DISASTER RECOVERY 
JOURNAL
P. O. Box 510110
St. Louis, MO 63151
(314) 894-0276 
Fax: (314) 894-7474
Internet www.drj.com 
E-mail drj@drj.com

EXECUTIVE PUBLISHER
Richard L. Arnold, CBCP
richard@drj.com

EDITOR-IN-CHIEF
Jon Seals
jon@drj.com

SENIOR EDITOR
Janette Ballman
janette@drj.com

ASSOCIATE EDITOR
Ed Pearce, CBCP
ed@drj.com

ASSISTANT EDITOR
Pamela Clifton
pamelaclifton@hotmail.com

COPY EDITORS
Jim Hammill, CBCP
Richard Sandhofer
richards@drj.com

ADVERTISING 
Robert Arnold
bob@drj.com

_____________

Corporate

President/CEO
Richard L. Arnold, CBCP
richard@drj.com

Vice President 
Robert Arnold
bob@drj.com

CONFERENCE COORDINATOR
Patti Fitzgerald, CBCP
patti@drj.com

CONFERENCE REGISTRAR
Merce Knese
 mercedes@drj.com

CIRCULATION
Laura Baugh
 laurab@drj.com

EXECUTIVE COUNCIL
Mike Croy, Forsythe
Jeff Dato, MBCP, KPMG
John Jackson, IBM
Edward S. Devlin, E.S. Devlin & Associates
James Hammill, CBCP, JMH Consulting Inc.
Pat McAnally, SunGard Availability Services
Brian Turley, Strohl Systems
Belinda Wilson, Hewlett-Packard
INTERNATIONAL
CONTACTS
England: Thom Hetherington
Business Continuity
Phone: 0161-237-1007
thomh@tempus.demon.co.uk
Japan: Shinji Hosotsubo
Crisis Management and Preparedness Organization
Phone: 03-3519-6270
fax: 03-3519-6255
hosotsubo@cmpo.org
Brazil: José Carlos Ferreira
Disaster Recovery Mercosul
Phone and fax: 011-3666-9506
jocaff@uol.com.br

Click Here for a Printable Version

Staying Profitable
By Telling the World About Your Business Continuity Plans

By Chris Scheffler

A sound continuity program can differentiate a strong, reliable company from its competitors, but how many business continuity professionals have actually met the company’s potential customers?
To really show the value that BCP brings, tell the world how robust continuity planning puts your company ahead of your competitors.
As the owners and authors of the BC plans, we know them inside and out, and we are well-suited to describe the plan to prospective customers, insurance carriers, investors and auditors. We also have the most to gain when we highlight the value BC brings.

Introduction
Does your company sales force have first-hand knowledge about your business continuity plan? If not, how can they convince a prospective customer that your BCP can differentiate your company from your competitors?
Similarly, a BCP should assist in developing your insurance program, but does your risk manager have enough information to be effective when highlighting your BC program to the insurance markets?
Your customers are critically dependent on the goods and services your company provides, and they’re being asked to stake their reputations and their profits on your performance. A compelling description of how you’ve protected your operations, built resiliency into your systems, and will stay up and running even during adverse conditions, could put your company ahead of your competitors who may not have a good story to tell.
In addition to your customers, how you plan to protect your operation is of vital interest to your insurance company. They too are betting millions you will recover quickly after a crisis. Your investors want to know how you’ve protected their investments and your auditors are looking for compliance with corporate governance standards.
Each “audience” is essentially looking for the same thing; to understand your operations, to see your commitment to protecting your assets, and to know you have a plan for prompt restoration after a calamity.
Companies have long been effective in educating their executives with regard to their continuity plans, typically through internal presentations from the BCP group to upper management. These same educational materials, properly presented, can become a powerful tool in separating you from your competitors.

But isn’t our continuity plan confidential?

Absolutely. That’s why a high-level summary with enough detail to describe the highlights of your program, is invaluable.

What should a good summary include? Your summary should offer a brief outline of how you’ve addressed each of the business continuity subject matters:

  • Corporate support
  • Emergency response
  • Vulnerability assessment and mitigation techniques
  • Business impact analysis
  • Recovery strategies
  • Implementation
  • Training and awareness
  • Maintenance and exercise
  • Crisis management
  • Coordination with public authorities

Although your emphasis should be on how you’ve mitigated your risks and your recovery strategies (this is where the rubber meets the road as far as your customers and insurance carriers are concerned), each subject has key elements that should be included in an effective summary.

Corporate support: How does executive management support and participate? Highlight how your organization has a culture that supports continuity, how your corporate commitment stems from a commitment to client satisfaction and that your continuity plans are designed to minimize the impact to your customers. Discuss the investment you’ve made in physical protection, recovery planning and training and awareness.

Implementation: Describe your programs implementation process and the organization of your BCP group, the management, staff and budget. If BCP is the responsibility of employees outside the BCP group, even better. This allows you to describe what policies support this culture, how employee commitment is measured in their performance appraisals, and how BCP is integrated into the procurement process.

Vulnerabilities and mitigation: After introducing the culture and structure, it’s a good idea to detail the physical protection that helps prevent losses in the first place. Mention how you’ve assessed your vulnerabilities and describe your fire protection, physical security, building and equipment maintenance. Highlight construction features that are designed for specific hazards such as earthquake.

Emergency response, training and awareness, crisis management and communications: Briefly describe these programs. Who participates in these programs and how are they kept up to date?

Business interruption analysis: This was a critical step in your continuity planning. Describe this process. Which departments participated? Did it include facilities, equipment and suppliers? Describe how you’ve prioritized your functions into critical and non-critical groups. Was there a process for validating recovery time objectives?

Maintenance and exercise: Describe the process for maintaining and exercising your program and how you’ve coordinated with public authorities. Describe some of the analysis. What did you learn during the testing of your programs and how you were able to improve them? What is your strategy for updating the plan?

Focus on the Recovery Strategies
The recovery strategies are likely to be the most interesting to your reader so don’t skimp on the effort you put into this part of your summary.
There are several elements that a savvy reader will look for in your recovery plan, such as facilities, equipment, inventory and computer data. If an item really doesn’t impact your recovery, then consider describing why it doesn’t. Your reader will see this as “one less thing to worry about” during a recovery.

Remember, however, to err on this side of caution and “if in doubt, leave it out.” It will be easier to answer follow-up questions later than to retract something that should not have been included. Here are examples of what to describe for each strategy:

  • Facilities
    • Highlight protection features like sprinklers, earthquake upgrades, and fire prevention and emergency plans.
    • Discuss your building specifications, alternate sites and your perception of the buildings available in your area.
    • Explain how you might address some special considerations for your facilities sucha as high-bay areas, clean environments, or unusual power demands.
  • Manufacturing and Test Equipment
    • Describe how you’ve reduced downtime through preventive maintenance and spare parts.
    • Describe excess capacity that could be used in an emergency.
    • Assess whether your equipment is generally off-the-shelf versus being custom-built.
    • Highlight if you’ve crafted work-arounds for some operations.
    • Mention alternate sources for the equipment. For example, if your R&D group uses much of the same equipment, or if outside vendors might be able to perform some part of the process.
  • Raw Materials Inventory
    • Describe your general approach for raw materials inventory. Are materials kept off-site? Are these received in small batches every week or less frequently but in larger batches? If received in batches are they all kept together or is the stockpile divided into safe locations?
    • Highlight the physical protection, such as sprinklers and security.
    • Describe if raw material stocks are segregated from hazards.
    • If you keep buffer stocks of certain materials, describe how these are protected and segregated.
  • Finished Goods Inventory
    • Described how these are managed and protected.
    • Explain your policy for getting finished goods out the door.
    • If yours is a batch process requiring stockpiles, explain how these are segregated and protected.
  • Information Technology
    • Describe physical protection of your systems like building construction, fire protection and natural hazards.
    • Offer some insight about your business impact analysis including how the systems were evaluated, what types of priorities were used and how often it is revisited.
    • Outline your recovery strategy (hot-site, cold-site and in house systems.)
    • Provide some of the highlights as to how your facility, systems, network, applications and data would be recovered.
    • Explain the frequency of backups for applications and data.
    • Describe testing and maintenance of the DRP.
  • Infrastructure and Utilities
    • Describe preventive maintenance and redundancies.
    • Describe how you’ve identified and protected critical utilities.
    • Mention alternate sources.
    • Describe arrangements you may have with vendors for rental equipment.
  • Employees
    • Describe how you will protect your key personnel through evacuation planning and drills.
    • Discuss strategies for transportation to recovery sites.
    • Describe abilities for workplace recovery plans and working at home.
  • Suppliers
    • Describe how you may have reduced dependencies on sole-sources.
    • Outline how you evaluate your vendor’s facilities and their BCP’s.
    • Describe other stop-gaps you have in place, such as safety stocks of critical sole-source supplies.
  • Transportation
    • Describe the BCP of your key vendors, and how you could make use of alternative transportation modes (land, air, water)
  • Vital Records
    • Outline how you’ve identified vital records (such as engineering drawings and contracts), how they are being preserved and how you would access them in an emergency.

Ensuring Success
Use the right level of detail to lend credence to your summary. Inadequate detail could lead your reader to question whether or not they can give your plan much credit. Too much detail could scare your reader into believing the operations are too complex to understand and manage.
Although it’s not strictly related to BCP, you should briefly describe your operations, products, services and facilities. Your company probably already has something suitable within its sales literature, internet homepage, or SEC filings.
If you can, provide success stories about how your BCP was effective in an actual event. It will be particularly poignant if your examples include something we’ve all experienced, such as a regional power outage, a hurricane or a winter storm. Describe your approach to continuous improvement and how you’ve incorporated lessons learned. Understand the varied audience, and avoid industry jargon. Be factual and complete. Make it evident why you believe your programs are robust.

Conclusion
Putting business continuity to work for your business before a disaster strikes includes tooting your horn about how you’ve built a reliable and resilient program. As planners, we’re the best equipped to describe our company’s good programs. We also have the most to gain by showing that continuity planning can pay dividends when our customers and partners understand the quality of the programs we’ve worked so hard to build.

Chris Scheffler is a business continuity planner in California’s San Francisco Bay Area. He has 15 years experience evaluating the threats facing business of today and helping clients stay profitable through planning and mitigation. With an insurance background, he understands what “outsiders” look for when determining how much credit to give a company’s business continuity plans. He can be reached at (925) 726-9622.

©Copyright 2005 Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.