Emergency Management Magazine has a wonderful article about embedding the business continuity process into the culture of an organization:
Tips for Creating a Culture of Preparedness
So often, this is the hardest thing to achieve in your awareness program. There are some great insights in this article.
Business Continuity Awareness Week is coming up in March, incorporate some of this advice into your plan!
Denise Fortner, MBCP
Showing posts with label Training. Show all posts
Showing posts with label Training. Show all posts
Saturday, February 14, 2015
Monday, February 9, 2015
The CEO's knowledge of business continuity
Check out this great article from Continuity Central:
CEO? Here are three key business continuity questions you need to ask
So often, the CEO believes they have an understanding of business continuity that is greater than their true understanding.
Business continuity professionals need to regularly communicate with the CEO to assure they understand the risk level the company was willing to take (as identified in the last Risk Analysis), what business functions were identified as critical to the survival of the company (and what business functions weren't deemed critical), and the resources required to either maintain critical functions without interruption, or recover critical functions in the in the Recovery Time Objective (RTO) as documented in the last Business Impact Analysis - including systems, data, sites, personnel, hardware including workstations
A CEO that understood these things 2 years ago when a Risk Analysis and Business Impact Analysis were completed may not recall everything, if they aren't involved in Business Continuity on a very regular basis (such as weekly, not yearly).
Can your CEO explain what is recoverable and in what time frame? Can they explain how many people would be working from home (if able) or waiting for facilities to secure a new site that can accommodate all employees and functions?
Check out Continuity Central's article, and I'd love to know what you think.
And keep in mind that Business Continuity Awareness week is coming up in March and could be a great time to work on awareness with your CEO and upper management.
A common theme you may notice in my blogs is that I campaign hard against the idea that disaster recovery is dead (long live business resilience). Unless your RTOs for every function are zero downtime, and you have a perfect mirroring of all systems (which doesn't mean you're immune to disaster), you have work-space recovery for 100% of employees, disaster recovery is still relevant. Even if you have all of those things, you still have to deal with Crisis Communication, Emergency Response and Emergency Management, and Disaster Recovery.
There is no getting around it. Business Continuity and Business Resilience plans enhance the Disaster Recovery plan, not replace. You can't disaster-proof your business. If you could, well, a lot of us would be out of a job!
Check out my Toolbox page for some resources you may want to incorporate for Business Continuity Awareness week.
Friday, January 30, 2015
The Old Elevator Speech
Many professionals are familiar with the concept of the elevator speech: a rehearsed, persuasive, short statement that sells you, your company or your products and services, that you can use if you unexpectedly see a contact or potential customer (or employer) and only have a very brief amount of time to talk to them - like the length of time an elevator ride might take.
MindTools.com has developed guidelines for crafting an elevator speech, if you've never created one before:
http://www.mindtools.com/pages/article/elevator-pitch.htm
The elevator speech is a fantastic tool, one you should definitely utilize. But . . . how long has it been since you revisited your elevator speech and updated it?
Is it covered in dust?
Why not take the time this week to make it a priority to revise your elevator speech?
Got your elevator speech updated?
Ready to take it to the next level?
Many business continuity professionals have worked in their current company for years. They know all of the members of upper management, and the members of upper management have at least an average understanding of your company's business continuity program.
But you may have limited face-time with members of upper management: perhaps you see them in a weekly staff meeting where you're expected to very briefly give an update. Unless you schedule time with them, which can be challenging, you don't have a lot of opportunities to:
MindTools.com has developed guidelines for crafting an elevator speech, if you've never created one before:
http://www.mindtools.com/pages/article/elevator-pitch.htm
The elevator speech is a fantastic tool, one you should definitely utilize. But . . . how long has it been since you revisited your elevator speech and updated it?
Is it covered in dust?
Why not take the time this week to make it a priority to revise your elevator speech?
Got your elevator speech updated?
Ready to take it to the next level?
Many business continuity professionals have worked in their current company for years. They know all of the members of upper management, and the members of upper management have at least an average understanding of your company's business continuity program.
But you may have limited face-time with members of upper management: perhaps you see them in a weekly staff meeting where you're expected to very briefly give an update. Unless you schedule time with them, which can be challenging, you don't have a lot of opportunities to:
- sell yourself: your skills, your initiative, your ideas;
- sell your business continuity program: not just update them on the latest development, but tout the progress that has been made in the program in the last year(s) or remind them of challenges that have been overcome; and
- sell your vision:
- what area(s) do you feel needs to be a focal point of the business continuity program this year?
- what ideas do you have about changing the status quo?
- what do you need management support to do this year?
The Alec Baldwin movie "Glengarry Glen Ross" utilizes a sales saying: ABC = Always Be Closing. It means everything should ideally be done with one goal in mind: taking you a step closer to making a sale or closing the deal.
Always Be Closing
Be prepared to use even a brief period of time (like an elevator ride) when you have the captive attention of someone in your organization crucial to your success or the success of one of you initiatives. Here's a sample elevator speech crafted to highlight a problem in the organization, what is already being done about the problem, and an idea that requires the buy-in of executive management:
Note that last sentence asking for a commitment to meet and discuss scheduling on a specific day. Without that sentence, you haven't asked for the "sale", you haven't necessarily made progress to closing the deal. You could go back to your office and hope he considers what you said . . . or you can Always Be Closing and ask for a commitment before he steps out of that elevator.
If those two paragraphs look long, consider this: with no practice (and a little bit of a slow southern drawl) I read it out loud in 47 seconds.
Experiment with developing several elevator speeches for different situations to accomplish different goals. Practice them so you are always ready.
As business continuity professionals, it's what we do: always be ready!
Never get caught not knowing what to say again.
Always Be Closing
Be prepared to use even a brief period of time (like an elevator ride) when you have the captive attention of someone in your organization crucial to your success or the success of one of you initiatives. Here's a sample elevator speech crafted to highlight a problem in the organization, what is already being done about the problem, and an idea that requires the buy-in of executive management:
"Did you know that at the last fire drill, it took 45 minutes to clear the building? I spoke with the fire chief and she said a building this size should be able to evacuate in half that time. One of the lunch-and-learns I've scheduled for Business Continuity Awareness Week in March, is for her to come in and stress exactly how quickly a fire can spread through a training video they use. I'm especially concerned that employees who require assistance aren't being evacuated fast enough.
"I'd like to increase the frequency of our fire drills until we improve the evacuation time, of course working around critical business periods. Combined with my awareness initiatives, I know we can do better on employee safety. Can I book some time with you next Monday to discuss the fire drill scheduling?"Look at the sentence in red: it ends on a positive note that shows confidence.
Note that last sentence asking for a commitment to meet and discuss scheduling on a specific day. Without that sentence, you haven't asked for the "sale", you haven't necessarily made progress to closing the deal. You could go back to your office and hope he considers what you said . . . or you can Always Be Closing and ask for a commitment before he steps out of that elevator.
If those two paragraphs look long, consider this: with no practice (and a little bit of a slow southern drawl) I read it out loud in 47 seconds.
Experiment with developing several elevator speeches for different situations to accomplish different goals. Practice them so you are always ready.
As business continuity professionals, it's what we do: always be ready!
Never get caught not knowing what to say again.
Thursday, January 29, 2015
Ready.gov - Testing & Exercises
Ready.gov Testing and Exercises
Ready.gov has put together a list of the benefits of testing. They also did a fantastic job of discussing the use of the term 'exercising' vs. 'testing':
I know some people have become adverse to the word 'testing', feeling that if the test isn't 100% successful, it reflects poorly, like a failure. Personally, I use the words interchangeably. I think one key to a successful exercise program is setting the expectation with management that it is designed to find the areas that need improvement, and there will always be areas that need improvement.
In my opinion, if an organization is testing year after year and they're finding no weaknesses in the continuity plan, then they need to look at changing the testing scenario. Recovering the IT environment isn't proof of business continuity, it's one component. Some organizations may over-focus on IT recovery/resilience, at the expense of other plan components such as:
Ready.gov has put together a list of the benefits of testing. They also did a fantastic job of discussing the use of the term 'exercising' vs. 'testing':
Testing the Plan
When you hear the word “testing,” you probably think about a pass/fail evaluation. You may find that there are parts of your preparedness program that will not work in practice. Consider a recovery strategy that requires relocating to another facility and configuring equipment at that facility. Can equipment at the alternate facility be configured in time to meet the planned recovery time objective? Can alarm systems be heard and understood throughout the building to warn all employees to take protective action? Can members of emergency response or business continuity teams be alerted to respond in the middle of the night? Testing is necessary to determine whether or not the various parts of the preparedness program will work.
Exercises
When you think about exercises, physical fitness to improve strength, flexibility and overall health comes to mind. Exercising the preparedness program helps to improve the overall strength of the preparedness program and the ability of team members to perform their roles and to carry out their responsibilities. There are several different types of exercises that can help you to evaluate your program and its capability to protect your employees, facilities, business operations, and the environment
I know some people have become adverse to the word 'testing', feeling that if the test isn't 100% successful, it reflects poorly, like a failure. Personally, I use the words interchangeably. I think one key to a successful exercise program is setting the expectation with management that it is designed to find the areas that need improvement, and there will always be areas that need improvement.
In my opinion, if an organization is testing year after year and they're finding no weaknesses in the continuity plan, then they need to look at changing the testing scenario. Recovering the IT environment isn't proof of business continuity, it's one component. Some organizations may over-focus on IT recovery/resilience, at the expense of other plan components such as:
- Command and control procedures
- Communications with employees, shareholders and the media (employees may have been told not to speak to the media if an event occurs, but have you updated that direction to include not posting to any social media or taking unauthorized pictures during a recovery?)
- Alternate facility for employees to work in, both locally and farther away in the case of a large incident
- Staffing, cross-training and the need for alternate staff
- Managing customer communications and expectations
Testing is such an important component to the business continuity program. Once it's become an integrated part of the program, it's important to continuously reevaluate the scope and scenario of your exercises.
Wednesday, January 28, 2015
DRJ's SpringWorld 2015
DRJ's SpringWorld opens in 51 days! Mark your calendar: March 22 - 25, 2015.
http://www.drj.com/events/spring-world-2015/homepage.html
Tuesday, January 27, 2015
Notification Wallet Card Template and Awareness Training
Business Continuity Contact Card (Wallet Card) Template
This PowerPoint presentation was shared on www.slideshare.net: Best Practices in Business Planning for Pandemic Influenza, by Jim Goble, CBCP, at National City Corporation. It's from 2006 but a lot of it is still relevant, including the Wallet Card template on slide 12.
If you've never created a Wallet Card for your organization, they're very useful. Team members may have a lot of that information on their phones, but it could be outdated. By developing and distributing a Wallet Card, they can refer to it and updates contact information in their phones. This is Crisis Communication, something a team would access during the Notification Phase of an event as well as the Assessment Phase.
Make sure you date your Wallet Cards, so employees can easily tell if they're looking at the most recent version. I recommend updating the card quarterly, or more often if important information changes.
If your organization isn't used to the idea of a Wallet Card, this can be something you introduce during Business Continuity Awareness Week, March 16 - 20, 2015.
http://bcaw.groupsite.com/main/summary
BCAW also has a lot of information you may want to add to your toolbox. You can also sign up for the group so that you'll get reminders about Business Continuity Awareness Week.
If you know that Business Continuity Awareness is an area your organization needs to work on, make this the year that you introduce Business Continuity Awareness Week!
This PowerPoint presentation was shared on www.slideshare.net: Best Practices in Business Planning for Pandemic Influenza, by Jim Goble, CBCP, at National City Corporation. It's from 2006 but a lot of it is still relevant, including the Wallet Card template on slide 12.
If you've never created a Wallet Card for your organization, they're very useful. Team members may have a lot of that information on their phones, but it could be outdated. By developing and distributing a Wallet Card, they can refer to it and updates contact information in their phones. This is Crisis Communication, something a team would access during the Notification Phase of an event as well as the Assessment Phase.
Make sure you date your Wallet Cards, so employees can easily tell if they're looking at the most recent version. I recommend updating the card quarterly, or more often if important information changes.
If your organization isn't used to the idea of a Wallet Card, this can be something you introduce during Business Continuity Awareness Week, March 16 - 20, 2015.
http://bcaw.groupsite.com/main/summary
BCAW also has a lot of information you may want to add to your toolbox. You can also sign up for the group so that you'll get reminders about Business Continuity Awareness Week.
If you know that Business Continuity Awareness is an area your organization needs to work on, make this the year that you introduce Business Continuity Awareness Week!
Monday, December 29, 2014
Manage Risk and Deliver Security in a Digital World
Gartner Security & Risk Management Summit
8 – 11 June 2015 | National Harbor, MD (Washington, D.C. area)http://www.gartner.com/technology/summits/na/security/
Sunday, December 28, 2014
Risky Business
The Information Risk Management group is hosting the 2015 Risky Business conference in London November 12, 2015. Risky Business 2015 will be held in London, England.
http://www.irmplc.com/event/risky-business-conference/
Subscribe to:
Posts (Atom)