Continuity planning not about planning for the event but planning for the impact

I recently read an article by the CEO of Onyx Group ( http://www.channelweb.co.uk/crn-uk/opinion/2133927/-step-business-continuity ), Neil Stephenson, about the necessity of planning for all types of scenarios and not just natural disasters – the article proved quite interesting. First of all, it is interesting to see the CEO of a company promoting business continuity planning in such an open and definitive way. Second, Neil Stephenson suggests that continuity planners plan for all potential impactful scenarios (and not just natural disasters). This is particularly interesting as it is a point raised by someone not practicing contingency planning for a living, yet it is something that contingency planners often forget. So often, planners get caught up in the excitement and fear associated with tornadoes, floods, and ice storms, and ignore other potentially more impactful situations (pandemics, IT malfunction, theft of client data, and so on).

As stated, I agree with Neil on all accounts, as noted above, however, we must also remember that it is dangerous to get ‘into the weeds’ when developing business continuity plans. Instead, we should be planning for impacts associated with all of these events (i.e. loss of IT capability, loss of critical / confidential information, loss of facility(ies), and / or loss of personnel). Proceeding in this way ensures that we have addressed all potential impactful events (natural events or otherwise) without complicating our business continuity programs, and confusing the purpose of those programs.

This is my final blog until early in the new year as I am heading out of the country, however, I am already looking forward to continuing on into 2012!

For continuity-related updates, follow me on Twitter @continuityblog

Thank you and have a Merry Christmas and Happy New Year,

The Continuity Blogger

Top Disasters of 2011 – Have Your Say

It is hard to imagine that 2011 is coming to a close. 2011 proved to be an incredible year for my organization in terms of developing and utilizing our contingency planning program. We made significant strides when it comes to developing, testing, and exercising continuity plans, and on numerous occasions we were required to activate one component or another of our contingency planning program. Key individuals and teams were activated to respond to long term and widespread power outages, IT outages, and several situations which had the potential to turn into full-scale PR crises. While responding to and recovering from these situations proved tiresome and daunting at times, the general awareness around our contingency planning program increased ten-fold as a result of these response and recovery efforts. Undergoing several contingency plan activations also allowed the organization to determine what worked and what did not work – plans and procedures were adapted as needed and as necessary.

2011 was also a very busy year in terms of historically significant natural disasters. I am sure that several of you were impacted in one way or another by one or more of these events and have many lessons to share with fellow contingency planning practitioners as a result.

I have listed what I would consider to be the top 10 natural disasters of 2011 below. I have considered population impacted, business disruption caused, death and injury toll, total economic impact, as well as overall shock factor, when ranking these events.

1. March Earthquake and Tsunami - Japan

2. Ongoing Famine - Africa

3. February Earthquake – New Zealand

4. October Floods - Thailand

5. April / May Tornadoes – Southern United States

6. January Floods - Australia  

7. Hurricane Irene – Eastern United States

8. Volcanic Eruptions and associated Ash Plumes – Iceland and Europe

9. October Earthquake - Turkey

10. Fall Wildfires – Texas, United States

Would you change the ranking of these events, and if so, how? Were you impacted by one of these events, and if so, how did your business fare?

I look forward to hearing from you all.

Regards,

The Continuity Blogger

*Follow me on twitter @continuityblog!

A Maturing Contingency Planning Program Creates Inherent Risks

Though progress has been slow, the maturity level of the contingency planning program at my place of work continues to grow, as does the need to ‘let go’ of components of the program (i.e. individual business unit BCPs). I am responsible for facilitating BIAs, developing BCPs, performing training and exercise sessions, and then ultimately, handing responsibility of the BCPs to the business. Being a one man team has made the use of non-dedicated individuals from across the organization to manage plans necessary. This approach of giving ownership to the business is becoming necessary as more and more plans continue to be developed – one person can only manage so much.

While I trust those in the business to manage and maintain their business continuity plans, it must be remembered that continuity planning is not their primary function or responsibility. As such, I have been developing a means of mitigating the risk of plans becoming stale and of the overall contingency planning program becoming forgotten by those whom I have worked with. The thought is that BCP Coordinators from the organization whom are responsible for the maintenance and activation of business continuity plans for their business unit will report to myself on a quarterly basis using the score card or “BCP Preparedness Index” below. Business units (and coordinators) will be scored each quarter based on various criteria. Business units failing to meet base requirements will run the risk of having their poor results reported to senior management. A summary report will also be produced and presented to the board on an annual basis, giving the program traction and visibility at the highest level of management.

While I have made significant progress in developing a measurement tool, I would welcome your thoughts on other criteria / areas which should be measured. I would also welcome feedback from those whom have developed a similar system at their workplace – what has worked / not worked?

I look forward to your responses.

Have a wonderful weekend.

The Continuity Blogger

		Business Unit Title / Manager
		Please note: One (1) point will be allotted for each 'yes' answer while a 'no' answer will result in a score of zero (0).
		Quarter	Q1	Q2	Q3	Q4
		Business impact analysis (BIA) reviewed within the last calendar year
		Plan reviewed and understood by all employees, team leaders, and managers
		Continuity strategy reviewed within the last calendar year
		Overall plan updated / reviewed within the last calendar year
		Plan tested and individuals exercised within the last calendar year
		Plan distributed to all employees (including new employees within the last year)
		Level of confidence in continuity strategy (high / medium / low)
		Comment or concerns
Preparedness Level		Score	Q1	Q2	Q3	Q4
	Poor	0 to 4
	Average	5 to 8
	Excellent	8 to 10

Follow me on Twitter!

After years and years of resistence, I have finally created a twitter account. Having the account provides me with just one more way to communicate with my readers and those organizations and individuals in the field.

Please feel free to add me: @continuityblog.

Thanks.
The Continuity Blogger

Welcome to the Continuity Lounge!

Welcome to the Continuity Lounge - a place for business continuity, risk management, disaster recovery, and emergency management professionals can come to share ideas and experiences.

Stay tuned for my first blog post in the coming days...