Did you know you have a frog and a rat in your brain that help you survive? I learned that while reading Laurence Gonzales’ latest book, “Surviving Survival”. The title, though initially vague, points out an excellent conundrum: what do you do once you’ve survived a crisis? You don’t come out the other side of any crisis the same so how do you assimilate the “survivor” parts of you into your old view of yourself. You must be a whole being to move comfortably forward.
Often complex and though I have a little whiplash from descriptions of “drama in real life” to deep diving in the neurology, I give it 4 of 5 stars. Great book!
Here’s a good assessment of 9 ways to Recognize a good BCPlan. Enjoy
There are all sorts of templates and thoughts on how the various Business Continuity Management (BCM) program components should look – the “plans.” Every organization has its own self-styled plan; every consulting agency has its own look and feel and every available free online template looks different from the next. So how can you recognize a good plan from a really bad and confusing plan?
The following 10 considerations will help you determine if you’ve got a good plan or a not-so-good plan
- Action Oriented: If people are expected to follow and execute plan activities, it must be action oriented. A document full of theory and suggestions won’t be of any help and will quickly be used to stop a desk from wobbling – or used to capture excess dust that may collect on a shelf. As a rule of thumb, I tend to look for the first action step/item/activity within the first 5 pages after…
View original post 1,247 more words
Sitting in a top level Management of Information Systems conference this morning with over 60 CIOs from local corporations the panel discussion started and ran on BYOD for over 90 minutes. This is a hot topic and ambivalence, though not overt, is a clear theme. Though corporations see benefits from decreasing overhead and IT inventory to employee satisfaction the risk possibilities around data security are unrealized.
Issues that arose included:
– separation of hardware from software systems
– new data and cyber policies
– data security systems and controls like management and wiping capabilities
– distinguishing or categorizing personal vs corporate data
– policy enforcement
– user safety during equipment use
– privacy concerns for employees
– device support
It will be interesting to see how this opportunity develops and what evolutions arise to support it’s progress. What are you seeing in your organizations?
I just finished an excellent book on driving change in business: Neil Smith’s “How Excellent Companies Avoid Dumb Things”
Here’s the 12 principles that cut through the barriers:
- The CEO must personally lead and support and change process carried out across the entire organization and a majority of senior management must also support it.
- The entire organization must be engaged in the change process.
- The project must be guided by “stars” who are willing to change the status quo.
- There must be no up-front targets for the company as a whole or the individual departments within it.
- Those who will implement the idea must own the idea.
- It must be easy to put ideas into the change process but hard to remove them.
- Consideration of ideas must be based on facts and analysis, not opinion.
- Consensus must be built.
- There must be a focus on increasing revenue, not just reducing expenses.
- The change process must not disrupt normal business.
- Implementation must be nothing less than 100 percent.
- The change process must be about culture change, not just a completed project.
Smith is right, constructive change that you want to see in your business is going to begin at the top and must be measured and deliberate. Don’t mistake success for luck. It’s not going to come easy!
From DCS Planning’s partner CoreXchange Colocation Services:
CoreXchange deeply admires companies like DCS Planning that provide well-crafted solutions that protect businesses and organizations from painful and deeply damaging data loss.
Every company should have thoughtful, thorough business continuity and disaster recovery plans like the ones offered by DCS Planning. Every company needs to invest in risk assessment and a business impact analyses — again, just like the services offered by DCS Planning.
But every expertly crafted disaster recovery and business continuity plan needs to be built upon a cutting-edge, fault-tolerant network infrastructure that’s ready to withstand the digital age’s most nefarious elements.
Colocation provides a multitude of elements — including hardened space, highly managed environmentals, power & cooling, physical security, and connectivity to telecommunications and network service providers — to better protect and manage companies’ servers and networking equipment.
For example, CoreXchange’s data centers are supported by state-of-the-art power systems featuring redundant 1.5 MQ generators and four 500-ton chillers. This nearly eliminates the possibility of electrical downtime and gives us tight control over the internal environment. We also leave no stone unturned when it comes to security: Our center includes perimeter fencing, 24/7staffed check-in station with mantrap, and internal and external video surveillance.
Colocation with CoreXchange along with a solid plan from DCS Planning can be the bedrock on which your company’s data security, viability and peace of mind rests.
Yes, for the next year or two your bank examiner may make the mistake of crediting you for exercising your disaster plan when you documented an actual crisis but let’s take a step back and think about this before we consider it a “win”.
Experiencing a crisis or disruption does not meet the standard for exercising your plan and should not be adequate to count as testing your plan for many reasons. Including:
- Under best practice continuity management guidelines it is clear that establishing and testing an exercise program is not the same as documenting events that threaten or impact the business. These are two separate best practices.
- FFIEC examination guidelines state “The board and senior management should establish a testing program appropriate for the size, complexity, and risk profile of the organization and its business lines”. Passively experiencing crisis does not demonstrate a testing program has been established and, no matter what the extent of the crisis, will it be appropriate for the size, complexity and risk profile of the organization. In fact, it may be counter productive and make you look unprepared because you didn’t plan a test.
- Community banks are likely to have experienced 6-12 crises in a year. What makes this one particularly meaningful? Did you document the other ones? What are your standards for documentation?
- Test objectives were not set or met (no, “survival” does not count) and only one part of your response plan was tested. The “test” was not comprehensive.
- Since you weren’t planning to experience this problem, exercise controls were not in place when you had it. You can only manage what you measure.
- Hypothetically, would you consider going to the emergency room because you thought you might be having a heart attack to be an indicator for your ability to deal with stress? Technically the answer is “Yes”. However, that’s certainly no way to live and if this is your common practice then it indicates you don’t really have a good plan for your health. The same is true for your organization. Why have a heart attack to wait to check and see if your blood pressure is too high? It’s easier to use a blood pressure cuff and check your heart rate.
Let’s speak the truth: This is not the attitude of a healthy, mature business and will not, for much longer, meet requirements for safety and soundness.
Now, before you get frustrated, I realize you don’t want to do continuity management this way. You have a LOT on your plate that you’d rather be getting to (call reports anyone?) and you’re just not sure where to get started. So, DCS has set up some fantastic tools to make planning exercising EASY for you! Get excited now and bookmark this for future reference! First, go ahead and log that problem you had on our FREE Crisis Event Log. It’s got a couple of brief questions to help you get down the information you need to learn from and properly document the problem.
Next, use our FREE Strategic Road Map to get an idea about what a good, well-rounded financial institution can do on to build operational strength. NO, you don’t have to do that big fail-over test right away. We actually recommend against it. Start drilling the little things first. Can you guarantee that you can contact everyone when they’re not at work? Try your call tree out and write down what happens. That’s a great test!
Another quick tip is to see what your IT provider is doing to test regularly. We often find out the IT department regularly tests failover procedures but rarely documents it adequately for oversight or examination requirements. All you have to do is start documenting! It’s easy! You can do that!
We have also started a new product line: DIY Turnkey Continuity. We’re building very strong key kits for your continuity tool case at affordable prices. We’ve started with a data breach kit and will be releasing an exercise kit before the end of the summer. For our BOL friends, we are looking for pilot users to test these at a discounted rate! Private message me if you’re interested. Also let me know what other kits you’re interested in. Pandemic, social media and vendor management are on our list for 2013.
I hope these ideas help out. We realize you are doing everything you can to keep compliant and the business moving in a positive direction. Please let us know what else we can do to make your job easier!