Archive for Management Reporting

The Business Continuity Planning Objective (Hint: It’s not to implement the BCP Methodology)

So, I was recently helping a colleague prepare a management presentation to discuss her plans for advancing the business continuity program in her company.  Maybe it’s just a matter of semantics, but we had a lengthy discussion over “objectives”, “goals” and “tasks”.

If you have read any of my recent blogs you might recognize a pattern in which I think business continuity planners have become victims of our own methodology.  This discussion helped me to emphasize that point.  When I suggested to my colleague that she should first succinctly define her objective, she merely listed the steps of the methodology.  I strongly disagree.

A business continuity planner’s objective is not to complete the BCP methodology.  The methodology is simply a recipe towards achieving an end.  What is that “end” you hope to achieve?  That “end” is your ultimate objective.

So, we started with: “To provide the company a means in which they can recover from (or continue operations through) any business interruption event that impacts their operations, facilities, employees or workflow.”  I am sure you can improve on this sentence, but, it is a good start – and, it helps set the right mind frame.  Regardless of what any auditor thinks or what any other professional has led you to believe (especially those with a vested interest in having you follow a given methodology), the business continuity planner’s job is not to execute the BCP methodology; your job is to prepare your organization to successfully respond to, continue critical operations through, and recover from a business interruption event.

Now, it just so happens that one of the best ways to achieve that objective is to follow the standard methodology, but, with this understanding of our ultimate objective we can better assess what components of the methodology are needed for our situation and determine what, if any, adjustments to the methodology we need to make to achieve this objective for our particular company.  We simply need to ask ourselves – about each component in the methodology – is this needed and how is it best used to achieve our objective?

With this thought in mind, I like to reorganize the standard methodology a bit and divide the components of the methodology into the Strategic Planning Components and the Tactical Planning Components.  Strategic Planning Components of the methodology help us define “what” our program should accomplish and the Tactical Planning Components help us describe “how” we accomplish these strategic goals.  The diagram here depicts this re-organization of the methodology.

[Diagram: Methodology]

If you think about the BCP methodology as a recipe for baking a cake, the Strategic Planning Components are needed to decide what kind of cake we should bake, how big it should be, what ingredients are needed to bake it and how long it should take to bake it.  The Tactical Planning Components are needed to ensure we have access to everything we need when the time comes to bake the cake, and, have the instructions for actually baking the cake when it is required.  The methodology also suggests we practice baking this cake a time or two before having to serve it for real – a good idea if you have never baked a cake before – and, making whatever adjustments are needed to constantly improve the cake and the baking process.

Now we get to a question that is becoming a topic of conversation for many business continuity planners: if the Strategic Planning Components of the methodology help us define what kind and how much cake we should bake, are they necessary if this is told to us by our management team?

This is where I think we often fall victim to our methodology.  I think we must ask ourselves – who is our customer?  Who are we designing business continuity programs for?  The methodology is not our customer.  The auditors are not our customers.  The CEO and/or Board of Directors are our customers.  In my mind, the key phrase in every BCP/Disaster Recovery/Emergency Response regulatory requirement is the one that states these plans/programs must be consistent with management expectations and approved by the Board of Directors.

I think that if Senior Management dictates the strategy to the business continuity planner and then approves the solutions put in place to achieve those strategic objectives, it is less important that you can tick off having performed every task within the BCP Methodology – even if not being able to do so upsets the auditors.  Furthermore, the business continuity planner who follows every step of the methodology to the letter and implements a solution that is not consistent with management’s expectations – has not done their job.

At the end of the day, the business continuity planner must ensure that their organization is in position to effectively and efficiently respond to and recover from any business interruption that impacts their organization.  I say, if you can achieve that – you have done your job, with or without having completed the entire BCP methodology.  Now, some will challenge and say that short of actually experiencing a disaster, the only real way to ensure that you have achieved this objective is to complete every step of the methodology.  I believe that the real proof is in the design and execution of the exercises and tests you perform.  That, to me, is the real challenge – good, complete and verifiable exercises.

But, my real objective for writing this blog is not to convince anyone that they shouldn’t follow the BCP methodology.  I think, in almost every case, even following my theory here, you will eventually determine that the standard BCP methodology is the best means for getting your job done.  I just wish to get business continuity planners to understand what their ultimate objective is and not to simply follow the methodology because they think they have to but to understand why they are following the methodology and help ensure that everything they do – every step they follow in the methodology – can be tied back to achieving this ultimate objective.  In this way, I believe, you can design your implementation of the methodology in a way that does not waste anyone’s time and effort in gathering information or conducting analyses that do not contribute to the final objective.

I think my colleague got the point and her management presentation was well received.  So, I think, I can count at least one practitioner that now sees my point.

The Job of the Business Continuity Planner

Many professionals that I talk to seem to think that the Business Continuity Planner’s job is to ensure their company can recover from business interruption events.  Now, this may just be an argument in semantics or me simply splitting hairs, but I don’t quite see it that way.

In my way of thinking, the Business Continuity Planner’s job is to make sure that management is informed of risks, potential impacts resulting from those risks and the costs/benefits of options available to mitigate or respond to those risks, so that management can make informed and intelligent decisions about what mitigation and recovery strategies to invest in.  And, when those decisions are made, the Business Continuity Planner is responsible for helping manage and coordinate the implementation and testing of those solutions.  But, it is senior management’s job to ensure that the company can recover from business interruption events.

In my mind, the worst thing that can happen to a Business Continuity Planner is not that the company cannot recover from an incident, but that senior management is justified in saying, “But no one told me that this risk existed and these implications could occur”.  If the Business Continuity Planner can show that the risks were identified, the impacts made clear and viable solutions presented that management chose not to invest in, then the Business Continuity Planner has done his/her job.

We cannot force management to invest in business continuity or disaster recovery solutions, but we can let them know, with no uncertainty, what is potentially at risk should they not invest in, or under-invest in, business continuity and disaster recovery solutions.  Our jobs are to ensure that there are no surprises about what might occur and what the impacts might be should a business interruption event occur.

Prior to management making decisions to invest in solutions, the Business Continuity Planner’s job is to gather information, research risks and solutions, perform cost/benefits analysis and communicate our findings to the proper decision makers.  We are often research analysts and salespeople.  And, it is a difficult sale to make – asking management to invest capital from a limited available cache in our programs as opposed to other programs being pitched by other department managers.

The risks we must inform management about go beyond the risk of disasters; they also include the risk of being out of compliance with laws, contracts and industry standards.  And, we must be brutally honest about our abilities to respond and recover.  We do this by realistically conducting exercises and tests and reporting back the findings without a bias towards success.

Our jobs are to set expectations consistent with the risk environment and solutions in place today.  It is senior management’s job to decide what risks are acceptable and how much to invest in improving our solutions.  If they do not have all of the right information to make that decision, it is then that we have failed in our jobs.

The ROI Issue: Does Preparedness Planning Have One?

My good friend, and, hopefully, soon to be guest blogger on this site, David Lindstedt has written a very interesting and intelligent article recently published by Continuity Insights, titled: “Does Preparedness Have an ROI? | Part 1, An Answer”.

I highly recommend you taking a look at this article as I think David offers some very poignant thoughts on this often debated topic.  The concept of a Return on Your Investment for the time, effort and monies spent on preparedness planning and solutions is something many practitioners have been seeking as justification for the hard-to-get budget to support the solutions we would like see put into place.  We are, after all, vying for the same dollars that others within the organization are asking for to support revenue generating products, tools and assets.  I think David, in Part 1 of his article, has set a nice foundation for a supporting argument.  I am very curious now, to read part 2.

Maybe his part 2 will address my subsequent questions.  I understand and appreciate the concepts behind this discussion, but I think the question about ROI helps us only to a point in helping capture those last few dollars for our programs.  The ROI argument or question, might really be, at what point is an ROI required to invest in our preparedness program and when does the ROI, even if it does exist, no longer make sense?

I ask forgiveness from my international readers as I draw an analogy to American football.  There are some contingencies or preparedness programs that just make sense to invest in – like having a backup Quarterback – or a backup for each position.  But, how many backups and what combinations are the right number?  And what is the right price to pay for the backups?

Should I pay more for my backup QB than I do for a starting lineman?  Should I have two backup QBs and only three backup offensive linemen that are interchangeable?  Should I invest in a backup kicker, or just use one of my other players in an emergency situation?

Using David’s article as my guide, it is obvious that I get an ROI for each backup.  I benefit from being able to practice against the backups.  The competition for a starting position improves the play of all.  And, some backups might even put some additional fans in the seats.  But a return alone is not the answer.  We must analyze how each decision impacts the whole.  Sometimes I think business continuity planners lose sight of this fact.

The more I pay for backup QBs the less I have to spend on facilities, marketing, uniforms, cheerleaders, etc.  And we all know how important the cheerleaders are.

So, yes, I anxiously await David’s part 2 – “The Implications”.  He is a smart man; I am looking forward to benefitting from his wisdom.

Establishing RTOs

I think there is a common mistake that we, as business continuity planners, make when working with our business partners to determine RTOs for processes and applications that support them.

I think we do a good job of using the findings from our Business Impact Analyses (BIA) to identify the Most Critical, Critical and Essential business processes (or whatever labels you happen to use) and to ensure that these processes are what we recover first.  But, when we work with these areas to define Recovery Time Objectives (RTO), I think we do not properly establish the post-disaster performance objectives.  Most of us allow our business partners to establish their RTOs based on the assumption that they will be operating at or close to business as usual.

Sure, we instruct them to try to establish the minimum requirements and consider workarounds and the like … but, to achieve what end?  How many of us first ask senior management if there will be any changes to our management objectives following a serious business interruption event?  Will revenue or income targets be adjusted?  How much in additional costs and expenses can we incur?  Will response or service targets be adjusted?  Margin targets adjusted?  ROI?  ROE?  Or, any other management metrics adjusted because we are in a crisis mode of operations?

Although this goes against my overall philosophy of trying to simplify things, I think it would be beneficial to establish three modes of operation when establishing RTOs with our business partners.

  1. Survival Mode
  2. Sustain Mode
  3. Business as Usual Mode

The goal of Survival Mode operations is simply to keep the company solvent.  Forget trying to be profitable; forget growth targets; forget avoiding all penalties, fines and service interruptions – what, minimally, does the company need to do to not jeopardize the solvency of the firm?

The goal of Sustain Mode operations is to satisfy the commitments we have today with our current customer base.  What do we need to do to keep our current customer base satisfied and meet the regulatory and contractual obligations we already have in place?

And the goal of Business as Usual is … well, just what the words say.

I think if we could get senior management to define the management objectives for each mode of operation and how long the company can operate in each mode, the RTOs we establish will be much more realistic.

I work in many environments testing their RTO capabilities where, when short time-frames are missed, they report this as a failed exercise but the business areas ultimately say, we could have lived with the delays.  I think our RTOs, in general, are much tighter than they need to be if we think about Survival first, then Sustain and then BAU.

I know, I know, I know … for those of you cursing me out; yes, there are some really crucial business processes that legitimately have very short RTOs (or require immediate failover with no downtime), but I think that pool of requirements is much smaller than many of our programs suggest.

So, yes, I think we do a good job focusing on Most Critical job processes, but I don’t think we establish the right mindset in gathering the requirements to support them after a disaster.

I welcome all comments to the contrary or, heavens forbid, in support of this concept.

Risk Free, Satisfaction Guaranteed Program Review

Safe Harbor Consulting (SHC), a management consulting firm specializing in business continuity, disaster recovery, emergency response and crisis management, is offering a risk free, satisfaction guaranteed Program Review.  SHC will review your program documentation, interview employees with key responsibilities in your solutions and review other program material in an effort to discover opportunities to strengthen your programs, improve your strategies and/or expand your solutions.

If, at the completion of the review and following the delivery of the SHC Findings Report, you are not satisfied that we have identified valid, substantial opportunities to advance your program and/or better position your organization’s response and recovery posture, you will not be invoiced for SHC services.

“I have found that having outside experts review program material prior to conducting a Tabletop Exercise or Physical Program Test is an excellent technique for ensuring your program material is in tip-top condition prior to sharing it with internal management and employees”, says Joe Flach, CEO and Lead Consultant at SHC.  “If the material we review is in excellent condition and, other than a few cosmetic fixes, has no real identifiable issues, problems or concerns, then our review will indicate as much and we will not charge you for our efforts.  Only if we discover legitimate opportunities to improve the program or program material, and only if the customer agrees that we have achieved this, will we prepare an invoice for our agreed upon fees.”

To take advantage of this Risk Free, Satisfaction Guaranteed Program Review offer, please contact Safe Harbor Consulting at (253) 509-0233 or email them at safeharborconsulting@yahoo.com.  To learn more about Safe Harbor Consulting you can visit them at www.safeharborconsulting.biz.

Business Continuity Plan Check-Up

I went to visit my doctor today for my annual checkup.  Happy to report – everything looks good.

I have been exercising regularly; I have been watching my diet, keeping my weight down; I feel great; No problems – no symptoms of anything being wrong.  No reason to go see a doctor, other than it was time for a checkup.

Same is true for our Business Continuity, Disaster Recovery and Crisis Management plans.  Even though we may exercise them regularly; Even though we may keep them up to date and well maintained; Even though they feel good and look good to us – it is a good idea to submit them for a checkup every now and then.

Getting an outside review of our plans and documentation helps ensure we catch those inconsistencies and hidden problems that we ourselves may not be aware of.  Just as certain health risks are not always obvious to the patient; certain shortcomings in our enterprise emergency management programs may not be recognized by those who administer, create and maintain the plans themselves.

I do not refrain from going to the doctor for a checkup simply because I am sure there is nothing wrong; I get a higher level of confidence and reassurance when everything checks out fine.  And, I know some people that realize they are not in the greatest health but put off going to the doctor until they can “get into a little better shape”.  Bad move.

Even if you know your program is in great shape – getting that reassurance through an annual or semi-annual “check-up” can help validate this feeling for you.  And, if you know your program has problems, getting an outsider’s help on designing a get-fit regime may not be a bad idea.

Safe Harbor Consulting offers a program review with a guarantee that if we do not find opportunities to improve your program – the check-up is free.  How can you go wrong with that?  If only I could get my doctor to offer such a deal – my visit today, I am glad to say, would have been on the house!

Business Continuity Planning: Do Your Homework

I have been following several threads on various professional discussion boards and am quickly realizing a fundamental mistake that I think a lot of business continuity and disaster recovery planners are making.

Lots of these practitioners are listing, for me and others, all the questions we should be asking of a company’s management and leadership teams to help define recovery objectives, critical processes and the like.  Whereas I think the business continuity and disaster recovery planner absolutely needs to have this information to do their job right, I do not think we should be wasting senior management’s time in asking them to provide this information for us.  I think this adds to our planning problem; we get in meetings with very busy senior management personnel and ask them to provide us with information that we should know or, at the very least, have other avenues for ascertaining.

Me personally, I do not want to sit in front of Sr. Management and ASK them:

  • Where do your revenues come from?
  • What are your most critical processes?
  • What would happen if these business centers were shut down?
  • Lots more … just check out the discussion boards.

No.  When I finally get an audience with Sr. Management, I want to TELL them:

  • As you know, we get 80% of our revenue from …
  • Our most critical processes are…
  • If the business center in _________ were shut down for 1 day, we would lose …
  • Etc.

This information is out there.  It is in Annual Reports.  It is in SEC Filings.  It can be gathered from others throughout the organization.

When I get in front of Sr. Management, I want a succinct statement of facts, problems and potential solutions.  I do not want a list of questions for them.

There are many threads on these discussion boards asking how do I get management’s attention or participation or approval …  I think, really, if we look in the mirror, we are our own worst enemy in this regard.  We try to get buy in to a process, a theory or an ambiguously stated concern.

Do your homework.  Don’t go to Sr. Management asking to approve a process or methodology for finding risks and analyzing requirements.  Do not ask management what they are concerned about.  Go to them with real issues, supported by hard facts.  Tell them what they should be concerned about and why, in terms that they understand and issues that would concern them as business men and women not you as a business continuity planner.  Have potential solutions ready to discuss.

It is an age old business adage: “Don’t come to me with problems, come to me with solutions.”  Business continuity planners, we are worse – we come to them with questions.

Bad tactic in my book.  But then, maybe that’s just me.

Gaining Management’s Attention

It is a question that Business Continuity and Disaster Recovery Planners have had to deal with ever since this field came into being: “What can I do to get management fully engaged in the planning process?”

There is a current discussion going on in a LinkedIn Business Continuity Group on this topic.  There are your typical, age-old answers: raising awareness of the need for this kind of planning; identifying the managers’ greatest recovery concerns; being better skilled at selling the benefits of planning.  There are even some more creative answers, such as highlighting the risks involved in not planning.

These are all very good answers – might work, might not – and the struggle continues.

I do not profess to have THE answer to this question.  And, I know that what I propose is not easy to achieve – but, it seems to me the best way to motivate people to pay attention is to hit them in the wallet.  By this I mean, try to get their ability to plan incorporated in their performance appraisals that help determine their bonus, next raise or promotion.  At the end of the day, individuals are going to concentrate their time and attention on those tasks that will influence their performance appraisal and bonus or pay increases.  In most organizations, the only employees being graded on how well business continuity planning is completed are the business continuity planners.  Sounds responsible – but, doesn’t help promote the need to plan.  Our leadership teams can give all the lip service they want to the need to plan and participate on tests, but unless they back it up with penalizing those who don’t participate, you are still going to have problems getting participation.  Currently, there are few penalties for not planning other than having the BCP folks whine at and pester you. 

Every department management team should be held responsible for the development of their plans.  The BCP planner is really an internal consultant available to help them achieve this, but the responsibility should lie with the management team.  Have their success in planning, documenting and testing their business continuity strategies included in their performance appraisal and I bet they start paying more attention to their plans. 

One variation of this is in organizations that include Audit Results in the performance appraisal process.  Get your Auditors to include review of business continuity plans in each department audit.  If exceptions are noted, and these exceptions impact the performance appraisal or bonus program, they will be addressed. 

Again, I am not saying it will be easy to change the corporate culture to get business continuity planning included in the performance appraisal or regular audit process, but, I feel pretty confident that if by not giving attention to the planning effort, these managers feel they are leaving some bonus money on the table, they will start paying attention.  And, do we really care whether or not they buy into the “need” to plan as long as they plan?  Maybe – but, hey, results are results.

Business Continuity and Executive Liability

I am having a terrific time in preparing for the upcoming American Bar Association (ABA), Tort Trial and Insurance Practice Section (TIPS) teleconference on Disaster Preparedness and Response.  The session I will be participating on is scheduled for September 16 and is titled: “September 11, 2001 Terrorist Attacks: Duties of Corporate Directors and Officers in the Preparation and Execution of Disaster Avoidance and Recovery” – wow, that’s a darn long title!

I have been asked to participate on this panel to give a practitioner’s point of view on what is typically included in a corporation’s Disaster Preparedness Program (and, please, let’s not get hung up on the terminology being used here – see my blog post below) before the lawyers get into talking about possible executive liability and the implications of traditional insurance coverages used as a means for transferring risk.

One of the interesting things that has transpired in our conversations, that may or may not end up being discussed in the teleconference itself, is the different potential legal implications in lawsuits that may follow a company’s response to a disaster and how that ties into the typical planning methodology. 

We have differentiated between disasters in which the corporation played a contributing factor in the event, such as: the BP oil spill in the Gulf of Mexico; the Exxon Valdez oil spill; or, the Union Carbide incident in Bhopal, India, and those in which the companies were simply in the way of a tragedy that impacted them, such as: the earthquake and tsunami in Japan; Hurricane Katrina; and the events of 9/11.  And then, after further discussion, we broke the last category into events that might be expected versus those that could not be foreseen.  It all has potentially interesting implications should the companies be sued as a result of their ability or inability to effectively respond to the event and/or protect those around them impacted by the event.

Certainly, it is easy to see the liabilities if the company itself caused the disaster.  But, what about events in which the company is truly the victim?  I suggest there might be some difference if it is something they should have known to prepare for.  This ties directly to the business continuity planner’s findings from a Risk Analysis.  If the Risk Analysis identifies critical facilities on an earthquake fault, or in tornado alley, or in common Hurricane zones – you should plan accordingly.  If your Risk Analysis identifies potential threats from nearby nuclear power plants or hazardous material sites – you should plan accordingly.  And so on.

But, it was also noted that plenty of firms are sued for events they could not reasonably foresee.  I suggest that even if you could not plan to prevent or mitigate a particular scenario, you still can make horrendous mistakes and be negligent in how you react and respond to the unpredictable.  Although I think it is important for companies to have specific response plans for known risks, it is also important to have generic response plans based on impacts of unforeseeable events.  For example, plans to evacuate regardless of why you are evacuating.  Plans for shelter in place, regardless of the outside threat.  Plans to continue operations in alternate facilities, regardless of what rendered the targeted facility inaccessible.  Etc.

Our session will then go on to discuss the role Directors and Officers should be playing in the development, implementation and activation of these plans and the possible liability they may be held to should things go wrong.

I haven’t often had the opportunity to discuss these topics with a group of litigation lawyers and I am fascinated with the synergies we are experiencing in educating one another.  I am looking forward to a fun and rewarding teleconference on September 16 and in continuing the discussion and association with these folks after this event to explore these topics in greater depth.

Enforcing Business Continuity

Business continuity and disaster recovery professionals often ask me, “What is the best way to enforce the need for planning in our organization?”  The simple answer is to let the Auditors be your enforcers.

The business continuity planner should establish and get senior management to publish policies requiring business and technology managers to create and maintain business continuity and disaster recovery plans for their specific areas of concern.  Auditors, both internal and external, are responsible for ensuring all policies within an organization are adhered to.  This is especially effective in organizations where a manager’s review, promotions and pay increases are somehow tied to their ability to have satisfactory audits.

In this environment, the business continuity planner then can become the hero, acting as an internal business continuity planning consultant there to help the business manager pass this portion of their audit.

Too often, the only person held responsible in an organization for ensuring the company has adequate business continuity plans is the business continuity planner.  This is a fundamental flaw in the process.  The manager responsible for meeting a certain business objective under normal operating conditions should be the same manager responsible for meeting those business objectives (perhaps adjusted) during times of crisis.  The role of the business continuity planner should be to establish policy and then assist the business managers in performing the planning methodology and ensuring the enterprise as a whole provides cost effective solutions for a holistic recovery – but, the individual managers should be responsible for the development, content and exercising of their plans.  The business continuity planner should be available to hold their hand through the process if needed and/or come to the rescue when they fail the audits.

Believe me, when helping a business manager address a failed audit tied to their ability to get a raise or promotion, they are not going to even think about the fact that you were the one who was responsible for the policy in the first place.

Befriend your auditor.  And, educate them on what it is the policy is supposed to do for the organization and what they should be looking for to ensure compliance with these policies.  Then, be ready to answer your phone when the calls for help start coming.