Business Continuity Disaster Recovery COOP Crisis Management John Glenn CRP MBCI

August 21, 2006

 

    A little help for a friend

Parts of a plan - Part 1


John Glenn, MBCI
Certified Business Continuity Planner


An acquaintance of mine recently asked me to take a look at her organization's "disaster preparedness and recovery plan."

What I saw was a plan drawn up by a Human Resources person who had little understanding of how a "real" plan is put together, but who nonetheless had an understanding of her organization and a concern for its well-being. There is merit in the HR person's effort and, unlike some amateur plans, this exercise won't endanger anyone; in fact, it may offer some protection.

 

Critical processes

    The third step in creating a plan is to identify critical processes, the processes which determine why the organization exists. The answer is NOT "money."

    The question: What product or service does the organization provide or supply?

    Every organization - commercial, industrial, government, non-profit - without exception provides a service or supplies a product. That service or product is the reason the organization exists. If you think InfoTech is the raison d'être for the establishment, 99 percent of the time you are wrong; InfoTech is a critical resource (read "risk"), but normally not the product or service that generates income.

    The local welfare office dispenses money; it does not "make" money in the sense that it "sells" a product. It is, rather, funded by government - that's us, folks - to efficiently provide a service. It needs a viable Business Continuity plan to assure it meets its mandate; senior agency management needs a viable Business Continuity plan to protect itself - "CYA" if you will; and the funding government needs a viable Business Continuity plan for the welfare department to assure its funding is used wisely. It should go without saying (but it won't) that the funding government also needs its own Business Continuity plan (known in US government circles as a Continuation of Operations Plan - or Continuation of OPerations plan; in either case, a COOP).

    The politically correct version of "CYA" stands for "Cover Your Assets," and I always am politically correct.

 

Looking for risks

    Once the critical processes are identified, it's time to go In Search of Risks.

    Risks can be found anywhere and everywhere. They can be sneaky and overlap one another or appear in several broad categories.

    Is a hurricane a risk? In a broad sense, yes. But what, really, is a hurricane?

    • Strong, sometimes very strong winds.
    • Flying debris.
    • Loss of power.
    • Lack of access.
    • Loss of communications.
    • Coastal storm surge.
    • Torrential, "cat and dog" deluge.

    Where is "flooding?" It's covered by storm surge and torrential rain, just as "hurricane" is an umbrella risk for the list above. It pays to list risks in each and all of their representations, from the gross (hurricane) to the fine grain (lack of access resulting in loss of personnel).

    Planners must - not "should," but "must" - sit down with functional unit Subject Matter Experts (SMEs) to ferret out all the risks; an isolated planner sitting at a desk will miss risks. The only way to identify the off-the-wall risks which can turn a disaster condition into a true disaster is to "explore the possibilities." Initially, nothing is too far-fetched to consider. I recommend that even experienced planners work with their peers to uncover risks that may have been overlooked; tyros and planners-for-a-day (like our HR person, who DID seek help) certainly should "seek professional help."

    Risks can be shared across functional units. Bringing together personnel - managers and selected staff from different functional units (FUs) - provides a group dynamic which often uncovers shared risks: the manager of FU "A" rattles off a list of risks to the group; the manager of FU "B" checks off the unit's risks, perhaps including one or two borrowed from the previous manager. As the second manager recites the FU "B" list, the first manager often pipes up, "Ahh, I forgot about that; add it to my list, too."

    A word about HR. This functional unit, while normally not a profit center, has a risk which can cost the organization some "really big bucks." It's called "I-9."

 

Rating process

    Once the risks are identified, they need to be rated.

    This is a three-step process.

    The first thing to determine is what the risk costs if it occurs. Cost can be lost revenue or actual cost, including penalties. Some Functional Unit (FU) managers can provide cost information, but typically this is a number known only to the Chief Financial Officer (CFO) and those who report to the CFO. Don't despair; visit the CFO and get the "real" data.

    Try to capture costs on a process basis. If a process generates $1 each time it occurs, multiply that by times-per-hour - usually a good base figure. Extrapolate this figure to day, week, and 30-day month for lost revenue for each period. On the flip side, if personnel are unable to do their jobs for an hour, day, week, 30-day month, how much will it cost in wages and benefits? Two sides of the same coin.

    Bear in mind that losses may vary by time.

    The second step in risk rating is impact on the organization. Unlike all the previous "process-based" efforts, this process is enterprise-based.

    Although many organizations operate with a silo mentality, with each FU knowing only its own responsibilities, Business Continuity is concerned with the total picture. If one FU fails, what will be its impact on the entire organization? If a risk directly impacts only one FU - InfoTech, for example - but that FU's failure impacts profit centers, then the risk has impacted the entire organization and degraded its ability to provide a service or produce a product; the financial "bottom line" is jeopardized.

    Many planners rate risk impact on a scale of 1-to-3 or 1-to-5, with "1" being no or minimal impact and "5" being severe impact. The labels themselves are not critical, but they must be consistent.

    The third step is rating each risk's probability of occurrence. How likely is it that a hurricane will visit Houston TX? How likely that there will be a snowstorm in the Negev?

    For Houston, the probability of a hurricane is high; for the Negev, the probability of snow of any quantity is minimal.

    Rate each risk's probability using the same scale as its impact.

    Finally, prioritize the risks using the impact and probability of occurrence results.

    Risks with the highest ratings need immediate attention; risks with the lowest ratings need minimal attention and can wait or perhaps can be ignored altogether.
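The worksheet below is an added example, not the author's own tool, that carries the three-step rating above through in code: the per-process revenue extrapolation (per occurrence, times occurrences per hour, out to day, week and 30-day month), a 1-to-5 impact score and a 1-to-5 probability score on the same scale, and a prioritized list. The article does not say how impact and probability are combined or where the "immediate" and "minimal" cut-offs lie; multiplying the two scores and the threshold values 15 and 6 are my assumptions, as are the sample risks and dollar figures, which are constructed for illustration.

```python
"""Risk rating worksheet: cost extrapolation, 1-to-5 scoring, prioritization.

Added example; the risks, costs and thresholds below are constructed, not
taken from any real organization or from the article.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # the 1-to-5 scale: 1 = no/minimal, 5 = severe


def extrapolate_loss(revenue_per_occurrence, occurrences_per_hour,
                     hours_per_day=24, days_per_month=30):
    """Lost revenue per hour, day, week and 30-day month for one process.

    Assumes the process runs hours_per_day every calendar day (default 24x7,
    an assumption); pass a smaller hours_per_day for a business-hours process.
    """
    per_hour = revenue_per_occurrence * occurrences_per_hour
    per_day = per_hour * hours_per_day
    return {
        "hour": per_hour,
        "day": per_day,
        "week": per_day * 7,
        "month": per_day * days_per_month,
    }


@dataclass
class Risk:
    name: str
    process: str          # the critical process the risk threatens
    impact: int           # 1-5, enterprise-wide impact
    probability: int      # 1-5, same scale as impact (consistency matters)
    cost_per_hour: float  # from the CFO, not guessed

    def __post_init__(self):
        # Reject inconsistent labels up front: mixed scales make rankings meaningless.
        for label, value in (("impact", self.impact), ("probability", self.probability)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {label} must be 1..5, got {value}")

    @property
    def score(self):
        # Assumption: combine impact and probability as a product (max 25).
        return self.impact * self.probability


def attention_level(score):
    """Map a combined score to the article's attention tiers (thresholds assumed)."""
    if score >= 15:
        return "immediate"
    if score >= 6:
        return "scheduled"
    return "minimal"


def prioritize(risks):
    """Highest score first; ties broken by impact, then by hourly cost."""
    return sorted(risks, key=lambda r: (r.score, r.impact, r.cost_per_hour), reverse=True)


def rate(risks):
    """Return (name, score, attention level) tuples in priority order."""
    return [(r.name, r.score, attention_level(r.score)) for r in prioritize(risks)]


# Constructed sample register for a hypothetical Houston office.
SAMPLE_RISKS = [
    Risk("Loss of power", "order entry", impact=5, probability=3, cost_per_hour=1200.0),
    Risk("Negev snowstorm", "field office", impact=3, probability=1, cost_per_hour=150.0),
    Risk("Lack of access (loss of personnel)", "order entry", impact=4, probability=3, cost_per_hour=900.0),
    Risk("I-9 non-compliance", "HR", impact=4, probability=2, cost_per_hour=400.0),
]

if __name__ == "__main__":
    # $1 per occurrence, 60 occurrences per hour, 24x7 process
    for period, loss in extrapolate_loss(1.0, 60).items():
        print(f"lost revenue per {period}: ${loss:,.2f}")
    for name, score, level in rate(SAMPLE_RISKS):
        print(f"{score:>2}  {level:<9}  {name}")
```

Run it as a script to see the extrapolated losses and the ranked register; a real register would carry one row per risk per critical process, with the impact judged across the whole enterprise rather than within the owning FU.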

 

As long as you're here

    As long as you have everyone gathered together talking about risks, collect information about work-around options. What can be done to maintain at least a minimum level of service until business as usual can be restored? Pencil and paper in lieu of software, networks, and servers?

    Having asked that question, ask how long a work-around can be sustained before it becomes (nearly) impossible to catch up later.

    How long can the operation be completely "down?" For most - not all, but most - organizations, this is 3 business days.

    How much information can be lost before full operation is restored?

    After restoration to business as usual, how long will it take to move the "work around" effort to the normal operation? For example, if copying from a paper document to an electronic file, how many minutes/hours will it take for each paper document? How will the transfer be accomplished: with regular employees working more efficiently, with regular employees working overtime, with supplemental staffing, with a combination of options? Are there any security or confidentiality considerations?

    Finally, find out if there are any regulations, manuals, and other required documentation, including forms, which are needed. Where are these documents and, for consumables, what is the volume of forms used in a typical day? Multiply this by the number of days to replace the forms (order, print, deliver).

 

Recommendations

    Armed with the information about risks - probability, impact (including financial) - the planner needs to provide recommendations to avoid or mitigate the risks. Typically there are multiple ways to handle a risk; the most expensive usually is to avoid it.

    Avoidance and mitigation options take research. One of the best sources of information is the vendors who offer the avoidance or mitigation options. Determine what is needed, as specifically as possible, and find vendors who deal in the product or service. Be up front with the vendor; let the vendor know you are seeking information; your inquiry is a Request for Information, not a Request for a Proposal or Quote - at least at this stage. You want product information and a ball park or Manufacturer's Suggested Retail Price (MSRP). The organization may have a purchasing relationship with specific vendors, but that normally is not the planner's concern. (Purchasing will deal with vendors later.)

    Unless the planner is privy to the organization's long range (5 years or more) business plan (and the planner should be for best results), the Standard Operating Procedure (SOP) for presenting recommendations is according to the risk's priority. If the planner deems a risk so great that it must be avoided (as in a 24*7 process), then the avoidance option(s) are presented first, with a brief statement justifying the recommendation and the MSRP.

    Management will make the avoid/mitigate/ignore decisions.

 

Put it all together

    Once the information is collected, create a document for management. Bear in mind that management is notorious for not spending more than a few minutes reading documents, no matter how critical.

    Create a short Executive Summary summarizing the findings.

    List the critical processes and the risks to each process; unlike the Summary, this section can be detailed.

    Finally, list the risks and the recommendations, including why a specific recommendation was selected as the best option.


    The first item in a Business Continuity plan is to acquire Very Senior Management sponsorship for the plan. Lacking VSM Sponsorship, the consultant planner should pack up his or her bags and look for a new client; the staff planner needs to update and distribute his or her resume for there never will be a viable Business Continuity plan.

    The second step in a Business Continuity plan effort is to develop a very specific Statement of Work (SOW) and the related Project Plan. Without a SOW and Project Plan, the project has neither direction nor timeline milestones - like Charlie on Boston's MTA, the plan could continue forever. (See http://dnc2004.tripod.com/id23.html for details of Charlie's ride on the MTA.)

    Plan Part 2

 

 


John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others at http://JohnGlennMBCI.com/ may be sent to Planner @ JohnGlennMBCI. com.

 


 

© 2006, John Glenn MBCI