be utilized.

5) Running a contest with a local Chamber of Commerce to win a free audit engagement (conditions apply).

6) Near the end of 2012, we plan on beginning to take our revolutionary BCM training course on the road.  It’ll be a training like no other.  (More on that in a few months’ time.)

7) Since our logo has received lots of feedback, we’re going to release a small selection of merchandise later in the year.  For some reason, everyone likes our dragon!!  Sorry, can’t have him – he’s ours. 😉

8) Begin development on an iPhone application that will help corporations during disasters; again, more on that later in the year.

9) Continue working with The International Emergency Manager’s Society (TIEMS) and will be in Mumbai, India in September 2012.

10) Off hand I can’t remember the dates for publishing but StoneRoad will be contributing a few writing pieces to an encyclopedia on Crisis Management being coordinated by individuals in California, USA (Berkeley University springs to mind).  Sorry, just getting back to a ‘work’ frame of mind so a bit fuzzy on the details at the moment.

That’s it for now…I’m sure there’s more we’ll be doing as time goes by.

Our hope for you is that each and every one of you finds success in 2012 and you reach your goals or, at the very least, are able to take steps towards reaching them.  Here’s to a new year and the wide open road of success; it’s yours to travel!!


Alex & everyone at StoneRoad.





BCM Program Ownership vs. BCM Plan Ownership

One of the quandaries many corporations face is who should be the owner of the BCM program and who is the owner of the various plans.  Many need to determine who is responsible for the various plans against who is accountable for the various program components.

A program is usually owned (the overall responsibility) by a single individual; a Senior Executive, Vice President or a Director might even be the owner.  However, when it comes to various BCM plans, you end up with the same situation.  An individual can own a single department plan but a senior person may be the ultimate owner of the various division plans.  Meaning, in finance (for example), the CFO might own the overall Finance BCM plan but the accounting department manager may be the owner of the accounting department plan.  It folds up into the larger group of plans; the finance division plan.  This is where confusion sets in, as to who owns what component.  (BTW, yes, I’m aware that ultimately, the overall responsibility for department/division plans would still fall under the Senior Executive but they are rarely involved in such a detailed level.)

Then it gets even harder; who owns the overall program on the Senior Level?  A finance executive doesn’t want to own plans that belong to a Servicing, Human Resources or, lord forbid, the Technology department.  The person(s) who has BCM in their performance review/appraisal is the owner of their plan.  That simple.  If you’re judged by the plans in place for your area, then you own it.  It wouldn’t be prudent to judge someone (appraise or review them) on a subject for which they have no ownership – but hopefully some level of involvement.

It has to be determined where in the organization BCM sits and who owns what components.  Can you imagine what will happen if a DR occurs and there is no owner?  Or worse yet, suddenly everyone becomes an owner?  Yikes!!  But then again, responsibility is different from accountability and maybe if that distinction is made it might be easier to determine who owns what components and plans.


  1. Responsible: “chargeable with being the author, cause, or occasion of something.”  For example, departments are the authors of their plans and are responsible to ensure they contain accurate and up to date information.  They are the ones who would be following them during times of disasters.  They understand the details (if it contains that level) and the eccentricities within the various department processes.  Thus, they must be responsible for them.
  2. Accountable: “subject to the obligation to report, explain, or justify something; answerable.”  BCM is accountable to ensure the plans are updated, maintained and distributed because that is the role of the BCM professional (among many others).  They must ensure the plans conform to a standard and contain a sufficient level of information that will help the corporation (or a particular department) to respond effectively in a disaster.  If it’s in your job/role description, you are accountable for it; if that is a BCM plan, then you’re accountable.  An executive can be accountable for those who work under them (or with them) and is responsible to make sure the right tools are provided to these individuals so they can continue to develop sufficient plans etc.  Accountability is the last line of defence when something occurs.  For example, the President or CEO is accountable for the entire organization; if something goes wrong, it’s their ‘neck on the line’ so-to-speak.

To put it into perspective, the higher up the ladder you go, the more responsible and accountable you become for your department / division.  Responsibility and accountability expand outwards based on the level of influence one has within the organization.  The newest employee has responsibilities but little accountability because they don’t usually own any processes until they begin to gain influence and move up the corporate ladder; then they gain more responsibility and accountability.  So, back to the BCM program and the various plans.

BCM is the owner, or the steward if you will, of the document templates, document repositories, the review processes and development methodologies (to name but a few) to keep the program current and reflecting the organizational need.  This also means ensuring that a maintenance process is in place, as well as training and awareness campaigns and opportunities.  They can’t own each plan because the content is that of the various departments.  The BCM representative can’t own the content of the Finance department; only the Finance department can own their own items.  What BCM is not the owner or steward of is the plan content, unless it’s a plan specific to the BCM department.  The contents of many of the plans should be that of the individual department leads / functional managers / or division heads.  You can’t shuffle ownership to someone else the moment a disaster occurs.

If the content – and plan – is owned outside of the department, what incentive is there to maintain it?  None.  It would be like me being responsible/accountable to keep your car running in good order.  That just doesn’t make sense, does it?  If that was the case people wouldn’t bother to ensure the plan (or as the example says, their car) is kept maintained because it would always be someone else’s fault should something go wrong.  But if you own your business processes and procedures during normal operations, you are responsible and accountable when a disaster occurs; you just get guidance and direction from the coordinators on when to enact your plan.  Meaning, when the “DR Team” members say to implement your contingency plan you have a plan to implement.

Another example: who better to own the Crisis Communications Plan; the BCM team or the Communications team?  Should be a no brainer.  The BCM team might present and develop a format that is to be followed – the document structure if you will – but the content – the detail – must be developed and owned by the Communications team.  Who knows more about communications than the communications team?

When it’s ‘completed’ the BCM team is then responsible – along with the department representatives – to make sure some sort of validation exercise is scheduled to validate the plan(s) content.  Then they need to ensure it is reviewed on a regular basis for updates and relevance.  It should be that way for all plans.

Let’s look at it a different way: I may be the owner of an apartment building (the BCM Program) but the contents of each apartment are owned by the tenant, not me.  I, as the owner (or superintendent), am responsible to make sure the building runs effectively and efficiently and is clean but I’m not responsible for what is inside the apartments, as that content is not mine.  (Unless you break my fridge…ha ha).

Program Ownership is different from Plan Ownership and the sooner corporations can instil that insight in teams, managers and others, the better the plans will become.  In some instances the Risk Officer (CRO) is the owner of the overall BCM program but it will entail the Health & Safety group/team, Security (Information and Physical) and risk management.  They are responsible to ensure the overall program flows while the various components are managed by another person (i.e. the director of InfoSec is responsible for InfoSec and all that it does).

It’s this high level person that presents the status of the program to the rest of the executives; they are the ultimate owner of it all.  As owner, they expect that all the various components are maintained and validated through exercise and kept current.  That is the responsibility of the component owners (or plan owners).  Clear as mud??

