INEVOLVE SB Website

Business Continuity Planning Services.

Free Tools

Free Tools for Developing Continuity Plans and Programs.

Monday, April 14, 2014

Beware of depending on Third Party Services to assure your daily business and recovery

By Howard ‘Coach’ Pierpont

More organizations are outsourcing portions of their operations these days. Concentrating on the core competency for the organization makes sense in many cases. This allows for the streamlining of internal operations while maximizing the non-core section by utilizing best in class third parties.

The people making the decision to go with a third party need to completely define the statement of work [SOW] and assure that whoever gets the contract follows the SOW. Let me give you an example of a system that was implemented and appeared to be working. At least there was money coming in.

I went to a supplier and requested an item be drop shipped to an east coast location. The supplier had my physical address [not the delivery address] and my mailing or billing address. The supplier contacted the vendor and had the product shipped to the proper location. The vendor was responsible for monthly billing based while I was using the product. Somehow the physical address was sent to the vendor and not the billing address.

Granted, I am in a community where they are creative on their street names, but there is a method. My address is 2124 W 17th Street Road. The vendor input the following address: 2124 W 7th Street Road. There is no such address, but that didn’t seem to make a difference to the vendor who was in turn outsourcing their billing process. Each month they transmitted my information to the billing company. The billing company outsourced the physical bill creation to another party. Each month a bill was created, mailed and later returned by the Post Office as undeliverable.

One month the carrier that handles 7th Street Road went to see the carrier that handles 17th Street Road and asked if there was such an address on that street. Yes, 2 different carriers 10 blocks apart, but at least in the same sorting facility. The 17th Street Road carrier took the mail and put a big question mark on the front and delivered it.

I opened the mail and it contained 4 past due with collection notices and a current invoice. I called the customer service number to get my address fixed. The representative only wanted to set me up for electronic payment. I finally got to speak with a supervisor. She did agree to correct the mailing address and remove the dunning messages before sending me new copies of the invoices.

Soon in my physical address mailbox came the invoices without the dunning messages. Another call revealed a significant flaw in the process. It turns out the process between the billing company and the people that create the physical bill is to create the bill first, make the hardcopy and mail the hardcopy bill. Then in a following process they do the address changes.

Another call to customer service to get the address corrected indicated that their process sequence was flawed. I asked for a good invoice with no penalties for still not having paid.

This took 6 months of my working with either no bills or incorrect bills. This took time on my part to initialize the calls and, on the customer service side, to talk to me and try to resolve the issues. Ultimately this was resolved.

Customer service is a cost to any organization. The best run customer service group can reduce their own costs, adding money to the bottom line as well as potentially up selling the customer due to the positive customer service.

If an organization is going to use a third party to handle the non-core business processes, the methodology needs to be highly defined. It also needs to be tested and reviewed. Someone needs to assure that excellent service is delivered to the customer.

If the process is flawed in daily practice, it will not serve the organization well during a crisis or in recovery. Tabletop tests will not always show how things will work in a disaster situation.

A great Business Continuity Practitioner needs to ask the business how the business knows the process really works.  Use of the Socratic approach to the BIA and reviews will serve every BCP well.

About Howard Pierpont

Contact information:  Howard.Pierpont@disasters.org website: www.disasters.org

With almost 30 years of Business Continuity experience, ranging from global large-scale precision manufacturing to small, stand-alone single site operations, Howard has an extensive and unique background in merging business continuity into continuous operations.
Howard is a Certified Recovery Planner from the University of Richmond, VA as well as a Certified Business Manager with the Association of Professional in business Management, Chicago, IL. He maintains a CBCP from DRII and holds an MBCI designation from BCI.

He is a Charter Member of ICOR and is currently an instructor and training partner with ICOR. Currently, as a DHS/FEMA Reservist Community Recovery Specialist, he works with businesses, nonprofits and municipal governments in communities having received federal disaster declarations. Howard also serves as Board Chair for the Disaster Preparedness and Emergency Response Association.

                       ______________________________________________________

Tuesday, April 8, 2014

Recovery: Least Understood of the Continuity Lifecycle Elements

The post-crisis recovery phase is one of the least addressed in planning, training and simulations.  This is an area that, if not properly managed, can cost financially, reputationally and operationally.  Communications, internal and external are, at best, misjudged.  Guidelines for recovery are lacking and most entities lose focus when it comes to discussing recovery operations.  It may be that recovery is one of the most complicated of the lifecycle elements and that no two recoveries are going to follow the same pattern.  However, the recovery process can be segmented into manageable bits that can be undertaken using a project management approach.

Business Continuity Lifecycle – A Perspective on Recovery

Figure 1, entitled, “Business Continuity Lifecycle” provides a top level graphic depiction of the typical cycle of event response, management, recovery and resumption of operations.  I have added the emergency response and crisis management elements as they intermingle with business continuity.  I have simplified the cycle to four major transition points.  Transition point 1 is the reactive response phase, where we react to events and invoke emergency response actions.  This phase is characterized by activation, reactive response and chaos control.


Transition point 2, I have titled “Unplanned Disruption”.  This is the phase where we begin to identify and address the unplanned developments that result from the event and the reactive response to the event.  Unplanned disruption would include those elements of surprise that the planning effort did not directly address or completely overlooked.  During this phase it is possible that crisis management becomes the lead element in the business continuity process.

Transition point 3, I have titled “Planned Disruption”.  It is in this phase that the plan is actually working as it was written (well perhaps).  This phase is critical to recovery as the recovery planning, based on actual reentry assessment activities, should commence and the recovery team should be transitioned in to the organization.

Transition point 4, I have titled “Termination”.  It is in this phase that recovery activities are in full swing.  Restoration and resumption of business operations are underway.  The resumption activities may still be conducted at an alternate location (if an evacuation has occurred).  During this phase the recovery team is moving dislocated units, entities, etc. back to the normal work area.  It is critical in this phase to get it “right” so that the transition back does not create a new event/crisis.  Note that on figure 1, I have differentiated the Recovery Management aspect, as well as the “Business Recovery” and the “Systems/Information Recovery” activities.

Business Recovery involves more than the recovery of systems/information.  Activities, such as Finance, Marketing, Legal, Production, internal support and external support (“Value Chain”) have to be reset and integrated back into the organization.  Depending on the severity of the event, realignment of operations, reorganization and resetting of corporate goals/objectives may be necessary.  While too numerous to delineate in this space, one should have a plan that outlines the functions and areas within the organization.  This plan should establish timelines for recovery of these activities and reintegration into the business operation.  To ensure smooth transition from event termination to recovery and resumption of “normal business” operations a touchpoint assessment should be part of the recovery process.  This assessment would identify the various touchpoints that major units have in order to incorporate them into the recovery timeline.  For example, if a production unit is coming back on line and new or altered processes are being put in place; training may be required for operators/staff.  The touchpoint with Human Resources would be the training program and certification of staff to operate in the new/altered environment.

Concluding Thoughts

While I have highlighted some aspects of the recovery process in this brief article, I think it is necessary to offer a suggestion regarding recovery plan validation activities.  Some may use the term “drills and exercises” or “simulations” or “war gaming” to describe the validation process.  Designing, developing and implementing a “Recovery Exercise” is, in my experience, a very rare occurrence.  I would recommend that planners take a moment to assess the actual recovery capabilities of their organization.  Design, develop and implement a drill or exercise; whether tabletop or full scale, to see if recovery operations can actually be undertaken and carried out as described in the plan or in the thought process of the organization.  This is an ideal situation for involving the public sector and the “Value Chain” components within your planning framework.  The focus should be on identification of flawed decisions to establish a context for correcting flaws within the risk assessment, business impact assessment process.

About Geary Sikich – Entrepreneur, consultant, author and business lecturer

Contact Information: E-mail: G.Sikich@att.net or gsikich@logicalmanagement.com. Telephone: 1- 219-922-7718.


Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.

He holds a B.S. in Criminology from Indiana State University and a M.Ed., in Counseling & Guidance from the University of Texas at El Paso. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.


 ____________________________________________________________

Monday, March 24, 2014

Tackling the Business Impact Analysis

A new business continuity analyst will need to create and/or update the organization's Business Impact Analysis (BIA). If this is a task that is new to the organization, then the analyst will need to scope the document and set out the definitions that will be used. Ideally the entire organization will be represented in one or more BIAs. The analyst should present to the sponsoring executive the plan for accomplishing the BIAs. The analyst will need to:


a) describe the objectives of the BIA,

b) show that the focus will be on the business processes,

c) introduce the concepts and terminology such as (RTO), and

d) identify the planned sources of information and validation.

It is important to focus on processes rather than procedures. There should be relatively few processes, however each process can have many procedures. To use an example common to many organizations, the Human Resources Department may have four processes: hiring/termination, benefits, periodic reviews, and payroll. The procedures for each of these processes may change repeatedly due new software, regulations or vendor requirements. Therefore the analyst should not try to capture details of the procedures but reference their location within the department. Depending on the organization, BIAs may be reviewed and updated on a periodic basis. In addition to periodic updates, any significant changes to business process(es) should prompt a BIA review.

Given resource or budget constraints, if BIAs can not be done for the entire organization, then the analyst needs to work with the sponsoring executive to determine which departments and processes are to be considered core to the organization’s mission.

For each process the BIA will identify the needed resources. These include people (do not forget any on premise long-term consultants), facilities, equipment, and supporting information technology. The analyst will need to note any unique features of the facility that the process uses (e.g. loading dock, clean rooms, vaults). A roster of staff and roles is important to understanding the scale of the process and the relative impact should members of the staff become unable to work. Regarding the IT resources needed, be sure to include required reference databases with applications. Also query the business for any specialized communications gear or production equipment such as check printers. Remember any handheld devices which are needed to generate sales or manage logistics. While business moves relentlessly to electronic formats, an inventory of required paper-based documents and supplies needs to be inventoried.

Once the who, what, and where have been established, the next step is determining the impact to the organization if the process can not be done. Various metrics and units of measure can be used; the analyst needs to assimilate what has been learned so far and determine the outage time frames to be used in the discussion and analysis.

What are the time frames of a business or transaction cycle? Are tasks and deliverables accomplished in weeks, days, hours, minutes, or seconds? Depending on what the business timeframes are, construct an appropriate scale for determining impacts over time. Impacts can have various dimensions: financial, reputational, legal, regulatory plus any dimension that may be important to the organization. Again, need to determine the scales for each dimension you use. The disaster may also involve the loss of data. The analyst must determine with management how little data can be lost and the associated time frame(s).

The result will be a series of RTO values that need to be coupled with RPO values.

As an analyst, you will now have a wealth of data. It is up to you to turn this data into Information that can be used in the subsequent steps towards the goal of a robust business continuity program. You will need to clearly identify the processes that are necessary for the business to carry out its mission and provide management with an understanding as to the impact should a given process stops. This will provide the inputs to the risk assessment and the basis for the business continuity plans to follow.
Tom Ryan has worked as the global business continuity manager for RBS Sempra Commodities, starting their program from a scratch to cover six trading locations with two recovery sites with data centers.  He has done business impact analysis and emergency management consulting work with Datalink, Inc.  Previous to his roles in business continuity, Tom managed a software QA testing department and was an auditor for major investment banks.
______________________________________________________

Monday, March 10, 2014

BS ISO 22301 in 17 Easy Steps

I normally shy away from long blog posts, but this one is critical if you are considering getting your business continuity program certified.  BS ISO 22301 seems very hard to implement at first, but if you understand the requirements of the standard, it becomes very clear, almost too easy to implement across the organization.

There are only a handful of organization worldwide that have been certified in BS ISO 22301.  Right now is a great time to get on the certification calendar be one of those organizations who set the gold standard in Business Continuity.

Below are the 17 steps you will need to do reach program certification.

Step 1: Management support

Business Continuity will not work if the leadership of the organization or business does not support the effort.  Therefore, it’s critical that leadership understand and support the program continuously.  Your job as a practitioner is to show them why Continuity planning is necessary, not through scary stories and photos, but through showing the value the program brings to the organization.  Getting their support and commitment is the first critical step in any Business Continuity effort, but especially in the certification process.

Step 2: Identification of requirements

This is an easy one.  Identify the requirements of the Business Continuity Program.  It’s similar to identifying the business requirements for a large scale project.  If fact, it’s exactly like that.

But in all honesty, there is really only one requirement for Business Continuity.  If you own, run or manage a business, you have a requirement.  Business Continuity IS the requirement.

If you need a more detailed requirement, you can use BS ISO 22103 as the requirement and make certification a goal of the program.  This will cover everything.

Step 3: Business continuity policy & objectives

Developing clear Business Continuity Policy is critical to getting the support and resources you will need.  In fact, here is the one I use every time.

“[Organization name] will develop, implement and maintain an actionable Business Continuity Program based on the BS IOS 22301 standard with support for internal divisions and departments”.

Simple, to the point and it covers everything that Business Continuity is and needs to be.  This will need to be signed off on by the leadership of the business or organization and disseminated throughout.

Create goals and objectives that are in line with the BS ISO 22301 standard.  Make BS ISO 22301 certification a primary goal.

Step 4: Support documents for management system

This is a heavy lift.  You will need to get to writing documents that support the program.  These support documents include incident response plans, lifecycle management plans, measurement and continuous improvement plans, concept of operations, and other documents that support the overall management of the program.

Step 5: Risk assessment & treatment

Despite me wanting to leave risk management to the risk management folks, you will have to conduct and annual risk assessment to meet the IOS 20301 standard.  This is not hard to do, but getting everyone to agree on the risks and mitigations is another story.  Everyone has their own perspective on what is risk and how it should be handled.

However, it has to be done and the best way to do it is to use the ISO 27001 Risk Assessment and Treatment standard.  It can be applied to both IT systems and BCP Critical Services.

I have a very simple, but useful template you can use.  If you are interested in getting a free copy, let me know.

Step 6: Business impact analysis

The Business Impact Analysis is a very useful tool if you don’t use it the way you are supposed to.  Trying to assess impact before it has occurred is prediction and I leave predictions to fortune tellers, weather people and economists. But, again it’s part of the ISO standard, so it has to be done on an annual bases at the very least.

But I have modified it a bit to serve the Business Continuity Program better.  What I need to know through the BIA are 4 critical elements for each division or department in the organization.

By division or department:
  1. What Critical Services does it provide to the organization?
  2. What are the Essential Functions that support those Critical Services?
  3. Who are Critical Staff or what are the Critical Staff Roles (internal and/or external) that support those Essential Functions?
  4. What is required to support the Critical Staff (IT Systems, Alternate Facilities, Communications, etc.)?
Armed with this information, you can continue to the next step.

I have a very simple, but useful template you can use for this too.  If you are interested in getting a free copy, let me know.

Step 7: Business continuity strategy

This is the section where you determine the Continuity Strategy you are going to use.  The one I have had the most success with I will share with you.

1)    Have the leadership assign (done during Step1 ) from within the organization a Business Continuity Lead (BCL) and an IT Disaster Recovery Lead (IT DRL).  These two roles are the program leads.

2)    Have the leadership assign (done during Step 1) someone from each division and/or department the Department Recovery Coordinator (DRC) role to work with you doing the program development process.  The DRCs are responsible for developing plans and recovery strategies for their division or department.  The people in these roles need to have a clear and good understanding of the products and services their division or department provides.

3)    Have the IT leadership assigned IT DR Recovery Teams to support the recovery of critical IT systems

4)    The BCL and the DRCs are the Incident Response Team for divisions and department and the DRL and DR Recovery Teams are the Incident Response Team for Critical IT Systems

5)    The Organizational Leadership and the BCL and DRL make up the Crisis Management Team

6)    If you have a communications department in the organization, they become the Crisis Communications Team.  If not, then the Crisis Management Team is also the Crisis Communications Team.

The key is to: UTILIZE INTERNAL RESOURCES

The 8.4.2 section of BS ISO 22301 requires establishing an Incident Response structure and framework.  I create one for Business Continuity and one for IT Disaster Recovery.  This is the process of responding to incidents, tracking and managing them and it ties into post incident reviews.

I have templates for incident response.  If you are interested in receiving free copies, let me know.

Step 8: Business continuity plan

This is another heavy lift, however it doesn’t have to be time consuming.  Once you have the information from step six, you can begin populating plans.  Each division and/or department needs to have a unit plan, or Continuity of Operations Plan.  The combination of these plans along with the Crisis Management Plan, the Crisis Communications Plan, and all of the support documentation that is created in step 4 makes up the Business Continuity Plan.  There are several templates that you can use to make things easier.  I prefer a modified version the Continuity of Operations template developed and provided free of charge from the Federal Emergency Management Agency (FEMA).

If you are interested in getting a free copy of the modified version of the template, let me know.

Step 9: Training & awareness

Training and awareness is a key requirement for all of this to function properly.  FEMA offers free awareness training.  IS-546.A: Continuity of Operations Awareness Course: http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=is-546.a

FEMA also offers Independent study courses here: http://training.fema.gov/IS/crslist.aspx

This will get the organization part of the way.  The remaining training must be tailored to the organization.  Here is a list of training courses you will need.

  • Crisis Management Training
  • Crisis Communications Training
  • Incident Response Training

Step 10: Documentation maintenance

The best way for meet this requirement is to follow the ISO 9001:2008 standard of the section concerning document control.  There is going to be quite a bit of documentation generated by the program and the 9001:2008 standard will help control it.  I also use document management systems like Microsoft SharePoint to manage documents and version control.

Step 11: Exercising and testing

Exercising and testing is the cornerstone of Business Continuity.  A plan not tested and exercised is not a plan.  The Homeland Security Exercise and Evaluation Program (HSEEP) is, by far, the most comprehensive program out there.  And it’s free.  But first, it would be wise to take the free exercise training and development courses provided by FEMA


IS-130: Exercise Evaluation and Improvement Planning: http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=IS-130


FEMA HSEEP: Website: https://www.llis.dhs.gov/hseep

Step 12: Post-incident reviews

Post-incident reviews are necessary to review the response to an incident and identify gaps.  An After Action/Corrective Action report needs to be developed, corrective action tasks assigned and suspense dates for corrective actions defined.  You can modify the HSEEP AAR/IP template to meet this requirement.

Step 13: Communication with interested parties

This deals with communication as a whole.  Communicating the program, statuses, incident reporting and communications with external resources and 3rd party vendors.  Constantly communicate what you are doing, how you are doing it and why is has to be done.  You can do this in the form of status report, newsletters, leadership reviews, awareness training, video information and other forms of communicating during the Business Continuity Lifecycle (Plan, Do, Check, Act model).  Communicate up and down the organizational structure often and clearly.

Step 14: Measurement and evaluation

You will have to establish a Lifecycle Management program that includes performance metrics and evaluation criteria.  This is much more simpler than it seems.  Some people think you can only measure Business Continuity when the plan is activated, but that is only a very small portion of what can be measured.  Instead of going into the details of what can be measured (there are hundreds of metrics), I can provide you two free templates that cover the most important things in Business Continuity Measurement and Evaluation.  Let me know if you would like the templates.

The Lifecycle Management Plan is part of the Continuous Improvement Process.

Step 15: Internal audit

Internal auditing is necessary to ensure the program is accurate and continues to meet the requirement of the BS ISO 22301 standard.  Please note that this is an “Internal’” audit team.  This team and their review criteria are established in the Business Continuity Lifecycle Management Plan.  I have a template for this.  If you are interest in a free copy, let me know.

Step 16: Corrective actions

Corrective actions are part of the Plan, Do, Check, Act model, however it needs to be integrated into every step in the BS ISO standard.  The Lifecycle Management Plan takes on the role of evaluating and developing corrective actions across the entire program, from development to implementation, activation and incident response to review and internal audit.  I also have a template for this.  If you are interest in a free copy, leave a comment. This is also part of the Continuous Improvement Process.

Step 17: Management review

This relates back to the very first step.  Management  must have insight and continuous review ability.  Invite them to exercises and plan review sessions.  Invite them to review all of the Business Continuity documentation and strategies.  Invite them to be a part of the working groups.  And as always, schedule management review meetings regularly so they can gain better insight, ask questions and offer suggestions before the documents and strategies become active.  A monthly In Process Review is the best way to review the entire program with Management and Leadership. And as always, generate an After Action Report of the corrective actions that need to be taken and present the status of open action items results of closed action items at the next In Process Review.  This is also part of the Continuous Improvement Process.

Another idea is to have management be members of the Document Review Team for Lifecycle Management.  This way that will have detailed insight into the documents themselves.  I use this method for every review team I have ever established and it is very effective.

Note: State and federal regulated industries and governments have additional requirements that you will have to consider in addition to the 17 steps above.  The federal government alone has many additional rules and requirements related to Business Continuity in Federal Government and federal agencies, so be sure to include those in your certification process.

Additional Information

1)    Purchase a copy of BS ISO 22301 from the BSI store: http://shop.bsigroup.com/ProductDetail/?pid=000000000030207716.

2)    If at all possible, purchase copies of the ISO 27001 and the ISO 9001:2008 standards for the same store.

3)    If you intend to submit the Business Continuity Program for certification (highly recommended), be sure to visit the FEMA PS-Prep website http://www.fema.gov/voluntary-private-sector-preparedness-program-ps-preptm-small-business-preparedness for information, details and certification requirements.

I also have a BS ISO 22301 auditing template if your Business Continuity Program is already established and you want to evaluate it against the standard.  If you would like a free copy, let me know.

Template requests should be sent to Mike Minzes at info@inevolve.com

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET .
 ______________________________________________________

Monday, March 3, 2014

7 other Uses For The Tabletop Exercise

A few weeks ago I wrote a post on 4 other uses for the tabletop exercise.  You can read it here.

Several people have added their suggestions and I wanted to gather their ideas in one post.

There are certainly several other uses for the tabletop exercise.  What do you use them for?

Below is a video that offers some suggestions.


Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET.
 ______________________________________________________

Monday, February 24, 2014

Do-it-yourself Business Continuity for small businesses

DIY Projects.  There are do-it-yourself projects for just about anything under the sun.  If you get the parts and materials, there are videos or walk-throughs that can show you how to build just about anything.
So it isn’t any surprise to me that the Federal Emergency Management Agency (FEMA) has a little known DIY project designed help businesses and organizations develop and implement Business Continuity.

The Business Continuity Planning Suite is a FREE toolset provided by FEMA for developing and implementing Business Continuity in any size organization or across any agency.  It can be downloaded from the FEMA website and installed on any PC running Windows.  The toolset has free Business Continuity Training courses, Plan templates and instructions for both Business Continuity Planning and IT Disaster Recovery Planning, and even has exercise program development tools.

It has a step-by-step guide on how to develop and implement Business Continuity across a business or an organization.  The steps and processes are easy to understand and follow and if you ever get stuck, there is a free training course that covers each topic.

It does require a little time, but what important DIY project doesn't?  It’s just a matter of committing the effort to it and in very little time, you can have an actionable Business Continuity program running in your business or organization.

This is a great starting point for small businesses or organizations looking to bring in Business Continuity without it being costly.

This is just a very basic framework, but it can be built upon once it implemented.

The Planning Suite is an extractable ZIP file.  Unzip the file and run the main start page to access the suite.

The Business Continuity Planning Suite can be accessed and downloaded here:

I suggest you watch the short training videos in order first.  They can be accessed from the Planning Suite or directly by following the link below.

Emergency Plans for workplaces can be accessed here:

This suite will help get the process started with bringing Business Continuity to your business or organization.  And it doesn't cost anything.

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET .
 ______________________________________________________