As presented at DRJ Spring World 2015.
Presenter: Robert Edson, Vice President, MissionMode
While business continuity management as a discipline continues to develop rapidly, it’s clear that many companies worldwide are failing in terms of disaster readiness. There’s no doubt that business continuity management is complex, but there are things every company can do to speed up their BCM maturity curve.
In this presentation, Edson takes an in-depth look at common pitfalls as well as solutions to improve program effectiveness that any company can implement. He shares results from MissionMode’s Readiness Survey and experience gained working with MissionMode clients including Gap, Inc., Xcel Energy and others to illustrate how the right combination of teamwork, templates, testing and tools helps organizations enhance their business continuity programs.
2. Business Continuity Readiness Overview
Business Continuity Management (BCM) as a
discipline continues to develop rapidly, but…
Source: CI/KPMG 2013-2014 Benchmark Study
“75% of
companies worldwide are
failing in terms of Disaster
Readiness”
Source: Disaster Recovery Preparedness
Benchmark Survey, 2014
7. Right Team – Executive Sponsorship
Multiple studies have shown the linkage between
C-Level involvement and BCM Program success
8. Executive Sponsor Roles
• Select/review BCM team leadership
• Secure funding to support BC/DR initiatives
• Lead steering committee
• Weigh-in on key decisions
• Request/review key metrics
• Create a business continuity
culture
9. Right Team – BC Team Roles
63% of companies claim between 0-2 of full-time employees
dedicated to BC/DR.
Let’s Explore Three Key Roles:
BCM Director/Lead Functional Leads External Stakeholders
10. Case Study: Creating a
Continuity Culture – Gap, Inc.
Challenge: Building relevancy for a new global
business continuity program in an organization
that had only spotty BC/DR initiatives previously
Keys to Success:
• Clear “Source of Power”
• Short chain of command to executive sponsor
• Company wide visibility
• Foster team-wide relationships/break-down organizational silos
• Technology-driven processes
• Celebrate wins
11. The Right Templates
What templates are required depends
on the event types you need to
prepare for. Top threats include:
1. Severe Weather
2. IT Issues (outages, breach, virus…)
3. Power Outages
4. Natural disaster (flood, earthquake)
5. Physical Violence
6. Fire
7. Epidemic
8. Product delivery/quality
9. Scandal/reputation
10. Theft
12. Team ID
• Primary
• Alternates
Risk Assessment
• Situation
Monitoring
• Team Activation
Impact Assessment
(Go/No Go)
• Impact
Assessment
• Go / No Go
Decision
Template Creation
Response Planning
• Communications
• Functional
Assessment
• Plan Checklists
Recovery
• Communications
• Damage
Assessment
• Repair planning
• Vendor Impacts
Metrics Review
• Pre-Event ID
• Decision Speed
• Communication
effectiveness
• Recovery speed
13. Case Study – Xcel Energy
Standardizing Incident Management
Challenge: Poor response record to outages based on
siloed approach to emergency response
Keys to Success:
• Regulatory driven requirement to improve metrics
• Top-down mandate to create standardized approach
• Lead appointed to champion enterprise-wide effort
• Flexible tool selected to pre-populate templates (teams
members, contact preferences, messages, task lists)
• Standard process, customizable by division – flexibility
• System applied to both emergency and routine
operational events
14. Drills – Practice Makes Perfect
Writing a plan on paper and making
it work in a real emergency are
wildly different. Testing critical for:
• Team training
• Breaking departmental silos
• Validating plan effectiveness
• Testing support tool configuration
16. The Right Tools:
Incident Management in the Digital age
Business Continuity has gone virtual for good reasons:
• Redundancy/systems access key in an emergency
• Increasing geographic dispersion of BCM teams
• Simplified information access speeds decision
making
• Affordable, easy to use tools
remove barriers to automation
17. Key Functionality for BCM Efficiency
Effective
Communications
Simplified Project
Management
• Intelligent Alert system
• Escalates alerts across devices
• Personalized message delivery
• GIS mapping for location-
specific alerts
• 2-way messaging with one
touch response
• Easily integrates with IT systems
• Real-time dashboard for
delivery/receipt
• Virtual Collaboration Platform
• Pre-populated templates
• Messages
• Task checklists
• Document library
• Centralized event dashboard
• Operational logs with time
stamping
• Intelligent alerting
• Rich media sharing
• Mobile app
18. Case Study: Driving Efficiency with
better tools - Birmingham Airport
Challenge: Consolidated emergency response teams across the
airport. Needed paperless, centralized system for logging and
managing both routine operational and emergency issues.
Keys to success:
• Ease of use
• Accessible anytime/anywhere
• No need to change current processes – easy start up
• Logged activities are time/date stamped for regulatory compliance
• Centralized dashboard of events allows management to get up to
speed quickly – great for shift changes
• Use system daily – becomes second nature vs. only for crises
19. Metrics Matter
Most commonly tracked metrics:
• Completion of drills
• Incident response performance
• Completion of objectives
• Awareness generation
• Operational performance
(SLAs)
BCM programs that systematically track and report on key
performance indicators reach maturity faster.
Source: Continuity Central Survey
20. Don’t be a Statistic
• 25% small businesses close each year due to inability to
recover from a disaster
• 180 of 350 businesses shut down in the World Trade
Center disaster never reopened
Instead…Build BCM Program Maturity with
the Four T’s Approach
While BCM Program maturity continues to grow, overall levels of readiness are spotty:
This year’s CI/KPMG benchmarking study showed an 8pt increase in the number of respondents self-reporting program maturity
BUT at the same time 2014 Disaster Recovery Preparedness benchmark report showed 75% of companies failing.
MissionMode’s own Readiness Survey results show something in between
Our Readiness Survey asks respondents to rate themselves on a wide variety of readiness factors pertaining to:
Team
Planning
Risk assessment
Response effectiveness
Post response evaluation
Then it gives calculates a weighed Readiness Score on a 0-100 scale. Of the hundreds of organizations who’ve taken the survey, we’re seeing an average readiness index of 58
A full third of respondents are still feeling very or slightly unprepared.
Planning and testing is a fairly large gap:
7% have no plans in place at all
22% have preliminary plans drafted, but no training or testing
32% have plans drafted and trained but for only some event types, not all events
In contrast to the CI Benchmarking study results, only 20% of our survey respondents have both the templates and the tools in place for incident management
The majority have templates without corresponding tools and processes for execution
If you’re interested in learning your organization’s Readiness Number, you can find out by taking our Readiness survey at www.missionmode.com/be-ready
Or visiting us at booth #514.
So why are so many organizations having trouble reaching program maturity? Well as most of you in this room know – Business Continuity Management is hard work!
The fact is it takes a highly disciplined approach to achieve program maturity and many programs lack the support they need to succeed.
That’s why MissionMode has created the Four T’s approach to help companies struggling with achieving BCM program maturity identify and fix the issues that are holding them back.
The Four T’s to BC success include:
Team
Templates
Testing
Tools
And a fifth success factor not starting with T – a metrics driven approach
The First T is Team
And the right team starts with Executive sponsorship in the form of a single C-level person responsible for BCM success and an executive steering committee to monitor and guide the overall program
Studies prove that programs with executive support beat programs without support on nearly every metric
The CI Benchmark study looked at this issue in detail – a few highlights from the chart above:
Programs with steering committees are:
- 63% more likely to do test exercises
105% more likely to do BCM Performance Reviews
92% more likely to do Technology recovery testing
In fact, companies without steering committees are 3 times more likely to have no BCM performance metrics in place at all
Since it’s clear that executive sponsorship is critical to program success,
It’s worth a deeper exploration of the role of the executive sponsor.
This person or team must get Business Continuity on the map as an internal business priority
On the map with the full executive team
On the map across all divisional siloes
On the map with each employee
Companies that are good at this actually create a Business Continuity Culture
2. This person needs to select and manage the BCM team leadership and support this team with Funding, and key risk assessment decisions
Executive leadership is critical, but day-to-day success will be driven by the team itself:
Some organizations have teams of full time employees dedicated to business continuity management, but this isn’t the norm. 63% of companies report having between 0-2 FTEs dedicated to BC/DR program management.
The right team has three major roles:
BCM Director/Program Lead: This person is responsible for organization and management of the company-wide effort. Including: determining what events to prepare for, making sure the right teams are in place for each event type, drafting and documenting plans, ongoing testing, collection of metrics post event and ongoing optimization of the program
2. Functional Leads: To successfully respond to any disruptive event take a cross functional approach. Team leads need to be identified to manage communications, ensure facilities security, support customer service, manage operational impacts and more. For each event type, a different team is required.
3. External stakeholders: these may include public safety officials, suppliers, media and others who need to be kept in the loop in the event of an emergency.
Michael Lazcano was hired at GAP 8 years ago to help them create a global BCM program. Previously, they had no clear plan in place although certain divisions were more developed than others.
-Luckily Michael had a clear management mandate and support
-The management team made this a high visibility initiative where failure was not an option
-But that alone was not enough – GAP was very geographically driven at the time and Michael had to work hard to create a global team that would work together to make this effort a success-Relationship building across multiple face-to-face sessions helped
-Celebration of wins was also key
But they couldn’t have achieved the level of global compliance they have attained without a technology driven approach.
Planning and template creation is one of the most critical factors for BCM program success.
The first step of the process is to identify which events you need to prepare for. Doing some preparation across a wide number of events is less effective than doing complete detailed planning and training across a smaller number of events. Plan to tackle whatever you can manage to completion before moving to the next event type.
This slide illustrates the most commonly experienced event types.
Over 50 % of companies with BCM programs in place, activated their teams for weather, IT and power related issues in 2013.
Planning and template creation is a six step process which needs to be repeated for each event type you choose to tackle:
Team Identification: Functional team leads and alternates plus external stakeholders need to be identified. Contact info for multiple devices should be stored for emergency notification purposes
Risk Assessment: Someone needs to be responsible for monitoring risk and specific triggers identified which would merit BC Team activation
Impact Assessment: Plans should cover who, how, and what information will be gathered to facilitate decision making and how that information will be shared across the full team.
Response Planning: each functional team needs to use planning templates to create their detailed plans. Templates should include checklists of likely impacts and must be easily sharable
Recovery: This stage is about execution and communication. Because of team interdependencies, full visibility of the situation dashboard facilitates better coordination
Post Event Review: As part of the template creation process the team should determine which metrics will be measured to evaluate success.
Xcel Energy had a real problem. Each business unit had their own approach to incident management and none did it particularly well. They were incurring fees for not meeting regulatory standards on outage response.
Management determined that they needed to a standardized approach cross company and appointed a champion to lead the enterprise wide effort
They opted in implement MissionMode’s Situation Center for management of both routine and emergency events and pre-populated the tool with templates for everything from power outages, severe weather risks, IT issues and more.
Templates included team members/alternates, contact preferences and data, check lists, and pre-approved alert messaging, operational log procedures
They evaluated the best processes across the company and used these when developing the enterprise-wide approach. Were able to configure the tools around their existing best practices vs. having to develop whole new processes.
Because the system is used for both routine and emergency events, adoption was much quicker than for organizations that only deploy their emergency response solutions infrequently.
One of the biggest issues faced by companies looking to improve their BC program maturity is overcoming the cross functional problem.
Because BC teams very often include groups of people not used to working together, the more practice these teams get the better. Performance of practice drills is highly correlated with BC program success.
People benefits of Drills:
Training team members on their specific roles
Creating a common goal across the team
Breaking down silos
Process benefits of Drills:
Validate the plan
Make sure all bases covered
Test/train use of support tools
Creating and managing effective drills is a key role of Business Continuity team leadership
It all starts with strong test plans – drills need to be happening all year long across different event types and functional teams.
Each test plan will include a scenario, expected response and KPI’s
The BC team lead needs to create internal urgency around the drill by demonstrating importance to all team members – it helps when there is a steering committee in place to make sure drills occur and monitor results
The Lead will first review the test with the team so all members know what is expected. At some point after, but not previously scheduled, the drill will be launched.
Afterwards, the team will meet to review KPIs and evaluate their performance. Results will be communicated to management and, if needed, templates will be adapted to fill gaps identified by the test exercise.
The right tools can help structure a BC team effort and make sure that key steps don’t get missed. They help standardize response and reduce the learning curve for BC Program maturity
In this age of connectivity and mobility – there are huge advantages to equipping your BC team to be completely virtual
Last year Gartner’s Hype Cycle Report suggested that the virtual incident management system had officially “come of age”. The main drivers of adoption from their point of view included:
Manage relationships with all internal and external stakeholders of an organization
More efficiently manage response, recovery and restoration actions
Communicate critical information internally and externally
Review and report on the incident so that an organization’s business continuity team can utilize the data for future training and improvements
BCM program leads need two primary tools to speed and simplify incident management. First is fully featured emergency notification and second is an incident management system for to serve as your virtual command center.
This chart highlights some of the key functionality you want to look for when sourcing emergency notification and incident management solutions:
Birmingham Airport realized huge efficiencies when they adopted an automated incident management approach.
Were consolidating teams and downsizing – needed to make it easier
Employees distributed across wide area – needed anytime /anywhere access
Needed to get away from paper-based logs for regulatory compliance.
Lots of different employees using this solution. HAD TO BE EASY to use!!
Run three shifts a day – having all routine and emergency events documented on centralized system made shift changes and management updates much easier and quicker
Again, not to sound like a broken record, but daily adoption and use for routine events made it much easier for them to learn new tools
As I showed earlier, companies that have BCM Program effectiveness tracking in place perform better in terms of program maturity.
That being said almost half of those surveyed in a Continuity Central study on BC Program measurement said they had absolutely no tracking in place.
THAT IS A PROBLEM, but it’s a problem that’s easily fixed. You don’t have to create a major complicated dashboard for BC metrics. Some will even be qualitatively reported, but the act of tracking and reporting results will make a big difference.
Continuity Central found that the for those organizations that do have BC/DR program KPIs in place, the top metrics included:
-Completion of drills
-Incident response performance (speed, effectiveness, compliance with plan)
-Completion of program objectives
-Internal program awareness generation activity (building a continuity culture)
-Meeting SLAs
Being at this conference already demonstrates a desire to not be a statistic like the ones here
-One of the 25% of small businesses that close each year due to the inability to recover from a disaster
One of 180 businesses that never reopened after the WTC disaster
By adopting the Four T’s approach to Crisis Management, you can be sure your organization will climb the majority curve in a consistent, disciplined fashion and achieve your BC readiness goals faster.
Want to get your readiness number. Visit MissionMode at booth #514 or take our Readiness Survey online at: www.missionmode.com/be-ready