The Ready Blog
We have collected our 13 past blog postings into a single white paper. You can view it here: 13 Simple Things to Protect Your Business
Finally, in my 27 years of consulting in business continuity and disaster recovery, I have seen far too many examples of disjointed, siloed plans. I have seen readiness programs that produced several feet (yes, several feet on a bookshelf!) of documentation that is impossible to navigate because there is no rhyme or reason to the architecture and layout of the procedures to be executed in an emergency. Imagine standing in front of the bookcase and trying to decide which plan or document to use next, particularly when you have just minutes to respond.
So, keep it simple. Just one plan for everything – hurricanes, fires, floods, pandemics, computer failures, critical supplier failure, etc.
- One set of procedures
- One to three teams to deal with all disruptions
- One contact list
- One plan owner to maintain the plan
After all, you are probably not a Fortune 100 company.
If you have already developed a readiness program and you want to find out if it’s good enough, find someone to assess the program for you. You are most likely too close to your program to do it well yourself.
This need not be a colossal exercise costing way more dollars than you want to spend. Any reputable and experienced consulting company should be able to take a very quick look at your readiness plan and summarize the gaps at a high level. I do it all the time for prospects that tell me they are in good shape.
You can also ask your external auditors to take a look. The audit firms are much more aware of the qualities of a good readiness program than they used to be. If you have an internal auditor, you might ask for an assessment.
Finally, if you really are determined to assess your readiness program yourself, you can look to the standards referenced above in “11. Develop your Continuity/Disaster/Emergency plans”. Or to keep it really simple, look at our blog posting “Are you ready? 7 challenges to assess your business continuity program easily”.
However, there is a commonly accepted set of things you should do to develop a good readiness program. If you’re interested, you can go and look at standards established by the International Standards Organization (ISO), the National Fire Protection Association (NFPA), or the Canadian Standards Association (CSA).
This chart illustrates 12 steps common to all the standards:
- Starting Off – planning how you are going to develop your readiness program
- Self Assessment – what have you already done that you can use in your readiness program, such as evacuation procedures, computer backups, and so on.
- Risk Assessment – what are the bad things that are most likely to happen to your business? what can you do to stop them from happening? what can you do to reduce their impact?
- Business Impact Analysis – what are the most critical activities you do regularly? when do they become critical? what do you need to get them back in operation – facilities, equipment, people, computer applications, paper records?
- Recovery Strategies – how are you going to achieve what you decided in the Business Impact Analysis? what additional infrastructure or services do you need in place?
- Crisis Management – who is in charge when the bad thing happens to your business? what will they do?
- Emergency Response – what immediate response procedures do you need to protect your staff, visitors and assets, such as evacuation, bomb threats, medical emergencies, power failures, and so on? who will execute those procedures?
- Business Continuity – What procedures will your people execute to get those critical activities back in operation as fast as you decided in the Business Impact Analysis?
- IT Recovery – what procedures will your IT staff or service provider execute to get those critical computer applications back in operation as fast as you decided in the Business Impact Analysis?
- Training – how will you train your people to respond as you have planned?
- Awareness/Exercising – how and how often will you practice the procedures you have developed?
- Keeping Current – How will you keep your new readiness program alive and well? who will own the program?
When something bad is coming at you, you need solid, trustworthy information to help you make decisions. Many disruptive events take time to arrive or develop before they significantly affect your company. You have days of warning for hurricanes, cyclones and floods. You have maybe a day for ice and snow storms. You have hours or even minutes for tornadoes and tsunamis.
So it makes sense to have information delivered directly to you with warnings about those impending events.
There are many Internet weather services that will send you e-mails or text messages with weather warnings for your business and home location, either directly to your e-mail or your cell phone. Check out your favorite weather service and you are likely to find their weather warning service pretty quickly.
There are other sites with information and push messaging services for other events. Here are some sites to start you off:
- Weather.com - provides e-mail and mobile phone weather alerts for the USA (only).
- The National Terror Alert Center - is administered by the American Department of Homeland Security.
- Weather Underground Severe US Weather Map and warnings. Also has a mobile website for your cell phone or Blackberry browser. A linked site can also support iPhones.
- WeatherWatchers.ca - sends you emails of weather watches and warnings as issued by Environment Canada. But watch out for the Internet Explorer bug, which is described in the site.
- Google Alerts - Sign up for email updates of the latest relevant Google results (web, news, etc.) based on your choice of query or topics.
- AccuWeather - Get daily forecast and severe weather watches and warnings emailed to you from AccuWeather.com.
- Continuity Central Newsflash - Newsflash is an occasional email update sent out only when a significant business continuity news event happens. Continuity Central is an information resource for business continuity professionals.
- www.wunderground.com/tropical - Atlantic satellite map, sea surface temperature and hurricane advisory providing links to weather information around the world.
- www.nhc.noaa.gov – National Oceanic and Atmospheric Administration
- Your utility company will typically have a web page and/or a notification service about current power outages
- www.fema.org – U.S. government Federal Emergency Management Agency
Your contact list should include contact details for:
- Board members
- Critical suppliers
- Critical customers and clients
- Emergency services
The contact details should include:
- Name and company
- Phone numbers (work, home, mobile phone, alternate phones)
- E-mail addresses (work, personal)
- Blackberry PIN numbers
A scanned or digital signature is a very good idea for companies that require specific endorsements. It can be as simple as signing a piece of paper, scanning it, and trimming the image with Microsoft Paint to create a signature image file that can be added to documents as required. Store the signature image file safely and securely offsite so that you can get to it when you must. There is no guarantee that the signing officer(s) will be available when you most need them.
Also a pre-allocated and documented chain of command for standby authorizations for extraordinary expenditures is vital. You will most likely need to spend more money when you are executing your readiness plans.
So far, I’ve talked about protecting your data, e-mail and key documents. Now it’s time to talk about office supplies. This is not about pens, pencils and pads of paper. You can buy those when you need them. This is about those supplies that are unique to your business, including:
- Company letterhead
- Deposit books
- Company seals
- Pre-printed forms, such as purchase orders and order forms
Keeping them safe means storing them safely offsite. Store enough that you can carry on your critical business activities until you can reasonably replenish the office supplies. If you are using pre-printed forms and letterhead, check with your printer to see if they keep an emergency supply for you. Some do.
Here is a method to quickly identify some potential business recovery issues that may be a risk to your organization, simply by asking a question. If you are a small or medium-sized business and want to perform a check on these commonly identified recovery issues, go through the following questionnaire:
- Will technology applications and systems be available within the required time frames of the business? For example, if your sales force needs e-mail servers to be available to them within 24 hours after a disaster, can your IT department or vendor recover e-mail within that required time frame? Apply this same question to other critical applications and systems. Oftentimes a business unit will need an application recovered within one time frame but IT can only recover it in another time frame that will not meet the requirements of the business.
- Do business units run critical applications that your IT department or vendor are not aware of and as a consequence have not planned recovery of? Many business units subscribe to or download applications that become critical to performing critical functions within their respective department. However, these can often escape recovery planning by IT.
- Does your IT department or vendor have a recovery plan for the user Help Desk function? Often the Help Desk function is critical to assure that an incident does not adversely impact users of other areas of your organization not directly impacted by a disaster. Your IT department should have a recovery strategy and plan to quickly mobilize and recover the Help Desk function. If user technical support is outsourced, your vendor should have multiple sites that can accommodate users at all of your office locations.
- Are your network bandwidth and capacity adequate to allow users to work remotely if they cannot work from their offices? With today’s technologies, many companies adopt work-from-home recovery strategies for staff but fail to test network capacity to determine if the strategy is viable. At the time of a disaster they could very well find that response time is very slow and unproductive.
- Do users know how to access applications and systems remotely? Are users’ personal or alternate computing systems part of the recovery strategy and are they compatible with the organization’s remote access network? Is your network security effective enough to prevent malware or viruses infiltrating the company’s network from users’ systems? Waiting until a disaster to determine if users can deploy a remote work strategy is not the best idea.
- Is the IT department responsible for replacing computing equipment for users or are the business unit departments responsible? Have assessments of the quantity of replacement equipment and minimum configurations been made? Often business units assume that IT will be responsible for replacement equipment but IT will be preoccupied with recovery of critical applications and systems and not have available resources.
- Have plans been made to replace workstation equipment such as scanners, printers, fax machines, telephones? Again, this is an item that can often fall through the cracks in planning.
- How often is data physically sent off-site or remotely backed up? Some companies back up data daily; however, they fail to send the data off-site for a day or longer. This means that several days of data could be at risk of loss.
- Have strategies and plans been developed for re-directing telephone, fax lines or smart phone services? What will happen if your telephone system is interrupted? Many companies omit addressing telephone communications in their business recovery which could result in missed customer calls or other important calls for days after a disaster.
- Have critical hard copy files such as building plans, original contracts, employee documents (i.e. employee assigned beneficiary forms) been imaged or copied and sent off-site for storage? Re-creation of some critical documents, such as building plans, can be cost prohibitive or even impossible.
- If you rely on alternate work sites, do you have enough seats to accommodate all staff? Be sure that not all business unit departments plan to relocate to the same internal site. Coordination of staff relocation is very important when an organization has multiple departments or business units.
- If you rely on vendors for technology or business support, have you inquired as to what their recovery plans are if they suffer a disaster? An outage affecting an important service provider to your business could have a significant impact on your ability to deliver products or services to your customers.
- Do you know how to initially respond to a business interruption and how to manage it? Many companies don’t realize that the initial response to an incident is critical to recovery of operations in the hours and days to come. However, many companies don’t know how to escalate an issue or know who is in charge. If there is not a well-thought-out incident escalation process for identified members of management to use, then recovery of operations will be severely hindered or delayed. We refer to this activity as crisis management. Effective crisis management of an incident will not only help to mitigate financial losses but also loss of potential business and reputation in the marketplace. It is also important to exercise the crisis management team just as you would recovery planning.
If you have positive responses to those questions that apply to your organization, then you are probably in good shape for responding to and recovering from a disaster.