Who writes the BC and DR Plans?

Okay, so you’re the internal Business Continuity subject matter expert (SME) for your company. That means you’re supposed to write all the plans: disaster recovery plans for the data center, network recovery plans, voice and data plans, etc., plus all the business continuity plans for each of the business functions, right? Wrong, in my humble opinion. While I agree you are probably the most qualified, if you write all these plans by yourself they become, ipso facto, your plans. You wrote them, you own them. You’ll get very little buy-in from those who have to execute them at time of disaster. So I encourage BC planners to think more as facilitators and project managers who draw heavily on the involvement of others to accomplish a group goal rather than operate as a sole contributor. As the BCP SME, you are in an excellent position to design the format of the plans and then facilitate the cooperation of the other area SMEs to provide the content from both the technical and business sides of the house. Let me explain what I mean.

Disaster Recovery Plans. The technical side of the house should provide documentation, procedures, priorities, and the recovery timeline. They have a vested interest in the recovery process and often have to respond to various minor outages on a short time schedule, so their awareness of the need of written recovery plans is usually high because of past experience. Even if you have deep technical knowledge, involve others to provide the content of the plans. If you design a good format, they can easily fill in the blanks. And remember, a lot of the procedures only reside in their collective grey matter and have never been written down. Put on your consultant hat and guide them through the process of creating a plan that can be accomplished with or without them being available. That way they’ll own their section of the recovery and will tend to keep things up to date without your continued haranguing.

Business Continuity Plans. Business function staff are usually not predisposed to thinking about unexpected outages. You’ve seen their deer-in-the-headlights look when there’s no dial tone, or the systems freeze up, or they have to leave the building. They need your help in designing and implementing their outage and recovery responses, but resist the temptation to do it all for them. I encourage BC SMEs to use the BIA process to get them to begin thinking about how they can continue mission critical functions without the support they’ve come to depend upon. (I refer to this as “evangelizing among the heathen” as you open their eyes to the fact they are expected to function as best they can during an outage to continue the mission.) As the SMEs for their area they are intimately familiar with the processes that must be accomplished, the priorities that will change during an outage, workflow changes, critical staff, etc. I suggest you hold a planning workshop for them and explain the format and content they will have to supply. (If you leave it up to them, you’ll get anything from a three ring binder to notes on a cocktail napkin.) But with your guidance, they will be able to write a plan that is truly theirs and will address all their requirements during the outage. I also encourage you to hold a tabletop exercise so they can educate their staff on what will be expected of them, work through any missing elements, and feel the importance of what they are doing. This will happen much more so than if you wrote the plan and dropped it off like the Sunday newspaper delivery.

Conclusion. For some BCP SMEs it is a new thought to see themselves as facilitators rather than chief scribes. But I firmly believe that a feeling of ownership of the plans is a very important element of successful implementation during recovery efforts. With you acting as a consultant, the end product is more thorough, precise, complete, and stands a good chance of surviving the initial shock of an unexpected outage, especially if those called upon to execute the plan were the chief authors. As usual, I welcome your comments; feel free to contact me directly. Happy planning!

 

© Copyright and All Rights Reserved Howard M. Peace

Selling Management Trainees on Joining the BCP Team

Many modern corporations have instituted a management training program full of bright young college graduates that circulate through various departments to gain experience and operational knowledge in preparation for their careers. They usually have some choice in determining which departments they intern with. The question for today is: how do you attract them to your Business Continuity Program (BCP) as one of their assignments? Since you asked, here is how I have done it several times in my own career.

Sell the BCP Function. It’s vital that you sell them on the importance of what you do. They will probably never have been exposed to the business continuity discipline, but they all live technology-dependent lives. They’ve all experienced broken cell phones, laptops on the fritz, and application problems. What the BCP deals with is all that, and more, writ large. It will be easy for you to explain that the BCP is the guardian of the availability of essential corporate resources and you’re the ones who figure out what to do in the face of unexpected outages. Having experienced technology failings in their own lives, they will quickly grasp the importance of preserving access to the tools and data the company depends upon to continue mission critical functions.

Sell the BCP View. The Program touches all aspects of operations, administration, and facilities in ways few other departments do. Because of the broad corporate-wide scope they will have an in-depth view into all the corporation’s essential activities and assets. By being involved in the Business Impact Analysis (BIA) for a business function they will learn all about the department’s mission critical activities and will understand how it relates to information systems and other departments. By being involved in the development of business continuity and disaster recovery planning they will have a ringside seat in watching the areas struggle with how they will continue those functions in the face of unexpected outages. Because the BCP addresses issues in all areas, they will have a wonderful opportunity to acquire firsthand knowledge of so much more than they would by sitting in a cubicle in some other department. (The BCP is, in fact, a step ladder in the cubicle farm.) They can also use the assignment to scope out where they want to land next. By then, they will have had a chance to meet the department management and gained the ability to take a lot of the guesswork out of whether they would like to intern there or not.

Sell the Management Exposure. Because of the important issues BCP deals with, they will have the opportunity to attend meetings with senior management across the organization. I often prepped my trainees for speaking and writing roles that gave them the kind of exposure interning in Accounting never would have done. I told them that shining in BCP could do wonders for their future careers. When their interning days are over, they will have had direct contact with the corporate decision makers and can approach them with a pitch to join their team, rather than cold calling.

Conclusion. BCP managers rarely tap the wealth of talent that resides in the management training pool, to their loss, I believe. By attracting great talent, treating them well, and giving them the view and exposure that will help them in their future careers, you will have a great resource to use for a while. You will also be making allies for the future who understand the importance of what you do. Who knows, the future CFO or HR Director may turn out to be one of your alumni down the road!

As always, leave comments and feel free to contact me directly.  Happy selling!

The Joys and Trials of the Consulting Life

Whenever anyone asks my wife what I do for a living, she replies, “He’s a pooper scooper. He solves problems no one else knows how to solve.” I try to get her to say my job is to make mountains into speed bumps, but I can’t really argue with her description. As a consultant, I am usually hired to bring my subject matter expertise to bear on an internal problem that, for some reason, no one at my client has the knowledge, experience, or time to solve. Sometimes it’s to offer advice and at other times it’s to do the heavy lifting. After decades of consulting, I have found I’ve gotten better and better at it and come to really enjoy the process. First, let me tell you why I think it is an important field and why I think it’s fun.

Exposure to new industries. Over the years I’ve been exposed to a multitude of industries I never would have otherwise seen up close. I’ve consulted with clients who manufacture bricks, truck axles, electronics, clothing, pet supplies, and a myriad of other items. I’ve worked with clients who manage retail store chains, rental car outlets, and large distribution networks. I’ve consulted with technology companies, voice and data carriers, banks, credit card companies, credit unions, software vendors, hospitals, labor management firms, and government branches. Every industry has different processes, products, and priorities, but the tools I use, especially the Business Impact Analysis (BIA), have opened my eyes to the inner workings that either make the client successful or hinder their progress. I never tire of the learning process and have been blessed to see much, much more than I would have sitting in a cubicle for 30 years.

Exposure to new people. I love meeting and working with new people. I regard new contacts as presents I get to unwrap. Some wonderful friendships have evolved over the years and among my clients and coworkers have been some of the brightest people I have ever met. Exposure to them has made me all the richer in knowledge and friendship because of it.

Exposure to new knowledge and methods. In addition to learning about their industries, I’ve been exposed to better ways to do a number of the things I was supposed to be the expert at. There are many ways to crack a nut and I’ve often found that great ideas and methods are available if I’ll only pay close attention to what is being said and done already. I warn my clients that I’m a shameless stealer of good ideas and am always on the prowl for better ways of doing what I do for a living.

Exposure to new problems and solutions. More than once I’ve stood there scratching my head over a roadblock I’d never encountered before. Being challenged with a new problem always gets my juices flowing and I enjoy the satisfaction of standing back after solving it and seeing a job well done.

Opportunities to teach. I am a consultant that is committed to knowledge transfer. I have no interest in building dependent step children, so I work hard at equipping my clients to carry on successfully after I leave. I often will explain the “why’s” and not just the “what’s” about the project so the results can have lasting impact and be improved over time.

Travel to new places. Have you seen that Facebook app that has you click off all the states you’ve visited? I was really surprised at all the places my consulting career has taken me. I only missed the Dakotas, but there’s still time. Maybe I have some Gypsy blood, but I have definitely enjoyed crisscrossing the country and going overseas as a paid tourist.

Okay, now it’s time to look at the downsides of consulting. My wife likes to say, “There are bedpans in every job, and some days are bedpan days”. So, in fairness, let’s look at some of those.

The hardships of travel. Air travel has become increasingly difficult in the years since 9/11. The lines are longer, security is much more onerous, carry-on bags are smaller, most flights are full, and the seating is cramped and not laptop friendly (and why do corporate travel departments always stick you in a middle seat or in the one next to the bathroom at the very back of the plane?). When you arrive, you race to pick up the rental car and set about finding your hotel in a new city you don’t know. Depending on your per diem, you may find yourself staying at a Motel 4 and might have trouble finding restaurants that serve edible meals within your budget. When people tell me I’m so lucky to travel for a living, I tell them, “If you only knew….”

Being away from home. When my son was young, my wife used to say all the exciting things happened when I was away and not able to help (like the time he got bit by a chipmunk). Besides missing my family, I also missed out on being able to do some of the chores around the house at night, so the honey-do list built up all week and Saturday became a work-like-a-slave day. When you travel you also miss out on after school events and time with friends, and maybe date night with your wife. The good thing about properly managing the travel, however, was that I was often able to be on site with a client for a week, get my arms around as much stuff as I could, and then work from home for a week or two before going back out the door.

Leaving your best work behind. I’ve had a number of projects that I was really satisfied with and would have loved to see how it all got worked out in the days ahead. It would have been very rewarding to be around to see the fruits of my labor get fully implemented, but I had to move on to the next client. I was able to leave them with a roadmap for going forward, but I wasn’t going to be there to see it taken to the next level. And as a consultant you always wonder if they’re going to take that report with all the great recommendations and stick it on the shelf as though you were never there.

So, as you can see, there are great joys and substantial downsides to being a consultant. For me, the joys have always outweighed the negatives and I’m still having fun. Leave me some comments and feel free to contact me directly.  Happy consulting, and be safe out there.

 


Business Continuity As A Career? Really?

Yes, really! For a lot of good reasons, some of which I’ll discuss here. I admit I fell into it quite accidentally. I was an honest programmer once, coding away in Assembly Language and COBOL in my youth. But the bank where I was working needed some information security programming done, then a security administrator for the Money Transfer and Wire department, and before I knew it I got moved uptown and became one of the first CISOs in the country. Along the way, they told me there was this thing called business continuity and disaster recovery and it was going to report to me, too, so I’d better get up to speed on that as well. In that way, I was fortunate to participate in the evolution of a discipline that grew from just getting the lights to blink at the recovery center to addressing recovery needs for the business units across the globe. It’s been a great ride and here is why I think business continuity (BC) makes for a potentially great career.

You can see forever from here. The view from a cubicle in most departments is limited to only a small part of the overall business a corporation conducts. You’ll get an in-depth familiarity with that department’s business, but that’s all. Whereas, working in BC will expose you to everything the corporation does: all the business processes in every department, the assets, technology, locations, future plans, etc. It’s a stepladder in the cubicle farm!

You meet the nicest people. Working in BC you will come in close contact with all the decision makers in the company. You’ll have regular interaction with department managers, middle management, and senior managers from across the corporation, many of whom you would never even have a conversation with at a company picnic. In your exposure to them you’ll learn their priorities, their vision, their management style, etc. You’ll also get a seat at the table for crisis management as they enact the plans you have developed. You’ll have a chance to shine in arenas you’d never be invited to otherwise, which can only help your career.

You get to do important work. Enlightened corporations and management recognize the essential part business continuity plays in ensuring the availability of technology, telecommunications, facilities, and staff resources in order to continue mission critical activities. The role you play in analyzing business and technical recovery requirements, creating workable plans for recovery from unexpected outages, and testing recovery capabilities can be the difference between full recovery and huge potential losses. That’s pretty important stuff!

You can qualify for professional certification. Years ago I got a phone call from an important figure in the field offering me a chance to have my certification grandfathered in for a mere $1,000. I declined because I thought the certification wasn’t worth the paper it was written on (and I didn’t have a spare $1,000). But all that has changed over the years to the point where the certification process is both professional and valuable. The testing process and in-field work experience required now represent a mark of achievement and have gained recognition as the distinction of a highly qualified professional in an exacting discipline. I’m proud to have the CBCP after my name. (On a side note, I once had a translator in Mexico City who had PDG after his name on his business card. I asked him what that meant and he said, “Oh, I gave myself that and nobody ever asks what it means. It stands for Pretty Damned Good”, but he wasn’t and I fired him after two days.)

You get to put your thinking cap on. Solving the problems of providing sufficient recovery capabilities that meet the business requirements in the timeframes needed at the lowest possible cost is a daunting challenge. New technologies, changing business requirements, new recovery vehicles (like cloud computing), and changing priorities will always present new obstacles to overcome. Succeeding in managing these well will keep the juices flowing.

Conclusion. Even if your neighbors don’t understand what the heck you do for a living, you’ll know it’s challenging, ever changing, and important. As always, leave me comments or contact me directly.  Enjoy BC and have some fun out there!


BC/DR and the Corporate SDLC

Last year I had the opportunity to meet a senior member of a former client’s executive management team while we both spoke at a conference in Miami. I began by asking him if they still did a Peace Business Continuity BIA before any new system was put in place. He smiled at me and said, “So you’re the guy who worked with so and so back in 2000.”

One of my priorities then and now was to insert BC/DR considerations into the System Development Life Cycle (SDLC) so they would be addressed up front. There are some very important reasons for doing this.

Every major change should be preceded by a focused BIA. A properly conducted BIA for the change will identify what new pressures will be brought to bear on the current state recovery strategy. New applications, business functions, and infrastructure changes can have a discrete and, perhaps, debilitating impact on disaster recovery strategies and business continuity planning. The BIA should be used to measure outage impacts for the new change and be used to measure the overall impact on recovery requirements. If the SDLC includes a BIA hook, it’ll happen.

Each BIA Impact Category should have a list of recovery requirements. For example, at the client mentioned above, I used the categories we developed in our Y2K work to separate the most critical (AAA) from the more deferrable (D). I then used the categories to delineate what recovery requirements each new application needed to include in their planning. For the AAA through B ratings, the developers were required to include local failover (multi-processor environment), remote failover at the recovery instance, written recovery plans for the application and business units supported, and annual failover recovery testing. Putting those requirements early in the SDLC made for far better upfront planning, and trying to retrofit them later would have been impossible. It eliminates the “but nobody told us” excuse.

BC/DR considerations must be included in the budget. The final price has to include provisions for recovery from the very beginning because there will be no money available later. For example, a new AAA application will be required to run in a multi-processor environment for local failover, not a single-threaded server, and another one is needed in the recovery environment. Now we’re talking about two specialized servers, not one, and some possible impact on the network response time. The project budget should include this additional capability. Pricing things right in the beginning will mean an accurate assessment of the true costs.

A Gap Analysis should be performed to determine the overall impact of the change. The current state recovery capabilities should be examined to determine if the change will open any gaps in the company’s ability to recover critical business functions in the timeframe required. The change can impact the data center, data and voice networks, and business area recovery, or all of the above. Any gaps discovered can affect budgets and project delivery timeframes and priorities.

Here is what you’re trying to accomplish: At some opportune point between the time some executive says, “That’s a great idea” and the time they reach for their wallet, you want BC/DR considerations to be addressed so the real price is known and the implementation plan is written accurately. If there are BC/DR hooks in the SDLC, all the recovery issues are addressed in a timely fashion and the fixes won’t need to be bolted on later, if at all. As always, leave some comments or contact me directly if you’d like.


Decision Making At Time of Disaster

Every organization has its own structure and process for making decisions, especially those concerning the spending of money. However, when faced with an unexpected outage or disaster, things can change, sometimes unpredictably. Normal management processes can be completely disrupted depending on the nature of the event and the availability of the normal decision makers. For example, on 9-11, I had the exalted title of Director, Disaster Recovery and Business Continuance for a major technology company. Soon after the event began to unfold I found out that the CEO and CFO were on vacation together with their families and no one knew where. With air travel stopped dead and cell coverage overloaded, they were completely out of touch and unable to direct efforts to respond to the crisis. Additionally, almost all of the other senior management team were visiting a potential acquisition in another state and they were off the table also. In effect, the Facilities Manager and I were the only senior managers available to lead the crisis management efforts, and we were huddled around a small black and white TV trying to find out what was going on in the world. We soldiered on and made financial and management decisions normally above our pay grades and received confirmation that they were the correct decisions several days later when management came back on line. Afterward, I thought of a couple of items that should be included in our planning efforts. They are:

Management Succession Plans. In order to provide for the unavailability of key decision makers in a crisis, either personal or corporate, every manager should have a written management succession plan. Key leaders should formally identify who exactly should take over for them in their absence and what special authorities should be granted to them. (Remember Al Haig declared he was in charge when President Reagan was shot until someone reminded him that’s not what the Constitution says.) I developed my methodology when I was called in to consult with a family-owned Southern California Bank to write a plan for their IT Director. The Board had only recently found out his hobby was flying small acrobatic planes and they were worried that, God forbid, he crashed, no one knew what exactly he was working on or how to manage his department in his absence. After assuring him the Board wasn’t looking to replace him, I was able to work with him to develop his first written job description, identify key staff who could assume most of his time-critical responsibilities, develop a written status report format and schedule, and improve his future planning documentation. I also interviewed him about his decision making methods and war gamed some scenarios to expose how he would likely respond if he were on duty. Lastly, I arranged for another senior manager to spend two days per month sitting with him getting up to speed on current state developments. In the end, the Board felt they had closed a major gap in their recovery planning efforts and used the methodology to create plans for other key roles as well.

Refined Tabletop Exercises. I am a firm believer in the usefulness of tabletop exercises in testing all facets of disaster recovery and business continuity plans. The exercise is a conference room based walkthrough of how a company will respond to an unexpected outage scenario revealed at the start of the exercise. The one wrinkle I always include is the unavailability of at least one key decision maker (or key technical guru). If the scenario is imagined correctly, their absence will be used to identify areas of expertise, tribal knowledge, or key decisions which are not documented or delegated and are sorely missed. In my experience, the following often comes up if the key decision maker is not available:

  • Who has approval authority now for the emergency expenditures? (If the backup has a much lower limit, how does that get bumped up to cover the spend?)
  • Who has authority to increase corporate credit card limits for the traveling recovery staff? (Do they even have corporate cards? If not, how do we expedite this?)
  • Who else can authorize increased system access authority levels? (Who thinks through the security risks?)
  • Who approves the PR statement that goes out? (Think about a canned statement with blanks to fill in with actual details so the wordsmiths don’t take 2 days to invent the wheel.)
  • What do we say about casualties and injuries?
  • Can we send the hourly staff home and still pay them for the day? (On 9-11 I used HR’s snow day policy to authorize this. I put on my Pirates of Penzance Admiral’s hat as the guy in charge and declared it was snowing outside!)
  • Do we still pay people who can’t come in because of the disaster? (What is our normal policy and if we want to make an exception, do we have the authority to do that?)
  • Who can authorize unexpected overtime?
  • What are our legal and contractual obligations and can we get some mercy?
  • Do we notify our customers yet, and do we have to report this to a regulating authority?

If the people who make these decisions, and more, aren’t available, is there a management succession plan in place which delegates the authority to make the call in their absence? Don’t worry if you uncover missing elements, that’s what the exercise is meant to do: expose gaps that can be remediated.

Conclusion. Without good management succession plans in place the chances are that good decisions will not be made or even thought about until it’s too late. As a father, I have seen the truth in the old saying, “One child, one brain. Two children, half a brain. Three children, no brain at all.” (In extreme pressure situations, some managers tend to revert to this in the middle of “groupthink”.) In order to avoid confusion, conflicting agendas, and the Al Haig Syndrome, make sure everyone knows how decisions will be made in an unexpected event with key decision makers absent. As usual, leave comments here or contact me directly.  Happy decision making!

 


Business Continuity & Information Security: They Need Each Other

Having played in both of these fields, I have become aware of the symbiotic relationship that many overlook. Both are important aspects of corporate risk management and should be natural allies. In the early eighties I managed both as the Data Security Officer for Manufacturers Hanover Trust in New York City. As one of the first CISOs in the country, I came to understand the importance of both disciplines and had a ringside seat as they grew to maturity. In those early days the emphasis in Infosec was password changes (remember RACF on the mainframe?) and violation reports (Al Gore had not yet invented the Internet and PCs were an oddity. I still have one arm longer than the other from carrying an Osborne around). Business Continuity barely existed and the focus was primarily limited to disaster recovery of the data center. In their current states, they influence and help control all aspects of the business and their responsibilities are now 24/7 and reach around the world. As they have matured, the playing field has changed, but their need for mutual cooperation has remained. Let me show you what I mean.

Infosec depends on good business continuity. Infosec needs a reliable platform that includes continuous availability of the tools they need to monitor and control access to the systems.

  1. Without a reliable recovery program in place, a denial of service (DoS) attack brings a company to its knees in a hurry. In effect, the DoS triggers a business continuity event. Infosec needs quickly restored access to determine the cause of the outage and repair whatever damage has been done.
  2. If the backup procedures are not correctly implemented, rebuilding the systems becomes problematic and can take much longer as the team searches through previous backup generations to find an uninfected version.
  3. If telecommunications can’t be quickly restored, the external (and internal) threats can’t be efficiently managed and the Infosec team will have trouble coordinating their efforts. (That’s why when planning recovery efforts I always want to know how the techies communicate with each other (phone, cell, email, IM, etc.) because those tools become critical to recover as quickly as possible.)
  4. A good BCP will identify any new access requirements that are necessary to accomplish recovery efforts. For example, new or increased VPN access, higher or increased level access authority, emergency contact information, increased approval authority, etc.

Business Continuity depends on good Infosec. Remember the old John Wayne flick The War Wagon? The plan of attack against the armored stagecoach was to force it off the safest path onto a trail where the security efforts could more easily be thwarted. Exercising a recovery plan can open the organization to increased security threats.

  1. During the recovery process user passwords are sometimes shared, defeating individual responsibility controls. “Joe’s not here, but I know his password” can sometimes lead to unauthorized access that exposes the company to fraudulent activities and the disclosure of information thought to be secure. (Threats include disclosure of Personally Identifiable Information (PII), credit card numbers, access to approval levels to release payments, etc.)
  2. Admin passwords can be used to bypass normal change management control procedures, leading to mistakes. “It’s an emergency, so we don’t have time to test this first, just go ahead and move it into production.” Famous last words as the system crashes, delaying recovery.
  3. System techs will sometimes leave remote access ports open to make their job easier during recovery, thereby exposing the systems to outside threats. Hackers love open windows.
  4. There can be pressures brought to bear to circumvent normal access approval procedures that require written, and sometimes dual, signatures. “The boss said it was alright, and it’s only temporary.”
  5. There’s never enough time to review access violation reports. Many strange things can go bump in the night when the watchers aren’t watching.
  6. Physical access at the damaged facility can get loose, allowing unauthorized parties to wander around to see what they can find and what they can do. The card key access system is down, so doors get propped open.

As you can see, there is a great need for BCP and Infosec to work closely together to address the threats posed by security incidents and unexpected outages. They may be separate silos but there had better be a good bridge between them. As always, your comments are welcome and feel free to contact me directly. Be safe out there.

© Copyright and All Rights Reserved Howard M. Peace

The 5 Best Reasons for Using A BCP Consultant

Of course my favorite reason is because that’s how I make enough money for my family to eat and sleep indoors. But really, there are some very good reasons to reach outside your organization for subject matter expertise and experienced help in accomplishing your BC projects. The best reasons I can think of are:

  1. A lack of internal expertise. It may very well be that no one at your company has ever done a BCP project and there isn’t a clear understanding of how to go about accomplishing the assigned mandate. A directive has come down from on high to “go forth and business contingify, whatever that is, and, by the way, you have six months.” An experienced consultant can develop project focus, detail all the steps required, develop a reasonable schedule, and accomplish the tasks in the allotted time frame. A good consultant will also major on knowledge transfer rather than building dependent step children.
  2. A lack of internal resources. It’s especially true in smaller organizations, but most companies operate on a rather lean staff budget and they don’t have a pool of technical and business people sitting around with large open areas in their job description just waiting to take on a project of this magnitude. The leader of the project usually has an already crowded plate and nothing gets removed to make time for this new responsibility. A good consultant is a dedicated resource who can focus entirely on the project and should bring not just direction but strong shoulders to carry the bulk of the weight. I tell prospective clients, “I hire people to do things like wallpaper the kitchen because I have too many Howard things to do. Assign me part of your to do list so you can focus on the stuff that only you can do. Give me this project and I’ll get it done, and make you look smart for hiring me.”
  3. People tend to cooperate with outside consultants. The staff usually realizes the company is paying for this consultant and so they should probably cooperate so whoever brought them in doesn’t get a report that they have become a roadblock. Like many families, they treat outsiders with a little more deference than they would one of their own. This is not always the case, but a good consultant recognizes the obstacles and uses his powers of persuasion to get on calendars, run meetings efficiently, gather information as painlessly as possible, and honor everyone’s time pressures.
  4. A good consultant brings a deep well of experience. This BCP project is not their first rodeo, or at least it shouldn’t be or you’ve got the wrong consultant. They may have even done similar projects at similar companies in the same industry. They should be able to provide insight on how your peers are doing BCP and be able to cross pollinate solutions and recovery methods from other industries as well. The consultant should be able to enrich the solution set with lessons learned on successful efforts performed elsewhere. They should have a clear understanding of the technology required to support the client’s recovery needs and priorities, a handle on realistic expectations for the time required for recovery, an ability to outline effective recovery strategies, and the ability to build the business case for BC/DR expenditures. He should also be able to identify a roadmap for the way forward to improved recovery capabilities (not just upsell opportunities for his firm). And, perhaps it goes without saying, he should have a good handle on project management metrics including adequate status reporting on the project’s progress and unresolved issues.
  5. Company budgets often have restrictions on hiring new staff. Even though the BCP project has high level support and has been deemed an important requirement for this year, the bean counters have convinced management that the people costs are the easiest and most important to control. The edict comes down, “No more hires this year”, and the door for adding skilled staff slams shut. You’d like to go out and find an experienced BC person to bring onboard, but that is not possible. However, consultant dollars often come from a different budget and since the project has a defined cost and duration, money becomes available to bring in an outsider to handle a short term project. When the project is over, he goes away and you are not saddled with the cost of an ongoing head count.

In a future blog I will discuss how to find and use a good consultant, but for now let me just encourage you to make use of the wealth of experience a good consultant has learned while someone else was paying for acquiring that knowledge. I realize mine is not an entirely objective opinion (my professional motto is, after all, “Consulteo ergo sum”: I consult, therefore I am), but I believe the right consultant can be a tremendous resource for the success of your BC project. As always, I welcome your comments and please feel free to contact me. Good projects to you.

 


5 Important BC Questions to Ask For Mergers & Acquisitions

It seems every day there is a new announcement about one company buying another one. Sometimes the target company is a competitor, other times it will be a company that will enable the buyer to complement or expand their portfolio of services or products. (For example, Verizon bought CyberTrust to acquire our extensive portfolio of professional services.) An early stage of the M&A courtship is the Due Diligence phase, where the buyer sizes up the target, checks the books, reviews production, and details assets. If everything looks good and the price is right, they walk the aisle together.

What does BC have to do with M&A? I’m glad you asked. Here are what I believe are 5 important BC-related questions that should be a part of every M&A effort and should be asked of the target company:

    1. Do they have an active contract with a BC/DR vendor, and is it assumable? If the target company has a valid contract with a vendor it may represent an ongoing legal agreement and financial obligation that may not end with the purchase, or maybe can’t be assumed by the buyer if it so desires. Depending on the integration plans the buyer intends to implement, the arrangement may still be necessary for a length of time (and may need to be extended) or it could be unnecessary or redundant. Oftentimes this is overlooked during the Due Diligence Phase and could turn out to be an unpleasant surprise later, affecting the actual cost of integration. (Always remember, management doesn’t like M&A surprises!)
    2. Do they have trained BC/DR staff? It has been my experience that those companies that do poor due diligence often don’t recognize the value of staff they are acquiring. By not addressing personnel issues right up front they find the cream of the crop walking out the door, taking their valuable skills and tribal knowledge with them, and are left with the less nimble folks who have fewer options, and maybe less skill and knowledge. Finding a trained staff who can implement a successful BC/DR program can be a valuable asset when evaluating the talent about to join the mothership.
    3. Are there any assets that can be used to augment the buyer’s recovery capabilities? Many M&A methodologies overlook technology and physical assets that would be a wonderful addition to the resources available to improve recoverability for the buyer. Instead of sending everything to a landfill in New Jersey or selling it for pennies on the dollar, the M&A team should be encouraged to keep an eye out for what seems to be redundant resources that could be used to upgrade the buyer’s current state of recovery and integrate new capabilities that will be needed for the newly acquired operations. Equipment I always look for includes telephone switches, servers, disc farms, tape management systems, routers, generators, UPS, and HVAC equipment. I also want to take a look at their facilities in case I find a great place to create a new cold/warm site, or find useful alternate telecommunications and power pathways, or provide an offsite business area recovery capability. Like sorting through a flea market or attic, you may find the technology equivalent of a Mickey Mantle rookie year baseball card.
    4. Have they done a recent Business Impact Analysis? A good BIA will tell the buyer what the most critical business processes are at the target and will help set expectations for priorities for the integration phase and ongoing recovery requirements and capabilities. I have on a number of occasions also used the ISO standards to review security and recovery concerns at acquisition targets to get a better feel for what problems might come along before the buyer’s name goes on the wall.
    5. How will the acquisition change recovery requirements at the buyer? If the acquisition goes through, it will inevitably change the scope and perhaps the way in which the buyer plans for disaster recovery and business continuity. The new addition to the company fold will bring with it new equipment, connectivity needs, business areas, and perhaps facilities. For example, the target may bring with them 100 new servers. Some of those servers may support critical operations that require immediate failover where none currently exists in the buyer’s backup location. Getting out in front of these costs will go a long way to determine just how great a deal this was. Including these expenditures during the Due Diligence Phase can help to affect a number of decisions regarding price, data center expansion, and additional recovery costs.

With these questions in mind, I always encourage the BC/DR manager to sit down with the M&A team to present these questions for inclusion in their due diligence methodology. Getting them to keep an eye out for the information you need, along with your potential shopping list, will increase the BC Program’s visibility and will make a valuable contribution to a successful merger. Involvement in the M&A process will prevent a merger diluting the current state recovery capability and can serve to enhance and expand it. At the very least, BC/DR will get to look over the loot before it disappears out the door. Please feel free to make comments and offer your own suggestions and war stories. And, as always, feel free to contact me directly. Happy merging and acquiring.

 


5 Ways Consulting Resembles Curling

Okay, so for those who didn’t grow up with 3 channel black and white TV in the fifties, Curling is a Canadian sport involving ice, brooms, and large tubs. (For those from NYC, think of ice Bocce.) When I was a kid a thousand years ago, Curling used to come on one of the snowy channels we got and the season started after football season in the old days, before the playoffs extended to Valentine’s Day. In fact, Curling is now an Olympic sport, if you can believe it, and can be interesting to watch if you understand the rules. It occurred to me several years ago that Curling and consulting are the same sport. Keep reading. I promise to make sense of my analogy.

Curling begins behind a start line where a player moves forward and lowers the moving tub onto the ice with the goal of hitting a target 100 feet away. If the tub moves too fast, or if it strikes the target too hard, it will careen outside the scoring circle and the fans will shout obscene comments on the players’ ability and family heritage. The pace and direction of the tub down the ice is influenced by two players with brooms who will sweep the ice ahead of it in order to change direction and speed to enable it to hit the target and remain in scoring position, unless it is pushed aside by the opposing team. Got it? Now let’s compare the game to consulting.

  1. Every BCP consulting engagement has a target, whether it is a Business Impact Analysis, or a Business Continuity Plan, or a Disaster Recovery Test. It is conducted often on a rather slippery field with outside influences, some beyond your control, which will attempt to affect the outcome. Some of the players will have separate agendas entirely and some of your players will not be very adept at keeping things on target. The difference between curling and consulting is, unfortunately, that the target can move if it isn’t written in stone in the Statement of Work (SOW). Mission creep outside the scoring zone is a real possibility if you’re not careful.

  2. BCP Consulting engagements are a team sport. Any consultant who thinks he can accomplish the target without help will have no supporting players to keep the goal firmly in mind and the project on track. Cultivate cooperation toward your shared goal. Remember you are there to help your team navigate the mine fields and produce a mutually beneficial result. You are there to serve, not rule.

  3. As in curling, consultants are not allowed to smack the tub with the broom to keep it on track. This is sometimes very tempting, but don’t do it. It’s against the rules. Treat every opinion with respect, no matter how idiotic, and work hard at gaining consensus. Resist pontificating on BCP dogma and project management methodology and you’ll stand a better chance of hitting the target. Always remember, you can drywall with a sledgehammer but the cleanup is messy. You can make your point without leaving a gaping divot.

  4. Use influence by getting out in front of the project. That’s what the brooms are for, influencing the project by smoothing the way toward the goal. You can use influence by subtly arranging the way for things to go at the speed and direction which will accomplish your goals. Recognize the staff power structure and the important players and enlist their help in keeping the project on target. Inexperienced consultants need to learn how to convince already busy people to do one more damned thing, for them. Consultants who don’t do “subtle” are rarely successful and don’t get return engagements.

  5. The game is over when the official (client) says so. Sure, I have had clients that were like Lt. Columbo (“Ah, one more thing…”) and they’ve tried to drag the project out before final approval (and payment). But always remember your goal is to deliver an end product that sits squarely in scoring position. The client should be confident that he got what he paid for and that his goals, not just yours, were reached. For me, the most efficient way to accomplish this is through consistent feedback throughout the project and vetting both the data and the conclusions. Don’t drop your final report off like a drive by newspaper delivery. Use drafts and rewrites until you both know your data collection is complete and accurate and that any conclusions and recommendations make sense and are on target. No surprises. I learned this while doing bank risk reviews for Lloyd’s of London in Latin America. At the end of the week, I would have all my findings and recommendations written down and would meet with the board of directors to lay it all out for them. Any changes that needed to be made were made with them so there would be no surprises when London took my report and made the recommendations requirements for renewed insurance coverage. If you take the same approach, you will have much happier clients and they will consider you for future engagements.

Hopefully, this advice makes sense and will help you to leave the clients happy and cheering as you hit the target and score a successful project conclusion. And remember, the same analogy works for internal projects if you are an employee. Use persuasion and don’t just rely on policy to gain cooperation. Leave me any comments you might have, including any correction of my insight into a fine Canadian sport. Happy consulting!
