Fall World 2014

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 27, Issue 3

Full Contents Now Available!

DRJ Blogs

DRJ Community Blogs
Category >> DRJ Blogs
Oct 18
2013

12 Tips, Trips & Traps: The Business Impact Analysis (BIA)

Posted by Alex Fullick in Business Impact Analysis , Business Continuity Management , BIA

Alex Fullick
Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA. The following are some common mistakes that need to be addressed to ensure that the BIA is effective: 1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program. 2. No Timely Follow Up of Results – A BIA is conducted almost always in support of an enterprise-wide business continuity program. The real value of a BIA is the follow-up activities that lead to effective recovery strategies being implemented based on the BIA priorities of the business processes. Occasionally, so much effort and cost is put into the BIA that business continuity planners never get around to fully implementing the follow-up recovery strategies and plans. Without the implementation of these follow-ups, the value of the BIA becomes wasted. 3. No Agreement on Scope (Level of Detail) – This level of detail can span an entire spectrum. On one end, some BIAs will contain relatively little detail to provide a higher-level executive view of the analysis. On the other end, and far more prevalent, are BIAs that include for each business process its corresponding input dependencies, output dependencies, recovery point objectives, recovery time objectives, and financial impacts. The common mistake here does not involve selecting the right or wrong level of detail – what’s appropriate for one company may be totally inappropriate for another – but rather, failing to reach agreement among all relevant parties as to what level of detail best meets the requirements that are driving the BIA in the first place. 4. Minimal Executive Support – One of the factors that most influences the relative success of a BIA is the degree of executive support offered at the outset. The kickoff process usually consists of two parts: a widely distributed email and an initial presentation. The email should come from the highest level executive sponsoring the BIA and should be distributed to all parties who will be participating in the effort. The email should emphatically voice the executive’s support for the project and insist on the support of al participants, particularly during the interview process. 5. Poor Questionnaires – An important step of any BIA is the collection of data from business units. The manner in which this data is asked for often spells the difference between a full, timely and meaningful collection of data, and one that is delayed and incomplete. One of the best ways to avoid this situation is to develop survey forms that are thorough enough to capture all relevant information and simple enough for business users to complete quickly and easily. 6. Lack of Preparation for Interviews/Workshops – Interviews are the cornerstone of a successful BIA, yet few planners prepare adequately for them to ensure their effectiveness. Interviewers need to learn as much as they can about a given business unit prior to the meeting, including a thorough review of the respondent’s survey. 7. Lack of Critical Focus – Analysts frequently make the mistake of asking business users ‘what are the most important business processes within their department?’ The reason this is a mistake is because virtually all critical business processes have a large degree of importance and value – otherwise they would not be designated as critical – resulting in less likelihood of it being easy to prioritize processes according to value or importance. A much better question to ask is ‘how long can a business process be idle before major impact is felt? 8. Focusing on the Tools Instead of the Process – Some analysts who conduct BIAs become very focused on the tools they will be using in the collection, compiling and analyzing the data provided by the business users. The emphasis often shifts inappropriately from the process being used, to the automation that can be applied to the process. There is an inherent flaw in this approach. If a poorly designed manual process that is being used to collect and analyze the data suddenly becomes automated, what you typically end up with is a poorly designed automated process. 9. Ineffective Interviewing Technique – I have known more than a few BIA analysts who preferred to rely solely on surveys, questionnaires and emails to collect needed data. The example previously cited concerning the over-focus on tools shows how this can less than desirable results. Analysts often say that setting up interviews can be more hassle than it’s worth. They will mention how interviews often start late, or may be cut short, or have to be re-scheduled, or cancelled altogether. In my experience, the real reason some BIA analysts try to steer clear of face-to-face meetings is that they tend to use ineffective techniques when interviewing business process owners. 10. Insufficient Results Analysis – Analysts conducting a BIA collect a wealth of information during the course of their efforts. But the value of this information is sometimes diminished by poor or incomplete analysis of the data. Analysts need to look for trends, patterns, relationships and discrepancies among and within the data to ensure a thorough and meaningful analysis. 11. Unclear Presentations – Data that is thoroughly collected and well analyzed is sometimes de-valued by an unclear or confusing presentation of the information and results. Managers in general and sponsoring executives in particular, expect BIA analysts to summarize their results in high-level presentations that are succinct and effective. Unfortunately, this does not always happen. Analysts gather a huge amount of data in the process of conducting BIA. In compiling and analyzing this data, analyst sometime err on the side of presenting too much information rather than too little. 12. Undefined Scope – Often, the BCP focuses entirely on system restoration. Resumption of business needs to include the people and processes required to resume operations. Many BCP programs are headed up by IT departments. ‘Tunnel vision’ can often cause these departments to focus on system recovery and not take the people issues into account. During an event, the people issues are often the most difficult to resolve. The scope of a business impact analysis (BIA) pertains to the number of business units, such as Finance, Administration and IT, which will be participating in the effort. Don’t let your BIA efforts fall to the wayside; make sure you have strong BIA approach and you’ll end up with a strong BCM / DR program. (C) StoneRoad (A.Alex Fullick) 2013Alex Fullick is the author of several books including the latest, "Business Impact Analysis: Building the Foundation for a Strong Business Continuity Program"  (Available at www.amazon.com or www.stone-road.com/shop.)
Oct 18
2013

A pair of debriefs

Posted by Andy Osborne in Exercising and testing , Business Continuity Management

Andy Osborne

By Andy Osborne, Consultancy Director at Acumen

It's fairly standard practice to hold some form of debrief at the end of an exercise or test, which is a very sensible thing to do. It helps to ensure that any issues and actions arising are captured and it's a good way to obtain feedback from the participants on how they thought things went. But some debriefs are a bit on the, well, brief side. Because it comes at the end of what can sometimes be a lengthy or challenging, sometimes stressful, session, it can be all too easy to make the debrief too brief. There can be a temptation to let people "get away" so that they can return to their day jobs. But the danger is that, once they do so, all the good stuff that the exercise teased out will be forgotten within a couple of weeks or, at best, vaguely remembered but not given the attention it deserves.

That's not to suggest that the debrief should be overly lengthy, just that sufficient time should be allowed  to ensure that everything that needs to be captured is, so that a follow-up action plan can be agreed.

And, whilst it may seem like a bit of a luxury, it can be very beneficial to hold two debriefs - a "hot" debrief immediately after the exercise or test and a second, "cold" debrief a couple of weeks later, after the proverbial dust has settled. Go on, be honest, how brief are your debriefs? And how many do you do? If you don't already do so, why not give the double-debrief a try after your next exercise or test and see what the results are like?




Oct 15
2013

Welcome to the revolution: Data protection the easy way!

Posted by Jarrett F Potts in data protection disaster recovery , Data Protection

Jarrett F Potts

When did data protection get to be such a pain? We all know that data is growing quickly and that the types of data are constantly changing, but that doesn’t change the basics of storage management. The old rules still apply, leaving some IT professionals wondering what really has changed and how those changes affect their shop.

Oct 14
2013

Planning for Every Scenario is “for the Birds”

Posted by Courtney Bowers in Business Continuity , Avalution Blogs

Courtney Bowers

By Stacy Gardner, Avalution Consulting
Originally posted on Avalution Consulting’s Blog

Why “Chicken Little” and “Black Swan” Planning is NOT the Way to Respond to Recent Catastrophic Events

Oct 11
2013

Earthquake planning

Posted by Annie Searle in Advice From A Risk Detective

Annie Searle

In yesterday's operational risk seminar that I teach at the University of Washington, our guest speaker was UW seismologist and information scientist Bill Steele.  In the first hour of class, he used a presentation he had recently made to state government on the development of an alert system that could mitigate certain types of public safety issues during an earthquake.  I've seen parts of the presentation before, and was struck again by the message that is driven home: disaster preparedness reduces costs over the long run.  And it may also reduce business interruption costs by as much as 20%.  Despite these facts, we are a long way from having an effective earthquake alert system in this state that could provide up to 3 minutes of warning before we felt the shock; and that could also be used to stop trains and elevators, and alert schools so that children could drop, cover and hold.

In our seminar the previous week,  I had talked about neuroscientist Tali Sharot's book, The Optimism Bias: A Tour of the Irrationally Positive Brain.  For those of you who might be curious, I've included a link to her TED talk.

Oct 11
2013

12 Things NOT to Include in Your BCM / DR Plan

Posted by Alex Fullick in dr planning , DR Plan , Documentation , BCP , BCM

Alex Fullick

When disaster – or a crises – strikes, organizations must be able to refer to a plan to help guide them through the tasks they need to consider executing to respond, restore and recover, systems and operations. All to often when a BCM / DR plan is pulled off the shelf or printed from a file, one ends up with a document that is huge in nature and breadth though rather slim and small in usable content.

This is because many organization put everything they can think of into their BCM/DR plans, which more times that naught, overshadows the actual content needed to be followed; the stuff that provides the detail on what to do. A BCM / DR plan should be action oriented not full of irrelevant information; irrelevant at the time of disaster, not irrelevant to the overall program.

Oct 08
2013

8 TIPS for COMMUNICATING DURING A CRISIS

Posted by Alex Fullick in Tips , Responsibility , Leadership , Disaster Response , Crisis Management , Business Continuity Management

Alex Fullick

To most people a crisis is bad and for the most part, they’d probably be right. However, an organization can do good things when they are hit with a crisis; some may even say there is an opportunity. The situation itself might be bad enough but it it’s not being managed correctly or communications aren’t approached in a positive way, the crisis can be compounded because the media and the public will think there are more things being hidden by the organization.

If it seems that an organization isn’t prepared – through its communications and response actions – the media and public may start to go ‘hunting’ for more information and uncover other details of the organization that the organization may not want released. Not that they are bad examples on their own but compounded with the existing crisis they will seem larger and could create another crisis or even escalate the existing one. The organization will then be fighting more than one crisis on its hands.

Below are some tips for how to communicate during a crisis; some do’s and don’ts and tips for ensuring good communications when speaking to the media and the general public.

1. Lawyers Aren’t the Face of the Organization – This is one of the biggest mistakes organizations make when communicating with the media and public; they let their lawyers do the talking. Lawyers are good at what they do don’t get me wrong, they just aren’t the ‘face’ of the organization. Often they will speak in terms that the public either don’t understand or don’t want to hear. The public wants to hear what the situation is and what the organization is going to do about the crisis, not the legalities it’s taking to find blame (which is what the lawyers will be trying to do to wither minimize or remove the burden off the shoulders of the organization).



Oct 07
2013

50th DRJ Conference

Posted by Vicki Thomas in DRJ Spring World

Vicki Thomas

It's time to celebrate - in 2014 at DRJ Spring World we're celebrating our 50th conference!! DRJ Spring World 2014 promises to be our best yet and you can be confident that we're looking forward to learning, growing and celebrating with you.

While it might seem early to start thinking about your 2014 conference plans - we couldn't disagree more. Now is the best time to get started with mapping out and deciding on your education, networking and learning opportunities for 2014.

Sep 30
2013

Emergency Preparedness In Action

Posted by Vicki Thomas in Emergency Preparedness

Vicki Thomas

Nearly two weeks ago at 8:48 a.m. an OC Transpo bus collided with a Via Rail Train in the city of Ottawa, Ontario. Six people were killed and over thirty people were injured. These are the basic facts of this terrible collision. It will take months for Transportation Safety Board of Canada investigators to understand (as best they can) what might have caused the collision.

I live in Ottawa. This accident occurred a mere 1 mile from my house. I used to take a bus to work that crossed that very same level train crossing. It is so very hard to understand what happened and how this could have occurred. As can be expected, there was lots of speculation on what could have caused the crash - but the reality is we won't know anything for a very long time. 

Sep 17
2013

6 ways to secure your backup and archive data

Posted by Jarrett F Potts in Security , Encryption

Jarrett F Potts

Data protection is important in today’s world, but at times people forget the simple steps that need to be taken to secure access to that data. As an afterthought, securing your data should be taken seriously. Below you will find six ways to secure your data and data protection solution.

Restrict access to clients

It may seem elementary, but securing the clients with a username and password is the first line of defense against hackers or people accessing your data who should not be. Adding a password to each laptop, server and workstation is not only important, but is also paramount when trying to secure your environment. There are different levels of passwords, and now systems even let you use patterns to secure access to clients.