Happy First Day of Spring!

Time for some spring cleaning: properly dispose of those old, out-dated Business Continuity plans. All you need is your current one!

Blizzard 2015 business continuity tips

The blizzard of 2015 is in full swing, so you can't prepare for it now, but you can start preparing for the next one when you evaluate your company's response to the blizzard:

Blizzard 2015 business continuity tips

Healthcare Info Security put together a great article to help you do just that (including some quotes from DRI's Al Berman).

The article's tips revolve around 3 areas:

• Personnel Issues
• Reviewing Backup Processes
• Maintaining Priorities

These 3 areas will be any company's focus in a weather-related disaster. 

The steps you can take to assure you're ready to respond to a blizzard can often be applied to a tornado, hurricane, flood, etc. 

In some cases, we get a little advance warning that the weather may produce a disaster, and it's imperative the business continuity professional is prepared to take advantage of every minute of that advance warning.

Disaster recovery isn't dead: 7 things to cover in your DR plan

Business Continuity never replaced DR, it absorbed it into the BC Program. Here's a great reminder of 7 things that should be in your DR plan (from CSO):

7 critical things to cover in your disaster recovery plan

What's in an IT Disaster Recovery plan template?

SunGard Availability Services has an article that might be useful if you're working on IT DR plans:

Whats in an IT DR plan template

This is a good article and very helpful. It's also a perfect example of what a "plan template" means: it shows you the headings for the plan, the questions you need to answer, and what type of data needs to be included. It's not a file you download and fill in the blanks. 

Any guide that purports to be a quick fill-in-the-blanks template is a fraud: it's either so high level that it's worth nothing, or it's a sales pitch in disguise. SunGard Availability Services' template is exactly the kind of thing you want when you're looking for a template: some key pointers, a list of the things you must include (which is incomplete because it can't address every business in every situation), and some advice on the headings you want to use and in what order.

4 ways to make a project a success despite reluctant users

Insurance Networking News has a fantastic article on one of the most common barriers to any project:

Making a project succeed despite reluctant users

Regardless what business you're in, you will have people who don't share your vision. This article is geared specifically toward software/system users who are less than supportive or completely against change, but the ideas in the article can be applied to a wide range of situations.

Creating a Culture of Preparedness

Emergency Management Magazine has a wonderful article about embedding the business continuity process into the culture of an organization:

Tips for Creating a Culture of Preparedness

So often, this is the hardest thing to achieve in your awareness program. There are some great insights in this article.

Business Continuity Awareness Week is coming up in March, incorporate some of this advice into your plan!

Emergency notifications - many things to consider (Part 1)

Emergency notifications are an area that every organization needs to master before it is needed. Solutions basically fall into 3 groups:

• Call tree or cascade system
• A 1-800 hotline number for employees to call
• An automated Emergency Notification System (ENS)

Call trees, I've observed, are typically organized in one of two ways. Using a department of 30 people as an example, the call tree would usually be organized one of the following ways:

1. The department manager calls all 30 people, noting anyone they are unable to get in touch with.
2. The department manager calls employee #1, who calls employee #2, who calls employee #3, and so on until employee #30 is contacted, who then calls the department manager to confirm all notifications were made. If employee #1 is unable to reach employee #2, they are to call employee #3, and continue calling employees until the next person is reached. The is also called a cascade system, or "call stick" since it resembles a stick more than a tree.

Call tree procedures often lack the depth needed in the event of an actual incident. Even if procedures are sufficiently detailed, both methods have benefits and pitfalls, as illustrated in the two tables below.

With either of these options, notifications will take a long time. Both methods are open to human error. 

Both methods have the problem of keeping the call trees updated and distributed, which may be feasible for an organization with 20 people, but not for an organization with hundreds or thousands. Both methods have the issue of how you are generating the call trees and storing information: is this information being pulled from he human resources / payroll data, or are departments expected to maintain their own call trees?

I've talked with many defenders of call trees, who believe if the procedures are detailed enough, they will be successful when needed.

I have to disagree. Getting employees to keep their contact information current in human resources / payroll data is difficult, getting employees to maintain current contact information in two systems in nearly impossible. Someone has to enter new employees and take out employees no longer with the company. It is almost certain that at any given time, the information in the two systems will differ. 

As business continuity professionals, we have to take into consideration the opportunity (and great potential) for human error in the middle of an incident or disaster.

The time it takes to reach employees can be critical if, for example, your company is trying to verify no one was in the building at midnight when a disaster happened.

I've never encountered, in any company, someone in the legal department who would approve of giving out employee contact information past the management level. It's simply a breach of confidentiality, and something the company has no right to do without documented consent from employees.

So why are so many companies using call trees? I think it's often a case where the business continuity professional is given direction to use call trees as a notification strategy, often  by upper management. The business continuity professional distributes the call trees, and no one objects . . . until something goes wrong. Upper management sometimes just fails to realize that confidential information is being shared not only with management but other employees, possibly even the legal department doesn't realize what is happening, and no one considers the risks and implications of this strategy.

Some of the best Human Resources personnel I've known have refused to grant Business Continuity any access to employee contact information, because of the confidentiality involved and because of the risks in granting access to systems often used for payroll. Obviously, that is a problem that impacts call trees and other methods of employee notification.

I can't recommend call trees to any organization I work with other than small businesses, and then the confidentiality issue still has to be addressed. 

Business continuity professionals need to educate upper management about the risks and short-comings of call trees, and steer them in another direction.

I'll discuss other options for notification tomorrow. Thanks for reading.

BC Management post on backup technologies

Check out this BC Management post on the results of their survey on backup technologies being used:

What are organizations using for backup technologies?


57% of the respondents said they were backing up to tape. Tape recovery can be time consuming and negatively impact the RTOs (Recovery Time Objectives). 

During exercises, organizations need to assure they aren't just testing a successful restore from tape, but that critical business functions are up and running in the time identified in the BIA. 

If restoring from tape could prevent your organization from meeting RTOs, it may be time for you to partner with IT leadership to show upper management why a technology upgrade is needed. IT leadership may welcome the help in articulating their business case for upgraded technology.

The CEO's knowledge of business continuity

Check out this great article from Continuity Central:

CEO? Here are three key business continuity questions you need to ask

So often, the CEO believes they have an understanding of business continuity that is greater than their true understanding. 

Business continuity professionals need to regularly communicate with the CEO to assure they understand the risk level the company was willing to take (as identified in the last Risk Analysis), what business functions were identified as critical to the survival of the company (and what business functions weren't deemed critical), and the resources required to either maintain critical functions without interruption, or recover critical functions in the in the Recovery Time Objective (RTO) as documented in the last Business Impact Analysis - including systems, data, sites, personnel, hardware including workstations

A CEO that understood these things 2 years ago when a Risk Analysis and Business Impact Analysis were completed may not recall everything, if they aren't involved in Business Continuity on a very regular basis (such as weekly, not yearly).

Can your CEO explain what is recoverable and in what time frame? Can they explain how many people would be working from home (if able) or waiting for facilities to secure a new site that can accommodate all employees and functions? 

Check out Continuity Central's article, and I'd love to know what you think.

And keep in mind that Business Continuity Awareness week is coming up in March and could be a great time to work on awareness with your CEO and upper management.

A common theme you may notice in my blogs is that I campaign hard against the idea that disaster recovery is dead (long live business resilience). Unless your RTOs for every function are zero downtime, and you have a perfect mirroring of all systems (which doesn't mean you're immune to disaster), you have work-space recovery for 100% of employees, disaster recovery is still relevant. Even if you have all of those things, you still have to deal with Crisis Communication, Emergency Response and Emergency Management, and Disaster Recovery. 

There is no getting around it. Business Continuity and Business Resilience plans enhance the Disaster Recovery plan, not replace. You can't disaster-proof your business. If you could, well, a lot of us would be out of a job!

Check out my Toolbox page for some resources you may want to incorporate for Business Continuity Awareness week.

Ready.gov - Testing & Exercises

Ready.gov Testing and Exercises

Ready.gov has put together a list of the benefits of testing. They also did a fantastic job of discussing the use of the term 'exercising' vs. 'testing':

Testing the Plan

When you hear the word “testing,” you probably think about a pass/fail evaluation. You may find that there are parts of your preparedness program that will not work in practice. Consider a recovery strategy that requires relocating to another facility and configuring equipment at that facility. Can equipment at the alternate facility be configured in time to meet the planned recovery time objective? Can alarm systems be heard and understood throughout the building to warn all employees to take protective action? Can members of emergency response or business continuity teams be alerted to respond in the middle of the night? Testing is necessary to determine whether or not the various parts of the preparedness program will work.

Exercises

When you think about exercises, physical fitness to improve strength, flexibility and overall health comes to mind. Exercising the preparedness program helps to improve the overall strength of the preparedness program and the ability of team members to perform their roles and to carry out their responsibilities. There are several different types of exercises that can help you to evaluate your program and its capability to protect your employees, facilities, business operations, and the environment

I know some people have become adverse to the word 'testing', feeling that if the test isn't 100% successful, it reflects poorly, like a failure. Personally, I use the words interchangeably. I think one key to a successful exercise program is setting the expectation with management that it is designed to find the areas that need improvement, and there will always be areas that need improvement.

In my opinion, if an organization is testing year after year and they're finding no weaknesses in the continuity plan, then they need to look at changing the testing scenario. Recovering the IT environment isn't proof of business continuity, it's one component. Some  organizations may over-focus on IT recovery/resilience, at the expense of other plan components such as:

• Command and control procedures
• Communications with employees, shareholders and the media (employees may have been told not to speak to the media if an event occurs, but have you updated that direction to include not posting to any social media or taking unauthorized pictures during a recovery?)
• Alternate facility for employees to work in, both locally and farther away in the case of a large incident
• Staffing, cross-training and the need for alternate staff
• Managing customer communications and expectations

Testing is such an important component to the business continuity program. Once it's become an integrated part of the program, it's important to continuously reevaluate the scope and scenario of your exercises.

Notification Wallet Card Template and Awareness Training

Business Continuity Contact Card (Wallet Card) Template

This PowerPoint presentation was shared on www.slideshare.net: Best Practices in Business Planning for Pandemic Influenza, by Jim Goble, CBCP, at National City Corporation. It's from 2006 but a lot of it is still relevant, including the Wallet Card template on slide 12. 

If you've never created a Wallet Card for your organization, they're very useful. Team members may have a lot of that information on their phones, but it could be outdated. By developing and distributing a Wallet Card, they can refer to it and updates contact information in their phones. This is Crisis Communication, something a team would access during the Notification Phase of an event as well as the Assessment Phase.

Make sure you date your Wallet Cards, so employees can easily tell if they're looking at the most recent version. I recommend updating the card quarterly, or more often if important information changes.

If your organization isn't used to the idea of a Wallet Card, this can be something you introduce during Business Continuity Awareness Week, March 16 - 20, 2015.

http://bcaw.groupsite.com/main/summary

BCAW also has a lot of information you may want to add to your toolbox. You can also sign up for the group so that you'll get reminders about Business Continuity Awareness Week. 

If you know that Business Continuity Awareness is an area your organization needs to work on, make this the year that you introduce Business Continuity Awareness Week!

Risk isn't the enemy, failure to plan is the enemy

Friday Funny

I've seen my share of plans like this!

Time for a plan update (and maybe a strategy update too)

The "Ransom Note" Plan

“Ransom note”, “ransom note format” or “ransom note formatting”: when a document is sent out to a team for each member to insert their content, usually in wildly different formats, and looks similar to a ransom note made up of letters cut out of different magazines.

Sample usage: “If I had a dollar for every ransom note recovery plan I had to spend all night fixing, I’d be retired.”

Copy/Paste is no substitute for careful planning!

Wednesday Wisdom: For the small business owner

I wish I could broadcast this out to every small business owner: you can't afford to wait! Having a disaster recovery and business continuity plan isn't just an option., it can be the difference in your business surviving or failing. See the post from Monday (February 3) for more on the subject.

The need for disaster recovery isn't dead

TheGuardian.com ran an article in their Small Business Money Blog about the state of disaster recovery and business continuity planning in small and medium sized businesses:

Business continuity plans: a position for recovery

A few key take-aways:

Small and medium sized business that fail to create a disaster recovery or business continuity plan are more likely to close in the first two years of operating.

"In the Aviva survey, half of SME owners questioned revealed they had no BCP in place, and a further 16% said they didn't think they needed one. Only 36% of respondents were even aware of BCPs and what they were for, while, worryingly, only a quarter (28%) of business owners said they had a BCP in place. The remaining 6% didn't know if they had a BCP or not."

I think this article demonstrates that the need for disaster recovery isn't dead. Big businesses may tout that they have mirroring or use the Cloud and have business resiliency, but there is still a lot that needs to be done ot reach small and medium sized businesses.

I think there's been a trend of some people believing that as technology improves and more business functions are automated, the role of the business continuity professional is diminishing, but that just isn't true. IT continuity isn't business continuity.