Blizzard 2015 business continuity tips

The blizzard of 2015 is in full swing, so you can't prepare for it now, but you can start preparing for the next one when you evaluate your company's response to the blizzard:

Blizzard 2015 business continuity tips

Healthcare Info Security put together a great article to help you do just that (including some quotes from DRI's Al Berman).

The article's tips revolve around 3 areas:

• Personnel Issues
• Reviewing Backup Processes
• Maintaining Priorities

These 3 areas will be any company's focus in a weather-related disaster. 

The steps you can take to assure you're ready to respond to a blizzard can often be applied to a tornado, hurricane, flood, etc. 

In some cases, we get a little advance warning that the weather may produce a disaster, and it's imperative the business continuity professional is prepared to take advantage of every minute of that advance warning.

Emergency notifications - many things to consider (Part 1)

Emergency notifications are an area that every organization needs to master before it is needed. Solutions basically fall into 3 groups:

• Call tree or cascade system
• A 1-800 hotline number for employees to call
• An automated Emergency Notification System (ENS)

Call trees, I've observed, are typically organized in one of two ways. Using a department of 30 people as an example, the call tree would usually be organized one of the following ways:

1. The department manager calls all 30 people, noting anyone they are unable to get in touch with.
2. The department manager calls employee #1, who calls employee #2, who calls employee #3, and so on until employee #30 is contacted, who then calls the department manager to confirm all notifications were made. If employee #1 is unable to reach employee #2, they are to call employee #3, and continue calling employees until the next person is reached. The is also called a cascade system, or "call stick" since it resembles a stick more than a tree.

Call tree procedures often lack the depth needed in the event of an actual incident. Even if procedures are sufficiently detailed, both methods have benefits and pitfalls, as illustrated in the two tables below.

With either of these options, notifications will take a long time. Both methods are open to human error. 

Both methods have the problem of keeping the call trees updated and distributed, which may be feasible for an organization with 20 people, but not for an organization with hundreds or thousands. Both methods have the issue of how you are generating the call trees and storing information: is this information being pulled from he human resources / payroll data, or are departments expected to maintain their own call trees?

I've talked with many defenders of call trees, who believe if the procedures are detailed enough, they will be successful when needed.

I have to disagree. Getting employees to keep their contact information current in human resources / payroll data is difficult, getting employees to maintain current contact information in two systems in nearly impossible. Someone has to enter new employees and take out employees no longer with the company. It is almost certain that at any given time, the information in the two systems will differ. 

As business continuity professionals, we have to take into consideration the opportunity (and great potential) for human error in the middle of an incident or disaster.

The time it takes to reach employees can be critical if, for example, your company is trying to verify no one was in the building at midnight when a disaster happened.

I've never encountered, in any company, someone in the legal department who would approve of giving out employee contact information past the management level. It's simply a breach of confidentiality, and something the company has no right to do without documented consent from employees.

So why are so many companies using call trees? I think it's often a case where the business continuity professional is given direction to use call trees as a notification strategy, often  by upper management. The business continuity professional distributes the call trees, and no one objects . . . until something goes wrong. Upper management sometimes just fails to realize that confidential information is being shared not only with management but other employees, possibly even the legal department doesn't realize what is happening, and no one considers the risks and implications of this strategy.

Some of the best Human Resources personnel I've known have refused to grant Business Continuity any access to employee contact information, because of the confidentiality involved and because of the risks in granting access to systems often used for payroll. Obviously, that is a problem that impacts call trees and other methods of employee notification.

I can't recommend call trees to any organization I work with other than small businesses, and then the confidentiality issue still has to be addressed. 

Business continuity professionals need to educate upper management about the risks and short-comings of call trees, and steer them in another direction.

I'll discuss other options for notification tomorrow. Thanks for reading.

The CEO's knowledge of business continuity

Check out this great article from Continuity Central:

CEO? Here are three key business continuity questions you need to ask

So often, the CEO believes they have an understanding of business continuity that is greater than their true understanding. 

Business continuity professionals need to regularly communicate with the CEO to assure they understand the risk level the company was willing to take (as identified in the last Risk Analysis), what business functions were identified as critical to the survival of the company (and what business functions weren't deemed critical), and the resources required to either maintain critical functions without interruption, or recover critical functions in the in the Recovery Time Objective (RTO) as documented in the last Business Impact Analysis - including systems, data, sites, personnel, hardware including workstations

A CEO that understood these things 2 years ago when a Risk Analysis and Business Impact Analysis were completed may not recall everything, if they aren't involved in Business Continuity on a very regular basis (such as weekly, not yearly).

Can your CEO explain what is recoverable and in what time frame? Can they explain how many people would be working from home (if able) or waiting for facilities to secure a new site that can accommodate all employees and functions? 

Check out Continuity Central's article, and I'd love to know what you think.

And keep in mind that Business Continuity Awareness week is coming up in March and could be a great time to work on awareness with your CEO and upper management.

A common theme you may notice in my blogs is that I campaign hard against the idea that disaster recovery is dead (long live business resilience). Unless your RTOs for every function are zero downtime, and you have a perfect mirroring of all systems (which doesn't mean you're immune to disaster), you have work-space recovery for 100% of employees, disaster recovery is still relevant. Even if you have all of those things, you still have to deal with Crisis Communication, Emergency Response and Emergency Management, and Disaster Recovery. 

There is no getting around it. Business Continuity and Business Resilience plans enhance the Disaster Recovery plan, not replace. You can't disaster-proof your business. If you could, well, a lot of us would be out of a job!

Check out my Toolbox page for some resources you may want to incorporate for Business Continuity Awareness week.