NYSE- FAIL

As I sit in my computer room looking outside on a gloomy Fall day, I am left to ask myself - How did this happen? Yes, this is Canada in late November and yes, it is indeed normal to be rainy and cold. This is not why I am asking HOW.

I am asking how as, between teleconference meetings this morning, I came across the following article:

http://www.computerworld.com/s/article/9233125/Even_with_prep_did_Wall_Street_s_business_continuity_plans_fail_?taxonomyId=154&pageNumber=1

How can it be that, in 2012, with nearly two weeks notice of an impending disaster, the New York Stock Exchange (NYSE) can find itself in such a predicament? Surely they must have considered the impacts that such a storm would have on their business prior to developing their continuity plans and strategies. Surely they must have asked 'what happens to our people power' in the event of such a geographically large, lengthy and impactful crisis. And, surely, they must have confirmed that they had all doomsday scenarios covered when they reported on their business continuity program annually to the U.S. Securities and Exchange Commission and the Financial Industry Regulatory Authority.

Maybe not.

The NYSE made the age-old error of investing in, relying on, and reporting on their IT disaster recovery capability only. They failed to consider a scenario in which the infrastructure would fail and actual people would be required on-site (or at least within a building with power) when doing their business continuity planning. In 2012, it is no-longer acceptable to forget about such things. Considering your technology, people, information, and image are no brainers when developing your contingency strategies.

As much as this situation saddens me, it also gives me hope that... maybe my skill set and services are still required as much as they ever were.

For the record - a straightforward hot-site solution located away from the coastline elsewhere in New England is all that it would have taken to keep the NYSE up and running...

Thank you for reading,

The Continuity Blogger

Follow me on Twitter @continuity_blog

As global tensions heat up, should we be considering whether international agreements are worth the risk?

            

Contingency planning efforts and their associated expenditures have been for not. Pack your things and get out.

This is what you could be hearing from your Chief Executive Officer in the event of a significant supply chain or service disruption, which, depending on the business you are in, could bring you to your knees in the near future.

In the past, a large proportion of organizations undergoing significant growth have built and become reliant upon international agreements (supply and service agreements)  with like organizations around the world. The agreements have often been a quick and easy way to grow business / increase revenue (via the use of cheap labour, gaining access to resources outside of the reach of the organization, and so on). The assumption made by organizations entering such agreements has always been that world tensions would never get to a point where said agreements could be compromised. Unfortunately, as Israel ratchets up its talk against Iran / as Iran continues to develop nuclear devices, and as China and Japan tensions continue to escalate, such international agreements should be reviewed. After all, for many organizations, a military conflict could bring a key supplier / outsourcer located in a conflict zone to their knees, and as a result, the hiring organization to its knees as well. Imagine that, after years of contingency planning preparation, a conflict a world away could render all of your efforts useless.

I am not writing this blog to create undue alarm. I am writing the article to warn that we are at a point in time where the risks of developing dependencies on international organizations are beginning to outweigh the benefits. Sure, after a careful cost – benefit analysis, it may be determined that benefits do continue to outweigh costs despite rising tensions, but have you (or your risk management department) done that analysis? And if so, have you looked at all of the ‘what-if scenarios’?

At the end of the day, the decision of your business may be to continue with the status quo, but before deciding to continue down this road, please consider the following:

-          Create a ‘plan B’ should a critical supplier be incapacitated.

-          Relying upon domestic suppliers and vendors to act as ‘plan B’ should an international firm become unreliable during a conflict is risky. Overlooking these vendors during the initial RFP period may have left a sour taste in their collective mouths, and they may not necessarily take you back.

-          Do not be afraid to ask to review the contingency plans of your outsourcing partners. Ask your partners if they have considered what they would do in the event of a large international / regional conflict and ensure that there are known penalties if they do not meet their obligations.

-          Become engaged in your organizations procurement process or ensure that your risk management department does. Make sure the risks of doing business with an international player are fully understood by all levels of management before contracts are signed.

Again, this blog is not intended to cause unnecessary concern, however, it is intended to question the assumption that many of in our field have made – that international peace will continue indefinitely.

What are your thoughts on this matter?

Thank you for reading,

The Continuity Blogger

Follow me on Twitter @continuity_blog

The cloud is NOT the answer

Lately, I have been perusing other continuity planning blogs and have found an overwhelming number that are arguing that the cloud is equivalent to an all encompassing business continuity and crisis planning strategy. Though many of these bloggers are blogging as a means of promoting their product, not all are.

I am hear to counteract these blogs which, in my mind, are not only incorrect, but seem to be misleading readers on purpose.

You see, any experienced continuity planner can tell you that there is more to business continuity than where critical systems and data are stored. Going to a CFO or CEO  and explaining to them that you have found the holy grail of business continuity planning and that said holy grail is the cloud, will likely lead to a quick trip out the door.

Yes, I can certainly see and appreciate the merits of moving IT systems to the cloud (continuity of systems and apps, availability of data, ability to access systems and data remotely in some cases), but doing so will not in itself prepare your organization for a crisis.

What these blogs touting cloud computing fail to recognize is that there are other components of business continuity planning outside of disaster recovery. Where will the cloud get you when your crisis is a PR / communications crisis? How will it address a loss of building situation, when your building houses a call centre or a trade centre? What does it do to mitigate or prepare you for a pandemic?

As I have stated, the cloud certainly has a place in the day-to-day discussions of continuity planners, but it is receiving far too much credit and much too little skepticism.

Relying on the cloud as your continuity strategy is far too simplistic of an approach to take and will only leave your organization exposed to the many risks facing it on a daily basis. Be diligent and thorough when seeking new continuity strategies for your organization, and do not be afraid to challenge your peers when it comes to something like cloud computing - business continuity planning is a complex field and any pundit suggesting that there be a catch-all continuity strategy is misinformed or seeking to misinform.

What do you think? Do you agree or disagree?

Thanks,
The Contingency Blogger

Why knowing the DRI best practices does not = immediate success

For those new to the business continuity field, a simple understanding of the Disaster Recovery Institute’s ’10 Best Practices’ is often explained as being the sole prerequisite for entry into the workplace. Having a theoretical understanding as well as some practical experience in these best practice areas is absolutely crucial to having any semblance of a successful business continuity career.

Unfortunately, workplace demeanor, soft skills and attitude required to coincide with the theoretical knowledge is often overlooked by many of the leading business continuity training institutions. Students are often provided a base-level of knowledge (and in some cases, experience), given their ABCP credentials and, subsequently, are sent off to face the world. Many of these individuals who entered educational institutions full of vim, vigor and excitement are left unemployed or underemployed, or are working in positions in which they can’t possibly succeed long-term.

While it is a shame that our educational institutions are not providing insight into the ‘other prerequisites’, it can be understood as there is only so much time during a school year and much to cover. That said, it would be ideal to see educators provide at least a base understanding of what is really required in the workplace to succeed – and student success is the end goal, is it not?

Well, I would like to provide my two cents as I have seen too many colleagues fail early in their careers. My top five tips to recent entrants into the workforce are as follows:

-          Be vocal on all matters potentially related to business continuity and take charge, while not appearing to be confrontational or cocky. Employers appreciate someone who is willing to voice their opinion whilst not insulting or tearing down those of a colleague. Having your (educated) opinion heard will help garner respect from those around you.

-          Learn about the organization, and when you think you know all that you can possibly know, dig deeper. It is impossible to develop an effective, useful, and truly comprehensive continuity program for an organization that you do not 100% understand. Efforts will be made in vain and misdirected. Don’t be afraid to ask those around you, and those above you, for information / context / and history on the organizations continuity program. Review any and all documentation made available to you by your direct report and your predecessor.

-          Be flexible and open to critique. Just because you did things a certain way while in school doesn’t mean you can’t be open to new ideas and new approaches suggested by those around you. Outright rejecting any ideas or opinions made to you will immediately raise a red flag. On the contrary, those who are willing to listen to the suggestions of other and blend their ideas with outside ideas often appear brilliant at the end of the day. Those that do not appear confrontational and defensive… Not a good start!

-          Understand expectations. Not having a VERY clear understanding of expectations will lead to misguided efforts and a failure to meet expectations / priorities set in the minds of your direct reports. There is nothing more frustration than ‘flying blind’, but working hard, only to be told that you have missed the mark.

-          Be approachable and helpful. Your role is to help protect the interests and operations of the business (i.e. you are providing a service to the business). Colleagues will only put up with an inapproachable individual for so long before they are no longer willing to work with them. These individuals will steer clear of you even when they require your assistance, and as a result, your value to the organization will begin to decline. On the other hand, colleagues will sing your praises if you are open and willing to help them reach their end goal.

Above all else, remain positive, and care about what you do – it will be reflective in your quality of work.

Thanks for reading,

The Continuity Blogger

Why the NHL Cannot be Considered a Mature, Functional and Sustainable Business in 2012

As the clock ticks down to the inevitable September 15th lockout of National Hockey League (NHL) players, it becomes increasingly clear to that the NHL cannot, and should not, be considered a world-class business...

I understand that many of you will make the argument that the NHL, just like all professional sports leagues, operates in a fashion similar to any class-act business - it has substantial numbers of employees operating internationally, it benefits from significant revenue generation (and a hefty profit), it sells a quality and desirable product, it is international in scope, it has sizable marketing / human resources / sales departments, it has a board of directors, and it has entered into partnerships and agreements with some of the largest persona and companies in the world. All of these criteria would most certainly lead one to believe that the NHL is, in fact, an influential and striving business.

Well, I would argue otherwise... No world class business would operate themselves in a way that allows for:

- a voluntary and lengthy shutdown of operations, and a potential jeopardization of multi-million dollar tv deals, and other corporate partnerships with some of the world's largest organizations;
- the lock out of employees not once, not twice, but three times over a period spanning less than 20 years;
- the demonstration of negligence resulting from a lack-of development and implementation of contingency plans required to continue operations during labour-shortage situations;
- an expectation that clientele will come crawling back to the product despite a highly disruptive and exceptionally toxic service disruption;
- a bitter and ongoing public relations battle with employees in which not only employees, but the business appear to be selfish, self-absorbed, and oblivious to the needs and wants of clientele.

Yes, it is true that some businesses do get lucky and do sell a product or service so desirable that even the most jaded client will return following a monumental crises (BP comes to mind). However, as many corporations have learned throughout history, there are many more organizations waiting in the wings for any opportunitity to seize revenue and client-base from these negligent organizations. Similarly, with each any every service or product disruption, the patience of clientele wanes and the desire to stray elsewhere increases.

Until the NHL begins to respect the desire of its clientele, whose only want is access to a continuous and dependent product on the ice, it cannot be considered mature, functional or sustainable. I would suggest that an investment in a functional risk management department could go a long way in moving the NHL in the correct direction. Not only would such a department determine that the risks associated with any lengthy lockout far outweigh the benefits, they would ensure that, should the business go the lockout route, they are as prepared as possible to continue operations in some capacity  (if not suggest the utilization of a crisis communications team to protect the image of the organization, which as of late, appears to be in tatters). Heck, even employees are developing and preparing for implementation of their personal contingency plans (playing overseas).

Until investments in risk management and contingency planning are made, the NHL will continue to operate under the assumption that their clientele-base is infinite and forgiving. Unfortunately, I fear that the patience of this client-base is waning and the desire to seek the product elsewhere is growing ever stronger.

What do you think?

Thank you for reading,
The Continuity Blogger

Why Contingency Planners SHOULDN'T Seek Ongoing Executive Support

Lately, I have seen no shortage of articles discussing ways in which to garner executive leadership support for contingency planning programs. Getting executive support and buy-in has been somewhat of an obsession for contingency planners for some time now, and seeing these articles arise continuously has made me question why those in our field have been discussing this topic for eons, while gaining support from executives continues to elude. Though I understand that a base level of support is necessary in order to establish and fund a program, support and involvement not required on an ongoing basis to develop and operate an effective program. In fact, I often wonder if the issue here is twofold -  a. professionals in our field are confusing “support” with “involvement of executives in day-to-day decision making” and b. professionals in our field have never truly considered why ongoing executive support is required, as far as they are concerned, it just is.

I would argue that only a base level of support from executives is required to effectively operate any contingency planning program. In fact, I would suggest that, based on experience, executives will respect any individual and any contingency planning team more if they have been able to connect with and provide valuable services to middle managers and employees. My argument is simply this – contingency planners may be more productive, valued, and respected within their organizations if time were spent offering valuable services and guidance to the organization as opposed to spending much of their time preparing reports for and seeking the blessing of executives. Spending time justifying your existence to executives will only get you so far before questions are asked, whereas those spending this same time working with those involved in the business will ultimately be able to prove their true worth, and integrate themselves in the day-to-day life of the organization.

Are we at a crossroads? Should “gathering executive buy-in” be removed from best practices and replaced with “integrating with and meeting the needs of middle management” ? Should gathering executive support continue to be a core key practice but redefined? Or should we continue with the status quo, spending endless hours seeking buy-in and praise from those at the highest levels?

Thanks for reading,

The Continuity Blogger

Input and Partners Wanted

For quite a while I have been seeking ways in which to turn my risk management and contingency planning knowledge and expertise into something more. Sure, I love my day job as a contingency planner for a successful financial firm, but I have reached a stage where I feel I am capable of doing something more.

Hence this blog, initiated nearly a year ago to help me connect with other contingency experts across the world, and used as a place for contingency planners of all stripes to share ideas and best practices. While the blog has been marginally successful, it has really not transformed into what I had originally expected. Site hits have been disappointingly low, and, after numerous attempts at signing up for and using AdSense I have given up.

So I turn my attention and efforts elsewhere - specifically, I am seeking thoughts on (and partners in) a new online contingency planning template supply website. The idea is for the creation of a one-stop shop for contingency planners and organizations to come to purchase (for a nominal fee) all sorts of templates developed by myself and any other partners (examples include: BIAs, BCPs, Crisis Management Plans, Emergency Management Plans, Evacuation Plans, and so on). I am even considering purchasing templates from those across the field, and reselling these to those in need (with a portion of sales going to the template developer). Finally, I am hoping to eventually offer online contingency planning consultancy services in which organizations can submit a request for information or services and have their inquiries addressed and / or contingency planning documentation produced in a relatively short and painless manner (this would be a particularly useful service to small and medium-sized businesses whom are seeking some level of planning, but whom do not wish to hire a full time employee to facilitate and perform this planning).

What do you think? Does this idea have legs? Would you be interested in joining on as a partner?

Thank you for reading and enjoy the long weekend!
The Continuity Blogger

Guest Bloggers Wanted!

Several months ago, when I began blogging, it was my desire to create a place in which contingency planners of all stripes could come to share ideas, best practices, information on past experiences, and so on. Though I have enjoyed posting my own content and have received some feedback, I do feel that the blog can be more interactive.

Given this, I have decided to open up the site to guest bloggers. I am impartial on subject matter and your qualifications, assuming that the focus of your post will be contingency - related.

I invite any interested individuals to reach out to me.

Thank you.

Tearing Down the Silos Can Only be Beneficial

As mentioned in previous blogs, I work for an organization in which risk management is taken very seriously by most levels of management. In fact, our Risk Management Team meets with our President and CEO, and each VP on a monthly basis to discuss risks associated with their department’s activities, mitigation / control activities utilized to manage those risks, and so on. A deep-dive, ‘high-level risk’, presentation is delivered to our board of directors on a quarterly basis; it is the VP whom owns the risk who delivers this presentation (discussing finer details of the risk, ways in which the risk is being managed, plans for addressing the risk should if come to fruition, and so on).

In my nearly two years since joining the organization, I have seen great strides made by the Risk Management Team. Risk management was a foreign concept to many within the organization, but is now a term that each and every executive, senior manager, and middle manager has come to understand and appreciate.

So why am I praising my organizations Risk Management Team? Simple – the work this team performs on a daily basis not only instills the preparedness mindset across the organization, but helps reinforce the idea that significant mitigation and management of risks can go a long way to reducing the likelihood and / or impact of any potential crisis. It is my belief that organizations cannot simply rely on business continuity planning, nor should they rely solely on risk management professionals, to protect them from potential catastrophes; these two groups of individuals must work together in a holistic fashion to ensure their organization is as secure as possible to avoid, and if necessary, manage any of a serious of crises heading their way.

I would love to hear how you do / don’t interact with other like-minded professionals in your workplace.

Thanks,

The Continuity Blogger

Carnival and Costa: A Tragic Situation Becomes a Disgraceful Situation

It is simply amazing that, in 2012, Carnival Cruises has underestimated the power of traditional media, social media, and the public at large. The company has done everything in its power to make the tragic sinking of one of its fleet (and associated loss of life, an impending environmental crisis, and so on) a public relations crisis. Over the past two years, we have watched Toyota, Research in Motion (RIM) and British Petroleum (BP) walk this path before, and in all cases, the outcome was not favourable for the corporations. Carnival Cruises, and its subsidiary Costa, appear to be headed down the same path. Senior executives refuse to accept responsibility for the situation, and instead, blame the actions of a single employee (who should be reprimanded but not made a scapegoat). In fact, there was a series of events leading up to the initial collision which cannot be pinned solely on one employee.

The negativity surrounding the situation has been exasperated with an initial refusal from senior management to visit the site and console victims and their families, and has only now been made worse, following word that the company has offered a 30% discount to those victims willing to travel with Carnival and Costa on a future cruise. Word of this insulting offer has set off a firestorm of criticism in traditional media (http://www.miamiherald.com/2012/01/23/2604320_p2/carnival-faces-a-hostile-pr-tide.html) and social media alike.

One would like to think that Carnival and Costa witnessed the firestorm unleashed on Toyota, RIM, and BP over the past several months and would appreciate the kind of damage such negative publicity can have on the long term earnings / survival of a company. Unfortunately for Carnival, the repercussions of the recent negative publicity will last for months, if not years, and will ultimately take a bite out of the organizations bottom line.

It is 2012, and any multi-national organization should have the experienced and specialized communications / public relations staff on call to deal with these sorts of situations. Any organization that does not have access to such resources (whether they be employee or consultants), whom have not performed the proper crisis communications / sensitivity planning, and whom do not respect the power of the media and the public, are more than deserving of the fury unleashed upon them.

It is unfortunate that we must watch multinational organizations continue to make the same mistakes time and time again…

In your capacity, would you have dealt with this situation differently? How have you dealt with public relations crises in the past?

I look forward to your comments,

The Continuity Blogger

Starting the Year Right

After a superb Christmas and New Years and a wonderful trip down south, it is back to reality for me. The year ahead will be just as hectic, and important, as last year. This year will be the last year of significant plan development for my organization's contingency planning program - after this year, all of our critical business lines and business units will be equipped with completely functional business continuity plans. While I am not indicating that future years will be any less crucial to the well-being of the contingency program, they will be focused on program and plan maintenance, testing and exercising, and awareness. Until then, I continue to try and balance building the program with maintaining and testing the program - not an easy task considering I am solely responsible for the program (as I have indicated in previous posts).

It would be easy to become discouraged with so much work ahead, but if there is anything I have learned during my career, it is that proper planning, resource and time management can quickly put fears and anxieties at ease. Year after year I dedicate a week or two to completing a detailed annual plan - goals and objectives, and the activities required to meet those goals and objectives, are plotted on a spreadsheet. Resource requirements and timelines are determined, and the plan is given a seal of approval from senior management. 

Though I am sure there are other ways to address new year jitters, I find that this approach has proven effective for me. A lack of proper planning can lead to poor time management, missing targets, and will leave you looking and feeling disorganized and incompetent.

I am curious on what you do as a new year begins. Please feel free to share below!

Thanks,

The Continuity Blogger