Ideas on How to Collect Data for a BIA

How best to collect data input to a Business Impact Analysis-BIA [1] in a hospital setting?

There are a number of methods to obtain the necessary perspectives and information which create the foundations of the BIA. These methods are common to any data gathering exercise and may include interviewing, questionnaires, and workshops. [2]

In an environment like a hospital, I think the initial tasks of creating a BIA are best approached using the interview method. Concentrating on one functional group at a time also, I believe, does a better job of preserving the integrity of the BIA. The interview method can and should be systematic, with defined and repeatable questions asked in a particular order. [3]  One could combine this approach with an educational document sent out ahead of time to help prepare the interviewees for the session. This is more efficient and gives the employee the opportunity to do some research instead of just guessing during the interview. After all, we’re seeking accurate information, not just raw speculative data.

In my experience, questionnaires are useful to an educated audience, especially when review or repeat activity is necessary. However, to an audience of employees not accustomed to business continuity terminology or experienced in disaster preparedness, it may be a confusing or overwhelming task. There is quite a bit of overhead associated with the creation, distribution, collection, and interpretation of questionnaires [4]. In particular, some free-text (essay) responses are necessary to gather the most useful information, and analyzing and understanding those responses may require iterative interactions with the respondents. In the end, it almost becomes an interview of sorts. This approach is very time-consuming and I wouldn’t recommend it. [5]

The advantage of workshops is saving time. The disadvantage, as any good interviewer would tell you, is that we see ‘group-think’ develop live during the session. This group-think certainly helps to build consensus, but can mask some of the more subtle yet possibly important data points. [6]  Why does this masking occur? The quieter folks just don’t speak up in a group setting, or what is heard sounds close to what a person was going to say and so the clarifying detail goes unsaid. As more vocal, stronger speakers voice their ideas, others begin believing that what was said is correct, despite any previous thoughts they may have had. In my experience during search and rescue on the scene of dive emergencies, we strive to separate witnesses in order to obtain ‘virgin’, untainted statements and observations. I believe the same is true of interviewing for the BIA. A last point on avoiding group-think: if it’s decided to use the workshop or group meeting, a good, solid facilitator will be key to successfully gathering critically accurate information.


While each of the methods stated may work to obtain the necessary data for the BIA, it’s my preference that the one-on-one interviewing coupled with prepared, systematic questions, is the most useful approach.


Business Impact Analysis: Resolving Discrepancies

How do we handle getting different answers from different people about the same disruption periods or effects of loss when conducting a major analysis task in business continuity?

‘Prevention is the best medicine’, is a common phrase typically associated with the medical field. The best way to handle discrepancies and validate data is to educate those participating in the process and offer transparency in the approach and method of gathering the data. Begin with early communications and inclusion of those who will be involved in the Business Impact Analysis-BIA. [1]

The following is the general approach I recommend for any organization, but particularly one with as many diverse and dependent functions as a hospital (A typical hospital organizational structure includes: “Administrative Services, Informational Services, Therapeutic Services, Diagnostic Services, Support Services” or other variations.) [2]:

  1. Target function: Begin with choosing the functions one at a time. Since an enterprise-wide analysis can be a lengthy process, it may be helpful to begin with some of the key functions and build a plan which addresses the more critical business elements. [3] As an example, a hospital, like any organization, has an infrastructure of diverse functions, hopefully working together to provide the best patient care and safe and rewarding environment for the employees. [4] [5]
  2. Select the people: It’s important to determine who from the target functions will be key individuals who can offer the most accurate perspective. The people we speak with should be close enough to the daily tasks and work to understand what needs to get done, what process or procedure is used, and also has an understanding of information flow and dependencies. However, we need to also select middle management or supervisors that have a broader understanding of the interface to other functions. By selecting the right participants, the number of incidents of discrepancy can be reduced. [6]
  3. Education and transparency: People seem to respond well to being informed and being included. So, now that we have the target function(s) and selected the key participants, it’s time to educate. By educate I mean be transparent and include the participants in a general understanding of the goals of the project (Business Impact Analysis-BIA [7] or Risk Assessment-RA [8]) and how they can help. Also, describe the steps of gathering information, when they will be asked to participate, and how they will have the chance to review the material before it is included in the final analysis.
  4. Resolution: Now it’s time to share what’s been collected with the participants. In my experience (borrowed from a recent COOP plan implementation), we can resolve discrepancies with a ‘de-conflict’ or resolution meeting. (Of course, there are some that suggest the term ‘de-conflict’ is a new word indicating poor planning by managers. I’m trying to avoid that. [9]) However, this can be a great opportunity to reach a common understanding and ferret out and resolve discrepancies. I see a resolution meeting as a very necessary step prior to launching into a full analysis.


The approach I’ve described can be used to effectively reduce the incidence of discrepancy regarding perspectives on disruptions periods and their impact on business. The fine nuances of the incident and its impact on tasks can be better understood when we select a variety of key people with both a detailed and broad interface perspective of the essential functions.

Communication, education, transparency, and inclusion can go a long way toward reconciling differing viewpoints. This is best accomplished well before beginning the data-driven analysis of critical functions and the impact of disruptions.


Risk and the Bottom Line

Regardless of the apparent value of an initiative, there will always and probably should be a measure of skepticism before funding approval. Risk managers and business continuity professionals can accomplish great things for organizations and societies as a whole by learning how to tie their initiatives to the bottom line of the company.

Often, “… BCM efforts do not get what they need because they are considered discretionary projects that do not contribute directly to the organization’s profitability.” (1)  I believe that executives at all levels hold a real responsibility to appropriately manage the wealth of an organization, whether that wealth is tangible or not. Therefore, we can fully expect to have to defend spending levels for any of the business continuity and risk assessment programs.

There are a number of ways currently in use today which can aptly demonstrate program value:

  • Risk Chart Matrix (2) (4) … used to qualitatively describe risk as high or low and correlate it with probability of occurrence
  • Financial Impact Analysis (4)  … cost of loss or loss of profit as measured by metrics which are pertinent and critical to the business and the stakeholders, i.e. unproductive hours worked due to outages, revenue lost from customers changing suppliers due to delayed deliveries, lawsuits due to failed products or services, etc.
  • Business Continuity Maturity Model (5) … an open-source self-assessment tool available for free download which has become an industry standard
  • RASCI (6) (7) … a responsibility assignment matrix (Responsible, Accountable, Supportive, Consulted, Informed) used to make clear who owns, decides, contributes and must be told, especially among key decision-makers.
  • Lifecycle-BC Model (8) … designed to help quantify business continuity from a programmatic approach

The volume of additional tools and methods across the various disciplines is astounding to me. For example, in the field of security, the risk assessment guidelines created by ASIS post 9-11 provide an enormously thorough set of methods and tools. (3) (9)

All of the methods and tools in the world won’t, in and of themselves, guarantee success in gaining acceptance for funding an initiative. However, I believe that without using such tools, and without quantifying the specific financial loss due to risks, BC programs will remain a difficult sell to executives.

In the end, we would do well to understand the revenue at risk or cost avoidance data for each functional unit, product, service or business entity. Then, describe BC not as a cost center activity but as a cost avoidance and revenue loss reducer.


Does a BC Plan ‘Protect’ the Enterprise?

If the purpose of a business continuity plan is to protect the enterprise in case of a major disruption then why should we be concerned with what type of disruption occurs?

I’ve read in a handful of references a definition of business continuity, and the misnomer for me is the word ‘protect’. I’m not arguing semantics, but I think we can all agree that a plan to continue a task after an incident does not actually protect anything. The fact that a BC plan is being implemented means that a disruptive event has occurred. The word protection may imply protection from further damage. It is in that context that I respond with the remainder of this discussion entry.

It can sometimes be better to ‘just plan for anything that might happen’ using a general business continuity plan without regard for the type of disruption. Cobb suggests that it’s not the job of business continuity management to protect “…the entire organization against every eventuality”. (1)  Perhaps not, however I think we should try to plan for the resources, build awareness, and be capable of easily implementing a BC plan “…whatever disruptive circumstances affect your [organization].” (2)

I found it very interesting to consider the concept from Burtles regarding investment wisdom, where he says “… it is possible to achieve 90% protection at a reasonable cost”. (3) Thus, the argument is made that planning for the majority of types of risks may be sufficient.

A case can be made that any well researched and designed continuity plan will be sufficient for most unexpected events, disruptions, and certain types of disasters. This is particularly true, if all functions across the enterprise have provided their perspective and input to the plan.

However, in the case of emergencies and more broad disasters, it will be valuable and useful to consider a more prudent approach. The prudent approach would consider the prevalent types of risks, their likelihood of occurrence, and the areas with most probable critical impact to essential functions.

It may not be possible or practical to consider all causes of disruptions and therefore not reasonable to build a plan to do so. Reasons for not developing a full-scale risk assessment, business impact analysis, cost-benefit analysis and continuity management plan across all functions may be obvious – time, money, and the feeling that it won’t happen to them. “There is no need to advocate that all professional firms spend fortunes on Risk Management and Business Continuity.” (4)  Convincing executives, stakeholders, and the general masses that a major disruption could, in fact, ‘happen here’ can be a tedious and frustrating task. A recent survey found that many “… businesses are willing to accept the risk… due to their perceived unlikelihood…” (5) of incidents actually occurring to their organization. Thus, executives may feel a business continuity plan is not necessary. However, senior leadership often fails to recognize that a number of common threats have nothing to do with geographic location or the threat of natural disaster. (5)  Considerations like these bear on whether it is worthwhile to plan for all types of disruption.


A business continuity plan does not actually protect, but does help make us aware of our capabilities and prepare us to take action during any crisis.

The likelihood of the specific risks that can cause outright disasters, as opposed to events we would merely call disruptions, may be the stronger reason to consider all risks.

Reasons for not considering all risks may be time, money, and belief that a disaster will not occur or has a low likelihood.

I recommend this recipe: Assess highest likelihood of risk exposures and create a plan designed to maximize continuous operation of critical functions which are most impacted by those exposures.


Business Continuity Readiness

Are You Ready?

• People

Planning includes Delegation of Authority, Succession Plan, Contact Information, Team Leader or Support Roles

• Facilities

Identification of Primary Facilities, Alternate Facilities, and Tertiary Facilities. It’s important to determine the minimum essential requirements necessary to continue operating business and services. For example: telephony, internet, furniture, secured access, equipment, and staff.

• Process

Process includes all standard operating procedures, system accountability and functions, e.g. how to start up the computer systems, HVAC, power grid, etc. as well as soft systems like routine transactions and tasks.

• Equipment

Can be the actual infrastructure of buildings, vehicles, furniture, computer data center, etc. and/or the tools of the trade, i.e. machines, presses, lab equipment, vehicles, etc.

• Records

Not all records are necessarily vital during a disruption. Consider identifying the most critical records to continue the mission of the business during and subsequent to the disruption. Most Data Centers have done a thorough and accurate job of back up and recovery for decades. However, redundancy is only part of the issue. Consider both hard and soft copy materials, documents, files, etc which may be needed prior to electronic systems getting back up and running.

Getting Buy-In

How do we convince a client, customer, manager or C-Level executive that there is a need [for business continuity planning]?

Be realistic, times are ‘always’ tough, budgets are ‘always’ tight, and management or clients are ‘always’ wondering why they should spend any more money. This is especially true if you are trying to get a business function to ‘buy-in’ to a continuity plan.

  • “It will never happen to us…”
  • “… no major disasters here since ’06…” [that’s 1906!]
  • “… no, we’re not on a fault line, we don’t get hurricanes or tornados, and there hasn’t been a fire around here since the old grain mill collapsed.”

Sound familiar?

So, here is my two cents on approach.

My general approach is to listen, educate, seek engagement, gain initial support, conduct assessment, evaluate and recommend.

First, I listen carefully and seek to understand the challenges and strategies of the business. I also think it’s important and helpful to bring some education to the audience, as well. (1)  I can provide information regarding:

  • how external factors can impact the business, including a SWOT analysis, standards and regulations, customer needs, etc.
  • the current state of internal processes and how the company might react during a crisis
  • practicalities driven by acceptable practices and techniques in similar industries to ours
  • the right time period with which to introduce the BC topic (2)


Proposing a Business Impact Analysis may be appropriate. This can be accomplished by using recent events or statistics to demonstrate or suggest need.

  • Although using recent events to conjure alarm or get attention for the need of a BC plan may work, it could be short lived attention. Boards and executives can too easily dismiss the crisis as a short-term problem which does not deserve long-term attention. (3)
  • There are a number of good studies which provide current statistics on business continuity and disaster recovery. These statistics, when used sparingly, can serve as comparison of the target organization and those in a similar business. But, it can also work against you. For example, I learned that 72% of companies polled in a recent survey have never experienced a disaster.(4) Therefore, if it – a disaster – hasn’t yet happened to this company then it may be more difficult to get their attention to make a plan.

How long will we need to fuss with this?

I do not expect management to approve a never ending process. Instead, I begin with justifying the value of a short, exploratory project. The project provides an assessment of the state of the business as it relates to readiness.  A ‘baby steps’ approach to engender support often is more successful. If the assessment proves there is no need then the activity ends. If, on the other hand, the assessment points out opportunities for improvement, then I begin the task of getting a champion on board before proceeding with a more broad planning process.

I incorporate the budget information along with other critical process elements into the plan in phases including:

  • achievable milestones with discrete deliverables
  • results-based outcomes, i.e. life-saving, financial and brand impact

An argument can be made to offset the upfront and ongoing planning costs with the value of these results. For example, calculate total losses per day for various degrees of recovery capability. “Senior managers understand more clearly when you can demonstrate how much risk they are taking” (5), so show what the return on investment is to avoid, mitigate or recover from that risk.
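The tools listed under “Risk and the Bottom Line” (the high/low risk chart and the financial impact analysis) and the “losses per day for various degrees of recovery capability” calculation above come down to the same small model: loss per hour down, likelihood per year, and the hours it takes to resume. The following is an added worked example of that model, not code from the post or from any of the references it cites; the three functions, their hourly losses, event rates and recovery times are constructed figures for illustration only, and the “high”/“low” thresholds are assumptions.

```python
"""Revenue-at-risk, risk-chart rating and cost-avoidance ROI.

Added example; the numbers are constructed, not taken from any organization.
Model (an assumption, kept deliberately simple):
  loss per event      = loss_per_hour * hours to resume (the RTO)
  annual loss (ALE)   = events per year * loss per event
  ROI of a control    = (annual loss avoided - control cost) / control cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    name: str
    loss_per_hour: float        # revenue lost plus unproductive wages per hour down
    events_per_year: float      # expected disruptive events per year
    current_rto_hours: float    # hours to resume with today's capability


# Constructed sample functions (assumed values, hospital-flavoured names).
FUNCTIONS = [
    Function("patient billing", loss_per_hour=5_000, events_per_year=2, current_rto_hours=48),
    Function("lab results",     loss_per_hour=8_000, events_per_year=1, current_rto_hours=24),
    Function("staff scheduling", loss_per_hour=500,  events_per_year=4, current_rto_hours=72),
]


def loss_per_event(fn: Function, rto_hours: float) -> float:
    """Cost of one disruption if the function resumes after rto_hours."""
    return fn.loss_per_hour * rto_hours


def annual_loss(fn: Function, rto_hours: float) -> float:
    """Annualized loss expectancy at a given recovery capability."""
    return fn.events_per_year * loss_per_event(fn, rto_hours)


def losses_by_capability(fn: Function, rto_options) -> dict:
    """Per-event loss for each candidate recovery capability, for the 'losses per
    day for various degrees of recovery capability' argument."""
    return {rto: loss_per_event(fn, rto) for rto in rto_options}


def risk_rating(fn: Function, impact_threshold: float, likelihood_threshold: float = 1.0):
    """Qualitative risk-chart cell as (likelihood, impact), each 'high' or 'low'.
    Thresholds are assumptions: >= one event a year is 'high' likelihood and a
    per-event loss at or above impact_threshold is 'high' impact."""
    likelihood = "high" if fn.events_per_year >= likelihood_threshold else "low"
    impact = "high" if loss_per_event(fn, fn.current_rto_hours) >= impact_threshold else "low"
    return likelihood, impact


def annual_loss_avoided(functions, improved_rto_hours: float) -> float:
    """Loss avoided per year if every function can resume within improved_rto_hours.
    A function already faster than the target gains nothing."""
    avoided = 0.0
    for fn in functions:
        new_rto = min(improved_rto_hours, fn.current_rto_hours)
        avoided += annual_loss(fn, fn.current_rto_hours) - annual_loss(fn, new_rto)
    return avoided


def control_roi(functions, improved_rto_hours: float, control_cost_per_year: float) -> float:
    """Return on the continuity investment: avoided loss net of cost, per unit of cost."""
    if control_cost_per_year <= 0:
        raise ValueError("control cost must be positive")
    avoided = annual_loss_avoided(functions, improved_rto_hours)
    return (avoided - control_cost_per_year) / control_cost_per_year


if __name__ == "__main__":
    for fn in FUNCTIONS:
        print(fn.name, risk_rating(fn, impact_threshold=100_000),
              losses_by_capability(fn, (4, 8, 24, 48)))
    # A control bringing every function to an 8-hour RTO for 200,000 a year.
    print("ROI:", control_roi(FUNCTIONS, improved_rto_hours=8, control_cost_per_year=200_000))
```

The point of expressing it this way is that the same three inputs feed both the qualitative chart an executive can read at a glance and the dollar figure the budget discussion actually turns on; change the assumed recovery capability and both move together.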


With this approach, the champion and/or decision-maker(s) is able to consider and approve portions of the plan perhaps on a fiscal year basis. Each year or after particular milestones, there can be a re-evaluation step, which includes budgetary considerations. Hopefully, the value of the results to date helps ensure an ongoing repeatable BC process.


System Restored, All is Well, – NOT!

Once the technician or data center staff restores our system all is well – or is it? What are your experiences?

Our troubles continue well after power is restored, the logon screen returns, or the databases are re-synched, I think. You’ve certainly experienced this, right?

I support the position that in all situations there is a residual period, following the disaster and the start of recovery, in which a system is not at 100%. Recovery from a crisis of any significant magnitude is always a challenge. There would be a finite backlog trap (1) even if, in some cases, resumption is easy and swift. [There is a mathematical way to calculate the non-zero nature of ‘the trap’ in all situations which we’ll leave for another discussion.]  Since “…existing backlog, or response time, starts to grow immediately…” (1) from the inception of the system insult, there would need to be an appropriate protective strategy in place to account for optimal recovery. If, as Burtles (1) states, the backlog is at least five times the downtime, it seems impossible to have a situation where there is zero or negligible time when ‘all our troubles are over’.
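One way to see why the backlog outlives the outage is a simple fluid model, offered here as an added illustration and not as Burtles’ own derivation: work keeps arriving at its normal rate while the system is down, and once restored the system can only eat into the pile at the difference between its capacity and the normal arrival rate. The arrival rate, capacity and outage length below are assumed figures chosen for illustration.

```python
"""Backlog-trap model: how long after restoration until the backlog is gone.

Added example (not from the post or its references). Assumptions:
  - work arrives at a constant ARRIVALS_PER_HOUR, during and after the outage;
  - nothing is processed during the outage;
  - after restoration the system processes at most CAPACITY_PER_HOUR, so the
    backlog shrinks only at the surplus rate (capacity - arrivals).
Closed form: clearance time = arrivals * outage / (capacity - arrivals).
With only 20% spare capacity that is 5x the outage, which is the kind of
multiple the paragraph above refers to.
"""

# Constructed sample figures (assumed): 100 transactions/hour arriving,
# 120/hour of processing capacity, an 8-hour outage.
ARRIVALS_PER_HOUR = 100.0
CAPACITY_PER_HOUR = 120.0
OUTAGE_HOURS = 8.0


def clearance_hours(arrivals_per_hour: float, capacity_per_hour: float, outage_hours: float) -> float:
    """Hours after restoration until the accumulated backlog is back to zero.

    Raises ValueError if there is no surplus capacity: the backlog then never
    clears, which is the trap in its worst form.
    """
    if arrivals_per_hour < 0 or outage_hours < 0:
        raise ValueError("rates and durations must be non-negative")
    surplus = capacity_per_hour - arrivals_per_hour
    if surplus <= 0:
        raise ValueError("no surplus capacity: backlog never clears")
    backlog_at_restoration = arrivals_per_hour * outage_hours
    return backlog_at_restoration / surplus


def backlog_multiple(arrivals_per_hour: float, capacity_per_hour: float, outage_hours: float) -> float:
    """Clearance time expressed as a multiple of the outage itself."""
    if outage_hours <= 0:
        raise ValueError("outage must be positive to express a multiple")
    return clearance_hours(arrivals_per_hour, capacity_per_hour, outage_hours) / outage_hours


def simulate_recovery(arrivals_per_hour: float, capacity_per_hour: float, outage_hours: float,
                      step_hours: float = 0.25, max_hours: float = 10_000.0) -> float:
    """Step-by-step check of the closed form. Returns hours from restoration
    until the backlog first reaches zero; raises if it never does within max_hours."""
    backlog, t = 0.0, 0.0
    while t < outage_hours:                      # outage: arrivals pile up, nothing cleared
        backlog += arrivals_per_hour * step_hours
        t += step_hours
    restored_at = t
    while backlog > 0:                           # recovery: only the surplus drains the pile
        if t - restored_at > max_hours:
            raise RuntimeError("backlog is not clearing: capacity <= arrivals")
        backlog += (arrivals_per_hour - capacity_per_hour) * step_hours
        t += step_hours
    return t - restored_at


if __name__ == "__main__":
    hours = clearance_hours(ARRIVALS_PER_HOUR, CAPACITY_PER_HOUR, OUTAGE_HOURS)
    print(f"{OUTAGE_HOURS:.0f}h outage -> {hours:.0f}h to clear the backlog "
          f"({backlog_multiple(ARRIVALS_PER_HOUR, CAPACITY_PER_HOUR, OUTAGE_HOURS):.1f}x the outage)")
    print("simulation agrees:", simulate_recovery(ARRIVALS_PER_HOUR, CAPACITY_PER_HOUR, OUTAGE_HOURS))
```

The practical reading is that the “restored” point the technician reports is the start of the residual period, not the end of it, and that the length of that period is governed by spare capacity rather than by the outage alone: doubling the surplus halves the clearance time, while a system that comes back at exactly its normal throughput never catches up.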

Entire businesses offer products and services which prevent data loss, minimize or shield end-users from the impact through fault tolerance (2), and/or accelerate recovery from disasters. A few include IBM, Sun Microsystems, Fujitsu, Hitachi, EMC and others. I’ve worked for some of these companies as a reliability and quality assurance engineer. Large-scale systems required significantly complex mathematical models for the precise purpose of failure mode, effects and criticality analysis-FMECA (3). Based on my experience, our troubles do continue for some period of time even past the point when computer systems are up and running, data is restored to a proper restore point, and users (customers) are continuing with their work as before the data crisis occurred.

Additionally, I offer an outlier consideration in disaster recovery with an example of something I call a ‘soft disaster’- one that is non-physical, but does impact the brand or financial stability of a company. A ‘loss of data’ crisis due to invasion of systems or databases can be a disaster to a business which can cause a number of recovery challenges. In the case of the Gap company (4), simply retrieving the stolen laptop intact with its data files would not stop the clock on time to recover. A company like Gap would need to spend quite a bit of funds on incident analysis, security plan reviews, creation of updated protection policies, and possibly modifications to existing risk assessment and business continuity plans, not to mention brand rebuilding.


Champions of Business Continuity

Every project needs a champion. Figuring out who it is may not always be apparent. What do you think?

For Business Continuity Planning-BCP and/or Continuity of Operations Planning-COOP making the determination of the appropriate level in the organization is an important first step to any successful project.

In order to ascertain what is the appropriate level in the hierarchy for the BC champion, I would first like to determine three things:

  • What is the scope of the functional organization under consideration?

Are other organizations reliant on this business unit’s BC plan? Is there a top-down or bottom-up impetus for the plan? Has there been a recent event which is driving the need for the plan?

  • What is the type or nature of the business, i.e. public or private sector?

Understanding the industry, private or public sector will play a role in approach to management. Public sector may be dictated by the norms of governmental bureaucracy including typical job descriptions for various roles, i.e. risk management, emergency manager, public safety. In private sector, a host of possible champions may include IT, human resources, risk management, facilities and buildings department.

  • From which perspective is the BC plan being developed – micro or macro?

Is it a support function, independent group or the larger enterprise? What is the anticipated scale of the plan coverage? Are there geographic location considerations?

The champion should be someone with a vested interest in the organization, high enough in the hierarchy to sponsor the project, including financial approval. Burtles strongly believes that the champion comes from the highest levels of the company, even at the board level (1). The champion should also have the clout to influence peers and upper management to understand and support the merits of the BC plan value proposition and ROI (in terms of human value and business survival). The very nature of a champion implies it is a person who is considered a leader, whether by rank, title or simply as the ‘get it done’ person that others aspire to follow.

The champion would need to have a vested interest in the level of the functional group desiring to create a BC plan. Cobb posits that we can find an essential business function within any unit of an organization (2).  I interpret this to mean that, theoretically, a business continuity plan can be created for each and every team, department, function, group, remote office site, division and company organizational unit. These smaller, focused plans support the micro sufficiency suggested by Burtles (1).  Once developed and exercised, I can imagine that the essential elements of each plan can be combined in some fashion to create larger and larger BC plans applicable to the larger organization. Therefore, the champion would need to have a vested interest in the specific mission-critical functions within the affected scope of the plan. For example, in the private sector a regional manager would be interested in developing a plan to ensure continuity of distributed offices/factories/facilities within his/her responsible geography (3).  An example in the public sector could be a municipality where the city emergency manager or public safety director may be the champion (4). This is often the case since city officials typically consider preparedness to be within the scope of such offices.

Alternatively, Miora offers the concept of an enterprise-wide approach to preparedness.  By bringing together a cross-discipline approach to Incident Management, it appears possible to make a case that the champion would need to have a more macro view of the business. (5)  I believe there should be only one champion at a time. For the enterprise-wide approach to be successful, the champion would need to be much higher up in the hierarchy.

The recent July 2009 BSI survey (6) shows that the vast majority of persons most engaged in the BC Plan are the Board, CIO, CEO, Executive VPs and Exec Directors. This may lend credence to the need for persons higher up in the organization being the champion.

From project management, particularly Six Sigma champion selection, the champion is often a person whose very reputation or position in the organization clears the way for the planning project to flourish. As Cobb (1) points out, BC planning is more a process than it is a project. So, it’s less important which organization the champion comes from than to what degree the champion can support, defend, and lend credibility to the value of the business continuity process as a valuable contribution to the business (7).


In conclusion, I believe the champion plays a key role in the success of the business continuity planning process. Understanding the size, scope, and nature of the business or public sector entity is crucial to choosing the appropriate champion from the appropriate function at the appropriate level. The champion should be a person who has and uses influence to help support the BC plan through all stages of the process.


Are We Asking the Right Questions About Risk?

  1. What are your exposures to risk?
  2. How likely are they to occur?
  3. If they occur, what will be the impact to your business?
  4. What is Business Continuity?
  5. What is Continuity of Operations?
  6. Who should be interested?
  7. Which planning solutions can help you be prepared?

Business Continuity – Who’s Interested?

Private Sector – BCP Plan

Many successful businesses have a plan for the inevitable and unforeseen. The BCP provides a shared, coordinated and well understood business critical process that is part of the very fabric of an organization’s strategic plan. The plan is applicable even during more common but significant disruptions.

Examples: Banks, Childcare Centers, Construction, Energy, Finance, HVAC-Facilities-Critical Operations, Hospitals, Non-Profits, Pharmaceutical, Research Labs, Retirement Homes, Universities, Utilities

Public Sector – COOP Plan

COOP is a basic building block of any emergency planning program.  It also has applicability well beyond large-scale disaster events.  There are many potential situations when a COOP plan will be activated without a true emergency or disaster.

Examples: Airports, Fire Departments, Ambulance/Rescue Units, Government organizations, i.e. courts, correctional, military, Municipalities: cities, towns, counties, states, Universities and Educational Institutions

Organizations with a Need for Continuity Planning:

  • Organizations governed or impacted by compliance
  • Companies or agencies who provide critical services to others, especially in preparation for disruptions or during disasters
  • Organizations larger than 20 employees, or smaller ones if significant financial impact can occur due to disruptions
  • Multiple functional groups and/or multiple locations or geographic areas

Who is Interested:

  • C-Level Leaders, CEO, COO, CFO, CIO
  • Compliance Officer, Human Resources, Information Technology
  • Risk Management, Legal Counsel, Shareholders
  • Emergency Management, Safety Officer, Security Chief

Risk Exposure

Describing RISK

Potential Emergencies –

  • Localized Acts of Nature
  • Accidents
  • Technological or Attack-related Emergencies
  • Other Significant Disruptions to Routine Business

Common Disruptions-

  • Facility issues that affect the workplace, such as plumbing leaks, HVAC problems, loss of power and other utilities
  • Workplace disruptions, such as relocation to new office space or the reorganization of divisional units.
  • Workforce reduction issues, including high levels of absenteeism due to sickness/Pandemic Flu, loss of key staff due to attrition, and the inability to hire sufficient new workers in a timely manner.

Continuity of Operations Plan Definition

Continuity of Operations Plan-COOP

Continuity of Operations Planning is an internal effort within individual component entities, agencies, or government organizations to ensure the capability exists to continue essential mission-critical functions across a wide range of potential emergencies.

Business Continuity Management

Business Continuity Management: SELF-CERTIFICATION?

The 9-11 Commission’s recommendations led to Public Law 110-53, whose Title IX defines voluntary preparedness standards as “… a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as… (ANSI/NFPA 1600).” (1)  The Public Law is an evolution of the commission’s recommendations regarding preparedness standards. (2)

While Title IX specifies that private sector businesses which meet the voluntary standards will be considered in full compliance, oversight would be necessary as with any other compliance standard. Typically, entire third-party organizations and businesses build up around providing certifications. As is often the case with certifications across multiple disciplines, the certifying agency or organization becomes an educational for-profit company. A complete learning business is built around the creation of curriculum, seminars, web-based learning, conference sponsorship, and exams which make use of existing ‘official’ standards. For example, BSI, ISO, FEMA-DHS, and other agencies issue standard operating guidelines which become the fodder for certification. Often these agencies provide their own certifications in the public domain, many of which are self-paced training culminating in an exam and either certification or proof of completion.

It’s not unexpected at all that a company or business would desire to build up an internal certification program. However, the corporate learning organizations have been somewhat impacted by the current economic situation and these self-certifying programs, if not already built, may take a back seat to more pressing business survival training efforts.

