by Scott Owens, PMP, CBCP on July 17th, 2012

I was recently interviewed as a disaster planning expert in Farm Equipment magazine. Please review Lynn Woolf's nice article in the July/August Issue by clicking the link below:

Don't Become a Statistic

by Scott Owens, PMP, CBCP on March 21st, 2012

“C’mon, Bob, the fire alarm is going off, we need to get out of the building.”
“I know, I saw the memo about the fire drill today, just need to finish this email – only another minute or so.  Besides, most of my department is ignoring it, so what is the big deal?”

Have you seen this scenario at your office?  Once or twice a year the office manager announces the need for a fire drill.  Many people roll their eyes and plan to be out of the office to avoid the ‘unproductive madness’.  So when the fire drill alarm goes off, you will frequently see the prairie-dogging phenomenon – cubicle dwellers pop their heads up to see what the rest of their coworkers are going to do.  The momentum of the teams toward the door can often be predicted based on the habits of others, not on what the firm expects of them.

But these drills truly do have value.  Studies show that large percentages of employees do not know the best route out of the building if their main route is blocked.  Research also indicates that in less than 60 seconds, a fire can fill a room with enough smoke to make it disorienting and difficult to find exits.  For the same reason high-performance athletes train before the big game, practicing fire drills makes success more likely during the real event.

So how do you build a fire drill process that instills the importance of safety into your team?

Start at the top.  Company executives must be committed to the program and support it not with lip service and a corporate policy in the employee handbook that no one will read, but in person at the next company meeting.  The CEO and the management team must all be on board.  And they must lead by example.  That means when the fire alarm goes off, the corporate leaders are the first ones out of their offices encouraging others to drop what they are doing and get out of the building.

Second, set a goal for a reasonable amount of time to have everyone out.  This will depend on the size of the facility, the number of people, and a few other factors, but less than 2-3 minutes should be a target.  Every time a drill occurs, assign a person to keep a stopwatch going and try to beat your previous time.  Adding a little game to the drill keeps it fun.  If you have more than one facility, set up a competition between them.  Offer free company gear (hats, t-shirts, coffee mugs, etc.) to the teams that meet certain goals.  Plan a pizza party if the fire drill’s results improve over last time – it is amazing what people will do for free pizza.

But getting out of the building is not the end of the drill.  How do you know every person is out? Each department, team, or floor should have a Fire Captain assigned that will both sweep their area looking for those still at their desks or those that need assistance, and perform a roll call when teams have arrived at their designated meeting spot (usually in the parking lot).  The Fire Captains should be able to account for every person, either present at the safety spot, or via knowledge that they are out of the office.  Additionally, the receptionist should bring the guest log book if one exists to account for visitors that may not know where to go. 

Finally, the office manager should meet briefly with the Fire Captains to discuss any issues or concerns regarding the goals set for evacuation.  A brief report should be shared with all employees on how well the drill went and if it achieved its objectives.  Following this process should help turn your ho-hum fire drill into an event that you can be proud of, and an organization that places a priority on the safety of its workforce.

by Scott Owens, PMP, CBCP on March 19th, 2012

Business Continuity Awareness Week 2012 begins today!  Hopefully you have been enjoying this most important event by promoting education and awareness in your organization.  Please enjoy these resources to encourage your teams toward a higher level of resiliency. 

The Time is Now
…watch this short video as a kickoff to the week.

Join the BC24 Online Incident Management Simulation game with your friends.

Download Business Continuity Awareness Posters (bottom of this page) that you can print and post in public areas.

See also a variety of online Educational Webinars and informational materials

And much more at the official BCAW site.

Have an educational week.

by Scott Owens, PMP, CBCP on January 30th, 2012

This week I had the privilege of being a guest blogger for Continuity Insights, a premier periodical exclusively focused on business continuity and disaster recovery. Click the link to enjoy this post, and please share your thoughts.

by Scott Owens, PMP, CBCP on December 18th, 2011

Executives and managers make difficult decisions every day, but one of the most important decisions that may have to be made is to formally declare a disaster for their company. This is a critical decision because once it has been made, it initiates a critical chain of events that will spawn multiple teams and processes to manage human safety, damage assessment, salvage and restoration, and recovery of assets and systems.

These activities may consume significant financial and human resources to secure new facilities or assets, procure equipment and supplies, or to acquire targeted services. Declaring a disaster may be the first step in qualifying for governmental disaster assistance, emergency assistance from local responders, or insurance assistance. So it is very important.

But it is also essential to recognize that it may be difficult to stop this process once it has started, and that doing so may be equally impactful. For example, once the Information Technology team has initiated a system or database transition to an alternate site, halting the process mid-stream might be worse than the disaster itself. Likewise, certain processes may have regulatory control check points that impact the logistics of managing through a disaster.

My point in all this is simply to understand that the decision to declare a disaster should not be taken lightly. It is recommended to consider the following questions and criteria prior to the final decision. There is no one right answer, but the details of each answer will guide the decision process.
  • Have we confirmed that the immediate disaster threat is over?
  • Are our facilities safe and structurally sound?
  • Are all of our employees, contractors, business partners, clients, and other onsite visitors safe?
  • What is the damage assessment for all assets (workforce, facilities, data & systems, capital, vendors & suppliers, communication channels, distribution channels)? The BCP should have identified a threshold of damage that would trigger a disaster declaration – has this exceeded the threshold?
  • Are any internal systems off line? This could include security systems, business functional systems (e-mail, inventory control, payroll & accounting, customer service or relationship systems, patient records, claims management, etc.), phone systems, mechanical & HVAC, or power systems.
  • Are we able to provide service to our clients and customers to meet expectations?
  • Have we exceeded or do we know that we will surpass any Recovery Time Objectives (RTO) for IT systems or business processes?

by Scott Owens, PMP, CBCP on November 20th, 2011

Recently a colleague asked about a business continuity plan assessment, wondering what types of questions should be answered as part of this review. The assumption was that the organization had some sort of plan, but that executives didn’t know how to determine whether what they had was comprehensive. So it sounded like a perfect blog post.

So in order to identify the critical needs of your organization and be in a position to protect your assets, here is a list of some questions to consider during the development of a BCP. This is by no means comprehensive, or personalized to a specific company or industry, but can offer some thoughts as to where the process would start.

• Could your business survive being without its key systems, people, or processes for 24 hours? 48 hours? 72 hours? Do you know what your true recovery capabilities are?
• Have you planned for many different types of disaster scenarios?
• Do you know what your most vulnerable assets are?
• What is the financial loss to your company if you were not able to process customer orders?
• Do you have a comprehensive crisis communication strategy that considers the top ten stakeholder groups?
• Do your primary suppliers have solid business continuity plans to avoid a shortage of materials?
• Are you in a regulated industry that mandates certain types of disaster planning components? If so, did you pass your last compliance audit?
• Are your policies and procedures in line with industry standards?
• Do you have a succession plan for company executives that extends below the C-Suite?
• Does your data backup strategy reflect a balance of both recovery times and recovery points?
• Is your plan role based, rather than person based?
• Is the core technology in your data recovery strategy older than 4 years?
• Do you have an alternate working site for office staff identified?
• Do you have an active business continuity program that is led by a director devoting 25% of his or her time to it?
• How frequently do you perform disaster drills?

by Scott Owens, PMP, CBCP on November 6th, 2011

Let’s take a quick review of some of the noteworthy disaster events of 2011:
• 27 earthquakes over 6.0 magnitude in South America, Asia, and the Pacific rim
• Shift of the Earth’s magnetic north pole
• Japan’s magnitude 8.9 earthquake and tsunami
• Hurricane Irene scrapes most of the US eastern coast leaving 30 dead and $5.5 billion in insured losses
• Volcano in Iceland erupts spewing ash all over Europe
• Deadly tornadoes in Joplin, Missouri claim 160 lives, cause 900 injuries, and destroy 8000 houses and 450 businesses
• Electrical blackout in San Diego leaves 4.1 million people without power for several days
• Texas wildfires scorch thousands of acres of land

To date in 2011, FEMA has declared 91 disasters, eclipsing the twelve month total from 2010 in only 10 months, and on pace to shatter the all-time record. Did any of these situations have a direct or indirect impact on your business, your customers, or your suppliers? Were you prepared for these?

There is always the possibility that your organization exists in a microcosm of the world that doesn’t ever change and is safe and protected from external events. But chances are if this is the case, your business isn’t very vibrant or profitable.

So how is your business continuity or disaster recovery plan? Is it time to consider a revision or a rewrite?

by Scott Owens, PMP, CBCP on October 24th, 2011

Enjoyed this clever business continuity video ... pride is often your own worst enemy.

by Scott Owens, PMP, CBCP on October 9th, 2011

In the world of disaster recovery and business continuity, professionals tend to focus on a few key metrics. Perhaps the most widely known is the Recovery Time Objective or RTO. This concept is the time (in hours or days) from the start of the disaster event until when all critical systems and processes have been restored to an acceptable operational mode. This is usually mandated by an executive team or department leader, and typically answers the question, “How soon can we be back online?”

Again starting at the disaster event, but going back in time, we find another interesting metric - the Recovery Point Objective or RPO. This is the point in time at which we have a high level of confidence that a secure system and data backup exists. Most companies run backups each night, so this is generally less than 24 hours.  This value answers the question, “How much data am I willing to lose?”

But both of these metrics aren’t worth the paper the executive report is printed on unless your Actual Recovery Capability (ARC) is consistent with your RTO. Why does it matter? How is this different than RTO? Simply speaking, your ARC is reality. The ARC is a documented length of time that it takes to restore key processes and systems to an acceptable operational state – in other words, “How long did it really take?” Recovery Time Objective is just that – an objective or goal, and often assumes a best case scenario. The real world is rarely a best case scenario.

How do you close the gap? Lowering the variance requires training, testing, and discipline. If you can complete a minimum of 3 successful disaster drills for the same domain in which the recovery time is within 5% of the objective, you can have confidence that your RTO is attainable. When you know what your Actual Recovery Capability is, then you have a metric that matters.
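The following Python sketch is an added example, not part of the original post: it applies the drill rule above to a constructed drill log and also measures the data-loss window against an RPO. It assumes ARC is the slowest successful drill and that "within 5%" means no more than 5% over the RTO; the log format, domain names and objectives are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed drill records (illustrative, not real data). Columns:
# domain, last verified backup, disaster start, service restored, outcome
DRILL_LOG = """\
email,2011-02-28T23:00,2011-03-01T09:00,2011-03-01T12:50,success
email,2011-05-09T23:00,2011-05-10T09:00,2011-05-10T13:10,success
email,2011-08-01T23:00,2011-08-02T09:00,2011-08-02T13:05,success
payroll,2011-02-28T23:00,2011-03-01T09:00,2011-03-01T19:30,success
payroll,2011-05-08T23:00,2011-05-10T09:00,2011-05-10T17:20,success
payroll,2011-08-01T23:00,2011-08-02T09:00,2011-08-02T16:55,failed
"""

# Assumed objectives per domain: (RTO, RPO)
OBJECTIVES = {
    "email": (timedelta(hours=4), timedelta(hours=24)),
    "payroll": (timedelta(hours=8), timedelta(hours=24)),
}
TOLERANCE = 0.05  # "within 5% of the objective", read as at most 5% over
MIN_DRILLS = 3    # "a minimum of 3 successful disaster drills"


@dataclass
class Drill:
    domain: str
    data_loss: timedelta  # disaster start minus last verified backup
    recovery: timedelta   # service restored minus disaster start
    success: bool


def parse_drills(text):
    """Parse the CSV-style drill log, rejecting out-of-order timestamps."""
    drills = []
    for line in text.strip().splitlines():
        domain, backup, start, restored, outcome = (f.strip() for f in line.split(","))
        t_backup, t_start, t_restored = map(datetime.fromisoformat, (backup, start, restored))
        if not t_backup <= t_start <= t_restored:
            raise ValueError(f"timestamps out of order: {line}")
        drills.append(Drill(domain, t_start - t_backup,
                            t_restored - t_start, outcome == "success"))
    return drills


def assess(drills, objectives=OBJECTIVES):
    """Compare measured recovery (ARC) and data loss with each domain's RTO/RPO."""
    by_domain = defaultdict(list)
    for d in drills:
        by_domain[d.domain].append(d)
    report = {}
    for domain, (rto, rpo) in objectives.items():
        runs = by_domain.get(domain, [])
        ok = [d for d in runs if d.success]
        limit = rto * (1 + TOLERANCE)
        qualifying = [d for d in ok if d.recovery <= limit]
        report[domain] = {
            # ARC taken as the slowest successful drill (conservative assumption)
            "arc": max((d.recovery for d in ok), default=None),
            "worst_data_loss": max((d.data_loss for d in runs), default=None),
            "qualifying_drills": len(qualifying),
            "rto_attainable": len(qualifying) >= MIN_DRILLS,
            "rpo_met": bool(runs) and all(d.data_loss <= rpo for d in runs),
        }
    return report


if __name__ == "__main__":
    for domain, result in assess(parse_drills(DRILL_LOG)).items():
        print(domain, result)
```

In the constructed data, payroll has only one successful drill inside the tolerance and one drill that ran against a backup older than its RPO, so neither objective is supported by evidence yet.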

by Scott Owens, PMP, CBCP on September 26th, 2011

How much time do you spend buying a car? A few hours for several nights on the internet researching, a few phone calls to friends, an afternoon walking the dealer lots, a few test drives, a little haggling, then the purchase. Sound familiar? According to a 2010 survey, the average person spends 10 hours on the purchase of a new car. And on average, Americans will use their car about 30 minutes per day and only keep a new car for about 4.5 years.

Would it surprise you to find out that most people spend more time choosing a car than they do choosing an enterprise software package? This is true, even though most enterprise software programs have a useful life of 6-9 years. I know what you are thinking – it isn’t a fair comparison because selecting software isn’t exciting like driving home with new wheels. But there are a lot more similarities than you might think. And it is a great analogy because of the simplicity. Let’s dig a little deeper.

First, in both scenarios, you need to understand your true needs (requirements). Need to pull a boat? Maybe the VW Beetle isn’t the best choice. Need to send invoices to customers? Maybe you should take the time to make sure the software can produce them in the format you need. Must have 7 cup holders? Are you sure you really need 7, or would 4 be sufficient? Need that software to integrate with another system automatically? Perhaps someone could manually enter the few data elements rather than build a software bridge. Unless you have a good handle on this, and some understanding of how to prioritize your needs, you are doomed to end up with a product that surprisingly (or not) can’t do what you thought.

Second, in both scenarios, you need to realize that no perfect match to your needs exists, and although you will find competing products (according to a specific class), you will find it hard to truly compare apples to apples. Need fold-down rear seats in the minivan? Great, but you might have to upgrade to the platinum trim package for an extra $1000. And if you don’t spend the bucks on this, you might lose the DVD player. But the other minivan has lay-flat seats and two DVD players. How do you compare? The same is true for software. Most packages have various tiers that engage blocks of functionality together. And each vendor will have their own spin on how a certain function works. Diligence is a must here – only by taking time to carefully compare products not against each other, but against a documented list of requirements can you know how close a match you will have.

Do you know anyone with shiny object syndrome? They are distracted by any shiny objects no matter how small, and totally lose focus on the task at hand. Car salesmen and software salesmen often use this tactic. The car comes with a built-in barbeque grill in the trunk for tailgating. Whoa. Not on my requirements list, but only another $500, and think about how cool this would be. The software package comes with a life-size 3-D hologram avatar with a British accent that serves as an interactive helpdesk system. It was the first thing the salesman showed me. Whoa. Where do I sign? These features alone might sell the entire product even though it lacks some basic things. This is where a structured product demonstration can help fine tune the process to generate predictable results. And not structured by the vendor, structured by you. If they don’t play ball with your process, they go home without a sale. Make them prove that they have the meat and potatoes before they bring out dessert.

So what is the point with this? The point is that, as with buying a car, when software is purchased without a methodical process designed to accurately determine needs, compare and evaluate products against these needs, and control the selection process, the team is likely to make a decision it will regret in a year. No one wants to live with a bad decision for the next 8 years. And with the cost of these enterprise systems hovering in the mid 6 figures, no organization can afford to make a bad choice.

Make sure the software selection process is done right to minimize the risk to your organization.

by Scott Owens, PMP, CBCP on September 15th, 2011

One of the biggest mistakes that organizations make is to assume that the business continuity (BC) or disaster recovery (DR) plan that was created several years ago for your organization will be sufficient in a crisis. Are you sure that the plans were all-inclusive? What if your firm never got around to completing this initiative?

And what about the impact that natural disasters have had on businesses? To date in 2011, FEMA has declared 81 disasters, equaling the twelve month total from 2010, and on pace to shatter the all-time record. Did any of these situations have a direct or indirect impact on your business, your customers, or your suppliers? Were you prepared for these? Did your plan reflect this?

How do you know if your plans are as comprehensive as they need to be, or if they will stand up to the scrutiny of an audit if you are in a regulated industry?

The reality of business in today’s climate is that in the span of a year, critical business assumptions, resources, finances, sales, products, teams, technology, customers, suppliers, regulations, and even physical locations are likely to change or adapt. If your BC / DR plan has not been updated in the last 6 months to reflect changes in your business, the plan might be worthless in a true crisis.

The easy answer to all these questions is that you probably need to start with an assessment of your status quo. Understanding your environment (technical, operational, financial, regulatory), your teams and their capabilities, and your risk tolerance, is critical to making sure you have a solid plan. Knowing what exists from a BC and DR perspective, and performing a comparison to a core set of best practices is a great start. From this gap analysis, you will have a roadmap of how to best update your plans to protect the organization.

by Scott Owens, PMP, CBCP on September 7th, 2011

by Scott Owens, PMP, CBCP on August 29th, 2011

In my experience as a business continuity planning professional, I have generally seen three ways in which organizations start down the path of business continuity (BC) or disaster recovery (DR) planning.

The first is usually through legislation, regulation, or government mandate. Those companies in regulated industries such as healthcare, insurance, banking/financial, and energy have various requirements that specify a need for BC and DR planning. More often than not, these regulations do not specify exactly how this must be accomplished, but provide an end game. Additionally, most industry trade groups have some level of expectation regarding disaster planning. 

The second way that real BC or DR planning work typically starts inside a company is when the corporate executives understand that managing risk is an important way to help keep their business healthy. These types of organizations tend to want to have an internal expert in this domain, and invest their people’s time in education and training.

And finally, some firms start the BC or DR planning process after a disaster strikes their organization or the company of a close friend or colleague. Seeing the devastation, understanding the financial or other loss, and feeling the personal effects has the unique power to motivate people into action. But often, at this point it is too late.

Don’t rely on choosing option #3. If this is your strategy, you might not even have the opportunity to recover. Make sure you have a current, realistic business continuity and disaster recovery plan, and make sure it has been tested recently.

by Scott Owens, PMP, CBCP on August 15th, 2011

Today's post will be the first in a series to discuss the stages in the BCP Life Cycle. In order to properly design and implement a business continuity solution that provides the appropriate approach for an organization, you should consider all the stages in the BCP Life Cycle. Each stage provides a focused set of activities to gather information, provide analysis, design solutions, build documentation, or other steps. And while many stages could be performed independently, without a holistic view of the inputs to and outputs from each stage, it is likely that the end product from a stage is not optimal.

Risk Assessment is the first stage in the BCP Life Cycle. Many of our readers are probably familiar with Enterprise Risk Management (ERM) and the processes surrounding this organizational exercise. Much of the Risk Assessment overlaps with ERM. The goal in this stage is to understand high level risks to the organization from all facets - physical, environmental, social, political, operational, and more. A typical Risk Assessment identifies approximately 100 key risk items, and then provides analysis to quantify these risks in a consistent stratification model. The model generally uses a scoring metric or cost as the measuring point.

So why should you care about a Risk Assessment? Because most organizations do not have an unlimited budget to spend on all the risk items. Nearly every company needs to prioritize the spending and planning, and many items are simply not going to make the cut. So without taking the time to complete a Risk Analysis, you might not have a complete picture of what is really important.

by Scott Owens, PMP, CBCP on August 1st, 2011

Business Continuity Planning involves the analysis, preparation, and planning that are necessary to minimize loss and ensure continuity of an organization’s critical business functions in the event of a disaster.

A Business Continuity Plan (BCP) is designed to outline the steps required to recover the systems and business processes that are critical to routine operations.

So why should you care if your company has one?

Nearly every day a disaster impacts a company or a community. Hurricanes, wildfires, blizzards, extreme heat, tornadoes, and tsunamis create big headlines, but it is often the events that do not create headlines, such as server failures, that create havoc for business. The consequences can be measured in a variety of ways: human loss or injury, financial loss or fines, impact to reputation or brand image, failure to comply with governmental regulations, and more.

According to a study by the Disaster Recovery Journal in 2007, “43 percent of businesses suffering a disaster never recover sufficiently to resume business. Of those that do reopen, only 29 percent are still operating two years later.”

The Dallas Morning News reported in January, 2007 that “A four-day computer crash at Parkland Memorial Hospital in November [2006] could end up costing $6 million to $7 million in lost bill collections, hospital officials acknowledged this week.”

The list of examples like these is long, yet many organizations still feel it isn't important.

This blog is dedicated to sharing information about business continuity planning, the respective industry best practices, and lessons learned, in hopes that more organizations will consider business continuity planning a serious component of their enterprise risk management strategy.
