By Allen Johnson
Business continuity consultants have no paper qualifications; there is as yet no formal degree in business continuity management, so choosing a consultant is often a matter of trust and hope. This may lead to the wrong ‘expert’ being chosen and, because business continuity issues are enterprise-wide, the mistaken decision can become very visible. The buyer now finds himself or herself in a precarious situation. On one hand, he/she has spent company money by hiring in an external specialist and, on the other hand, his/her career now hangs by the thin thread of success that the incomer now controls. Get a bad outcome and the external specialist walks; but for the internal organiser, it is not the best ever career move! The end objective of the business continuity consulting project has to be to conduct a successful test, but perhaps you can understand the nervy position of the internal organiser; it is a tricky one to call and far easier NOT to test. Contingency plans count for little if they are untested. This article discusses the issues involved and begins with cases drawn from real life of how to get it wrong…
Case study one
The following is a true story distilled from a recent telephone conversation between myself (AJ) and the Recovery Team Leader (we will call him VT) of a senior management recovery team from a leading London-based financial institution. A minute or two into the phone call, the conversation went like this:
AJ: How did your desktop business continuity exercise go last November for you and the management team?
VT: It was very good. [It later transpires that this was a defensive reply that was untrue.] But I really felt the pressure and just being reminded about it makes me go cold.
AJ: Why is that?
VT: Well, we were given a scenario of a fire with people injured and all over the place and I was in charge of the IMT [incident management team]. As somebody used to a lot of pressure at work, I thought I could deal with this far better than I actually did. The consultant [external] facilitating it was really good though. He stretched us to breaking point and we made quite a few mistakes from which we learned a great deal.
AJ: And what were the main lessons that you learned?
VT: For a start, how difficult it all is. How hard it is dealing with managing a recovery process when faced with business requirements and injuries and death at the same time.
AJ: Pardon me?
VT: Yes. Until about thirty or so minutes from the end, we thought we were doing reasonably well when the consultant introduced a couple of issues that knocked the wind out of our sails. We were suddenly told that two employees had died as a result of injuries sustained in the fire. Their whereabouts was uncertain and their names were not known. That meant our priorities needed to change and much of what we had achieved was undone. I tell you, Allen, it almost derailed the management team.
AJ: And what did this mean to you and your team?
VT: Initially, we were shocked and confused, but eventually, we gathered our thoughts and set about trying to …………etc etc.
AJ: And how did it all end?
VT: We’ll probably do something similar sometime later this year, but I'll want to know a fair bit more about how the exercise is run. I will not have a repeat of the last one.
And lesson no. 1 for VT and his management team? Do not use this consultant ever again!
The first impression from the conversation was that VT volunteered how he ‘felt’ about the exercise and how it affected him. By declaring, "just being reminded about it makes me go cold", he was admitting that the exercise had left a significant and negative impression upon him personally. He was also unable to articulate any message or lesson of genuine worth that came out of the exercise.
Seemingly, as the exercise was on track and the team was making some positive progress, they were ‘ambushed’ by the fatalities issue. Without any experience of such matters, the team ploughed on under the guidance (or do I mean stranglehold?) of the consultant. In reality, however, the authorities would report any fatality and the whereabouts would be known, and possibly the names, unless disfigurement rendered identification initially impossible, in which case it is a mystery how the authorities knew they were employees. Also, as a first exercise of this type for this management team, the issues were unnecessarily complicated for this level. Furthermore, the serious matter of fatalities is everything to do with crisis management and almost nothing to do with business continuity; although I will admit there is a small overlap.
When asked, VT had no recall of the objectives of the exercise nor of the objectives of the consultant. However, in a post-exercise offline conversation, he also learned that his managing director was not best pleased at the outcome. It was reported to him that the MD's concise view was, "It was an [expletive] waste of valuable time". And one now has to wonder how this exercise, organised by VT, has affected the progress of his career. I suspect it has not helped him one iota.
Case study two
This is significantly briefer, but it was a telephone conversation between the business continuity manager of a global enterprise, one of the largest in the world, and yours truly.
BCM: I want to get your advice on testing our management team in using our BCP. We want to give them a real test to see how they perform under pressure.
AJ: What are your objectives for this test? [In his reply, BCM completely ignores the question, and continues…]
BCM: Yes, we want to take all of senior management in a coach and drive them off the road and into a ravine, killing 95 percent of them.
AJ: Pardon me?
BCM: We want to give them a disaster that is of September 11th proportions. We want to really stretch this team…
The only lesson to be gained from this is that this man is dangerous and should not be in charge of a business continuity management programme! Having your coach-partying senior management career off the road and into a ravine beggars belief, particularly as they needed to reincarnate and come back as the principal recovery team. Our BCM is expected to run his exercise as described in the middle of May this year. I suspect he will be without employment by the end of May at the latest.
A third case study had a helicopter crashing into the HQ of a major insurer and spilling its payload of nuclear waste. Completely nuts!
And a fourth was for a large international bank which had its full complement of senior executives being flown to Paris and then ‘shot’ out of the sky by what was described as a seasonal shower of meteorites; no survivors. Unbelievable!
Whilst the intentions in all cases were supposedly well meaning, the execution and objectives in each case had not been well conceived or thought through. The appetite is there, but the planning and doing leave much to be desired. What is alarming is that these people are not as unique in their intentions as one would hope. Several years ago, the managing director of a famous stair lift manufacturing company stopped an exercise held at his south coast factory, where his employees were running amok and unmanaged in an uncoordinated test, some swathed in red stained bandages in a fabricated terrorist attack on his premises, located in the quietude of the Hampshire countryside. It dawned on him, after almost two hours of "playing at this game", that the people who had organised it were utterly clueless, and he had been duped into a test that had collapsed into a mayhem that was costing him valuable production time, as well as loss of face.
Testing plans is a skill that is much underestimated, mostly because it is not often realised that proper objective testing is done as a programme; a logical sequence of structured events that lead to a common goal.
The bulk of exercise scenarios that I encounter orbit around terrorist activity to varying degrees of severity. Whilst there is a modicum of merit in this plot line, there is a far greater threat from the plumber and the disgruntled employee. It is therefore the job of the consultant to use knowledge and skill to devise a scenario that supports the efforts of the exercising team so it may gain the most from the process, rather than concerning its members with the machinations of the authorities, etc.
But exercising and testing plans is, without a doubt, the correct way to go.
Without a proper test, there are no facts to support any belief, either that plans will work, or that people will work, or that critical third party suppliers will work. Equally, such exercises and tests need to be based upon a proven methodology, otherwise they are likely to fail.
Of the more than 130 organisations that we (Scenaris) have guided through contingency tests, a little over 80 percent did not refer to their current plans during the initial stages. This fact is as strange as it is understandable; if people are ignorant of the contents of their plans, then there is no confidence in them; so they behave as if their plans do not exist at all, and default to their own initiative. Furthermore, in the initial stages of a testing programme, senior executives are expected to become expert recovery managers with neither knowledge nor expertise. It is also common that the interests of senior executives are aroused as the testing programme moves into gear. There are several reasons why this is the case, and two in particular. The first is to do with status and the second with ego, and the two are thereby related. Firstly, when testing client organisations, our approach is holistic, so the absence of certain senior executives becomes obvious if their peers are present. Secondly, this is a very high profile process, and many senior executives have a wish to be seen to be in charge; even if the disaster is an imaginary one. They tend to ‘promote’ themselves into impossible positions and then expect operational staff to rescue them. Fortunately for senior executives, the latter also tends to happen.
Getting an organisation to objectively ‘re-boot’ itself from its recovery site, in order to test plans and their respective abilities to use them, is a non-trivial process that requires specialist expertise, which is not readily available. And this is a source of frustration to organisations that need to test, as well as being a risk for the staff member who has responsibility for them, as previously highlighted. In most enterprises we have encountered, there has been a prevailing reluctance to test anything other than the critical technological platforms. Whilst this approach has the merit of testing the technologies upon which the enterprise depends, it does not prepare the major operational functions of the business, and thereby limits the effects of recovery measures.
One way forward is to treat the organisation as a whole and to prepare it accordingly, for to do less would miss the target by enough of a margin to make a serious difference. To this end, those that are nominated as having recovery roles should be examined in most practical aspects of using their plans. By so doing, shortcomings are identified; exercising benefits are brought to plans and recovery teams alike; and the lessons learned are given a valuable context.
The programme must also incorporate those members of the organisation who have no documented role in recovery. Why is this? Because the alternative is to divide the staff population into two distinct groups; those with responsibilities, and those without; and this at a time when circumstances demand unity rather than division. So those without detailed roles in any plans must be told, up front, what is required of them. We have done this with over 9,000 people and the payback has been astonishingly positive.
In conclusion, whilst having contingency plans is both an important investment and a corporate governance matter, knowing how to apply them holistically is fundamental to establishing their worth. Therefore, regular testing should be seen as a prudent measure for all staff, and an overt expression that the organisation takes the matter seriously. Others that should benefit indirectly are customers, shareholders, insurers, auditors, regulators, trading partners, etc. Nothing any organisation ever does will have as much impact and, to do it successfully, you need a methodology that has been proven to be successful, with a track record of its pedigree, delivered by people who know what they are doing.
Allen Johnson, Scenaris Ltd.
• Date: 10th March 2006 • Region: UK/World • Type: Article • Topic: BC testing