Four Errors of Judgement with BCM

Monday, June 17th, 2013

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients, we have selected four of the most common errors of judgement, and potentially the most damaging.  The good news is that if you are concerned about your plans, these errors are all simple to correct.

Decisions about business continuity management are often clouded by a lack of appreciation for its importance and relevance, particularly when it is weighed against other decisions that have to be made or business activities that have to be carried out, and objectivity can be compromised in highly political environments.  That leads to errors such as:

  1. “Scare tactics will engage senior management in business continuity management”.
  2. “Business continuity planning and management is not important right now”.
  3. “We’re only a small business; we don’t need business continuity plans”.
  4. “Business continuity management should be justified like all other investments”.

1. “Scare tactics will engage senior management in business continuity management”

Fallacy: Senior managers are usually busy people and getting their attention can be very difficult, particularly for activities like business continuity management, which is often perceived to be unimportant right now.  Scare tactics sometimes work, but more successful approaches are available.

Fix: Educate senior managers by emphasising that business continuity management is an element of good governance which aims to increase resilience, minimise downtime and reduce the risk of organisational failure.  Keep the discussion practical by describing the impact of downtime on their objectives and the usefulness of business continuity management in preventing downtime and keeping it to a minimum.  Explain that when tendering for new business you can achieve competitive advantage by demonstrating your resilience.  Run a short, simple and realistic desk-based scenario to highlight your arguments.

2. “Business continuity planning and management is not important right now”

Fallacy: This could not be further from the truth.  You cannot predict when disaster will strike.  Something could be happening right now whilst you’re reading this.  If you’re not prepared you will have nothing but regrets (visit us at http://continuity.charteris.com/about-business-continuity-management/what-could-happen/ to read what happened to other people).

Fix: Make time for business continuity planning.

3. “We’re only a small business; we don’t need business continuity plans”

Fallacy: Small businesses tend to be the least resilient because there are more single points of failure.  Loss of one member of staff with important knowledge, failure of one key item of equipment, or loss of one key customer due to loss of one key supplier can all spell disaster.  Simple plans can mitigate these risks, reducing the chance of the loss but also ensuring that you’re properly covered, for example with the right insurance.

Fix: No business is too small to give business continuity management some consideration.

4. “Business continuity management should be justified like all other investments”

Fallacy: Business continuity should be regarded as a cost of doing business.  Like risk management, it does not in itself deliver business benefits, but there is an opportunity cost of not doing it.  The good news is that in many organisations the implementation of business continuity management results in the identification of process improvements, over-commitment to insurance cover and excessive disaster recovery assets.  In organisations where business continuity software is introduced, the introduction of business continuity management can even lead to headcount reduction.

Fix: Use the introduction of, and the process of, business continuity management as an opportunity to identify organisation weaknesses and overspend on risk mitigation, but don’t expect it to show a return on investment as you would from other investments.

For more information log on to http://continuity.charteris.com

Nine Errors of Understanding with BCM

Saturday, June 8th, 2013

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients, we have selected nine of the most common errors of understanding, and potentially the most damaging.  The good news is that if you are concerned about your plans, these errors are all simple to correct.

Comprehension of business continuity management is related to a person’s knowledge of or familiarity with the subject.  Most people charged with responsibility for an organisation’s business continuity management are not trained or experienced in it, and hence errors of understanding are common, such as:

  1. “Skip the business impact analysis, let’s get on with planning!”
  2. “Why did you get that system up-and-running first when this one is more important!?”
  3. “Business continuity is someone else’s department”.
  4. “The IT department is responsible for our business continuity plans”.
  5. “Only a few people need to know what our business continuity plans are”.
  6. “In business continuity planning, you can’t overdo the detail”.
  7. “A disaster in our organisation won’t attract media attention”.
  8. “Our insurance policy gives us adequate cover”.
  9. “Business continuity management does not affect our business insurance premium”.

1. “Skip the business impact analysis, let’s get on with planning!”

Fallacy: If you don’t identify and assess critical business activities before creating your plans, you will create plans that do not give you the best chance of speedy recovery.  Business leaders are often surprised by the outcomes of the business impact analysis, learning what really makes the business tick and how long activities could be interrupted for before the business shuts down.

Fix: Give the business impact analysis your full attention!

2. “Why did you get that system up-and-running first when this one is more important!?”

Fallacy: This is a very common issue, usually resulting from non-existent or poor business impact assessment, a lack of communication between the business and IT, or political issues clouding decision making.  It is important to be selective about which IT systems to bring back online first, and it should be those that are required by the most important business functions – the ones that need to be recovered the fastest in order to ensure business continuity.

Fix: Get buy-in from the business into business continuity management, conduct thorough business impact analyses, assess and invest in closing the gap between the business requirements and the IT department’s capability, and keep plans up-to-date.

3. “Business continuity is someone else’s department”

Fallacy: The less obvious flaw in this logic is that if you leave business continuity planning to others, then your department priorities will not be properly understood and accounted for in the plans.  Your department might be the one department that, if not up-and-running first after an incident, brings the whole business down.

Fix: Treat business continuity as a discipline in its own right, make the process of planning and management collaborative, and put the most senior executive in charge.

4. “The IT department is responsible for our business continuity plans”

Fallacy: The priorities of the whole business need to be understood before business continuity plans are created.  You’ve got to consider the true resilience of your organisation to determine where and in what order to channel your resources following an incident.  Individual departments are unlikely to understand the full picture.

Fix: Treat business continuity as a discipline in its own right (for example, don’t make it a part of risk management), make the process of planning and management collaborative, and put the most senior executive in charge.

5. “Only a few people need to know what our business continuity plans are”

Fallacy: Almost every employee should be familiar with the elements of business continuity plans that affect them.  This should include not only emergency procedures but also, for example, social media policies that govern communication during an incident.  It is often useful to let clients, partners and suppliers have access to your continuity plans.  And there are even situations when you should share continuity plans with your competitors.

Fix: In your business continuity communication plan, assess the stakeholders and willingly and openly share relevant information.

6. “In business continuity planning, you can’t overdo the detail”

Fallacy: It is very easy to get bogged down in detail, trying to identify every eventuality and to plan for its occurrence.  You then end up with a massive plan, a tome of a document that is impossible to use effectively.

Fix: Of course do mitigate key risks with sensible solutions (for example, if you’re in a flood plain, build flood defences), but for business continuity plans, keep things simple.  There are three main incident types that you can plan for generically: 1. Denial of access to buildings and facilities.  2. Loss of people.  3. Loss of IT and communications.  It rarely matters what has caused the issue; the key thing is for you to plan your response.

7. “A disaster in our organisation won’t attract media attention”

Fallacy: Your business may be small and uninteresting to the public, but some disasters, because of their very nature, will always attract media attention.  Significantly though, social media enables almost instant communication to millions of people, and as a result your disaster might very quickly become national news.

Fix: Include in your business continuity plans a public relations plan that covers all media (press and social).  Build an organisation culture of healthy respect for the use of social media.  Put policies in place, update employment terms and conditions, educate staff, lead by example and correct inappropriate behaviour.  Know the social media landscape.  Find out which Twitter, Facebook and other social media accounts have connections to your organisation, who updates them and what they are saying.  Keep this information up-to-date in your business continuity plans because you might need it when a disaster strikes.  Monitor the landscape and respond to trends where appropriate.  Develop a clear social media strategy to be implemented in the event of a disaster.  This strategy should be part of your business continuity plans and should include actions and persons responsible for monitoring trends, communicating messages and rapidly addressing non-compliance with policies.

8. “Our insurance policy gives us adequate cover”

Fallacy: This may indeed be true, but financial support might not be all you need from your insurer.  Rapid response (minimum red tape, quick decision making, and fast release of cash) is not always forthcoming from insurers, and this may be the difference between survival and failure for your organisation.

Fix: In your business continuity plans, address how reimbursement occurs (how and when will loss assessments be done, and how quickly will payments be made).  Wherever possible and relevant, pre-agree scenarios and decisions so that you can take action without seeking approval.

9. “Business continuity management does not affect our business insurance premium”

Fallacy: It is not unheard of, but is unlikely, that implementing business continuity management will lead to an agreement from an insurer to reduce your current premium.  What is likely is that when your insurer next assesses your business, your premium will not increase as much as it would have done.  Some insurers will even pay for or contribute to your cost of implementing business continuity management.

Fix: Discuss with your broker the impact of business continuity management on their assessment of your business’ risk.

Nine Errors of Process with BCM

Saturday, June 8th, 2013

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients, we have selected nine of the most common errors of process, and potentially the most damaging.  The good news is that if you are concerned about your plans, these errors are all simple to correct.

There is a series of essential steps in implementing business continuity management, including the development, maintenance and implementation of business continuity plans.  Errors of process are evident where no framework is used to guide the implementation of business continuity management, where experienced business continuity professionals are not called upon to share their experience, and where the organisation loses focus.  This can give rise to errors such as:

  1. “We’ve got business continuity plans… now let me see, where are they?”
  2. “Head office created some plans last year so I think we’ve got it covered”.
  3. “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?”
  4. “Great communication plan, but what happens when your communications infrastructure is lost?”
  5. “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room”.
  6. “We back up our data regularly but have never tested the backups in anger”.
  7. “We’ve got very strong IT security controls in place”.
  8. “We invested in a fantastic DR facility about 5 years ago”.
  9. “A grab bag is a waste of money”.

1. “We’ve got business continuity plans… now let me see, where are they?”

Fallacy: Plans that are created and then left to gather dust will quickly be out-of-date and forgotten.  If they’re not relevant and readily available, you might as well not bother having them.

Fix: Make business continuity a consideration in every strategic decision that you make.  Besides highlighting the importance of business continuity, this results in more robust strategic decision-making, because considering business continuity involves identifying organisation weaknesses, points of potential failure and the dependencies that affect an organisation’s ability to manage and recover from incidents.  Review the plans quarterly.

2. “Head office created some plans last year so I think we’ve got it covered”

Fallacy: Planning that does not involve the staff affected, and plans which are not tested, are usually flawed.  They are not ‘owned’ by the people who may have to implement them, and they will have key procedural weaknesses.

Fix: Engage relevant staff in the planning process and test the plans in either a desktop or a blue-light exercise.

3. “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?”

Fallacy: Unclear and un-communicated roles and responsibilities result in confusion and delays during an incident.

Fix: Identify, document and communicate the incident ‘command structure’ and the associated roles and responsibilities.

4. “Great communication plan, but what happens when your communications infrastructure is lost?”

Fallacy: Communication is often a serious challenge during an incident.  There are numerous scenarios where things go wrong.  If you lose power on an unmanned site or when no one is in, how will you be informed?  If your telephone network goes down (including mobile, as can happen in some companies and some disaster situations), how will you communicate?

Fix: Document your communication plan and think through numerous, relevant scenarios.  Depending on your circumstances there are options available for every situation, such as installing a failover system, contracting with a third party to monitor your unmanned site, or giving alternative communication tools to key staff members.

5. “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room”

Fallacy: Unfortunately Jimmy, Dave and the server room might all become unavailable at the same time, and in an instant your business is crippled.

Fix: Store passwords in at least two geographically distinct locations and make sure that details of those locations, and access to them, are known to people who don’t usually work in the same place together.

6. “We back up our data regularly but have never tested the backups in anger”

Fallacy: Unfortunately backups do fail, and so do recovery procedures.  Also, backups can be lost or inaccessible during a disaster situation.

Fix: Design a thorough backup testing procedure that covers all of your systems and run tests at regular intervals.  Also test scenarios where backups from your normal backup site are not available.

7. “We’ve got very strong IT security controls in place”

Fallacy: These days this is indeed the case in most organisations.  It is important though not to take your eye off the ball during an incident; when you are vulnerable you are likely to be attacked, and the threats may be internal and external.

Fix: Include in your business continuity plans, plans to maintain high levels of IT security during an incident.  Appoint an IT security officer to your disaster recovery team and make sure that you continue to monitor your systems for threats.

8. “We invested in a fantastic DR facility about 5 years ago”

Fallacy: Disaster recovery facilities need to be kept up-to-date just as any other normal office facility does.  Outdated assets like computers, printers, electronic screens and telephony systems might not work when you need them, either because they’re old or because they’re no longer compatible with your infrastructure.

Fix: Keep an inventory of DR facility assets, and update and test them on the same schedule as all other office equipment.

9. “A grab bag is a waste of money”

Fallacy: Incidents can happen at any time of the day or night, whether or not key business continuity people are in the office.  Even with the advent of mobile technology, hard copies may come in handy.  The important thing is that somebody will need to ‘grab’ a copy of the business continuity plan, essential contact details, directions to recovery sites and other emergency reference material and supplies so that your well thought out plans can be implemented.

Fix: Put a grab bag with all the contents mentioned above next to the main emergency exit of every building.