More Thoughts on Planning and Plans

Joe Flach | May 30, 2012 | No comments

Mike Tyson is quoted as saying, “Everyone has a plan, ‘till they get punched in the mouth.”

How well do your plans stand up to the punch in the mouth?

Field Marshal Helmuth von Moltke put it this way, in a more familiar quote, “No plan survives contact with the enemy.”

In our case, the enemy is the disaster or business interruption event we are planning for.

And, Arthur C. Clarke, had this observation, “All human plans [are] subject to ruthless revision by Nature, or Fate, or whatever one preferred to call the powers behind the Universe.”

The point is; whatever you had in mind when developing your business continuity, emergency response or disaster recovery plans, the event you will have to respond to will be nothing like what you envisioned.  Now, I know many of you are thinking, “That is why we do not plan for particular scenarios, we plan for the impacts of scenarios!”  But, I still say, you cannot plan without certain assumptions and certain biases about how the response will take place or how the crisis will unfold – and, I suggest, it won’t happen that way.

This is why I always like to look for evidence in a plan that you have provided the framework for decision makers to get together, make changes to the plan as needed, and, have the means to communicate these decisions to those who need to know this information.

I happen to believe in what Lester Robert Bittel had to say about planning, “Good plans shape good decisions.”  But, it is important to understand that not all decisions are made ahead of the event and the good plan must lay the foundation for at-time-of-disaster decisions to be made to adjust the plan based on how the enemy is responding.

Now, I happen to make a good living from helping organizations create, document and test crisis management, emergency response, business continuity and disaster recovery plans.  So, I would not dare under-emphasize the importance of planning – but, like some of the quotes I will share below – I think the value gained is in the planning process and not so much in the plans.

Dwight D. Eisenhower said it this way, in a quote that is often repeated, “In preparing for battle I have always found that plans are useless, but planning is indispensable.”

Dr. Gramme Edwards paraphrases it this way, “It’s not the plan that’s important, it’s the planning.”

Indeed!  It is in the planning process where we build out solutions, implement recovery capabilities and exercise our abilities to respond.  This is the real value and the enablers that will allow us to survive the business interruption event.  The written plan, with step-by-step instructions for how we operate, sometimes for weeks after the event – will hardly ever be referenced and certainly, not referenced after the first 24 hours.  I do believe that those decisions we made before the event that provide action steps within the first few hours of an event can be valuable – but once decision makers get together and have the luxury of a little time to figure out where we currently stand – decisions made before the event occurred will have less value.

The capabilities we have in place because of the planning process will be the key to our survival.  How we utilize those capabilities will require flexibility based on the event itself.

Winston Churchill said, “Those who plan do better than those who do not plan even thou they rarely stick to their plan.”

I think that is a much better way of saying what I mean!

I do run up against “pride of authorship” when I evaluate written plans – and I understand and completely empathize with that.  I am guilty of the same.

But, Publilius Syrus says, “It’s a bad plan that admits of no modification.”

I do believe in the power of planning.  And, I agree that planning is essential.

Although attributed to many different people, I think Tariq Siddique says it best and simplest, when he states, “If you are failing to plan, you are planning to fail.”  (This quote is often attributed to Benjamin Franklin, who may have said the same thing or something very similar.)

And, I couldn’t agree more with Sun Tzu in his The Art of War, when he suggests, “Plan for what is difficult while it is easy.”

This is why we must plan before the disaster.  Not only because we do not have the luxury of time to plan afterwards, but because the planning process is easier lacking the chaos and confusion that will accompany the disaster.

But, remember, it is the planning that is important and the resulting capabilities put in place during the planning process.  The plans themselves, may not be what is needed to get you through the particular crisis you are responding to.

Hillel J. Einhorn states, “In complex situations, we may rely too heavily on planning and forecasting and underestimate the importance of random factors in the environment. That reliance can also lead to delusions of control.”

I think our plans need to allow for the flexibility to respond to these random factors.  And, yes, I do think some of us have “delusions of control” when it comes to assessing our state of readiness.

I want to end with two more thoughts on planning.  I have witnessed so many programs lacking progress because of their desire to create the perfect plan.

George Patton is quoted as saying, “A good plan today is better than a perfect plan tomorrow.”

I agree.

And, lastly, when exercising our plans and our recovery capabilities, I so often find planners who like to assign pass/fail grades to the tasks.  I like to rely on what Thomas Edison had to say about failures, “I have not failed.  I’ve just found 10,000 ways that won’t work.”

There I think I have reached my quota of quotes.  If you made it all the way to the end of this blog – I applaud you.  Thanks.

If you have a favorite quote to share with us, please do so by adding a comment.

Category: Business Continuity, Crisis Management, Disaster Recovery | Tags: , , , , ,

The Recovery Requirements Analysis

Joe Flach | May 29, 2012 | One comment

I have been in more than a few BIAs or business continuity planning sessions when it is like pulling teeth trying to get business managers to identify the applications and/or other requirements and resources they need to minimally perform their mission critical business processes.

This is especially true when working with financial traders.  First, they under-estimate their need for tools and resources, believing that as long as they have a phone, they can conduct trades.  But then the list of requirements grows and grows.

A typical requirements analysis session with traders might go like this:

ME:  What do you minimally need in an alternate site to conduct your business?

TRADER:  I don’t need anything.  Just give me a phone and I can trade anywhere.

ME:  So, all you need is a phone?  You can trade with just a phone.

TRADER:  That’s right.  Just a phone.  Well, I also need my data feed.  But, just a phone and a data feed.

ME:  Nothing else?

TRADER:  Well, I need a phone, my data feed and the blotter system.  Just a phone, data feed … oh, and I need trade tickets.  Just a phone, my data feed, the blotter system and trade tickets.  That’s all I need.  Oh, and I need my directory of phone numbers… and a recorded phone line.

Does this sound familiar?

Here, check out this link to a secretly videotaped, recovery requirements session I conducted with one business manager:

Recovery Requirements Analysis Video.

Okay, so I am being funny.  But, if you have done this for as long as I have, I am sure you shared in the laugh.  I have used this routine in a few public speaking sessions I have done on business continuity planning.  It is always a good trick for getting my point across and keeping the audience awake.

And maybe, just maybe, I am being a Jerk!

Category: BIA, Business Continuity | Tags: , ,

The ROI Issue: Does Preparedness Planning Have One?

Joe Flach | May 29, 2012 | No comments

My good friend, and, hopefully, soon to be guest blogger on this site, David Lindstedt has written a very interesting and intelligent article recently published by Continuity Insights, titled: “Does Preparedness Have and ROI? | Part 1, An Answer”.

I highly recommend you taking a look at this article as I think David offers some very poignant thoughts on this often debated topic.  The concept of a Return on Your Investment for the time, effort and monies spent on preparedness planning and solutions is something many practitioners have been seeking as justification for the hard-to-get budget to support the solutions we would like see put into place.  We are, after all, vying for the same dollars that others within the organization are asking for to support revenue generating products, tools and assets.  I think David, in Part 1 of his article, has set a nice foundation for a supporting argument.  I am very curious now, to read part 2.

Maybe his part 2 will address my subsequent questions.  I understand and appreciate the concepts behind this discussion, but I think the question about ROI helps us only to a point in helping capture those last few dollars for our programs.  The ROI argument or question, might really be, at what point is an ROI required to invest in our preparedness program and when does the ROI, even if it does exist, no longer make sense?

I ask forgiveness from my international readers as I draw an analogy to American football.   There are some contingencies or preparedness programs that just makes sense to invest in – like having a backup Quarterback – or backup for each position.  But, how many backups and what combinations are the right number?  And what is the right price to pay for the backups?

Should I pay more for my backup QB than I do for a starting lineman?  Should I have two backup QB’s and only three backup offensive linemen that are interchangeable?  Should I invest in a backup kicker, or just use one of my other players in an emergency situation?

Using David’s article as my guide, it is obvious that I get an ROI for each backup.  I benefit from being able to practice against the backups.  The competition for a starting position improves the play of all.  And, some backups might even put some additional fans in the seats.  But a return alone is not the answer.  We must analyze how each decision impacts the whole.  Sometimes I think the business continuity planners loose sight of this fact.

The more I pay for backup QB’s the less I have to spend on facilities, marketing, uniforms, cheerleaders, etc.  And we all know how important the cheerleaders are.

So, yes, I anxiously await David’s part 2 – “The Implications”.  He is a smart man; I am looking forward to benefitting from his wisdom.

Category: Business Continuity, Management Reporting | Tags: , , ,

Happy Memorial Day from Safe Harbor Consulting

Joe Flach | May 28, 2012 | No comments

Many of us across the United States of America get to enjoy a Monday holiday in memory of the brave men and women who have given up their lives in defense of our country and our freedoms.

War is a horrible and tragic reminder of man’s imperfections.  It is unfortunate that, at times, we must engage in such atrocities to protect the people and liberties that we cherish.  Whereas, it would be wonderful if man could resolve conflict without the need to result to war, it is a luxury that we do not live with today.

However, today is not the day to discuss the need for or the rights and wrongs about war, but rather, it is a day to remember those who lost their lives in fighting them on our behalf.

We, at Safe Harbor Consulting, proudly join in with other Americans across the United States in remembering those individuals who died keeping our harbors safe.

There was a time, not too far ago, when business continuity practitioners in the U.S. didn’t really consider the threats of war as a viable risk to plan for.  The tragic events of 9/11 changed the way some people think about war and changed the way some business continuity planners think about risks.

Many more brave young men and women have been added to the names of those we remember on this day since that tragic event.

So, as we, and millions of other Americans enjoy our parades; our backyard cookouts; our baseball games; and, our freedom – we say, “Thank you”.

Happy Memorial Day.

The Folks at Safe Harbor Consulting

Category: Uncategorized | Tags: ,

The “Stand-Down” Employee – An Outside the Box Idea

Joe Flach | May 17, 2012 | No comments

Every business continuity program includes a number of employees who do not support time sensitive business functions.  These employees are not assigned seats in the alternate recovery site; are not expected to work from home; and, are not targets to relocate to other locations.  In general, these employees are asked to “stand-down” during the business interruption event until such time as an interim work location is established or the production facility is restored and ready for re-occupancy.

Many programs will note that these employees may be called upon to perform other emergency response and/or restoration activities to help the company respond to and recover from the event that caused the business interruption.  And some programs go as far as to include information in their employee databases regarding special skill-sets or other attributes (such as, whether or not they have four-wheel drive vehicles) to consider on how to possibly re-deploy these individuals to help in this regard.

I also like to caution management not to forget about these employees as they will soon be concerned about their status in the company; whether or not they still have a job; and, what their compensation status is while they “stand-down”.  History has shown that if management does not keep these individuals informed of their status and periodically communicate with these individuals they will start calling in and hunting you down to give them the answers and reassurances they are looking for.

Most HR plans fall short of defining an absolute policy with regards to how these employees will be addressed during an outage, other than to establish it as a task that they evaluate the situation, make a case-by-case determination as to how the situation will be handled and define the tools and means to communicate that to the employees.  All in all, I believe that this is a valid strategy and position to take.

I am working with one organization that is considering taking this to another level with a program that, I think, is very creative and resourceful.  This organization is considering establishing a position in their Crisis Management Program responsible for organizing a Community Response and Relief Team to provide whatever assistance and relief they can to others in the community that may have been impacted by the event that caused their business interruption.  This team would be comprised of “stand-down” employees who volunteer to be members of this program.  This type of program may be similar to and could possibly draw upon the practices employed by airlines’ CARE programs for responding to an aviation disaster and providing compassionate assistance to impacted families from the incident.

This idea is still just on the drawing board but it is an idea that I thought others might wish to consider and, perhaps, something others have already implemented.  If anyone is willing to share their ideas on this or can share examples of where it has been implemented, we would love to hear from you.

I, for one, would like to see this idea come to fruition at this organization and would love for it to catch on at others.  I will start exploring this option at other organizations I work with should the opportunity present itself.

Category: Business Continuity, Crisis Management, Emergency Response, Events | Tags: , ,

Disaster Recovery Planning vs. Disaster Recovery Plans

Joe Flach | May 14, 2012 | 2 comments

So often, when we are engaged to review existing business continuity and disaster recovery plans, we find volumes of “plans” with very important planning information but very little in the way of action plans for at-time-of-recovery activity.

By this, I mean, many “plans” include information discovered in the BIA and Risk Analyses.  There are tables and reports on what the impacts are for being down, what the requirements are in a recovery center, how many desks are needed in a recovery site, special equipment requirements, special forms, vital records listings and locations, what the critical applications are, RTO’s, RPO’s, vendor listings, employee listings, and on and on and on.

All of this information is CRITICAL INFORMATION for designing a recovery solution, but is of no real value at time of an incident.

At time of disaster, I need to know how to engage the plans and how to employ the capabilities that are provided –based on all that information listed above.

In my opinion, this information should be segregated.  When a business interruption event occurs, I do not care what the findings were in the BIA or RA – all I want to know is what is in place now, how do we get to it and what do we do when we get there.

I review many plans that pass the weight test but are so full of “noise” and so loaded with information that they become too bulky and are not usable as an action plan for what we do.

Sometimes it can be as simple as separating the two parts of the plan – many times, the “action plan” component is missing altogether.  This is sometimes especially true when a database software tool is used.  The database reports look so good and fill up so many pages, people think that that is the plan.  No, that is a collection of information needed to ensure we put the proper capability in place, but is not the action plan for how we employ that capability.

Practical, pragmatic, easy-to-use action plans are hard to come by, but, what I am most interested in finding when asked to review an organization’s level of response preparedness.

Do not confuse a compilation of information gathered in the planning process as being your disaster recovery plan.

Category: Business Continuity, Disaster Recovery | Tags: , ,

Happy Mother’s Day from Safe Harbor Consulting

Joe Flach | May 11, 2012 | No comments

Mother’s Day is coming up on Sunday and we would like to wish a Happy Mother’s Day to all the Moms that might be reading our blog page – but, hopefully, not on Sunday.

When you stop and think about it, business continuity planners and emergency management professionals could probably learn a lot about our trade from Moms.

The first effective Call Trees were probably implemented by Moms looking for that hard to find child who didn’t make it home on time for dinner.  The missing-child’s Mom would call neighbor Moms, who would call other Mom’s, who would call other Mom’s, until someone finally hit on the location of that lost-track-of-time child and report back to the initial Mom.

And what Mother’s purse does not show signs of being a fully equipped Emergency Go Kit?

Mom’s always know the important phone numbers to call and always seem to know just where to post this information so it is easily found when needed.

If you ever want to know what the “mission critical” items are for a safe and prosperous vacation, just look into the Mom’s suitcases – all the critical and essential “business processes” are neatly packed and readily available.

And, should a crisis erupt, who better than Mom to take charge, rally the troops, stymie the panic and find the mops to start cleaning up the mess?

From kissing booboos to easing broken hearts, Mom is the quintessential emergency manager and crisis counselor.

So, thanks Moms.  Not only have you helped us along the way in life, but you have prepared us for this odd profession we find ourselves in today.

Have a Happy Mother’s Day.

Category: Uncategorized | Tags: ,

An Open Invitation to Guest Bloggers

Joe Flach | May 11, 2012 | One comment

Yesterday marked a milestone in our brief existence as Business Continuity bloggers.  Our tracking software indicated that we achieved our first 100+ unique visitors/day to our blog page yesterday with 104 hits!!  On average we get about 20 – 30 visitors each day, but that average has been steadily climbing throughout our existence.  To date, the largest single month has seen 720 unique page visits to our blog page – but this month is already threatening that mark.

We are pleased with this traffic and thank you all for investing your valuable time in checking out the topics, issues and subjects we choose to blog about.

As a result, we think it is now a good time to issue an open invitation to any of you that might wish to post a guest blog article on our site.  Whereas, we love the challenge to come up with fresh and creative blog articles, we also welcome the opportunity to add new voices and flavor to our page.  And, you can be confident that some of your peers and co-planners will actually see your articles … hopefully, at a continued rate of over 100/day.

Please feel free to indicate your interest in being a guest blogger through a comment to this entry or by emailing us at jflach@safeharborconsulting.biz.

You can email us with an idea or complete draft article and we will get back to you as quickly as possible.

We will reserve the right to pick and choose those articles that we deem appropriate for this blog page, but I am confident that we will have lots of flexibility to allow your thoughts to grace and improve our page.

We also continue to have an open invitation for complimentary service providers to include a link to their pages in our “My Links” section of this page.

Thanks for your patronage to our page.  If you were one of the 100+ that visited us yesterday – thanks for coming back.

Enjoy your weekend and think about being a guest blogger – we would love to hear from you.

Category: Business Continuity - General | Tags: ,

Are We Prepared for the Next Disaster?

Joe Flach | May 10, 2012 | No comments

I found and listened to this NPR radio story titled, “Is the U.S. Prepared for the Next Disaster?”.  Even though this interview was conducted a year ago, I think the message is still valid and important.

I think the interviewee, Craig Fugate, does a good job in identifying a problem with past disasters being a failure to engage the proper level of support through a formal request for assistance.  Although Mr. Fugate doesn’t use this term, I like to label these the “triggers to engage”.  One of the biggest problems with the response to Hurricane Katrina was that Federal authorities assumed the trigger to engage was a call from the local authorities, whereas the local authorities thought the trigger to engage was the event itself.  While Federal agencies were waiting to be asked for help, local agencies were sitting and waiting for the help to arrive.  Meanwhile, crucial time was slipping by and the losses and damages were escalating.

I was glad to learn that FEMA now self-engages not only when an incident occurs but also when the threat of incident rises.

I think this is an important lesson to learn and address in our own plans.  I think it is important to identify and practice those “triggers” for engaging certain components in our Emergency Response, Business Continuity and Disaster Recovery Programs.  What are the “triggers” for: putting vendors on alert; communicating with employees; mobilizing resources; alerting customers and other stakeholders; declaring a disaster; etc.?

Also, Mr. Fugate notes that having a single entity in charge introduces a single-point-of-failure in the response process.  Whereas, I understand his point, I also think it is important to mention that when you have lots of links in your communication and control “chain” you have lots of opportunity for the chain to break.  If the mayor engages the governor who engages the president – well, there are lots of mis-engagements that can occur.  And, if one link in the chain breaks, all the links that follow are missed.

I agree with Mr. Fugate that we are better prepared today than what we were in the past, but saying you are in better shape today than you were when you were grossly out of shape, does not mean you are in good shape.  Unfortunately, I also believe that the further removed you are from the last significant event, the more likely you are to get back out of shape.  We are never more prepared to respond to a disaster than we are immediately after a disaster occurs.  Lessons learned are fresh in the mind, implementation guidelines and procedures are reviewed, refreshed and rehearsed.  But, as time goes by, we start to, once again get complacent and once again start to slip back into our bad habits.  And, as soon as we start to believe we are in good shape, I start to get more worried.

In conclusion, I think this is a terrific interview with important messages that are worth listening to again.  I encourage you to think about and rehearse the “triggers” in your program and to identify potential weak links in your communications and engagement chains.  And, never allow yourself to believe we are prepared for the next disaster … continue to work on improving your level of preparedness.  After all … how do you think people would have responded to the question, “Is the U.S. Prepared for the Next Disaster?” on September 10, 2001?

Category: Business Continuity, Crisis Management, Disaster Prevention, Disaster Recovery, Emergency Response, Events, Risk Management | Tags: , , ,

Establishing RTOs

Joe Flach | May 9, 2012 | 2 comments

I think there is a common mistake that we, as business continuity planners, make when working with our business partners to determine RTOs for processes and applications that support them.

I think we do a good job in using the findings from our Business Impact Analyses (BIA) to help identify the Most Critical, Critical and Essential business processes (or whatever labels you happen to use) to ensure that these processes are what we recover first, but, I think when we work with these areas to define Recovery Time Objectives (RTO) we do not properly establish the post-disaster performance objectives.  I think that most of us allow our business partners to establish their RTOs based on the assumption that they will be operating at or close to business as usual.

Sure, we instruct them to try to establish the minimum requirements and consider work arounds and the such … but, to achieve what end?  How many of us first ask senior management if there will be any changes to our management objectives following a serious business interruption event?  Will revenue or income targets be adjusted?  How much additional costs and expenses can we incur?  Will response or service targets be adjusted?  Margin targets adjusted?  ROI?  ROE?  Or, any other management metrics adjusted because we are in crisis mode of operations?

Although this goes against my overall philosophy of trying to simplify things, I think it would be beneficial to establish three modes of operation when establishing RTOs with our business partners.

  1. Survival Mode
  2. Sustain Mode
  3. Business as Usual Mode

The goal of Survival Mode operations is simply to keep the company solvent.  Forget trying to be profitable; forget growth targets; forget avoiding all penalties, fines and service interruptions – what, minimally, does the company need to do to not jeopardize the solvency of the firm?

The goal of Sustain Mode operations is to satisfy the commitments we have today with our current customer base.  What do we need to do to keep our current customer base satisfied and meet the regulatory and contractual obligations we already have in place.

And the goal of Business as Usual is … well, just what the words say.

I think if we could get senior management to define the management objectives for each mode of operation and how long the company can operate in each mode, the RTOs we establish will be much more realistic.

I work in many environments testing their RTO capabilities where, when short time-frames are missed, they report this as a failed exercise but, the business areas ultimately say, we could have lived with the delays.  I think our RTOs, in general, are much tighter than they need be if we think about Survival first, then Sustain and then BAU.

I know, I know, I know … for those of you cursing me out; yes, there are some real crucial business processes that legitimately have very short RTOs (or require immediate failover with no downtime), but I think that pool of requirements is much smaller than many of our programs suggest.

So, yes, I think we do a good job focusing on Most Critical job processes, but I don’t think we establish the right mindset in gathering the requirements to support them after a disaster.

I welcome all comments to the contrary or, heavens forbid, in support of this concept.

Category: Business Continuity, Business Impact Analysis, Management Reporting | Tags: , , , ,
« Older Entries