Employee Readiness

Your BCP program and its capability to respond and recover are directly related to the readiness of employees across the organization.  It is important to note that too many times we train only those directly involved in key recovery positions and do not train the lowest levels of the organization.  To see how good a job you are doing, ask employees at the lowest level of the organization if they know what BCP is and what they are supposed to do in an emergency.  Additionally, employee readiness must be heightened not only at work but at home.

 

Training at Work

Your employees should be able to answer the following questions for their business unit:

 

• Who is in charge of the recovery plan for the department?
• What is the phone number of our BCP Employee Status Line or website address where I can get up-to-date information?
• Where is the location of the initial meeting site or alternate recovery site after an emergency is announced?
• What are your designated responsibilities as a member of one of the emergency response teams?
• Who should report to the initial meeting location or the alternate recovery site after an emergency is announced, and what are the telephone numbers at those locations?
• Who are the company employees you contact immediately?
• If one of your emergency contacts were not at his/her desk, how would you be able to contact him/her?
• Retrieve your current emergency notification recall list and indicate if the list is current.

 

Training at Home

In the event of a regional event, employees must be prepared at home or you will have a reduced workforce to support your recovery needs.

 

• FEMA provides an excellent site for you to direct employees and guide them in preparing at home for an event that may impact their families.
• The site address is www.ready.gov.

Additionally,  you should periodically issue Employee Communications with relevant BCP information, phone numbers, website addresses and reminders.  Remember, train to the lowest level of the organization and you will not go wrong.

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information on MHA, contact Michael Herrera at herrera at mha-it dot com.

Back to the Basics – BCP 101

Developing a BCP program requires a sound methodology to ensure consistency of application and level of results.  Using the Disaster Recovery Institute International (DRII) model as our baseline, we break a typical BCP program into the following areas:

 

Oversight and Governance 

• Develop a sound management oversight group to oversee the program and its plan of action. 
• Determine the budgeting process and how it will be administered on a regular basis.
• Create reporting mechanisms to show progress, successes and action items on a regular basis.
• Document and approve policies and standards for implementation of the program.

 

Functional Requirements

• Identify what is critical to your organization using a Business Impact Analysis (BIA) study.  Determine how soon after a disruption your business processes must be recovered, how much data loss is acceptable and the associated technology to support the processes.
• Using a Threat and Risk Assessment (TRA), determine relevant threats (man-made, natural, technological) to your organization and the level of mitigation you have in place today.  Document findings and recommendations for improvement.

 

Recovery Strategy

• Based on the findings of your BIA and TRA, identify the recovery strategies (e.g., internal, external, hybrid) you will need to recover your critical staff, business processes and computer technology in a timely manner.  Can we do this internally using another company location, use a third party recovery provider and/or use internal sites along with an external provider? 
• Document options, costs and present for review and approval by the Oversight group.
• Budget and implement the solutions.

 

Plan Development

• Create a corporate level crisis management team to strategically lead the organization in a disruption.
• Train recovery planners and teams in the development and use of recovery plans for business processes and computer technology.
• Document and develop recovery plans and teams for your critical business processes and computer technology identified in your BIA.
• Hold a mock disaster exercise for the crisis management team and walkthroughs of your recovery plans.

 

Plan Testing, Maintenance

• Hold recovery exercises at your alternate locations for your business processes and computer technology.
• Update the recovery plans on a regularly scheduled business.
• Update your alternate site configurations based on the changes in your business processes and technology.

 

Continuous Improvement

• Look for continued ways to improve the BCP program and measure its capability. 
• Document a roadmap for continued improvement. 

 

This is a highly simplified view of a BCP program but provides you with the basic components of what is required to be implemented in any recovery program.

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information on MHA, contact Michael Herrera at herrera at mha-it dot com.

MHA Consulting Free Webinar “The Business Impact Analysis Study – Cornerstone to Identifying What is Critical to Your Organization”

MHA Consulting presents “The Business Impact Analysis Study – Cornerstone to Identifying What is Critical to Your Organization”

The Business Impact Analysis (BIA) is the cornerstone of a quality Business Continuity Planning program and is a crucial first step to identifying the mission critical business processes and applications of your organization. Additionally, it will help you identify the appropriate recovery strategies and technologies required to recover the mission critical business processes and applications of your organization in a timeframe consistent with the needs of your organization. Without a BIA study, your BCP program will lack direction and focus when it comes to protecting what is most critical to your organization in a cost effective and timely manner. This session will cover the basics of a “best practice” BIA and the steps required to successfully implement it in your organization today. Register today for this free, insightful webinar to be held on January 28, 2010 at 11 am est.

Click on or paste the following link into your browser to register:

https://student.gototraining.com/6h65c/register/1531324575052884375

Instructor Biographies

Michael Herrera is the President and CEO of MHA Consulting, a business continuity planning and information technology consulting firm servicing today’s leading private and public sector organizations. He and his firm bring real world, executable experience that includes twenty (20) years experience in business continuity planning that encompasses the biotech, consumer, education, financial, government, healthcare, hi-tech, insurance, manufacturing, retail and public utility industries.

Patrick Potter is the VP of Business Development & Service Delivery at MHA Consulting. Most recently, Patrick was an Associate Director at Protiviti, a global business risk and internal audit consulting firm. Patrick’s responsibilities included leading the BCM practice for the Phoenix office, which spans Arizona, Nevada and New Mexico. He also led teams working with client companies in Internal Audit, Sarbanes Oxley / regulatory compliance, IT and other areas of risk consulting. He has a Bachelors degree from Northern Arizona University and a Master of Business Administration (MBA).

Preparing Our BCP Programs for 2010

As we look back at 2009, it was a trying year for all of us.  We have definitely seen the impact to BCP programs across our client base in the United States.  The economy has impacted the readiness of BCP programs across the country, degrading their ability to respond effectively and in a timely manner.  Some by-products of the economic situation that are affecting BCP programs are as follows:

• Loss of Key Staff – Not Just in BCP but Across the Organization
• Loss or Elimination of the BCP Budget
• Reduced or Eliminated Recovery Exercises
• Morale Down Across the Organization
• Recovery Initiatives Cut or Reduced
• Organization Focused on Making Money and not BCP

 

So, with this in mind, we will have to make do with what we have in place and determine how we can best mitigate our organizational exposures and provide a timely response and recovery capability.   Using the 80/20 rule as a guideline, focus on the 20% of your recovery program that makes up 80% of what is critical to the organization:

• Make sure company Fire and Life Safety plans are up to date and you can safely evacuate people from the building and account for them.
• Keep company employee status lines and websites up to date and operational.
• Focus solely on the most critical plans (e.g., required in first 3 to 5 days) in your organization and keep them up to date.
• Exercise the most critical plans and teams using short exercises to keep team members abreast of recovery plans and strategies without taking too much of their time.
• Test the Crisis Management Team using 30-Minute Mock Disaster Exercises.
• Reduce alternate site configurations to what is needed in the first week of a disaster; if you have what you need in the first week you can typically survive for at least 30 days.

 

Be prepared for 2010 to be a year of maintaining your recovery posture and not losing it!

 

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information on MHA, contact Michael Herrera at herrera at mha-it dot com.

Have You Forecasted Your Recovery Exercises for the Next 12 to 24 Months?

Do you know what you are going to be exercising over the next 12 to 24 months in your recovery program?  Have you forecasted what business units and systems/applications will be exercised and validated to ensure mission critical operations can continue uninterrupted?  Forecasting your exercises brings a rhyme and a reason to execution of each event and the allocation of resources, time and money.

To aid in forecasting, you must establish exercise standards dictating the frequency and type of exercise required based on criticality to the organization.  The more critical entities and systems/applications you have will need to be exercised more frequently and thoroughly versus the less critical entities and systems/applications. 

Once these standards are established, document exercises of the entities and systems/applications over a calendar year.  You should focus on the most critical first and note when these will be exercised based on the frequency you established in your standards. 

As you progress, you should move from standalone to integrated to business process exercises.  This will require multi-department and multiple systems/applications to work together to perform end to end processing of a key corporate service.

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations.  Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business.  For more information, please visit: http://www.mha-it.com or contact Patrick Potter at potter@mha-it.com

IT Pandemic Planning – How Will Your IT Organization Continue to Support Itself and the Business?

Does your Information Technology function have a sound Pandemic plan?    For many of our clients, IT has some of the most dramatic reliance on key individuals.  We have clients with hundreds of IT employees and those with less than 50, yet there still remains a high level of dependence on key personnel either due to layoffs, size of the department or just plain lack of bench depth.

With that in mind, the IT pandemic plan must be comprehensive and include key components:

• A list of Any Open Items that will Cause the Plan to Fail or Not Perform Optimally (e.g., Lack of Laptops, Network Bandwidth, Personnel Depth, etc.)
• Well Defined Criteria for Activation of the Plan Based on Severity of the Pandemic
• Clear Understanding of the Mission Critical Functions of IT that Must Operate at All Times
• Documented Ability to Remotely Monitor and Operate the Data Center  
• Sufficient Laptops for Critical Personnel with VPN Access
• A Data Network That Can Support  Remote Network Bandwidth
• Pre-Agreed Upon Deviations to Production Operation Changes as Severity  of the Pandemic Increases
• Key Documentation in Event Key Personnel Are Out
• Ability to Forward Phones to Home Seamlessly
• Communication Tools (Conference Bridges, Web Based Meetings, etc.)

 

In organizations with small IT populations, activation of the pandemic plan may occur before the rest of the organization as a preemptive measure to insulate itself.   Additionally, management must agree upon on deviations to normal operation of the production environment to include incident management, change control, problem management, data backups, project implementation, etc.  IT should regularly hold days for staff to work for from and validate the plan.

Lastly,  if the IT plan is not bulletproof, its ability to support the business is clearly compromised.

 

 About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information, please visit: http://www.mha-it.com or contact Patrick Potter at potter@mha-it.com

Using 30-Minute Mock Disaster Exercises to Keep Your Team Sharp

Do you want to keep your recovery team personnel sharp, thinking on their feet, and the BCP process fresh in their minds?   We all want multiple half-day exercises each year to entrench our recovery teams in the process, but who gets that much time made available to them?

We have come up with a way to keep our teams engaged using 30-minute mock disaster exercises in addition to the annual half-day exercise.  So, what is the format for such an exercise?  Here is what we do:

1. Present a short scenario outlying the event at hand and what is known (2 to 3 minutes)
2. Request the Team to address the Crisis Management aspects dealing with the immediate tactical needs of the scenario (10 minutes)
3. Request the Team to address the Crisis Leadership aspects dealing with the long-term issues associated with their decisions, business cycle, etc. (10 minutes)
4. Follow up and action items (5 to 7 minutes)

 

Regular short exercises make the team focus on the task at hand and not lose sight at what needs to be accomplished.  Use a timer to keep them focused and document what they come up with for each component of the exercise.  Update your plans as needed.

 

Good Luck!

 

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information, contact Michael Herrera at Herrera at mha-it.com.

So You Want to Be a BCP Consultant?

On my travels across the USA on client engagements, I am often asked what does it take to be a successful consultant in the field of BCP.   In mulling this over, below are what I consider key to your success as a consultant: 

• Integrity
• Superior Listening Skills
• Strong Work Ethic
• Willingness to Do the Dirty Work
• High Levels Of Performance
• Sound Knowledge Of All Areas Of BCP And The Proven Ability To Implement All Aspects Of It
• Ability To Speak To All Levels Of Senior Management And Staff
• Second To None Presentation Skills
• Ability To Think On Your Feet
• Dress Appropriately And Present A Highly Professional And Well Groomed Appearance
• Etiquette
• Ability To Get Things Done And Have Them Work
• Superior Facilitation Skills
• Exude Confidence At All Times
• Bullet Proof References
• Customer Service Skills
• Knowing Your Strengths and Weaknesses

In the end, it comes down to the relationships you have established with your clients for you to be successful long-term.  The greatest vote of confidence is having your clients refer you to their colleagues or speak to your prospective clients with no hesitation.  At MHA, we retain clients an average of five years; we are very proud of this fact and do everything we can to protect our reputation as well as our client relationship.

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information on MHA, contact Michael Herrera at herrera@mha-it.com.

Human Factors in Crisis Management

The “Human Factor” is the single greatest variable in your BCP program.  You can have plans, strategies, multiple contingencies but it still comes down to people and their inner workings.  People have their biases and beliefs  There is a level of narcissism and a need for control.  Also, there is a fear of failing in front of their peers or a fear of reprisal.

 These various kinds of stress can have an impact on decision-making.  The belief that they must solve all issues without collaboration can lead to unfavorable results.  Knowing the personalities of the team and how they work together can greatly improve the quality of your BCP program.  Training is key here.

 A grouping of the various factors each person on a crisis management team brings with them that you must deal with include:

 

• Decision Making Styles
• Conflict Styles
• Education
• Family History
• Narcissism

 

I believe that key crisis management team members should be selected based on ability to execute and not just because they are senior leaders in a particular role.  Look out for leaders taking over and not collaborating.   Infighting, inability to make decisions, and other similar traits are also not desirable.  Some people thrive on pressure while others don’t.  People’s view of the leader can have a positive or negative impact.  Mix up the teams, change the leaders, require primaries work with alternates, use team building exercises, etc. to build a cohesive, well-oiled team that can stand strong in the heat of a crisis.

 

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information on MHA, contact Michael Herrera at herrera@mha-it.com.

Black Swan Events

Recently, there was an article in the September Harvard Business Review and it focused on Assessing Risk today.  Traditionally, there has been a focus on planning for high probability, high impact events.  As a consequence, the planning for low probability/high consequence events has been neglected.

The article stated that companies have become adept at managing predictable, lower-level risks; they have a false sense of security about their ability to anticipate and deal with more hazardous events.

Low probability/high consequence events are also known as “Black Swan” events. Good examples of these “Black Swan” events are the Madoff Ponzi Scheme and the failure of Lehman Brothers, etc.   In the business continuity realm, September 11 was a Black Swan event.  Nassim Nicholas Taleb in his 2007 book The Black Swan deemed the following criteria to define such an event:

• The event is a surprise (to the observer).
• The event has a major impact.

 

After the fact, the event is rationalized by hindsight, as if it had been expected. So, how do we make management aware of Black Swan events and prepare for them?  We recommend you develop a “Heat Map” and plot the likelihood and significance of various types of threats at the organization.  This Heat Map, which should be a component of your Threat and Risk Assessment, should focus senior executives on unlikely but potentially devastating risk that merit but do not receive the attention they do.

 

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information on MHA, contact Michael Herrera at herrera@mha-it.com.