Tag Archive for disaster recovery

Marketplace Empathy

Safe Harbor Consulting has been successful in assisting a number of organizations with their Table Top Exercise Programs for business continuity, disaster recovery and crisis management solutions.  One of the first challenges we face in the exercise planning process is to settle on the right scenario for the exercise.

Of course, the first thing we do is to get our client to forget about the scenario for a moment and list those things within their programs that they want emphasized in the exercise.  For example, we ask questions like:

Do you want the scenario to include death and injury of employees and guests?  Or, keep the focus on business interruption?

Do you want to address damage assessment procedures or just have the scenario result in the loss of access to facilities?

Do you want the scenario to result in a long term outage (weeks or months)?  Or, a short term loss (hours or days)?

Do you want the scenario to be an immediate impact and obvious disaster?  Or, an escalating problem that “rolls” into a disaster?

Knowing the answer to these questions will help us land on the proper scenario.

But, this scenario discussion also leads us to talk about another interesting phenomenon in business continuity planning that I am not sure I have heard anyone else talk about.  Many times, I find myself trying to talk the client down from those “spectacular” disaster scenarios to scenarios that are more likely to occur and, believe it or not, more likely to offer a greater challenge to your organization.

The phenomenon I speak of is a concept I call “Marketplace Empathy”.

One of the factors that will measure your success in responding to and recovering from a business interruption event is how well you meet the outside world’s expectations.  In those newsworthy, high impact, catastrophic events that impact you, your customers and your competitors alike, you are not necessarily expected to be up and running the next day, or even weeks or longer.  The marketplace, as a whole, can empathize with your dilemma and will allow you the luxury of time to get back to business as usual.

This will not be the case when your business interruption event is caused by a less newsworthy, low impact event that only impacts you.  If your Call Center is down because of a fire in your telecom office that takes your PBX down, you are not going to be granted that same level of forgiveness as when a tornado wipes out the entire town where your Call Center happens to be located.

Marketplace Empathy.

With it, RTEs (Recovery Time Expectations) will expand.  Without it, RTEs will shrink.

With it, the news will center on the event.  Without it, the news will center on your inability to deliver.

I do not believe Marketplace Empathy is a concept that should influence your planning process, but it is something you should consider when planning for and/or executing your Table Top Exercises.

The fact is, RTOs (Recovery Time Objectives) and MADs (Maximum Acceptable Downtimes) are planning targets based on BIAs and other informational input, but the RTEs will be influenced by the scenario you are impacted by and responding to.  When you go with the Tom Clancy-esque type of scenarios in your Table Top Exercise you risk having your participants focus on the event itself and you allow people to challenge the real need to recover the business when the impact is so great and so many people are affected.

Marketplace Empathy.  Just something to consider when planning your next exercise.

Planning versus Being Prepared

Many organizations engage in business continuity and disaster recovery planning; few organizations are prepared for a business interruption event or a disaster.  There is a difference.

My wife is a terrific party planner.  We just threw a birthday party for our youngest son who turned eleven years old this past Sunday.  My wife “planned” his party weeks in advance, but, until we got the invitations sent, the supplies purchased, the house cleaned, the balloons and decorations put up, the gifts wrapped and the cake baked, we were not “prepared” for the party.

The Allied Forces “planned” the D-Day Invasion months in advance; but, until they recruited for, trained, transported the forces and equipment to where they were needed, ran simulations, drills and practices, monitored the weather, performed reconnaissance, set up Command Centers and established communications channels and protocol, they were not “prepared” for the invasion.

Simply going through the motions of creating Business Continuity and Disaster Recovery Plans does not necessarily mean your organization is prepared to respond to, operate through or recover from a business interruption event or disaster.  There are many organizations who have followed the standard and accepted business continuity planning methodology, resulting in numerous, well-documented plans, that are NOT prepared for a disaster.  How can this be?  Here are some contributing factors that can result in that kind of dichotomy:

Invalid Planning Assumptions.  Almost every plan written includes a list of planning assumptions in the Introduction or Overview sections.  Many times these “assumptions” are really planning requirements, caveats or downright erroneous assumptions that invalidate the plans and continuity strategies in place.

For example:

  • A plan might include the assumption that employees are trained and have copies of the plans in their homes. This should not be a plan assumption; this should be a program requirement.  This requirement is auditable and should be tracked.  Your plan should not “assume” this to be true; your program should “ensure” that this is true.
  • A plan that utilizes a work from home solution might include the assumption that employees routinely take their laptops home with them every night. Again this is an example of a program requirement, not a plan assumption.  If your business continuity solution relies on corporate assets, such as laptops, being available in certain employee’s homes at time of a disaster, you need to ensure that these assets are there when needed.
  • Sometimes, plans “assume” that the disaster impacts only the facility that the plan is written for. In cases when the continuity or recovery strategies rely on alternate sites (or employees working from home) that share a common footprint of known risks and threats in the area; that may not be a plausible assumption.  In these cases, it is important that management know “what” they are prepared for.  For example, management might be told that you are prepared for a building outage but not a wide-area outage caused by an earthquake or flood or hurricane.  This could be important information to know if you are in an earthquake, flood or hurricane zone.
  • Many plans include the “assumption” that the strategies and technologies the plan relies upon are available, functional and usable at time of need. Many times, management reads this “assumption” as a “given” when, in fact, these solutions are yet to be implemented, contracted for or proven reliable.

When assessing an organization’s level of preparedness, plan assumptions should not be glossed over nor should they be accepted as being “givens” or truths.  If the viability of your plan is dependent on these assumptions being true, you must have policies and procedures in place to ensure these conditions exist and protocols in place to measure the level to which they are being met.

Dependencies That Can’t Be Depended Upon.  In a related situation, some plans include a list of dependencies that the plan’s execution relies upon.  Sometimes, the reliability of these dependencies is also listed in the plan’s assumptions.

For example:

  • The successful execution of the strategies outlined in the plan might be dependent upon external, single-source suppliers (of services, information or raw material) remaining operational. If these organizations are also at risk of being impacted by the same business interruption event, this might not be a reliable requirement.  You should include the examination of these organizations’ recovery plans in your programs’ activities or eliminate this dependency as a single point of failure within your environment.
  • Plans are often dependent on certain individuals or subject matter experts being available to participate in the recovery effort. “People” are often overlooked as single-points-of-failure.  If the successful execution of your recovery solutions relies on one or more particular individuals being available to execute the plan, you are at risk of failure during events that impact the availability of your work-force.  Many companies that have this dependency also state that their plans could be used during a Pandemic event – this is just one type of scenario that puts that dependency at grave risk.
  • Many plans are also dependent on certain technologies and/or applications being accessible at time of an event.  Sometimes, the recovery or continuity of these technologies and applications is within the scope of your plans and sometimes, it is not.  In either case, whether or not this dependency can be relied upon is something that can and should be proven.

Failure to Socialize the Plans.  Even companies with spectacular plans and solutions in place can be unprepared for the events they have planned for due to the lack of training and education of the people who must execute the plans.  Well written plans and fully enabled solutions can fail to protect the organization from devastation if the people relied upon to execute those plans or utilize the solutions have not been trained in and practiced their roles for time of implementation.

None of Shakespeare’s plays would be successful if the actors were reading the scripts for the first time on the night of the opening performance.  Documented plans should be treated like scripts; the lines should be memorized and rehearsed well before they are needed.  If your organization is dependent on the documented plans at time of a disaster, then it is quite possible that you are not “prepared” to respond and recover.

Unreliable Testing Practices.  And then there are companies that do routinely practice and rehearse for the event, but are still not “prepared” because of some unreliable testing practices that are commonly used.

Most business continuity and disaster recovery plans are designed to allow an organization to respond to and recover from an incident that occurs without warning and demands immediate response; yet, it takes them months to plan for a test.

If the advanced planning for a test is more than an exercise in scheduling resources, your organization may not be prepared for the real deal.  Too often, the time needed to prepare for a test is used to create special back-ups; install or provision equipment; order supplies; coordinate resource availability; or a number of other logistical activities that require time to complete – none of which you will be able to do at time of a disaster that hits without warning.

If your organization plans its tests weeks or months in advance, you need to scrutinize the actions being taken to prepare for the test and question whether or not that activity would be required at time of a real event.

And, too often, organizations execute these tests or rehearsals utilizing a small set of understudies and not the people who will engage at time of the real event (thus, not achieving the socialization mentioned above).  This, too, is something that can be audited and tracked.  Your program should identify anyone who has the potential of being engaged at time of an emergency response, continuity and/or recovery event and ensure that they are trained and routinely participate in recovery tests and exercises.

CONCLUSION

So, yes, there are many companies that “plan” for a business interruption event but are far from being “prepared” for a business interruption event.  The ultimate goal is being “prepared”; do not allow yourself to be lulled into a false sense of security just because you have a “plan”.

2015 Program Review

Safe Harbor Consulting

Business Continuity / Disaster Recovery / Crisis Management

Program Review and Planning

As the years change on the calendar and we begin to initiate our 2015 projects, improvements and advancements, it is a good time to stop, measure and assess where our programs stand today.

Safe Harbor Consulting can provide an experienced and professional program review of your Business Continuity, Disaster Recovery and/or Crisis Management programs to:

  • Inventory all Program Components and assess their state of completeness and accuracy
  • Identify program strengths and opportunities for improvement
  • Compare your program components against industry standards and accepted best practices
  • Review the current Program’s Organizational Structure to ensure the right fit within your organization with the proper management oversight and controls
  • Assess your organization’s current state of readiness and identify risks that may impact your ability to adequately respond to a business interruption event
  • Propose an Action Plan Roadmap based on management priorities and expectations

In conducting this Program Review, Safe Harbor Consulting will:

  • Interview key corporate assets responsible for the development, maintenance and implementation of these programs within your organization
  • Review all program related documentation, including:
    • Program related policies, procedures, mission statements, goals and objectives
    • Plans, manuals and supporting program databases
    • Audit findings and related reports
    • Test plans and results
    • Training materials and presentations
    • Other material that may exist in your environment
  • Review all company and industry standards related to BCP/DR/CM for your particular industry
  • Compile our findings in a Management Report
  • Offer recommendations for short term tactical and long term strategic improvements for your programs including potential re-organization of the reporting structure and program oversight
  • Present an Action Plan for implementing all program recommendations

The deliverables that you receive at the end of Safe Harbor Consulting’s review will include:

  • A Program Assessment Findings Report
  • An action-oriented recommended Project Plan to achieve short-term and long-term program improvement goals
  • An Executive Summary Report
  • A Management Presentation of Findings and Recommendations

Your Safe Harbor Consulting Program Review will be based on years of experience in the fields of business continuity, disaster recovery and crisis management across multiple industries and organizations utilizing a variety of technologies and infrastructure in support of mission critical business processes; and, supported by lessons learned through the live implementation of such plans following serious corporate disasters and business outages.

Safe Harbor Consulting prides itself on being practical and pragmatic in our approach, to ensure that the resulting programs are consistent with management expectations and are actionable at time of an event.  We will not only review the program material, but will assess your organization’s state of readiness to respond to an incident and adequately put your plans into action.

Don’t let another year go by lacking the confidence that you and your organization are prepared to respond to a serious business interruption event – call Safe Harbor Consulting today to schedule a meeting to prepare our proposal for conducting your Program Review.

253-509-0233

www.safeharborconsulting.biz

The Business Continuity Planning Objective (Hint: It’s not to implement the BCP Methodology)

So, I was recently helping a colleague prepare a management presentation to discuss her plans for advancing the business continuity program in her company.  Maybe it’s just a matter of semantics, but we had a lengthy discussion over “objectives”, “goals” and “tasks”.

If you have read any of my recent blogs you might recognize a pattern in which I think business continuity planners have become victims of our own methodology.  This discussion helped me to emphasize that point.  When I suggested to my colleague that she should first succinctly define her objective, she merely listed the steps of the methodology.  I strongly disagree.

A business continuity planner’s objective is not to complete the BCP methodology.  The methodology is simply a recipe towards achieving an end.  What is that “end” you hope to achieve?  That “end” is your ultimate objective.

So, we started with: “To provide the company a means in which they can recover from (or continue operations through) any business interruption event that impacts their operations, facilities, employees or workflow.”  I am sure you can improve on this sentence, but, it is a good start – and, it helps set the right mind frame.  Regardless of what any auditor thinks or what any other professional has led you to believe (especially those with a vested interest in having you follow a given methodology), the business continuity planner’s job is not to execute the BCP methodology; your job is to prepare your organization to successfully respond to, continue critical operations through, and recover from a business interruption event.

Now, it just so happens that one of the best ways to achieve that objective is to follow the standard methodology, but, with this understanding of our ultimate objective we can better assess what components of the methodology are needed for our situation and determine what, if any, adjustments to the methodology we need to make to achieve this objective for our particular company.  We simply need to ask ourselves – about each component in the methodology – is this needed and how is it best used to achieve our objective?

With this thought in mind, I like to reorganize the standard methodology a bit and divide the components of the methodology into the Strategic Planning Components and the Tactical Planning Components.  Strategic Planning Components of the methodology help us define “what” our program should accomplish and the Tactical Planning Components help us describe “how” we accomplish these strategic goals.  The diagram here depicts this re-organization of the methodology.

[Diagram: Methodology]

If you think about the BCP methodology as a recipe for baking a cake, the Strategic Planning Components are needed to decide what kind of cake we should bake, how big it should be, what ingredients are needed to bake it and how long it should take to bake it.  The Tactical Planning Components are needed to ensure we have access to everything we need when the time comes to bake the cake, and, have the instructions for actually baking the cake when it is required.  The methodology also suggests we practice baking this cake a time or two before having to serve it for real – a good idea if you have never baked a cake before – and, making whatever adjustments are needed to constantly improve the cake and the baking process.

Now we get to a question that is becoming a topic of conversation for many business continuity planners: if the Strategic Planning Components of the methodology help us define what kind and how much cake we should bake, are they necessary if this is told to us by our management team?

This is where I think we often fall victim to our methodology.  I think we must ask ourselves – who is our customer?  Who are we designing business continuity programs for?  The methodology is not our customer.  The auditors are not our customers.  The CEO and/or Board of Directors are our customers.  In my mind, the key phrase in every BCP/Disaster Recovery/Emergency Response regulatory requirement is the one that states these plans/programs must be consistent with management expectations and approved by the Board of Directors.

I think that if Senior Management dictates the strategy to the business continuity planner and then approves the solutions put in place to achieve those strategic objectives, it is less important that you can tick off having performed every task within the BCP Methodology – even if not being able to do so upsets the auditors.  Furthermore, the business continuity planner who follows every step of the methodology to the letter and implements a solution that is not consistent with management’s expectations – has not done their job.

At the end of the day, the business continuity planner must ensure that their organization is in position to effectively and efficiently respond to and recover from any business interruption that impacts their organization.  I say, if you can achieve that – you have done your job, with or without having completed the entire BCP methodology.  Now, some will challenge and say that short of actually experiencing a disaster, the only real way to ensure that you have achieved this objective is to complete every step of the methodology.  I believe that the real proof is in the design and execution of the exercises and tests you perform.  That, to me, is the real challenge – good, complete and verifiable exercises.

But, my real objective for writing this blog is not to convince anyone that they shouldn’t follow the BCP methodology.  I think, in almost every case, even following my theory here, you will eventually determine that the standard BCP methodology is the best means for getting your job done.  I just wish to get business continuity planners to understand what their ultimate objective is and not to simply follow the methodology because they think they have to but to understand why they are following the methodology and help ensure that everything they do – every step they follow in the methodology – can be tied back to achieving this ultimate objective.  In this way, I believe, you can design your implementation of the methodology in a way that does not waste anyone’s time and effort in gathering information or conducting analyses that do not contribute to the final objective.

I think my colleague got the point and her management presentation was well received.  So, I think, I can count at least one practitioner that now sees my point.

R U O K?

Many business continuity, disaster recovery, emergency response and crisis management programs currently utilize some sort of automated notification tool to alert employees of an incident and/or to call them to action following a disaster.  I have written past blogs about being careful with what you say in the recorded message being used for this notification because you can never be quite sure who is listening to the message – but, now, I want to know if you are making sure you also use this tool to ask, “Are you okay?”

I often hear business continuity and disaster recovery planners remind employees that job one is to ensure the health and welfare of employees and job two is to recover business operations and the tools to support them.  I think it is important to practice what we preach and to construct our emergency messages in the same vein.  I think it would be nice to first put in some information on how the company can help the employee, if they need it, prior to asking the employee to help the company by engaging their recovery plans.

And, this does not just apply to messages being recorded (or typed) for the automated notification systems.  If your program still relies on phone call trees, I think it is a good idea to include this verbiage in a suggested script to be used for these calls.

Furthermore, I think it is important to keep the “Are you okay?” mantra going throughout the recovery effort.  I think it is important to do more than just make sure that employees know how to contact the Employee Assistance Program (EAP), but to also make that ask throughout the effort.  Not only should you help keep the employee okay by enforcing shift limits and making sure no one overdoes it in their anxiety to help the company through a tough time – but you need to make the ask.  Ask them if they are okay before they show signs that indicate otherwise.

And, finally, that same ask should be made after the incident is over.  There are many emergency response programs that require a mental health recovery period following participation in an incident.  You may want to consider a similar policy for certain members of your emergency response, crisis management, business continuity and/or disaster recovery teams.

Making sure the employees are okay during and throughout an emergency may require more than what your EAP has to offer.  There are companies out there that provide at-time-of-disaster mental health assistance that can be on-site to help identify problems and help resolve issues when they arise.  You should consider including these types of companies in your program directories.  One such company, Empathia, is included in the My Links section of this blog page – but there are others, as well.

Just a thought.  And, I hope this blog finds you OK!

Is “The Cloud” Clouding Our Judgment?

The cloud does not only happen in a cloud. The cloud is simply a nebulous way of depicting the magic that happens between geographically distanced technology interacting over a network. Clouds have been long used as a way to pictorially represent a network connection between two end-points without trying to depict or represent the hardware, technology and software that resides inside. Clouds have been around for a long time in technical schematics but the term “cloud computing” has only recently come in vogue as an answer to everyone’s technology prayer. It is, in a manner of speaking, a cute little marketing gimmick.

As far as business continuity and disaster recovery planning is concerned, we should not think of the cloud as the savior to all our recovery challenges. In fact, the only thing that is really new is the term. Technology continuity programs have utilized networks to distance end users from the technology they use; to allow flexible access to other resources to meet increased demand or adjust to unexpected problems; and, to back up data to off-site locations for a long time. Before the term “the cloud” became a cool thing to say, we simply called it remote computing.

But the fact remains, there is still hardware and software at each end of and within the cloud itself that can break and require redundancies, quick fixes or alternate modes of operation depending upon the timeliness you need that functionality back in play. In other words – we still need disaster recovery plans.

Furthermore, the cloud represents some additional risks and threats itself. Just as the cloud is used to avoid depicting what happens inside, it also hides who might be inside there with you. Networks can be compromised. You may not know who else is inside that cloud looking at, duplicating and/or changing your data. In addition, much of the cloud concept now includes having solutions where data and applications are warehoused on technology that houses other organizations’ data and applications as well. All of this opens up risks of compromise, sabotage and cyber terrorism. In fact now, some endpoints that do not have adequate backup solutions in place can take down numerous companies with one incident. There are several industries that utilize the cloud to access a monopoly-like third party service provider to help them function. If that organization experiences a failure without adequate backup systems in place – an entire industry could be jeopardized. One example that immediately comes to mind is the airline industry. There are few service providers that provide flight control data necessary to board planes, perform crew scheduling, and manage operations. If one of those entities experiences a prolonged outage – many airlines may be non-operational until the systems can be brought back up on-line.

Like almost everything else in life, the cloud provides many benefits but it also has potential risks and downfalls. I simply suggest that business continuity and disaster recovery planners do not let the hype of “the cloud” cloud our judgment on what is needed in our continuity programs. In many cases, the use of the cloud simply relocates single-points-of-failure or moves risks and threats from internal assets to vendor supported assets, but the risks and threats are still there and the impacts of failure still remain.

Out with the Old In with the New

Well, we are now several weeks into the new year and, as crisis management and business continuity professionals, we are happy to see 2012 in our rear view mirrors.  Maybe it is just the relative recentness of Hurricane Sandy, or the fact that she devastated such a wide and highly populated area in the United States, but 2012 seemed to have been a very busy year for business continuity planners.  And, this is not just in terms of responses to a number of disasters, but also in terms of preparing for high-risk events such as the London Olympics, the US Presidential Party Conventions and several Political Summits throughout the region.

I guess some of the reasons we were so busy are good reasons.  I am witnessing a much higher level of awareness for the potential of business interruptions occurring from mass gathering events.  I have been somewhat impressed with the levels of preparedness from both the public and private domain for events such as the Olympics and the Conventions.  It seems people are starting to realize the benefits of the private and public sectors working together in preparation for these events.  Coordinating work schedules and being aware of commuting challenges and potential mass gatherings, coupled with work from home solutions and proactive strategies for shifting work-flows and employees away from the congestion during the most active event times, seem to all have helped businesses and communities cope with the challenges of hosting such events.

And, I think, by planning for these kinds of scheduled interruptions, our programs have been strengthened and improved, allowing us to better respond to the unscheduled interruptions that seem to be happening at an alarmingly more frequent rate with a much wider footprint.

This article from Huffington Post does a pretty good job in summarizing the challenges we experienced in 2012 caused by disaster.  Even though there are a number of “disasters” associated with wildfires in the US this past year, there are enough other events that support my statement that 2012 was a busy year.

The one quote that stands out to me in the Huffington Post article is from the acting director of the U.S. National Weather Service, Laura Furgione, who states, “The normal has changed, I guess. The normal is extreme.”  Well, if extreme is our new normal, it is up to all of us to make sure that “prepared” is our new posture.

While I am glad to put 2012 behind us, I am also anxious to make sure that we, as planners, have grown and applied the lessons learned from these events in our 2013 and beyond plans.  Do not fall into the trap of believing what we learned from Hurricane Sandy only prepares us for the next Hurricane.  Focus on the impacts.  Some of the lessons learned from Sandy are applicable for any event that immobilizes a large portion of our workforce, or forces closure of a number of our key facilities, or results in widespread power outages, and on and on.

The German writer, artist and politician Johann Wolfgang von Goethe once said, “The greatest tragedy in all of life is to experience the pain but miss the lesson.”  I hope that the pain experienced in 2012 was not for nothing.

Now, bring on 2013.  I can’t wait to see what she has in store for us.

Businesses Driving Businesses to Plan: The Planning Impetus

One of the greatest challenges, I think, with getting companies (and by this, I mean the BOD of companies) to pay more attention to and invest more capital in business continuity and disaster recovery plans is that there is no real “pain” in not having a plan unless a disaster occurs.

I mean, what pain does a company really realize by not having a viable business continuity plan?

There are no fines; no penalties; no lost revenue; no competitive disadvantage to really speak of.  Sure, we BCP/DR professionals will try to convince you this is not entirely true … but, come on, what pain does the Executive Suite really feel?  Be honest.  Any fines or penalties for not having a plan will only be levied when this fact is discovered FOLLOWING your inadequate response to a disaster.

The BCP Planners complain?  So what … it’s their job to complain.

Failed audits?  Big deal – pretend to fix the issues – just don’t spend too much money doing so.

Me, personally, I don’t think the government will or necessarily should audit plans and levy fines or penalties.  No, the impetus for getting BCP/DR planning really rolling in Corporate America (or worldwide) will come when the big guys finally get so concerned with interruptions that might occur with their vendors and suppliers that they start making viable, certified plans a condition for doing business with them.

This is when the pain will be felt.  Having your customers demanding you have plans in place in order to win or maintain their business will impact your bottom line.  Not having plans will be a competitive disadvantage.  And, you can bet your bottom dollar, the Executive Suite will ensure that this business requirement is fulfilled to their biggest customers’ satisfaction.

In my mind, when the big fish start to worry about the plans of their suppliers, BCP and DR planning will become a much more important strategic concern for all the smaller fish.  And, I think that time is coming.  Until then, good luck trying to find the pain points that work in your organization.

The Job of the Business Continuity Planner

Many professionals that I talk to seem to think that the Business Continuity Planner’s job is to ensure their company can recover from business interruption events.  Now, this may just be an argument in semantics or me simply splitting hairs, but I don’t quite see it that way.

In my way of thinking, the Business Continuity Planner’s job is to make sure that management is informed of risks, potential impacts resulting from those risks and the costs/benefits of options available to mitigate or respond to those risks, so that management can make informed and intelligent decisions about what mitigation and recovery strategies to invest in.  And, when those decisions are made, the Business Continuity Planner is responsible for helping manage and coordinate the implementation and testing of those solutions.  But, it is senior management’s job to ensure that the company can recover from business interruption events.

In my mind, the worst thing that can happen to a Business Continuity Planner is not that the company cannot recover from an incident, but that senior management is justified in saying, “But no one told me that this risk existed and these implications could occur”.  If the Business Continuity Planner can show that the risks were identified, the impacts made clear and viable solutions presented that management chose not to invest in, then the Business Continuity Planner has done his/her job.

We cannot force management to invest in business continuity or disaster recovery solutions, but we can let them know, with no uncertainty, what is potentially at risk should they not invest in, or under-invest in, business continuity and disaster recovery solutions.  Our job is to ensure that there are no surprises about what might occur and what the impacts might be should a business interruption event occur.

Prior to management making decisions to invest in solutions, the Business Continuity Planner’s job is to gather information, research risks and solutions, perform cost/benefits analysis and communicate our findings to the proper decision makers.  We are often research analysts and salespeople.  And, it is a difficult sale to make – asking management to invest capital from a limited available cache in our programs as opposed to other programs being pitched by other department managers.

The risks we must inform management about go beyond the risk of disasters; they also include the risk of being out of compliance with laws, contracts and industry standards.  And, we must be brutally honest about our abilities to respond and recover.  We do this by realistically conducting exercises and tests and reporting back the findings without a bias towards success.

Our job is to set expectations consistent with the risk environment and solutions in place today.  It is senior management’s job to decide what risks are acceptable and how much to invest in improving our solutions.  If they do not have all of the right information to make that decision, it is then that we have failed in our jobs.

Having Plans Even If You Don’t Plan to Recover

I once had my lead sales and marketing guy pull in a favor and get me a meeting with the president of a small, specialty food processing company to discuss business continuity planning and the potential of us helping in the development of a program for this firm.

As soon as I walked into the conference room, this gentleman announced, “Joe, I really don’t know what there is for us to discuss, the fact of the matter is, we have this one location with a lot of expensive and unique equipment.  If a disaster takes us down, we simply go out of business.  There is no way, short of building a whole new factory for us to get up and running again.  And, quite frankly, that would just be too expensive and not practical.”

Now, of course, I talked to him about the value of having data backup and recovery plans for all of his computer resident data and infrastructure, but, he felt he had all of that in place and was confident with his IT recovery solutions.

So, instead of trying to convince him that he should have some sort of business continuity plans, I told him that even with the strategy of “shutting down and going out of business”, you want to make sure that you do that right – and, that that strategy also requires pre-planning, pre-provisioning, and exercising.

For example, there are things you need to do to go out of business properly:

  • You may still have accounts receivable to be collected.
  • You probably have accounts payable that need to be met.
  • You probably still owe your employees their last paychecks.
  • You have bank accounts and other financial matters that must be closed.
  • You might have salvaged equipment to be sold.
  • You might have legal obligations that need to be addressed.
  • For customers with unfulfilled orders, you might want to help them find another company that could help them.
  • And more.

You don’t just simply stop functioning as a business; there are things that must be done to dissolve the entity.  And, these things will require some people to be active and some tasks to be performed.

Your plan should include strategies for:

  • Getting your trusted advisors together;
  • Communicating with employees, suppliers and customers;
  • Addressing financial and legal matters;
  • And others.

I think we were both surprised that by the end of our meeting, we were shaking hands on a project to team up and document his business continuity – or, should I say – business cessation plans – which we now know as his Crisis Management Plan.

The moral of the story is, even if your strategy is not to invest in recovery solutions, which, in some cases might be the most prudent strategy, your firm still needs a Crisis Management Plan to see that strategy properly employed.

At the end of the day, we had another satisfied client.