I was recently interviewed as a disaster planning expert in Rural Lifestyle magazine. Please review Lynn Woolf's blog in the March/April Issue by clicking the link below:

Be Storm Ready

Patrick Lencioni is one of my favorite authors and management advisors, primarily for his no-nonsense style of organizational leadership.  He wrote a book in 2004 that became an instant classic in business circles, called Death by Meeting.  In this leadership fable, Lencioni addresses the question of why so many people would rather stick their finger in a rotating fan than go to some team meetings.  One of the critical elements to keep participants on their toes is conflict.  Meetings become more interesting if you expect tough discussion on issues that really matter. 
 
So what does conflict have to do with the execution of disaster drills?  Everything!  The goals of a disaster drill are to test your business continuity and disaster recovery plans, but also to test your team’s ability to handle difficult situations and manage through a crisis.  Conflict enhances stress and creates more realistic simulations.  It encourages people to take sides.  It makes the team sweat.  And it will result in an exercise that is remembered long after its completion.
 
My personal philosophy on designing and facilitating drills for organizations is to introduce a significant amount of conflict into the scenario to force the team to work through key decisions. 
 
Below are some ways that you can create conflict in your business continuity and disaster drills:

• Simulate the sudden absence of a key leader to see how other members of the team manage the scenario
  
• Introduce personal conflict such as a family crisis simultaneously with a team member’s work responsibility, forcing them to choose and delegate
  
• Include regulatory compliance deadlines with surprise calls from real government agencies
  
• Incorporate creepy details, such as simulating a stalker scenario for a particular team member
  

If you inject intentional conflict into your next disaster drill, your team will enjoy it and will learn more in the process. 

_{Image courtesy of FreeDigitalPhotos.net}

Imagine being the coach of a great team with high expectations for winning the championship.  You are a world class leader and have surrounded yourself with brilliant assistants – each well known in their respective disciplines.  Weeks before the big game, you and your assistant coaches pour over film of the opponent, study their strengths and weaknesses, and meticulously design a powerful game plan based on technical and artistic analysis.  The plan is great and everyone agrees that it will set the groundwork for a huge victory.  Each player on the team receives a full color, spiral bound version of the game plan. 
 
Between this time and the big game, there is much to do, and with the media days, budget meetings, and sponsor obligations, you never get around to getting the players out to the practice field to run through the new playbook. 
 
On the day of the championship game, everyone seems calm and confident.  After all, everyone has a copy of the most magnificent plan they have ever seen.   Some of the players have read the chapters that contain the insights to their position, but most assumed that it would be common sense, and since they were experienced athletes they could do what was necessary to win.  
 
As the game starts, you see a few good moves, but not exactly matching the way the plan was designed, and very little communication.  By the end of the first half, chaos has set in.  Frustration at team members is obvious and key milestones have been missed.  Since the game plan was not being followed by the team, it has forced the coach to shift formations and player positions on the fly, and to make decisions without having timely information.  Ultimately you have trouble matching up to the challenge and end up losing the game. 
 
I realize that a world class coach would not take this approach because he or she knows that the secret to success on game day is proper training.  The game plan is part of a successful outcome, but unless everyone on the team understands their role and respective responsibility, there will be chaos.  And when the game is on the line, every moment and decision counts.  Bad or delayed decisions can result in failure.
 
So it is with business continuity and disaster recovery planning.  Many organizations have built elaborate, technical, and process-centric plans to help them mitigate risk and manage through a crisis.  But if the plan has never been tested, or if key individuals aren’t familiar with the details, there is a strong likelihood that the plan won’t work the way it was intended. 
 
As a business continuity professional, I have facilitated dozens of disaster drills for clients large and small across many industries, and there is one constant in all of them – the team always learned something that resulted in revisions to the plan.  It might be as simple as modifying phone numbers in your contact list, but it could be significant, such as realizing that a crucial vendor cannot meet your requirement and has to default on a contract.  What a surprise that would be in the wake of a building fire. 
 
The bottom line is that if you haven’t tested your business continuity or disaster recovery plan, you aren’t ready to manage through a disaster.

_{Image courtesy of FreeDigitalPhotos.net}

“C’mon, Bob, the fire alarm is going off, we need to get out of the building”. 
“I know, I saw the memo about the fire drill today, just need to finish this email – only another minute or so.  Besides, most of my department is ignoring it, so what is the big deal?”

Have you seen this scenario at your office?  Once or twice a year the office manager announces the need for a fire drill.  Many people roll their eyes and plan to be out of the office to avoid the ‘unproductive madness’.  So when the fire drill alarm goes off, you will frequently see the prairie-dogging phenomenon – cubicle dwellers pop their heads up to see what the rest of their coworkers are going to do.  The momentum of the teams toward the door can often be predicted based on the habits of others, not on what the firm expects of them.

But these drills truly do have value.  Studies show that large percentages of employees do not know the best route out of the building if their main route is blocked.  Research also indicates that in less than 60 seconds, a fire can fill a room with enough smoke to make it disorienting and difficult to find exits.  For the same reason high performance athlete’s train before the big game, practicing fire drills makes success more likely during the real event.

So how do you build a fire drill process that instills the importance of safety into your team?

Start at the top.  Company executives must be committed to the program and support it not with lip service and a corporate policy in the employee handbook that no one will read, but in person at the next company meeting.  The CEO and the management team must all be on board.  And they must lead by example.  That means when the fire alarm goes off, the corporate leaders are the first ones out of their offices encouraging others to drop what they are going and get out of the building. 

Second, set a goal for a reasonable amount of time to have everyone out.  This will depend on the size of the facility, the number of people, and a few other factors, but less than 2-3 minutes should be a target.  Every time a drill occurs, assign a person to keep a stopwatch going and try to beat your previous time.  Adding a little game to the drill keeps it fun.  If you have more than one facility, set up a competition between them.  Offer free company gear (hats, t-shirts, coffee mugs, etc.) to the teams that meet certain goals.  Plan a pizza party if the fire drill’s results improve over last time – it is amazing what people will do for free pizza.

But getting out of the building is not the end of the drill.  How do you know every person is out? Each department, team, or floor should have a Fire Captain assigned that will both sweep their area looking for those still at their desks or those that need assistance, and perform a roll call when teams have arrived at their designated meeting spot (usually in the parking lot).  The Fire Captains should be able to account for every person, either present at the safety spot, or via knowledge that they are out of the office.  Additionally, the receptionist should bring the guest log book if one exists to account for visitors that may not know where to go. 

Finally, the office manager should meet briefly with the Fire Captains to discuss any issues or concerns regarding the goals set for evacuation.  A brief report should be shared with all employees on how well the drill went and if it achieved its objectives.  Following this process should help turn your ho-hum fire drill into an event that you can be proud of, and an organization that places a priority on the safety of its workforce.

This week I had the privilege of being a guest blogger for Continuity Insights, a premier periodical exclusively focused on business continuity and disaster recovery. Click the link to enjoy this post, and please share your thoughts.

Executives and managers make difficult decisions every day, but one of the most important decisions that may have to be made is to formally declare a disaster for his or her company. This is a critical decision because one once it has been made, it initiates a critical chain of events that will spawn multiple teams and processes to manage human safety, damage assessment, salvage and restoration, and recovery of assets and systems.

These activities may consume significant financial and human resources to secure new facilities or assets, procure equipment and supplies, or to acquire targeted services. Declaring a disaster may be the first step in qualifying for governmental disaster assistance, emergency assistance from local responders, or insurance assistance. So it is very important.

But it is also essential to recognize that it may be difficult to stop this process once it has started, and that doing so may be equally impactful. For example, once the Information Technology team has initiated a system or database transition to an alternate site, halting the process mid-stream might be worse than the disaster itself. Likewise, certain processes may have regulatory control check points that impact the logistics of managing through a disaster.

My point in all this is simply to understand that the decision to declare a disaster should not be taken lightly. It is recommended to consider the following questions and criteria prior to the final decision. There is no one right answer, but the details of each answer will guide the decision process.

• Have we confirmed that the immediate disaster threat is over?
• Are our facilities safe and structurally sound?
• Are all of our employees, contractors, business partners, clients, and other onsite visitors safe?
• What is the damage assessment for all assets (workforce, facilities, data & systems, capital, vendors & suppliers, communication channels, distribution channels)? The BCP should have identified a threshold of damage that would trigger a disaster declaration – has this exceeded the threshold?
• Are any internal systems off line? This could include security systems, business functional systems (e-mail, inventory control, payroll & accounting, customer service or relationship systems, patient records, claims management, etc.), phone systems, mechanical & HVAC, or power systems.
• Are we able to provide service to our clients and customers to meet expectations?
• Have we exceeded or do we know that we will surpass any Recovery Time Objectives (RTO) for IT systems or business processes?

Recently a colleague asked about a business continuity plan assessment, wondering what types of questions should be answered as part of this review. The assumption was that the organization had some sort of plan, but that executives didn’t know how to determine whether what they had was comprehensive. So it sounded like a perfect blog post.

So in order to identify the critical needs of your organization and be in a position to protect your assets, here is a list of some questions to consider during the development of a BCP. This is by no means comprehensive, or personalized to a specific company or industry, but can offer some thoughts as to where the process would start.

• Could your business survive being without its key systems, people, or processes for 24 hours? 48 hours? 72 hours? Do you know what your true recovery capabilities are?
• Have you planned for many different types of disaster scenarios?
• Do you know what your most vulnerable assets are?
• What is the financial loss to your company if you were not able to process customer orders?
• Do you have a comprehensive crisis communication strategy that considers the top ten stakeholder groups?
• Do your primary suppliers have solid business continuity plans to avoid a shortage of materials?
• Are you in a regulated industry that mandates certain types of disaster planning components? If so, did you pass your last compliance audit?
• Are your policies and procedures in line with industry standards?
• Do you have a succession plan for company executives that extends below the C-Suite?
• Does your data backup strategy reflect a balance of both recovery times and recovery points?
• Is your plan role based, rather than person based?
• Is the core technology in your data recovery strategy older than 4 years?
• Do you have an alternate working site for office staff identified?
• Do you have an active business continuity program that is led by a director devoting 25% of his or her time to it?
• How frequently do you perform disaster drills?