Tag Archive for business continuity planning

The 12 Steps of Business Continuity Planning

So, I am writing a complete Business Continuity Planning Governance Guide and Standards manual for one of my clients and it dawned on me that this process really is a neat little building block methodology that might best be simply explained through a “Twelve Days of Christmas”-like presentation.

This is NOT part of the manual I am creating, but, I thought I might share it with you.  So … here goes …

THE TWELVE STEPS OF BUSINESS CONTINUITY PLANNING

The first step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Defining business processes performed by my company.

The second step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Identifying potential impacts from a disaster
To the business processes performed by my company.

The third step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Assigning Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The fourth step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Inventorying recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The fifth step in Business Continuity Planning that Safe Harbor Consulting taught to me is
All of these things
Inventorying recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The sixth step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Researching recovery options to achieve
All of these things
Providing the recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The seventh step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Selecting the best recovery strategies
From the researched recovery options to achieve
All of these things
Providing the recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The eighth step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Implementing the recovery capability
For the selected recovery strategies
From the researched recovery options to achieve
All of these things
Providing the recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The ninth step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Documenting the recovery process to
Employ the recovery capability
For the selected recovery strategies
From the researched recovery options to achieve
All of these things
Providing the recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The tenth step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Simulating a recovery effort using the
Documented recovery process to
Employ the recovery capability
For the selected recovery strategies
From the researched recovery options to achieve
All of these things
Providing the recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The eleventh step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Improving the recovery program based on findings from
Simulating a recovery effort using the
Documented recovery process to
Employ the recovery capability
For the selected recovery strategies
From the researched recovery options to achieve
All of these things
Providing the recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

The twelfth step in Business Continuity Planning that Safe Harbor Consulting taught to me is
Ensure everyone knows what we did to
Improve the recovery program based on findings from
Simulating a recovery effort using the
Documented recovery process to
Employ the recovery capability
For the selected recovery strategies
From the researched recovery options to achieve
All of these things
Providing the recovery requirements
Needed to achieve the Recovery Time Objectives
Based on potential impacts from a disaster
To the business processes performed by my company.

Business Objectives vs Business Continuity Objectives – The Missing Step

This blog article talks about a step in the Business Continuity Planning (BCP) Methodology that I think is missing – and, I happen to think it is a pretty important step.

One of the greatest challenges in the BCP methodology is in establishing the program’s recovery objectives.  Whether you label them as Maximum Acceptable Downtime (MAD); Recovery Time and Recovery Point Objectives (RTO & RPO); or some other creative anagram unique to your process, these program benchmarks are usually arrived at through a Business Impact Analysis (BIA) process or, at least, through some survey/interview with business managers and subject matter experts to establish what the critical business processes are; what timeframes they must be recovered; and what resources must be available in certain timeframes to enable our continuity or recovery of those processes.  Does this sound familiar?  I’m I right, so far?

But – you knew there was going to be a but – to achieve what end?  I mean, we do a great job defining business continuity objectives, but do we do so against established business objectives?

I always thought that the savvy business manager, when asked to complete a BIA questionnaire would ask the question, “What is Senior Management expecting me to achieve during the business interruption period?”  Sometimes, I think, we get close.  Many times I hear business continuity planning professionals say that the objective is to “survive” the disaster or “keep the company solvent”.  But do we ever define what that means – in business objective terms?

So, forget about operating in disaster situations for a second.  Just think about business as usual objectives.  Most every company and most every department within each company has established business or performance objectives.  There are defined revenue targets, income objectives, margin targets, production objectives, etc.  There are expected number of widgets to produce per week; sales targets; number of calls handled per hour; items sold; and so on and so on.

What I would want to know, if I were the business manager being asked what my critical processes are and how long can we go without performing those processes, is:  What adjustments are being made to my performance objectives during this incident you are asking me to plan for?  Am I expected to still achieve my revenue target, sales target, income target, margin targets?  Am I still being measured against growth?  How many widgets per day am I expected to still crank out?  If you can tell me what my management is expecting me to produce during this contingency period, I can then tell you what I need to do, when I need to do it and what I need to get it done.

Seems to me, we miss that step.  We make middle management guess at what our business targets are.  And, furthermore, we never ensure that their guesses are consistent with one another.  Each individual manager who completes the BIA makes their own assumptions about what the overall business objectives are during a business interruption event.  Seems a bit risky to me.

I understand why and how this happens.  It is primarily because middle management is more accessible in our planning process.  It is much easier to include middle management in the planning process, feed them the BIA questions and get them to assign MADs, RTOs and RPOs than it is to include Senior Management in the process.  But – there’s that damn word again – how can we really define viable business continuity objectives if we don’t first know our business objectives during time of an event?

I wonder what would happen if we tried?  I wonder … what if you posed that question to upper management?  What if we added that step in our BCP Methodology:  Define adjusted business objectives that must be achieved during a serious business interruption event.  IN BUSINESS TERMS – not in BCP terms.  Interesting.

Anyway, just a thought.  What do you think?

The BIA Insult

So, I came across this quote the other day that someone was using in a presentation about the importance of conducting a Business Impact Analysis (BIA):

“A business continuity plan that is not predicated on or guided by the results of a business impact analysis (BIA) is, at best, guesswork, is incomplete, and may not function as it should during an actual recovery.”

Really?

I understand what they mean and I appreciate this message given to business continuity planners, but, I would hesitate saying this in a board room.  It may not be wise suggesting to the CEO and other senior executives that they do not know their business well enough to tell you what is important to them and what business processes are necessary to keep their organization solvent.

I have long since been of the opinion that business continuity planners have become victims of our own methodology.  I think many of us have lost sight of the why’s and wherefores of what we do and have become too caught up in the whats and how we do things.  And, I think, the BIA is a prime example of this.

Ultimately, why do we conduct a BIA?

I suggest that we perform a BIA to establish the objectives for our Business Continuity program.  We gather and analyze the impacts of a business interruption in terms of financial impacts, reputational impacts, operational impacts, legal and regulatory impacts and other impacts unique to our company or industry.  Armed with this measurable and intangible information, we can make an educated and informed decision about what business processes we need to continue – and, in what timeframe – to minimize our losses and keep the organization solvent following some sort of devastating business interruption event.

I like to break down the standard Business Continuity Methodology into the Strategic Planning Phases and the Tactical Planning Phases.  The Strategic Planning Phases consists of the Risk Analysis, Business Impact Analysis, Recovery Requirements Analysis and Cost Benefits Analysis of viable solutions.  The Strategic Planning part of the methodology helps us define “what” our business continuity plan should achieve.  The Tactical Planning Phases of the methodology define “how” we achieve our objectives.  This includes, implementing the chosen solutions and documenting the policies, plans and procedures.

But, I don’t believe the Business Continuity Planner is always needed to define the Strategy.  I think, in some instances, the “strategy” can be given to us by the CEO, board or other executive management team members.

What if the CEO told you what business processes they want to continue, in what time frames?  Are you going to tell him/her that that would be creating a BCP based, at best, on guesswork?

I know that the methodologies say we MUST CONDUCT a BIA.  But, I think that that requirement is a little bit tangled up.  I think it is absolutely correct to say, before you can  successfully implement a viable and effective business continuity plan you must establish your recovery time and recovery point objectives; you must identify and categorize your business processes in terms of criticality and importance to the sustainability of the organization and the ability to satisfy the corporate mission; you must know the dependencies and requirements that support those critical processes to ensure a complete and holistic recovery solution – but, I am not sure a BIA is always what is needed to get these “strategic” parameters.

Yes, I have been in many a situation where the leadership team was not comfortable in establishing these objectives without the support of information gathered and analyzed through an in-depth BIA.  I have also seen many a business continuity planning team chastised for spending months on gathering and analyzing information simply to conclude in telling management teams what they already knew.  And, I have seen business continuity programs fail at time of an event because they were predicated on the findings from a BIA that were never verified and matched against management’s expectations, which were significantly different from what the information gathered suggested.

Now, I am not against BIAs.  I have made a nice living by conducting many a BIA over the past 20 years, and I do believe they are valuable and necessary tools – just not in every case.    I caution business continuity planners not to become so married to the methodology that you lose sight of what the objectives are for each methodology component.  If the objective of a BIA is to establish the continuity and recovery objectives of your business continuity program and the executive team in your company knows and are willing to sign off on recovery and continuity objectives that are given to you – do you really need to conduct the BIA?

In any case, I don’ think I would ever suggest that a business continuity plan not based on the findings from a BIA is guesswork, especially if the guesses are coming from the Executive Management Team.  I just know that if you came into my company and told me that a team of business continuity planning specialists are needed to identify what our critical processes are, I would be showing you to the front door.

The Recovery Requirements Analysis

I have been in more than a few BIAs or business continuity planning sessions when it is like pulling teeth trying to get business managers to identify the applications and/or other requirements and resources they need to minimally perform their mission critical business processes.

This is especially true when working with financial traders.  First, they under-estimate their need for tools and resources, believing that as long as they have a phone, they can conduct trades.  But then the list of requirements grows and grows.

A typical requirements analysis session with traders might go like this:

ME:  What do you minimally need in an alternate site to conduct your business?

TRADER:  I don’t need anything.  Just give me a phone and I can trade anywhere.

ME:  So, all you need is a phone?  You can trade with just a phone.

TRADER:  That’s right.  Just a phone.  Well, I also need my data feed.  But, just a phone and a data feed.

ME:  Nothing else?

TRADER:  Well, I need a phone, my data feed and the blotter system.  Just a phone, data feed … oh, and I need trade tickets.  Just a phone, my data feed, the blotter system and trade tickets.  That’s all I need.  Oh, and I need my directory of phone numbers… and a recorded phone line.

Does this sound familiar?

Here, check out this link to a secretly videotaped, recovery requirements session I conducted with one business manager:

Recovery Requirements Analysis Video.

Okay, so I am being funny.  But, if you have done this for as long as I have, I am sure you shared in the laugh.  I have used this routine in a few public speaking sessions I have done on business continuity planning.  It is always a good trick for getting my point across and keeping the audience awake.

And maybe, just maybe, I am being a Jerk!