Business Continuity Planning Services.

Free Tools

Free Tools for Developing Continuity Plans and Programs.

Monday, February 24, 2014

Do-it-yourself Business Continuity for small businesses

DIY Projects.  There are do-it-yourself projects for just about anything under the sun.  If you get the parts and materials, there are videos or walk-throughs that can show you how to build just about anything.
So it isn’t any surprise to me that the Federal Emergency Management Agency (FEMA) has a little known DIY project designed help businesses and organizations develop and implement Business Continuity.

The Business Continuity Planning Suite is a FREE toolset provided by FEMA for developing and implementing Business Continuity in any size organization or across any agency.  It can be downloaded from the FEMA website and installed on any PC running Windows.  The toolset has free Business Continuity Training courses, Plan templates and instructions for both Business Continuity Planning and IT Disaster Recovery Planning, and even has exercise program development tools.

It has a step-by-step guide on how to develop and implement Business Continuity across a business or an organization.  The steps and processes are easy to understand and follow and if you ever get stuck, there is a free training course that covers each topic.

It does require a little time, but what important DIY project doesn't?  It’s just a matter of committing the effort to it and in very little time, you can have an actionable Business Continuity program running in your business or organization.

This is a great starting point for small businesses or organizations looking to bring in Business Continuity without it being costly.

This is just a very basic framework, but it can be built upon once it implemented.

The Planning Suite is an extractable ZIP file.  Unzip the file and run the main start page to access the suite.

The Business Continuity Planning Suite can be accessed and downloaded here:

I suggest you watch the short training videos in order first.  They can be accessed from the Planning Suite or directly by following the link below.

Emergency Plans for workplaces can be accessed here:

This suite will help get the process started with bringing Business Continuity to your business or organization.  And it doesn't cost anything.

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET .

Monday, February 17, 2014

"Counting the costs, and benefits, for Business Continuity – a U.S. Consultant’s perspective"

By Geary Sikich .

When I was asked to write this article for Business Continuity Awareness Week (BCAW) a caveat was given that this must actually be my position (they stated that they are not looking for a BC practitioner to offer what they believe is a CFO perspective). So, with that caveat in mind, here is my position on counting costs and benefits for business continuity.

How does one define the costs, benefits and intangible value of business continuity? Do we apply standard arguments, such as Return On Investment (ROI)? Or, do we embrace a definition that is vague and can mean whatever a person wishes it to mean? Let us take a look at value. Value can be defined as:
The regard that something is held to deserve; the importance, worth, or usefulness of something.
The material or monetary worth of something.
The worth of something compared to the price paid or asked for it.
A person's principles or standards of behavior; one's judgment of what is important in life.
So how do you justify the costs for Business Continuity and express its benefits in terms that make sense to senior executives, middle management and employees in general?

Critical Questions
To start one must look critically at business continuity. This entails asking questions, critical questions as to the definition of business continuity and what business continuity promises. An interesting phrase in Croatian is: “U laži su kratke noge”. The phrase U laži su kratke noge basically means that a lie has no legs or that one can't get away with a lie; the truth will always come out. A literal translation is: A lie has short legs and can be appropriately used for any number of political promises made, especially pre-election, which are short-lived.

In my view, business continuity as currently practiced promises a lot and delivers very little. Software is abundant and generally lacks any depth in terms of value, short of an inventory list of “mission critical” processes; workstation components and call trees. We fail to ask critical questions regarding the “continuity” of the business and therefore generally provide little of value in respect to business continuity. Most programs are no more than enhanced systems recovery or enhanced emergency preparedness masquerading in the guise of “business continuity.” Dissecting process becomes a means to an end defined as “Mission Critical.” Yet, we fail to ask: “Is the process still relevant after a disaster?” The research that is done is very prescriptive, there is little in the way of creative problem solving and critical thinking. Our knowledge base contains a wealth of potentially inaccurate “False Positives” cloaked in the veil of “Business Impact Assessment” jargon. The alignment of the business continuity program is along “Defined Boundaries” and departmental turf; that is only crossed with extreme trepidation. Business continuity is not embraced as well as we think – which leads practitioners to believe that they are making headway and that they talk the language of the C-Suite.

Plans are accepted on a prima facie basis. Prima Facie is defined as: “What appears to be true and is accepted as a fact, until evidence to the contrary is presented.” The value received from planning is often overshadowed by the lack of scope in the planning process. We fail to ask critical questions regarding where the organization (enterprise) needs to be in the future. That is not to say that we can predict the future. Far from it; but we need to look to the future instead of relying on the past as the predictor of success. ROI is a measure of past performance not future performance/value.

Plans generally are tactical and not strategic. We talk about business continuity, but in fact, build evacuation, systems recovery and other tactical documents. At first sight; before closer inspection: They had, prima facie, a legitimate plan.
Business continuity is about making difficult decisions. CVS recently decided to stop selling tobacco products. Tobacco products represent a “cash cow” for most businesses. However, CVS is a healthcare enterprise. Will their decision affect the continuity of the business? The answer is, of course. But this was a strategic business decision that reflects the continuity of the business operations of CVS.
Planning takes effort. Look at a map and the distance between places does not appear all that far. Take for example, Hong Kong to Tokyo or Istanbul to Kuwait City. Yet, having taken flights from these places, I can tell you that these are long and painful on parts of the body.

Concluding Thoughts
Most business continuity programs end up putting the bullseye over the bullet holes. In other words, if you don’t have a target you are bound to hit something. Ask a few simple questions, “What are the goals and objectives for the organization in the next year?” “What is covered in the business interruption insurance policy (if one exists)?” “What customer represents more than 10% of your business revenue?” “Where is the competition for your organization (enterprise) materializing?” What you generally get back, beyond the blank stare are answers that can be summarized thus: “That is not my job and not the within the scope of our business continuity program.” Reflect on this: Continuity is being there in the future providing the goods and services that your markets demand. Continuity is not a narrowly focused initiative that is tactical in nature and fails to ask the right questions for fear of failure.

In a recent article written for McKinsey & CO. Professor Philip Rosenzweig (The benefits—and limits—of decision models) writes:
The growing power of decision models has captured plenty of C-suite attention in recent years. Combining vast amounts of data and increasingly sophisticated algorithms, modeling has opened up new pathways for improving corporate performance. Models can be immensely useful, often making very accurate predictions or guiding knotty optimization choices and, in the process, can help companies to avoid some of the common biases that at times undermine leaders’ judgments.
Yet when organizations embrace decision models, they sometimes overlook the need to use them well.
I think that this summarizes my position on business continuity well – we need to embrace the model and we need to not overlook how to use the model well.

By Geary Sikich – Entrepreneur, consultant, author and business lecturer
Contact Information: E-mail: or Telephone: 1- 219-922-7718.

Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide. Geary is well-versed in contingency planning, risk management, human resource development, “war gaming,” as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the U.S. Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. Geary has a passion for helping executives, risk managers, and contingency planning professionals leverage their brand and leadership skills by enhancing decision making skills, changing behaviors, communication styles and risk management efforts. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.


Monday, February 10, 2014

4 Other Uses For Tabletop Exercising Other Than Scenario-Based Testing

Exercising is perhaps the most important part of a Business Continuity Program.  Once all of the plans have been developed, exercising helps validate that they are actionable and helps identify gaps in recovery and/or sustainment of critical services.  Traditional tabletop exercises have a script that the facilitator follows and the Business Continuity Team determines that best course of action.

But not all tabletop exercises have to be created equal.  The tabletop exercise can be used as much as an information gathering tool as a scenario-based test.

Here are 4 additional uses to conduct Tabletop Exercises often for reasons other than testing and drilling.

Strategy Development
At some point you are going to have to develop a recovery and sustainment strategy.  Tabletop exercises are the best place to get this conversation started with each division and department.  Now that Critical Services, Critical Staff and Critical Support Requirements have been defined, it’s time to figure out the best way to reach the final goal of sustainability.  In this tabletop you would meet with the Department Recovery Coordinators (DRC) individually  to discuss how they go about sustaining or recovering the services in their division or department, alternate relocation site activation, vital records management and staff notification.  Once the strategy is defined, another tabletop exercise is scheduled with the DRC and Emergency Relocation Group to validate the procedure through a scenario-based exercise.

The only way for a Business Continuity Program to work is if all the moving part work together to achieve the same objectives.  Using the first tabletop exercise to build consensus across the teams is a very useful way to get them to agree on what needs to happen and when.   Instead of trying to figure it out all on your own, let the organization determine what is best for them and then get the teams to agree on what needs to happen

Review and Audit
Using selected Business Continuity Team members (Program Lead, DRCs, Recovery Teams, etc.) as the Program Review and Audit Team not only meets the requirements of BS IOS 22301, it places accountability on the teams that will be responsible for executing the plans in the event of a disaster or crisis and requires that they update them accordingly.  Furthermore, you also need someone outside of the continuity teams to be on the review and audit team who can be an objective voice.

Despite what we think of ourselves, we don’t know it all.  Business Continuity is a group effort and good discussions bring to light things that were no considered.  This doesn’t need to be a fluff exercise, but it should be a way for everyone to express their ideas.  There are never any bad ideas.  Only better ones.  It’s the better ones you want to use in your planning development process.
The other way to achieve this result is to form a working group for Business Continuity and charter it.  Having a forum to share ideas is really the only way to make Business Continuity actionable.

What other uses for tabletop exercises other than traditional scenario-based testing do you see or use?

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 year of experience on the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET . ______________________________________________________

Wednesday, February 5, 2014

The reality of the events in Atlanta Georgia on January 28, 2014 (Snow Storm)

There has been so much speculation and finger pointing pertaining to the events that occurred in the Atlanta Metro Area related to the snow storm that occurred on January 28, 2014. It is necessary to explain now things transpired as they did from someone who dealt with it first hand.

I left my office at 4:00 PM that afternoon and what would normally be a 45 minute drive, turned into a 7 hour ordeal. I saw firsthand why the situation got out of control as quickly as it did. Below are my observations and experiences. You are welcome to come to your own conclusions.

1) The National Weather Service may claim that they knew the storm had a very high potential of impacting the Atlanta Metro area early on, and they likely did, but they didn’t disseminate this information to local affiliates until after 11:00 AM on January 28th. Even then the potential was still lower than evacuation triggers (around 50% potential). By the time the information reach city officials and the likelihood was raised, people were already at work and kids were already at school and the snow was falling. It’s clear to me that were can not rely on weather predictions and the NWS to get information to necessary decision makers quickly.

2) The release of staff was not staggered, so everyone left at the same time, which put over a million cars on the roads at the same time. (Note that the Mayor of Atlanta and the Governor of Georgia took complete responsibility for this). The Atlanta Public School District DID, however stagger release of students in their schools.

3) Georgia residents were not prepared for the impact this could have on them, so very few personal precautions were taken in advance. They are also not used to driving in such conditions so there were several accidents (over 1000 in just a few hours). Drivers were going too fast for conditions. Frustrations ran very high and that caused many more accidents.

4) Hundreds of car and big truck drivers abandoned their vehicles in the middle of the roads, highways and exit ramps blocking the traffic behind them. There were occasions where entire highways and interstates were 100% blocked by abandoned cars and trucks and nothing could pass. Buses full of students were stuck because of blocked roads, highways and interstates. Several hundred students were stuck in schools overnight. Buses could not get to their locations because roads were blocked. School bus drivers with buses full of students were stuck for many hours and did what they had to do to accommodate them. Bus drivers and school administrators did what they could to help the kids. I my opinion, they are the heroes of this ordeal.

5) This was a rare snow and ice event in Atlanta. Cities and counties in Metro Atlanta can’t afford to keep sand and salt trucks on standby for something that occurs 2 or more years apart. Up north they can maintain fleet because it’s a regular occurrence. The few treatment trucks they do have in Atlanta were stuck in traffic like everyone else.

6) Businesses in the area kept their doors open long past closing time to accommodate people who were stranded, so the business community stepped up in the metro areas time of need. They are heroes as well. Home Depot, CVS and many other businesses made this event a little easier.

This is a case where everybody could have prepared better.  Simple as that.  No one is to blame and everyone is to blame.

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 year of experience on the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET . 

Tuesday, February 4, 2014

The Core Documents of Business Continuity Planning – Getting Started

By Tom Ryan

Congratulations!  You've just landed a job or assignment in the Business Continuity department for your company and its time to get started.  As you navigate the though the issues, it is important to remember the mission is to reduce risk to the organization by minimizing the impact of a disruptive event.   To do this you will rely on many members of the organization, from senior management to the mailroom. 

There are several core documents to be developed and revised over the course your business continuity career.  They are the Business Impact Analysis (BIA), the Risk Assessment, the Business Continuity Plan (BCP), the exercise/test plans, and the governance reporting.   But the true core deliverable, in the moment of need, is the business continuity plan.

I put the BIA first on the list of documents to create over the Risk Assessment.  You will learn that there are different schools of thought as with any discipline.  In my view, understanding what is critical to the organization is a prerequisite to scoping the risk assessment.  For example, if you run a warehousing business the critical processes will be different from that of a hospital or a financial services company.  These processes will have their own risk profiles and understanding those risks are important.

The true core document is the business continuity plan.  This is the document that will address the risk to the organization; this is the operational document to use in the event of a disaster or lesser incident.  Again, there are schools of thought on the scope and development of the BCP.  One school will look only at the impact and begin at the point of the outage.  My view is that scenario plans can be useful, particularly for events that occur on a regular basis (e.g. hurricanes and blizzards).

To ensure that the BCP is valid, sufficient, and effective one needs to test it.  Each organization will develop a test plan(s) according to its situation.  Some organizations may not be able to conduct a test.  In these less than ideal circumstances, the business continuity planner should conduct a series of desktop exercises to discuss the plan, procedures that need to be followed, and potential issues.

The conclusion of tests and/or exercises then leads to governance reporting.  Typically this will be to the business managers associated with the tests.   These reports will review the scope and objectives of the test, issues raised as a result of the tests, and the action plan to resolve or mitigate those issues.   A summary of the tests should be sent to the sponsoring senior manager, senior stakeholders, and appropriate risk committees.

The communication with senior management should illustrate the nature and means that the business continuity plan will reduce the impact of a disaster to the organization.

Tom Ryan has worked as the global business continuity manager for RBS Sempra Commodities, starting their program from a scratch to cover six trading locations with two recovery sites with data centers.  He has done business impact analysis and emergency management consulting work with Datalink, Inc.  Previous to his roles in business continuity, Tom managed a software QA testing department and was an auditor for major investment banks.


Monday, February 3, 2014

The Story of Widgets, Inc

Once upon a time there was a wildly successful company called Widgets, Inc.  They made widgets, of course.  They design them, mass produce them in their own manufacturing centers and ship them using their own fleet of Widget, Inc trucks to Widget stores for sale to consumer. They also provided after market support to the customers who purchase widgets at their retail stores and through their on-line eCommerce website.

One morning, the CEO called a meeting to ask some questions about Business Continuity.  He had questions about how he could bring Business Continuity to Widgets, Inc.

The story continues here:

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 year of experience on the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET . ______________________________________________________