Archive for September 20, 2011

The Revolutionary

I am going to go off topic for this blog post to direct your attention to a new documentary film soon to be released about a fascinating man I have had the opportunity to get to know through weekly lunch meetings with the Gig Harbor Midday Rotary Club.

I first started talking to Sidney because one of my sons is a Linguist in the Navy and is fluent in Mandarin Chinese.  Sidney is a very humble man and it took me a while to realize just how vast his experiences and role in the Chinese history really are.  This web site, about the documentary film being made about the life of Sidney Rittenberg, tells his story much better than I could ever do.  I am making arrangements to attend the premier of the documentary at Pacific Lutheran University in Tacoma, WA in a few weeks.

I strongly urge you to take few a minutes and look at the interview clips on the web site and, should the documentary, “The Revolutionary” make it to a theater near you, I urge you to check it out.

Gaining Management’s Attention

It is a question that Business Continuity and Disaster Recovery Planners have had to deal with ever since this field came into being: “What can I do to get management fully engaged in the planning  process?” 

There is a current discussion going on in a Linked-In Business Continuity Group on this topic.  There are your typical, age-old answers, of highlighting the awareness of the need for this kind of planning; identifying the managers’ greatest recovery concerns; being better skilled at selling the benefits of planning.  There are even some more creative answers with highlighting the risks involved of not planning and the such. 

These are all very good answers – might work, might not – and the struggle continues. 

I do not profess to have THE answer to this question.  And, I know that what I propose is not easy to achieve – but, it seems to me the best way to motivate people to pay attention is to hit them in the wallet.  By this I mean, try to get their ability to plan incorporated in their performance appraisals that help determine their bonus, next raise or promotion.  At the end of the day, individuals are going to concentrate their time and attention on those tasks that will influence their performance appraisal and bonus or pay increases.  In most organizations, the only employees being graded on how well business continuity planning is completed are the business continuity planners.  Sounds responsible – but, doesn’t help promote the need to plan.  Our leadership teams can give all the lip service they want to the need to plan and participate on tests, but unless they back it up with penalizing those who don’t participate, you are still going to have problems getting participation.  Currently, there are few penalties for not planning other than having the BCP folks whine at and pester you. 

Every department management team should be held responsible for the development of their plans.  The BCP planner is really an internal consultant available to help them achieve this, but the responsibility should lie with the management team.  Have their success in planning, documenting and testing their business continuity strategies included in their performance appraisal and I bet they start paying more attention to their plans. 

One variation of this is in organizations that include Audit Results in the performance appraisal process.  Get your Auditors to include review of business continuity plans in each department audit.  If exceptions are noted, and these exceptions impact the performance appraisal or bonus program, they will be addressed. 

Again, I am not saying it will be easy to change the corporate culture to get business continuity planning included in the performance appraisal or regular audit process, but, I feel pretty confident that if by not giving attention to the planning effort, these managers feel they are leaving some bonus money on the table, they will start paying attention.  And, do we really care whether or not they buy into the “need” to plan as long as they plan?  Maybe – but, hey, results are results.

Disasters, Disasters, Disasters

One of the challenges that Business Continuity and Disaster Recovery Planners have had to face over the years is in dealing with a largely apathetic business community.  Many of the management personnel we try hard to work with just do not buy into the belief that a disaster is likely to occur – or, at least – not during their time in the position, so why invest time and resources to plan for an unlikely event?

In this day and age, that is dangerous thinking.

I have written a few blogs over the past month about real events that have recently impacted the business community – the threats are real; the impacts are meaningful.  Safe Harbor Consulting alone has received numerous calls from companies that have been impacted by these events – even if just impacted by having to prepare for potential losses – realizing the need to update, expand and improve their emergency response and business continuity plans and posture.

It used to be that I would search for disaster related stories on the internet to try to validate the work we do, but now all you have to do is look at the top news stories for the day.

Today, for example, some of the top news stories on Yahoo include:

A Google news search, in addition to similar headlines, includes:

And these are just the top news stories for a typical day.  Each of these events have the potential of causing some sort of business interruption or impacting the workforce in some way for companies in the vicinity of the event.

These stories range from the scary (earthquake) to the sublime (satellite falling to earth), but they all have crisis management, emergency response and potential business continuity concerns.

We can no longer pretend that the threats are not out there.  And, we as professional planners can no longer use the excuse that management just does not appreciate the need for planning – it is our job to make them understand the need for planning!  So, let’s get out there and do our jobs.

I almost hate to see what tomorrow’s headlines will bring!

The Emergency Notification and Escalation Process

I think that one of the biggest challenges in the Emergency Response process is devising efficient and effective escalation and notification protocol.  Who gets called and when?  What are the triggers to escalate?  Who is being called into action vs. who needs to simply be informed?  This is particularly challenging when the event is one that starts out small and grows into something larger.

The response to Hurricane Katrina is a prime example of an event where this process got confused and mismanaged.  Certain agencies were waiting to be called into the response process while those in need expected them to engage automatically.  The “engagement trigger”, if you will, was not defined and understood.  The responder thought the trigger was a request by the local authorities, the local authorities expected the trigger was implied by the extent of the crisis.  One waited for the phone call, while the others sat waiting for help.

I think it is important that engagement triggers be defined for all entities that could have a response action.  Are there automatic triggers, where a response team will conditionally engage given certain parameters?  Or, are there teams who will always be called into action by others?  These must be defined, communicated, known and rehearsed.  Back to the Katrina disaster – most agencies knew what to do – they just did not start doing it at the right time due to the confusion on when or how to engage.

With regards to the notification process, I often see confusion in programs between a notification that calls you into action vs. a notification to be informed or put on stand-by.  Many organizations use a multi-tiered notification process utilizing, Alerts, Declarations and an Alls Clear notification system.

An alert, prepares responders for the potential to engage should the situation escalate.  A declaration is a call to action.  Some events will bypass the alert stage and immediately result in a declaration.  Not all alerts will result in a subsequent declaration.  But, all alerts and declarations must be followed by an eventual Alls Clear. 

I have also worked with many organizations that did not have a protocol for issuing an Alls Clear communications.  I think it is important to notify all team members and all parties included in the response process, whether actively engaged or not, that the situation has ended and they can return to normal operations.

And then there is the challenge of notifying those who must engage (a call to action) and simply those who want to know.  I highly encourage limiting that “want to know” group to a select few.  Most of these folks can be kept informed after-the-fact with post event summaries.  Most of your emergency notification calls should be a call to action (or an alert to those who may be called to action).  Too often I have seen Command Centers and the emergency response process get bogged down by curiosity calls and fringe management interfering with those who have a job to do.

I recently worked with an organization that had a large number of non-responders who insisted they had a “need to know” about certain incidents.  This was remedied when there was an on-the-job injury at 3:00 am resulting in a phone call to all these individuals.  Suddenly, it became less important to include them in the notification tree and they settled for being on the post incident report distribution list.

There are many applications and services that facilitate the notification and alert process, but, the ease of use of these systems should not result in you simply adding folks to the notification list if it is not understood what their response responsibilities are.

Identify your triggers.  Make sure if you have automatic triggers that everyone understands when and where they apply.  And, include these triggers in your response drills and exercises.

A Survey: Your Favorite Disaster Movies

Okay, here is another self-serving blog post.  In an attempt to increase the interaction on this blog page, I am going to try to conduct a fun (I hope) little survey.  I can see that this blog page gets a relatively good amount of hits each day, but few (very few, basically almost none) folks are clicking on the “No Comment” button to change it into a “One Comment” or more button.  So – help me out here folks!

So, here goes – the survey question, somewhat related to the topic of the blog, is …

WHAT IS YOUR ALL-TIME FAVORITE DISASTER MOVIE?

This website includes a long list of what it labels “Disaster Movies” – although I think they really stretch the genre definition.  I looked this list over and saw a few of my all time favorites, although I wouldn’t really have labeled them as disaster movies.  These include:  “The Omega Man”; “A Boy and His Dog”; and, “Independence Day”.  I bet there aren’t too many of you who can say you have seen, “A Boy and His Dog”.

So, what are your favorites?  Please enter your favorite(s) in the reply box at the bottom of this post (or, if the reply box does not appear, click on the “No Comments” button to take you to a page formatted for replies).  Maybe some of these can give me ideas for future facilitated exercises … then again, maybe not.

Famous Disasters

Today I am going to take a little break from the typical business continuity and disaster recovery blog to simply direct your attention to this neat little web site I found listing a few historic disasters.  This is by no means an exhaustive list nor do I necessarily believe these are THE most famous disasters of all time, but it is a neat little page with some interesting facts about a few historic disasters.

If you have the chance, check this page out and read the little vignettes about the events listed.

Seems like 2011 could have a list of its own.  One of earlier blogs looked at the incidents that have occurred the past few months.  And, within hours of posting that particular blog, the lights went out in Southern California and the surrounding area.

I hope that the most famous disasters remain in our past, but something tells me we’ve got a few in our near future and that is why we must continue to be diligent and plan for what comes next.

Calamityville

Having spent some time visiting my brother and his family this past weekend, we finally got to talking about how our individual specialties have real synergistic potential to help advance and improve our own fields of expertise.  My brother, Dr. John Flach, is the Professor and Chair of Psychology at Wright State University in Dayton, Ohio.  John (I don’t have to call him, Dr. Flach) specializes in Human Factors Engineering and has been spending a lot of time studying human factors at time of crisis.

John put me on to this Calamityville project at Wright State which sounds rather interesting.  I get all goose-bumpy thinking about how this could be applied to a number of emergency response practices and organizations.  Interesting stuff I thought you might like to check out.

We then spent a few hours watching a near-disaster take place as my alma mater, the Ohio State University, nearly lost a football game to the University of Toledo – but, that is another story for a different kind of blog.

Check out the Calamityville website and let me know what you think.  Does this sound like something that will work and have potential to give us greater insight in crisis response techniques and practices?  Your comments are welcomed – just don’t tell me you are a Michigan fan!

Increased Terrorist Threats

Unfortunately, news reports about terrorist threats for this coming weekend do not come as a surprise.  I will be travelling myself this weekend, including on 9/11, and am preparing myself to be patient with heightened security measures at the airports.

Part of the terrorists’ objective is to paralyze their enemy from the fear of terrorism.  I am not, in any way, suggesting these heightened measures are not warranted – in fact, I believe in the motto of “better safe than sorry” – but, the increased measures we take and their impacts on the otherwise free citizens of the United States is, in some small way, a victory for the terrorists.

I just hope we all can understand and appreciate the need for these increased efforts this weekend and all of us can abide by the heightened security with patience and cooperation.

I will be keeping an eye on the reports – including checking out what Mayor Bloomberg has to say in his upcoming Press Conference.  I will not vary my travel plans, but will build in extra time in my schedule to anticipate some slow-downs at the airports.  I hope the fear and threats are just a technique for instilling fear and do not result in any real incidents.

Be safe my friends and enjoy your weekend.

And, regarding the anniversary of 9/11 … never forget.

Is 2011 Becoming the Year of the Disaster?

What is going on with the weather this year?  My wife and I moved out to the Pacific Northwest over three years ago, for reasons I will not bore you with, and are sitting up here without a worry in the world, while the rest of the country has been bombarded with weather and geological related incidents one right after another.

This year has truly been an epic year in terms of these events in the United States.  Certainly, each and every year brings its own challenges, but this year seems to be one right after the other.

We kicked off this year with the Groundhog Day Blizzard that crippled much of the nation from New Mexico and Northern Texas to New England and Eastern Canada.  Who knew at that time that this was just the beginning?

Shortly after this huge snowstorm, which contributed to the next crisis, the flooding began.  We have had historic levels of flooding on the Mississippi River, Missouri River and others. 

Then, the tornadoes started to occur.  The 2011 tornado season was one of the worst on record seemingly making the news every night with a new city being devastated.  According to this Wikipedia article, there have been 1,764 tornadoes in the US in 2011 – that’s a lot of tornadoes and a lot of damage!

Then, while the weather takes a little break, we get a nice little earthquake on the East Coast.  Nothing real significant (easy to say, sitting here in Gig Harbor, WA) but just a little something to rattle the cages of those who didn’t expect an earthquake to be rattling their cages.

And, that “little break” the weather took didn’t last long, as right on the heels of the earthquake, Hurricane Irene decided to give the East Coast a visit.  It turns out she was not as bad as some prognosticators predicted, but she was pretty bad nonetheless.

So, what’s next?  Oh, how about a few little Texas fires – and by little, I mean Texas-style little, which is pretty huge to the rest of us.  A little more flooding in the Northeast, perhaps – check.

I am currently working with an East Coast company to help them plan for an Emergency Response exercise.  We are quickly reaching the conclusion that they do not have to exercise given the number of real life implementations they have had and are even now currently experiencing with more floods in New Jersey.  Enough already!

Safe Harbor Consulting opened our doors as a new business continuity, disaster recovery, and crisis management consulting firm earlier this year.  Some folks have accused us of causing these disasters as a way of promoting the need for our services.  I assure you, our connections with the man above are not that good.

And I have only talked about incidents impacting the US!  Imagine how long this blog would be if I started listing worldwide events.  I am almost afraid to ask, “What could be next?”  The answer is likely to be in a future blog.

Be safe, folks.

Test Facilitation – Who Should Be Doing This?

This, of course, is a self-serving question – I won’t even try to disguise that fact – but I wonder how effective it is for Business Continuity and Disaster Recovery Managers to design, administer and facilitate their own tests and exercises.

I used to argue this point years ago when I was a programmer.  I thought it was very important to separate the testing responsibilities from the programmer writing the code.  It just seemed to me, if the person who wrote the program was also responsible for testing it, you wouldn’t be so effective.  They would only test to see that the software worked the way they wrote it and not the way a user might use it – does that make any sense?  I remember once another programmer asked me to help test their program.  I sat down at the input screen and in the fields asking for dollar amounts typed in a bunch of letters – they immediately said – “No, no, no – those are numeric only fields.”  “Yeah, well what happens if I put in letters?”  The program aborted.  Back to adding code checking the fields for numeric values.

In the case of Business Continuity programs I think there are a few conflicts of interest at play here.  I think many planners use tests to highlight program weaknesses and increase awareness of policies and procedures, but, they are also responsible for many aspects of the program and, by human nature, will design the test/exercise knowing what they do well and what they do not.  Maybe, having an outside entity, someone who is not prejudiced by the knowledge of what a particular program’s strengths and weaknesses are, would result in a more legitimate exercise.

Secondly, even though Business Continuity Planners are mostly responsible for preparing their organizations to respond to and recover from disasters, don’t most, if not all, of you also have some role to play in the implementation or management of the crisis during time of the disaster?  If so, how well are you testing your process if you are the one preparing and facilitating the exercise?

One last segment of this commercial – I really do apologize for this, I promised myself I would try to be more subtle in using this blog as a blatant commercial – by using an experienced outside organization to develop and facilitate your exercise, we gain the benefit of the knowledge they have learned in participating in many exercises of other organizations and seeing what they have done well and what they have struggled with.  Some of this experience will benefit your organization as they observe your responses and actions throughout the exercise.  I know that I always find myself, at one point or another in an exercise, when discussing the challenges an organization faced in the post exercise review offering saying something like, “What I have seen another company do in this situation that seems to work for them is …”

I know this often comes down to a question of costs and budgets – what doesn’t – but, I think some planners just aren’t confident enough to have someone else come in and test their program and/or use the exercise as a means to promote themselves and their role in an organization.  For programs that are mature and your real testing objective is to measure just how prepared you and your organization really are, maybe it’s time to bring in an outsider to help administer your exercise.  If so … our phones are open.

Now back to your regularly scheduled show.