BlackswanHunting the Black Swans in Your Continuity Program

This is the ninth in the DRG ongoing series regarding hunting and mastery of the black swans in your continuity program. Look for it on the first Wednesday of each month.

"Black Swans" in your Continuity Program are those events that remain outside the range of normal expectations, and may well produce a significant negative impact when they occur. For reasons of budget, culture, or simple lack of awareness, we just do not see or deal with these potentially devastating exposures in our enterprise continuity capability. This series discusses some of the most common of these "black swans" in business continuity programs, those that are really staring us in the face and screaming for attention.

Already published:
Quarry 1: Employee Availability for Response Activities.
Quarry 2: The Level of Individual Employee Commitment to BCM
Quarry 3: Exercising Your Plans
Quarry 4: Exercising Your Plans: Objectives and Annual Programs
Quarry 5: Exercising Your Plans: Business Unit Continuity Plans
Quarry 6: Exercising Your Plans: Technology Recovery Plans
Quarry 7: Exercising Your Plans: Logistics, Communications, and Support Plans
Quarry 8: Lessons Learned

Quarry 9: New Year's Resolutions!

Now that all of the wonderful (and not so wonderful!) presents and delicious foods of the holidays are over (or left-over!), may I suggest that you accede to tradition and begin to make resolutions about how you can do better in the New Year. Having survived the supposed end of the world according to the Mayan calendar, we now get another chance to put our Business Continuity houses in order. And so here is my list of Business Continuity Program Resolutions you might consider for the New Year. We have talked about some of these in earlier columns; here's some additional information about four choices.

Harness the Power of the People
How many people do you want to assist with your program? Just you and your staff? Plus the DR folks? Plus the IT Security and Physical Security folks? Harness the power of all employees to look for risks in all of their individual areas of operation…and to suggest ways to mitigate these risks. All this just by doing a few awareness-raising exercises this year. Give away an IPAD for the best idea to mitigate a previously unidentified risk….and give away more than one if you get more than one great idea. Publicize the ideas and the winners on your intranet. If it works (and it will), do it periodically. Think about other ideas to get everyone in a risk identification and mitigation mode.

And yes, you want to make everyone feel that he or she is an important member of your team. We may be the professionals, but we need to count on everyone to understand the risks in their individual areas of operation. And so also include everyone by name in departmental continuity plans and technology recovery plans. There is nothing quite like seeing the faces of employees change when they find their names and individual responsibilities listed in the plan when you do your periodic structured walkthrough or other plan exercise. Yes, it's true that listing the names of individual staff members in their department's plan will engender more updates….but it will also heighten the commitment of each individual to the program. Make ALL employees part of your team and you will be amazed at the results of so many eyes and ears and brains being directed to risk identification, design of mitigation measures, and missing communication links from one continuity plan to another. Leveraging this resource can rock your world! It can also make you a super-critical part of your organization. Just promise to try it.

Know Where Your Key People Live
We are always looking to identify single-points-of –failure or SPoFs in BCM, for many very good reasons. For example, in this era of increasing frequency of severe weather events, you need to know where your people are during such events as hurricanes, blizzards and ice storms, floods, earthquakes, tornadoes, and other major natural disasters. The effects of these events may threaten your people and their families as well as cut them off from participating in recovery efforts. Do not make the unthinking judgment that such an event will not occur. And do not count on telecommunications services working – where there is no power, it will be difficult to use email and impossible to charge a mobile device unless you have a car charger, a car, and gasoline in that car. There was much talk of providing emergency mobile phone charging stations in the aftermath of Hurricane Sandy when power was down in very large areas. But we have yet to see the any such stations and it may be quite a long time before they are in general use.

This resolution requires that you make a huge map of your area and post it on the wall in an office or conference room. (You don't have to leave it up all the time….) Note everyone's address on the map (or on an electronic copy of the map) as well as potential cut-off points such as rivers and bridges, highways and smaller roads, between their locations and the designated recovery location where you need them to report. Do the same for the primary site, because it is possible that your site will be working but your people will not be able to get there. Remember also that" working from home" is not a viable option unless employees have home generators when the power outage is prolonged. Also think about what is the capacity of your network to absorb the increased load resulting from such a strategy.

Wouldn't you like to know about this situation ahead of time so that you would know that your five staff members who would be rebuilding databases live in the same neighborhood and/or rely on the same highways and bridges to get to your recovery site? Or they do not have vehicles and rely on public transportation (which may be disrupted). Yes, you can bring them in to hotels close to the recovery site or primary site ahead of time IF this is a disaster that provides time to prepare. But do remember that employees that are worried about the status of their family members will find it hard to concentrate their attention on recovery activities. It's not an easy call but you do not want to find out that you have no one available to accomplish key objectives when you are in the middle of a recovery event. This is clearly a potential black swan in ANY organization that has not performed this mapping exercise.

Build and Use Repeatable Processes
Here is a resolution that will make your life simpler and easier as year follows year follows year. Anything that you do regularly, such as exercising plans to increase usability and reliability, performing notification exercises, reviewing BIAs for changes, or quarterly reporting on regular activities, can be made much simpler by doing it the same way each time you do it. I call these sets of steps or procedures protocols, or processes. There will be a fixed number of defined steps that will be executed each time and these can be done the same way each time. Develop templates and reporting structures that can be filled in each time to guide discussions and ensure that no critical steps are missed.

Not only will this make process execution easier for you, it will also become much easier for all participants each time that they also participate in the process. Of course you will need to refine the steps and the templates associated with each process during the first few executions, but once you have a working process, it should offer the right mix of process steps and tools for each step. If you have not used this type of process before, you may be surprised at how much easier it will make your work.

Processes are tools that work because they are fit-for-task. A hammer is a much better tool for setting a nail than is a shoe or whatever comes to hand when you need to set a nail. All of the other participants will grow used to the tool set that is brought to bear by the processes you put in place. And what used to be rocky will become smooth!

Ensure that Logistics and Support Teams Work
There are many activities that will need to be executed when there is an interruption – and not all of these are direct recovery activities. Also, most of these are NOT related to normal work activities. Most of them will be executed ONLY when there is a serious interruption. All the more reason to train the members of these teams through progressively more realistic scenarios. Some of these activities will be difficult and perhaps even impossible for some team members to execute. Surely it is better to learn that certain people will not respond well to a need to provide grief counseling, contacting families, or even deciding on the fly how IT architecture should be changed to take advantage of new technologies when a data center is being rebuilt at a new site.

Some people are very calm under fire; some are immobilized by fear. Again, it is far better to find this out before an interruption incident occurs. Another difficult point is how senior management will make decisions under extreme pressure. It can be useful to have them walk through complex and serious interruption scenarios to sort out among themselves how they will come to a decision. Some of this will be dependent on the culture of the organization, but some will be dependent on the personalities of the participants. Again, best to rehearse when the real pressure is off.

So choose your resolution from one of the above or from your own list. It's easy to make New Year's Resolutions, but considerably harder to follow through on them, as most of us already understand. But if you don't try, you are sure to get nothing in return.

Don't be afraid to do something that will take more than one year to demonstrate all of its benefits. Business Continuity Management is an ongoing process, and so take advantage of the time you have to build a more productive program, one that is easier for you to manage and more easily gains the support of all the members of your organization.

About the Author

Kathleen Lucey, FBCI, is President of Montague Risk Management, a business continuity consulting firm founded in 1996. She is a member of the BCI Global Membership Council, past member of the Board of the BCI, and the founding President of the BCI USA Chapter. IBM chose her as the first winner of its Business Continuity Practitioner of the Year Award in 1998. She speaks and publishes widely in both North America and Europe. Kathleen may be reached via email at kathleenalucey@gmail.com.