
Ground Rules:

- A Crisis Communication Committee must be formed and trained
- Lists with all relevant names and phone numbers must be available
- Only one person must be responsible for talking with the press
- An internal communication system must be in place to collect and continuously distribute information

It is not easy to make a balanced BCM


- A BCM plan is more than just a recovery of IT systems;
- The plan should also include e.g. crisis management, facilities management and resumption planning
- Within management there should be agreement about the maximum accepted downtime for business processes, and about the procedures to follow in case of a crisis
- The costs of precautions, such as a redundant IT environment at another site, should be in balance with the business costs incurred during an incident
- BCM is not an IT issue, it is a Business issue
- BCM plans should be maintained!
Welcome to Recovery Chronicles

Education: What is BCP?

Business Continuity Planning (BCP) is the advanced planning and preparations necessary to:

- identify the impact of potential loss
- formulate and implement viable recovery plans that ensure continuity of services
- administer a comprehensive training, testing and maintenance program.

In other words, BCP is what companies and organizations do to stay in business.

Business Continuity Consulting Services: BCP Methodology

We use a structured, verified, five-phase methodology to analyze potential areas of vulnerability, define viable strategies and implement
your plans.

Phase One: Initiation

We meet with your project team to validate the scope of the plan, identify key people and take an inventory of the processes or business
units needed for the project. This phase sets the parameters, establishes the sponsorship of your executives and employees and trains
your team in the project objectives and methodology. In addition, our consultants meet regularly with your project managers and staff to
maintain open, two-way communications.

Phase Two: Business Impact Analysis

The goal of the BIA is to define the operational and financial impacts of an interruption to your business. In addition, the BIA reveals
recovery time objectives and interdependencies needed to develop effective strategies for more precise plan development.

Phase Three: Strategy Development

Using the information from the BIA as a foundation, business continuity strategies are formulated and budgetary costs developed. The
critical time frames and impacts from the BIA will be used to determine which contingency strategies are viable. These strategies will be
developed and budgeted to define contingency and implementation requirements.

Phase Four: Plan Development

Only after phases I, II and III are completed do we develop the actual recovery plan. We attend to the smallest details throughout,
knowing that an incorrect phone number or misplaced data file can derail your recovery efforts. It is important to note that we develop
your plan objectively, without bias toward any vendor-specific technology platforms, programs, or support facilities.

Phase Five: Testing and Maintenance

Through testing and training exercises, we verify that the plan functions correctly and will be used effectively. By including tailored user
procedures, we also ensure that your staff follows a regular, certified schedule of maintenance, testing and update procedures.

http://www.strohl.com/Consulting/BCPMethodology/default.asp

How to Plan for Organization-Wide Business & Service Continuity

Singular, isolated business or service disruptions as well as large-scale, community-wide disasters have shown
us that a well designed and tested organization-wide recovery and continuity of operations plan must be in place.
The frequency and severity with which singular and regional disasters are occurring today prove that planning for
the emergency response phase of disaster recovery alone is simply not enough.

As organizations look to extend their recovery planning efforts beyond the life safety and emergency response
incident management issues and move beyond data center and critical applications recovery concerns to address
'continuity of operations', organization-wide planning can seem overwhelming. There are, however, certain
planning elements which are common to all public and private sector organizations, no matter how large or small.

A successful planning methodology, which will assist you not only in recovering, but ensuring continuity of your
core, strategic, revenue-generating business and service units, operations and processes, as well as their
important administrative or staff support business units, will include:

Prevention:
Prevention addresses the positioning of those measures and activities that will lessen the possibility or the impact
of an adverse incident occurring in your organization. The primary goals and objectives of the Prevention phase of
a business continuity program are to protect the organization's assets and to manage risk.

Response:
Response is the reaction to an incident or emergency to assess the damage or impact and to ascertain the level
of containment and control activity required. In addition to addressing matters of life safety, Response also
addresses the policies, procedures and actions to be followed in the event of an emergency.

Resumption:
Resumption refers to the process of planning for and/or implementing the resumption of only the most time-sensitive
business operations immediately following a disaster.

Recovery:
Recovery is the process of planning for and/or implementing expanded operations to address less time-sensitive
business operations immediately following an interruption or disaster.

Restoration:
Restoration is the process of planning for and/or implementing procedures for the repair or relocation of the
primary site and its contents and for the restoration of normal operations at the primary site.

Step 1: Project Initiation

When developing your business / service continuity program, you will need to determine its objectives, gain senior
management support and allocate the necessary time and resources to develop, exercise and maintain the plan.

Your plan's objectives should include:

- Minimize interruptions to business/service operations
- Resume critical operations within a specified time after a disaster
- Minimize financial loss
- Assure clients/customers/community that their interests are protected
- Limit the severity of the disruption
- Expedite the restoration of services
- Establish awareness so that management and staff understand the implications of a disaster upon services
- Maintain a positive public image of the organization

As you begin to develop the plan, the following assumptions should be defined:

- The organization's business/service goals and objectives
- The organization's policy on business/service continuity planning
- Business / service interruption scenarios that pertain to each plan's functional area and/or location
- A "minor interruption" and "major disaster" in terms of business / service impact and anticipated duration of outage
- What will be reused / recovered and to what capacity levels over what period of time
- Which business / service operations will be resumed immediately
- Which business / service operations will not be resumed immediately and when they will be available
- Which business / service operations are expendable
- What resumption and recovery strategies are to be employed and what are the priority sequences associated with each
- What resources need to be pre-positioned and what are their interdependencies.

As you conduct your review, you will probably find that some levels of recovery planning exist in some business /
service units. For example, the Safety / Security, Facilities, or Vital Records departments may have plans in place
to recover their own operations. In many cases, the Information Systems or Information Technology department
will have a documented contingency plan for information systems / technology functions. It is important to
integrate these independent plans so that all critical and interdependent components are in place to ensure a
successful recovery.

Can you expect to recover everything? Can each department's or business unit's needs be considered the
number one priority? Of course not. What are the real priorities? What is the cost of risk to your organization or
community? (Cost of risk is a way of measuring the degree of risk by examining several of the worst possible loss
scenarios.)

Step 2: Business Impact Analysis

A Business Impact Analysis is a proven method of determining this cost of risk by identifying the impact of
business or service disruptions and helping you to target those operations and processes which require recovery
planning.

A Business Impact Analysis will identify:

- Financial and operational impacts -- when they begin and when they're most severe, for example:
  - Financial Impacts
    - Lost sales
    - Lost trade discounts
    - Contractual penalties/fines
  - Operational Impacts
    - Negative public image
    - Loss of shareholder confidence
    - Employee morale
  - Extraordinary expenses
    - Rental of temporary premises/equipment
    - Moving equipment and supplies
    - Media reconstruction
- Current state of preparedness
- Technology requirements for recovery
- Special recovery resources
- Critical information systems support

The key steps in conducting a Business or Service Impact Analysis are:

- Define the assumptions and scope of the project
- Develop a survey to gather the needed information
- Identify survey recipients and provide needed education
- Distribute the survey; collect and review responses
- Conduct follow-up interviews where needed
- Modify survey responses based on interviews
- Analyze survey data
- Verify results with business/service unit management
- Prepare a report -- present findings to management

Today's automated technology can greatly expedite the data gathering and analysis process and help you present
the information to senior management in professional charts and graphs which clearly indicate the analysis
results.

Step 3: Plan Construction

When you've completed your Business or Service Impact Analysis, you will be ready to develop your recovery
strategies and build your business / service continuity plans.

Consider the following when building your plans:

Note: This checklist encompasses only a portion of the business/service continuity planning effort.

- Write your plans so that you can recover equally well in a singular, community-wide or hazardous material disaster.
- Ensure that your emergency response plans are expanded to address 'continuity of operations' planning beyond the incident management and emergency response and business resumption and recovery phases.
- Ensure that your pre-qualified, critical suppliers of services and supplies will be available to you when you need them. Your vendors must have their own disaster recovery and business continuity plans and responding to your needs must be a part of their plans. Ask to see documentation of this response commitment.
- Establish a notification list that identifies who needs to be notified in the event of a disaster at any of your locations and provides procedural information on how they will be contacted (no matter whether or not there is power available).
- Pre-identify critical resources (communications equipment, supplies, hardware, specialized workforce, etc.) and determine the time frames needed to not only mobilize them but fulfill delivery commitments.
- Establish telecommunications recovery procedures for voice and data, including switching capabilities and backup networks.
- Address the possibility of denied access to your facility due to assessment of structural integrity, forensic investigations, and/or toxic contamination. (Plan for at least a 24 - 72 hour delay in getting back into your facility -- even for just site/damage assessment. If it is necessary to test for hazardous materials, your access can be delayed several weeks or longer.)
- Determine the parameters for declaring a disaster and moving off-site to your hot site, cold site or internal warm site.
- Determine who authorizes this move and other emergency acquisitions and what special accounting procedures need to be established for tracking these disaster-specific costs.
- Determine the location of your command center(s), its requirements and what special security/access control procedures you need to establish in advance.
- Determine when you implement your Crisis Management Plan.
- Identify and arrange for the relocation of your strategic revenue-generating and administrative/staff support functions. Determine what special needs these departments and personnel have.
- Ensure that the pre-identified locations will be available in both a community-wide and singular disaster.
- Research what real estate transactions need to be completed prior to a move.
- Determine how you will resume your production and distribution capabilities and get your finished goods to market.
- Determine how your Crisis Communications Plan will address the continuity of positive communications to your clients, employees and the public regarding your recovery progress.
- Determine what issues you must address to be sensitive to global cultural and philosophical differences.
- Identify your recovery teams and their tasks.

Step 4: Exercising and Maintaining the Plan

The litmus test for any business / service continuity plan is that it works when executed. To ensure your plans
work, exercise them. Make certain that the logistics, procedures and tactical strategies you developed are sound.

Plans must be exercised to determine whether:

- Your organization and its critical vendors are prepared to cope with a business/service interruption or disastrous event, anywhere in the world you have operations.
- Backed-up data and documentation stored off-site are adequate to support resumption, recovery and restoration operations.
- Inventories, tasks and procedures are adequate to support resumption and recovery operations.
- Plans have been properly maintained and updated to reflect actual resumption and recovery needs and, in particular, any changes to the organization.

The information contained in a business/service continuity plan must be kept alive. Organizations are constantly
changing --- businesses are acquired, merged and divested; new operations and processes begin, some cease;
people leave, are hired, promoted, etc.; customer commitments and supplier relationships change; locations
change; responsibilities change; priorities change; etc. You cannot rely on outdated information.

In today's constantly changing environment, where people are often asked to do more with less, it's a challenge to
maintain a living plan. Although you may maintain the text portion of your plan, such as corporate policy in a word
processing document, if a disaster occurs, you don't want to have to be searching through a manual looking for
action lists, notification procedures, critical vendor information, etc. Automated planning systems are invaluable in
developing and maintaining your continuity plans and helping you quickly access the information you need in the
event of a disaster. We have available to us today, cutting edge technology which provides for easy integration
and expansion of existing plans, as well as customization within these planning tools to address organization or
industry specific terminology and needs.

The challenge of organization-wide planning can be more easily met through the utilization and implementation of
the above recovery and continuity planning methodology.

http://www.strohl.com/Education/WhatisBCP/EssaysArticles/orgwide_planning.asp

So much to do, So little time

by Abby DeLotto, Senior Consulting Project Manager

Successfully orchestrating business continuity planning throughout the enterprise can be complicated
for experienced business continuity practitioners as well as those new to the job. BCP managers and
coordinators in every industry are challenged constantly to be effective and efficient.

So how do you know if you're charting the right course for your organization? Often, it's as simple as
reviewing, understanding, and applying the basics of business continuity planning. Although these
basics may seem obvious to some, overlooking or misunderstanding them can prove detrimental to
your overall BCP. These fundamental basics include:

- Clearly understanding the risks your business faces
- Knowing what's essential to the survival of your business
- Equipping your organization with the proper tools to facilitate the recovery
- Organizing and training your people to perform business differently when necessary
- Documenting how your business will perform under crisis conditions
- Coordinating communications within and outside the organization
- Identifying and remaining cognizant of the business changes that affect your plan
- Finding the best ways to gauge the effectiveness of your firm's continuity plan
- Properly managing and staying on top of the evolution of BCP in your organization

A planner's approach, time frames, and available resources may differ dramatically from company to
company. But the goal is the same: to produce solid continuity plans that protect an organization's
essential services.

Session Spotlight: Building Corporate Awareness

"No matter how many dedicated resources you have," explains Doreen Norako of Brown
Brothers Harriman, "the more you know about Business Continuity Planning (BCP) the more
you realize that it needs to be an enterprise wide effort." That is why Norako feels that
creating a corporate awareness program that encompasses everyone from administrative
assistants to senior management is critical to the success of a company's BCP.

"This is something I'm passionate about, something I believe in," Norako says when asked why she
volunteered to lead the Building Corporate Awareness breakout session at the 2004 International
User Group Conference. Corporate awareness is key to communicating BCP to all levels within an
organization.

New Survey Investigates BCP Budgeting and Staffing

Strohl Systems and Contingency Planning & Management have released the results from the second
in a series of quarterly surveys that provide information about the business continuity industry.

The online survey conducted between April 24 and May 8 asked participants questions pertaining to
BCP budgeting and staffing. The survey found that 43 percent of organizations have had a BCP
program for one to five years and 27 percent have had a BCP program in existence for six to 15 years.

When asked which department was ultimately responsible for planning, 36 percent responded that the
IT department was in charge, 18 percent indicated that they have an internal BCP department, 11
percent said risk management, eight percent said security, and almost six percent said financial.
Twenty percent of the participants said other departments were responsible including facilities,
operations, administration, and BCP committee.

"Certainly, not all organizations are the same in terms of operations, budget, and staffing," says Brian
Turley, President of Strohl Systems. "Larger companies have more to protect and consequently will
dedicate more resources to BCP. I think these numbers represent the starting point for staffing and
funding a business continuity program."

Other significant results from the survey are:

- 21 percent of the respondents indicated that their organization has had an established BCP program for less than a year while almost six percent indicated that they have been planning for over 15 years.
- 30 percent responded that the executive sponsor was a vice president, 15 percent said CIO, 13 percent said CEO/President, 11 percent said manager, six percent said CFO, and 22 percent said other. Other responses included director, senior vice president, COO, and a committee of executives.
- 51 percent said that their organization has less than 10 employees responsible for planning and plan maintenance, 29 percent said between 10 and 50 people were involved, seven percent said between 50 and 100, and 12 percent said over 100.
- 43 percent said their disaster recovery/BCP budget was less than $100,000, 26 percent said between $100,000 and $500,000, 11 percent said between $500,000 and $1 million, and 14 percent said over $1 million.
- 39 percent indicated that their BCP budget represented less than two percent of their IT budget, 14 percent said it was between two and four percent, five percent said it was between four and six percent, four percent said their BCP budget was over six percent of their IT budget, and 35 percent were unsure.

"While we do not recommend that companies base their BCP budget on a percentage of their IT
budget, the numbers do give an indication as to the level of maturity of the BCP program when
compared to the IT budget," says Turley.

The results of the first study, which polled organizations about the focus on BCP following the
September 11 tragedy, are available online at
http://www.strohlsystems.com/CompanyInfo/Survey/Jan_2002.asp.

Business Continuity Planning and the Organization: Who's the Boss?

It's often said that, other than your spouse or significant other,
you can't pick your family members. We love our parents and
grandparents, but in almost every family, there are people that,
had we had the opportunity to select, they might not have
been chosen.

It's usually that way with the person to whom we report and
where we report in the organization. When we're hired into a
company, or accept a promotion into a position, it's unlikely
that we'll be able to dictate who our boss will be, or in which
part of the company he or she will find themselves positioned.
It's too bad, because more than almost any function in the
company, business continuity planning needs to be placed in
the organization where it can be most effective.

Best Case Scenario

Placement of business continuity within the organization is of
critical importance. Depending on the expected scope of the program, BCP should report to someone
with administration or oversight responsibilities for the entire company.

For maximum effectiveness, ideally, BCP will report through one of the following line authorities:

- The chief operating officer or chief administrative officer;
- Within a corporate level reporting relationship, not branch or division level.

BCP doesn't need to report directly to the COO or CAO; however, it should report to someone who
does report to these levels. Since BCP needs to address the corporation (both business and technical
recovery), having it as a part of the COO or CAO chain of command will simplify how decisions are
made, and the perspective of areas that must work with the BCP teams.

The key factors in placement of the BCP function are to avoid compromising a planning program's
objectivity and integrity, and getting the needed visibility within the organization to be effective.

Tier Two

Having BCP report to risk management is a pretty good choice. Risk management, in its broadest
sense, usually addresses far more than just the purchase of insurance or the management of claims.
Risk management is usually involved with the protection of corporate assets, usually through
insurance, but often through mitigation efforts associated with real estate, construction, and the
selection of office space. In addition, risk management takes on the purview of the entire corporation,
has connections to safety, security, facilities, and has many other relationships within the corporation
that BCP will need to develop.

Other locations within the corporate structure that could work for BCP would include the legal
department, the audit department, and sometimes, human resources. These functional areas all have
a broad corporate perspective. Each can carry some risk to BCP though, especially considering the
potential for compromising BCP decisions.

IT Limitations

Having the BCP program report to the technology or computer department severely limits the visibility
of BCP within the corporation, and forces the company to see BCP issues and activities as only a
technology problem. It forces BCP to compete with internal technology projects and maintenance.

Several other conflicts are likely to result, including:

- IT organizations are equipped to address complicated technical issues and problems, but are usually not knowledgeable about business issues. In the majority of cases, IT sees BCP as recovery of complex technology, and often staffs BCP with technicians, not individuals with broad based business skills. Business department heads and personnel sometimes discount the credibility of BCP;
- Critical to the success of a BCP program is the ability to manage through a business disruption. When BCP is located within the IT department, the event management team(s) become more focused on technical issues, and not how to manage the business. Except in rare cases, IT has typically not been accepted as a source of business management expertise, but of support for the technical requirements and resources to facilitate business operations;
- In situations where implementation of a technology solution is in competition with BCP, the technology solution can override any risk factors supporting BCP;
- Testing activities and results are likely to be skewed in favor of the technology side, not the business continuity side. Design choices that result in reduced implementation or operations costs will usually be chosen simply because the impact on the IT budget will not be as great or will be more operationally manageable;
- Allocation of resources, both financial and human, will be used to protect the technical recovery processes, not business processes. Business areas will not be given adequate levels of support to define, understand, identify, and implement solutions to mitigate risk.

Other Considerations

Last, but not least, ideally the BCP program will be granted authority over continuity issues for the
entire corporation and not just a branch or division. Certain BCP issues need to be seen from a
consistent perspective, and not from a local one. Independent BCP spheres of authority will
complicate the ability to share common templates for plan structures, recovery concepts and
strategies, and commonly negotiated contracts and resource agreements.

As in all cases, there are certain to be exceptions that break the rules cited above. At the same time,
BCP is somewhat of a political activity, which best operates within a company when there is little
confusion and even less chance that strongly differing positions on critical issues will affect
recoverability. Strive to place BCP into an environment where authority lines are clearly defined and
needed decisions are not hampered by complex, confusing reporting relationships. In cases where
divisional structure is required, clearly identify and assign accountability over areas and divisions to
reduce conflict and eliminate redundancy.

Dealing with Reality

So, what do you do if, like the family situation, you find yourself reporting someplace other than an
optimal situation?

First, considering your responsibilities within the corporation, determine if and how the reporting
relationship is limiting your effectiveness. If you report inside the IT department and your job is to
recover the data center, then you really don't have a problem. But, if you've been charged with the
responsibility to develop the corporation's BCP program, including business department recovery, then
you'll need to know what's working and what isn't.

It's almost impossible to have an effective BCP program without a steering committee or
cross-functional team, made up of key leaders from the corporation. You can use this team to help
facilitate the implementation of BCP throughout the corporation. Through a continuing relationship
with them, you'll come to have a much better grasp of the corporate issues that will likely arise within
the BCP program. They can also be allies to ensure that the program is getting the resources and
support it needs.

Next, understand the limitations under which you will be working. Perhaps, with the support of those
above you, you can work to overcome some of the issues outlined above, especially as they relate to
competition for financial resources needed for the BCP program.

At a minimum, you'll want your business department customers to know that you're working to support
their needs. They can help you learn more about their business functions, and the issues and
challenges that they'll face in building plans, strategies, and ultimately having to execute their plans
during a business disruption.

Lastly, you can help management understand how the positioning of BCP can have an impact on the
program's effectiveness. They may come to realize the risk the company runs if the program can't get
the support it needs to put the needed resources, strategies, and plans into place.

Regardless of where BCP reports, it's possible to have a successful program. But like everything else
in business, you have to understand the limitations under which you have to work. Knowledge,
combined with perseverance and strong allies, makes the difference.

http://www.recoverychronicles.com/mediapr/enewsletter/june2004/359/article.asp

Consultants Corner: Building an Internal BCP Marketing Program

If a business continuity plan (BCP) Director or Manager is commiserating with you about the tough
parts of the job, one of the things you'll inevitably hear is that building BCP awareness is tough, yet
critical. And if you share stories about this vital part of BCP, you'll find yourself talking about a
newsletter, or maybe sending out Red Cross materials or having an emergency hotline.

All of these and perhaps dozens more ideas are important to awareness, but we all know that BCP is
a tough sell, except perhaps the day after a major earthquake, terrorist attack or hurricane. And even
then it might not be easy. Personally, I think we have to change our approach. We need a BCP
Marketing Program.

Getting the Message Out

When General Motors introduces a new car or Procter & Gamble a new soap, they spend lots of time
and money designing a program to sell their product. Here are some of the characteristics that come
into play:

- Gaining an understanding of the customer: This can be accomplished through conducting surveys, holding focus groups, interviewing, etc. This will give an understanding of what they want from the product and how to best market to them.
- Carefully crafted messages: There might be hundreds of versions of the materials and messages that customers will receive, and it's important that they are clear and understandable to avoid the customer getting the wrong interpretation.
- Carefully selected avenues to get the message out: Options include print, newspaper, radio, internet and even television to get the point across to potential customers.
- A consistent message: Visuals, keywords, documents, features, etc., should all have the same look and feel so that the message is consistent every time it's heard or seen.
- Regular check-ups: Checking back regularly to ensure that the message is being received as it was intended is always prudent.
- Consistency: Repeating the messages over and over again is effective because it always takes a long time for new products to be accepted by a customer base. Yes, some products are hot overnight, but in order to build long-term customer loyalty, it will take some time. It's also important to keep the underlying message about the product the same to build a familiarity with customers.

Why is BCP any different?

If insurance companies can sell insurance with a good marketing program, why can't we sell BCP with
one? It doesn't have to be a huge investment, or take a staff of writers and graphic artists. But we
must recognize that awareness programs require consistent messages delivered over long periods of
time through a variety of media outlets and forms to capture the broadest audience. Perhaps your
corporate communications or marketing areas can help you build a marketing program and keep it
viable.

Your BCP program should also have a logo or icon on all documents, plans, memos and reports to
give it the visibility it needs. Going back to General Motors and Procter & Gamble, consider how
familiar their logos have become. An icon for your BCP program can have the same effect.

There's so much more to BCP than being able to write a plan or call a meeting. We also need to
become more of an expert in how to define a tough concept and market it to our constituencies.

http://www.recoverychronicles.com/mediapr/enewsletter/march2005/418/article.asp

New Survey Examines Third-Party Alternate Site Usage

A recent Strohl Systems and Contingency Planning & Management survey of business continuity
planning professionals found that 43 percent of organizations use a third-party to host alternative
sites. Alternative sites are backup business locations to be used when the primary facilities are
inaccessible.

This survey, conducted online from October 21 to November 4, asked BCP professionals about the
types of products and services they use. Results showed that 35 percent of organizations choose to
use an internal solution for their alternative site strategies. Eight percent use mirroring or shadowing
and four percent indicated that they have reciprocal agreements.

"We have seen an increased interest in internal solutions," said Brian Turley, President of Strohl
Systems. "By and large though, more companies are still using third-party solutions and I don't see that
changing in the immediate future."

Other significant results from the survey are:

Of those that use a third-party solution, 11 percent said the total length of the contract was one
year, another 11 percent said two years, 39 percent said three years, five percent said
four years, and 34 percent said five years.
49 percent of the respondents said they use BCP-specific software with a relational database
to build their plans. 34 percent said they use a word processing program and spreadsheets,
five percent said they use BCP word processing templates, and nine percent said none of
above.
45 percent of the respondents reported that they use a word processing program to conduct
business impact analyses (BIA). 25 percent said they use BIA-specific software, eight
percent said they use a BCP software package, and 19 percent said their organization does
not conduct BIAs.
48 percent of the respondents said they do not use BCP consultants at all while 46 percent
said they use consultants occasionally, when needed. Five percent said they use consultants
to manage the entire program.

The results of the first study, which polled organizations about the focus on BCP following the
September 11 tragedy, are available online at
http://www.strohlsystems.com/CompanyInfo/Survey/Jan_2002.asp.

Results of the second study, investigating BCP budgeting and staffing, are available online at
http://www.strohlsystems.com/CompanyInfo/Survey/April_2002.asp.

The results from the third survey, focusing on BCP activation, are available online at
http://www.strohlsystems.com/CompanyInfo/Survey/July_2002.asp.

UGC Session Spotlight: Defining and Developing Teams

When does a group become a team?
The very success of your BCP Program rests on the answer to this question.

Do you know the answer? And do you know how to help a group of people
become a cohesive team? If you were unsure, then you'll want to be sure to
attend the Defining and Developing Teams session given by Northwestern
Mutual Life's Ralph Borzyczkowski during the International User Group
Conference at the Atlanta Hilton from October 17-20, 2004.

"It seems to me that one of the most vital components of achieving BCP success," says
Borzyczkowski, Coordinator of Business Continuity Planning, "is making sure you have the right
people with the right skill sets applied when and where you need them."

With more than 20 years' experience creating and managing BCP programs for a range of industries
including government, manufacturing, and utilities, Borzyczkowski explains that rather than the BCP
manager understanding all technical aspects of certain recovery actions, it's more important to know
how all the pieces interrelate and be able to put them together correctly. In fact, Borzyczkowski likens
BCP managers to orchestra conductors: "I don't need to know how to play the cello, but I do have to
know when they need to come in and how loud they need to play."

So how do you create your orchestra, oops, I mean BCP teams? Borzyczkowski says that during the
Defining and Developing Teams breakout session he will explain the key points BCP professionals
need to take into consideration. Starting with determining what skills are required for certain roles and
how to identify individuals with the experience to handle the responsibilities, Borzyczkowski will explain
in detail how to build, shape, and mold your recovery teams.

"One of the points I'll be making is how to conduct the initial BCP team meeting and how to schedule
them on an ongoing basis." Borzyczkowski says that team meetings are critical to the BCP process
because they provide a venue for an exchange of information amongst the various groups. "You can
send e-mails until you're blue in the face," he says, "but there is nothing like the team leaders being in
the room and hearing one another. It promotes a cross-pollination of the teams and gives us a chance
to brainstorm. Plus, each team leader walks away with a high-level understanding of what others in the
organization are planning for and doing."

Borzyczkowski believes that real-life examples will help illustrate the points he's making, so he's not
going to be shy about sharing his experiences. "In this business, you learn from your own mistakes
and those of your peers," Borzyczkowski says. "That's why I'll be sharing stories about things I've
been successful with as well as those mistakes you wouldn't want to replicate."

Consultant's Corner: Getting Executive Support for your BCP

Successful Techniques to Garner Executive Support for BCP

How many times has it been said, "There just isn't enough executive support for a BIA, plan
development, or testing"? Budgets are tight, hiring and staffing to fill critical BCP roles are stretched
thin, and attracting the attention of busy executives is sometimes more challenging than asking for
and obtaining that long overdue raise or vacation.

As challenging as it may seem at times, the importance of getting executive support and buy-in for an
organization's business continuity planning (BCP) program cannot be overstated; moreover, it is a
critical component of overall success in recoverability and long-term survival.

Without that buy-in from key executives, a business continuity program will, at best, limp along with
minimal attention to detail. At worst, it is bound to fail at the least opportune moment, placing the
organization in jeopardy. Employees' direction, opinions and perceptions of what is critical and important
to an organization are often taken from the top and shaped by the decisions and opinions of
executive leadership. If an organization's leadership supports a business continuity program, then the
organization's employees will follow the lead.

A successful BCP program ultimately relies on the support given by the executive
decision makers. The following techniques are suggestions to get started in obtaining that important
executive support and buy-in.

Start Small, Be Realistic

Attempting to tackle and sell an entire BCP program with all its components, requirements, and costs
all at once could be asking for trouble. Executive time is usually at a premium and is focused on the
day-to-day operations that make the organization function. Often they have minimal time to discuss a
new and long-term program that might be viewed as nice to have, but not necessarily a must have.

Instead of presenting the risk assessment, emergency response, business impact analysis (BIA), plan
development, strategy, and testing together, consider focusing on and presenting just the initial
component of the BCP program. Start with the BIA or risk assessment. Furthermore, provide enough
detail on the importance of conducting these initiatives, but be cautious not to get excessively
complicated in the detail and risk loss of focus.

Show Value
In the early stages of BCP, look for ways to present the conceptual aspects and benefits of conducting
a BIA. In order to obtain senior management support, present and illustrate the expected benefits
resulting from a BIA. These expected benefits include the knowledge gained in documenting the critical
operational and financial impact exposures, dependencies, and resource requirements. Show how that
data will help in determining recovery strategies.

Also discuss other valuable organizational information that can be derived from the BIA process. This
additional information includes detailed information on process flow engineering that could be used to
help validate existing organizational methodologies. This supplementary information from the BIA can
be used in a variety of ways to help improve the organization's overall business practices.

It is vitally important to identify to senior management the key elements that a BIA will help
identify and the primary focus of the BIA itself, which is gathering and analyzing the critical information
needed to make valid decisions to protect the organization's business practices and assets. However,
use the additional benefits to help sell the program.

Don't Oversell
Most people rely on support from others. However, occasionally things are presented to be something
that they in reality are not. In getting executive management support and approval in a BCP program,
it is particularly important to be as precise and straightforward as possible about exactly what will
occur and not occur with the BCP program.

In addition, displaying a solid understanding of the specific benefits to be gained from continuity
planning will help build confidence in those whose support and approval is needed. Promoting BCP to
senior management and presenting the actual benefits without overselling it will assist in shaping a
framework of mutual trust and respect. As the program moves forward, this will help to solidify ongoing
support.

Identify Costs and Resources First

Costs and resources are always an issue. Be prepared with good estimates on the anticipated
investment of people, time, and money for the program before approaching the executive team.

There are many resources available in the industry to help determine cost, time and human resource
requirements for BCP. Many consulting firms and vendors can assist in this area and provide some
realistic estimates on cost and resource requirements for the typical phases of a BCP program.

Be Available and Committed

The real work begins once a foothold has been established. Often after a BCP concept has been
presented, an executive may want to follow up to discuss the program. This is where support is either
won or lost, based upon the availability and commitment of those in charge of the BCP program. Also
be visible to the executive team as a driver of the program so they understand and recognize the long-
term commitment to the organization's success.

Build Upon BCP Visibility

If BCP was not a consideration in an organization 10 or even five years ago, then chances are this has
changed over the past few years. With increasing geographical exposures, man-made threats, and
regulatory requirements, the need for business continuity is adding up to a call for deliberation
and action in planning in most organizations today.

The good news is that all of this attention to BCP has had a positive effect and influence by
highlighting the need for proactive planning in most organizations. In addition, the increased visibility of
BCP has also assisted professionals in getting a place at the organizational table and has helped
bridge the divide between those whose role is delivering BCP and the executive teams whose support,
acceptance and approval are required for a successful BCP program.

The downside is that there are potentially more stresses and pressures put on organizations than ever
before. Simply having a business continuity plan in place and tested once every few years is no longer
acceptable. Today, annual BIAs and reviews, quarterly plan updates, and bi-annual testing are not
uncommon practices in a growing number of organizations. Leverage the increasing visibility of BCP
and successfully promote it to executive leadership in order to garner the support needed for BCP.

The success or failure of business continuity programs hinges on the level of executive support
received. Uninterested senior managers will often relegate the program to obscurity. In order to be
successful, BCP professionals need to garner executive support and keep it.

Best Practices for Tabletop Exercises

(Editor's note: This is the second of a four-part series, written by Strohl experts, that discusses best
practices for conducting different types of business continuity planning tests and exercises. Last
month featured advice on structured walkthrough exercises. Future articles will discuss functional
exercises and full-scale exercises.)

Having a completed business continuity plan does not mean it will lead to an effective recovery when
employed or that the people assigned to teams fully understand their tasks and responsibilities in a
recovery situation. Only through repeated and continuous testing can planners have a measure of
assurance that the plan will work as designed and personnel will know what to do.

The tabletop exercise is a popular and fairly uncomplicated method of testing a business continuity
plan. This type of exercise provides valuable training to recovery personnel and enables planners to
enhance continuity plans without causing major interference with normal operations.

The Disaster Recovery Institute International (DRII) defines a tabletop exercise as "one method of
exercising teams in which participants review and discuss the actions they would take per their plans,
but do not perform any of these actions. The exercise can be conducted with a single team, or multiple
teams, typically under the guidance of exercise facilitators."

Planning the Exercise

No matter what type of exercise is being presented, it's best to have an exercise planning coordinator
assigned. This person selects the type of exercise to be performed and is responsible for selecting the
components of the plan to be exercised. For a tabletop exercise, it's the responsibility of the
coordinator to:

Identify the objectives;
Develop an initial exercise scenario and narrative;
Identify the participants;
Chair the exercise participants' meetings;
Distribute minutes;
Facilitate the exercise;
Perform a post-exercise analysis;
Develop a scoring method relative to the response of the participants as their plans are
implemented during the exercise.

The Scenario
The key to the tabletop exercise is the scenario. It must be definitive and sensible: a scenario related
to threats that could occur and one that matches the organization's need at the time of the exercise.

The scenario should identify and describe the type of disaster that has occurred and the extent of
damage or disruption to the facility and area. In addition, the scenario should detail what recovery
capabilities are available and the status of backup or recovery resources. Finally, it should outline the
time of the event and duration of the exercise.

During the exercise, the scenario should enable the recovery teams to test the notification procedures
(call trees and contact lists), recovery management, recovery operating procedures (tasks and
responsibilities), the staffing of the teams and overall communications. Consideration must also be
given to limitations as to what can be done in the exercise. It's best to identify any assumptions that
need to be in place for the exercise.

A chronological sequence of events will illustrate the mock disaster by identifying:

The hypothetical moment of the disaster (time of day, day of month, part of year);
The cause of the disaster;
The method of notification;
A description of the events of the disaster leading to the declaration and activation of the plan;
A description of the regional implications;
A description of the role of the civil authorities and their activities during and after the disaster;
Any actions that have been taken prior to activation of the plan;
The damage to the facility;
The status of all personnel;
The status of alternate processing locations, vendors and suppliers, backup storage
arrangements and utilities.

Based upon the effectiveness of the pre-exercise meetings, the exercise will almost run by itself with
team members knowing what has to be accomplished. Exercising is a primary means of training. In
any actual recovery effort, the best team members are usually those who have participated in
exercises.

Post-Exercise Analysis
As soon as possible after the exercise, all participants should meet to discuss, evaluate and document
the exercise results. Topics would include a review of the exercise schedule (i.e., date, time, location),
exercise objectives both logistically and operationally and the identification of personnel who
supported exercise activities.

The planning team should then formulate recommendations based on the events that occurred during
the exercise and start planning for the next exercise.

Consultant's Corner: Best Practices for Structured Walkthrough Exercises

(Editor's note: This is the first of a four-part series, written by Strohl experts, that will discuss best
practices for conducting different types of business continuity planning tests and exercises. Future
articles will discuss functional exercises, tabletop exercises and full-scale exercises.)

With any type of learning, objectives must be set to make it meaningful. This is true of business
continuity planning and exercises. There are several types of exercises planners may choose to test
their plan. One such type is a structured walkthrough.

The Disaster Recovery Institute International (DRII) defines a structured walkthrough as "one method
of testing a specific component of a plan. Typically, a team member makes a detailed presentation of
the component to other team members (and possibly non-members) for their critique and evaluation."

Beyond that, it's an exercise used to review a specific part of a plan in order to obtain feedback from
team members. In addition, it can be used to obtain agreement on strategies, to identify gaps, to verify
assumptions and to gather additional information.

It's important to verify details of a business continuity plan to ensure that various parts of the plan will
work. This is particularly crucial with rather complex plans to ensure a recovery strategy can be carried
out successfully at the time of disaster. Structured walkthrough exercises are mini drills that can be
conducted to ensure parts of a plan work.

The Value of the Exercise

In planning a structured walkthrough exercise, it is important to have specific objectives identified.
Objectives should identify specific outcomes, be consistent with the goals of the overall plan and be
measurable. With objectives in place, an exercise becomes more meaningful and valuable. Results
can be used to improve strategies, training, procedures and many other facets of recovery.

A structured walkthrough exercise promotes collaboration and coordination. Working together and
synchronizing tasks within and between teams are factors that tie the finer details together to enable
successful, faster and/or more effective recovery of a business unit or enterprise. Good ideas can
generate other ideas, making meetings like these worthwhile. A structured walkthrough provides the
circumstances to identify interdependencies between teams and business units.

Structured walkthrough exercises can also identify training needs. While conducting the exercise, it
may become apparent that some team members would be comfortable carrying out designated
responsibilities but may require additional assistance or need alternates. Cross training becomes
necessary. With more complex recovery plans, beginning training with plan components makes
training and learning more manageable and less overwhelming.

Locations
Structured walkthroughs should be conducted at a single facility with the team being tested. If
dependent teams are involved and they are in the vicinity, they can attend the walkthrough at the
facility where it is held. However, many organizations have geographically dispersed offices, and other
methods may be practical, such as conducting the exercise via webinar or videoconference, to enable
team members, alternates, and dependent teams to participate.

Participants
A structured walkthrough exercise is an opportunity to learn if additional clarifying details are needed
in a plan. Experts who may have provided information for plan development but had not seen how the
information had come together will have the opportunity to view the whole plan. The structured
walkthrough demonstrates how the information has been organized and assembled.

As plan details are communicated, the team can consider potential issues, and the situation allows for
group decision-making on how potential problems could be mitigated. Interdependent teams could also
participate to verify any assumptions made about the actions. What-ifs can be introduced into the
discussion to evaluate the team's abilities to respond to various scenarios. Scenarios could range from
simple to complex.

Scoring
If it's decided that an exercise will be measured or scored, scoring criteria can be developed in several
ways but should be established beforehand. Scoring should be meaningful, practical and quantitative.
Everyone involved in the exercise must agree to the scoring method that will be used and understand
it.

The structured walkthrough exercise is an opportune time to discuss how well the plan component will
be able to score and look at potential barriers or bottlenecks that could result in a low-scoring exercise.

Scheduling
Structured walkthrough exercises are good checkpoints during plan development or in preparation for
a larger, more complex exercise. These exercises should be conducted with enough time to follow-up
with identified updates or revisions to meet plan development deadlines. Participation of key
individuals may be more critical in structured walkthrough exercises, especially if they are used for
evaluation purposes to ensure that an important plan component will work.

Exercise Follow-Ups
After an exercise, it's important to summarize the outcome and identify any necessary follow-up
actions. Oftentimes, much discussion will have taken place, making it easy to lose sight of main goals
and objectives. A few good practices and thoughts include:

Briefly review the objectives for the exercise and determine if they have been met.
Highlight the lessons learned, issues identified and any solutions discovered.
What unexpected events turned up and how were they handled?
What were the impacts and what could be done to address situations like these?
Document responsibility and completion dates for follow-up action items.
Briefly document the results of the exercise including objectives, outcomes and follow-ups.
Other details that may prove valuable include: duration, date, location, type of exercise,
participants, method used for conducting the exercise, e.g., in-person meeting, webinar, etc.
Distribute the results to appropriate personnel.

Regular reviews of specific plan components are valuable, not only for recovery from disasters, but for
everyday improvement or troubleshooting, keeping a plan updated, having it ready for auditing and
training. The more exercises that are conducted, the more personnel learn and the better you will be
able to recover. To quote General Dwight D. Eisenhower: "Plans are useless, planning is essential."

Consultant's Corner: Best Practices for Conducting a Functional Exercise

(Editor's note: This is the third of a four-part series, written by Strohl experts, that discusses best
practices for conducting different types of business continuity planning tests and exercises. June
featured advice on structured walkthrough exercises and July focused on tabletop exercises. Next
month we will feature advice on full-scale exercises.)

Exercising a disaster recovery or business continuity plan can be stressful on even the best recovery
planner. When plans need to be tested, many methods exist. Often, management wants to see that all
plans are tested and that systems and business functions can recover from even the worst scenarios.
Because holistic testing of all plans simultaneously is potentially a logistical nightmare, and often
difficult to evaluate, you may need to consider narrowing the testing focus to one or two functions at a
time. This type of test is known as a Functional Exercise.

The Functional Exercise is as close to recovery -- without actual movement of people or equipment --
as an organization can get. It is a simulation designed to test procedures and personnel in relation to
recovery of a critical function.

The primary goal of a Functional Exercise is to evaluate and test the recovery procedures for a critical
function in reaction to a specific simulated event. It is generally focused on exercising the plans,
policies, procedures and staff knowledge of the recovery requirements and tasking. The objective is to
execute specific plans and procedures and apply established policies, plans and procedures under
crisis conditions. The Functional Exercise requires the presentation of complex and realistic problems
that require specific responses from test participants.

The key components of a functional exercise include a realistic scenario, a controlled environment,
timed information release, detailed evaluation criteria and personnel in the roles of exercise controller,
simulators, players and evaluators. People in these roles have the following responsibilities:

Exercise Controller: One or two individuals to lead and moderate the exercise;
Simulators: To lend authenticity to the unfolding scenario;
Players: To react to information provided by utilizing plan documentation; and
Evaluators: To determine the effectiveness of the simulated recovery effort.

It may take several weeks to prepare detailed scenario and evaluation materials relating to the
function being tested. It is important to fully understand the planned recovery strategy and recovery
event timing prior to developing the test scenario.

The scenario should be realistic and therefore based on an event that could plausibly happen to the organization.
Scenarios should include specific times and dates of events. The first time a functional exercise is
conducted, avoid the introduction of mass casualties. It is permissible to simulate injuries, or to place
key personnel out of reach (e.g., the supervisor who wrote the majority of the plan may be
unreachable atop Mt. Kilimanjaro for the next two weeks). This enables other members of the team to
use the procedures as documented and identify missing details.

Identification of what to test is equally important. Determine what function(s) will be tested such as
accounting and finance or customer service. There are two schools of thought when it comes to
prioritizing the testing of plans. One is to start small and work up to more difficult functions. The other
is to test the most critical functions first. It is often considered best to conduct the first test on the
recovery of a small but critical business function. This will help work out the testing logistics and
timing. The second and succeeding tests should be conducted based on criticality of each function.

If testing a function such as accounting and finance, it is important to understand each of the critical
processes and their recovery timeframe. In addition, understand the process dependencies within the
accounting and finance plan. An example of likely processes tested for an accounting and finance plan is
illustrated in the chart below.

Controlling the exercise is critical to success. The controller should set the stage for the test and
provide rules necessary for a successful test. Critical control components include:

Detailed knowledge of disaster recovery and business continuity planning policies;
Demonstrated executive management support;
Documentation of timed information release;
Script development for simulation participants;
Scenario time clock (disaster + minutes / hours);
Player instructions and rules that include simulated usage of only off-site materials and usage
of specific plan tasking;
Evaluator worksheets that allow the documentation of problems encountered and solutions
identified;
Test recap documentation (inclusive of plan change requirements and strategy revisions); and
Follow-up meeting(s) with participants to review lessons learned and to emphasize importance
of implementing changes to the plans.

The environment is typically stressful due to the need for teams of players to communicate in an
orderly manner with other teams. This communication can be managed in writing or via phone. If in
writing, runners should be available to bring questions from one table to another. If via phone,
numbers for each team table should be published.

Keep in mind that the test may last several hours and breaks are to be taken as often as needed.
Allow participants to be objective concerning their own procedures and to make suggestions that may
enhance their recovery capability. Constructive suggestions can be made by each team in support of
their needs relating to other teams. These suggestions should be documented by the evaluator at
each table.

A table should be provided for each team, the controller and management and simulators (who also
are available to run notes from one table to another). Tables should be set up with note pads, pens,
phones, three-part memo forms (1. recipient team, 2. evaluator, and 3. coordinator / management) and
water.

At each stage of information release it is important to recap key accomplishments such as access to
recovery site(s) and restoration of computing infrastructure. As new information is presented, the
scenario time clock should be advanced. Allow sufficient time for appropriate tasks to be reviewed and
accomplished by each team. If critical issues cannot be resolved (e.g., it is discovered that backup
copies of information needed to recover are not stored off-site) note the problem and proposed
solution and instruct participants to proceed as if the problem was resolved.
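The control components listed above (a scenario time clock, timed information release, evaluator worksheets and a test recap) can be kept straight with a small exercise-controller helper. The following is an added example, not code from the original article or from Strohl; the injects, team names and issue text are constructed for illustration. It advances a "disaster + minutes" clock, releases each scripted inject to its team exactly once when it falls due, logs an evaluator issue that cannot be resolved in the room and marks it "proceed as if resolved", and produces the recap with plan change requirements.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Inject:
    """One timed piece of scenario information handed to a team."""
    at_minute: int   # scenario clock reading: disaster + minutes
    team: str
    message: str


@dataclass
class Issue:
    """An evaluator-worksheet entry: the problem met, the proposed solution,
    and whether players were told to proceed as if it were resolved."""
    at_minute: int
    team: str
    problem: str
    proposed_solution: str
    proceed_as_resolved: bool


class ExerciseController:
    """Keeps the scenario clock, releases injects as they fall due, and
    collects issues and milestones for the test recap."""

    def __init__(self, injects):
        self._injects = sorted(injects, key=lambda i: i.at_minute)
        self._released = set()
        self.clock = 0
        self.issues = []
        self.milestones = []

    def advance_clock(self, to_minute):
        """Move the clock forward (never back) and return the injects that
        became due, in scenario order; each inject is released only once."""
        if to_minute < self.clock:
            raise ValueError("scenario clock only moves forward")
        self.clock = to_minute
        due = [i for i in self._injects
               if i.at_minute <= self.clock and i not in self._released]
        self._released.update(due)
        return due

    def log_issue(self, team, problem, proposed_solution, critical=False):
        """Record a problem from an evaluator worksheet. A critical issue the
        players cannot resolve in the room is flagged so the exercise can
        continue as if it had been resolved."""
        issue = Issue(self.clock, team, problem, proposed_solution, critical)
        self.issues.append(issue)
        return issue

    def recap(self, accomplishment):
        """Note a key accomplishment at the current clock reading."""
        self.milestones.append((self.clock, accomplishment))

    def pending(self):
        return [i for i in self._injects if i not in self._released]

    def recap_report(self):
        """Test recap: what was released, what was not, and the plan change
        requirements derived from the issue log."""
        return {
            "clock": self.clock,
            "released": len(self._released),
            "pending": len(self.pending()),
            "milestones": list(self.milestones),
            "plan_changes": [(i.team, i.proposed_solution) for i in self.issues],
            "simulated_resolutions": sum(1 for i in self.issues if i.proceed_as_resolved),
        }


# Constructed sample injects for a fire scenario; team names are hypothetical.
SAMPLE_INJECTS = [
    Inject(0, "Crisis Management", "Fire alarm; building evacuated, no re-entry expected today"),
    Inject(15, "IT Recovery", "Data center is inside the evacuated area and is inaccessible"),
    Inject(60, "Accounting and Finance", "Payroll file must reach the bank by 10:00 tomorrow"),
    Inject(60, "Crisis Management", "Plan author is out of reach for the next two weeks"),
    Inject(240, "IT Recovery", "Recovery site reports floor space and network are available"),
]


def release_schedule(injects, clock_readings):
    """Number of injects released at each successive clock reading."""
    ctl = ExerciseController(injects)
    return [len(ctl.advance_clock(t)) for t in clock_readings]


def run_sample_exercise():
    """Walk the sample scenario through three stages and return the recap."""
    ctl = ExerciseController(SAMPLE_INJECTS)
    ctl.advance_clock(0)                 # disaster declared
    ctl.advance_clock(60)                # three more injects fall due
    ctl.log_issue("IT Recovery",
                  "Backups needed to recover the ledger are not stored off-site",
                  "Rotate nightly backups to the off-site vault; add the task to the plan",
                  critical=True)         # note it, then proceed as if resolved
    ctl.recap("Command center established at the alternate site")
    ctl.advance_clock(240)               # recovery site becomes available
    ctl.recap("Recovery site access confirmed")
    return ctl.recap_report()


if __name__ == "__main__":
    for key, value in run_sample_exercise().items():
        print(f"{key}: {value}")
```

The controller refuses to move the clock backwards and never re-releases an inject, which keeps the "timed information release" record trustworthy when the recap is written; the issue log is the source for the plan change requirements and strategy revisions the recap documentation is meant to capture.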

Once the logistics have been organized, have fun. Provide some unimportant but humorous details to
the scenario as it unfolds. Or, provide awards to teams for things like the loudest table, the most
overcrowded table, the table that drank the most water, the first table to use up all of their supplies or
the table receiving the most phone calls.

If people enjoy the test, the atmosphere will be more relaxed. The more relaxed they are, the more
willing they will be to participate in the learning process and that is the ultimate goal of the exercise.

Consultants Corner: Best Practices for Full-Scale Exercises

Editor's note: This is the fourth of a four-part series, written by Strohl experts, that discusses best
practices for conducting different types of business continuity planning tests and exercises. June
featured advice on structured walkthrough exercises; July focused on tabletop exercises and August
discussed functional exercises.

A full-scale exercise is the only type of exercise that enables an organization to come as close to
recovering from a disaster as possible and therefore, the closest an organization could come to
verifying its ability to continue operations in a real disaster. It is the most complex type of exercise and
could last several hours to several days. Careful planning and execution are critical to avoid
interference with actual production or operations.

Aside from all the other benefits that come with exercising recovery plans, such as building confidence
in recovering and continuing operations following a disaster, a full-scale exercise is an incredible
opportunity to create awareness. It also requires considerable preparation and follow-up. Senior
management support and commitment is essential as several months to a couple of years may be
required for coordination, planning, administration (of the actual exercise) and follow-up.
Structured walkthroughs, tabletop, functional, and isolated operational exercises (e.g. recovering a
server in a test or lab environment) are helpful and recommended in preparing for participation in a
full-scale exercise.

Participants
A full-scale exercise could be limited to the organization and its management, business and IT units,
crisis management, communications, facilities/security, risk management/insurance, legal, HR, internal
audit, and/or purchasing/receiving teams.

A full-scale exercise is also an opportunity for an organization to interact with other organizations,
private or public, including: key vendors, customers, the community, offices in other cities, states or
countries, primary responders in the public sector (e.g. local, state or federal emergency management;
police; fire; emergency medical units; hospitals; Red Cross; FEMA; military), educational institutions,
utility service providers, public transportation or animal care organizations.

Full-scale exercises lend the circumstances for personnel, who might otherwise only meet or work with
each other for the first time in an actual disaster, to work together in person, to develop and enhance
relations and understand and improve communication styles.

The Scenario: Putting the Whole Story Together

Careful planning of the scenario and scripts should include all scheduled participants. It is important to
create very realistic scenarios as well as exercising basic aspects of the plan. Well thought-out
sequencing of events to ensure all parts fit together at the right time with the right people is essential
to the flow of the exercise as individuals realistically act or react to responses provided. However, if the
exercise starts to go awry, it is the job of designated personnel, such as exercise masters, adjudicators
or umpires to make necessary adjustments to keep the exercise going smoothly. Script writing for a
full-scale exercise involving multiple situations occurring simultaneously, could be equated to writing a
movie script that will be acted out in real life but without room for second takes.

Scheduling
Scheduling as far in advance as possible, avoiding other critical deadlines an organization may have,
major holidays or other events in the area, enables better preparation and increases participation.
Teams have time to develop clear and meaningful objectives, update plans, and train for and practice
their roles and responsibilities before the big event. Scheduling logistics, such as obtaining locations
and people's time, can get quite complex depending on the number and types of sites and participants
involved.

Working with the Media


If the exercise will involve external agencies, it is a good idea to provide the media advanced
notification and for the media to provide advanced notification to the general public so they are not
alarmed if they see a mass casualty incident down their street, for example. Work with the media to
identify strategic locations where they can set up their equipment and observe the exercise without
being inadvertently mixed into it, unless that is actually part of the scenario.

This type of exercise provides a very good setting for practicing with the media and strengthening the
media communications plan. Understanding how to meet the media's demands will increase their
likelihood of receiving and delivering more factual messages to the public in an actual event.
Exceptions for media involvement would be exercises involving highly confidential information.

Safety and Security


Whether it is gaining security access to an internal or vendor recovery site, ensure there are
procedures in place and that recovery site and recovery team members know these procedures so
that only authorized personnel are allowed into restricted areas. Proper registration and visibly wearing
officially distributed identification are not uncommon with full-scale exercises involving multiple
agencies or organizations.

On the Big Day
Use of vendor sites and equipment may be charged by the hour, so arriving early to be able to begin the
exercise on time is highly desirable. Participants may also need to arrive early to register and report to
their assigned posts. Volunteer victims may need to be prepped or staged.

Identifying a way to officially start the exercise is a small but noteworthy element to prevent confusion,
particularly if the exercise includes external organizations. An exercise could begin with a phone call or
e-mail/text message to various exercise officials. Depending on the way the exercise is structured, other
announcements, such as basic ground rules and the first part of the scenario, may also be revealed at this
time.

Conversely, it is also important to have a way to officially stop the exercise in the event that a real
incident would occur and a true response become necessary.

During the Exercise


A good practice during any exercise is to try and maintain a certain calm. Keeping calm is essential for
clear thinking and therefore good decision-making and proper actions taken.

Another good practice is to have assigned team scribes for logging progress, objectives met or unmet, and
issues or discoveries made during the exercise. These notes feed the post-exercise (and post-disaster)
activities, including debriefs, analysis, reporting and recommendations for improvement; their value is
far-reaching, particularly in an exercise of large magnitude, because it is easy to quickly forget important
details when there are a lot of things going on in an unfamiliar environment.

After the Exercise


Formal acknowledgment of everyone's efforts as soon after the exercise as possible is paramount in
showing appreciation as well as for garnering continued support for post-exercise and future exercise
activities. A post-exercise debrief, also known as a hotwash or post-mortem, should be kept somewhat
structured but informal so participants feel comfortable contributing their observations from the
exercise. Such meetings typically occur immediately after or within a few days of the exercise. Emphasize
that the intent of the exercise is for it to be beneficial and one from which all participants can learn. Be
sure to include input from management on their perspective of the exercise. Valuable information is often
captured in post-exercise meetings for plan improvements as well as successful planning of future
exercises.

In addition to the debrief, more in-depth meetings with teams for review and analysis are also important
for addressing team-specific details or lessons learned. This information is useful for evaluation and
education and for identifying improvements for response and recovery to an actual event as well as for
future exercises.

An extensive investment of time and money goes into the planning and execution of a full-scale
exercise. Reports of results may be distributed as appropriate to management, stakeholders, recovery
teams, employees, vendors, customers, investors, and the media, as well as to the industry via
articles, presentations at conferences or association meetings. The content and sensitivity of
information reported will, of course, vary according to the audience and the sensitive nature of the
exercise conducted. Identified improvements, for example, may be confidential and should only be
shared with the respective organization.

In addition to fulfilling certain industry requirements for conducting exercises, full-scale exercises are
the best form of hands-on training for disaster preparedness. And, as a result, they exhibit
management's commitment and dedication for managing disasters and continuing operations.

Business Continuity and Pandemic Preparedness


The challenges that we will face in a pandemic will be vastly different from other response situations.
An influenza pandemic is likely to occur almost simultaneously across countries and communities. It
will demand that every aspect of our communities be self-sufficient, able to deal with the outbreak of
illness should it hit. Political leaders, employers, school leaders, healthcare leaders, faith-based and
community organizations, families and the media must all be informed, engaged and actively involved.

U.S. Department of Health and Human Services, March 13, 2006

Avian Flu
The threat of a pandemic is nothing new. In the past few years we've heard of monkey pox, SARS and
West Nile Virus. Why is the threat of an Avian Flu pandemic different?

In terms of human history, pandemics happen rather frequently. Major influenza pandemics were
recorded in 1918, 1957 and 1968. The Spanish Flu of 1918 killed an estimated 20-50 million people
worldwide. Infectious disease experts think the world is due for another major outbreak.

The current virus that is causing the most concern is the avian or bird flu. It is caused by Influenza A
viruses that occur naturally among birds. A type of avian flu, known as H5N1 is of most concern. As of
March 8, 2006, H5N1 has been detected in 37 countries on three continents and has infected 175
people, 96 of which have died.

Currently, there are no known cases of H5N1 being transmitted from human to human. Should it
evolve, however, it could become a pandemic. While the probability that H5N1 can mutate into a
pandemic is still relatively low when compared to other risks an organization may face, its impact could
be huge.

The World Health Organization (WHO) has estimated that between two and 7.4 million deaths could
occur worldwide. In addition, if H5N1, (or some other disease) was to reach pandemic status, it could
cause significant disruptions to businesses and organizations worldwide. The International Monetary
Fund has predicted that H5N1 could cause a sharp but only temporary decline in the world
economy. The IMF further advised businesses to step up their continuity planning in the face of this
threat.

What Planners Need to Know


Pandemic planning is unlike planning for natural disasters or other disruptions. There will be no
physical damage to operations or facilities; the damage will most likely manifest itself in high levels of
absenteeism. Also, the disruption will not be over and done with quickly. Pandemics usually come in
waves. Each wave lasts six to eight weeks and subsequent waves gain in intensity. Organizations
could experience two or three waves of the pandemic that span the majority of a year.

The major issue organizations will have to deal with is unavailability of key personnel. The employees
may be deceased, sick, caring for a sick relative or simply afraid to come to work due to the possibility
of coming in contact with people who may be contagious. Organizations will have to consider
alternates and cross-training of personnel, teleworking procedures and revising and clarifying human
resource procedures regarding absenteeism and potential travel and meeting restrictions.

Secondly, organizations need to be concerned about suppliers who may be decimated by absenteeism for
the same reasons as noted above. Alternate suppliers and work-around procedures should be considered in
the planning process.

Along these same lines, the organization should stockpile cleaning supplies. This will ensure that if an
employee or visitor becomes ill, the facilities can be disinfected quickly to mitigate the spread of the
disease. Planners should also identify several cleaning services to sanitize facilities if needed.

Other materials that may need to be stockpiled include food, drinking water, cots, masks and surgical
gloves. Should an organization come under quarantine, either by local health officials or through
voluntary isolation, planners need to have a process in place to feed and house employees.

Finally, and most importantly, communications is crucial. Planners need to provide personnel with
information regarding the status of the plan. For example, WHO has identified six phases of a pandemic;
H5N1 is now in phase 3. Planners should build plans with triggers keyed to the WHO phases. If the situation
changes and WHO updates the status of H5N1, planners should communicate the new information to
employees, along with any tasks they are expected to perform in light of it.

Survey: Business Continuity Budgets Rising

Continuity professionals have always had concerns about the amount of resources they receive to
build plans, but there is good news in regard to business continuity budgets. The amount of money
organizations are spending on continuity is on the rise, according to a survey jointly conducted by
Strohl Systems and CPM-Global Assurance.

The survey found that 35 percent of the 459 respondents have an annual business continuity budget
over $500,000 (US), compared to only 30 percent who said their budget was that high in 2003 and 26
percent in 2002.

The survey also found that more organizations are building comprehensive business continuity plans.
Sixty-nine percent said they had a plan that covers all business units, 22 percent reported that their
plans only cover critical functions and nine percent said their plans only cover IT functions. Four years
ago, only 55 percent had a comprehensive plan, while plans at 24 percent of the organizations
covered only critical functions and 21 percent covered only IT functions.

Other findings from the survey include:

Which department in your organization is responsible for business continuity planning?
30 percent said the information technology (IT) department was responsible for BCP, 21 percent said
they had their own BCP department, 15 percent responded that risk management handled BCP, 10
percent said security, six percent said financial, and 18 percent chose Other. Other replies included
various committees, operations and emergency management departments.

What is the title of the executive sponsor of your organization's BCP program?
Thirty percent said a vice president was in charge of planning, 16 percent said it was a chief
information officer (CIO), 13 percent said it was either a CEO or president, 11 percent said manager,
eight percent indicated CFO and 22 percent said Other. Other responses included COO or committee.

How many years has your company had an established BCP program?
50 percent said they had a program in place for 1-5 years versus only 13 percent who have had a
program for less than a year. Thirty-eight percent of organizations have had a program for more than
five years. In 2003, 18 percent had a program for less than a year and only 32 percent had a program
for more than five years.

How many employees are involved in planning and plan maintenance in your organization?
47 percent responded less than 10, 30 percent said 10 to 50, nine percent said 50-100 and 14
percent indicated that over 100 employees were involved in the effort. In 2003, only 45 percent said
they had less than 10 employees involved.

"It's encouraging to see organizations making a greater investment in business continuity," said Brian
Turley, President of Strohl Systems. "But it is most encouraging to see that the number of organizations
who are building a comprehensive program is on the rise. A plan that covers all aspects of the
organization is the best way to make sure you are ready to prevail over a disruption."

The full results of the survey can be found at www.strohlsystems.com/MediaPR/TopNews/Surveys.asp.

Case Study: Why Any Plan is Better Than Having No Plan

Having difficulty getting a business continuity program started isn't as unique a situation as one might
think. Budget cuts, lack of management support, staffing or resources can all be to blame. Regardless
of these issues, it's vital that companies make it work and do whatever it takes to begin the planning
process. As we are all aware, a disastrous event can happen at any time, whether it be from human
error or good old Mother Nature. The following is an example of such a situation.

Getting it Together
A few years ago, I was on a consulting assignment for a company that was dedicated to implementing
a business continuity planning program. Their commitments were in place and the program was slowly
progressing. The organization had two facilities separated by only a few city miles, but they were on
different power grids and serviced by different central telephone offices. One facility housed much of
the back office operations while the other was mainly the data center.
All the critical resources were defined through a business impact analysis performed in the first phase
of the program. These identified resources included employees, teams, tasks/responsibilities,
processes (in recovery priority), equipment, software, vendors, clients, vital records and supplies. All of
this critical information was placed into LDRPS, which the organization utilized in support of the
development phase of their continuity plans. Plan drafts were produced, updated, and distributed for
review and the training phase was in the process of being prepared. Training was to consist of a
walkthrough with the key recovery personnel from each group/department plan.

All of these procedures went according to plan, but again, as you're most likely aware, a disastrous event
can happen at any time. In this organization's case, on a late Friday afternoon at one of their facilities, an
electrical contractor made a critical error and caused two major events: destruction of the power
distribution center for the entire multi-story building, which in turn led to the second, a localized fire at
the distribution center that filled the entire building with a white acrid smoke, forcing the tenants to
evacuate. Vehicular traffic was blocked for the surrounding two blocks, and tenant employees were scared
and confused. Many had no idea what was expected of them.

The Aftermath
What went right? Since the department managers were involved in the BIA and were working on plan
reviews, there was an understanding of how they were to respond to an incident:

1. Key individuals reported to the designated Command Center at the alternate location (the data
center) and began to identify the resources needed to initiate the recovery.

2. In the existing telecommunication recovery plan, main telephone numbers that handle inbound calls
were identified. These numbers were routed to a large conference room at the alternate site.
Additional telephones were also installed and manned by designated staff. Messages were logged and
forwarded to the proper personnel via hand delivery.

3. Vendor reports, critical since they supply a consolidated listing of companies the organization
utilizes for replacement of critical resources, provided the necessary resources to support personnel at
the alternate site.

So what went wrong? Since the planning program was still in development, there were a couple of key
areas that almost brought the recovery process to a halt:

1. At the Command Center, a few management personnel reported and offered suggestions on how
the recovery should be directed. These individuals were not identified as essential and at times, were
actually a hindrance. Calmer heads prevailed and these people were reminded they had no role in the
recovery since they were not assigned any responsibilities or tasks in the recovery process.

2. The second and most significant area was that of the hot site vendor. Contract negotiations were
underway and vendor policy is to not supply services or enter into a contract if a company is
experiencing a disaster while a contract is being negotiated. Fortunately, this was not a regional
disaster and the vendor (either out of sympathy or business savvy) permitted access to their recovery
services as contract details were quickly finalized.

As a result of this stroke of good luck, the major critical applications and functions were recovered and
operational at the hot site and the staff was ready for the opening of business on Monday. Although the
primary location repairs were completed in time for business that same Monday morning, there was
concern that power to the facility might not be stabilized. Because of this, the decision was made to
remain at the hot site for two additional days. By Thursday morning the primary location was
completely functional.
Initial Vital Steps
This organizations success story can be attributed to them taking those first initial steps toward
implementing their continuity planning program. Even though there were only drafts in place with
absolutely no testing having been done, the leaders completely utilized what little they had and the
result was an effective restoration of their critical processes. Imagine if their planning program was
never initiated or thrown on the back burner. It's safe to say that the company would have had
problems in being ready for the opening of business not just on that Monday morning, but possibly well
into the week.

Personally, I don't believe that management often questions the need for a planning program (from a
regulatory perspective or even as just good business sense), but as stated before, its a matter of just
getting started.

Survey Says: Best Practices for Business Continuity and Crisis Communications

Over half of the respondents to a recent survey feel that their business continuity plan could not
withstand wide-scale communications failures in the event of a large regional disaster. But the news is
better for organizations that use an automated emergency notification system: 68 percent of the survey
participants who use an emergency notification system said their organization could withstand a
wide-spread communications failure, while only 43 percent of those who do not use one thought they
could recover effectively following a Katrina-like event.


Overall, fifty-two percent of the 669 business continuity planning (BCP) professionals who participated
in the jointly conducted Strohl Systems and CPM-Global Assurance survey said they didn't think their
plan would hold up in the event of communications failures, while 48 percent thought their plan would
work despite those possible outages.

"Having stable communications is vital to the success of a business continuity plan," said Brian Turley,
President of Strohl Systems. "After Hurricane Katrina struck the Gulf Coast, we all saw first-hand how
recovery can be hampered by a lack of effective communications. Following each and every disaster,
we always hear about that one means of communications that worked all the way through. After 9/11 it
was Blackberries and after Katrina and the London subway bombings it was SMS text messaging. The
key is to diversify your communications strategy. You can't just rely on one or two means of
communications to get your message out. Today, you need five, six, seven, or more ways to
communicate."

Approximately 25 percent of the survey participants said they use an emergency notification system,
27 percent said they plan to explore purchasing one and 48 percent said they do not use an
emergency notification system.
"Clearly, organizations who use an emergency notification system are much more confident in their
ability to carry out their business continuity plan if they experience a regional disaster," said Turley.

The survey also revealed other interesting facts about how organizations view BCP and crisis
communications post-Katrina. Some of the findings included:

67 percent have reviewed their organizations BCP emergency notification procedures since
Hurricane Katrina struck;
84 percent of the BCP professionals said their organization has a plan in place to contact
employees prior to known disasters (hurricanes, winter storms, etc.);
Only 37 percent of the respondents indicated that they have reviewed their communication
providers business continuity plans. Of those who have, 60 percent thought their plan could
withstand a regional communications outage. Of the 63 percent who havent reviewed their
communication vendors plans, only 42 percent thought their plan would work in the event of a
wide-scale outage; and
54 percent of the respondents have tested their call tree in the last six months, 25 percent in
the last month alone. Another 13 percent have tested their call tree some time in the past year,
eight percent last tested their call tree over one year ago and 25 percent have never tested
their call tree.

"Organizations that take business continuity seriously plan on a comprehensive basis," said Turley.
"Effective business continuity planning programs plan for the possibility that communications may be
sporadic at best. These organizations take the time to evaluate and purchase an emergency
notification system, review their communications providers' business continuity plans and test their call
trees."

Further results of the survey can be found at http://www.strohlsystems.com.

Survey Says: Majority of Organizations Now Use Internal Recovery Sites

A recent survey jointly conducted by Strohl Systems and CPM Global Assurance has found that 51
percent of organizations now use an internal hot, warm or cold site as their primary alternate site
recovery strategy. Thirty nine percent use a third-party alternate site, four percent have a reciprocal
agreement and six percent indicated none of the above.

This marks a drastic change in the business continuity industry. When the same question was asked in
October 2002, 43 percent said they used a third-party provider and only 35 percent said they had
internal recovery sites.

"As the cost of equipment has continued to decline, many companies are acquiring the knowledge to
build their own internal recovery sites," said Brian Turley, President of Strohl Systems. "This trend has
really accelerated over the last several years and many of our customers are coming to us asking if
we can assist them with building an internal site."

Other results of the survey include:

When asked which event most concerns them from a continuity of operations perspective, 49.2 percent
said accidental disasters, 36.5 percent indicated natural disasters and 14.3 percent responded intentional
manmade disasters such as terrorism.
27 percent of the respondents said they use a virtual command center when testing or activating their
plans.
The majority of respondents indicated they receive strong executive support for their BCP
program. On a scale of 1-5 (5 being tremendous support and 1 being weak support) 57.8
percent said they would rate the level of support as a four or five. Only 5.1 percent rated their
executive support as a one.
Thirty-three percent of the respondents said they use an automated notification system (up 8.2
percent from October 2005) and 26.2 percent said they plan to explore this solution.
Fifty-eight percent have exercised their plan in the past six months, with nearly a quarter of all
respondents having tested it in the last month. Conversely, 17 percent have never tested their
plan and nearly seven percent tested their plan over one year ago.

"By all accounts, business continuity plans should be tested on at least an annual basis," said Turley.
"It is good to see the majority of organizations doing this, but the number of organizations with an
untested plan is still too high. Those organizations are needlessly risking their operations by blindly
trusting an untested plan."

The survey was conducted from Oct. 11 - 26 and included 322 responses from all major industry
sectors. CPM-Global Assurance is a monthly publication that focuses on business continuity, security
and emergency management and can be found on the Web at www.contingencyplanning.com.

Conducting a BIA for Evolving Industry

by Don Hughey, Senior Consultant, Strohl Consulting Services

When a business entity recognizes the need to develop a prudent corporate posture to survive today's
unexpected disruptions, it's necessary to take a fresh perspective of the company's mission-critical
operations and its individual operating units. However, the mission-critical functions of the company
may not be as obvious or apparent as they once were. Taking stock of priorities before proceeding is
essential in today's world of morphing industry. Today, we find company dynamics complicated by
mergers and acquisitions. Workflow that once moved independently within separate organizations now
must come together in a new stream. The new organization's processes and supporting automation
may consist of many separate design and development efforts. So how does one start?

Prior to developing and documenting a recovery program, it is wise to revisit the entire organizational
structure. It is important to identify the specific areas that provide the primary financial contributions or
operational controls necessary to keep the company viable.

This process should begin with understanding and defining the recovery requirements. The most
important of these requirements is reestablishing each business function with an adequate recovery
time-window for each. It is essential to ensure that the correct and most cost-effective recovery
strategies are chosen.

The business impact analysis (BIA) has evolved as the recognized vehicle for defining and
documenting business continuity requirements. However, the BIA, or its equivalent, should analyze the
business processes needed to define the type of programs requiring implementation. In some cases,
the financial loss may be so great, or the operational controls so critical, that providing for
uninterrupted production is necessary.

When establishing a business continuity planning (BCP) team, it is imperative that each operating
unit assigns a business coordinator(s) and department level participants to assist the BCP team.

The business coordinator will be expected to do the following:

assist the BCP team to define the specific business functions within the operating unit
assist in developing or approving a specific business unit's BIA questionnaire
provide work space at the operational site for the BCP team's presentations, interviews, and
workshops when necessary
identify the proper BIA participant from each business function to assist in defining the unit's
recovery requirements
assist in scheduling meetings with the BCP team and its participants
coordinate the distribution, completion, and collection of BIA questionnaires
schedule presentations of the BIA findings and recommendations to the proper steering
committees

The BIA questionnaire should contain questions intended to gather all information listed as
expectations from the participants. Questions should be designed to lead the participants through a
logical thought process. The questionnaire should begin with something simple and familiar, such as
describing the functions of a department. Impacts should be considered by timeframes, such as the
first day, second day, first week, second week, etc., progressing through the first potential month of
disruption.

Participants must be knowledgeable in the operations of their business functions, including the unit's
operational impact and the financial implications of a business disruption. Disruptions may or may not
include the availability of the operating unit's location, as well as the interruption of supporting
technology platforms. These facilities are obviously dependent on various utilities such as power,
water, and communications.

The participant will be asked to provide information, such as the following:

description of the service performed by the unit
operational controls affected by potential disruptions
financial implications of disruptions
staffing levels currently supporting the business function of an operating unit (both employees
and contractors)
minimum staffing levels to operate under emergency conditions, including special contracted
skills
resources required by the operating unit in normal conditions and over time, such as work
space, office equipment, communications (both voice and data), computing platforms and
application systems, and vital records and supplies
critical time periods for the business function
backlogs of work in normal course of business and backlog accumulation during downtime
historical data relating to previous disruptions
special skills or licensing required for staffing the business function
dependencies on internal and external sources for the workflow of the business function
reliance of internal or external functions and units on the information or service supplied by the
business unit

Several methods are effective for answering the BIA questionnaires. Here are two:

1. Distribute the questionnaires to the participants after reviewing their content and intent. The
participants can answer the questions at their own pace and return them for review. This
method should be followed by an interview with each participant to resolve any issues found in
the initial review.
2. Bring the participants together in a workshop and have the answers provided by the
participants. This method requires a major research and planning effort on behalf of the
moderator prior to the workshop in order to move through the questionnaire in reasonable
time.

After the BIA questionnaires are completed, the process of analysis and summarization can begin.
Analysis and reporting findings are the key to obtaining management concurrence and funding.

As we move into the next century it will continue to be important to take stock often of your BCP
efforts and methodology to keep up with today's changing industry climate. It will also be increasingly
important to account for flexibility when setting standards. In the next article we will touch on these
issues as well as take a closer look at analysis and reporting.

http://www.recoverychronicles.com/MediaPR/enewsletter/7_1/32/article.asp

Reporting Business Impact Analysis Results, II

by Don Hughey, Strohl Systems Senior Consultant


In his last issue Don presented the process for initiating a business impact analysis. He
took you through the selection of the proper participants and creation of the survey
questionnaire. This article picks up with the assumption that you were successful in
distribution and eventual receipt of the completed questionnaires.

If you were diligent in the design and creation of the questionnaire, you now have all the
information you need to analyze the requirements of the business units, select the proper
recovery strategies, develop the plans, and start the training programs. Simple isn't it?

Well, there are a couple of steps still to be done in the business impact phase. At this point in your
project, participants should have provided such information as the following:

description of the service(s) performed by each operating unit, business process, and business
function
operational controls affected by potential disruptions
financial implications of disruptions
staffing levels currently supporting the business function(s) of the operating unit (both
employees and contractors)
minimum staffing levels to operate under emergency conditions including special contracted
skills

Resources required by the operating unit in normal conditions and over time during emergencies, such
as the following:

work area space
office equipment
communications (both voice and data)
computing platforms and application systems
vital records and supplies
most critical time periods for the business function
backlogs of work in normal course of business and backlog accumulation during downtime
any historical data relating to previous disruptions
special skills or licensing required for staffing the business function
dependencies on other internal or external sources for the workflow of business function
reliance by other internal or external functions on the information or service(s) supplied by the
business unit

If you elected to use the Strohl Systems BIA Professional tool for your project, you should already
have the formats necessary to print the associated reports and graphs for your questionnaire. If you
did not use the BIA Professional tool, you should create a database and the necessary reports to
analyze your information.

Begin your analysis with a summary review of each category of data as well as the detailed
information for each business process and business function. One of the primary concerns should be
to assure that the total financial exposure approximates the actual revenues of the business. This is
the first sanity check. It is not unusual to find that several survey respondents have taken the credit for
identical revenue streams. A similar review will determine if the reported resources approximate actual
resources.
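The timeframe roll-up recommended for the questionnaire and the revenue sanity check above, as an added example that is not from these articles or from the BIA Professional tool; the response records, dollar figures, revenue divisors and the rule of counting each shared revenue stream once are constructed assumptions.

```python
"""Added example (not from the Recovery Chronicles articles): a sanity-check
pass over BIA questionnaire responses.

Each constructed response reports a function's cumulative financial loss by
timeframe (first day, first week, second week, first month) and names the
revenue stream that loss comes from, if any. The check rolls the losses up
per timeframe, compares total exposure with the revenue the business actually
earns in that window, and flags revenue streams that more than one respondent
has claimed in full, so those respondents land on the follow-up interview list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TIMEFRAMES = ("day_1", "week_1", "week_2", "month_1")

# Assumed: annual revenue divided by these gives the revenue earned in each window.
REVENUE_DIVISOR = {"day_1": 365, "week_1": 52, "week_2": 26, "month_1": 12}


@dataclass
class BiaResponse:
    unit: str
    function: str
    revenue_stream: Optional[str]   # stream whose loss this respondent reported, if any
    impact: Dict[str, float]        # cumulative loss in dollars, keyed by timeframe


# Constructed sample: Order Entry and Fulfillment both claim the retail order
# revenue in full, the double counting the article warns about.
ACTUAL_ANNUAL_REVENUE = 12_000_000.0
SAMPLE = [
    BiaResponse("Sales", "Order Entry", "retail_orders",
                {"day_1": 25_000, "week_1": 175_000, "week_2": 350_000, "month_1": 700_000}),
    BiaResponse("Operations", "Fulfillment", "retail_orders",
                {"day_1": 25_000, "week_1": 175_000, "week_2": 350_000, "month_1": 700_000}),
    BiaResponse("Finance", "Wholesale Billing", "wholesale_contracts",
                {"day_1": 10_000, "week_1": 60_000, "week_2": 120_000, "month_1": 250_000}),
    BiaResponse("HR", "Payroll", None,
                {"day_1": 0, "week_1": 0, "week_2": 30_000, "month_1": 60_000}),
]


def exposure_by_timeframe(responses: List[BiaResponse]) -> Dict[str, float]:
    """Raw roll-up: total reported loss per timeframe, exactly as submitted."""
    totals = {tf: 0.0 for tf in TIMEFRAMES}
    for r in responses:
        for tf in TIMEFRAMES:
            totals[tf] += float(r.impact.get(tf, 0))
    return totals


def duplicate_revenue_claims(responses: List[BiaResponse]) -> Dict[str, List[str]]:
    """Revenue streams claimed by more than one function, with the claimants."""
    claims: Dict[str, List[str]] = {}
    for r in responses:
        if r.revenue_stream is not None:
            claims.setdefault(r.revenue_stream, []).append(r.function)
    return {stream: fns for stream, fns in claims.items() if len(fns) > 1}


def deduplicated_exposure(responses: List[BiaResponse], timeframe: str) -> float:
    """Count each revenue stream once (its largest claim); non-revenue losses add up as reported."""
    per_stream: Dict[str, float] = {}
    other = 0.0
    for r in responses:
        loss = float(r.impact.get(timeframe, 0))
        if r.revenue_stream is None:
            other += loss
        else:
            per_stream[r.revenue_stream] = max(per_stream.get(r.revenue_stream, 0.0), loss)
    return sum(per_stream.values()) + other


def sanity_check(responses: List[BiaResponse], annual_revenue: float,
                 timeframe: str = "month_1", tolerance: float = 0.15) -> dict:
    """Compare total exposure with actual revenue for the window and build the interview list."""
    expected = annual_revenue / REVENUE_DIVISOR[timeframe]
    raw = exposure_by_timeframe(responses)[timeframe]
    dedup = deduplicated_exposure(responses, timeframe)
    dups = duplicate_revenue_claims(responses)
    return {
        "timeframe": timeframe,
        "expected_revenue": expected,
        "raw_total": raw,
        "raw_within_tolerance": abs(raw / expected - 1) <= tolerance,
        "deduplicated_total": dedup,
        "deduplicated_within_tolerance": abs(dedup / expected - 1) <= tolerance,
        # every claimant of a shared stream gets a follow-up interview
        "interview": sorted({fn for fns in dups.values() for fn in fns}),
    }


if __name__ == "__main__":
    for key, value in sanity_check(SAMPLE, ACTUAL_ANNUAL_REVENUE).items():
        print(f"{key}: {value}")
```

On the sample, the raw month-one exposure comes to 171 percent of actual monthly revenue, while counting the shared retail stream once brings it back to 101 percent and puts both claimants on the interview list.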

Where variances can be identified, you should begin to create your interview scripts. Each respondent
to your survey questionnaire should be scheduled for a follow-up interview. Be courteous and brief
yourself on the contents of each survey prior to meeting with the respondent. These interviews should
not require more than forty-five (45) minutes to an hour each.

The advantage of this approach is that you are able to speak to specific issues with your participants
about the information they have previously had the opportunity to consider. There should be no "cold"
interviews. Frequently, you will find that you are able to validate, edit, and improve the respondent's
initial answers. Update your database with the revisions and recreate your summary and detailed
reports and graphs.

It is not unusual to have workpapers at this point that may include several hundred pages of data.
Obviously, all the data will be entered into the planning process; however, determine which issues are
truly significant enough to report. The executive committee that will provide your funding will probably
want to see no more than a 10 to 15 minute presentation of summary data, which is key to the funding
approval process. Keep the executive summary report to a few graphs and no more than one or two
pages.

Create a detailed report for distribution to the participants. But again, remember to include only
pertinent information since you have all your detailed graphs, charts, and reports to back up your
report.

I frequently provide the detailed report only after determining the recovery strategies and associated
costs to be recommended for implementation. You can then publish a combined document containing
the recommended strategies, their costs, and your logic supported by the appropriate survey details.

Knowing how to approach your BIA can be just as important as knowing your vulnerabilities. And
following simple but necessary steps can make your BIA effort more efficient, thorough, and can save
you a lot of headaches later on.

http://www.recoverychronicles.com/MediaPR/enewsletter/7_2/55/article.asp

Why Do So Many Information Protection Programs Fail?

Tom Peltier

The missing factor in an effective information protection program is employee involvement. Many
organizations go to great lengths to develop an extensive set of controls and countermeasures,
purchase the latest technology, design in audit trails, and print out security logs, and still security fails.

Oftentimes this is the result of not understanding the culture and direction of the organization and its
employees. To develop an effective information protection program, it is helpful to examine "war
stories" to see where controls failed in other organizations. Inevitably, these stories expose six key
elements that lead to the breakdown of information protection programs.

The Big Six

Uncontrolled or Inadequate Access

An employee working for a manufacturing facility in the Midwest was passed over for a promotion.
Wanting to know who was better qualified, he decided to access the human resources system. Once
in the system, he found that employees were listed by job classification bands and then rated
numerically based on their last appraisal. He felt that this was some good information, so he printed it
out and then made enough copies to post on bulletin boards, coffee machines, and in the cafeteria.
The investigation turned up who was responsible for the postings and, during his exit interview, it was
learned that he had gained access by using the director of HR's password. The HR director's
password was still the default new-user password: the first four characters of his last name.

In November 1988, Robert Morris, Jr., a graduate student in computer science at Cornell, wrote a self-
replicating program called a worm and released it on the Internet. The program was flawed, and it
began to replicate and re-infect machines at a much faster rate than he had anticipated. In 1988, there
were almost 62,000 Internet host systems, and it is estimated that Morris brought down about 10
percent of those systems. The estimated cost of dealing with the worm at each installation ranged
from $200 to more than $53,000. Today there are nearly 20 million Internet host machines and a worm
of the Morris magnitude could cause genuine havoc.

The ability to control access to systems, data, and information is a vital element of any information
protection program. As these examples show, this first line of defense is often easily breached and
problems can occur.

Vague or Undefined Responsibilities

A large engineering firm was converting to PCs and having employees move mainframe applications
to their desktops. Rules were changed and the customers were not informed. After about six months in
the new processing environment, an office administrator called the help desk to request that her Excel
spreadsheet be restored. The help desk directed her to the LAN administrator. The LAN administrator
asked for her backup diskettes. She asked the LAN administrator about the backups that operations
normally used to restore her old mainframe applications. Without the necessary backups it proved
impossible to retrieve the Excel spreadsheet.

A construction firm in Atlanta had a rather lax backup and storage policy for diskettes. It seems that
one weekend 50 diskettes disappeared from the offices. Of these 50 diskettes, 10 were considered to
be crucially important. These 10 diskettes were so critical to the operation of the corporation that if
they were not found the company faced the real possibility of going out of business. They were in the
process of taking out an ad in the Sunday papers. They would offer a reward, no questions asked.
Luckily, the ad never ran. The police discovered that a maintenance employee had taken the diskettes
home and was reformatting them so that his kids could play games on their new home computer.
"People don't leave out important diskettes, do they?" was his defense. Just by sheer luck did this
company avoid disaster.

Backups have always been a sticking point in the information systems environment. With the
movement to distributed processing, the need for users doing and storing backups has increased.
Oftentimes, though, the users aren't informed as to what their responsibilities are. If backups of a
workstation are done at all, they are normally stored in the same area as the workstation and the
same diskettes are reused.

Inadequate Training of Personnel

The use of e-mail in business is spreading rapidly, and in many organizations the e-mail system is now
the place for office gossip and other conversations unrelated to work. Although some of the exchanged
information on e-mail is personal or frivolous, the system also frequently carries vital organization
information. The information mix raises many moral and business issues that must be addressed.

In a recent Detroit Free Press article, two companies that were in litigation because of alleged
discrimination lost their cases because of e-mail messages uncovered in the discovery process. In
both instances, private communications between supervisors contained language that was used by
the plaintiffs' attorney to support their clients' claims. In each case, the message could have been just
an off-hand remark made between two colleagues. These off-hand remarks cost each company
financially and in their public image.

With e-mail, there is a false sense of privacy. But e-mail correspondence is as private as a post card.
Many employees fail to understand the need to protect classified information. When working through
the courts to determine if information is in fact a trade secret, the courts look for four keys:

1. There was some cost to develop this product or process;
2. The product or process will provide some form of competitive advantage;
3. The product or process is not generally known;
4. The information is kept secret both externally and internally.

Where most organizations fail is in the need to keep the information secret both externally and
internally. Many employees fax sensitive information in clear text or will discuss such information over
cellular or wireless phones. When this behavior occurs, the information is no longer confidential and
becomes public domain.

Unnecessary Temptation

All too often employees are able to stay in a job assignment long enough to determine what would
trigger an audit or review. One such individual worked for the federal government as an analyst. This
person was responsible for reviewing expense reports and then submitting them directly to
disbursement for printing. No one checked his work. In fact no one questioned any of his activities until
a mortgage processor couldn't make his assets match his earnings. This individual was paying almost
solely in cash for a $350,000 home in the Washington, DC area, had a number of very expensive
automobiles, country club memberships, original oil paintings, and was re-married with two children.
He was able to afford all of this on a salary of $40,000 per year and while paying $1,000 a month in
child support.

It seems that he discovered that many departments were not using all of their travel and expense
money. With what little was left over, it seemed a shame to turn it back to the government so he began
to create expense reports for himself. Over an 18-month period he wrote checks to the tune of $1.2
million. Had it not been for the mortgage processor, his scheme might never have been uncovered.

When it comes to the loss of company secrets, one of the most dangerous and hardest to spot threats
is the trusted employee. The most likely candidates are employees who may have incurred large
debts due to gambling habits, personal circumstances, or drug use. According to Insights magazine,
10 percent of workers are abusing drugs and/or alcohol on the job. Other reasons include involvement
with labor/management disputes or individuals who have entrepreneurial personalities. The typical
computer criminal is a non-technical user of the system or application who has been around long
enough to figure out what would cause an audit.

Disgruntled Employees

During a corporate downsizing, a company's LAN administrator was let go with two weeks' notice.
Feeling that he was being treated unfairly, he decided to put a 4 megabyte cap on the system
directory. Three months after he left, the office came to a halt until the problem could be found and
corrected.

The Business Software Alliance (BSA) and Software Publishers Association (SPA) have installed
hotlines to get and supply information on copyright compliance. Last year BSA got 7,000 calls on its
hotline, about half of them were employees who wanted to report companies that were using
unlicensed software. Of the calls to complain, nearly 500 resulted in cases with recoveries reaching
almost $4 million.

The possibility that a disgruntled employee may provide problems for a company is a very real threat
these days and needs to be addressed.

Password Problems

When Commonwealth Films, Inc., was shooting the video "Mum's the Word," the director was setting a
scene that had an employee's password taped to the side of the terminal. The technical advisor was
concerned that what was being shown was outdated. The company where the video was being made
had an extensive employee awareness program that stressed password security. Leaning into the
cube across from the video setup, the technical advisor asked, "If you were going to post your
password, where would you do it?" The woman pointed to a note on her workstation and said, "Mine's
right there."

The Internet is also a threat to passwords. Password sniffer programs monitor a system's network
interface port and collect login information, including passwords. After the program is put into the
system, the attacker is able to obtain privileged status on a target host system.

When doing an initial security review, looking for passwords may be no more difficult than turning over
a keyboard, opening an unlocked middle desk drawer, flipping to P in a rolodex or looking for a note
posted to the monitor.

Sensitive Information in the Trash

Stealing people's garbage is easier than most people think, and it also provides a wealth of
information. Most trash bins are placed with easy public access and the good spy will always dip in.
An owner of a bottled gas company in the Midwest proudly boasted to friends and colleagues that he
rooted around like a pig in his competitor's dumpster and was able to get their customer lists.

The 2600 magazine - the quarterly guide for the American hacker - ran an article on how to become a
member of a contract cleaning crew to gain access to companies.

The Supreme Court has ruled that the Fourth Amendment does not prohibit the search of garbage
placed outside the premises. It is legal! Many private investigators now openly advertise garbage
retrieval services. Your trash is valuable, so encourage the destruction of all waste paper. Provide
shredders to meet the needs of all employees, both at work and away.

What to Do?

Obtain senior management approval and support

Tie security issues to business objectives and/or the mission statement. In order to sell an effective
program and get the buy-in from senior management, it will be necessary to identify to them how this
process will improve the organization's mission. Every organization has a bottom line; find out what it
is and make sure security issues are always discussed in terms of how they will support that goal.

Establish Enterprise-wide Policies

The key to any successful program is to have published policies. The policies must meet the needs
and the culture of your enterprise and customers. When developing policies, remember to keep things
simple; information should be short and to the point.

Implement an Enterprise-wide Awareness Program

It is vitally important to keep the message in front of employees. It is not sufficient to just publish the
policies. Employees must be made aware of their existence. Annual policy reviews should be
implemented for all employees. Because of the legal implications, contract personnel may need to
review the policies during contract negotiations.

Implement an Enterprise-Wide Business Continuity Plan

Organizations must develop and regularly test business continuity plans. Aside from the legal and
regulatory requirements, the investment in an effective BCP makes good business sense and supports
the concept of protecting the corporation's assets. A documented and tested BCP displays
management's due diligence in protecting stakeholders' investment in the enterprise.

Monitor Compliance

Whenever a new security project is about to begin, the staff should take an evening or two and do a
walk-about. Walk through the office environment and check to see the current level of compliance to
some very minor security controls. During this initial review, check for five key elements:

locked offices;
locked desks and file cabinets;
locked and password protected workstations;
diskettes are locked in a secure location;
any additional information is securely locked away.

These five controls will provide a good indication of the current level of concern over computer and
information security. Normally the non-compliance levels during this initial review will be 90 percent
and higher. Use this information to gauge the information protection program's effectiveness by doing
another walk-about after the program has been rolled out.

Another key element in monitoring compliance is to establish a positive working relationship with
the audit staff. Audit and information protection are concerned with the same issues. It can be very
beneficial to work together to present a consolidated front in getting security controls accepted.

Make Compliance an Appraisal Item

Most employees are required to read and sign an annual conflict of interest statement. Work with the
audit staff to create a similar document for information security. This document could be included with
the conflict of interest statement and reviewed annually with the employees.

Summary

Just as steps are taken to protect employees, it is just as necessary to involve the employees in
protecting information assets. Information must be protected from unauthorized access, modification,
destruction, and disclosure. If the enterprise fails to do this, there will be a loss of customer
confidence, competitive advantage, and ultimately jobs.

The message of information protection must be published and presented to the employees through an
effective awareness program. This program must include regular reminders as to the need to protect
corporate assets and who is responsible for protecting those assets.

Information protection is not rocket science. It is taking basic business principles and applying them to
the information assets of the enterprise.

The BCP Sell to Executives is Tough, but Does It Have to Be?

Selling BCP to upper management has always been a challenge. But the problem may be in the way
you're presenting continuity planning, not the BCP concept itself. The bottom line is that when
communicating BCP ideas and proposals, you have to stop being a planner and start being a
salesperson.

We know that's easier said than done. So here are some tips you can use to transform your BCP
presentation into a BCP sales pitch.

What's In It for Me?

Executives make business decisions based on facts, and those facts habitually center on investment
and return. If an executive spends $20 million to build a new facility, you can be sure the projected
return has been calculated and banked on. Therefore, it makes sense for business continuity
professionals to present BCP programs to senior managers in terms of return on investment, rather
than introducing a multitude of technical details, potential disaster scenarios, and recoveries.

Unfortunately, most business continuity professionals don't have much experience thinking about how
they will formulate their pitch because they approach BCP from a different viewpoint. Typically a bunch
of data, PowerPoints, and handouts are gathered without stopping to think about the objective: how
long do I have and what are the executive's key interests?

Executives are very busy and their time is valued, so go in with concise facts and conclusions that
explicitly state what you want and why. If you present a solid, compelling case in five minutes, an
executive may spend two hours with you to figure out a game plan. But if you take 15 minutes to
explain ineffectively what is needed, the executive may dismiss the entire proposal. Obviously, it is
important to go in armed with a "hook," something that will immediately grab the executive's attention.

Knowing something about the executive's interests helps, too. They are inclined to give more time to
issues that are important to them, rather than how many hurricanes hit Florida last year.

You should think of executive managers as customers and yourself as a salesperson. Good
salespeople first listen in order to determine the customer's wants -- not necessarily their needs. Most
of the time, people buy what they want, not what they need. For instance, many contingency planners
will claim that their recovery time objective (RTO) is 24 hours. They also realize that what the business
needs is an RTO of eight hours; however, they know the executives won't spend the extra money to
shorten the RTO. Inevitably, then, they end up selling them what the executive will buy, not what they
actually need.

How to Approach the Big Objection

Most people hate objections. But salespeople expect objections and prepare for them. Of course, the
most common objection is, "Why should I spend money on this when we've never had a disaster?"
Rather than hoping the question will be avoided, take it head-on. Be prepared to explain why
contingency planning is a prudent business decision. And don't be afraid to bring it up before the
executive does. When questioned about money or any facet of a pitch, you don't want to say, "Wait, I'll
get back to you." You may not get an opportunity for follow-up; this could be your one-and-only shot.

Reference Selling

Another way to avoid objection is to formulate a solid reference sell: "If companies A and B, our two
biggest competitors, already have these sorts of plans in place, shouldn't we?" For example,
companies aren't driving to the Internet because executives recognize its tremendous potential but
because everyone else is. If an executive thinks he or she will need to allocate money for web
development to stay competitive, that same psychology can be used to garner money for BCP.

What business would want the competition to take customers away because it was down and
vulnerable and didn't have a plan? Here again, BCP can be presented as a return on investment that
keeps a company ahead of the game. Pointing out what other companies do and how their BCP
places them in a better financial position can help to legitimize your BCP budget requests, as it puts
the executive in the position of wanting to stay competitive.

The Power of Fear: Don't Underestimate It

No executive wants to explain to stockholders and customers why the company doesn't have a plan in
the heat of a crisis. And no CEO wants his or her picture on the front page of newspapers because the
company had to lay off 1000 people because it failed to prepare for a disaster. Additionally, the Foreign
Corrupt Practices Act implies that CEOs are potentially criminally liable if they leave their companies
vulnerable to an avoidable situation. And even if executives have bylaws that protect them from
actually going to jail or losing their homes, stockholders or board members still can sue them
personally.

As a BCP professional looking for buy-in, this is not an obscure threat but a risk reality. Stockholders
will ask, "Why weren't we prepared? We have a manufacturing plant in Kansas, and we never thought
about a tornado? We have an office in Florida, and we never thought about a hurricane? We have a
headquarters in California, and we never thought about an earthquake?"

BCP is Insurance
Present BCP as another type of insurance. Your company spends a considerable amount of money on
fire insurance, and you've never had a fire. They'll spend money on liability insurance and never face a
lawsuit. Would you expect your executives to say, "Let's cancel the insurance to save money"?

Point out that BCP is actually better than insurance. Insurance only pays for loss after the fact; BCP
protects before the fact. Additionally, insurance is limited in what it may pay to replace infrastructure,
such as a distribution plant, not to mention the customers and employees you lose while waiting for
the new building.

Power in Numbers
Don't try to sell senior management on BCP without enlisting allies. Your pitch will be much more
effective if you can point to other departments and explain how their managers believe BCP will
benefit them too. Allies can include managers from sales, marketing, IT, security, human resources,
and facility planning.

For example...

- Sales: A company selling its products to just-in-time manufacturers can use its business
continuity plan to demonstrate that product will be delivered despite any business disruption.
- Human Resources: As a requirement of OSHA and other government agencies, your HR
department needs to report employee health and safety information at certain times. Some
BCP planners may not think of that as part of their contingency plans, but it is.

It is, therefore, possible for planners to approach different departments and say, "Here's how we can
help each other." The departments can benefit from having a plan in place, and you can use those
departmental allies to further demonstrate the need for BCP.

The Visibility of The Web

One of the most dramatic developments in contingency planning is the Internet. People are trying to
figure out how to use it to enhance their businesses. The CEO and other executives are discussing it.
The board of directors is asking the CEO why the company isn't doing more with it.

The Internet is so highly visible that it dramatically increases the risks to companies. Use this to your
advantage. For example, in a traditional brick-and-mortar business, if computers go down, there's still
product on the shelves; no one knows that there has been a 24-hour interruption. But if someone is
buying online and your website goes down for even half an hour, someone will know it right away.
Although the Internet has enhanced a company's ability to move product to market, it also has caused
an incredible increase in reliance on technology and, therefore, an incredible increase in the need for
business continuity planning. Lucky you.

Beyond using the presence of the Internet to point out the increased need for planning, you can use
the Internet itself to make contingency plans visible to every level of the business. A BCP home page
on your intranet can include a list of employees trained in CPR, recovery team contact information,
escape routes from facilities, test schedules, access to BCP software, etc. Use that fact to show the
easy accessibility of your BCP program.

Obtaining executive buy-in becomes easier with contingency plans more visible. Contingency plans of
the past, even if they were automated, resided on somebody's laptop or in binders on a shelf.
Nobody else saw them. Now, plans can be where every person in the company can see them.

Occasion, Contemplation, and Effort

Combining sales techniques with available technology, information, and industry insights will go a long
way in securing greater visibility, respect, and understanding for your BCP endeavors. But in the end,
executive buy-in is only as good as the time, thought, and effort put into the BCP pitch. Use these
simple suggestions to put yourself in a better position for success. Ultimately, you will garner the
means and resources to elevate your BCP programs to levels that best protect everything you work so
hard to achieve.

About the Author

A certified business continuity professional, Ted Brown offers in-depth seminars on selling contingency
planning to executive management and negotiating alternate site contracts. Before joining Strohl as a
vice president, he was a sales executive with IBM and led its Business Continuity and Recovery
Services division from zero revenue in 1989 to hundreds of millions in 1998. He can be reached at
tbrown@strohlsystems.com or 800-634-2016.

Consultant's Corner: How to Motivate Employees for BCP

The harsh reality of business continuity planning (BCP) programs in most organizations is that a very
few BCP professionals are charged with leading and managing the efforts of a large employee
population, wherein each person has a full plate of responsibilities and other bosses. Even in
organizations where good BCP practice is a fundamental expectation or critical compliance
requirement, BCP related activities rank remarkably low in employee interest.

So, how does BCP leadership motivate the people they need to produce the desired results? How
does one find the necessary skills and devotion to develop successful initial plans and keep them
working toward better, tested plans as the business changes? What might make an employee want to
volunteer time to work for BCP?

Many of your firm's employees volunteer their time and talents to activities that reward them even
though there's no paycheck involved. Look around your workplace. You'll see evidence of volunteer
behavior in the form of office decorations, commendations, plaques, etc. However, each person
considering a volunteer role develops a personal evaluation of needs, wants and possibilities before
they agree to lend a hand. This self-interest inventory includes three major groups of motivational
levers.

Personal: Any activity that expands personal horizons or requires skills not used at work may be
attractive. Personal enrichment, pride in achievement, participation in a team effort, solving problems,
learning something new or teaching others may be sound personal reasons to volunteer.

Professional: Any activity that offers improved career prospects may be worth the time. Public
recognition of personal achievement, participation on a successful team, gaining training and work
experience, improved job security, skill and business knowledge recognition and positive performance
appraisals can be powerful motives to volunteer.

Community: Any activity that can enhance a person's visibility or status in the organization may be a
community motivator, a reason to volunteer. Situations or projects that offer increased exposure to
senior management, leadership, professional enrichment, recognition or advancement opportunities
will drive involvement.

BCP leaders should recognize what motivates people to contribute something other than their normal
job and pull those levers with participation offers and rewards that satisfy them. It's not shameful or
two-faced to do this. In fact, it may be the only way to creatively engage people who are not
accountable to the program but who are essential to its success. Here are some examples to consider
for building this approach and the motivators to which they appeal.

Motivation & Engagement Tactics. Motivators: Personal / Career / Community (one X per applicable
motivator, shown in brackets after each tactic)

Skills & Knowledge Recognition

Preparation: Consider the skills and knowledge available to the program today, where they currently
exist and what is needed to take the next steps or for the long term. Investigate ways to advertise
these needs, capture information received and track progress toward goals.

- Advertise for business process, technical, project management or other knowledge required to
tackle business continuity problems. Publicly recognize the contributions. [X]
- Post a directory of skills and the names of skill holders willing to help others with building
continuity plans, strategies and tests of all types. [X X X]
- Include holders of BCP industry certifications, internally trained personnel and those who serve
emergency service-related roles in their home communities in the skills directory. [X X X]

Good Idea Awards

Preparation: Identify the types of rewards, notes, issues and certifications that the program will issue
to acknowledge volunteer participation and good works. Consider the timing of awards and which
types apply to which participants or groups to ensure even-handed appreciation.

- Best workaround solution [X X]
- Best risk reduction or mitigation idea [X X]
- Great test scenario or approach [X X]
- Catch of the quarter: critical business or technology change, plan efficiency gap closed, etc. [X X X]
- BCP Hero of the Month [X X]
- Lessons Learned, the hard way (make it humorous but not embarrassing) [X X X]
- A how-to you can use [X X X]

Program Participation Recognition

Preparation: Work with human resources to ensure recognitions and awards are appropriately logged
in personnel files in a way that managers will include them in the employee's performance evaluation.
Classify those recognitions that may contribute to career advancement.

- Personal notes from program and/or sponsoring executives to the employee. [X]
- Personal notes to participants' managers thanking them for making the employee available to
help out. [X X]
- Training hours taken or classes conducted [X X]
- Testing veteran: hours of test participation in functional, simulation or alternate site tests [X X]
- Number of tests designed and managed [X X]
- Plan development team reward for initial plan completion and walkthrough [X X]
- Hats, team pins, pennants, shirts etc. for completing a difficult set of test objectives (in time,
under budget) [X X]
- Team depth award for teams that test successfully with alternate members (the primaries were
out of town and the plan still worked) [X X]

Training & Enrichment Opportunities

Preparation: Offer training in how to succeed within the BCP program on an ongoing basis. Publicize
the opportunities broadly, reward achievement with a note in personnel files and distribute certificates
worthy of display. Keep a BCP program-specific record of participation levels, dates and skills
evaluation.

- Offer emergency preparedness organizations opportunities to present personal/home safety and
security and disaster recovery practices to employees. Provide or sponsor emergency kits to
participants for home use. [X]
- Offer BCP and related training on a variety of topics and competency levels (e.g., risk
assessment, mitigation techniques, business continuity concepts, plan & strategy building, test
planning, preparation, execution, change management, performance tracking, related software
tools instruction, etc.). [X X]
- Offer leadership training opportunities to employees preparing to fulfill high-impact or
high-visibility roles in executing continuity plans. [X X X]
- Offer public, media relations and internal communications training to designated corporate
spokespersons and alternates. [X X X]
- Encourage funded participation in CEU-rated classes or functions directly related to the BCP
program, including progress toward professional certification where practical. Encourage the use
of achieved certification levels on business cards. [X X X]
- Solicit ideas for additional training needs periodically. Post ideas under development for
feedback and interest in attending. [X X]
- Develop and deliver internal BCP conferences, user groups and road shows using a combination
of volunteer, sponsor and external presenters to deliver your messages and training. [X X X]

Nearly all these tactics will engender a positive sense of community around BCP, an essential reward
for volunteering. The cumulative effect of publicly acknowledging volunteers is to make others take
note and want to join, just what your program wants and needs. However, if your program doesn't
meet at least one of the basic motivational needs, employees will continue on a business-as-usual
basis until extra effort is mandated or a motivator comes along.

Be honest and clear about what is needed from employees. Select those persons whose skill,
knowledge or position are essential to the program's success, but don't limit the outreach. Open a
dialog with all employees to uncover the untapped and interested employees, then nurture their efforts
with "job well done," "great idea," or "look what we saved" recognitions. Done well, this approach will
pull the motivation levers where help is needed and spread the word that BCP is alive and well.

About the Author

Abby S. De Lotto, MBCP, is a Senior Consultant and Project Director with Strohl Systems. As a senior practitioner
of more than 18 years, she has extensive crisis planning experience and in-depth knowledge of business
continuity methods and practices. She has been published in numerous periodicals on a variety of disaster
recovery and business continuity topics. She can be contacted at adelotto@strohlsystems.com.

Q & A: Why Test?
The difference between a business continuity plan and a business continuity plan that is regularly
tested is immeasurable. How important is it to frequently test your plans? It could be no less than a
matter of life and death.

Strohl Consultant Dennis Oldham sums up the key to testing in three words: "Practice, practice,
practice!" He went on to explain that most companies that exercise their plans on a regular basis feel
that they can handle a recovery situation, but many are never as ready as they could be. There are so
many little things to consider, and it's vitally important that every one of those little things be tested.

Some common questions regarding testing include:

Q: What types of tests are there?

A: There are several different types you can perform, ranging from minimum preparation to the most
complex. The most popular types are:

- Structured Walkthrough: The most basic type of test, which takes place in a group meeting setting
where the main purpose is to ensure that critical personnel from all areas are familiar with the BCP.

- Tabletop Drill: The participants choose a specific event scenario and apply the BCP to it. The main
goals here are to practice team interaction, as well as decision-making and problem-solving skills.

- Functional Testing: A drill that involves the actual relocation of personnel to another site in an
attempt to establish communications and coordination as defined in the BCP. The main focus here is
to test the emergency management capabilities of groups in an actual recovery situation.

- Full-Scale: The most comprehensive type of test. With this test, all or most of the BCP is put into
action. The main goal here is simple: to simulate an actual recovery situation as closely as
possible. The exercises in this case usually are longer, and should evolve and develop just as they
would in an actual crisis.

Q: I'm confident that my business continuity plan is complete and capable of helping us recover from a
disaster. Why must I regularly test it?

A: There's a big difference between believing that your plans are able to sustain continuity and knowing
that they can. Really the only way you'll fully realize if they can is by testing them. It's also important to
understand that your plan is a living document, and is never really finished. As your organization
changes, so does your BCP.

Q: How can I automate testing?

A: Using Incident Manager, you're able to organize all of your essential recovery details electronically
and in turn, manage your recovery more effectively by replacing chalkboards, grease boards,
flipcharts, and paper updates. You can also use Incident Manager to test the viability of your plans and
make necessary adjustments prior to a real-life business disruption.

Q: What goals should be achieved with every test?

A: A test can be considered worthwhile only if the results are analyzed and compared against your
original objectives, and then acted upon.

Ask yourself these important questions:

- Were the test objectives completed?

- What gaps did we find?


- What actions must we take to bridge those gaps?

- What approach should we take for our next test?

Oldham sums up testing this way: "A good test will reveal the flaws in your plan. If
you conduct an exercise and find nothing wrong, you didn't dig deeply enough. If
you find that even the rookies on your teams can get through a test easily, you
have a good plan."

More information about BIA Professional and Incident Manager can be found here
or by contacting Strohl Systems at 800 634-2016 or at info@strohlsystems.com.

Consultant's Corner: Developing Business Continuity Awareness

Karen Donoughe, Strohl Systems Consultant

Many business continuity planners have run headlong into the brick wall of apathy when trying to
foster awareness in their organization. A lack of commitment from senior executives or a non-existent
motivation among plan builders can doom the program to failure from the start.

Clearly, an organization that has built strong awareness around business continuity planning has the
advantage of greater buy-in from plan builders and executive support when it comes to acquiring
needed resources.

When the majority of an organization's employees don't buy into the planning process, it results in a
plan that is not maintained or tested. The plan may get completed, but it will be bare minimum and
lack details at best. In a worst-case scenario, when senior management neglects business continuity
planning, the planners are left without enough resources or motivation to get the plan completed.

Here are some simple things business continuity planners can do to help build and nurture BCP
awareness across the organization.

For those dealing with flagging executive support:

- Use third-party groups such as auditors, regulators or customers to help show the importance
of business continuity planning.
- Show them how your competitors are building business continuity programs.
- Use the program to generate publicity for the organization. Publicize exercises to the local
media and community to show the organization's commitment to ongoing operations.
- Use an emergency notification system such as NotiFind to make some more mundane
organization announcements such as benefits changes or inclement weather closures.
- Use current events to underscore the importance of business continuity planning. News
stories about companies going out of business due to disruptions are a great source for this.
In the wake of the Minnesota bridge collapse, a number of government agencies began
circulating memos to all departments to determine if a similar disaster could occur in their
jurisdictions. Plans were reviewed to see if they were prepared to deal with a similar scenario.

For those dealing with apathy among the rank and file:

- Make BCP part of the business unit manager's job description and ensure that it is included in
their annual review. For example, a large pharmaceutical company was experiencing a
problem with BCP accountability. They added business continuity into performance reviews
and plans were then completed on time and more thoroughly. It also promoted discussion
between employees and their managers and with other departments, raising awareness of it
throughout the organization.
- Mention the plan in internal publications often.
- Make exercising the plan fun and always bring food. A lunch and learn at a state agency
featured MREs (meals ready to eat). Attendees were grossed out initially, but it provided a
talking point and when they tasted them they were actually surprised.
- Have the marketing department produce give-aways that highlight the importance of BCP.
Home disaster kits are a great idea.
- Social events make it something they want to attend versus something they dread.
- Instruct employees about fire prevention and home preparation.

Some other ideas to help generate support and awareness across the organization include:

- Provide public recognition of personal achievements in BCP. Has someone in your
organization developed a successfully executed plan, or been more involved than anyone
else?
- Use BCP tools for other purposes to generate familiarity and comfort. For example, several
companies have used BIA Professional to take lunch orders, host cookie baking contests or
survey employees about paint colors.
- Include articles about BCP in your organizational newsletters and on your Intranet website.
One major financial services company even made sure that a link to the LDRPS log-in page
was on each departmental Intranet home page.
- Make business continuity training a part of new employee orientation.
- Provide tours of your recovery location to employees.
- Host a BCP event. For example, one large financial services company holds an annual BCP
conference to which they invite their own employees from all over the world. At this
conference, they have vendors, give-aways and provide informative and timely information
about BCP.

The bottom line is that business continuity managers have to make participation in the
planning effort fun and rewarding for everyone involved. As is often the case, if there is
nothing in it for them, they won't want to help you. But if participation means increased job
satisfaction, prospects or recognition, others will be eager to lend a hand.

About the Author

Karen Donoughe is a business continuity consultant for Strohl Systems. She
joined the Strohl Systems Consulting team after working over five years as a
Product Specialist at Strohl. She is a certified business continuity planner with
over eight years of experience in the field. She can be reached at
kdonoughe@strohlsystems.com.

Survey Says: Best Practices for Business Continuity and Crisis Communications

Over half of the respondents to a recent survey feel that their business continuity plan could
not withstand wide-scale communications failures in the event of a large regional disaster.
But the news is better for organizations that use an automated emergency notification system.
Sixty-eight percent of the survey participants who use an emergency notification system said
their organization could withstand a wide-spread communications failure, while only 43
percent of those who do not use one thought they could recover effectively following a
Katrina-like event.

Overall, fifty-two percent of the 669 business continuity planning (BCP) professionals who participated
in the jointly conducted Strohl Systems and CPM-Global Assurance survey said they didn't think their
plan would hold up in the event of communications failures, while 48 percent thought their plan would
work despite those possible outages.

"Having stable communications is vital to the success of a business continuity plan," said Brian Turley,
President of Strohl Systems. "After Hurricane Katrina struck the Gulf Coast, we all saw first-hand how
recovery can be hampered by a lack of effective communications. Following each and every disaster,
we always hear about that one means of communications that worked all the way through. After 9/11 it
was Blackberries and after Katrina and the London subway bombings it was SMS text messaging. The
key is to diversify your communications strategy. You can't just rely on one or two means of
communications to get your message out. Today, you need five, six, seven, or more ways to
communicate."

Approximately 25 percent of the survey participants said they use an emergency notification system,
27 percent said they plan to explore purchasing one and 48 percent said they do not use an
emergency notification system.

"Clearly, organizations who use an emergency notification system are much more confident in their
ability to carry out their business continuity plan if they experience a regional disaster," said Turley.

The survey also revealed other interesting facts about how organizations view BCP and crisis
communications post-Katrina. Some of the findings included:

- 67 percent have reviewed their organization's BCP emergency notification procedures since
Hurricane Katrina struck;
- 84 percent of the BCP professionals said their organization has a plan in place to contact
employees prior to known disasters (hurricanes, winter storms, etc.);
- Only 37 percent of the respondents indicated that they have reviewed their communication
providers' business continuity plans. Of those who have, 60 percent thought their plan could
withstand a regional communications outage. Of the 63 percent who haven't reviewed their
communication vendors' plans, only 42 percent thought their plan would work in the event of a
wide-scale outage; and
- 54 percent of the respondents have tested their call tree in the last six months, 25 percent in
the last month alone. Another 13 percent have tested their call tree some time in the past year,
eight percent last tested their call tree over one year ago and 25 percent have never tested
their call tree.

"Organizations that take business continuity seriously plan on a comprehensive basis," said Turley.
"Effective business continuity planning programs plan for the possibility that communications may be
sporadic at best. These organizations take the time to evaluate and purchase an emergency
notification system, review their communications providers' business continuity plans
and test their call trees."

Further results of the survey can be found at http://www.strohlsystems.com.

A Healthy Business Continuity Plan

The role of BCP in the Healthcare Industry

By Jennifer Lewis

What would happen if you woke up at 2 a.m. with chest pains but the area hospitals were closed due
to a smallpox outbreak? What would happen if you couldn't get lifesaving blood work because the labs
couldn't process the results or your health insurance provider couldn't process the authorization? What
would happen if you were scheduled for surgery but the computer network containing your patient
records was down due to a computer virus?

These are just a few of the scenarios that keep business continuity planners at hospitals and
healthcare organizations across the country up at night and focused on the task at hand. Healthcare is
the one thing you hope you will never need, but when the time comes, the availability of healthcare in
this country is often taken for granted. Business continuity planning (BCP) professionals in the
healthcare industry want to keep it that way.

The Heart of the Matter

At the heart of every hospital is the basic desire to care for the sick and injured who walk through the
door. To do this, every hospital must be prepared to assist the public regardless of the circumstances.
Though a hospital is essentially a business, in a disaster the primary focus lies in providing lifesaving
care rather than keeping an eye on the bottom line. This fact is the backbone of every health
organization's BCP.

"When initiating business continuity into a health system, you must keep in mind that patients are
number one. You have to understand that," says Kathy Lee Patterson, Disaster Recovery Specialist for
Affiliated Computer Services, the nationwide corporation that oversees Information Technology for
numerous hospitals throughout the country including the University of Pennsylvania Health System.

Patterson goes on to explain that this focus on patients extends to all aspects of continuity planning.
"When you are conducting a business impact analysis and interviews, you need to talk to the clinicians
in terms of patients and patient care instead of clients or customers, or you are going to turn them off
quickly," she says. "You can't just talk to them with the typical DR/BCP language speaking only of
business processes or profits and losses. Patients are the first priority to the clinical staff, so you have
to listen carefully to their concerns and speak to them from a patient caring aspect in order to obtain
operational and financial impacts."

Angela Devlen, Team Lead of Corporate Disaster Recovery Planning for Boston-based Partners
HealthCare, which includes Brigham and Women's/Faulkner Hospitals, Dana-Farber/Partners
CancerCare, and Massachusetts General Hospital, came to BCP in 1995. Prior to that, Devlen worked
as an Emergency Medical Technician (EMT) in ambulances and emergency rooms throughout
Canada. While an EMT, Devlen took part in the mass casualty disaster planning drills as required by
the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO). This regulation
dictates that all hospitals must "have an emergency management program so that patient care can be
continued effectively in the event of a disaster."

"My background helps me in the day-to-day communication with the clinical staff," says Devlen. "I have
enough of a fundamental medical background that I find I have a better understanding of a specific
department's needs."

Not every BCP professional in the healthcare industry has a history of working in trauma centers or
emergency rooms. Skip Skivington worked in several of Kaiser Permanente's medical centers as an
environmental health and safety director before becoming Department Director of Healthcare
Continuity for the entire enterprise. Currently, his job responsibilities include creating in excess of
30,000 plans that cover every one of Kaiser Permanente's departments and business units. "As the
nation's largest not-for-profit health maintenance organization serving more than 8 million people in
nine states, these plans contain the means and methods for the continuation of healthcare for both the
patients and the communities we serve."

Skivington explains that serving the local community is central in Kaiser Permanente's social mission.
"We have a strong belief that we're not just a healthcare provider but that we have to give back to the
communities we serve. In the past we have spearheaded a large number of outreach and involvement
programs in addition to providing medical services to the communities."

The importance of supporting the local community was recently emphasized when President Bush
signed a $4.6-billion bill requiring public health organizations to bolster their ability to respond to a
terrorist attack. Health facilities are now mandated to have bioterror advisory committees that review
potential risks and create failsafe emergency restoration plans.

The Technology Factor

If patients and the local community are number one, then technology
is a close second in the healthcare industry. In just the past five to
seven years, hospitals and clinicians have become considerably
more dependent on computer systems to assist with the daily business operations. This presents both
an opportunity and a challenge to business continuity planners.

In many cases, the increased reliance on computers has been the driving force behind the creation of
comprehensive BCP plans within hospitals. For hospitals operating during a regional disaster,
continuity of operations becomes even more critical because the patient load increases dramatically.
Therefore, it is important that the technical infrastructure and critical applications the clinicians rely on
to deliver service are uninterrupted. In 1996, the Health Insurance Portability and Accountability Act
(HIPAA) was created requiring healthcare organizations to produce documented recovery plans for all
computer systems, software applications, and advanced medical technology.

"When selling senior management of a hospital on incorporating BCP into their mission, I always hope
that there are some clinicians in the conference room," says Affiliated Computer Services' Patterson. "I
ask them what they would do if they didn't have those systems for an extended period of time, and all
of the sudden they realize that they couldn't enter patient menu requests electronically, couldn't
schedule appointments electronically, the pharmacy couldn't dispense drugs as efficiently, they
couldn't see x-rays as easily, or get blood results as quickly. And that's just the beginning. Once you
get the clinicians thinking about how their patient care is related to computers, you'll have their
undivided attention and support."

"However, unlike a typical business entity, different hospital departments may work on separate
computer networks or systems. In many cases, departments will purchase their own equipment
without informing Information System management or the business continuity planners. These
systems, therefore, are not backed up by Information Systems nor incorporated into the Information
Systems' BCP. These independent systems and applications may be extremely critical to the
department's mission and would be revealed upon performing a BIA," explains Patterson.

Multiple computer systems aren't the only technology BCP professionals must take into consideration.
Hospitals rely daily on a multitude of highly specialized equipment, from bone density scanners to
electrocardiogram machines, all of which business continuity planners must take into account.

"Technology is helping to drive this industry," says Skivington of Kaiser Permanente. "Everyone wants
more advanced technological procedures because that equates to living longer, better lives. As
consumers, we're driving that technological need. But being on the other side trying to plan for that is
incredibly complex."

The Start of a Healthy Plan

Determining risks in an organization that has hundreds of unique departments, thousands of
employees, and countless patients and visitors in the facility at any one time is no easy task.

"At Kaiser Permanente we've developed three tiers of potential risks," explains Skivington. "At the
uppermost level we look at the overall risk of something like a bioterrorism attack that will affect the
entire nation. Then we evaluate our risks by region. Finally, we look at it from a local perspective which
includes the department level through a business impact analysis."

Patterson says that she prefers to start the BCP process for every hospital she works with by
conducting a business impact analysis. "A BIA is one of the best tools for uncovering risks, impacts
and critical applications because important dependencies will be revealed once you start asking
questions," she says. "It is also an excellent method of initiating the training and awareness process
within the hospital regarding BCP."

While healthcare organizations and typical business corporations use many of the same BCP
methodologies to determine and mitigate risk, there is a slightly different twist in the healthcare
industry. Unless a BCP professional starts pulling up patient records to learn the exact cost of specific
procedures for every individual, it is almost impossible to ascertain the financial impact of a
department being down. More important is how that department's unavailability is going to impact
patient care.

Many BCP professionals integrate a walk-through into the BIA process to determine which
departments have documented work-around procedures that explain how to continue providing care
without computers, telephones, or vital medical machines. Some departments like the Emergency
Room typically have comprehensive, up-to-date work-around procedures in place because of the
numerous walk-ins, drive-ins, and ambulances arriving at their door every day. A department without
work-around procedures could potentially disrupt patient care throughout the hospital. For example, a
laboratory that is responsible for providing results to key departments could easily disrupt hospital
operations if its computers go down and there are no documented work-around procedures.

The Price of Planning

Even though hospitals and senior management within the hospitals have long been focused on
contingency planning, finding the money to support a continuity program is a tough task. According to a
joint survey conducted by Contingency Planning & Management magazine and Strohl Systems, a
provider of business continuity software and services, 46 percent of hospitals spend between
$100,000 and $500,000 per year on business continuity planning. Frequently the team responsible
for developing and updating the plans is significantly smaller than those found in other industries. The
same survey indicates that two-thirds of hospitals and healthcare organizations employ fewer than 10
full-time BCP professionals and only three percent have more than 50 planners on staff. In contrast, 50
percent of companies across all industries have more than 10 full-time planners, 18 percent of which
employ more than 50 planners.

According to Bill Rider, Manager of Data Security and Disaster Recovery at Johns Hopkins Hospital,
his organization has always been seriously committed to BCP. Even with this commitment, Rider, who
has 17 years of disaster recovery planning experience, says that he is always interested in garnering
even more support from all areas of the hospital. One way he accomplishes this is by starting small
and publicizing the results as he goes to create awareness about the program. "What happens is that
as you do work on the plans and communicate out your results, it becomes easier to look for funding
and support," Rider says.

Running Tests

Assessing and compiling the data from a completed BIA into a plan can be a complicated process due
to the size and complexity of healthcare organizations. Most large organizations today use automated
BCP software to assist with the organization of information into a sound plan. This type of software is
designed by top BCP experts and can reduce the amount of time and money required to build and
maintain plans, making it especially useful for organizations with limited resources to dedicate to BCP.

With business continuity plans in place, the next step is testing the plans. Fortunately, in the
healthcare industry, testing is nothing new. To be in accordance with JCAHO, hospitals must conduct
disaster drills a minimum of twice a year. Some organizations, like Kaiser Permanente, are planning on
incorporating their BCP tests into those existing bi-annual tests. Other organizations perform tests
during documented down times or planned events like a scheduled power shutdown.

"We're taking a crawl, walk, run approach," says Johns Hopkins' Rider. "We started with a very
basic eight-hour hotsite test. The next test was 16 hours and we restored a few applications and fine-
tuned a few results. The most recent test was 24 hours long and we were able to successfully bring up
several clinical applications and re-establish our network connection."

While that was going on, Rider also developed a contingency plan in the event that Johns Hopkins'
data center had to be evacuated but not shut down in order to address things like biochemical alerts.
"We recognize the need for continued service and the currency of data so we created an alternate
operations support center, a dark site, so that we can operate our data center remotely," he says.
"Now we're looking at the possibility of mirroring and journaling to create localized redundant systems
to help improve our recovery point objectives."

Insuring Against the Worst

According to the US Industry and Trade Outlook, more than 85 percent of employed adults in America
rely on some form of health insurance to assist with medical expenses. This reliance makes BCP as
important for healthcare insurance companies as it is for hospitals.

"People want to make sure that the company insuring their health is going to be there when they need
the help," says Jerald Ness, Corporate Data Security and Business Continuity Planner for Wellmark
Blue Cross and Blue Shield, the largest provider of health insurance in Iowa and South Dakota.
"Healthcare is one of the most important things to each and every one of us. People want to make
sure they don't have any issues regarding their health insurance. We can't afford to let our customers
down."

Ness made the jump from audit services to business continuity planning more than 10 years ago
because of the need he saw within the company. Shortly after he began work on the company's plans,
Wellmark's corporate headquarters in Des Moines, Iowa was hit by heavy rainfall and floodwaters.
Local rivers crested to 28 feet above normal and the city was left without safe drinking water. Though
at that time many of the detailed plans weren't yet written, Wellmark was able to provide uninterrupted
service to their customers because they had taken the time to sit down and conceptualize what they
would do in an emergency. The flooding disaster only intensified Wellmark's commitment to solid
business continuity planning.

The New World Order

Although hospitals and health insurance companies across the country were already working on
continuity plans in accordance with JCAHO and HIPAA, the events of September 11 and the ensuing
anthrax attacks highlighted the importance of business continuity planning for the healthcare industry.
Since then, there has been increased pressure to ensure that hospitals can withstand any attack,
emergency, or disaster.

In the last year, Rider indicates that he has seen a significant increase in interest in how he is planning
for the uninterrupted continuity of service for Johns Hopkins. In fact, Rider says that two other
hospitals within the Johns Hopkins organization have approached him for more information about
building comprehensive BCP programs for their facilities.

"I think that there is just now beginning to be a recognition in the healthcare industry that there need
to be BCP/DR plans for every department in the enterprise," Rider says. "It's a new and exciting
evolution in both the healthcare and disaster recovery industries and I think we're just at the tip of this
iceberg."

Consultant's Corner: BCP and Insurance Impacts

Over the last several years, one observed trend in the business continuity planning (BCP) field is the
increased interaction with the risk management practice. This makes sense from a variety of
viewpoints. One key area is that both risk management and BCP efforts must be enterprise-wide. They
must be able to break down business silos in order to properly ascertain exposures, reduce risk,
obtain a fair price for protection (whether insurance or hot sites, record storage, etc.) and determine
enterprise continuity direction.

Another area where both risk management and business continuity can have a quantifiable synergy in
reducing both risk exposures and cost to the organization is in impacting commercial insurance costs.
While there may not be direct insurance credit, effective risk assessments and continuity strategies
can reduce the need for business interruption coverage limits. These could be reduced as recovery
time is reduced.

Several real-life examples highlight potential areas where developing effective continuity strategies
can impact and reduce insurance coverage.

Reducing Recovery Time to Reduce Insurance

The site of the first anthrax attack in 2001 on the former American Media, Inc. building in Boca Raton,
Florida was still going through decontamination as of June 2005. If their mail handling had been done
in a separate facility, their main operation may have continued operations uninterrupted.

Mail handling procedures became a big issue in the United States shortly after the anthrax scares.
Many organizations conducted training sessions, provided dust masks and gloves or installed
expensive mail handling equipment. While these steps may have provided some protection to
employees, the key was segregating the potential exposure.

One organization had their mailroom located in their main operational computer room that housed over
400 servers. The potential business interruption and recovery costs caused by a mail bomb or anthrax
letter in their mailroom were considered unacceptable. It was recommended that the mailroom be
relocated. The organization made the decision to build a separate building just for handling mail.

Another organization, a gaming company, offered several areas that impact insurance coverage.
Because of the nature of the industry and of the company itself, several unique strategies were
developed.

In concert with the company's slot machine engineering staff, it was recommended that the company
develop a SWAT-type emergency team. This would consist of a team of cross-state licensed slot
engineers (currently, only those residing in a certain state can work on slot machines in those states).
By having multi-state capable engineers, the company could significantly shorten their recovery time
(particularly if engineers are lost in the event).

The BIA findings also pointed out that the time to replace slot machines was unacceptable. It would
take at least six months to a year for machines to be built, delivered and state certified. It was
recommended that a slot warehouse of at least 500 machines be developed instead of instantly
reselling them on the open market. This would allow the locations to maintain operations and at least
some income even if they lost all of their slots in a disaster.

A third unique area involved facility security. State regulations require that gaming operations must
have security cameras and video recording capabilities in place and functional before gaming can
open for the day. The BIA indicated that all locations used different types of security cameras and
replacement time could be several months. It was recommended that, because several locations were
considering replacing either their cameras or video recording equipment, all locations should use
the same brand of equipment and that the replaced equipment be kept in a warehouse for possible
use in the future. Each location should also order at least a handful of extra new cameras that might
be able to be shared with the other locations in a disaster mode.

D&O Coverage and Marketing to Insurers

Effective continuity plans may also have an impact on Directors and Officers (D&O) coverage. Risk
managers often must present the results of their insurance coverage renewal to their board. They are
often being asked to give an overview of the organization's business continuity status and initiatives at
that time. It provides an excellent forum to show how BCP can impact insurance costs.

Still another way to potentially reduce premiums via excellent risk management and business
continuity programs is to market those efforts to current and prospective insurers. Coverage and
pricing can be a reflection of those carriers' underwriting personality.

Some may be very conservative and may not place much emphasis on those efforts. Others may
emphasize only physical controls. During the renewal process, presentation of your risk management
and continuity efforts should be highlighted. This should include the steps in risk assessment and
mitigation plus your continuity strategies and thinking. Making a good match with a progressive and
flexible carrier can result in considerable premium savings.

While there may not be a formal insurance premium credit for business continuity, it is a part
of an underwriter's evaluation of the overall management. If a risk has a documented plan, it
becomes part of the underwriter's justification for applying additional credits, using a deviated
company or providing coverage enhancements.

About the Author

Al Sawchak, CBCP, ARM, ALCM is a senior consultant with Strohl Systems. He has over 15
years' experience in BCP with extensive international, insurance-industry and risk management
consulting experience including claim management, data warehouse systems and loss control.
He can be reached at asawchak@strohlsystems.com.

Survey: Best Practices for Business Continuity and Crisis Communications

Do you use an automated emergency notification system to contact employees, vendors, or
customers?

In the wake of Hurricane Katrina, have you reviewed your organization's BCP emergency
notification procedures?

Do you have a plan in place to contact employees prior to a known disaster (i.e. hurricane,
winter storm, etc.)?

If your organization was to experience a regional disaster, do you feel your plan would be able
to withstand wide-scale communication failures?

Have you reviewed your communication providers' business continuity plans?

When was the last time you tested your call tree?

Charts (2005): responses on whether the plan would withstand wide-scale communication failures in
a regional disaster, cross-tabulated against use of an automated emergency notification system and
against review of communication providers' business continuity plans.

http://www.recoverychronicles.com/mediapr/enewsletter/december2005/477/article.asp

Recovery Time Objectives: A Critical BCP Component

Dennis Oldham, CBCP

What is a Recovery Time Objective (RTO) and why is it important to the business continuity planning
process?

An RTO is the length of time from the moment of interruption until the time the process must be
functioning at a service level sufficient to limit financial and operational impacts to an acceptable level.
A realistic RTO enables the planner to set recovery priorities based on business needs and
justifications, NOT emotions or opinions. Continuity or recovery strategies based on realistic RTOs
tend to be much more cost-effective than those based on estimates or guesses.

When defining an RTO, there are three important questions to be answered for each process (or for
example, a business function or computer application system) to be recovered:

1. How long can the process be down before the organization begins to incur financial and
operational impacts that may threaten its stability?

2. What is the minimum level of service required initially? In other words, when the process
comes back up, does it absolutely have to be at normal service levels or can it be brought up
to some lesser level for the first few days? In most cases, a level of service that limits (not
eliminates) financial and operational impacts is acceptable for initial recovery. This is referred
to as a sustaining level of service.

3. How long will it take to bring the process up to the initial level of service at the recovery site
once recovery starts?

Adding up these three timeframes gives the planner the process RTO.

How do you determine each of those timeframes?

A Business Impact Analysis (BIA) can supply the information needed to define the length of time the
organization can operate without the information or services provided by the process. The BIA can
measure the magnitude of financial and operational impacts, when they begin and how rapidly they
escalate, interdependences on other processes, etc.

Owners of the process should be able to define the minimum level of service that can sustain the
organization initially. The BIA can also gather this type of data. Also, owners of the process will be able
to estimate how long it will take to bring the process back up to the sustaining level. Again, the BIA
can gather this information. Then, estimate the costs for providing recovery of the process in the
timeframe specified by the RTO. Senior Management should review and concur with the RTO for each
process and its associated recovery costs.
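The RTO procedure above (three questions per process, summed into an RTO, then prioritised and reviewed) as a small worked example. This is added code, not from the article or from Strohl Systems. It follows the article's additive RTO definition and adds two things the article only implies: the interdependency data a BIA collects is used to tighten an upstream process's RTO to that of anything depending on it, and a process whose restore time alone exceeds its tolerable downtime is flagged so that its recovery strategy (or sustaining level) can be renegotiated with the owners before Senior Management signs off. All process names and hours are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BiaRecord:
    """One recoverable process as captured by a BIA survey.

    The fields mirror the article's three RTO questions:
    tolerable_downtime_h (Q1), sustaining_level_pct (Q2) and
    restore_time_h (Q3: time to reach the sustaining level at the
    recovery site). depends_on is an assumption added here: names of
    other processes this one cannot operate without.
    """
    name: str
    tolerable_downtime_h: float
    sustaining_level_pct: int
    restore_time_h: float
    depends_on: List[str] = field(default_factory=list)


def process_rto(rec: BiaRecord) -> float:
    """RTO as the article defines it: tolerable downtime plus restore time."""
    return rec.tolerable_downtime_h + rec.restore_time_h


def effective_rtos(records: List[BiaRecord]) -> Dict[str, float]:
    """Tighten RTOs so a process is recovered no later than any process
    that depends on it (assumption added here, using the interdependency
    data the article says a BIA should gather)."""
    rto = {r.name: process_rto(r) for r in records}
    changed = True
    while changed:  # values only ever decrease, so this terminates
        changed = False
        for r in records:
            for upstream in r.depends_on:
                if upstream not in rto:
                    raise ValueError(f"{r.name} depends on unknown process {upstream}")
                if rto[upstream] > rto[r.name]:
                    rto[upstream] = rto[r.name]
                    changed = True
    return rto


def recovery_priorities(records: List[BiaRecord]) -> List[Tuple[str, float]]:
    """Recovery order: shortest effective RTO first, ties kept in survey order."""
    rto = effective_rtos(records)
    return sorted(((r.name, rto[r.name]) for r in records), key=lambda x: x[1])


def infeasible_strategies(records: List[BiaRecord]) -> List[str]:
    """Processes whose restore time exceeds the tolerable downtime: the current
    strategy cannot meet the business need, so either a faster strategy is costed
    or the owners accept a lower sustaining level (check added here)."""
    return [r.name for r in records if r.restore_time_h > r.tolerable_downtime_h]


# Constructed sample BIA data for a hospital; not figures from the article.
SAMPLE_BIA = [
    BiaRecord("lab_results", 4, 60, 4, depends_on=["network"]),
    BiaRecord("pharmacy", 8, 70, 8, depends_on=["network"]),
    BiaRecord("scheduling", 24, 50, 16, depends_on=["network"]),
    BiaRecord("network", 24, 100, 8),
    BiaRecord("imaging", 12, 80, 20, depends_on=["network"]),
]

if __name__ == "__main__":
    for name, hours in recovery_priorities(SAMPLE_BIA):
        print(f"{name:12s} effective RTO {hours:5.1f} h")
    print("strategies that cannot meet the business need:", infeasible_strategies(SAMPLE_BIA))
```

In the sample, the network's own RTO (24 + 8 = 32 hours) is pulled down to 8 hours because lab results depend on it, which is the kind of dependency the BIA walk-through is meant to surface; imaging is flagged because 20 hours to restore cannot satisfy a 12-hour tolerance whatever the sum says.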

More information about BIA Professional can be found here or by contacting Strohl Systems at
800 634-2016 or at info@strohlsystems.com.

Consultant's Corner: A BCP Survival Guide to Mergers and Acquisitions

For survivors of the 1990s, the words "mergers and acquisitions" still bring about a feeling of dread.
They may not be as prevalent today, but they still cause a fair amount of uncertainty.
The result is often less staff, which means more work will be required of fewer people to accomplish
the same number of tasks. Business continuity planners, who are not revenue generators for
organizations, are often very vulnerable. But unfortunately, during these times of intense change,
organizations too are often very vulnerable to business disruptions. With all of this change, how can a
planner ensure that their revamped organization is properly protected?

Continuing the Continuity

Changes to the operational environment will surely follow the merger. There will also be changes to
the organizational structure and possibly the physical environment, meaning there will be new
processes to protect. But before new plans can be built, the current continuity plans will need to be
supported for some time after the merger is accomplished.

Logically, any reduced staffing related to business continuity planning should be delayed until the new
plans are completed. In fact, the normal fall-out and staff turnover that occurs during this period
creates a new challenge just to retain and support the necessary skill levels to maintain the status quo
for the existing BCP programs.

If no acceptable plan existed for one or both components of the merger, then an interim strategy must
be developed and implemented until a long-term solution can be developed and tested. Start with a
business impact analysis (BIA) to determine the minimum survival requirements of the organization
and use that information to develop the strategies for a minimum plan.

If plans do exist for both of the merged entities, the process of combining the two plans should also
begin with a BIA to determine the plans' adequacy for the new entity. Remember to keep an open mind
when reviewing any existing recovery strategy. Any plan that is documented and tested is better than
no plan at all.

Moving Forward

One of the key considerations in the initial plan review should be to determine the contractual
obligations for the existing recovery resources and the remaining term or expiration dates of existing
vendor contracts. Make sure that there are no automatic renewal clauses that might extend the
contracts beyond the time that is needed for review, creation, and implementation of new contingency
or recovery strategies. If the timing is critical, document the fact that new planning and analysis is
underway and put the vendors on notice that no automatic renewals will be honored beyond existing
obligations until the process is complete.

After completing the review of existing plans, create a project plan for the effort required to sustain and
support the existing plans for the duration of their expected lifecycle. Be sure to document the time,
resources, and costs that will be required to bring the plans to acceptable levels.

Survey the merged operations to determine the business impact of a disruption to their individual
business functions. If the results of a previous BIA exist from the pre-merger period, redistribute the
previous survey to the business units and request that the managers of the business units update their
information to reflect the current organizational structure.

Prior to distribution of the BIA survey questionnaire, assure that the design of the survey is sufficient to
determine all relevant and critical information associated with the business impact analysis phase of
business continuity planning.

Making the Pitch

Utilize the results of the BIA to document and present to senior management the exposures to the
newly created organization from both a financial and operational perspective. Because image and
branding will be a major concern to the new organization, do not forget to stress the customer service
and uninterrupted product delivery aspects of the merged operations. From all the alternatives
available for business continuity and recovery, select the most appropriate (meaning those that
support the required recovery time-frame) and investigate the cost of implementation to assure
survival of the new organization at acceptable service levels.

Submit the BIA and associated recommended strategies to senior management for budget approvals.
Be prepared to compromise and negotiate when necessary based on the response to your request.
After all, improved profitability was probably the genesis of the merger from the outset.

About the Author

Don Hughey, a Senior Consultant with Strohl Systems, has over 25 years' experience in the business
continuity planning industry. He specializes in crisis planning and recovery for the banking industry and
is a national authority on alternate sites. A certified business continuity planner (CBCP), his industry
experience includes banking, communications, securities trading and brokerages, government, health
care, insurance, manufacturing, mortgage banking, retail, transportation, warehousing and distribution,
petrochemical, and various high-technology products and services. He can be reached at
dhughey@strohlsystems.com.
