Business Continuity New Years Resolutions

So Mr. or Ms. Business Continuity Planner what’s your New Year’s Resolution for 2010?  Here are some suggestions:

1. If you haven’t started a plan – develop one!  Make sure you familiarize yourself with the industries suggested best practices.  It will make your life easier and allow you to build a viable plan that would indeed work should your organization experience a major disruption to its business operations.
2. If you have a plan – review it to ensure it is indeed viable.
   1. Review your risk – Natural, Technological and Human caused events.  Knowledge of your local risk is critical – know what could affect your business operations and plan accordingly.  Make sure you have planned for the worst case scenario.
   2. Revisit your business impact analysis.  Make sure that nothing has changed in your organization that needs to be addressed from a business continuity perspective.  You don’t want to find out at time of event that a new product or service is critical to the  organizations survival that is unaccounted for from a resumption  or recovery point of view.
   3. Revisit your recovery solution.  Make sure the resources you’ve set aside match the output from your BIA review. Avoid any gap that could delay the resumption or recovery of a critical business function or process.  Make sure you have the appropriate “pieces” in place – technology and people resources.  Don’t forget to revisit your data backup strategies to ensure they too would support the continuity effort following an event.
   4. Review your planning documentation.  Ensure yourself that the documentation reflects the current organization.  Make sure you have addressed the three key elements of business continuity planning – Crisis Management (Response), Business Continuity (Resumption & Recovery) and last but not least Disaster Recovery – the recovery of the IT infrastructure required to support the critical and essential business processes / functions.
   5. Commit yourself to a defined schedule for maintaining, testing and exercising your plan.  Pick some dates and stick to them.  Regarding IT testing – remember almost 80% if 1^st time technology tests FAIL.  Something you need to discover during a test and NOT at time of event.
   6. Schedule a 3^rd party review of your planning process and efforts.  A third set of eyes is always better.  Have that 3^rd party audit and certify the condition of your business continuity plan.  Identify the good, the bad and the ugly!  Prepare a plan to address the bad and the ugly.  Present the findings to your executives and board if necessary.

Whatever your New Year’s Resolution, may 2010 be a productive year for you all.  Here’s to hoping you never have to implement your plan, but if you do, here’s to wishing your planning efforts prove to be successful in every way.  Happy New Year to you all!

December 22, 2009 Posted by johnames | Business Continuity Planning | business continuity, disaster recovery, disaster preparedness, BCP, DR | No Comments Yet

Understanding the Business Equals Realistic Recovery Objectives!

Whether you are starting to develop your business continuity plan or have a mature business continuity plan one thing is certain – in order to facilitate a viable and cost effective business continuity capability you must have an understanding of the business as the executive level envisions it.  Without that specific knowledge, the probability of ensuring the preferred recovery from a major business disruption is questionable at best – thus impacting the business even further.

Too often I see that the recovery objectives are based on a functional area manager’s or the planner’s individual perception.  Although the manager’s or planner’s perception may be correct, it needs to be verified and blessed at the executive level.  Only then can one put together a viable and cost effective solution for ensuring the desired results – the resumption of critical business functions and the recovery of the business over time.  Only then can you align the required recovery sequence with the required resources – technology (systems, applications & data) and people (alternate workspace & their other needs).

If your organization is currently experiencing mass change – people, products & services, facilities, and business strategies, you must ensure that your business continuity strategy keeps pace in order to meet the expectations of the business, even when time and personnel resources are limited. One can not overlook the continuous need to maintain a thorough knowledge of the requirements for resuming business operations following a disruptive event.   You can ill afford the gap that can be created by a lack of attention to business continuity at time of change.  You may find yourself spending too much or not enough in terms of real dollars to protect the business when the time comes.  It is imperative that the business continuity plan, and thus the recovery time objectives match the expectations of the business and your clients.

December 4, 2009 Posted by johnames | Business Continuity Planning | Business, business continuity, diaster planning, disaster recovery | No Comments Yet

Change Management & Business Continuity

Change is an often overlooked issue when it comes to business continuity planning. Things that change on the business front need to be analyzed to determine if the change impacts the organizations business continuity plan. Once thorough change management is implemented, you can make use of the change management procedures to improve your ability to keep the business continuity plan updated by noting significant changes in the infrastructure that are vital to keeping the plan effective. A properly implemented change management program plays a vital role in reducing infrastructure instability and improving operational availability following a business disruption.

What type of change deserves oversight? It’s essential to pay attention to changes in management, staff, business strategies (products & services), business processes, and the technology environment utilized by the organization. It is also imperative to look outside the business and factor in changes that involve critical vendors and key services providers.

In order to ensure plan viability, it is a MUST that the change management processes consider the impact of change on the organizations business continuity plan. At time of event is NOT the time to find out that a change or a series of changes were not factored in to the business continuity plan and thus the organization cannot fully recover their critical business functions and processes.

November 25, 2009 Posted by johnames | Business Continuity Planning | business continuity, disaster recovery, disaster preparedness | No Comments Yet

Deferral Is Not an Option!

Where do you stand?  Are you one of those organizations that have or are considering deferring your business continuity planning efforts?  In the past, when I have had a conversation with those that fall in the above category their thought process was usually – “those concerned about our business continuity plan, the regulators or external auditors, will understand given the economy and the other issues facing business and industry these days.”  My response to them is this – “Maybe they will or maybe they won’t.”  It’s a gamble you may not want to take.

I typically follow with – “How about the other side of that coin?  Will your customers, your clients and others understand?”  If you are providing a product or service they depend on to sustain their existence the answer is probably not.  Is this a gamble you really want to take?

I agree it is important to focus on the bottom line, but it is also important to remember that should you experience a major business disruption, it’s been proven that many of those that depend on that product or service will abandon you, and THAT will definitely impact your bottom line.

During a recent workshop on business continuity and crisis communications those in attendance agreed – without a plan and the ability to communicate, those that depend on their product or service  would not “wait and see” to see how things transpired following a major event.  They could not be away from their customers / clients for an extended period of time.

Planning is essential.  You need to understand the risk your organization faces, develop an impact scenario, develop and implement a solution for recovering your technology, to include your voice environment, identify a recovery location, and most importantly document your plan.  In addition, once the plan is developed it needs to be tested and / or exercised on a regular basis.

As the local business and industry group, the Alliance for Business Continuity & Disaster Preparedness www.preparespokane.com, continues to promote – “Every business should have a plan!  Plan to stay in business!”

November 13, 2009 Posted by johnames | Business Continuity Planning | business continuity, disaster recovery, disaster preparedness | No Comments Yet

Flood Insurance? What About A Plan?

The Risk is known, Now is the Time to Plan!

Having just returned from working in the Seattle area, the business continuity buzz is all about the impact associated with the “significant chance of flooding in South King County’s Green River Valley.”  Check this out  http://www.youtube.com/watch?v=66Nc0s9XMa8 What’s interesting from a business continuity planning perspective is that all you seem to read and hear about is “flood insurance”?  But is flood insurance really the answer?  The government guarantees flood damage to $500K for structures on a replacement value basis, and $500K for contents on an actual cash value basis.  This means if your equipment has even partially been depreciated, you will not get enough money in flood insurance to pay for new equipment.  On top of this, the access to additional flood coverage via normal insurers has dried up, no underwriter wants the risk.  The issue is not about the cost of coverage; it is that there is no coverage available.  See this Seattle Times article this week. http://seattletimes.nwsource.com/html/localnews/2009961102_floodinsurance26m.html#

Companies in Kent/Auburn/Tukwila and Renton, really only have one answer –  A plan to respond to the event, resume critical operations and the resumption of one’s business over time?  I saw very little reference for the need to plan to deal with the event.  Planning is imperative, if your organization is concerned about the continuance of business following the event.

The direction being given is from the 30 thousand foot level.  It needs to be more granular if an organization is to survive the flooding event.  Simply identifying essential services, critical functions, establishing resiliency via flood insurance and ensuring one’s staff is personally prepared is NOT going to ensure the continuity of one’s business.  It’s bigger than that!

An organization that is truly concerned about their ability to deal with the event, the resumption of their critical processes, and their recovery over time needs to invest the time to “do it right” to ensure their plans viability, and thus continuity.  They need to determine – who is going to be involved, what is it they can do (not to mention what resources they are going to need), why does it need to be done, where will it be done (now that’s an interesting question), when does it have to be done and how will they make it happen.

The above level of preparation takes time.  It will be time well invested.  After the event will be too late.  I agree that one should encourage personal preparedness.  It is well know that by ensuring your staff is prepared, will ensure their availability to assist in bringing the organization back on line.  However, it’s also time to consider, and put in place solutions for addressing technology – critical systems, applications, access to data and work area recovery.

Developing a detailed business continuity plan, documenting and putting into motion policies, practices, solutions and procedures, will hopefully ensure a limited impact on your key operations.  Not planning is NOT an option, if continuity of your deliveries is an issue.  Every business should plan – Plan to stay in Business!

October 2, 2009 Posted by johnames | Business Continuity Planning | Aurburn, Flood Planning, Green River Valley Flood, Howard Hansen Dam, Kent Valley Flood, Renton, Tukwila | No Comments Yet

Do You Test Your Disaster Recovery Plan?

You Must Ensure the Recoverability of Your Critical IT Infrastructure!

If it were possible I would ask for a show of hands, but it’s not, so let’s pretend.  How many of you have a disaster recovery plan?  By a disaster recovery plan I mean a formal documented plan that would allow you to recover your critical technology assets. I mean a specific plan to recover the systems, the applications and the data?  Oh yeah, don’t forget ALL the platforms, the desktops and the telecommunications environment – voice and data.  How many of you test the DR plan?  Do you bring the entire critical Information Technology environment up to ensure it would work if need be – from the ground up?  How many of you test more than once a year or when technology changes?

If you raised your hand to all of the above, congratulations – you are definitely in the minority.  Depending on what survey you read, very few organizations that have a plan test their plan – especially the small / medium businesses.  Fewer yet, regardless of size, actually identify measurable test goals and objectives and/or track the results.

When you factor in Symantec’s 2009 disaster recovery statistics – 25% of all disaster recovery tests fail, and only 15% of those surveyed indicated they have never had a test fail.  If you have never tested – your odds of full recovery are not good, especially in a timely fashion.

When you consider an event that requires the actual restoration of businesses information technology that supports the critical business functions; not having tested the restoration process is a scary thought.  Are you the one who would have to explain to senior management that you were unable to restore the technology environment to the level the business units and clients were expecting?

Testing is the ONLY way to ensure the recoverability of your critical infrastructure!  IT-Lifeline clients that test prove that every day.  They are ensuring the recoverability of the technology it would require to support their organization and thus their customers, should they experience a business disruption that affects their technology assets.  Can you say the same?

September 16, 2009 Posted by johnames | Business Continuity Planning | business continuity, Business Continuity Planning, Data Recovery, disaster recovery, Recovery Time Objective, technology | No Comments Yet

 

Oops!  Another Lesson Learned – The Hard Way!

 If you had access to our local paper on Saturday you may have come across an article entitled “Nonprofit agency loses data to overnight theft of computers”.  It seems that four computers were stolen from this organization’s location that contained “irreplaceable data”.  The computers contained critical information that included grant information, donor lists, e-mail addresses, supporter information and promotional material.  The local paper reported that an agency spokesman indicated that they had insurance, the equipment needed to be replaced anyway, but that “it’s the data that’s irreplaceable”.  The agency spokesman went on to say from now on “we are going to make sure we back up the data.”

Although I am sorry for their loss, the above is a lesson that is often learned the hard way.  All too often someone loses their computer or computers either through theft, fire, water or simply computer hardware failure only to find out that the data that resided on the system was “irreplaceable”.   Data backup today is simple, easy and often times can be done in a hands-off type environment.  In other words – automatically, on a regularly scheduled basis, and better yet it is relatively inexpensive.  If you compare the cost of the backup, to the expense of recreating what was lost, if that’s even possible, it can truly be cost effective.

As a business continuity planner, I am still amazed that data backup doesn’t get the attention it requires, not only from small businesses, but medium and large businesses as well.  I constantly see no backup or limited backup.  In addition, some of those that do backup there data don’t give much thought to where that data is stored once it is backed up.  Some leave on it on site (Hum!), some take it home and others hand it off to someone who doesn’t have a clue about protecting or securing magnetic media.

Where do you stand on this issue?  Is your data backed-up in a timely fashion?  How often?  Where is it kept?  Do you know?   If you don’t and might be the one charged with recreating the lost data, if you can, you might just want to ask the “someone” charged with ensuring that the process is performed in a timely fashion and that the media is stored in a safe and secure location.

August 24, 2009 Posted by johnames | Business Continuity Planning | | No Comments Yet

Pacific Northwest Winter Storms Grow and Present Flooding Problems

As the winter weather worsens in the Pacific Northwest, I am continually reminded of the need for PREPAREDNESS.

A series of heavy snowfall since mid-December has left Spokane buried. We broke the 24-hour, 48-hour, 72-hour, 7-day, and 1 month records for most snowfall in a given period just to give you an idea if you reside outside of this area (Mayor Mary Verner spoke to this issue and others in a press conference on 1/7/09). We experienced roof collapses all over the city – 28 buildings so far – and then came the bad news – we would be getting 6-10 more inches of snow followed by rain. Why was that such bad news, you may ask? The added weight that the rain would add to the existing snow on structures all over the area would be a major concern for buildings and structures with flat or low-pitched roofs – we would be approaching 30lbs per square ft, dangerously high. They closed all Spokane School District #81 schools, along with numerous others 4 days already this week because of safety concerns regarding the structural soundness of the buildings. On top of those issues, flooding will start to become a real threat as the rain melts the snow buildup causing transportation, drainage, and safety issues all over the state.

That is a lot of information to take in all at once so I will get back to my main point in writing this post – you must be prepared at all times, for best to worse case scenarios! We were smack in the middle of the biggest snowfall this city has ever experienced, a state of emergency on its own, and then came the next event (more snow and rain leading to heavier snow), and the next (expected flooding all over Washington state)….

As the City of Spokane tried to raise awareness of these events through Press Releases and media, they also spoke to the theme of preparedness. They wanted people/ businesses to be aware of the possible dangers and who they could turn to/ where they could go for assistance should they need it.  

Take the time to plan … plan for the next event!  Figure out NOW what you need to do before you find yourself scrambling to figure out what your next move will be, should you experience a business disruption as the result of that event – whatever it might be; this article speaks to that point. The rest of this winter should be interesting!

January 8, 2009 Posted by johnames | Business Continuity Planning | BCP, Business, business continuity, Business Continuity Planning, disaster recovery, Emergency Management, emergency preparedness | 2 Comments

The Recent Pacific Northwest Inclement Weather and Snow Events Remind us that Response Plans are a Requirement!

The media has been filled with stories about snow and more snow, freezing temperatures, high winds, broken water pipes, collapsed roofs and fires of late.  These events have disrupted a lot of businesses in our area.   I wonder how many of those businesses affected by these events had a response plan to deal with the situation.  Do you have a response plan that is part of your overall business continuity plan?  Sadly, the majority of existing plans that I review for our clients / prospects do not have a response element in place.  The above topics serve as a reminder as to why an organization should have a response plan.

Response can be defined as, the reaction to an incident or emergency to assess the damage or impact and to ascertain the level of containment and control activity required.  Response planning should address the policies, procedures and actions following an emergency.  This needs to be done in advance and in anticipation of an emergency – yes, even a weather related incident.  It needs to define the proverbial who, what, why, where, when and how,

Examples of actions and measures that need to be predefined include:

• Response procedures to minimize harm to personnel and assets.
• Incident management processes to control and mitigate damage to facilities and equipment.
• Crisis management strategies to address operational, service, and public image impacts of an event.
• Crisis communications tactics to address who and how information will be managed and communicated.

The primary goal of the response stage of a business continuity plan is to manage the disaster from the beginning and to position your organization for the resumption of business.  Once again, defining in advance and making sure you have the right people, in the right place, and at the right time will go a long way to ensuring your recovery.

In the meantime, for those of us in our area that have predefined our “Sight Emergency Response Teams” perhaps we should consider renaming them for the time being to the “Snow Emergency Response Teams”…..

December 31, 2008 Posted by johnames | Business Continuity Planning | BCP, Business, business continuity, business contiuity planning, disaster recovery, response plan, winter storms | No Comments Yet

Forget the Downturn in the Economy, these Winter Storms are Fierce!

Forget the Economy (for now) – Got Snow and Ice?
At time of event it’s going to be all about people and resources!

If you live in the Pacific Northwest, or other parts of the country for that matter, you have been subjected to some pretty nasty weather this last week; Spokane Valley even declared a State of Emergency due to the record snowfall. Spokane discusses what officially declaring a state of emergency would mean in this clip, and Spokane’s Mayor Mary Verner addresses the city’s issues in this news clip.  If you are in business, you more than likely had to make some decisions regarding keeping things going on the work front.  Issues dealing with people, resources and your ability to deliver your products and services were no doubt at the top of the list.

Those of you that have worked with IT-Lifeline in the development of your business continuity plans probably get tired of me preaching “right people, right place, at the right time.’  The recent snow event in Spokane, Seattle and Portland proved that little sermon to hold true.

We know in plan development you have to have the right folks in place to evaluate risk and impact to your business from a major business disruption – including a snow event.  When it comes to responding to the event and resuming your business definitely requires the right people.  If you based your response and resumption planning around your organizational chart you may have experienced some difficulties over the last week.  I encourage you to dig deeper (no pun intended) into your planning efforts to ensure you will have the resources – people and things in place when the time comes.

Many of our clients experienced a shortage of “key” staff members – they couldn’t get to work due to impassable roads, impaired local transportation, or issues on the home front. At Spokane International Airport we experienced numerous cancellations and delays after the worst of our storms.  They couldn’t get the job done with those that were able to get to work.  This raised the issue of cross training or the lack there of.  I even heard of one local business that couldn’t even get the door open – the person with the key was stuck.  Others were looking for employees with 4 wheel drive vehicles, but then what do you do when the local law enforcement agencies are saying “stay off the roads”? Do we close?  Do we remain open?  Is there someplace else we can go to get things done – even if it’s only to answer the phones? What about our suppliers? How do we get the word out to our customers and clients?  The list of issues and questions goes on and on.  You probably have your own list.

The bottom line is this – you need to think about the issues pre-event, not during the event.  Snow and ice are not new to us here.  The length and strength of the storm was unprecedented, even in our neck of the woods.  It may be obvious to some, but as a business continuity planner, and speaking on behalf of the remainder of the staff at IT-Lifeline, I can tell you that advance planning makes all the difference in the world when it comes to responding to an event and resuming your business following a major business disruption – even a prolonged snow event.

God forbid — what if there had been a secondary event?  A broken water pipe?  Loss of power? A fire?  Could you have gotten the right people, to the right place, in the right amount of time to respond to the above events and resume your critical business operations?

We ensured we were open to our clients, but that is our business – we had the right people, in the right place, at the right time – did you?  Tell me about your success stories.  Share your list / solutions with others!

December 29, 2008 Posted by johnames | Business Continuity Planning | | No Comments Yet