Disaster recovery and business continuity plans are based on evolving technologies and, like the dinosaurs, some aspects of these plans will become extinct. We can dissect a comprehensive BC/DR program into separate categories — process, technology and communications — to discover those areas that have become dinosaurs and thus, to a large degree, extinct ways of thinking.
As a long-time business continuity professional and self-professed “disaster geek,” I’m intrigued by the way documentaries on the Discovery and History channels often tie into business continuity ideas. One evening I happened upon a documentary that explored the issue of the dinosaurs’ extinction, and it occurred to me: What if they were wiped out in the catastrophic flood for which Noah built his ark? What if Noah made a decision that the dinosaurs were just too big to fit in the boat and the concern for their care and feeding became a reason to look at other solutions?
Maybe he reasoned that there were similar, smaller species that were less of a drain on space and resources. For example, perhaps he decided to save the dove in place of the pterodactyl; both were flying mammals, but one was certainly easier to maintain. As well, this move allowed more room for critical species which served a definitive purpose — the cow, for example.
Yet was his decision to implement such a severe solution worth wiping out an entire species?
This led me to think about processes and technologies many of us in the field of business continuity use today. How many dinosaurs do we encounter and battle on a day-to-day basis? How do we produce optimal solutions with limited space and capacity priorities? Perhaps most challenging, how do we handle immediate decisions regarding process and tools while maintaining a broad, consistent vision that can efficiently and effectively incorporate the outcomes that result from these decisions?
The more I thought about it, the more I was struck by the number of dinosaurs that lurk in so many of our industry’s programs. At one time many of these programs may have been considered cutting edge or best practice, but how often have they been revised and updated? Have the programs kept up with the way a particular company has changed? What about technologies that were not in place initially, but are now readily available and can be incorporated?
It’s notable that the fields of disaster recovery (DR) and business continuity are both based on evolving technologies. So, like the dinosaurs, will some aspects of DR and BC programs soon simply become extinct? Indeed, one can dissect a comprehensive BC/DR program into separate categories like process, technology and communications to discover those areas that have become dinosaurs and thus, to a large degree, extinct ways of thinking.
A key strength many business continuity professionals tend to demonstrate is the ability to create repeatable process. This is utilized when conducting business impact assessments (BIA), risk assessments (RA), continuity strategy and plan development, and even incident response and crisis management. Because many companies have had to trim operational costs and cut back in recent years, this could be a perfect opportunity to look at cumbersome, redundant or outdated process areas that might hamper your ability to fully assess a company’s capability to continue operations.
For example, what type of process and guidelines do your BIA reviews cover? Have you considered the following:
- How are you alerted or informed of new processes, procedures and technologies that the company is using from year to year?
- Are the impacts utilized in BIA updates current with company risks, priorities, acceptable “downtime” (e.g. two hours) or legal/financial changes in the industry?
- If you utilize a tool or vendor to support your efforts, have you confirmed that they too are up-to-date?
- Is the manner in which the BIA is conducted current? Have you taken full advantage of the approach? For instance, if a particular group or company is completing a BIA or RA for the first time then it will likely be necessary for you to spend a great deal of energy educating them to ensure you are getting robust and accurate information. However, if the process has been completed a number of times, it may be time to streamline it by asking yourself, “Are there aspects that could be automated? Could the process owners take ownership of the BIA and provide the results back to the BC department for review, making it more of an automated, hands-off procedure?”
Crisis management is another process area ripe with opportunity for improvement in many organizations. I recently attended a series of meetings to discuss crisis and emergency management, and one of the key topics was public-private partnerships in a crisis response. This debate is continuing to evolve as a concept of “old school versus new school,” and was demonstrated beautifully in an exchange between two participants, Sally and Ed (not their real names), who were discussing the need to work together. During their discussion, the topic of communication and event response arose, and quickly shifted to the space constraints and location of an emergency operations center (EOC) in proximity to Ed’s business.
Sally was a huge proponent of using the EOC as the best means to respond as a team with the expectation that everyone would handle the response in person. Ed explained to Sally that he would not likely be heading anywhere in a disaster event as he was well-prepared to mange the crisis at his business using many of the technologies they both had available to them: webinar, LiveMeeting, telecom, Facebook and Twitter.
Sally’s response was, “I won’t use webinars in an event because nobody pays attention and, besides, they are all checking email or focusing on other things. Face-to-face is our plan.” Ed then asked Sally if she expected him to support a response, to which she replied, “yes.”
“Then,” Ed said, “you had better learn how to use webinar effectively.”
This interaction illustrates that one can get overly comfortable with the known at the expense of tremendously beneficial and increasingly common new technologies. Indeed, we as continuity professionals need to have a clear understanding of social media and the other common communicative techniques those who we are serving use and how we can adapt our practices to them. Of course, there is an absolute need for a traditional EOC and equipment. But with the amount of business travel many companies now require of their employees, the expanse of regional and international territory they operate in, and a proliferation of alternate work arrangements like telecommuting, it is critical to take a look at whether current process and protocol address all these emerging needs.
The same concept can be applied to the business continuity plan. For years we have all repeated the mantra of “one copy on your computer, a copy at home and a hard copy of your plan with you at all times.” I am still a firm believer in that mantra, but my questions to the BC community are, “Does your approach include the ability to have that plan on a Smartphone in some secure fashion? Is it contained somewhere on a hosted site that could be accessed via intranet if the company was having issues?”
Once again, the focus should be on weeding out the dinosaurs of concept and practice so as to repurpose to new, streamlined methods.
Technology changes so fast these days; it can be an arduous challenge to keep up with the latest tools, systems and options that are available. Not everyone engaged in continuity planning has a thorough knowledge of technologies that could be leveraged to best safeguard the company, yet they are often tasked with determining solutions. It is critical in today’s environment that the BC professional find options and methods that resonate with them and their environment.
One option that is increasingly popular these days is “cloud computing.” Not only does this option buttress the company’s processes through off-site hosting of information, but it also provides an opportunity for businesses to stop expending funds and personnel time in procuring hardware and licensing, and completing upgrades, maintenance and repairs.
The continuity professional should stop and consider this question: How much longer will companies continue to fund or operate their physical infrastructure as this technology grows and becomes a more effective way to manage IT infrastructure? Are you ready to be proactive instead of reactive to this trend?
Another common and persistent area of dinosaur technology is legacy systems. In some disturbing cases, they are being utilized for critical processes, yet these systems are often no longer sold or supported or even compatible with the new technology coming into the organization. The BC professional has a duty to dig for these dinosaurs and uncover where there may be a critical function or process running on equipment that is no longer manufactured, with spare or replacement parts hard to find. Once discovered, one should have a thorough business case in place for management so that they not only understand the price tag to potential solutions, but the overall risk of not pursuing a solution.
As a continuity professional, have you taken the time to fully understand what new technology/solutions exist or are you still locked into hot-site/cold-site options? If you were to meet with your DR partners, could you fully engage them in conversations around strategy options and how IT recovery decisions impact continuity of business operations?
Today’s consumer expectations for seamless delivery are far more demanding than ever before, requiring that both the business continuity and disaster recovery teams understand how their decisions impact each other. For instance, if you, as a business continuity professional, have always communicated internally that your critical systems or processes could be down for the standard 72-hour window before your company experienced notable impact, it is not likely that the disaster recovery teams have assigned much priority to the task of recovering the systems in a quick and urgent manner.
As well, if the business then decides to make a change to customer processing in order to better compete — say, for example, they introduce a 24/7 web presence for customers to place orders — when and how is that communicated, both to and between each of the DR partners? There are many options in today’s current environment that allow for a cost-effective, fully redundant solution regardless of the size or type of business you have — if you know what they are.
Communication options continue to explode all around us. Several years ago, emergency communication tools consisted primarily of a pager, a quarter for the pay phone and a paper call-tree that was carried in a wallet. Much like the conversation I described earlier between Sally and Ed, the primary tools that are presently used to communicate in a crisis or notify employees are vastly different than even a couple of years ago. We witnessed this first-hand during the tragic events that befell Japan in 2011. The number of people who used social media like Facebook and Twitter proved that not only are these tools extremely efficient and effective, but they allowed for much quicker and successful communication than some strategies many of us still have in place. In fact, most, if not all, of the public sector sites have moved to providing updates via Twitter and Facebook, allowing anyone to have current information right at their fingertips.
I am certainly not saying that media outlets like television or radio are dinosaurs — to the contrary, we need to get our information from every source we can during an on-going crisis event. What I am encouraging is that you review the tools you leverage in an event to ensure you have all the current methods and technologies available. Add that Facebook or Twitter account to your toolkit, see what mobile applications might be available and leverage them. If your management balks at this change (remember back in the day when company-wide email access was not available?), help them understand that first-responders, emergency managers, and many other critical sources are all heading down the social media path.
Of course, this is just one area to explore. Other areas may include how you notify teams and employees — are you still using call trees or have you looked at blast notification options? How many employees no longer have land lines, and what happens if the electrical power goes out and the cell towers and internet connections go down? I believe it’s a worthwhile investment for all organizations to take a close look at their current communication, monitoring and information gathering methods and then seek improvement.
Our industry has been around for many years and continues to evolve with the rapidly changing technology. But we must ensure that we keep up; our companies cannot afford to do otherwise. Evolution is not only inevitable, it is necessary to ensure a company prospers and its systems are adequately and appropriately protected. Such protection, though, requires a forward-thinking, proactive continuity professional to guide the way.
I encourage everyone to take a good, hard look at your programs, processes, tools and technology and ask, “Where are my dinosaurs?” Are the current systems and processes I have in place the most effective and efficient means to continue critical business operations? While it may not be practical or sensible to eliminate or address all the gaps you discover, it may spur you to look ahead to new trends and technology so that you too can leverage the new solutions today’s environment provides.