Continuity management has long been tied to disaster planning and crisis response as fundamental to emergency planning but the reality is: If you’re just practicing business continuity to survive you’re never going to get much out of it.
The key to effective value creation from continuity management is a strategy that builds on how the day-to-day business is designed to create value. Today’s global market puts us all in crisis. Corporate directors are in jail. Cyber terrorists can easily hide across borders around world yet still access information kept locked away. States and countries declare bankruptcy. Instability is everywhere.
Businesses are so interdependent on one another that supply chain and technology are complex grey zones of value and accountability. The bottom line is the business needs to create value to survive. Maybe value means money, maybe it’s customer satisfaction or maybe it’s serving its nonprofit goal. Regardless, the creation of that value must be the crux of your resilience plans.
One of the most common misconceptions of business continuity planning is that it starts with a disaster and in a lucky world no one would need a plan. Luck favors the prepared. A business with a healthy continuity management program doesn’t just survive crisis; it thrives daily. The reality of the business world is that every day is more complex and risk loaded. In order to work toward corporate maturity and institutionalization of the systems that create value you have to structure and live your plan.
Did you know you have a frog and a rat in your brain that help you survive? I learned that while reading Laurence Gonzales’ latest book, “Surviving Survival”. The title, though initially vague, points out an excellent conundrum: what do you do once you’ve survived a crisis? You don’t come out the other side of any crisis the same so how do you assimilate the “survivor” parts of you into your old view of yourself. You must be a whole being to move comfortably forward.
Often complex and though I have a little whiplash from descriptions of “drama in real life” to deep diving in the neurology, I give it 4 of 5 stars. Great book!
From DCS Planning’s partner CoreXchange Colocation Services:
CoreXchange deeply admires companies like DCS Planning that provide well-crafted solutions that protect businesses and organizations from painful and deeply damaging data loss.
Every company should have thoughtful, thorough business continuity and disaster recovery plans like the ones offered by DCS Planning. Every company needs to invest in risk assessment and a business impact analyses — again, just like the services offered by DCS Planning.
But every expertly crafted disaster recovery and business continuity plan needs to be built upon a cutting-edge, fault-tolerant network infrastructure that’s ready to withstand the digital age’s most nefarious elements.
Colocation provides a multitude of elements — including hardened space, highly managed environmentals, power & cooling, physical security, and connectivity to telecommunications and network service providers — to better protect and manage companies’ servers and networking equipment.
For example, CoreXchange’s data centers are supported by state-of-the-art power systems featuring redundant 1.5 MQ generators and four 500-ton chillers. This nearly eliminates the possibility of electrical downtime and gives us tight control over the internal environment. We also leave no stone unturned when it comes to security: Our center includes perimeter fencing, 24/7staffed check-in station with mantrap, and internal and external video surveillance.
Colocation with CoreXchange along with a solid plan from DCS Planning can be the bedrock on which your company’s data security, viability and peace of mind rests.
Yes, for the next year or two your bank examiner may make the mistake of crediting you for exercising your disaster plan when you documented an actual crisis but let’s take a step back and think about this before we consider it a “win”.
Experiencing a crisis or disruption does not meet the standard for exercising your plan and should not be adequate to count as testing your plan for many reasons. Including:
- Under best practice continuity management guidelines it is clear that establishing and testing an exercise program is not the same as documenting events that threaten or impact the business. These are two separate best practices.
- FFIEC examination guidelines state “The board and senior management should establish a testing program appropriate for the size, complexity, and risk profile of the organization and its business lines”. Passively experiencing crisis does not demonstrate a testing program has been established and, no matter what the extent of the crisis, will it be appropriate for the size, complexity and risk profile of the organization. In fact, it may be counter productive and make you look unprepared because you didn’t plan a test.
- Community banks are likely to have experienced 6-12 crises in a year. What makes this one particularly meaningful? Did you document the other ones? What are your standards for documentation?
- Test objectives were not set or met (no, “survival” does not count) and only one part of your response plan was tested. The “test” was not comprehensive.
- Since you weren’t planning to experience this problem, exercise controls were not in place when you had it. You can only manage what you measure.
- Hypothetically, would you consider going to the emergency room because you thought you might be having a heart attack to be an indicator for your ability to deal with stress? Technically the answer is “Yes”. However, that’s certainly no way to live and if this is your common practice then it indicates you don’t really have a good plan for your health. The same is true for your organization. Why have a heart attack to wait to check and see if your blood pressure is too high? It’s easier to use a blood pressure cuff and check your heart rate.
Let’s speak the truth: This is not the attitude of a healthy, mature business and will not, for much longer, meet requirements for safety and soundness.
Now, before you get frustrated, I realize you don’t want to do continuity management this way. You have a LOT on your plate that you’d rather be getting to (call reports anyone?) and you’re just not sure where to get started. So, DCS has set up some fantastic tools to make planning exercising EASY for you! Get excited now and bookmark this for future reference! First, go ahead and log that problem you had on our FREE Crisis Event Log. It’s got a couple of brief questions to help you get down the information you need to learn from and properly document the problem.
Next, use our FREE Strategic Road Map to get an idea about what a good, well-rounded financial institution can do on to build operational strength. NO, you don’t have to do that big fail-over test right away. We actually recommend against it. Start drilling the little things first. Can you guarantee that you can contact everyone when they’re not at work? Try your call tree out and write down what happens. That’s a great test!
Another quick tip is to see what your IT provider is doing to test regularly. We often find out the IT department regularly tests failover procedures but rarely documents it adequately for oversight or examination requirements. All you have to do is start documenting! It’s easy! You can do that!
We have also started a new product line: DIY Turnkey Continuity. We’re building very strong key kits for your continuity tool case at affordable prices. We’ve started with a data breach kit and will be releasing an exercise kit before the end of the summer. For our BOL friends, we are looking for pilot users to test these at a discounted rate! Private message me if you’re interested. Also let me know what other kits you’re interested in. Pandemic, social media and vendor management are on our list for 2013.
I hope these ideas help out. We realize you are doing everything you can to keep compliant and the business moving in a positive direction. Please let us know what else we can do to make your job easier!
Many executives ask themselves: “I know the basics about critical processes and mission-critical systems but what can I do to really make a difference in our ability to consistently exceed our customer’s expectations?”
One way is to focus on increasing your business value and to sustain that value regardless of expected or unexpected circumstances. Below are 10 planning actions that you can take to support your mission critical value proposition.
10. Don’t be satisfied with a computer backup plan. When your clients ask what’s the #1 reason they should use your company, do you say it’s your technology? Probably not. Why are you relying on technology to save you in a disaster?
9. Ask questions. What are your employees doing in their personal lives for emergency readiness? What are their concerns? How can you help them?
8. Talk about operational risk and continuity management in business strategy meetings. Talking is the first step to integrating it into the corporate culture.
7. Don’t count on vendors to pick up your slack in an emergency. If it’s not written into your contract don’t put it in your plan. Even then, always have a backup plan.
6. Know when to say there’s a problem. Chances are you’re not going to be the one to first notice something is wrong. If you are ignoring business deficiencies, others are too.
5. Know your emergency response plan. Every natural hazard has a professional group that monitors it and knows how to respond. The response plans are usually free online. Get a good plan for the basic natural disasters in your area. Keep it simple and your bases covered.
4. Don’t focus on the fear. It’s easy to look at the unlimited disaster scenarios and get overwhelmed. Instead look at what’s really important – a strong business plan.
3. Make a list of what is really important to your business. Keep it short – not more than ten points (tops!). Share it with everyone – your boss, your employees, your clients, your partners.
2. Build relationships with three key responders. This could be your local police department or a critical vendor. The point is being on a first name basis with the person who has the answers you’re going to need during your emergency.
1. Create a solid employee communications plan and test it quarterly or more often. People are your greatest asset; know how to connect with them. Set standards and make them clear.
Still unsure or need help developing a road map to make your path simple? We’re here for you. Call now for a free consultation. 888-297-PLAN
Operational risk has eclipsed credit risk as national banks’ chief safety and soundness challenge, Comptroller of Currency Thomas Curry told the Exchequer Club in Washington, D.C., last week.
Operational risk – the risk of loss due to failures of people, processes, systems and external events – is “high and increasing,” Curry said. He cited flawed risk models, lack of adequate controls over third party vendors and anti-money laundering efficiencies as some examples of operational risk.
“[A]s banks and thrifts face greater resource constraints and higher compliance costs, they may feel greater pressure to economize on systems and processes in order to enhance their income and operating economies …,” Curry said. “All institutions … must resist the temptation to under-invest in the systems and controls they need to prevent greater risk and larger losses in the future.”
He emphasized the risk of operational failure is embedded in every activity and product – from a bank’s processing, accounting and information systems to the implementation of its credit risk management procedures.
“No issues look larger today than operational risk in all its dimensions, the manner in which all risks interact, and the importance of managing those risks in an integrated fashion across the entire enterprise,” Curry said. “These themes are a supervisory priority for us at the OCC today and they should similarly command the attention of the industry.”
reprinted from the Oklahoma Bankers Association Weekly Update, May 21, 2012
Just like a simple checklist for car or home maintenance, your business needs emergency management maintenance as well. For your convenience here’s a Business Service Checklist that I developed for my use. It fits on a single page all the business maintenance tasks that need regular attention, but which are forgotten easily. I hope you find it useful! Please add your own recommendations in the comments section.
Every 3 months:
- Check first aid kit, replenish supplies as necessary.
- Check employee roster to make sure numbers are correct.
- Drill generator or back up power capabilities.
- Test your crisis communication plan.
- Exercise your plans.
- Hold mock evacuation of your facility. Invite local fire department to take part and give recommendations.
- Have fire extinguishers inspected by licensed professional.
- Have AED (automated external defibrillator) inspected and, if necessary, recharged.
- Replace batteries in supply kits, emergency exit lighting, etc.
- Review your risks. What’s changed?
- Update your response, recovery and resumption plans.
- Review insurance coverage.
- Have local fire & police departments do a walk through of your facility. Each brings a unique and new perspective to safety, vulnerabilities and security improvements. This also keeps you in touch with the people who would be responding to emergencies at your facilities. During an emergency is NOT the best time to get introduced!
- Employee safety training & awareness – choose a specific day every year to employee safety and awareness. September is National Preparedness Month and is ideal. There are various activities to take part in across the nation. Many service providers host free seminars and offer preparedness kits. Hold your own personal and professional prep seminars. Make it fun! Hold safety competitions, get employees involved. Recognize employees or departments with high safety track records. Distribute resources like home safety kit fact sheets. Highlight office safety initiatives like reporting spills, extinguisher training or expert audits.
Given that you agree with the recent post on every business having the same four core values . . . let’s continue our discussion.
Here’s a diagram for visualization: Business Value Balance. Each operational value exists in a spectrum (generally from happiest to least happy). Depending on the current score for each value on their respective spectrum, business is probably good. Referring to the chart, you can see the business as the core, four-pointed star. When the staff is happy, the customers are happy, the business is generally likable and its making a profit the business is sustainable.
There’s another star, too: a red, eight-pointed star. The eight-pointed star is the zone of risk tolerance. If you chart the scores of the four requirements for sustainability within the level of tolerance, it’s holding steady. If the level of value isn’t meeting or exceeding the least tolerable level, then its a problem. Simple enough. When one or more of the scores exceeds the level of tolerance, the business will naturally look for ways to move back toward a balance.
HERE’s THE CATCH: How the business finds its way to pull one score back to center could happen at the cost of another value. And, if no one’s managing the balancing act, it will be at the cost of another value. They’re all interrelated so they will all be effected.
If you don’t have plans to deal with keeping the four basic core values in balance, business ends up looking chaotic. It is constantly in flux, always pulling and pushing at itself. Costing the happiness of staff, the happiness of clients, likability and profit. This diminishes sustainability and resilience.
Next blog: keeping the business values at the center of your continuity program.
What do you think? Do you agree? Disagree? Case studies?
It’s astonishing in it’s simplicity. The business often gets left out of disaster recovery and the resilience picture. Disaster recovery is the continuity of your information systems but you certainly can’t recreate your business with simply a server. That server has to live somewhere, it needs people to love and care for it and it needs a purpose. Your IT manager cannot determine your purpose. It must be held in the core vision of the organization. Your plan needs the core competencies of your organization – how you create value. This is the deliverable for the Business Impact Analysis process. Don’t leave yours out!
I’d like to hear what everyone is including in their emergency response handbooks – Let’s make a list we can refer to for updates. Here’s a start. We include basic emergency response items in our handbook:
seismic activity (earthquake),
hazardous materials spill,
medical emergency (first aid)
chemical & bio warfare exposure,
suspicious packages and bomb threats,
violence (including robbery),
pandemic health threat,
cyberterrorism/ identity theft/ data breach
we also include basics around:
incident command systems
We are in OK so there are doubtless more regionally specific threats. We do a high level risk assessment over all, then a more detailed assessment and monitoring for high risks. Response procedures are in a handbook for everyone that is separate from the BCM. This way we can educate and train without concern for strategy leaking or over-education. What are you including?