Sunday, October 11, 2009

A business continuity management primer

By Helmut Mair, corporate risk advisor, Gold Coast City Council.
So you’ve just been appointed the new business continuity manager for your organisation? Congratulations! And you’ve been given an abundance of resources, all the budget you asked for and top management support to boot – that is, if you’re one of the lucky few. If you’re anything like the rest of us, then that’s just wishful thinking and life isn’t about to get a whole lot easier either. The good news is that you’re not alone out there and that you don’t have to fall into the same traps others did before you. Here are a few dos and don’ts that will get you kick-started.
Keep It Simple Stupid! (The KISS principle)
Avoid doing it all at once, in particular at the start of your journey. Business continuity management is about fostering a risk culture within your organisation, and as with all cultural shifts, it requires ongoing change management and a lot of time. So get prepared for a long campaign, hopefully with many little wins rather than one big failure.
Don’t try to achieve the perfect business continuity plan either, because by its very nature, a continuity plan will be outdated by the time it gets published, mostly due to varying circumstances, staff turnover or contact detail changes. So no matter what you do, you won’t get it 100 percent right - don’t waste your time and energy trying to.
Keeping it simple also implies steering clear of producing a convoluted 100-page document, which will only end up being used as an oversized doorstop - and not to help sustain your organisation during a business disruption. If your business continuity audience spends hours scanning the plan to find an emergency contact phone number, you’re doing something wrong. Reduce the number of pages to a bare minimum. Use an index page for easy reference. Some companies even manage to cram whole business continuity plans onto single folded A4 sheets, which staff carry around in their wallets.
Terminology is important. Don’t use phrases like ‘leveraging synergies’ or any of the ever popular but meaningless buzz words, just to show off your honours degree in marketing literature. Usually people referring to a business continuity plan are under some sort of stress (they might undergo an exercise or even struggle to deal with a real emergency) and therefore your BCP must be as easily digestible and as much to the point as possible. Think bullet points and flowcharts! A good idea is to consistently draw on terminology already in use by your organisation. People will start getting confused and frustrated even about minor issues, such as calling something an ‘event’ that they used to call an ‘incident’.
Yet another pitfall is trying to cater for each and every conceivable scenario, which is simply impractical. Instead, you might want to think about establishing generic scenario groupings. I prefer to use the three categories ‘no people’, ‘no infrastructure’ and ‘no IT’ – or any combination thereof. At the end of the day, it doesn’t really matter whether an IT outage has been caused by a computer virus or a power failure – it still means that staff won’t be able to use their PCs and the manual workarounds will be exactly the same for both cases. Another advantage of this approach is that a big component of your pandemic plan will already fall out of your continuity documentation (‘no people’ scenario!). Which brings us to our next point: resist the temptation to reinvent the wheel.
There are plenty of tools out there – use them!
Business continuity is not an academic exercise, so recycle as much information and documentation as practical. Learn from past experiences, even if they are not your own; there are case studies for all kinds of circumstances on the Internet. And if you have Y2K or SARS response plans already in place, even if they are outdated, you will be amazed at how much useful information you will be able to uncover.
Another good idea is to follow a standard or a handbook, especially if this is your first encounter with business continuity. BS 25999 and HB292/293 are recommended tools from each category, respectively. Adhering to such reference material will also help with the assurance process later down the track.
Technology can make your life a whole lot easier, in particular from a maintenance perspective. The traditional way to review a business continuity plan is for the responsible person to hand out copies of the document every so often, hoping that the people on the distribution list will take the time for perusal and flag up any sections requiring amendment. A much more efficient solution is to have the plan not owned by a single person only, but by many different contributors. If each individual section of the plan is allocated to an owner and stored electronically, then the business continuity plan can be assembled automatically from all the different bits and pieces at the click of a button.
To illustrate this, imagine employees keeping their contact details current via a form on the corporate intranet, a procurement officer maintaining a list of purchasing templates in a predetermined network location and the sales manager regularly updating a list of key customers in a CRM database. None of the above activities imposes an unreasonable additional workload on staff; in fact, they should be carried out as part of day-to-day, good business practice already. You will also avoid duplication of data as, for instance, staff contact details are stored only where they should be (in an HR database) and not in a Word BCP document. Your software will simply draw together the required information from various electronic sources and your plan becomes almost self-maintaining. Get one of your capable IT staff on board; they are often really good at this sort of thing.
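A minimal sketch of such an assembly step follows. It is an added example, not part of the original article: the section names, owners, dates and age limits are constructed, and each section is assumed to arrive already exported from its source system. Besides building the plan text with its document-control details, it flags sections whose owner has not updated them in time and contacts that lack a backup.

```python
from datetime import date

# Constructed sample: each section lives with its owner, not in a Word file.
SECTIONS = [
    {"title": "Staff contacts", "owner": "HR officer", "source": "HR database",
     "updated": date(2008, 1, 7), "max_age_days": 30,
     "contacts": [
         {"role": "Incident lead", "primary": "A. Example", "backup": "B. Example"},
         {"role": "Facilities", "primary": "C. Example", "backup": None},
     ]},
    {"title": "Purchasing templates", "owner": "Procurement officer",
     "source": "network share", "updated": date(2007, 6, 1), "max_age_days": 180,
     "body": "Manual purchase order form; emergency supplier order form."},
    {"title": "Key customers", "owner": "Sales manager", "source": "CRM database",
     "updated": date(2007, 12, 20), "max_age_days": 90,
     "body": "Customer list exported from CRM."},
]

def section_issues(section, today):
    """Return maintenance problems the section owner needs to fix."""
    issues = []
    age = (today - section["updated"]).days
    if age > section["max_age_days"]:
        issues.append(f"{section['title']}: last updated {age} days ago "
                      f"(limit {section['max_age_days']}), owner {section['owner']}")
    for c in section.get("contacts", []):
        if not c.get("backup"):
            issues.append(f"{section['title']}: no backup contact for {c['role']}")
    return issues

def assemble_plan(sections, today):
    """Build the plan text from all sections and collect every issue found."""
    lines, issues = [f"BUSINESS CONTINUITY PLAN (assembled {today.isoformat()})"], []
    for number, s in enumerate(sections, start=1):
        lines.append(f"{number}. {s['title']} | owner: {s['owner']} | "
                     f"source: {s['source']} | updated: {s['updated'].isoformat()}")
        for c in s.get("contacts", []):
            lines.append(f"   {c['role']}: {c['primary']} (backup: {c['backup'] or 'MISSING'})")
        if "body" in s:
            lines.append(f"   {s['body']}")
        issues.extend(section_issues(s, today))
    return "\n".join(lines), issues

if __name__ == "__main__":
    plan, problems = assemble_plan(SECTIONS, date(2008, 1, 15))
    print(plan)
    print("\nNeeds attention:")
    print("\n".join(f"- {p}" for p in problems))
```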
It’s a sales job after all
People love gadgets! So why not keep your business continuity plan(s) on memory sticks or Blackberries? They are easy to carry around at all times and have the capacity to retain huge quantities of data, which enables you not only to store the BCPs themselves, but all kinds of related vital records, too (e.g. building plans or templates for manual workarounds). In our organisation we are using fingerprint encrypted memory sticks to keep confidential information safe. The enhanced gadget-factor certainly helps from a sales point of view! Other tools to include in your marketing mix are standard flyers and handouts, a presence on the corporate intranet and presentations at all levels of your organisation.
Just like in any other sales job, persistence pays off - but don’t forget to get off people’s backs once in a while. Just because business continuity is your focus of attention, it will not necessarily be your stakeholders’ top priority. Consequently, you might want to make it as convenient as possible for them to participate in your activities, for instance by exercising your IT outage scenario when your IT department is doing scheduled maintenance anyway. As a result, your practice drill isn’t causing any additional interruptions. Also, most staff won’t object to practising the work-from-home pandemic strategy occasionally. Don’t get me wrong, business continuity is not a popularity contest, but in all likelihood most people will initially perceive you as little more than a nuisance preventing them from getting their ‘normal’ job done. You will need every trick in the book to keep them motivated.
Basic BCP ingredients
To answer the frequently asked question about what should actually go into a business continuity plan, a non-exhaustive list of fundamental components is provided below:
- Plan owner(s) and person(s) responsible for individual plan components;
- Activation trigger (When is your plan activated? This could be based on maximum acceptable outage times) and activation sequences (How is the plan activated? Make sure to prioritise if you have more than one BCP and to establish communication protocols);
- Contact lists (staff, suppliers, customers, emergency contacts). Also include at least one backup for each contact, as well as next-of-kin, after-hours, and mobile numbers;
- A list of minimum resources required (human resources, laptops, mobile phones, two-way radios, cars, software, vital records, gensets, etc.);
- Pre-determined alternative location arrangements (How many people will have to be displaced if the building has to be vacated? Where do we relocate to? How do we get there? For how long can we stay there?);
- Workarounds (e.g. for each generic scenario);
- Reference to your organisation’s standard operating procedures;
- Incident log forms;
- General document control (version control, distribution list, date of last update, BCP location on your network drive/intranet/document management system).
Once your continuity documentation is in place, you will want to establish an ongoing training and testing regime for validation and practicing purposes.
Practice, practice, practice
This should really be the fun part of it all, so don’t try to make people fail or cry or crawl - and if you do, don’t be surprised if they won’t turn up for your next exercise. Remember the part about the sales job?
Again, doing it all at once is not a good idea. Start with simple plan reviews and follow up with live tests for smaller, manageable areas before doing comprehensive, organisation-wide exercises. These activities aren’t about failing or passing a test; they are about building up competence and as long as you achieve that, every test will be a success.
It is sad to say, but a real incident does help. A lot. People will see business continuity in a completely different light once they’ve been exposed to the inconvenience of a major business disruption. Try to find people in your organisation who previously experienced such situations; they can be great ambassadors for your cause.
But don’t just burn down headquarters yet to have a real-life incident. Realistically, if staff are picking up the plan for the first time when the building is on fire, it is too late already. Experience shows that business continuity plans actually aren’t heavily used during incidents, unless staff have to assume completely new roles or look up phone numbers. On most occasions, your plan is simply a tool to develop a routine before a business disruption happens. An exercise is the right time to step through the documentation, identify gaps and ask questions.
To get the most out of your practice drills, take scenarios that are meaningful to your employees. Hence locust plagues and alien invasions are probably out of the question. Maybe you can even use an event your organisation encountered in the past already.
Involve your stakeholders
Most importantly, make sure your stakeholders are involved at every step of the journey, including the business impact analysis and risk assessment stages. Don’t hide in your office for 12 months writing a business continuity plan in isolation and then expect people to buy into the outcome. That simply won’t happen.
Similarly, don’t enforce something your staff won’t need, just because it’s written somewhere or some auditor requested it. If one of your departments has a three-paragraph business continuity plan and it works for them, then that’s ok. That’s all they need. To get the most out of business continuity, it should be meaningful to staff and approached with common sense. And beware the consultants, too. Many a consultant will try to sell you their standard off-the-shelf product which isn’t really tailored to your organisation (i.e. useless) and/or volumes and volumes of paperwork (since they are getting paid by the hour). On the other hand, one area where I found consultants of excellent value is in exercising our plans - they do this stuff all the time and know how to expose gaps.
Regarding a business continuity plan’s content, however, as much of it as possible should be originated and owned by the people who will be using the plans, i.e. your staff. After all, your goal should not just be to have a documented plan on the shelf, but to get people involved and prepared.
Good luck and enjoy the ride!
This article first appeared in Continuity Forum News, Edition 9, January 2008. Website: www.continuity.net.au. Contact: support@continuity.net.au
