Denise Fortner, MBCP

Friday, February 27, 2015

Friday Funny: All Natural

I hate the phrase "all natural".

Unless it was made partially or entirely from supernatural substances, of course it's all natural.

Everything on the planet was made from naturally occurring substances, or something made from naturally occurring substances, or something made from something made from naturally occurring substances.

It's all "all natural"!

Monday, February 23, 2015

Monday Motivation: the quickest way to success


I get so tired of all the people who believe that in order for them to succeed, others must fail. There is no reason you can't help others succeed along the way!

Saturday, February 21, 2015

Blizzard 2015 business continuity tips


The blizzard of 2015 is in full swing, so you can't prepare for it now, but you can start preparing for the next one when you evaluate your company's response to the blizzard:

Blizzard 2015 business continuity tips

Healthcare Info Security put together a great article to help you do just that (including some quotes from DRI's Al Berman).

The article's tips revolve around 3 areas:

  • Personnel Issues
  • Reviewing Backup Processes
  • Maintaining Priorities
These 3 areas will be any company's focus in a weather-related disaster. 

The steps you can take to assure you're ready to respond to a blizzard can often be applied to a tornado, hurricane, flood, etc. 

In some cases, we get a little advance warning that the weather may produce a disaster, and it's imperative the business continuity professional is prepared to take advantage of every minute of that advance warning.





Friday, February 20, 2015

2nd biggest US health insurer has insurance to cover revenue lost as a result of customer info being hacked


From Insurance Networking News:

Anthem to tell customers within two weeks if they were hacked

I had never considered that a health insurer would have insurance to cover their losses if customer info is hacked, although it makes perfect sense, from a business continuity perspective. But as a consumer (of health insurance, not specifically of Anthem's), my first thought was that their insurance doesn't help me if my information is hacked.

Insurance won't cover damage to an organization's reputation, or gain back the trust of all of their customers.





Friday Funny: It's a Generational Thing


Thursday, February 19, 2015

LinkedIn names 10 most overused buzzwords

CIO magazine recently reported on a LinkedIn report that lists the 10 words that are most overused on people's profiles.

The 10 most overused LinkedIn buzzwords

I'm sure these 10 words are also overused on resumes.

The article is worth reading; it discusses each of those tired, boring words and gives tips for replacing those infamous and inadequate words.

Here are the 10 unworthy words:

  • motivated
  • passionate
  • creative (Be creative and use another word.)
  • driven
  • extensive experience (Okay, that's really two words.)
  • responsible
  • strategic (Unless you work in strategic planning, in which case it's impossible to avoid; just don't say you're a "strategic thinker". Or "thought leader". That's not on the list but should be. You might as well say "I'm admired by millions, who wish they had thoughts like mine". Did you hear that sound? It was your resume being crumpled up and thrown in the trash.)
  • track-record
  • organizational
  • expert

Now, I need to go check my LinkedIn profile and see how many of these I'm using currently. 

I really hope I didn't use "thought leader".





Tuesday, February 17, 2015

What's in an IT Disaster Recovery plan template?

SunGard Availability Services has an article that might be useful if you're working on IT DR plans:

Whats in an IT DR plan template

This is a good article and very helpful. It's also a perfect example of what a "plan template" means: it shows you the headings for the plan, the questions you need to answer, and what type of data needs to be included. It's not a file you download and fill in the blanks. 

Any guide that purports to be a quick fill-in-the-blanks template is a fraud: it's either so high level that it's worth nothing, or it's a sales pitch in disguise. SunGard Availability Services' template is exactly the kind of thing you want when you're looking for a template: some key pointers, a list of the things you must include (which is incomplete because it can't address every business in every situation), and some advice on the headings you want to use and in what order.


Monday, February 16, 2015

4 ways to make a project a success despite reluctant users


Insurance Networking News has a fantastic article on one of the most common barriers to any project:

Making a project succeed despite reluctant users

Regardless of what business you're in, you will have people who don't share your vision. This article is geared specifically toward software/system users who are less than supportive or completely against change, but the ideas in the article can be applied to a wide range of situations.






Monday Motivation: Don't Let Them Ignore You!


Sunday, February 15, 2015

CA takes action to end measles outbreak



It's great to see CA responding to the measles outbreak and trying to put an end to the senseless spread of this disease.

Measles Outbreak Sparks Bid Eliminate Vaccine Exemption

Personally, I don't like the government telling people how to raise their kids, so I have some mixed feelings about whether this is the answer.

However, the anti-vaccination movement based on fake science and panic puts others at risk, especially those too young to be vaccinated and pregnant women. Even if you are vaccinated, it doesn't mean you can't get the measles; it just makes it less likely that you will.

Once your personal decisions extend beyond you and your family, and put other people at risk of a disease with horrible side effects, then maybe the government has to step in.

And we do have laws about how you raise your kids: laws against leaving kids unattended, neglect in getting medical care for a child or starving them, laws against physical abuse that place limits on how a parent can 'discipline' a child, laws that state your child must be given an education.

So, as I said, I have some mixed feelings. But I think CA is right to bring this up as something that can't be ignored, and hopefully it will raise awareness and cause dialog needed to end these measles outbreaks.


Saturday, February 14, 2015

Creating a Culture of Preparedness

Emergency Management Magazine has a wonderful article about embedding the business continuity process into the culture of an organization:

Tips for Creating a Culture of Preparedness

So often, this is the hardest thing to achieve in your awareness program. There are some great insights in this article.

Business Continuity Awareness Week is coming up in March; incorporate some of this advice into your plan!

Friday, February 13, 2015

Friday Funny: Always Up-sell the Client!

Happy Friday!

If you give a customer one option and they refuse, then you've lost the sale. Give them multiple service levels to choose from (although you probably shouldn't hug them). 

Multiple service levels give you a lot more to discuss with a customer than a simple 'yes' or 'no'. It also can make the customer feel they are getting an offer customized to their particular needs, instead of a one-size-fits-all solution!

Wednesday, February 11, 2015

Emergency notifications - many things to consider (Part 1)


Emergency notifications are an area that every organization needs to master before it is needed. Solutions basically fall into 3 groups:
  • Call tree or cascade system
  • A 1-800 hotline number for employees to call
  • An automated Emergency Notification System (ENS)
Call trees, I've observed, are typically organized in one of two ways. Using a department of 30 people as an example, the call tree would usually be organized one of the following ways:
  1. The department manager calls all 30 people, noting anyone they are unable to get in touch with.
  2. The department manager calls employee #1, who calls employee #2, who calls employee #3, and so on until employee #30 is contacted, who then calls the department manager to confirm all notifications were made. If employee #1 is unable to reach employee #2, they are to call employee #3, and continue calling employees until the next person is reached. This is also called a cascade system, or "call stick" since it resembles a stick more than a tree.
Call tree procedures often lack the depth needed in the event of an actual incident. Even if procedures are sufficiently detailed, both methods have benefits and pitfalls, as illustrated in the two tables below.









With either of these options, notifications will take a long time. Both methods are open to human error. 

Both methods have the problem of keeping the call trees updated and distributed, which may be feasible for an organization with 20 people, but not for an organization with hundreds or thousands. Both methods have the issue of how you are generating the call trees and storing information: is this information being pulled from the human resources / payroll data, or are departments expected to maintain their own call trees?

I've talked with many defenders of call trees, who believe if the procedures are detailed enough, they will be successful when needed.

I have to disagree. Getting employees to keep their contact information current in human resources / payroll data is difficult; getting employees to maintain current contact information in two systems is nearly impossible. Someone has to enter new employees and take out employees no longer with the company. It is almost certain that at any given time, the information in the two systems will differ.

As business continuity professionals, we have to take into consideration the opportunity (and great potential) for human error in the middle of an incident or disaster.

The time it takes to reach employees can be critical if, for example, your company is trying to verify no one was in the building at midnight when a disaster happened.

I've never encountered, in any company, someone in the legal department who would approve of giving out employee contact information past the management level. It's simply a breach of confidentiality, and something the company has no right to do without documented consent from employees.

So why are so many companies using call trees? I think it's often a case where the business continuity professional is given direction to use call trees as a notification strategy, often by upper management. The business continuity professional distributes the call trees, and no one objects . . . until something goes wrong. Upper management sometimes just fails to realize that confidential information is being shared not only with management but with other employees; possibly even the legal department doesn't realize what is happening, and no one considers the risks and implications of this strategy.

Some of the best Human Resources personnel I've known have refused to grant Business Continuity any access to employee contact information, because of the confidentiality involved and because of the risks in granting access to systems often used for payroll. Obviously, that is a problem that impacts call trees and other methods of employee notification.

I can't recommend call trees to any organization I work with other than small businesses, and then the confidentiality issue still has to be addressed. 

Business continuity professionals need to educate upper management about the risks and short-comings of call trees, and steer them in another direction.

I'll discuss other options for notification tomorrow. Thanks for reading.


Wednesday Wisdom: Keep Moving Forward


Tuesday, February 10, 2015

BC Management post on backup technologies

Check out this BC Management post on the results of their survey on backup technologies being used:

What are organizations using for backup technologies?


57% of the respondents said they were backing up to tape. Tape recovery can be time consuming and negatively impact the RTOs (Recovery Time Objectives). 

During exercises, organizations need to assure they aren't just testing a successful restore from tape, but that critical business functions are up and running in the time identified in the BIA. 

If restoring from tape could prevent your organization from meeting RTOs, it may be time for you to partner with IT leadership to show upper management why a technology upgrade is needed. IT leadership may welcome the help in articulating their business case for upgraded technology.

Monday, February 9, 2015

The CEO's knowledge of business continuity


Check out this great article from Continuity Central:

CEO? Here are three key business continuity questions you need to ask

So often, the CEO believes they have an understanding of business continuity that is greater than their true understanding. 

Business continuity professionals need to regularly communicate with the CEO to assure they understand the risk level the company was willing to take (as identified in the last Risk Analysis), what business functions were identified as critical to the survival of the company (and what business functions weren't deemed critical), and the resources required to either maintain critical functions without interruption, or recover critical functions in the Recovery Time Objective (RTO) as documented in the last Business Impact Analysis - including systems, data, sites, personnel, hardware including workstations

A CEO that understood these things 2 years ago when a Risk Analysis and Business Impact Analysis were completed may not recall everything, if they aren't involved in Business Continuity on a very regular basis (such as weekly, not yearly).

Can your CEO explain what is recoverable and in what time frame? Can they explain how many people would be working from home (if able) or waiting for facilities to secure a new site that can accommodate all employees and functions? 

Check out Continuity Central's article, and I'd love to know what you think.

And keep in mind that Business Continuity Awareness week is coming up in March and could be a great time to work on awareness with your CEO and upper management.

A common theme you may notice in my blogs is that I campaign hard against the idea that disaster recovery is dead (long live business resilience). Unless your RTOs for every function are zero downtime, you have a perfect mirroring of all systems (which doesn't mean you're immune to disaster), and you have work-space recovery for 100% of employees, disaster recovery is still relevant. Even if you have all of those things, you still have to deal with Crisis Communication, Emergency Response and Emergency Management, and Disaster Recovery.

There is no getting around it. Business Continuity and Business Resilience plans enhance the Disaster Recovery plan, not replace it. You can't disaster-proof your business. If you could, well, a lot of us would be out of a job!

Check out my Toolbox page for some resources you may want to incorporate for Business Continuity Awareness week.

Monday Motivation: Hope


Friday, February 6, 2015

Friday Funny: Use your resources wisely!


Have a wonderful, and happy, weekend! And use your resources to be a positive influence in your work environment!

Tuesday, February 3, 2015

More Dynamic Tabletop Exercises for Emergency Response and Crisis Management

One of the challenges of tabletop exercises is making sure they don't become a predictable reading of the plan. Tabletop exercises are very cost effective, but they aren't known for being creative or exciting (in general).

One of the benefits of tabletop exercises is that they're very cost effective. And they are a great tool to use with upper management since travel can be minimized. But in order to keep upper management in your organization interested in tabletop exercises, you've got to lead dynamic tabletop exercises that stay fresh and non-repetitive.

FEMA has developed tabletop scripts for organizations to use for three scenarios: a critical power failure to multiple communities, a chemical accident, and an impending hurricane. The chemical accident and hurricane scenarios both have "video inject scripts" that you can use as the exercise progresses:

Emergency Planning Exercises (FEMA)

If you've never presented a tabletop exercise, or would like some new ideas to incorporate, check out the FEMA site and put this in your toolbox!

Monday, February 2, 2015

Monday Motivation: Barbara Corcoran


I didn't know Barbara Corcoran also did a Monday Motivation post, but if I was going to imitate someone, she'd be a great choice. Her success story is truly motivational!

Happy Groundhog Day!



Sunday, February 1, 2015

Post-Super Bowl Wisdom


What a fantastic attitude! You may get knocked down, but that just means it's time to rise again. For such a young man, he's wise beyond his years.