Common Pitfalls in DR Contract Services
by Jeffrey L. Nicolet, CDP, CSP, CBCP
Over the years I've worked on both sides of the disaster recovery engagement,
as an employer hiring vendor services and as a DR consultant serving
many different industries. During this time I've been gratified
and frustrated at how some engagements were handled. I came up with
a short list of pitfalls that can negatively affect your engagement.
These points were discussed and improved with the help of the Contingency
Planners of Ohio user group. Suggestion number one on both sides: sustained
participation in local user groups!
Common Pitfall: Not what I expected
One common problem on both sides of the engagement is when reality doesn't
quite match up with initial impressions. Sometimes the true current
status of a company's contingency strategy is not as effective,
as comprehensive, or as up-to-date as that company's management
thought. And sometimes the solution developed by the vendor/consultants
falls short of the client's expectations. Therefore it's important
for both sides to define a detailed project scope with clear boundaries.
Typically, once I've had an opportunity to show clients the many
facets, complexity, and overall size of a fully integrated contingency
strategy they recognize that they were focused on only one small segment
(and sometimes not the most important one to their business). The Statement
of Work should provide for manageable chunks of effort with realistic
expectations. And timely status reports should always check back
to the mission, objectives, scope, and expectations to stay on target.
Communication is the key to avoiding assumptions.
Common Pitfall: Failure to recognize the effects of change
While change in a project may be unavoidable (and is often desired),
the impact to previous expectations needs to be understood. Changes
in the employer contact personnel or changes in the assigned vendor/consultant
staff will impact time and progress. Internal and external changes may
impact business risk exposures. And project scope change, resulting
from discovered exposures or through improved understanding, can alter
the project's very mission and objectives. Both sides must keep
communication open and review the potential effects of these changing
situations.
the employer/business side
Common Pitfall: Unavailability of personnel or material
Unavailability of employer personnel or materials can waste a lot of
time in the early stages of an engagement. Employers should try to ensure
their personnel assigned to work with the vendor/consultants are not
on vacation. A Senior Management sponsored kick-off meeting
on the first day helps to encourage personnel to provide time and support
to the engagement, and to set initial meeting schedules. Providing access
to organization charts, personnel schedules, meeting calendars, and telephone
and email lists is extremely useful. All previous material related
to contingency planning (action plans, BIA/risk assessments, exercise
reviews, etc.) should also be located and gathered prior to beginning the
engagement. I've frequently had to burn hours helping the employer
look through shelves, file cabinets, and this or that computer system
for documents that define what is backed up or what strategies were
once in place (which is fine IF it's part of the project mission).
Depending on the nature of the engagement, process control manuals,
entity relationships, business work flow diagrams, and policies and
procedures documents may also be necessary.
Common Pitfall: Unnecessary delays to getting started
Unnecessary delays in preparing the work environment can also waste
time at the beginning of an engagement. Employers should ensure that
assigned workspace, on-line user accounts, guidelines for printer assignments,
etc. are prepared. If on-site access is required, ensure that badges,
card keys, and appropriate site-specific security training are scheduled
early on. Also provide information on any physical limitations to the
engagement (restricted areas, no color printers, etc.) and any artificial/policy
limitations (no email attachments, card key access hours, Standards
for document format and approval procedures, etc.).
Common Pitfall: Underpowered, overpowered, or just a bad fit
The employer or business that hires a vendor/consultant team typically
wants a specific problem addressed. It may be an exposure discovered
during an audit, they may not have the personnel resources or in-house
expertise to accomplish the objective, or they may have a compressed
timeframe or deadline. Whatever the reason, it's important for
the employer to select vendor/consultant services best suited to address
their current needs. The "one-man-band" may be insufficient
to perform a timely risk assessment of an international corporation,
while the full depth and breadth of a national consulting service may
be excessive if all you need is some expertise to provide vision and
direction to your in-house contingency project. Since most contingency
practices and disciplines transcend industry and technology configurations,
decide if the vendor/consulting service must be experts
in your specific environment. Also consider what methodology or philosophy
is practiced by the vendor/consultant and how compatible it will be
with your own corporate culture.
Common Pitfall: Runaway costs
One of the most obvious (i.e. measurable) pitfalls is runaway costs.
The most common cause for this is change in the project mission or scope
mentioned earlier. One way to contain costs is to fit tasks to the level
(expense) of staff assigned. Use clerical staff to support the more
expensive experts. If consultants are regional or out-of-state, utilize
some off-site time to minimize their expenses. If the vendor/consultant
relies on packaged software, does it stay after the engagement, is the
cost included in the original estimate, and are there continuing support
fees? Also remember that some vendor-affiliated consulting groups may
be predisposed to recommend their own software/service offerings.
Common Pitfall: Fix it and forget it
I've often seen companies attempt to remedy years of neglect through
one massive engagement, only to then allow their efforts to lapse into
neglect once again. Ultimately these spikes in funding and
effort will cost more than continued support through the years (the
risks and exposures between spikes make this even more costly). If
companies don't have the budget resources to dedicate their own
personnel to Contingency Planning, they should consider a long-term
relationship by funding an annual consulting engagement of one or two
months. Scheduling return engagements for annual review of exposures,
impact, strategy, procedures, and documentation provides continuity
of vision and may reduce overall consulting rates. Vendor participation
in an annual recovery exercise may also provide immediate accountability
for results. Companies may also consider placing quality consultants
on retainer to provide emergency support and expertise in
the event of a real disaster situation.
Common Pitfall: Inappropriate delegation of responsibility
The employer/business must remember that they are the decision maker
and risk taker. Vendors and consultants can make recommendations, but
only the employer should decide on what threshold of risk they are willing
to accept, and what strategies they will commit to implementation. They
are the experts in their business process and environment, their business
goals and direction, and any alternate methods of doing that business.
No vendor or consultant should try to convince them otherwise. The employer
also has the responsibility to extend the engagement's value beyond
turnover. They can accomplish this by ensuring the overall functionality
and completeness at turnover through appropriate training and knowledge
transfer, and through Change Management Controls and cultural integration
practices.
the vendor services/consultant team side
Common Pitfall: The cold start
The vendor/consultant team has an equal responsibility to hit the ground
running. Unfortunately this is not always the case. Sometimes the consultants
that arrive on the engagement aren't even the same people that
discussed the business need/RFP and negotiated the deal. It is obviously
best to have the experts available from the beginning and to possibly
obtain client materials for review prior to starting onsite work, but
in lieu of that there are several things consultants can do to be better
prepared. They should research the company, its history, its industry,
and any governing regulatory agency requirements. They should investigate
the business industry's typical risks and response strategies,
as well as typical regional risks and response strategies. Vendor/consultants
should stay current in Contingency Planning best practices (one selection
criterion I use is their involvement and leadership in the disaster recovery
industry). They should develop a reservoir of material including Policies
and procedures, overviews/process blueprints, and project
checklists. These are not for the intent of forcing a company into a
predefined mold, but to facilitate educational awareness, discussion,
and as a seed for the finished product.
Common Pitfall: Superman syndrome
In an effort to win engagements some organizations may promise you a
Superman. What's even worse is when the consultant(s) think of
themselves that way. Vendor/consultants should avoid "knowing
everything" about the client's business or technology. Trying to
be the expert in everything (especially technology configuration) invariably
leads to costly mistakes, wasted time, and cultural friction. Vendor/consultants
should also resist the temptation to build the "perfect plan."
Provide a structured framework for growth and identify areas to be addressed,
but don't try to do the whole thing in one sitting. And try not
to build beyond the client's capacity to implement.
Common Pitfall: Excessive business disruption
Some disruption is unavoidable, but excessive disruption (from the client's
viewpoint) will have a negative impact on the willingness to implement,
and possibly on the remainder of the engagement. Therefore vendor/consultants
must constantly look for ways to accomplish their objectives without
excessive business disruption. They should be flexible and adaptable
to personnel schedules. They should ensure meetings are productive and
result in decisions or actions. Any impact to normal daily operations
should be reviewed for alternatives (in one case simply moving the time
of night when backups occur provided a significant increase in protection).
Conflict with other projects should be quickly addressed for business
priority and engagement adjustments. Any recommendations that modify
corporate policies, Standards, methodologies, and business practices
should include a phased approach to minimize disruption.
Conclusion
While these pitfalls and suggestions may seem like simple common sense
issues... they are! But all too often the company-defined process
for selecting vendor consulting services and the focus on the details
surrounding the work to be done miss these very important points. So
don't let these common sense issues impact your project efforts.
Jeffrey L. Nicolet, CDP,
CSP, CBCP, has over 20 years in IT best practices specializing in project
management methodologies for Contingency Planning, Change Management,
and Information Security. He has worked with numerous Fortune 500 organizations
across multiple industries including pharmaceutical, light and heavy
manufacturing, health care, financial business services, transportation
/ distribution, auditing, and legal services. He is a past-President
of the Contingency Planners of Ohio, and is a frequent speaker at seminars
and conferences.
©Copyright 2000 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.