INEVOLVE SB Website

Business Continuity Planning Services.


Monday, April 14, 2014

Beware of depending on Third Party Services to assure your daily business and recovery

By Howard ‘Coach’ Pierpont

More organizations are outsourcing portions of their operations these days. Concentrating on the core competency for the organization makes sense in many cases. This allows for the streamlining of internal operations while maximizing the non-core section by utilizing best in class third parties.

The people making the decision to go with a third party need to completely define the statement of work [SOW] and assure that whoever gets the contract follows the SOW. Let me give you an example of a system that was implemented and appeared to be working. At least there was money coming in.

I went to a supplier and requested an item be drop shipped to an east coast location. The supplier had my physical address [not the delivery address] and my mailing or billing address. The supplier contacted the vendor and had the product shipped to the proper location. The vendor was responsible for monthly billing while I was using the product. Somehow the physical address was sent to the vendor and not the billing address.

Granted, I am in a community where they are creative on their street names, but there is a method. My address is 2124 W 17th Street Road. The vendor input the following address: 2124 W 7th Street Road. There is no such address, but that didn’t seem to make a difference to the vendor who was in turn outsourcing their billing process. Each month they transmitted my information to the billing company. The billing company outsourced the physical bill creation to another party. Each month a bill was created, mailed and later returned by the Post Office as undeliverable.

One month the carrier that handles 7th Street Road went to see the carrier that handles 17th Street Road and asked if there was such an address on that street. Yes, 2 different carriers 10 blocks apart, but at least in the same sorting facility. The 17th Street Road carrier took the mail and put a big question mark on the front and delivered it.

I opened the mail and it contained 4 past due with collection notices and a current invoice. I called the customer service number to get my address fixed. The representative only wanted to set me up for electronic payment. I finally got to speak with a supervisor. She did agree to correct the mailing address and remove the dunning messages before sending me new copies of the invoices.

Soon in my physical address mailbox came the invoices without the dunning messages. Another call revealed a significant flaw in the process. It turns out the process between the billing company and the people that create the physical bill is to create the bill first, make the hardcopy and mail the hardcopy bill. Then in a following process they do the address changes.

Another call to customer service to get the address corrected indicated that their process sequence was flawed. I asked for a good invoice with no penalties for still not having paid.

This took 6 months of my working with either no bills or incorrect bills. This took time on my part to initiate the calls and, on the customer service side, to talk to me and try to resolve the issues. Ultimately this was resolved.

Customer service is a cost to any organization. The best run customer service group can reduce their own costs, adding money to the bottom line as well as potentially upselling the customer due to the positive customer service.

If an organization is going to use a third party to handle the non-core business processes, the methodology needs to be highly defined. It also needs to be tested and reviewed. Someone needs to assure that excellent service is delivered to the customer.

If the process is flawed in daily practice, it will not serve the organization well during a crisis or in recovery. Tabletop tests will not always show how things will work in a disaster situation.

A great Business Continuity Practitioner needs to ask the business how the business knows the process really works.  Use of the Socratic approach to the BIA and reviews will serve every BCP well.

About Howard Pierpont

Contact information:  Howard.Pierpont@disasters.org website: www.disasters.org

With almost 30 years of Business Continuity experience, ranging from global large-scale precision manufacturing to small, stand-alone single site operations, Howard has an extensive and unique background in merging business continuity into continuous operations.
Howard is a Certified Recovery Planner from the University of Richmond, VA as well as a Certified Business Manager with the Association of Professionals in Business Management, Chicago, IL. He maintains a CBCP from DRII and holds an MBCI designation from BCI.

He is a Charter Member of ICOR and is currently an instructor and training partner with ICOR. Currently, as a DHS/FEMA Reservist Community Recovery Specialist, he works with businesses, nonprofits and municipal governments in communities having received federal disaster declarations. Howard also serves as Board Chair for the Disaster Preparedness and Emergency Response Association.

                       ______________________________________________________

Tuesday, April 8, 2014

Recovery: Least Understood of the Continuity Lifecycle Elements

The post-crisis recovery phase is one of the least addressed in planning, training and simulations.  This is an area that, if not properly managed, can cost financially, reputationally and operationally.  Communications, internal and external, are, at best, misjudged.  Guidelines for recovery are lacking and most entities lose focus when it comes to discussing recovery operations.  It may be that recovery is one of the most complicated of the lifecycle elements and that no two recoveries are going to follow the same pattern.  However, the recovery process can be segmented into manageable bits that can be undertaken using a project management approach.

Business Continuity Lifecycle – A Perspective on Recovery

Figure 1, entitled, “Business Continuity Lifecycle” provides a top level graphic depiction of the typical cycle of event response, management, recovery and resumption of operations.  I have added the emergency response and crisis management elements as they intermingle with business continuity.  I have simplified the cycle to four major transition points.  Transition point 1 is the reactive response phase, where we react to events and invoke emergency response actions.  This phase is characterized by activation, reactive response and chaos control.


Transition point 2, I have titled “Unplanned Disruption”.  This is the phase where we begin to identify and address the unplanned developments that result from the event and the reactive response to the event.  Unplanned disruption would include those elements of surprise that the planning effort did not directly address or completely overlooked.  During this phase it is possible that crisis management becomes the lead element in the business continuity process.

Transition point 3, I have titled “Planned Disruption”.  It is in this phase that the plan is actually working as it was written (well, perhaps).  This phase is critical to recovery as the recovery planning, based on actual reentry assessment activities, should commence and the recovery team should be transitioned into the organization.

Transition point 4, I have titled “Termination”.  It is in this phase that recovery activities are in full swing.  Restoration and resumption of business operations are underway.  The resumption activities may still be conducted at an alternate location (if an evacuation has occurred).  During this phase the recovery team is moving dislocated units, entities, etc. back to the normal work area.  It is critical in this phase to get it “right” so that the transition back does not create a new event/crisis.  Note that on figure 1, I have differentiated the Recovery Management aspect, as well as the “Business Recovery” and the “Systems/Information Recovery” activities.

Business Recovery involves more than the recovery of systems/information.  Activities, such as Finance, Marketing, Legal, Production, internal support and external support (“Value Chain”) have to be reset and integrated back into the organization.  Depending on the severity of the event, realignment of operations, reorganization and resetting of corporate goals/objectives may be necessary.  While too numerous to delineate in this space, one should have a plan that outlines the functions and areas within the organization.  This plan should establish timelines for recovery of these activities and reintegration into the business operation.  To ensure smooth transition from event termination to recovery and resumption of “normal business” operations, a touchpoint assessment should be part of the recovery process.  This assessment would identify the various touchpoints that major units have in order to incorporate them into the recovery timeline.  For example, if a production unit is coming back on line and new or altered processes are being put in place, training may be required for operators/staff.  The touchpoint with Human Resources would be the training program and certification of staff to operate in the new/altered environment.

Concluding Thoughts

While I have highlighted some aspects of the recovery process in this brief article, I think it is necessary to offer a suggestion regarding recovery plan validation activities.  Some may use the term “drills and exercises” or “simulations” or “war gaming” to describe the validation process.  Designing, developing and implementing a “Recovery Exercise” is, in my experience, a very rare occurrence.  I would recommend that planners take a moment to assess the actual recovery capabilities of their organization.  Design, develop and implement a drill or exercise, whether tabletop or full scale, to see if recovery operations can actually be undertaken and carried out as described in the plan or in the thought process of the organization.  This is an ideal situation for involving the public sector and the “Value Chain” components within your planning framework.  The focus should be on identification of flawed decisions to establish a context for correcting flaws within the risk assessment, business impact assessment process.

About Geary Sikich – Entrepreneur, consultant, author and business lecturer

Contact Information: E-mail: G.Sikich@att.net or gsikich@logicalmanagement.com. Telephone: 1- 219-922-7718.


Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With an M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.

He holds a B.S. in Criminology from Indiana State University and an M.Ed. in Counseling & Guidance from the University of Texas at El Paso. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.


 ____________________________________________________________

Monday, March 24, 2014

Tackling the Business Impact Analysis

A new business continuity analyst will need to create and/or update the organization's Business Impact Analysis (BIA). If this is a task that is new to the organization, then the analyst will need to scope the document and set out the definitions that will be used. Ideally the entire organization will be represented in one or more BIAs. The analyst should present to the sponsoring executive the plan for accomplishing the BIAs. The analyst will need to:


a) describe the objectives of the BIA,

b) show that the focus will be on the business processes,

c) introduce the concepts and terminology such as recovery time objective (RTO), and

d) identify the planned sources of information and validation.

It is important to focus on processes rather than procedures. There should be relatively few processes; however, each process can have many procedures. To use an example common to many organizations, the Human Resources Department may have four processes: hiring/termination, benefits, periodic reviews, and payroll. The procedures for each of these processes may change repeatedly due to new software, regulations or vendor requirements. Therefore the analyst should not try to capture details of the procedures but reference their location within the department. Depending on the organization, BIAs may be reviewed and updated on a periodic basis. In addition to periodic updates, any significant changes to business process(es) should prompt a BIA review.

Given resource or budget constraints, if BIAs cannot be done for the entire organization, then the analyst needs to work with the sponsoring executive to determine which departments and processes are to be considered core to the organization’s mission.

For each process the BIA will identify the needed resources. These include people (do not forget any on-premises long-term consultants), facilities, equipment, and supporting information technology. The analyst will need to note any unique features of the facility that the process uses (e.g. loading dock, clean rooms, vaults). A roster of staff and roles is important to understanding the scale of the process and the relative impact should members of the staff become unable to work. Regarding the IT resources needed, be sure to include required reference databases with applications. Also query the business for any specialized communications gear or production equipment such as check printers. Remember any handheld devices which are needed to generate sales or manage logistics. While business moves relentlessly to electronic formats, required paper-based documents and supplies still need to be inventoried.

Once the who, what, and where have been established, the next step is determining the impact to the organization if the process cannot be done. Various metrics and units of measure can be used; the analyst needs to assimilate what has been learned so far and determine the outage time frames to be used in the discussion and analysis.

What are the time frames of a business or transaction cycle? Are tasks and deliverables accomplished in weeks, days, hours, minutes, or seconds? Depending on what the business time frames are, construct an appropriate scale for determining impacts over time. Impacts can have various dimensions: financial, reputational, legal, regulatory plus any dimension that may be important to the organization. Again, you need to determine the scales for each dimension you use. The disaster may also involve the loss of data. The analyst must determine with management how little data can be lost and the associated time frame(s).

The result will be a series of RTO values that need to be coupled with RPO values.

As an analyst, you will now have a wealth of data. It is up to you to turn this data into information that can be used in the subsequent steps towards the goal of a robust business continuity program. You will need to clearly identify the processes that are necessary for the business to carry out its mission and provide management with an understanding as to the impact should a given process stop. This will provide the inputs to the risk assessment and the basis for the business continuity plans to follow.

Tom Ryan has worked as the global business continuity manager for RBS Sempra Commodities, starting their program from scratch to cover six trading locations with two recovery sites with data centers.  He has done business impact analysis and emergency management consulting work with Datalink, Inc.  Previous to his roles in business continuity, Tom managed a software QA testing department and was an auditor for major investment banks.
______________________________________________________

Monday, March 10, 2014

BS ISO 22301 in 17 Easy Steps

I normally shy away from long blog posts, but this one is critical if you are considering getting your business continuity program certified.  BS ISO 22301 seems very hard to implement at first, but if you understand the requirements of the standard, it becomes very clear, almost too easy to implement across the organization.

There are only a handful of organizations worldwide that have been certified in BS ISO 22301.  Right now is a great time to get on the certification calendar and be one of those organizations who set the gold standard in Business Continuity.

Below are the 17 steps you will need to complete to reach program certification.

Step 1: Management support

Business Continuity will not work if the leadership of the organization or business does not support the effort.  Therefore, it’s critical that leadership understand and support the program continuously.  Your job as a practitioner is to show them why Continuity planning is necessary, not through scary stories and photos, but through showing the value the program brings to the organization.  Getting their support and commitment is the first critical step in any Business Continuity effort, but especially in the certification process.

Step 2: Identification of requirements

This is an easy one.  Identify the requirements of the Business Continuity Program.  It’s similar to identifying the business requirements for a large scale project.  In fact, it’s exactly like that.

But in all honesty, there is really only one requirement for Business Continuity.  If you own, run or manage a business, you have a requirement.  Business Continuity IS the requirement.

If you need a more detailed requirement, you can use BS ISO 22301 as the requirement and make certification a goal of the program.  This will cover everything.

Step 3: Business continuity policy & objectives

Developing clear Business Continuity Policy is critical to getting the support and resources you will need.  In fact, here is the one I use every time.

“[Organization name] will develop, implement and maintain an actionable Business Continuity Program based on the BS ISO 22301 standard with support for internal divisions and departments”.

Simple, to the point and it covers everything that Business Continuity is and needs to be.  This will need to be signed off on by the leadership of the business or organization and disseminated throughout.

Create goals and objectives that are in line with the BS ISO 22301 standard.  Make BS ISO 22301 certification a primary goal.

Step 4: Support documents for management system

This is a heavy lift.  You will need to get to writing documents that support the program.  These support documents include incident response plans, lifecycle management plans, measurement and continuous improvement plans, concept of operations, and other documents that support the overall management of the program.

Step 5: Risk assessment & treatment

Despite me wanting to leave risk management to the risk management folks, you will have to conduct an annual risk assessment to meet the ISO 22301 standard.  This is not hard to do, but getting everyone to agree on the risks and mitigations is another story.  Everyone has their own perspective on what is risk and how it should be handled.

However, it has to be done and the best way to do it is to use the ISO 27001 Risk Assessment and Treatment standard.  It can be applied to both IT systems and BCP Critical Services.

I have a very simple, but useful template you can use.  If you are interested in getting a free copy, let me know.

Step 6: Business impact analysis

The Business Impact Analysis is a very useful tool if you don’t use it the way you are supposed to.  Trying to assess impact before it has occurred is prediction and I leave predictions to fortune tellers, weather people and economists. But, again, it’s part of the ISO standard, so it has to be done on an annual basis at the very least.

But I have modified it a bit to serve the Business Continuity Program better.  What I need to know through the BIA are 4 critical elements for each division or department in the organization.

By division or department:
  1. What Critical Services does it provide to the organization?
  2. What are the Essential Functions that support those Critical Services?
  3. Who are Critical Staff or what are the Critical Staff Roles (internal and/or external) that support those Essential Functions?
  4. What is required to support the Critical Staff (IT Systems, Alternate Facilities, Communications, etc.)?

Armed with this information, you can continue to the next step.

I have a very simple, but useful template you can use for this too.  If you are interested in getting a free copy, let me know.

Step 7: Business continuity strategy

This is the section where you determine the Continuity Strategy you are going to use.  The one I have had the most success with I will share with you.

1)    Have the leadership assign (done during Step 1) from within the organization a Business Continuity Lead (BCL) and an IT Disaster Recovery Lead (IT DRL).  These two roles are the program leads.

2)    Have the leadership assign (done during Step 1) someone from each division and/or department the Department Recovery Coordinator (DRC) role to work with you during the program development process.  The DRCs are responsible for developing plans and recovery strategies for their division or department.  The people in these roles need to have a clear and good understanding of the products and services their division or department provides.

3)    Have the IT leadership assign IT DR Recovery Teams to support the recovery of critical IT systems.

4)    The BCL and the DRCs are the Incident Response Team for divisions and departments and the DRL and DR Recovery Teams are the Incident Response Team for Critical IT Systems.

5)    The Organizational Leadership and the BCL and DRL make up the Crisis Management Team.

6)    If you have a communications department in the organization, they become the Crisis Communications Team.  If not, then the Crisis Management Team is also the Crisis Communications Team.

The key is to: UTILIZE INTERNAL RESOURCES

The 8.4.2 section of BS ISO 22301 requires establishing an Incident Response structure and framework.  I create one for Business Continuity and one for IT Disaster Recovery.  This is the process of responding to incidents, tracking and managing them and it ties into post incident reviews.

I have templates for incident response.  If you are interested in receiving free copies, let me know.

Step 8: Business continuity plan

This is another heavy lift; however, it doesn’t have to be time consuming.  Once you have the information from step six, you can begin populating plans.  Each division and/or department needs to have a unit plan, or Continuity of Operations Plan.  The combination of these plans along with the Crisis Management Plan, the Crisis Communications Plan, and all of the support documentation that is created in step 4 makes up the Business Continuity Plan.  There are several templates that you can use to make things easier.  I prefer a modified version of the Continuity of Operations template developed and provided free of charge from the Federal Emergency Management Agency (FEMA).

If you are interested in getting a free copy of the modified version of the template, let me know.

Step 9: Training & awareness

Training and awareness is a key requirement for all of this to function properly.  FEMA offers free awareness training.  IS-546.A: Continuity of Operations Awareness Course: http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=is-546.a

FEMA also offers Independent study courses here: http://training.fema.gov/IS/crslist.aspx

This will get the organization part of the way.  The remaining training must be tailored to the organization.  Here is a list of training courses you will need.

  • Crisis Management Training
  • Crisis Communications Training
  • Incident Response Training

Step 10: Documentation maintenance

The best way to meet this requirement is to follow the section of the ISO 9001:2008 standard concerning document control.  There is going to be quite a bit of documentation generated by the program and the 9001:2008 standard will help control it.  I also use document management systems like Microsoft SharePoint to manage documents and version control.

Step 11: Exercising and testing

Exercising and testing is the cornerstone of Business Continuity.  A plan not tested and exercised is not a plan.  The Homeland Security Exercise and Evaluation Program (HSEEP) is, by far, the most comprehensive program out there.  And it’s free.  But first, it would be wise to take the free exercise training and development courses provided by FEMA.


IS-130: Exercise Evaluation and Improvement Planning: http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=IS-130


FEMA HSEEP: Website: https://www.llis.dhs.gov/hseep

Step 12: Post-incident reviews

Post-incident reviews are necessary to review the response to an incident and identify gaps.  An After Action/Corrective Action report needs to be developed, corrective action tasks assigned and suspense dates for corrective actions defined.  You can modify the HSEEP AAR/IP template to meet this requirement.

Step 13: Communication with interested parties

This deals with communication as a whole.  Communicating the program, statuses, incident reporting and communications with external resources and 3rd party vendors.  Constantly communicate what you are doing, how you are doing it and why it has to be done.  You can do this in the form of status reports, newsletters, leadership reviews, awareness training, video information and other forms of communicating during the Business Continuity Lifecycle (Plan, Do, Check, Act model).  Communicate up and down the organizational structure often and clearly.

Step 14: Measurement and evaluation

You will have to establish a Lifecycle Management program that includes performance metrics and evaluation criteria.  This is much simpler than it seems.  Some people think you can only measure Business Continuity when the plan is activated, but that is only a very small portion of what can be measured.  Instead of going into the details of what can be measured (there are hundreds of metrics), I can provide you two free templates that cover the most important things in Business Continuity Measurement and Evaluation.  Let me know if you would like the templates.

The Lifecycle Management Plan is part of the Continuous Improvement Process.

Step 15: Internal audit

Internal auditing is necessary to ensure the program is accurate and continues to meet the requirement of the BS ISO 22301 standard.  Please note that this is an “Internal” audit team.  This team and their review criteria are established in the Business Continuity Lifecycle Management Plan.  I have a template for this.  If you are interested in a free copy, let me know.

Step 16: Corrective actions

Corrective actions are part of the Plan, Do, Check, Act model; however, they need to be integrated into every step in the BS ISO standard.  The Lifecycle Management Plan takes on the role of evaluating and developing corrective actions across the entire program, from development to implementation, activation and incident response to review and internal audit.  I also have a template for this.  If you are interested in a free copy, leave a comment. This is also part of the Continuous Improvement Process.

Step 17: Management review

This relates back to the very first step.  Management must have insight and continuous review ability.  Invite them to exercises and plan review sessions.  Invite them to review all of the Business Continuity documentation and strategies.  Invite them to be a part of the working groups.  And as always, schedule management review meetings regularly so they can gain better insight, ask questions and offer suggestions before the documents and strategies become active.  A monthly In Process Review is the best way to review the entire program with Management and Leadership. And as always, generate an After Action Report of the corrective actions that need to be taken and present the status of open action items and the results of closed action items at the next In Process Review.  This is also part of the Continuous Improvement Process.

Another idea is to have management be members of the Document Review Team for Lifecycle Management.  This way they will have detailed insight into the documents themselves.  I use this method for every review team I have ever established and it is very effective.

Note: State and federal regulated industries and governments have additional requirements that you will have to consider in addition to the 17 steps above.  The federal government alone has many additional rules and requirements related to Business Continuity in Federal Government and federal agencies, so be sure to include those in your certification process.

Additional Information

1)    Purchase a copy of BS ISO 22301 from the BSI store: http://shop.bsigroup.com/ProductDetail/?pid=000000000030207716.

2)    If at all possible, purchase copies of the ISO 27001 and the ISO 9001:2008 standards from the same store.

3)    If you intend to submit the Business Continuity Program for certification (highly recommended), be sure to visit the FEMA PS-Prep website http://www.fema.gov/voluntary-private-sector-preparedness-program-ps-preptm-small-business-preparedness for information, details and certification requirements.

I also have a BS ISO 22301 auditing template if your Business Continuity Program is already established and you want to evaluate it against the standard.  If you would like a free copy, let me know.

Template requests should be sent to Mike Minzes at info@inevolve.com

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET .
 ______________________________________________________

Monday, March 3, 2014

7 other Uses For The Tabletop Exercise

A few weeks ago I wrote a post on 4 other uses for the tabletop exercise.  You can read it here.

Several people have added their suggestions and I wanted to gather their ideas in one post.

There are certainly several other uses for the tabletop exercise.  What do you use them for?

Below is a video that offers some suggestions.


Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET.
 ______________________________________________________

Monday, February 24, 2014

Do-it-yourself Business Continuity for small businesses

DIY Projects.  There are do-it-yourself projects for just about anything under the sun.  If you get the parts and materials, there are videos or walk-throughs that can show you how to build just about anything.
So it isn’t any surprise to me that the Federal Emergency Management Agency (FEMA) has a little-known DIY project designed to help businesses and organizations develop and implement Business Continuity.

The Business Continuity Planning Suite is a FREE toolset provided by FEMA for developing and implementing Business Continuity in any size organization or across any agency.  It can be downloaded from the FEMA website and installed on any PC running Windows.  The toolset has free Business Continuity Training courses, Plan templates and instructions for both Business Continuity Planning and IT Disaster Recovery Planning, and even has exercise program development tools.

It has a step-by-step guide on how to develop and implement Business Continuity across a business or an organization.  The steps and processes are easy to understand and follow and if you ever get stuck, there is a free training course that covers each topic.

It does require a little time, but what important DIY project doesn't?  It’s just a matter of committing the effort to it and in very little time, you can have an actionable Business Continuity program running in your business or organization.

This is a great starting point for small businesses or organizations looking to bring in Business Continuity without it being costly.

This is just a very basic framework, but it can be built upon once it is implemented.

The Planning Suite is an extractable ZIP file.  Unzip the file and run the main start page to access the suite.

The Business Continuity Planning Suite can be accessed and downloaded here:

I suggest you watch the short training videos in order first.  They can be accessed from the Planning Suite or directly by following the link below.

Emergency Plans for workplaces can be accessed here:

This suite will help get the process started with bringing Business Continuity to your business or organization.  And it doesn't cost anything.

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET.
 ______________________________________________________

Monday, February 17, 2014

"Counting the costs, and benefits, for Business Continuity – a U.S. Consultant’s perspective"

By Geary Sikich

Introduction
When I was asked to write this article for Business Continuity Awareness Week (BCAW) a caveat was given that this must actually be my position (they stated that they are not looking for a BC practitioner to offer what they believe is a CFO perspective). So, with that caveat in mind, here is my position on counting costs and benefits for business continuity.

How does one define the costs, benefits and intangible value of business continuity? Do we apply standard arguments, such as Return On Investment (ROI)? Or, do we embrace a definition that is vague and can mean whatever a person wishes it to mean? Let us take a look at value. Value can be defined as:
The regard that something is held to deserve; the importance, worth, or usefulness of something.
The material or monetary worth of something.
The worth of something compared to the price paid or asked for it.
A person's principles or standards of behavior; one's judgment of what is important in life.
So how do you justify the costs for Business Continuity and express its benefits in terms that make sense to senior executives, middle management and employees in general?

Critical Questions
To start one must look critically at business continuity. This entails asking questions, critical questions as to the definition of business continuity and what business continuity promises. An interesting phrase in Croatian is: “U laži su kratke noge”. The phrase U laži su kratke noge basically means that a lie has no legs or that one can't get away with a lie; the truth will always come out. A literal translation is: A lie has short legs and can be appropriately used for any number of political promises made, especially pre-election, which are short-lived.

In my view, business continuity as currently practiced promises a lot and delivers very little. Software is abundant and generally lacks any depth in terms of value, short of an inventory list of “mission critical” processes; workstation components and call trees. We fail to ask critical questions regarding the “continuity” of the business and therefore generally provide little of value in respect to business continuity. Most programs are no more than enhanced systems recovery or enhanced emergency preparedness masquerading in the guise of “business continuity.” Dissecting process becomes a means to an end defined as “Mission Critical.” Yet, we fail to ask: “Is the process still relevant after a disaster?” The research that is done is very prescriptive, there is little in the way of creative problem solving and critical thinking. Our knowledge base contains a wealth of potentially inaccurate “False Positives” cloaked in the veil of “Business Impact Assessment” jargon. The alignment of the business continuity program is along “Defined Boundaries” and departmental turf; that is only crossed with extreme trepidation. Business continuity is not embraced as well as we think – which leads practitioners to believe that they are making headway and that they talk the language of the C-Suite.

Plans are accepted on a prima facie basis. Prima Facie is defined as: “What appears to be true and is accepted as a fact, until evidence to the contrary is presented.” The value received from planning is often overshadowed by the lack of scope in the planning process. We fail to ask critical questions regarding where the organization (enterprise) needs to be in the future. That is not to say that we can predict the future. Far from it; but we need to look to the future instead of relying on the past as the predictor of success. ROI is a measure of past performance not future performance/value.

Plans generally are tactical and not strategic. We talk about business continuity, but in fact, build evacuation, systems recovery and other tactical documents. At first sight; before closer inspection: They had, prima facie, a legitimate plan.
Business continuity is about making difficult decisions. CVS recently decided to stop selling tobacco products. Tobacco products represent a “cash cow” for most businesses. However, CVS is a healthcare enterprise. Will their decision affect the continuity of the business? The answer is, of course. But this was a strategic business decision that reflects the continuity of the business operations of CVS.
Planning takes effort. Look at a map and the distance between places does not appear all that far. Take for example, Hong Kong to Tokyo or Istanbul to Kuwait City. Yet, having taken flights from these places, I can tell you that these are long and painful on parts of the body.

Concluding Thoughts
Most business continuity programs end up putting the bullseye over the bullet holes. In other words, if you don’t have a target you are bound to hit something. Ask a few simple questions, “What are the goals and objectives for the organization in the next year?” “What is covered in the business interruption insurance policy (if one exists)?” “What customer represents more than 10% of your business revenue?” “Where is the competition for your organization (enterprise) materializing?” What you generally get back, beyond the blank stare, are answers that can be summarized thus: “That is not my job and not within the scope of our business continuity program.” Reflect on this: Continuity is being there in the future providing the goods and services that your markets demand. Continuity is not a narrowly focused initiative that is tactical in nature and fails to ask the right questions for fear of failure.

In a recent article written for McKinsey & CO. Professor Philip Rosenzweig (The benefits—and limits—of decision models) writes:
The growing power of decision models has captured plenty of C-suite attention in recent years. Combining vast amounts of data and increasingly sophisticated algorithms, modeling has opened up new pathways for improving corporate performance. Models can be immensely useful, often making very accurate predictions or guiding knotty optimization choices and, in the process, can help companies to avoid some of the common biases that at times undermine leaders’ judgments.
Yet when organizations embrace decision models, they sometimes overlook the need to use them well.
I think that this summarizes my position on business continuity well – we need to embrace the model and we need to not overlook how to use the model well.

By Geary Sikich – Entrepreneur, consultant, author and business lecturer
Contact Information: E-mail: G.Sikich@att.net or gsikich@logicalmanagement.com. Telephone: 1- 219-922-7718.

Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide. Geary is well-versed in contingency planning, risk management, human resource development, “war gaming,” as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the U.S. Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. Geary has a passion for helping executives, risk managers, and contingency planning professionals leverage their brand and leadership skills by enhancing decision making skills, changing behaviors, communication styles and risk management efforts. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.

______________________________________________________

Monday, February 10, 2014

4 Other Uses For Tabletop Exercising Other Than Scenario-Based Testing

Exercising is perhaps the most important part of a Business Continuity Program.  Once all of the plans have been developed, exercising helps validate that they are actionable and helps identify gaps in recovery and/or sustainment of critical services.  Traditional tabletop exercises have a script that the facilitator follows and the Business Continuity Team determines the best course of action.

But not all tabletop exercises have to be created equal.  The tabletop exercise can be used as much as an information gathering tool as a scenario-based test.

Here are 4 additional reasons to conduct Tabletop Exercises often, other than testing and drilling.

Strategy Development
At some point you are going to have to develop a recovery and sustainment strategy.  Tabletop exercises are the best place to get this conversation started with each division and department.  Now that Critical Services, Critical Staff and Critical Support Requirements have been defined, it’s time to figure out the best way to reach the final goal of sustainability.  In this tabletop you would meet with the Department Recovery Coordinators (DRC) individually  to discuss how they go about sustaining or recovering the services in their division or department, alternate relocation site activation, vital records management and staff notification.  Once the strategy is defined, another tabletop exercise is scheduled with the DRC and Emergency Relocation Group to validate the procedure through a scenario-based exercise.

Teambuilding
The only way for a Business Continuity Program to work is if all the moving parts work together to achieve the same objectives.  Using the first tabletop exercise to build consensus across the teams is a very useful way to get them to agree on what needs to happen and when.  Instead of trying to figure it out all on your own, let the organization determine what is best for them and then get the teams to agree on what needs to happen.

Review and Audit
Using selected Business Continuity Team members (Program Lead, DRCs, Recovery Teams, etc.) as the Program Review and Audit Team not only meets the requirements of BS ISO 22301, it places accountability on the teams that will be responsible for executing the plans in the event of a disaster or crisis and requires that they update them accordingly.  Furthermore, you also need someone outside of the continuity teams to be on the review and audit team who can be an objective voice.

Brainstorming
Despite what we think of ourselves, we don’t know it all.  Business Continuity is a group effort and good discussions bring to light things that were not considered.  This doesn’t need to be a fluff exercise, but it should be a way for everyone to express their ideas.  There are never any bad ideas.  Only better ones.  It’s the better ones you want to use in your planning development process.
The other way to achieve this result is to form a working group for Business Continuity and charter it.  Having a forum to share ideas is really the only way to make Business Continuity actionable.

What other uses for tabletop exercises other than traditional scenario-based testing do you see or use?



Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET.
______________________________________________________

Wednesday, February 5, 2014

The reality of the events in Atlanta Georgia on January 28, 2014 (Snow Storm)

There has been so much speculation and finger pointing pertaining to the events that occurred in the Atlanta Metro Area related to the snow storm that occurred on January 28, 2014. It is necessary to explain how things transpired as they did from someone who dealt with it first hand.

I left my office at 4:00 PM that afternoon and what would normally be a 45 minute drive, turned into a 7 hour ordeal. I saw firsthand why the situation got out of control as quickly as it did. Below are my observations and experiences. You are welcome to come to your own conclusions.

1) The National Weather Service may claim that they knew the storm had a very high potential of impacting the Atlanta Metro area early on, and they likely did, but they didn’t disseminate this information to local affiliates until after 11:00 AM on January 28th. Even then the potential was still lower than evacuation triggers (around 50% potential). By the time the information reached city officials and the likelihood was raised, people were already at work and kids were already at school and the snow was falling. It’s clear to me that we cannot rely on weather predictions and the NWS to get information to necessary decision makers quickly.

2) The release of staff was not staggered, so everyone left at the same time, which put over a million cars on the roads at the same time. (Note that the Mayor of Atlanta and the Governor of Georgia took complete responsibility for this). The Atlanta Public School District DID, however stagger release of students in their schools.

3) Georgia residents were not prepared for the impact this could have on them, so very few personal precautions were taken in advance. They are also not used to driving in such conditions so there were several accidents (over 1000 in just a few hours). Drivers were going too fast for conditions. Frustrations ran very high and that caused many more accidents.

4) Hundreds of car and big truck drivers abandoned their vehicles in the middle of the roads, highways and exit ramps blocking the traffic behind them. There were occasions where entire highways and interstates were 100% blocked by abandoned cars and trucks and nothing could pass. Buses full of students were stuck because of blocked roads, highways and interstates. Several hundred students were stuck in schools overnight. Buses could not get to their locations because roads were blocked. School bus drivers with buses full of students were stuck for many hours and did what they had to do to accommodate them. Bus drivers and school administrators did what they could to help the kids. In my opinion, they are the heroes of this ordeal.

5) This was a rare snow and ice event in Atlanta. Cities and counties in Metro Atlanta can’t afford to keep sand and salt trucks on standby for something that occurs 2 or more years apart. Up north they can maintain fleet because it’s a regular occurrence. The few treatment trucks they do have in Atlanta were stuck in traffic like everyone else.

6) Businesses in the area kept their doors open long past closing time to accommodate people who were stranded, so the business community stepped up in the metro area's time of need. They are heroes as well. Home Depot, CVS and many other businesses made this event a little easier.

This is a case where everybody could have prepared better.  Simple as that.  No one is to blame and everyone is to blame.

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET.
______________________________________________________

Tuesday, February 4, 2014

The Core Documents of Business Continuity Planning – Getting Started

By Tom Ryan

Congratulations!  You've just landed a job or assignment in the Business Continuity department for your company and it's time to get started.  As you navigate through the issues, it is important to remember the mission is to reduce risk to the organization by minimizing the impact of a disruptive event.  To do this you will rely on many members of the organization, from senior management to the mailroom.

There are several core documents to be developed and revised over the course of your business continuity career.  They are the Business Impact Analysis (BIA), the Risk Assessment, the Business Continuity Plan (BCP), the exercise/test plans, and the governance reporting.  But the true core deliverable, in the moment of need, is the business continuity plan.

I put the BIA first on the list of documents to create over the Risk Assessment.  You will learn that there are different schools of thought as with any discipline.  In my view, understanding what is critical to the organization is a prerequisite to scoping the risk assessment.  For example, if you run a warehousing business the critical processes will be different from that of a hospital or a financial services company.  These processes will have their own risk profiles and understanding those risks is important.

The true core document is the business continuity plan.  This is the document that will address the risk to the organization; this is the operational document to use in the event of a disaster or lesser incident.  Again, there are schools of thought on the scope and development of the BCP.  One school will look only at the impact and begin at the point of the outage.  My view is that scenario plans can be useful, particularly for events that occur on a regular basis (e.g. hurricanes and blizzards).

To ensure that the BCP is valid, sufficient, and effective one needs to test it.  Each organization will develop a test plan(s) according to its situation.  Some organizations may not be able to conduct a test.  In these less than ideal circumstances, the business continuity planner should conduct a series of desktop exercises to discuss the plan, procedures that need to be followed, and potential issues.

The conclusion of tests and/or exercises then leads to governance reporting.  Typically this will be to the business managers associated with the tests.   These reports will review the scope and objectives of the test, issues raised as a result of the tests, and the action plan to resolve or mitigate those issues.   A summary of the tests should be sent to the sponsoring senior manager, senior stakeholders, and appropriate risk committees.

The communication with senior management should illustrate the nature and means by which the business continuity plan will reduce the impact of a disaster to the organization.

Tom Ryan has worked as the global business continuity manager for RBS Sempra Commodities, starting their program from scratch to cover six trading locations with two recovery sites with data centers.  He has done business impact analysis and emergency management consulting work with Datalink, Inc.  Previous to his roles in business continuity, Tom managed a software QA testing department and was an auditor for major investment banks.


______________________________________________________

Monday, February 3, 2014

The Story of Widgets, Inc

Once upon a time there was a wildly successful company called Widgets, Inc.  They made widgets, of course.  They designed them, mass produced them in their own manufacturing centers and shipped them using their own fleet of Widgets, Inc trucks to Widget stores for sale to consumers. They also provided aftermarket support to the customers who purchased widgets at their retail stores and through their on-line eCommerce website.

One morning, the CEO called a meeting to ask some questions about Business Continuity.  He had questions about how he could bring Business Continuity to Widgets, Inc.

The story continues here:



Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET.
______________________________________________________

Monday, January 27, 2014

15 Planning and Preparedness Quotes From Masters in Their Professions


Planning and preparedness are things that every professional in every industry who is, or has been very successful or masterful at what they do makes a priority. 

They are proof that planning and preparation begets success. 

But it is also the way we think as much as it is the way we act.

Preparing and planning is more than just writing down a goal or two and posting them on a wall. Knowing how to get where you are going, anticipating obstacles along the way, how to overcome them if they happen and how to deal with the angst that setbacks can bring all dictate when and how success comes, or even if it does at all.

The right mindset is a key aspect of success as much as the planning is.

Some of the greatest leaders and masters in their industries know this and live or lived by it. Planning and preparation for what does, or might lie ahead is the very way these people achieved what they did.

From Sun Tzu (544–496 BC) and Confucius (551–479 BC) to modern day successes like Elon Musk, Will Smith and Oprah Winfrey, all of them advocated planning and preparing.

Plan, be prepared and be willing to do what it takes to be successful. Opportunity will arrive. 

Business Continuity is a planning discipline that these same principles apply to.

Here are fifteen (15) planning and preparedness quotes from great thinkers and planners spanning 2500 years.
1) "Success depends upon previous preparation, and without such preparation there is sure to be failure". - Confucius  
2) "The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand". - Sun Tzu
3) "For which of you, desiring to build a tower, does not first sit down and count the cost, whether he has enough to complete it? Otherwise, when he has laid a foundation and is not able to finish, all who see it begin to mock him, saying, ‘This man began to build and was not able to finish’". - Luke 14:28-33 ~ Holy Bible
4) "Give me six hours to chop down a tree and I will spend the first four sharpening the axe" - Abraham Lincoln  
5) "Before anything else, preparation is the key to success". - Alexander Graham Bell
6) "Let our advance worrying become advance thinking and planning". - Winston Churchill
7) "The time to repair the roof is when the sun is shining". - John F. Kennedy
8) "Your biggest enemy is the unknown and assumptions". - LTG Christianson
9) "Our thinking and our behavior are always in anticipation of a response. It is therefore fear-based". - Deepak Chopra
10) “Someone's sitting in the shade today because someone planted a tree a long time ago”. - Warren Buffett 
11) "Even with all our technology and the inventions that make modern life so much easier than it once was, it takes just one big natural disaster to wipe all that away and remind us that, here on Earth, we're still at the mercy of nature". - Neil deGrasse Tyson
12) "Fundamental preparation is always effective". - Kareem Abdul-Jabbar
13) "Some people don't like change, but you need to embrace change if the alternative is disaster". - Elon Musk
14) "I feel that luck is preparation meeting opportunity". - Oprah Winfrey
15) "I've always considered myself to be just average talent and what I have is a ridiculous insane obsessiveness for practice and preparation". - Will Smith

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET.
______________________________________________________