Continuity management has long been tied to disaster planning and crisis response as fundamental to emergency planning, but the reality is: if you’re just practicing business continuity to survive, you’re never going to get much out of it.
The key to effective value creation from continuity management is a strategy that builds on how the day-to-day business is designed to create value. Today’s global market puts us all in crisis. Corporate directors are in jail. Cyber terrorists can easily hide across borders around the world yet still access information kept locked away. States and countries declare bankruptcy. Instability is everywhere.
Businesses are so interdependent on one another that supply chain and technology are complex grey zones of value and accountability. The bottom line is the business needs to create value to survive. Maybe value means money, maybe it’s customer satisfaction or maybe it’s serving its nonprofit goal. Regardless, the creation of that value must be the crux of your resilience plans.
One of the most common misconceptions of business continuity planning is that it starts with a disaster and in a lucky world no one would need a plan. Luck favors the prepared. A business with a healthy continuity management program doesn’t just survive crisis; it thrives daily. The reality of the business world is that every day is more complex and risk loaded. In order to work toward corporate maturity and institutionalization of the systems that create value you have to structure and live your plan.
Think again! So many companies these days think it’s a good idea to let technology get behind the wheel of business or business recovery. This is not going to move you forward. Business is about people and systems. If you happen to have a computer to help with one of those systems, fine, but don’t let that computer boss you around and don’t EVER start thinking that computer cares about you or your company. It doesn’t and it never will.
Likewise, there’s a strong trend to push business decisions on to the people who care for the computer. They are fantastic people and they help you get what you need. You may even get to feeling like they are indispensable because they are always saying things like, “We are working on that now”. Or they make your iPad work after you screamed at it and threatened to throw it out the window. Your tech team may be working miracles but they still cannot run your business. Put them back in their car seat and get back to driving!
Consider a complex manufacturing and logistics organisation, based at the North Pole, traditionally very busy around the 25th December. As you might imagine, planning for this event takes all year – no sooner has Santa Claus sat down on Boxing Day than he’s called to deal with all sorts of unplanned events that require attention.
This year, it started early. Santa was putting the sleigh in the garage when he was accosted by Mrs Claus.
“What are these reports on the radio about you kissing somebody’s Mommy?” she demanded.
“W, w, what? Who?” Santa stammered.
Santa was able to explain that there must have been a case of mistaken identity. Santa’s image had taken a battering at the hands of an imposter. He was straight onto his Incident Management Team and, following a quick injunction and a public apology, his reputation was restored. He couldn’t afford for his customers to think he was in any way naughty.
February brought ice storms to the North Pole.
“Sir, it’s too cold for the employees to work,” his Elf and Safety Manager told him, “I have instructed the elves to down tools.”
Santa sighed and reached for the Yellow Pages. “Hello, heat engineers? It’s just possible you could save my elves…”
Despite the interruption, with a bit of overtime, the Elves were soon back on schedule.
Things carried on uninterrupted until spring saw flocks of birds returning from their winter habitats. Concern rose amongst Santa’s employees that the wild birds may bring the H5N1 avian flu virus with them, giving rise to concerns about an epidemic. Santa consulted the WHO website for the latest advice.
“There’s currently little risk for us, the birds are returning from countries where there have been no recorded H5N1 outbreaks, but to be sure, I’ll employ a couple of special wardens specifically to keep an eye on the well-being of the birds,” he told his elves, hoping that he wouldn’t have to employ more wardens when the wild reindeer herds returned. He’d read that the Blue Tongue virus was spreading north and already had problems with one of his sleigh crew having a red nose….
The summer holidays always presented Santa with problems; bored children with too much time on their hands were always on the lookout to cause mischief. This year Santa’s IT partners informed him one morning that his “Naughty or Nice” database had been hacked! The status of all the children had been changed and there was no way they could sort it out.
Fortunately Santa is pretty tech-savvy. He didn’t panic and instructed his IT department to delete the data and restore from the backup. As extra insurance, he asked for a full virus check to be undertaken, arranged for the firewall firmware to be updated and instructed all the elves to change their passwords.
There were no further problems to distract Santa. Come the 24th, the Elves loaded up the sleigh and the reindeer team was harnessed. Santa clambered up into the driving seat, picked up the reins with one hand and turned the sleigh’s ignition with the other. There was a short croak and then nothing. He turned the key again, with the same result. Santa realised that when he had been managing his reputation issues last year, he’d forgotten to turn the sleigh headlights off. The battery had gone flat.
Fortunately, on Mrs Claus’ insistence, the date was the 24th of November and Santa and the Elves were running an exercise. Sure, Santa hated having to squeeze into his suit before his annual diet had worked off all the previous year’s mince pies, the Elves got cranky at having to load and unload the sleigh and the reindeer team disliked being taken from their warm stables, but Mrs Claus had seen the benefits of exercising ahead of “the big off”. The battery was rigged up to the charger and, come the big day, all the good children received the right presents thanks to Santa’s business continuity arrangements….
Just a bit of fun! Special thanks to Richard Jones!
Did you know you have a frog and a rat in your brain that help you survive? I learned that while reading Laurence Gonzales’ latest book, “Surviving Survival”. The title, though initially vague, points out an excellent conundrum: what do you do once you’ve survived a crisis? You don’t come out the other side of any crisis the same, so how do you assimilate the “survivor” parts of you into your old view of yourself? You must be a whole being to move comfortably forward.
Often complex and though I have a little whiplash from descriptions of “drama in real life” to deep diving in the neurology, I give it 4 of 5 stars. Great book!
Here’s a good assessment of 9 ways to Recognize a good BCPlan. Enjoy
There are all sorts of templates and thoughts on how the various Business Continuity Management (BCM) program components should look – the “plans.” Every organization has its own self-styled plan; every consulting agency has its own look and feel and every available free online template looks different from the next. So how can you recognize a good plan from a really bad and confusing plan?
The following 10 considerations will help you determine if you’ve got a good plan or a not-so-good plan:
- Action Oriented: If people are expected to follow and execute plan activities, it must be action oriented. A document full of theory and suggestions won’t be of any help and will quickly be used to stop a desk from wobbling – or used to capture excess dust that may collect on a shelf. As a rule of thumb, I tend to look for the first action step/item/activity within the first 5 pages after…
Yes, for the next year or two your bank examiner may make the mistake of crediting you for exercising your disaster plan when you documented an actual crisis but let’s take a step back and think about this before we consider it a “win”.
Experiencing a crisis or disruption does not meet the standard for exercising your plan and should not be adequate to count as testing your plan for many reasons, including:
- Under best practice continuity management guidelines it is clear that establishing and testing an exercise program is not the same as documenting events that threaten or impact the business. These are two separate best practices.
- FFIEC examination guidelines state “The board and senior management should establish a testing program appropriate for the size, complexity, and risk profile of the organization and its business lines”. Passively experiencing crisis does not demonstrate a testing program has been established, and, no matter what the extent of the crisis, it will not be appropriate for the size, complexity and risk profile of the organization. In fact, it may be counterproductive and make you look unprepared because you didn’t plan a test.
- Community banks are likely to have experienced 6-12 crises in a year. What makes this one particularly meaningful? Did you document the other ones? What are your standards for documentation?
- Test objectives were not set or met (no, “survival” does not count) and only one part of your response plan was tested. The “test” was not comprehensive.
- Since you weren’t planning to experience this problem, exercise controls were not in place when you had it. You can only manage what you measure.
- Hypothetically, would you consider going to the emergency room because you thought you might be having a heart attack to be an indicator for your ability to deal with stress? Technically the answer is “Yes”. However, that’s certainly no way to live and if this is your common practice then it indicates you don’t really have a good plan for your health. The same is true for your organization. Why have a heart attack to wait to check and see if your blood pressure is too high? It’s easier to use a blood pressure cuff and check your heart rate.
Let’s speak the truth: This is not the attitude of a healthy, mature business and will not, for much longer, meet requirements for safety and soundness.
Now, before you get frustrated, I realize you don’t want to do continuity management this way. You have a LOT on your plate that you’d rather be getting to (call reports anyone?) and you’re just not sure where to get started. So, DCS has set up some fantastic tools to make planning exercising EASY for you! Get excited now and bookmark this for future reference! First, go ahead and log that problem you had on our FREE Crisis Event Log. It’s got a couple of brief questions to help you get down the information you need to learn from and properly document the problem.
Next, use our FREE Strategic Road Map to get an idea about what a good, well-rounded financial institution can do to build operational strength. NO, you don’t have to do that big fail-over test right away. We actually recommend against it. Start drilling the little things first. Can you guarantee that you can contact everyone when they’re not at work? Try your call tree out and write down what happens. That’s a great test!
Another quick tip is to see what your IT provider is doing to test regularly. We often find out the IT department regularly tests failover procedures but rarely documents it adequately for oversight or examination requirements. All you have to do is start documenting! It’s easy! You can do that!
We have also started a new product line: DIY Turnkey Continuity. We’re building very strong key kits for your continuity tool case at affordable prices. We’ve started with a data breach kit and will be releasing an exercise kit before the end of the summer. For our BOL friends, we are looking for pilot users to test these at a discounted rate! Private message me if you’re interested. Also let me know what other kits you’re interested in. Pandemic, social media and vendor management are on our list for 2013.
I hope these ideas help out. We realize you are doing everything you can to keep compliant and the business moving in a positive direction. Please let us know what else we can do to make your job easier!
The complex environment in which businesses operate today creates the need for sophisticated business continuity management (BCM) programs that address a wide range of threats, including natural disasters, technology issues and man-made incidents. It is also important that these programs stay in sync with the strategic goals of the organization. The 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study is a comprehensive look at the current state of BCM programs and the drivers for further program development.
The online survey, conducted by Continuity Insights between November 2011 and January 2012, explores changes to the global risk landscape, supply chain interdependencies, and the emergence and increased usage of cloud computing, mobile applications and social media.
One of the critical success factors for an organization is the ability to identify and successfully mitigate the risks associated with running its operations. These risks, which can be grouped into various categories under the heading “operational risks”, refer to any type of risk that is neither financial nor market related.
There are many sources of operational disruptions, all of which can have devastating effects if not sufficiently planned for. The process of planning can begin only when these threats and their impacts have been thoroughly assessed.
BCM has emerged as one of the key disciplines that organizations can use to manage operational risk. The discipline continues to evolve from one that is focused on responding to an event or incident to one that adapts to changing market trends and threats.
It might be an auto repair shop washed away by a flood. A dentist’s office scorched by a fire. A dry cleaner hit by a tornado. A pet store frozen by an ice storm and power outage. There are lots of sorts of businesses, and lots of kinds of disasters, but one thing remains the same: businesses disrupted by disaster permanently close their doors at an alarming rate. In fact, according to the Insurance Institute for Business and Home Safety, one in four small businesses closed by a disaster never re-opens.
So, when the unthinkable happens, will you be prepared to lead your business through the crisis? Preparedness is the key! By creating a disaster recovery and business continuity plan, your business can increase its recovery capabilities dramatically. A plan can help you make the right decisions quickly, cut downtime, and minimize financial losses. It can even help you avoid certain disasters through planning and mitigation measures.
The prospect of creating and implementing such a plan can be daunting, but business leaders in Tulsa have a unique opportunity to get a head start on the process by attending A Day Without Business, a business continuity summit hosted by Tulsa Partners’ Disaster Resistant Business Council.
A Day Without Business will take place on Thursday, March 15, 2012 from 9 a.m. to 3:30 p.m. at the Holiday Inn – City Center in downtown Tulsa. Registration is open through March 2, online at www.tulsapartners.org or by phone at 918-632-0044. The cost for the one-day event is $65, and space is limited.
The event’s opening speaker will be Tulsa Chamber of Commerce President and CEO Mike Neal. The luncheon keynote speakers will be Rob O’Brian and Tonya Sprenkle, President and Vice President of the Joplin Area Chamber of Commerce, who will share about their Chamber’s experience with the May 2011 Joplin Tornado.
The lead sponsors for A Day Without Business are Tulsa Partners’ Disaster Resistant Business Council, State Farm Insurance, TRC Disaster Solutions and Williams. Other participating organizations for the event include the Insurance Institute for Business and Home Safety, Titan Data Services and the Tulsa Health Department.
For more information about A Day Without Business, contact Tulsa Partners at 918-632-0044, firstname.lastname@example.org, or www.TulsaPartners.org.
Written by guest blogger Jessica Hill
It’s astonishing in its simplicity. The business often gets left out of disaster recovery and the resilience picture. Disaster recovery is the continuity of your information systems but you certainly can’t recreate your business with simply a server. That server has to live somewhere, it needs people to love and care for it and it needs a purpose. Your IT manager cannot determine your purpose. It must be held in the core vision of the organization. Your plan needs the core competencies of your organization – how you create value. This is the deliverable for the Business Impact Analysis process. Don’t leave yours out!