Treating the Causes of Bad Management Reviews

Faults & Fixes: Bad Management Reviews

Senior management engagement is critical to business continuity success, so it’s becoming more and more common for organizations to involve management when designing and implementing business continuity programs.  However, after the initial implementation project wraps up, it is much less common for organizations to regularly engage management on program direction, capability, and maturation, via what the management system concept calls a “management review”.  While the concept of management reviews is relatively new to the business continuity profession, when fully implemented and combined with appropriate messaging, management reviews are the best way to get management to participate actively and stay engaged, as well as close program gaps and improve performance.  Continue reading

How, When, and If to Implement Business Continuity Software

Business continuity planning software can add significant value if it complements a strong program that has management support, competent personnel, and the information necessary to establish requirements, identify strategies, and document plans. While software will not “do business continuity planning for an organization”, it can provide an already-built and structured approach that automates what could otherwise be a manual internal process, freeing practitioners to focus on program maturation.  That said, not all software is right for every organization, so it is important to ensure any selected software is a right fit BEFORE trying to implement it.  Many organizations approach software selection anticipating that the software vendor will show them what they need or tell them what features best fit their program; however, without first understanding the program’s current state, needs, and capabilities, odds increase that organizations will select software that does not align to the current state program and could thus require significant additional customization or result in ineffective use.

This article discusses common business continuity software myths and selection issues and provides recommendations on factors to consider before deciding to pursue, select, and implement a business continuity planning software solution, so that you can get the most value from whatever option you select. Continue reading

Integrating Cyber Security and Business Continuity

The last several years have continued to see an increase in the sophistication and volume of cyber threats, with a 42% increase in targeted attacks in 2012 (as reported by Symantec, in its 2013 Internet Security Threat Report).  The range and types of threats vary greatly as well; in June 2013, InfoSecurity magazine listed the top five specific IT cyber security threats as: data breach, malware, DDoS, mobile threats, and industrialization of fraud – each of which requires a different preventive and response approach.  An Ipsos survey for Lloyds Risk Index 2013 indicated that cyber risk is the third biggest concern for CEOs when assessing organizational threats, jumping nine spots from the previous year’s ranking of 12th.

In most organizations, monitoring and response has continued to develop and mature within IT to proactively address vulnerabilities.  That said, there may be opportunities to better integrate IT’s response to such illicit activity with the organization’s business continuity program and structure, so that if an event does occur, the organization ensures a timely and coordinated response.  After all, cyber security incidents can have business continuity implications and impacts that extend far beyond IT. Continue reading

Why Documentation Is So Much More Than Just Documents

Part of Avalution’s Conforming to ISO 22301 Series

This perspective takes a look at ISO 22301’s requirement for documentation, which includes documented processes and procedures, as well as evidence of business continuity planning execution.  The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the spring of 2013). Continue reading

Multi-Site Disaster Response and Coordination Best Practices

Most organizations that have experienced a crisis would likely agree that advance planning is critical to enabling an effective response. When a disaster impacts several sites simultaneously, it makes coordination even more chaotic, so the importance of a defined structure increases. Organizations with multiple facilities or sites, especially those within “at-risk” regions, should take proactive steps to prepare their organization for events that require a widespread and coordinated response. Specifically, these preparedness steps include enabling coordination, communication, and adherence to organizational policies in advance of a disaster to ensure all sites implement appropriate response procedures. This article summarizes best practices that help enable sites to work together and execute common, approved response strategies to minimize impact and reduce confusion. Continue reading

Why You Should Pay Attention to Business Continuity Standards (Even If You Aren’t Seeking Certification)

Standards…ugh! Even though the business continuity profession appears to be paying some attention to the topics of standards development and organizational certification, you may be tempted to skip over these articles and ignore the opportunity to review new or revised standards when released (especially if you feel organizational certification isn’t right for your organization). However, many reasons exist as to why all organizations (and BC practitioners) should not only pay attention to standards, but also seek opportunities to incorporate applicable elements of them into their programs to improve performance and enhance credibility. Continue reading

Planning for Every Scenario is “for the Birds”

Why “Chicken Little” and “Black Swan” Planning is NOT the Way to Respond to Recent Catastrophic Events

It seems that every week, there’s a story in the news about a catastrophic disaster happening somewhere in the world.  The last five to ten years have seen what appears to be unprecedented numbers of global natural disasters, leaving some to wonder if the whole 2012 end of days conspiracy theorists are perhaps onto something.  While it might seem like the world is ending, overacting to these events or trying to plan for every worst case scenario is not productive and could DAMAGE your business continuity program.  This article will discuss why focusing on these types of outlier events do not generate value or management interest, as well as discuss ways you CAN tweak your risk assessment and planning to ultimately gain more value without trying to tackle impossible planning standards. Continue reading

Applying Root Cause Analysis (RCA) to Business Continuity

Though many business continuity standards emphasize the importance of tracking corrective actions to address identified issues, the recently published ISO 22301 (and previously BS 25999-2) also requires conducting a root cause analysis – looking not just at an issue, but its cause and how it can be prevented in the future.   Root cause analysis (RCA) is an approach that seeks to proactively prevent reoccurrences of the same adverse event or systems failure by tracing causal relationships of a failure to its most likely impactful origin, then putting measures in place to mitigate underlying causes to ultimately help prevent recurrence of the adverse event in the future.  While common in disciplines that deal with extreme precision and protection of life (e.g. quality and environmental health and safety), there’s no reason the business continuity discipline cannot benefit from a similar approach, particularly for practitioners looking to fully implement ISO 22301.  This article explains root cause analysis and identifies how organizations can benefit from implementing the concept in a business continuity context. Continue reading

Selling the Business Continuity Case to Executive Management

If your organization has not already invested in business continuity, selling the “business continuity” business case to executive management can be difficult.  Many believe that since they’re already paying for insurance, investing in business continuity is paying for the same end result twice.  However, getting management committed to the concept and requisite investment can often depend on how you sell the benefits, focus on your audience’s key priorities, and keep the pitch realistic and relevant.  This article summarizes specific topics and techniques to help management see the value business continuity can bring to your organization. Continue reading

Moving Beyond Magnetic Tape Backups

Since individual technologies seem to change at a rapid-fire pace, it’s shocking how long magnetic tape media has survived (first used in 1951 to record computer data, it outdates hard drives and is now approaching 61 years of use!).  Although innovative new mediums (e.g., hard drives and solid-state storage) have exponentially increased speed and reduced the physical size of storage over the decades, cost and/or scaling issues left magnetic tapes as the logical disaster recovery choice for most organizations.  Recent innovations in both storage mediums and performance enablers, however, may be the catalysts necessary to finally move beyond tape.  This article will explore one alternative, electronic data vaulting and the use of virtual tape libraries, and compare its benefits and shortcomings to magnetic tape. Continue reading