The Manager’s Guide to Simple, Strategic, Service-Oriented Business Continuity

The Manager’s Guide to

Simple, Strategic, Service-Oriented

Business Continuity

A Rothstein Publishing Collection eBook

Rachelle Loyear

MBCP, AFBCI, CISM, PMP

Kristen Noakes-Fry, ABCI, Editor

EPUB ISBN 978-1-944480-38-7

PDF ISBN 978-1-944480-39-4

203.740.7400 • 203.740.7401 fax

info@rothstein.com

www.rothsteinpublishing.com

smalltwitter    smallfb   smallinkedin

COPYRIGHT ©2017, Rothstein Associates Inc.

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher.

No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.

Local laws, standards, regulations, and building codes should always be consulted first before considering any advice offered in this book.

EPUB ISBN 978-1-944480-38-7

PDF ISBN 978-1-944480-39-4

203.740.7400 • 203.740.7401 fax

info@rothstein.com

www.rothsteinpublishing.com

Preface

Business continuity planning and management (BCM). It’s a topic in most organizations that brings a lot of enthusiastic agreement about the critical need to do it, and often a lot of head ducking and looking the other way when the actual planning needs to be done. It’s no secret among BCM professionals that the most difficult part of managing a continuity program is gaining traction for the work. While executives often claim to support the need for a robust BCM program, the reality of having to run the business and deal with day-to-day work often takes priority when to do lists get long.

At the same time, in a best-case scenario, personnel in the organization understand the need for a plan in case something goes wrong, but may not have the time to devote to plan development or documentation, or sometimes even really know where to start. At worst, they see the entire exercise as a waste of their valuable time. After all, they’ve been doing fine so far without a plan. Why go to the trouble of taking time out of their already busy schedule to develop one now? All these things can lead to the actual work of planning being handed off from person to person until it gets to the one person who has no one left to hand it to. And, sadly, that person often does not actually have the information needed to put together a real, workable plan.

Why I Wrote This Book: The Origins of the Three S’s of BCM Success

If this sounds familiar to you, then you are not alone. In countless conversations with BCM professionals I’ve had over the years, I have heard again and again the lament that they didn’t have enough support, or authority, or resources to get the job of planning done. I was in the same position. I was responsible for several hundred department plans for an enormous enterprise, yet the reality was that I had few subject matter experts willing to write them, no matter how many software training classes I gave or how many your deadline has passed emails I sent.

Finally, I decided there had to be a better way to engage and build support for my BCM program with non-BCM professionals - my program partners in the organization. I sat down with a colleague and we talked about our experiences. When we did get a plan complete, what was good about it? How did we get it done? Why did it work in one case and not another? We got out a pen and a whiteboard and made notes and scribbled and planned, and that conversation was the beginning of what I’ll talk about in this book. It was the beginning of completely revamping and reinventing the BCM program. It was also the beginning of an incredibly successful BCM program in that company and in others as I and other BCM managers had begun to embrace and espouse what I now call The Three S’s of BCM Success - or 3S to shorten that up a little:

1)    Simple.

2)    Strategic.

3)    Service-oriented.

How the Three S’s Can Change Your Effectiveness on the Job

This book is all about how those three concepts can completely change the work life of any manager tasked with business continuity responsibilities:

How with a change in your mindset and program, you can gain an incredible amount of traction and support from all of your BCM program partners in the business who have the critical information needed for your BCM plans

How you can change from having people in your organization avoiding you in the hall, aware that they have missed yet another planning deadline, to having them actively seeking you out when they have an update to make to their plans.

In Part I of the book - for those readers who might be new to the world of BCM - I give you an introduction to what BCM is and a high-level overview of what it typically encompasses. Then I dive into the topics of why BCM seems so complicated to so many of the BCM program partners that you must engage with to build and manage plans. In Part II, I show how you can change that complexity, and reboot your BCM programs using the 3S model to gain internal traction, participation, and support. Finally, in Part III, I cover how to put it all together to run an ongoing program that will support your organization’s needs now and into the future.

Stories from the Front Lines: BCM in the Real World

Throughout this book, you will see boxes with what I am calling Stories from the Front Lines. These are real-life stories that I’ve collected from BCM professionals at conferences, seminars, and training sessions, and also some from my own experience. Names of people and organizations have been changed to protect the innocent.

These stories are told in first person as they were told to me. Some may have happier endings than others, but if you have worked in the BCM field for a while, many of them will sound familiar to you. If you have not, then these real life war stories will hopefully provide you some dos and don’ts for implementing your own BCM program.

At the end of each story, I include a few Life Lessons Learned bullet points to show you how using any one of the 3S aspects either helped or could have fixed the issue in the story.

So if you are ready to:

Completely change your approach to the problems of BCM buy-in.

Find new ways to engage and support your BCM program partners and subject matter experts.

Develop easier-to-use policies, procedures, and plans.

Improve your overall relationships with everyone involved in your BCM program.

See how three little words can change your work life.

...then let’s get started on learning about building better BCM!

Rachelle Loyear

New York City

March 2017

Table of Contents

Cover

Title page

Copyright

Preface

Part I: Traditional Business Continuity Management:What Does and Doesn’t Work

Chapter 1: Traditional Business Continuity Management:An Overview

1.1 Business Continuity Management Defined

1.1.1 What’s in a Name? Talking the BCM Talk

1.2 Business Continuity Management Standards and Organizations

1.3 Business Continuity Management Common Terms

1.4 Business Continuity Management Common Approaches

1.4.1 The BCI Good Practice Guidelines Model

1.4.2 DRI International Model

1.4.3 ISO and ASIS International/BSI Standards Model

1.4.4 Comparing the Standards in a Five-Phase Risk Cycle

References

Chapter 2: Traditional BCM: The Roadblocks to Success

2.1 Things That Get in the Way of a Successful Program

2.1.1 Business Continuity Is Not Core Business

2.1.2 Executive Support Is Not Everything

2.1.3 Complexity Is Not Your Friend

2.1.4 BCM Is Rarely a DIY Effort

References

Part II: A New Solution: The Three S’s of BCM Success

Chapter 3: Introduction: The Three S’s of BCM Success

3.1 Three S: A Philosophical Change in Approach

3.1.1 A Simple Philosophy

3.1.2 A Strategic Philosophy

3.1.3 A Service-Oriented Philosophy

Chapter 4: The First S - Simple

4.1 Initiating a New BCM Program

4.1.1 Get Executive Buy-In

4.1.2 Create an Executive Communication

4.1.3 Meet with Senior Leaders

4.1.4 Your Next Level of Meetings

4.2 Analyzing the Business Needs for a BCM Program

4.2.1 BCM Program Goals

4.2.2 BCM Program Policy

4.2.3 BCM Program Procedures

4.3 Building the Program and Program Components (Plans)

4.3.1 Who, When, Where, What, and How - The Basics of Planning and Templates

4.3.1.1 Who: Team Roles

4.3.1.2 When: Response Times

4.3.1.3 Where: Response Locations

4.3.1.4 What: Team Resources

4.3.1.5 How: Plan Tasks and Checklists

4.3.2 Allowing for Complexity as Needed

Chapter 5: The Second S - Strategic

5.1 Determining Business Tolerances

5.1.1 Finding the Critical Functions

5.1.2 Finding the Critical Functions Using a Business Impact Analysis

5.1.2.1 The Complex Approach to BIA and Why It Is Bad

5.1.2.2 Identifying Critical Functions Without a BIA

5.1.3 Performing a Strategic BIA

5.1.3.1 Identifying Assets and Asset Owners for a Strategic BIA

5.1.3.2 Valuing and Prioritizing Assets with Your Asset Owners

5.1.3.3 Identifying Hard-to-Find Critical Functions and Dependencies for a Strategic BIA

5.1.3.4 The Purpose of Asset and Critical Function Prioritization

5.1.3.5 Completing the BIA Questionnaire

5.1.4 Performing a Strategic Risk Assessment

5.2 Allowing the Business to Decide What It Needs

5.2.1 When BCM Program Partners Minimize Criticality

5.2.2 When BCM Program Partners Inflate Criticality

5.2.3 Ensuring the Correct BCM Program Partners Are Making Strategic Decisions

References

Chapter 6: The Third S - Service-Oriented

6.1 The Do-It-Yourself vs. Do-It-for-Me Person

6.2 Let Subject Matter Experts Be Subject Matter Experts

6.3 The Planning Process

6.4 Get Better Plans by Sharing Best Practices

6.5 Plan Management Software - Benefit or Barrier?

Part III: Putting It All Together For Results

Chapter 7: The 3S BCM Program in Practice

7.1 Testing and Exercising

7.1.1 Simple Testing and Exercising Programs

7.1.2 Strategic Testing and Exercising Programs

7.1.3 Service-Oriented Testing and Exercising Programs

7.2 Program Maintenance

7.3 Responding to a Business Disruption or Crisis

7.3.1 The Service-Oriented BCM Team During a Business Disruption or Crisis

Chapter 8: Looking Ahead - The Growth of Organizational Resilience

8.1 The Future of Business Continuity

8.2 The Evolving Global Risk Situation

8.3 Organizational Resilience

8.4 Embracing Organizational Resilience

8.5 Organizational Resilience and the 3S Model of Business Continuity Management

References

Chapter 9: Final Thoughts - Where Do You Go From Here

Appendix A: Example Procedure Documents

A.1 Example Emergency Response Procedure Document

A.2 Example Crisis Management Procedure Document

A.3 Example Crisis Communications Procedure Document

A.4 Example Business Continuity Planning/Requirements/Templates Procedure Document

Appendix B: Example Tiered Plan Template Requirements

B.1 Critical Function/Department Template

B.2 Medium Impact Function/Department Template

Appendix C: Example Plan Documents

C.1 Example Crisis Management Plan

C.2 Example Functional Area Business Continuity Plan

C.3 Example Facility Business Continuity Plan

Appendix D: Example Crisis/Disruptive Event Checklists

D.1 Example All-Hazards Universal Checklist

D.2 Example Severe Weather (Hurricane/Winter Storm/Other) Checklist

D.3 Example Flood Universal Checklist

Appendix E: Business Impact Analysis and Risk Assessments

E.1 What is a Business Impact Analysis (BIA)?

E.2 What is a Risk Assessment?

E.3 BIA Asset Valuation Methods

References

Credits

About the Author

More from Rothstein Publishing

Part I

Traditional Business Continuity Management:

What Does and Doesn’t Work

This part of the book will take a look at the world of business continuity and a few closely related topics such as crisis management, emergency response, and organizational resilience. I explore some of the standards and guidelines that drive the traditional approach to business continuity management (BCM) programs, and then consider some alternative ways to think about those standards to allow you to get your BCM program up and running quickly and simply without getting bogged down in all the details of traditional BCM.

Are details always bad? No. But in my opinion, there’s a time and a place for them. Thus, in this book, the time is later and the place will be where you find yourself wanting to dig a little deeper into a particular topic or needing a more granular plan for a very complicated function. Starting out, there’s no need to make things any more difficult than an undertaking as large as a BCM program can already be.

In Part I of the book, I cover:

Chapter 1 - Traditional Business Continuity Management: An Overview

Chapter 2 - Traditional BCM: The Roadblocks to Success

Chapter 1

Traditional Business Continuity Management:

An Overview

I begin Chapter 1 by diving into the basic topics of what business continuity management (BCM) really is, what standards and guidelines have been the base of most traditional BCM programs, and how those traditional base standards can be simplified and made more accessible to people who are new to participating in a BCM program - whether they are running the program or being asked to contribute to the planning process as subject matter experts from departments that need continuity plans.

A Note on Chapter 1 for the Beginner:

If you are approaching BCM for the first time, a few basics in this chapter will ensure that through the rest of the book we are all beginning from the same basic understanding and terminology. Whether you:

Have been tasked with implementing a BCM program in your organization.

Think your organization might need BCM and would like to know more about how to build a program.

Are a business subject matter expert who has been named as a contributor to a BCM planning program.

...this