Business Continuity Planning Services.

Free Tools

Free Tools for Developing Continuity Plans and Programs.

Monday, April 14, 2014

Beware of depending on Third Party Services to assure your daily business and recovery

By Howard ‘Coach’ Pierpont

More organizations are outsourcing portions of their operations these days. Concentrating on the core competency for the organization makes sense in many cases. This allows for the streamlining of internal operations while maximizing the non-core section by utilizing best in class third parties.

The people making the decision to go with a third party need to completely define the statement of work [SOW] and assure that whoever gets the contract follows the SOW. Let me give you an example of a system that was implemented and appeared to be working. At least there was money coming in.

I went to a supplier and requested an item be drop shipped to an east coast location. The supplier had my physical address [not the delivery address] and my mailing or billing address. The supplier contacted the vendor and had the product shipped to the proper location. The vendor was responsible for monthly billing based while I was using the product. Somehow the physical address was sent to the vendor and not the billing address.

Granted, I am in a community where they are creative on their street names, but there is a method. My address is 2124 W 17th Street Road. The vendor input the following address: 2124 W 7th Street Road. There is no such address, but that didn’t seem to make a difference to the vendor who was in turn outsourcing their billing process. Each month they transmitted my information to the billing company. The billing company outsourced the physical bill creation to another party. Each month a bill was created, mailed and later returned by the Post Office as undeliverable.

One month the carrier that handles 7th Street Road went to see the carrier that handles 17th Street Road and asked if there was such an address on that street. Yes, 2 different carriers 10 blocks apart, but at least in the same sorting facility. The 17th Street Road carrier took the mail and put a big question mark on the front and delivered it.

I opened the mail and it contained 4 past due with collection notices and a current invoice. I called the customer service number to get my address fixed. The representative only wanted to set me up for electronic payment. I finally got to speak with a supervisor. She did agree to correct the mailing address and remove the dunning messages before sending me new copies of the invoices.

Soon in my physical address mailbox came the invoices without the dunning messages. Another call revealed a significant flaw in the process. It turns out the process between the billing company and the people that create the physical bill is to create the bill first, make the hardcopy and mail the hardcopy bill. Then in a following process they do the address changes.

Another call to customer service to get the address corrected indicated that their process sequence was flawed. I asked for a good invoice with no penalties for still not having paid.

This took 6 months of my working with either no bills or incorrect bills. This took time on my part to initialize the calls and, on the customer service side, to talk to me and try to resolve the issues. Ultimately this was resolved.

Customer service is a cost to any organization. The best run customer service group can reduce their own costs, adding money to the bottom line as well as potentially up selling the customer due to the positive customer service.

If an organization is going to use a third party to handle the non-core business processes, the methodology needs to be highly defined. It also needs to be tested and reviewed. Someone needs to assure that excellent service is delivered to the customer.

If the process is flawed in daily practice, it will not serve the organization well during a crisis or in recovery. Tabletop tests will not always show how things will work in a disaster situation.

A great Business Continuity Practitioner needs to ask the business how the business knows the process really works.  Use of the Socratic approach to the BIA and reviews will serve every BCP well.

About Howard Pierpont

Contact information: website:

With almost 30 years of Business Continuity experience, ranging from global large-scale precision manufacturing to small, stand-alone single site operations, Howard has an extensive and unique background in merging business continuity into continuous operations.
Howard is a Certified Recovery Planner from the University of Richmond, VA as well as a Certified Business Manager with the Association of Professional in business Management, Chicago, IL. He maintains a CBCP from DRII and holds an MBCI designation from BCI.

He is a Charter Member of ICOR and is currently an instructor and training partner with ICOR. Currently, as a DHS/FEMA Reservist Community Recovery Specialist, he works with businesses, nonprofits and municipal governments in communities having received federal disaster declarations. Howard also serves as Board Chair for the Disaster Preparedness and Emergency Response Association.


Tuesday, April 8, 2014

Recovery: Least Understood of the Continuity Lifecycle Elements

The post-crisis recovery phase is one of the least addressed in planning, training and simulations.  This is an area that, if not properly managed, can cost financially, reputationally and operationally.  Communications, internal and external are, at best, misjudged.  Guidelines for recovery are lacking and most entities lose focus when it comes to discussing recovery operations.  It may be that recovery is one of the most complicated of the lifecycle elements and that no two recoveries are going to follow the same pattern.  However, the recovery process can be segmented into manageable bits that can be undertaken using a project management approach.

Business Continuity Lifecycle – A Perspective on Recovery

Figure 1, entitled, “Business Continuity Lifecycle” provides a top level graphic depiction of the typical cycle of event response, management, recovery and resumption of operations.  I have added the emergency response and crisis management elements as they intermingle with business continuity.  I have simplified the cycle to four major transition points.  Transition point 1 is the reactive response phase, where we react to events and invoke emergency response actions.  This phase is characterized by activation, reactive response and chaos control.

Transition point 2, I have titled “Unplanned Disruption”.  This is the phase where we begin to identify and address the unplanned developments that result from the event and the reactive response to the event.  Unplanned disruption would include those elements of surprise that the planning effort did not directly address or completely overlooked.  During this phase it is possible that crisis management becomes the lead element in the business continuity process.

Transition point 3, I have titled “Planned Disruption”.  It is in this phase that the plan is actually working as it was written (well perhaps).  This phase is critical to recovery as the recovery planning, based on actual reentry assessment activities, should commence and the recovery team should be transitioned in to the organization.

Transition point 4, I have titled “Termination”.  It is in this phase that recovery activities are in full swing.  Restoration and resumption of business operations are underway.  The resumption activities may still be conducted at an alternate location (if an evacuation has occurred).  During this phase the recovery team is moving dislocated units, entities, etc. back to the normal work area.  It is critical in this phase to get it “right” so that the transition back does not create a new event/crisis.  Note that on figure 1, I have differentiated the Recovery Management aspect, as well as the “Business Recovery” and the “Systems/Information Recovery” activities.

Business Recovery involves more than the recovery of systems/information.  Activities, such as Finance, Marketing, Legal, Production, internal support and external support (“Value Chain”) have to be reset and integrated back into the organization.  Depending on the severity of the event, realignment of operations, reorganization and resetting of corporate goals/objectives may be necessary.  While too numerous to delineate in this space, one should have a plan that outlines the functions and areas within the organization.  This plan should establish timelines for recovery of these activities and reintegration into the business operation.  To ensure smooth transition from event termination to recovery and resumption of “normal business” operations a touchpoint assessment should be part of the recovery process.  This assessment would identify the various touchpoints that major units have in order to incorporate them into the recovery timeline.  For example, if a production unit is coming back on line and new or altered processes are being put in place; training may be required for operators/staff.  The touchpoint with Human Resources would be the training program and certification of staff to operate in the new/altered environment.

Concluding Thoughts

While I have highlighted some aspects of the recovery process in this brief article, I think it is necessary to offer a suggestion regarding recovery plan validation activities.  Some may use the term “drills and exercises” or “simulations” or “war gaming” to describe the validation process.  Designing, developing and implementing a “Recovery Exercise” is, in my experience, a very rare occurrence.  I would recommend that planners take a moment to assess the actual recovery capabilities of their organization.  Design, develop and implement a drill or exercise; whether tabletop or full scale, to see if recovery operations can actually be undertaken and carried out as described in the plan or in the thought process of the organization.  This is an ideal situation for involving the public sector and the “Value Chain” components within your planning framework.  The focus should be on identification of flawed decisions to establish a context for correcting flaws within the risk assessment, business impact assessment process.

About Geary Sikich – Entrepreneur, consultant, author and business lecturer

Contact Information: E-mail: or Telephone: 1- 219-922-7718.

Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.

He holds a B.S. in Criminology from Indiana State University and a M.Ed., in Counseling & Guidance from the University of Texas at El Paso. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.