Thomas Paine, one of the founding fathers, wrote a document called “The Crisis” around the time of the American Revolution. We have all heard one of the famous lines in this document many times: “These are the times that try men’s souls.”

A little later he wrote a document for the army titled “Common Sense.” In spite of the fact that both of these documents were written by a patriot and dreamer more than 200 years ago, we might believe the titles are about the disaster recovery/business continuity industry today.

Business continuity planners are similar to Thomas Paine in that their profession and ideals are new. The profession of business continuity planner has only been around in the business world for a little more than 35 years. It only started coming into its own when organizations became very dependent on computers. Disaster recovery/business continuity planning (DR/BCP) as a profession by all standards is new to the business world, and the discipline it requires is still being debated. The DR/BCP profession and the recovery planning professionals who make up the industry are “the new kids on the block” when compared to most other professions and/or disciplines such as sales, accounting, human resources, or auditing.

As the new organizational unit on the organization chart (and with few, if any, people in the organization who really know what the business continuity planner brings to the table), the business continuity planner is almost always in an uphill battle for a place of influence in the organization. One of our main challenges is to make sure that everyone understands that recovery planning resembles the founding fathers and the American Revolution. If they made mistakes, the Union could not survive; if business continuity planners make mistakes, the organization might not survive.

In more than 30 years of consulting, I have helped nearly 1,000 clients develop their plans and presented hundreds of seminars and classes to thousands of attendees/students. During this time many of these clients, former students, and colleagues kept urging me to share my approach to disaster recovery/business continuity.

So a few years ago I decided to ask my long-time senior associate Tracy Cowan to assist me in the development of the “BCP Made Simple” set of tools (DVDs, seminars/classes, and software). Needless to say, we used the common sense method.

Over the years I have found the common sense method to be the real answer to effective recovery planning. If the job is done right the first time, it will not have to be repeated every three to five years. If the job is done right, it need only be updated and enhanced.

I believe that during plan development more critical information will be contained in one document than exists in any other single document in the organization. It may very well be the single biggest self-examination an organization has ever done. At the end of the day management will feel like they received something of real value and therefore a good return on their investment (ROI).

Every business continuity planner at some time in his/her career has said or at least thought, “These are the times that try men’s souls.”

A lot of this kind of thinking comes from the job the business continuity planner performs every day. Business continuity planners are thinking about or really dealing with some form of crisis almost all the time. The objective of this document is to bring a little common sense to the way business continuity planners carry out their responsibilities in order to satisfy management, vendors, decision makers, plan users, and anyone else who may be affected if a real crisis happens and the implementation of the recovery plan is necessary. Some might call it “old school,” but when the chips are down this method works. There is no substitute for a tried, tested, and effective method that works.

In the common sense and simple method the business continuity planner needs to answer, document, test (rehearse/exercise/practice), and keep current the following seven questions:

  1. What needs to be done?
  2. Why does it need to be done?
  3. When does it need to be done?
  4. Who is going to do it?
  5. Where is it to be done?
  6. How is it to be done?
  7. What resources are needed to do it?

The approach is vertical, top down, one process/function at a time. This is where everything gets discussed and documented. What is required to activate and make operational the process/function, including resource requirements? After each one is finished take the next highest priority/critical process/function on the list and do it all over again until all processes/functions are completed.

The business continuity planner must keep in mind that some processes/functions may have the same priority/critical rating assigned to them. Given that during a recovery effort there may be a limited amount of resources available to be used, a sequence number must be assigned to each priority/critical process/function.

Use of the sequence number is a way to further define the priority/critical processes/functions to the next level and to assure the available resources are used by the processes/functions in the order of their ability to deliver the desired results.

Another thing the business continuity planner must keep in mind is the recovery point objective (RPO) required of each organization unit including IT, data communications, and voice communications. The organization as a whole cannot meet its recovery time objective (RTO) if the organizational units do not meet their RPO. Keeping this in mind the business continuity planner must add in the factor of the data recovery objective (DRO) which would be the lead time to recover any lost data that must be reconstructed. The DRO may be automated or hard copy. A great deal of the business continuity planner’s responsibilities center around these seven questions being answered, keeping them current, and making sure everyone knows what role he/she is to play during plan testing and if the plan ever would need to be implemented.

Business continuity planners have the responsibility to make sure that everyone understands that recovery planning is not just the business continuity planner’s responsibility; it is everyone’s responsibility.

The business continuity planner provides the methodology, is the coordinator, leads the effort, sees that meetings are scheduled, and facilitates those meetings. He or she oversees the development of the plan document and the leadership to get the job accomplished. It is critical that everyone takes the time and expends the energy to make sure their part of the organization is properly prepared to meet any unexpected crisis the organization may experience.

The business continuity planner should not work in a vacuum where they are doing everything by themselves. This is an uphill battle most of the time, but they have not done their job if they can’t get everyone to participate to some degree – some a little and some a whole lot more. This requires that the plan and the planning process be kept simple. The process must be easy to understand and must not be written in overly technical terms, which I call “computerese.”

The business continuity planner must take the time during plan development to ensure that all plan users are educated on the roles they are to play if the plan would ever need to be implemented. Waiting until implementation is too late to educate, and it is no time to practice or to do role playing.

Times and technology change as do the names planners may attach to some of the planning methods and tools used today. However, there can be no substitute for an easy-to-understand approach that has a sound set of basic items documented in the plan.

The “New Kids on the Block” must follow a time-tested and sound method of development. They must make sure the essential requirements of a disaster recovery/business continuity plan are available and that the time is spent to research requirements, analyze the data collected, develop recommendations and/or alternatives, get management approval, and see to it the information is written into an easy-to-read-and-understand document. Business continuity planners who follow the common sense, “BCP Made Simple” method will be well on their way to meeting the expectations of their management and the rest of the organization.

Below are common sense suggestions any planner would be well advised to follow, no matter how experienced or inexperienced the planner may be, from the novice to those who have been performing plan development for many years:

  • Know as much as possible about the organization and why it exists. To accomplish this review the:
    -    Organization chart
    -    Mission statement
    -    Vision statement
    -    Annual reports
    -    News releases
    -    Policies
    -    Management style (from the top down)
    -    Industry regulations
    -    Government mandates
  • Receive senior management approval for the following items:
    -    The scope of the recovery planning program
    -    Acceptable recovery time following a disaster
    -    What is very important, and what is not quite as important
    -    Who will and who will not be available to spend about an hour every two to four weeks with the planner to participate in the plan development (the hope is that no one will be off-limits)
    -    The recovery program budget
    -    Be a part of the formal kickoff of the program
  • Conduct a business impact analysis (BIA) – simple or full-blown – even if management is reluctant to approve a full-blown BIA. Just answering the first three questions above could account for as much as 50 to 70 percent of the BIA effort. If they are not answered by conducting a BIA, they must be answered during plan development. Therefore, why not do a BIA? By conducting the BIA the organization will get a number of other benefits, such as education and the justifying of the strategy that will be followed during plan development. However, that is a subject for another article. Consider showing management an estimate to develop a full-blown BIA and the impact it will have on the overall plan development schedule. It will come pretty close to being a tradeoff.
  • Use the organization chart to establish recovery teams of selected staff members who will have the responsibility to represent their organization (unit) during team meetings. This will include the following:
    - Team leader
    - Alternate team leader
    - Team members
    - Alternate team members
    - And sometimes a scribe who will be responsible for documenting the meeting and the written plan (hard copy and/or electronic)
  • Choose a data collection and documentation methodology and train a minimum of one staff member from each team (organization unit) on its use.
  • Schedule and conduct a series of team meetings. These meetings should last for no more than one hour each time the business continuity planner meets with each team. The business continuity planner should know exactly what they need to accomplish during the meeting. Once it has been accomplished conclude the meeting. By keeping the meetings short and to the point the attendees will feel you have not wasted any of their time. Normally three to four meetings, scheduled two to four weeks apart are needed to accomplish the required results. It is a good idea to keep a good record of who attends the meetings. Have a sign-in sheet, pass it around, and have each attendee sign in.
  • Information technology (IT, computer)
    -    Operations
    -    Hardware
    -    Scheduling
    -    Production
    -    Backups
    -    Systems
    -    Technology
    -    Applications
    -    Other IT units

  • Each business unit team, including the business units responsible for providing the following support services to IT and the other business units, such as:
    -    Facilities
    -    Data communications
    -    Voice communications
    -    Purchasing/procurement
    -    Security
    -    Legal
    -    Human resources
    -    Office services
    -    Public relations
    -    Etc.

  • The command center team is to be convened if a plan implementation seems to be necessary. The command center team will have the responsibility to recommend that a disaster be declared (which will cause the disaster recovery/business continuity plan to be implemented) or not be declared, in which case the organization will follow normal problem-solving procedures. If a disaster is declared, they will coordinate the interaction between teams and implement whatever strategy the recovery effort will follow. At a minimum the command center team should be populated with:
    - A command center leader (normally the business continuity planner)
    - Alternate command center leader
    - Scribe
    - Initial response team made up of representatives from facilities, security, IT, voice and data communication and maybe a couple of business unit team leaders
  • During the team meetings:
    -    Discuss and establish dependencies each team has on any other team or organization, internally or externally, for their ability to perform their processes/functions
    -    Develop step-by-step tasks for each process/function to be followed by each team during the recovery plan testing and implementation. This is accomplished one process/function at a time. Keep in mind the priority/critical list developed earlier and the sequence number assigned to each process/function. This is necessary to meet the overall organization’s RTO, the organizational unit’s RPO, and assure the DRO required to meet the service level commitment (SLC) can be met.
    -    Develop the skills required to perform the required task(s)
    -    Document the resources needed in order to perform the task(s)
    -    Define off-site backup items that must be available during a recovery effort (both hardcopy and electronic)
    -    Define other organizational resource requirements
    -    Develop work schedules including sharing of limited resources
    -    Define any special items such as travel arrangements that may be needed, how they will be made, how credit cards will be supplied, how spending limits will be approved, how off-site material will be retrieved, how special accounts will be set up by accounting to keep track of the recovery effort expenses, etc.

  • At a minimum collect and document the following resource information:
    -    All computer application systems
    -    All business processes/functions
    -    All IT processes/functions
    -    Staff call tree information such as name, title, reports to, work phone number, home phone number, address, and if possible cell phone number
    -    Hardware, IT, IT-related, data and voice communications, and all other hardware such as fax machines, postage meters, copiers, inserters, call directors, etc. (This information should include the number of currently installed devices and the minimum number of each required to operate. Include all pertinent information about the devices.)
    -    Supplies
    -    Space requirements
    -    Furniture requirements
    -    Staff required to carry out the process/function (this information should include current staff size and minimum required to operate.)
    -    Procedures used
    -    Hardcopy information used
    -    Vendor information
    -    Customer information
    -    Security contact
    -    You may also want to include the fire department, police department, hospital information, but 911 should be all that is needed.

  • Schedule and conduct several table top tests during the final stages of each team’s plan development. There are many components that are critical to making sure the plan is accurate and can be tested without requiring a great deal of time by any team.

After a number of table top tests and after everyone feels good about the state of their plan, schedule and conduct an all-team test with the command center team in charge. This test should be scheduled for several hours and results reviewed with each team and a report given to senior management.

In summary, I always tell my clients it is critical to add to the security and protection of their organization by reducing their risk as fast as possible. They can go a long way toward doing this by developing a base plan as fast as they can. Right now they have the support of management and they recognize the need for a disaster recovery/business continuity plan. As time goes by, management will have many other things on their plates. Keep them happy and informed by writing a short weekly status report (one page or less if possible). Make sure to point out in the report what is going well and what needs more attention.

I tell the client to worry about adding the bells and whistles later when they have time to do testing and maintenance. That is where following the common sense method comes into play. If they take too long to put a plan in place, they will find themselves maintaining what they are still trying to develop. By using this method maybe, just maybe, the business continuity planner will not often find themselves thinking, “These are the times that try men’s souls.”

Norm Harris, CBCP, Certified Recovery Planner, is chairman, president and CEO of Norman L. Harris & Associates.