Chapter 2 – Critical Business Information

Hopefully we have all recovered from the somewhat heavy lifting of doing the risk assessment and business impact analysis.  In this chapter we will document several different lists that may be needed during a business continuity scenario.  Most of this information you will already have in various systems like a Customer Relationship Management (CRM) or accounting/billing system.  And it will be good to have all of this captured in one document just in case.  For our purposes, TCS will define the following teams: Management, Service, Human Resources, and Finance.  You could start with a similar structure, depending on your organization, and adjust later if needed.

2.1  Team Call List

In this section we will document the home and work contact information for each employee under his or her respective team.  Easy peasy.

2.2  Team Task List

Now we will define, for each team, a set of tasks to be performed throughout the duration of the business continuity event.  This is a who/what/when list for each department in our case.  Think through your business “People, Process, and Technology” structure again and identify the essential tasks to be performed, deprioritizing the non-essential tasks if necessary.  And, yes, I intend to get maximum use of our PPT graphic since this concept keeps coming up in our discussion.

2.3  Team Action Plan

The Action Plan will feel somewhat redundant with the Task List you just created.  The tool (and sample text) treats this section as defining the Continuity-specific responsibilities and tasks on a per-team and per-site basis, whereas the previous list dealt with the continuation of routine work functions.  It is likely some personnel will have more tasks defined in one list than the other depending on the specific role and delegated tasks.  Some (managers in the case of TCS) will focus more heavily on managing continuity and recovery communication and coordination, while our Service Team will remain mostly client facing.  This is a little nuanced, and the most important thing is that the essential tasks are defined in your plan in one place or the other.

2.4  Team Customer List

Now we will create a list of our key customer contacts.  Since the app provides a separate list for each team, you may want to separate a billing contact versus other contacts.  For TCS this includes a list of our technical points of contact and billing contacts.  If you have defined a Management team like we have, then you could also list key management contacts in that section separate from your primary contacts.

2.5  Team Critical Equipment List

Continuing with our critical lists…we want to document essential equipment.  Think through what items you might need to keep your department going and enter the item, quantity, vendor source, item number, per item cost, and total cost for each row.  As before, the list will be broken down by department.  It would be a good idea, if you have a redundant site or an agreement to use another facility, to keep enough inventory stored to provide quick access to essential equipment.  Otherwise, try to identify a local vendor where you would acquire the equipment with short notice.

2.6  Team Software List

Now we will create a list of software required to run your business.  If you are leveraging hosted or cloud software, then it may be possible to operate with minimal critical requirements for downloadable software.  In fact, a key business strategy would be to move in that general direction.  For example, if you are using Microsoft 365 with hosted email and cloud document storage, perhaps you could get away with using a Chromebook (or any device with a browser) and get by until your normal setup could be fully restored.  Another effective solution, especially for line of business applications that are not yet cloud-ready, is to use a Terminal Server for remote access to these applications.  TCS offers a cloud backup solution where the Terminal Server can be run virtualized in the cloud until the on-premise servers and data are rebuilt.  We are aiming for the lowest cost minimum functionality needed to run the business and the trend is moving in this direction, so it’s worth checking with your IT company and software vendors to assess these capabilities before a disaster.  In fact, I wrote my first article for TCS on this subject a little over a year ago: Strategy: Turning Your Business Inside Out.  While not ideal, my computing requirements and our business systems would (by design) allow me to operate on a Chromebook with no additional installed software.  My business phone number could be forwarded to my cell, and voila!

2.7  Team Supplies List

Now is time for me to admit having a dark sense of humor…it’s true!  When I read the provided example Supplies List, I couldn’t help but wonder what kind of bad day DHS was aiming for when they put together this list…

This reads like items needed after a zombie apocalypse.  I would add shovel and rope and consider my list complete, but I digress 😊

But you get the drill by now…put together a list of supplies you may need and hope your rainy day is less dramatic than what DHS thinks you will need.  And if you think I’m making this up, Google “CDC” and “Zombie” and see what comes up.

2.8  Team Telecommunications List

The reality for TCS is we are small enough where most of these lists can be done in one place.  We just don’t need 1000 items in 20 different department lists, but your mileage may vary. Simpler is better in my opinion.

For Telecommunications, we want the vendor, account number, support number, and the name and email of your point of contact – most likely an account representative.

My goal is to adopt StarLink satellite Internet, at least as a secondary provider, as soon as service is available in our area.  This would make a great backup connection that doesn’t rely on ground-based cabling/fiber infrastructure.  As Elon Musk says, “Plug in socket, point at sky.  These instructions work in either order.”  How about that for getting your Internet access back up and running post haste?!

2.9  Team Vendor List

Critical vendors.  Document them.

2.10 Team Vital Records List

This list includes backups…you are backing up to the cloud, right?!  Critical data, intellectual property, contracts, diagrams.  The best plan here is to have everything in digital form then ensure you have local and cloud copies/backups of this data.  And when we say backup, we mean geographically redundant storage…not keeping a data tape in a separate room from your server. 

<soapbox>If your technology vendor cannot explain in simple terms how they know your backups are executing and the data integrity is validated daily, then it may be time to shop around for someone who gets this.</soapbox>

Time to pat yourself and your team on the back!  By my count we are 56.8% complete with our plan.  In Chapter 3 we will walk through Plan Administration and Maintenance.  This next section is the catalyst that enables companywide adoption through training and awareness.  It also will develop the process for ongoing plan maintenance, thus not becoming an outdated binder on the shelf that is no longer relevant to your business. 

TTFN!

Pour the Coffee

Let’s put on a pot of coffee and roll up our sleeves for this one.  We are about to get into the meat of the Business Continuity Plan and we will want to slow things down and focus on our business functions.  The good news is when we are finished with today’s effort, we will complete Chapter 1 and be 40% finished with the Plan.

And if you have followed our guidance during the Pandemic, your company operations should be flexible in a variety of conditions due to adopting work from home solutions.  This can include laptops, VPNs, IP phones, cloud applications and document storage, or other technologies that help extend your business functions outside of your brick-and-mortar environment.  For TCS, this becomes a game changer and creates an almost seamless transition across all business functions to shift from the office to a home/remote office setup.

1.6 Risk Assessments

We will now document and score what threats may impact our People, Process, and Technology.  As you can see from the screenshot above, we will assess/score the Probability of the threat, the Business Impact of that threat, and our ability to Control the threat.  Each of these will be scored on a scale of 1 to 5, with 1 being “Low”, “No Impact”, and “Good” respectively and 5 being “High”, “High Impact”, and “Poor” respectively.

The tool provides a sample threat list like the one pictured below:

Also, an example of the Risk Assessment table is provided:

Take time to read through the list of threats and look at the examples on how you may score the threats, along with a summary of how the threat could be mitigated.  Each organization will vary in the type of threats, the scoring, and how the threats are mitigated.  This is where you want to spend some energy deliberating on this and work with your team to come up with a comprehensive list.  This exercise could expose some areas where you may need to do more to beef up your continuity strategy.

TCS ended up with 13 different areas but most of them could be at least partially mitigated by defaulting to a work from home strategy.  This may not be possible for all your team, especially if their job function is dependent on equipment or systems on premise.  A helpful tip is to review the Houston County Pre-Disaster Mitigation Plan located here:

https://www.houstoncountyga.org/skins/userfiles/files/Houston%20Co%20PDMP%202020%20(Public).pdf.

This plan addresses many external threats common to our region and can inform your mitigation strategies or affect your scoring because some of these threats are being mitigated at a higher level already.  There is no absolute right or wrong here and the important thing is that these threats are considered and addressed in some logical fashion that is appropriate for your business.  A useful strategy I learned from attending the GBA Southern Operations and Technology School and by working with other Risk Management professionals is to rank order the threats by multiplying each of the 3 score areas (Probability x Impact x Control).  This will give you a composite score for each threat category ranging from 0 to 125.  Understanding these threats as a ranked list can help prioritize spending to further reduce risk if there are gaps in your capabilities.  Of course TCS is available to consult with you regarding your business technology strategy to better align with your mitigation plans.
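The rank-ordering step described above, as an added example that is not part of the original article or the planning tool.  The threat names come from the plan objectives listed elsewhere in this series; every score and the review threshold are constructed for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # every factor is scored from 1 to 5


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int  # 1 = Low, 5 = High
    impact: int       # 1 = No Impact, 5 = High Impact
    control: int      # 1 = Good control, 5 = Poor control

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot skew the ranking.
        for field in ("probability", "impact", "control"):
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value} is outside 1-5")

    @property
    def composite(self) -> int:
        # Probability x Impact x Control
        return self.probability * self.impact * self.control


def rank_threats(threats):
    """Highest composite first; ties go to the higher impact, then name."""
    return sorted(threats, key=lambda t: (-t.composite, -t.impact, t.name))


def spending_shortlist(threats, threshold):
    """Names of threats at or above a review threshold (an assumed cut-off)."""
    return [t.name for t in rank_threats(threats) if t.composite >= threshold]


# Constructed scores, for illustration only.
SAMPLE = [
    Threat("Flood", 2, 4, 3),
    Threat("Fire", 1, 5, 2),
    Threat("Hurricane/tornado", 3, 4, 3),
    Threat("Ice/snow", 2, 2, 1),
    Threat("Pandemic", 2, 3, 1),
    Threat("Utility service outage", 4, 3, 2),
    Threat("Cyber attack", 4, 5, 3),
]

if __name__ == "__main__":
    print(f"{'Threat':<26}{'P':>3}{'I':>3}{'C':>3}{'Score':>7}")
    for t in rank_threats(SAMPLE):
        print(f"{t.name:<26}{t.probability:>3}{t.impact:>3}"
              f"{t.control:>3}{t.composite:>7}")
    print("Review first:", ", ".join(spending_shortlist(SAMPLE, 24)))
```

Because Control is scored with 5 as “Poor”, a threat that is likely and damaging but well controlled drops down the list, which is what makes the ranking useful for deciding where mitigation money goes next.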

1.7 Business Impact Analysis Summary

In this step we want to describe how you determined what to include and leave out of your risk analysis.  What business functions, processes, and interdependencies did you consider?  This does not have to be perfect, and it will likely change over time as you revise your plan, but we want to get a basic statement down on paper and go from there.  Part of our BIA statement included factors studied by Houston County in their plan and we made certain assumptions as a result.  For example, the frequency of tornadoes and floods is addressed in their document.

In the BIA Summary example pictured above, you will see how the Plan will document your different business units and their functions along with the associated manager, processes, and related risks.  Additionally, you will want to determine the maximum time you will allow for a critical function to be down, and the daily revenue loss caused by the loss of business function.  The Recovery Time Objective (RTO) will inform how you prioritize your resources before and during a disaster to recover these functions.  Defining the RTO and RPO (Recovery Point Objective) also helps IT know what business continuity and disaster recovery (and backup history) you need to recover business functions, including the information systems and data.  The lower (in number of days or hours) your RTO and the narrower your RPO, the more expensive the technology solutions will be to achieve the desired goals.  This will be a calculated tradeoff between the capital and operational cost of the technical capability versus the likelihood and (financial or business reputation) impact of an event.  This is a conversation to be had with your IT folks well before a disaster.  It will not be helpful to have an undefined RTO only to discover recovering your data from the cloud will take days and you want that business system up in hours.
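A way to run that RTO/RPO conversation with numbers before a disaster, as an added example that is not part of the original article or the planning tool.  The data sizes, link speed, rebuild times, backup intervals and the 70% link-efficiency figure are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryTarget:
    function: str
    rto_hours: float              # maximum tolerable downtime
    rpo_hours: float              # maximum tolerable data loss, as time
    restore_gb: float             # data to pull back from cloud backup
    backup_interval_hours: float  # time between successful backups
    rebuild_hours: float          # server/app rebuild before data is usable


def restore_hours(gb: float, link_mbps: float, efficiency: float = 0.7) -> float:
    """Hours to download `gb` gigabytes over a `link_mbps` connection.

    `efficiency` discounts protocol overhead and contention (assumed 70%).
    """
    if link_mbps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("link speed must be positive and efficiency in (0, 1]")
    megabits = gb * 8 * 1000
    return megabits / (link_mbps * efficiency) / 3600


def assess(target: RecoveryTarget, link_mbps: float) -> dict:
    """Compare estimated recovery time and worst-case data loss to the targets."""
    recovery = target.rebuild_hours + restore_hours(target.restore_gb, link_mbps)
    return {
        "function": target.function,
        "recovery_hours": round(recovery, 1),
        "meets_rto": recovery <= target.rto_hours,
        # Worst case, everything since the last good backup is lost.
        "meets_rpo": target.backup_interval_hours <= target.rpo_hours,
    }


# Constructed targets for two of the teams named in this series.
TARGETS = [
    RecoveryTarget("Service", rto_hours=8, rpo_hours=4, restore_gb=2000,
                   backup_interval_hours=24, rebuild_hours=4),
    RecoveryTarget("Finance", rto_hours=24, rpo_hours=24, restore_gb=50,
                   backup_interval_hours=24, rebuild_hours=2),
]

if __name__ == "__main__":
    for target in TARGETS:
        print(assess(target, link_mbps=100))
```

With these constructed numbers, the 8-hour RTO for Service is missed by days on a 100 Mbps link, which is exactly the surprise the paragraph above warns about.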

1.8 Business Continuity Strategy

In this section we want to describe, at a high level, the overall approach to maintaining continuity of your business functions.  This will include basic details of a secondary site for temporary operations along with a map and contract information for that site.

1.9 Emergency Operations Center (EOC) Locations/Contacts

This section is straightforward.  You will list each of your Emergency Operations Center locations, a named point of contact, and a phone number for each site.  This could be one site, or you may define multiple.  It is a good idea to have a prearranged agreement with another organization if they have space to accommodate your business continuity team in an emergency.  This could be a reciprocal agreement.

1.10 Alternate Site Locations and Contacts

You will want to complete a similar list for alternate sites for business operations.  This could be the same as your Emergency Operations Center or a different location.  If you have an offsite storage facility, you will want to document that in the appropriate section as well.

1.11 Organizational Chart

During a disaster is not the time to try and figure out who all works where and reports to whom.  Take the time now, if you do not have one, and document the business functions, management, and staff across your business.  If you have this already, simply copy and paste the image into the space provided.

1.12 Team Descriptions and Organization Chart

If your business continuity team will differ in personnel or structure to your org chart, it will be helpful to create a similar chart to define your Business Continuity Organization structure.  An example is provided below; however, this is overkill for TCS being a smaller company, so we opted just to keep our regular org chart knowing the CEO and COO will quarterback the continuity and recovery efforts while Service is busy supporting our clients.  Your mileage may vary.

1.13 Emergency Response Plan Summary

You will summarize the key elements of your Emergency Response Plan in this section.  This plan is separate and distinct from the Business Continuity Plan, although there is overlap.  The BCP will focus primarily on recovery and mitigation and the ERP will focus on preparedness and response.

Okay, time to hit the pause button until next week.  From here we will document various teams and essential lists that are critical to business operations.  This will take us into Chapter 2 of the tool/plan – Critical Business Information.  For those who like checking boxes, here is where we are until we take this up again.  Good progress!

We are continuing from where we left off after the second installment of this series.  Now that we have the app installed and running, it is helpful to revisit where we are on the Site Map.

Preliminary

Title Page

A straightforward title is good.  Ours is simply “TCS Business Continuity Plan”.  Add a date and then move on to the next sections.

Version History

Versioning your document will help you track revisions over time and facilitate distribution of these changes.  The best practice here is to replace the entire document with an updated version to ensure subtle changes are not overlooked if you were to merely swap out pages.  Fill out the remaining information to track who implemented and approved the changes and why changes were made…maybe “Baseline Plan” initially and “Annual Update” thereafter.

Good news is the app shows we are now 4.5% complete.  This is positive feedback for those who enjoy checking boxes and striking through task lists.  In fact, if you have that type in your organization, they are likely a good resource to oversee this effort.  Attention to detail being a key trait as well.  This is not a project to pencil whip.

When you feel stuck or need some extra help, there are often Sample Text links plus the Help menu option is a great resource.

Confidentiality Statement

Your Business Continuity plan is proprietary, sensitive, and confidential.  You do not want this information getting into the wrong hands.  Accordingly, the plan should only be distributed to those accountable and/or responsible for its execution.  Further, the Confidentiality Statement should reinforce the requirement to keep this information close to the vest.

For TCS, we used the sample text and tweaked it a bit from there.

There is an option to add a footer to the document as well.  Marking every page as “Confidential” at a minimum would make sense.

When you Mark Complete and Forward, BCPG will mark this done in the Site Map and increment the overall progress on the progress bar at the top of the app.  Otherwise, if the section is not complete and you want to skip around, it is best to use the Back and Forward buttons.

Business Continuity Plan Distribution/Update List

Much like the section for Version History, we want to track when and to whom the plan is distributed.  For example, collecting a hard copy printout during an employee off boarding would be advisable.  Further, it is helpful to demonstrate that your plan is a living document and an integral part of your business continuous improvement and regulatory compliance process.

Be sure your only copy of the plan is not in your building.  An office flood or fire would be made worse by losing this document as well.  Cloud storage and (tracked) off site physical copies are recommended.  Business owner and/or CEO?  Keep a copy at your house.  In fact, I would ensure all key personnel responsible for managing the business continuity process have a physical copy at home.  This would help in a widespread regional event (maybe driving to the office is not an option) and a grid-down situation (Internet or power outage, for example).

Chapter 1 – Overview and General Information

1.1  Overview

The plan overview provides a summary of the plan’s purpose and contents.  Again, we went with the sample text and adjusted from there.  At this point the tool shows we are over 11% complete.  So far, so good.

1.2 Scope

The guidance under “Scope” is to limit the BCP to one facility/office.  This is to allow for variations between different site locations.  If this does not apply, like TCS only having one office, simply put the address of the main site.  Larger organizations, or businesses with sites that vary significantly in function, may want individual plans per facility accordingly.

1.3  Business Continuity Program Policy

After simplifying the language in the BCP policy, I thought it would be important to add a line linking this policy to any regulatory requirement – I did so as follows: “TCS recognizes the regulatory requirement and the practical benefit of risk reduction achieved by maintaining a robust BCP program.”  Also, I downgraded the language of maintaining a “Certification Program” to “employee training”.  While it is essential for employees to understand their role under the plan, many small businesses cannot support a formal certification process and, as a result, shouldn’t state this in their plan.  This needs to be practical and workable, not some pie in the sky formality that cannot be managed effectively.  That’s my two-cents, at least.

1.4 Planning Assumptions

Okay, time to put your thinking caps on for a while.  Some of the next few sections will be very specific to your organization and its staff and your technical (or manual) capabilities.  One thing Covid has taught TCS and many of its clients is that business continuity need not be a far stretch from everyday mobility capabilities.  In fact, my very first blog article for TCS was on the topic: https://choosetcs.com/2021/01/14/strategy-business-inside-out/.  And we followed up on that concept with a recorded webinar now shared on our TCS Education Youtube channel.  If you can design your workflows and technology around a mobility-first mindset, you are well ahead of the game in the assumptions you can make during a disaster.  Because of this, thinking through this section of the plan was a straightforward process.  If yours is not, it may be time to work with TCS to strategize on how to enable these capabilities for your organization.  This cannot be an afterthought!

1.5  Objectives

Next you will want to list the objectives of your plan.  This will include the goal and focus of your plan, the scope, and what kind of events your plan will address.  Here are a few objectives in our plan:

  • The BCP will primarily focus on maintaining service delivery where other business functions will be deprioritized until Service has maximized its capabilities.
  • The BCP will seek to ensure the health and safety of TCS employees and its clients.
  • The BCP will provide practical steps and guidance for TCS to restore and maintain its operations.
  • The BCP will define under which conditions the formal plan will be activated, but this will not prevent taking needed actions before the plan is in effect.
  • The BCP will address natural and man-made disasters, including: flood, fire, hurricane/tornado, ice/snow, pandemics, utility service outages, and cyber attacks.

Marking this complete now puts us at the 20% mark.  With that, we will hit the pause button for now and pick up next time with “Risk Assessments”.  We will want to camp out a bit on this one, so this is a good stopping point for now.  Before the next session, you will want to think back on the “People, Process, and Technology” business model to help you identify what things in your business could be at risk, and impacted, during an event.