Archive for Business Continuity – General

Planning versus Being Prepared

Many organizations engage in business continuity and disaster recovery planning; few organizations are prepared for a business interruption event or a disaster.  There is a difference.

My wife is a terrific party planner.  We just threw a birthday party for our youngest son who turned eleven years old this past Sunday.  My wife “planned” his party weeks in advance, but, until we got the invitations sent, the supplies purchased, the house cleaned, the balloons and decorations put up, the gifts wrapped and the cake baked, we were not “prepared” for the party.

The Allied Forces “planned” the D-Day Invasion months in advance; but, until they recruited for, trained, transported the forces and equipment to where they were needed, ran simulations, drills and practices, monitored the weather, performed reconnaissance, set up Command Centers and established communications channels and protocol, they were not “prepared” for the invasion.

Simply going through the motions of creating Business Continuity and Disaster Recovery Plans does not necessarily mean your organization is prepared to respond to, operate through or recover from a business interruption event or disaster.  There are many organizations who have followed the standard and accepted business continuity planning methodology, resulting in numerous, well-documented plans, that are NOT prepared for a disaster.  How can this be?  Here are some contributing factors that can result in that kind of dichotomy:

Invalid Planning Assumptions.  Almost every plan written includes a list of planning assumptions in the Introduction or Overview sections.  Many times these “assumptions” are really planning requirements, caveats or downright erroneous assumptions that invalidate the plans and continuity strategies in place.

For example:

  • A plan might include the assumption that employees are trained and have copies of the plans in their homes. This should not be a plan assumption; this should be a program requirement.  This requirement is auditable and should be tracked.  Your plan should not “assume” this to be true; your program should “ensure” that this is true.
  • A plan that utilizes a work from home solution might include the assumption that employees routinely take their laptops home with them every night. Again this is an example of a program requirement, not a plan assumption.  If your business continuity solution relies on corporate assets, such as laptops, being available in certain employees’ homes at time of a disaster, you need to ensure that these assets are there when needed.
  • Sometimes, plans “assume” that the disaster impacts only the facility that the plan is written for. In cases when the continuity or recovery strategies rely on alternate sites (or employees working from home) that share a common footprint of known risks and threats in the area, that may not be a plausible assumption.  In these cases, it is important that management know “what” they are prepared for.  For example, management might be told that you are prepared for a building outage but not a wide-area outage caused by an earthquake or flood or hurricane.  This could be important information to know if you are in an earthquake, flood or hurricane zone.
  • Many plans include the “assumption” that the strategies and technologies the plan relies upon are available, functional and usable at time of need. Many times, management reads this “assumption” as a “given” when, in fact, these solutions are yet to be implemented, contracted for or proven reliable.

When assessing an organization’s level of preparedness, plan assumptions should not be glossed over nor should they be accepted as being “givens” or truths.  If the viability of your plan is dependent on these assumptions being true, you must have policies and procedures in place to ensure these conditions exist and protocols in place to measure the level to which they are being met.

Dependencies That Can’t Be Depended Upon.  In a related situation, some plans include a list of dependencies that the plan’s execution relies upon.  Sometimes, the reliability of these dependencies is also listed in the plan’s assumptions.

For example:

  • The successful execution of the strategies outlined in the plan might be dependent upon external, single-source suppliers (of services, information or raw material) remaining operational. If these organizations are also at risk of being impacted by the same business interruption event, this might not be a reliable requirement.  You should include the examination of these organizations’ recovery plans in your programs’ activities or eliminate this dependency as a single point of failure within your environment.
  • Plans are often dependent on certain individuals or subject matter experts being available to participate in the recovery effort. “People” are often overlooked as single-points-of-failure.  If the successful execution of your recovery solutions relies on one or more particular individuals being available to execute the plan, you are at risk of failure during events that impact the availability of your work-force.  Many companies that have this dependency also state that their plans could be used during a Pandemic event – this is just one type of scenario that puts that dependency at grave risk.
  • Many plans are also dependent on certain technologies and/or applications being accessible at time of an event.  Sometimes, the recovery or continuity of these technologies and applications is within the scope of your plans and sometimes, it is not.  In either case, whether or not this dependency can be relied upon is something that can and should be proven.

Failure to Socialize the Plans.  Even companies with spectacular plans and solutions in place can be unprepared for the events they have planned for due to the lack of training and education of the people who must execute the plans.  Well written plans and fully enabled solutions can fail to protect the organization from devastation if the people relied upon to execute those plans or utilize the solutions have not been trained in and practiced their roles for time of implementation.

None of Shakespeare’s plays would be successful if the actors were reading the scripts for the first time on the night of the opening performance.  Documented plans should be treated like scripts; the lines should be memorized and rehearsed well before they are needed.  If your organization is dependent on the documented plans at time of a disaster, then it is quite possible that you are not “prepared” to respond and recover.

Unreliable Testing Practices.  And then there are companies that do routinely practice and rehearse for the event, but are still not “prepared” because of some unreliable testing practices that are commonly used.

Most business continuity and disaster recovery plans are designed to allow an organization to respond to and recover from an incident that occurs without warning and demands immediate response; yet it takes them months to plan for a test.

If the advanced planning for a test is more than an exercise in scheduling resources, your organization may not be prepared for the real deal.  Too often, the time needed to prepare for a test is used to create special back-ups; install or provision equipment; order supplies; coordinate resource availability; or a number of other logistical activities that require time to complete – none of which you will be able to do at time of a disaster that hits without warning.

If your organization plans its tests weeks or months in advance, you need to scrutinize the actions being taken to prepare for the test and question whether or not that activity would be required at time of a real event.

And, too often, organizations execute these tests or rehearsals utilizing a small set of understudies and not the people who will engage at time of the real event (thus, not achieving the socialization mentioned above).  This, too, is something that can be audited and tracked.  Your program should identify anyone who has the potential of being engaged at time of an emergency response, continuity and/or recovery event and ensure that they are trained and routinely participate in recovery tests and exercises.

CONCLUSION

So, yes, there are many companies that “plan” for a business interruption event but are far from being “prepared” for a business interruption event.  The ultimate goal is being “prepared”; do not allow yourself to be lulled into a false sense of security just because you have a “plan”.

Another BCP Acronym

Yes, I realize that the last thing we need in Business Continuity Planning practices is another acronym, but, hey, what’s the fun in writing a blog if you can’t cause trouble?  So here goes – another BCP acronym …

I have been stating for a while now, that the BCP Methodology needs to be revisited.  I think that the tried and true practice of conducting BIAs is a bit flawed.  In practice, I think, the methodology attacks middle management and department level areas in the organization without first establishing corporate-wide and senior level objectives for business during a crisis.  When we ask people to establish RTOs and RPOs (more of those lovely acronyms – see the chart below) what are they basing their answers on?  When we ask for impacts of being down, to set those recovery objectives, what business objectives are they being designed to meet?

I think that the BCP Methodology needs to add a step in the beginning of our analyses in which we establish – are you ready for it, here it comes, the new acronym, in three, two, one – our ABOs, Adjusted Business Objectives.  I think part of the fallacy in our current process is that RTOs (or MADs if you prefer that acronym) are set with the assumption that the company is still aiming to hit its established business objectives for the year.  And, I think that is wrong.  During times of crisis, I think management’s expectations of what the company should achieve are adjusted.  During times of crisis, we may not have the same Income Targets, Profit Targets, Sales Targets, Margin Targets, Production Targets, etc.

Every company establishes business objectives for the year – assuming we operate in a normal business environment.  Once that “normal” environment is compromised due to a disaster, I think those business objectives get adjusted.  And, I think it is important to relay that information to the management team that is responding to our BIA questions.  We should be asking what the critical timeframes are for conducting business functions given we need to meet these Adjusted Business Objectives or ABOs.

Department objectives are, I hope, based on meeting the overall corporate objectives.  Once we know our ABOs we can translate that down to the department level and establish more meaningful RTOs, RPOs, MADs and what have yous.

The real challenge here is, however, getting senior management involved enough in the process to establish these ABOs.  One reason I think we don’t do that today is because it is much easier beginning the process with middle management.  The savvy manager, however, I think, is the one that asks, “During a time of crisis, what are my department’s objectives?  What is senior management expecting us to get done throughout the crisis period?”

So, there it is, a new BCP acronym – ABOs – just what we needed … NOT!

ACRONYMS USED IN THIS ARTICLE – FOR THE UNINITIATED

BCP – Business Continuity Planning

BIA – Business Impact Analysis

RTO – Recovery Time Objectives

RPO – Recovery Point Objectives

MAD – Maximum Acceptable Downtime

 

The Business Continuity Planning Objective (Hint: It’s not to implement the BCP Methodology)

So, I was recently helping a colleague prepare a management presentation to discuss her plans for advancing the business continuity program in her company.  Maybe it’s just a matter of semantics, but we had a lengthy discussion over “objectives”, “goals” and “tasks”.

If you have read any of my recent blogs you might recognize a pattern in which I think business continuity planners have become victims of our own methodology.  This discussion helped me to emphasize that point.  When I suggested to my colleague that she should first succinctly define her objective, she merely listed the steps of the methodology.  I strongly disagree.

A business continuity planner’s objective is not to complete the BCP methodology.  The methodology is simply a recipe towards achieving an end.  What is that “end” you hope to achieve?  That “end” is your ultimate objective.

So, we started with: “To provide the company a means in which they can recover from (or continue operations through) any business interruption event that impacts their operations, facilities, employees or workflow.”  I am sure you can improve on this sentence, but, it is a good start – and, it helps set the right mind frame.  Regardless of what any auditor thinks or what any other professional has led you to believe (especially those with a vested interest in having you follow a given methodology), the business continuity planner’s job is not to execute the BCP methodology; your job is to prepare your organization to successfully respond to, continue critical operations through, and recover from a business interruption event.

Now, it just so happens that one of the best ways to achieve that objective is to follow the standard methodology, but, with this understanding of our ultimate objective we can better assess what components of the methodology are needed for our situation and determine what, if any, adjustments to the methodology we need to make to achieve this objective for our particular company.  We simply need to ask ourselves – about each component in the methodology – is this needed and how is it best used to achieve our objective?

With this thought in mind, I like to reorganize the standard methodology a bit and divide the components of the methodology into the Strategic Planning Components and the Tactical Planning Components.  Strategic Planning Components of the methodology help us define “what” our program should accomplish and the Tactical Planning Components help us describe “how” we accomplish these strategic goals.  The diagram here depicts this re-organization of the methodology.

[Diagram: Methodology]

If you think about the BCP methodology as a recipe for baking a cake, the Strategic Planning Components are needed to decide what kind of cake we should bake, how big it should be, what ingredients are needed to bake it and how long it should take to bake it.  The Tactical Planning Components are needed to ensure we have access to everything we need when the time comes to bake the cake, and, have the instructions for actually baking the cake when it is required.  The methodology also suggests we practice baking this cake a time or two before having to serve it for real – a good idea if you have never baked a cake before – and, making whatever adjustments are needed to constantly improve the cake and the baking process.

Now we get to a question that is becoming a topic of conversation for many business continuity planners: if the Strategic Planning Components of the methodology help us define what kind and how much cake we should bake, are they necessary if this is told to us by our management team?

This is where I think we often fall victim to our methodology.  I think we must ask ourselves – who is our customer?  Who are we designing business continuity programs for?  The methodology is not our customer.  The auditors are not our customers.  The CEO and/or Board of Directors are our customers.  In my mind, the key phrase in every BCP/Disaster Recovery/Emergency Response regulatory requirement is the one that states these plans/programs must be consistent with management expectations and approved by the Board of Directors.

I think that if Senior Management dictates the strategy to the business continuity planner and then approves the solutions put in place to achieve those strategic objectives, it is less important that you can tick off having performed every task within the BCP Methodology – even if not being able to do so upsets the auditors.  Furthermore, the business continuity planner who follows every step of the methodology to the letter and implements a solution that is not consistent with management’s expectations – has not done their job.

At the end of the day, the business continuity planner must ensure that their organization is in position to effectively and efficiently respond to and recover from any business interruption that impacts their organization.  I say, if you can achieve that – you have done your job, with or without having completed the entire BCP methodology.  Now, some will challenge and say that short of actually experiencing a disaster, the only real way to ensure that you have achieved this objective is to complete every step of the methodology.  I believe that the real proof is in the design and execution of the exercises and tests you perform.  That, to me, is the real challenge – good, complete and verifiable exercises.

But, my real objective for writing this blog is not to convince anyone that they shouldn’t follow the BCP methodology.  I think, in almost every case, even following my theory here, you will eventually determine that the standard BCP methodology is the best means for getting your job done.  I just wish to get business continuity planners to understand what their ultimate objective is and not to simply follow the methodology because they think they have to but to understand why they are following the methodology and help ensure that everything they do – every step they follow in the methodology – can be tied back to achieving this ultimate objective.  In this way, I believe, you can design your implementation of the methodology in a way that does not waste anyone’s time and effort in gathering information or conducting analyses that do not contribute to the final objective.

I think my colleague got the point and her management presentation was well received.  So, I think, I can count at least one practitioner that now sees my point.

Summer Is Ending – That Must Mean DRJ Fall World

I wish I could tell you that the reason there hasn’t been a blog article here for over a month is that I was vacationing in some exotic location without internet access; or I was deep in remote, third world countries performing humanitarian work for international charities; or that I won the lottery and was out spending my newfound fortunes – but, I can’t.

Although the reason that there hasn’t been a blog article here for over a month isn’t exactly a bad reason – in fact, I am happy to say that the primary reason is I have been busy with delivering consulting projects for new clients.

For me, that is a hopeful sign.  This bears hope of a sign that the economy is picking up and companies are now able to support projects, such as business continuity planning, that are often deemed deferrable during down-times.  This bears hope that budgets are starting to allow for monies to invest in consulting assistance for projects, such as disaster recovery planning, where the in-house expertise is lacking.  This bears hope that Safe Harbor Consulting is gaining a reputation for delivering professional consulting assistance and is making a name for itself in the crisis management and emergency planning arena.

But, I realize, even with all these “good” signs keeping me busy, I still have an obligation – to Safe Harbor Consulting and to those of you who invest time from your busy days to check out this page – to keep the articles and information fresh.  So, now that summer vacations are over – even though I did not take one – and, the kids are back in school, it is time to get some fresh information out on this blog.

The end of Summer Vacations, the start of school, football season kicking off in the United States are all signs of the calendar changing to fall.  And, in our profession that means DRJ Fall World.  I am happy to report that I am typing up this blog page from my hotel room at the San Diego Sheraton Hotel and Resort at DRJ Fall World 2012.  It is Monday afternoon and we are off to a tremendous start.

Yesterday, Sunday, was full of tremendous Workshop Sessions, a welcoming reception and product demonstrations.  Today, Monday, kicked off with 3 very informative and entertaining General Sessions and the opening of the Exhibit Hall full of vendors and service providers ready and willing to educate you on their products and services designed to assist in the strengthening and expanding of your business continuity, disaster recovery, crisis management and emergency response programs.

I have already passed out and collected numerous business cards – the real value-add at these conferences – and have made a number of new acquaintances and new friends … and it IS ONLY MONDAY!!

I am looking forward to the breakout sessions this afternoon and two more action packed days of DRJ Fall World lying in front of me.  This DRJ conference marks the 47th Conference put on by the DRJ and they just keep getting better.  That is mostly because the attendees are getting more experienced and are able to drive the topics discussed to deeper and more complex levels of challenges that we face in this field.

I will – I promise – post a few more blogs during my time here so that you can learn some of the stuff that I learn.  And, if you happen to be here – come up and say, “Hi” – it would be a pleasure to meet you, as well.

But, now – I have those breakout sessions to get to, so, I will see you later.

Happy Birthday To Us!

This month is the 1 Year Anniversary for this Business Continuity Blog page.  And you thought we couldn’t keep it going for a whole year! ;-)  Our first article on this blog was posted on July 16, 2011.  Since that time, we have posted 130 articles on the topics of business continuity, disaster recovery, emergency preparedness and crisis management.  Who knew we had so much to say … watch it!

Over the past year, we have had over 5,600 unique views of our blog page – not too shabby for a page in such a specific and unique field of expertise.  And, we sincerely thank each and every one of you who invested your valuable time to see what it is we had to say (or write about).  We especially thank all of you who have come back to check us out periodically throughout the year.

We added the Facebook “Like” option to our page about ¾ of the way through the year and have received a good number of “likes” on certain articles.  By doing so, you have helped promote our site to others in your Facebook network to help broaden our exposure, and, for that, we thank you.

The page views have continuously trended up throughout the year, so we know our reach is expanding and our audience is growing; this is all the incentive we need going into year two to make sure we keep the page fresh and add new content.

We have invited you to also participate as guest bloggers on our page and have had a couple of individuals express interest in doing so; we anxiously await their entries to post to our page.  If you would like to post your articles here, just let us know.

We have worked hard to get this page recognized by Internet search engines and have been successful in getting this page listed as the number 1 or 2 entry when doing a search on “Business Continuity Blogs”.  This, we think, is mainly achieved by the number of fresh updates we post to the site.

By the number of spam messages we have received throughout the year – over 8,800! – it is obvious that our page is easily found.

The one thing that we would like to have done better is to have achieved more comments on our posts.  Over the past year we only received 45 comments on our articles.  Not a bad number, but we were hoping this forum would generate more conversation.  Comments help us to assess whether or not we are addressing the right topics and help you to educate us (and other readers) on other techniques and practices that you have found to work for you and your organizations.

Overall, it has been a fun year.  Sometimes we are challenged to come up with fresh, new content, but, through incidents and other forums, we have been able to find new and unique ideas to post about.  We anticipate the same for year two.

So, if you are reading this and have enjoyed our page over the past year, or even if you are reading your first post on this site, we would gladly accept your birthday present as a comment on this article to help propel us into year two knowing there are people out there celebrating along with us.  Thanks.

An Open Invitation to Guest Bloggers

Yesterday marked a milestone in our brief existence as Business Continuity bloggers.  Our tracking software indicated that we achieved our first 100+ unique visitors/day to our blog page yesterday with 104 hits!!  On average we get about 20 – 30 visitors each day, but that average has been steadily climbing throughout our existence.  To date, the largest single month has seen 720 unique page visits to our blog page – but this month is already threatening that mark.

We are pleased with this traffic and thank you all for investing your valuable time in checking out the topics, issues and subjects we choose to blog about.

As a result, we think it is now a good time to issue an open invitation to any of you that might wish to post a guest blog article on our site.  Whereas we love the challenge to come up with fresh and creative blog articles, we also welcome the opportunity to add new voices and flavor to our page.  And, you can be confident that some of your peers and co-planners will actually see your articles … hopefully, at a continued rate of over 100/day.

Please feel free to indicate your interest in being a guest blogger through a comment to this entry or by emailing us at jflach@safeharborconsulting.biz.

You can email us with an idea or complete draft article and we will get back to you as quickly as possible.

We will reserve the right to pick and choose those articles that we deem appropriate for this blog page, but I am confident that we will have lots of flexibility to allow your thoughts to grace and improve our page.

We also continue to have an open invitation for complimentary service providers to include a link to their pages in our “My Links” section of this page.

Thanks for your patronage to our page.  If you were one of the 100+ that visited us yesterday – thanks for coming back.

Enjoy your weekend and think about being a guest blogger – we would love to hear from you.

Continuity Insights 2012 Management Conference

The Continuity Insights 2012 Management Conference is scheduled for April 16 – 18 in Scottsdale, Arizona.  And, Safe Harbor Consulting will be there and well represented on the agenda.

We have been slated a terrific spot on the agenda with Joe Flach presenting his break-out session, “Revisiting the BC/DR Planning Methodology” (Session B4) on Monday, April 16 from 11:00 am – 12:00 noon.  Then, on Tuesday, April 17 from 9:45 – 11:00 am, Mr. Flach will be a panel member in a break-out session on “Exercise Facilitation Techniques” (Session G4).

You can register through the Continuity Insights website and enjoy early registration discounts.

Safe Harbor Consulting will also be hosting a Hospitality Suite in the “Talking Stick Resort”, where the conference is being held, and we look forward to meeting and entertaining you there.  We will post the room number for the hospitality suite on the Conference Bulletin Board at the conference.

We are looking forward to some fun in the sun; interesting and educating sessions; and good times with good friends.  Let us know if you are planning to attend the conference so we can be sure to connect in Scottsdale.