Learn Practice Implement Challenge

 

Here at the Erwood Group, we’ve created a new exercise methodology. A new paradigm for the way a business exercises, trains, and prepares for a crisis. It is called Learn, Practice, Implement, Challenge™ – the new exercise methodology to increase your business endurance.

I’m sure you’ve heard the phrase “crawl, walk, run” before, right?

Now, go ahead and tell me what you mean by that exactly, and I bet you’ll have some trouble.

“Crawl, walk, run” is a phrase I commonly hear, especially around exercises. It’s a phrase that I hate. It’s just too vague, overly simplified, and completely nondescriptive, leaving out key details about just how we are supposed to progress through to something bigger and better. Can you tell me what you’re supposed to be trying to achieve?

Of course, you can’t.

That’s why many years ago I came up with the phrase Learn, Practice, Implement, Challenge™ which provides not only the descriptive details but the overarching goal of what we’re trying to accomplish with each stage of our exercise progression.

First and foremost, we have our Learning stage:

Learn

Sounds simple enough. At this stage, we teach our new plan owners and participants what they should be doing. Learning. It is designed to get everyone in the same place. As a team. They learn they have a plan, what is in the plan, where to find the plan, how to update and maintain the plan (and who is responsible for that maintenance), and we go through the plan, especially the strategy section and steps based on the strategies.

At this point we walk the participants through each strategy, asking questions about the strategy validity, any potential for this not to work, dependencies required for the strategy to work, and any additional strategies or sub-strategies we can add.

Next, we walk through each step required to implement the strategies, making sure the details needed are captured and not left too vague. Vague steps make the information impractical at best and unimplementable during a crisis at worst. For instance, if a recovery strategy calls out the reliance on a secondary vendor, that vendor should be called out by name. And then tertiary vendors and so on. Think in terms of: if someone other than my main team members had to implement this plan, what information would they need?

At the end of this exercise, we still conduct an after-action review and collect all the appropriate data such as lessons learned, what went well, what worked, what didn’t, and how we can improve. We’ll also ask if they would like to add any additional input and what kinds of other disruptive events they have experienced in the past. All of this is done to create familiarity and training for future exercises as well. The entire process is about having the participants learn new skills and improve their existing plans.

Once these learning stage exercises are conducted and the plans updated to reflect the exercise outcomes and additional strategies the work begins to set up the next round of future exercises for the practice stage.

Practice

Usually taking place about a year after the learning stage, the practice phase starts to get a little bit more intense. Still, in a tabletop setting in most cases, the participants are expected to know how to access their business continuity plans, how to access information within the plan, and how to walk through the steps to invoke the plan successfully. This is usually done and presented as part of a scenario impacting the business and forcing the plans to be activated.

At this practice stage, the idea isn’t to do anything too hard but to present the exercise, have the team attempt to achieve a predetermined set of goals, and even guide them into the next steps through a series of questions or injects. They may do so exceedingly well or may fail and learn a series of lessons. The idea though is to allow them to practice their plan in a controlled environment where they can feel safe and make mistakes. But not to push them to the brink where it becomes a stressful overwhelming event where they learn nothing and feel defeated.

In some cases, it may be necessary to hold several practice sessions with the team before moving on to the next stage of maturity in the exercise progression. Perhaps twice a year or more. More on this later in another post. 

The point is some teams will need to practice a few times before their comfort and confidence levels allow them to move onto the implementation stage. As with the learning stage, we hold an after-action review session immediately following each exercise.

Implement

Next is implementing the plans during an exercise. Here we start with the overall purpose of the exercise, as in, what are we exercising? Are we testing the ability to send notifications? Implement strategies? Can the steps be followed that are needed to initiate and complete the strategy? Can vendors be notified and coordinated with? Can customers be notified and coordinated with as expected? Can key personnel go to and work from an alternate location or remotely?

For all these implementations and more, are they successful? Did they fail? If so, why? Can the cause of the failure be easily determined? What worked well? What didn’t? Where is there room for improvement? How were internal communications? Were there errors? What were they? Did we use alternate applications to access information? How did that go? Are we tracking things manually? Did it work effectively? Where are there stumbling blocks and bottlenecks?

So, to summarize this section, Implementation exercises are exactly that, implementation of parts of the plan such as a select strategy, communications internally or externally, notifications to team members or other teams, or the implementation of the whole or parts of the plan that would be needed to fit the scenario.

Once teams have had the opportunity to implement their plans, we will start to Challenge them.

Challenge

The challenge phase is exactly what it sounds like: we create a scenario or series of scenarios that begin to challenge the plan owners and participants. This is done to expand the teams’ capabilities, build massive confidence, and develop the capability to learn and improvise based on what they know and the strategies available to them within the plan.

This challenge phase is never done with the idea of forcing the team to the brink and forcing failure, but to provide a safe learning environment to expand their capabilities. In other words, don’t make it so impossible that they do fail, but challenging enough that it forces them to think, act, and improve upon what is there so they can be ready for real incidents should they arise. Put another way, the challenge level exercises should elevate the team involved and make them better for participating in the exercise.

I’ve seen some exercise designers and facilitators develop exercises where they knock-off (kill) many or all key personnel, make it impossible to contact vendors, and inject failure at every turn. Not that some of these things can’t happen. They do. But the idea is to provide a positive learning experience for the people involved.

If they aren’t learning at every stage or phase along the way and are just placed in a stressful situation where failure is the only or main outcome, they will walk away unhappy, discouraged, with less confidence, and less likely to look forward to or participate in another exercise.

In fact, if this has been the case, you may need to reinitiate the exercises at the learn or practice phase level again just to build up your team. 

So, get out there, and Learn, Practice, Implement, and Challenge your business continuity, disaster recovery, and crisis management teams.

As part of our challenge phase, as businesses mature in the exercise phase to improve their preparedness, we offer world-class training and exercises to take their endurance to the next level. We have partnered with an Academy Award-winning special effects team to create real-world events and scenarios in a safe and controlled environment.

 

Keith Erwood is the COO, Co-Founder, and Principal Managing Consultant of the Erwood Group. The Erwood Group focuses on business preparedness, business continuity, disaster recovery, and crisis management. We create enduring businesses that Prepare, Prevent, Profit through planning, mitigation and exercising. #Endurance>Resilience

Are You Up to the Challenge?

 

Introducing the View 360 Report

The View 360 Report is our weekly subscriber-only Business Intelligence Report. It is designed to provide the reader with situational awareness of emerging threats that could impact their business and personal lives. Unlike other reports that just bring you the potential threats and risks, we provide direct actionable measures to mitigate the impact to your business and life.

View 360 is also designed to supplement our yearly Emerging Threat Report (sold separately) published in January of each year.

The contents of each View 360 Report are sent out to subscribers each week in an easy-to-read PDF text-based format. It includes a Situation Awareness Points Overview where we highlight each threat in bullet point form. Below that, we go through each bullet point, highlighting the details of the threat, including our opinion on the topic and what to expect, along with an occasional deeper insight providing additional comments, and finally actionable measures where we provide details on mitigations that can be implemented. Then we provide a Cyber Event update on cyber events that have occurred since the last View 360 Report. Next, we bring you information surrounding planned protests around the United States, detailing the cause, the place and time the event is happening, and the latest intelligence on how many are planning to attend or how many are interested in the protest. Finally, we bring you our weather outlook for the week.

We have also started a private Facebook-based group for subscribers only where we can provide additional updates on key events daily as well as host discussions.

Currently, subscribers can try the View 360 Report for free for 14 days and then will be charged $49 per month thereafter. You can subscribe directly to the View 360 Report here. Cancel at any time.

Grab a free sample copy of a previous View 360 report and be sure to subscribe so you don’t miss any emerging threats in the future.  

 

 

Yesterday, I shared some Golden Nuggets on the benefits of exercising your Crisis Teams and why we exercise. Today, I am going a little deeper on another major hidden and often overlooked benefit that exercises create.

Confidence.

Whether this is for Crisis Teams, Incident Management teams (or whatever you like to call your team), Business Continuity Teams, and especially Information Technology Disaster Recovery (ITDR) teams. Frequent, repeated exercises build confidence.

Confidence among the team(s) themselves, confidence in managers and executives of the business, and confidence from your customers and business partners. The most important place to build this confidence is among the teams that are doing the recovery work.  

As you might expect, a lack of conducting exercises among your teams has the opposite effect. It can cause your team to break down and literally destroy their confidence, which also negatively impacts recovery times and overall recovery.

Let me provide some deeper insight by using an example from some previous work I did.

Several years ago, I was consulting for a major airline assisting some of the IT teams to develop Disaster Recovery Plans, getting them to move beyond tabletop walkthroughs and doing “functional” exercises, as well as documenting the exercise to get credit during an audit.

It is important for me to state here that this was a project based on an internal audit outcome. I was working with the bottom performers on remediation based on that audit. These were groups that either:

  • Had zero plans in place
  • Never conducted an ITDR exercise beyond a tabletop walkthrough
  • Conducted a functional exercise but didn’t document it properly and received no credit for doing the exercise

I want to talk about a particular group within that project that I worked with and why they never conducted anything more than a tabletop walkthrough, and why they lacked confidence and were afraid to even think of doing anything functional.

During my first meeting with this group, I specifically asked the simple question:

Why haven’t you done a functional failover exercise in the past?

The reply may come as a surprise to many of you but didn’t surprise me at all. The response they provided to me was that they weren’t allowed to do anything beyond a tabletop walkthrough.

My follow-up question to them was, who said that they were not allowed to conduct a functional exercise?

The Response: “The Business” (specifically operations).

After some discussion, I learned that the “business side” in the operations leadership felt that the systems and application were too critical to do a functional failover exercise while the application was running in production.

However, the systems and application weren’t deemed or signed off as an application that was too critical for such an exercise. Yet, every time the team submitted a request to conduct a functional failover exercise, operations would reject it and say it was too critical.

Normally, with a set of systems and/or applications that the business deems too critical to complete these failover exercises, they elevate them as such, and the business signs off on it as well as accepting the risk of not having these exercises done.

Not really the best decision as there are ways to do these exercises even while in production. But that is not the purpose of this story.

You see, this team not only lost confidence but felt a distrust in their capabilities from business leadership. So much so that, after working with them on both the development of a runbook and a tabletop walkthrough, when I proposed having them submit a request for permission to conduct a functional failover exercise, I was told, “there’s no point, they’ll never sign off on it.”

I told them, let me worry about that, you just pick a date and submit the request.

Behind the scenes, I was working with my engagement manager to either get the business to approve the request, or bump the criticality up to properly accept the risk, and sign off on it.

We got the approval.

Over the next 30 days, I worked with that team on their runbook to ensure that every step was in there and that they knew how to properly document and track the failover exercise, including backout procedures.

When the day of the exercise came, they performed wonderfully and did everything right.

They hit a glitch late into the exercise and couldn’t do a 100% successful failover. But did achieve the following:

  • They learned a lot. They ran into several issues during the exercise and were able to overcome them and move forward
  • They properly documented what they were doing. Conducting log capture, taking screenshots of before and after states, taking notes as they moved through the process for later use
  • Completed an after-action and discussed lessons learned, things that went wrong, and things that went well

All of this, even though the outcome wasn’t a successful failover during the exercise. They learned immensely during the exercise. They learned they could depend on one another to complete their assigned tasks. And the business learned they could trust the team to do the failover exercise, without disrupting the production environment.

The most important part. They were happy as a team and gained massive confidence in their own capabilities. This allowed them to continue to conduct exercises, gain further confidence and learn new skills.

In the end, a successful exercise isn’t always about a successful failover or other such success. In fact, you can learn a great deal when you fail. And when you learn and build the lessons into your plans, that is when the real success comes.

That, and the confidence you gain will boost you and your team during the next exercise or incident.

So. Get out there. Exercise and build confidence in yourself and your team.

 

The reasons why we exercise are often varied yet sometimes misunderstood by many. Below I will share some of the many reasons why we exercise and perhaps you’ll gain some insights into Why We Exercise.

Let me let you in on a little secret – A Golden Nugget – even the professionals make mistakes.

This is at all levels, in all industries, it even holds true in sports.

But what I am talking about specifically here are first responders and emergency managers. We all make mistakes.

Why am I telling you this? Perspective!

First Responders and Emergency Managers consistently drill, practice, and run exercises regularly. Yet they still make mistakes. They also have great outcomes, but they do make mistakes.

After each exercise, drill, or real incident they hold a debriefing. This is done whether it was a tabletop or a large-scale multi-agency functional exercise or a real incident.

The debriefing covers:

  • What went well
  • What went wrong
  • How can we do better
  • This worked great and we should implement it more
  • What did we learn – Lessons Learned
  • What are your takeaways
  • Let’s revisit and have a conversation on what we need to improve on

The reason why they exercise so often is because they make mistakes. It’s also part of training and educating. Taking corrective action and using criticism and critique in a positive way. The repetition of doing assists both actual memory and muscle memory. Some actions also become habit. These habits can be both good and bad. It’s also an excellent way of highlighting bad habits so they are corrected.

When it comes to businesses, crisis teams don’t exercise nearly enough. Many will do this once, maybe twice per year. And if they do, that’s a lot.

But more than just frequency alone, crisis teams in the business world also need to take a different approach and outlook. Every exercise should be looked at as an opportunity to learn, expand skillsets, step beyond comfort zones, and train for the future.

Additionally, every exercise does not need to be disruptive. It can be as simple as getting in a room, conference call, or Zoom/Teams/insert your other favorite video conference provider and having a discussion that asks:

  • What do we do when (insert event or impact)
  • How will we handle (insert event or impact)
  • Are we prepared for (insert event or impact)
  • Have we considered (insert event or impact)

In fact, this can be done far beyond crisis teams. Each of your departments and teams that hold regular team meetings or get-togethers can take 3, 5, 10, or even 15 minutes to discuss topics depending on what is on the regular agenda. This can be done every meeting, every-other meeting, or even quarterly.

You’ll see changes to your planning and preparedness levels. You might even see changes to your long-term culture. Trust me that’s a good thing.

This is why we exercise.

 

Over the past few years, business leaders have been reminded repeatedly of the unpredictability of doing business in an uncertain future. This has certainly been the case for the past two years as business owners faced devastation from both humanitarian and natural disasters.   

As the world gets riskier, being prepared for disruptions and disasters impacting your business is extremely important. Why? In addition to preventing severe financial losses, it can prevent companies from “closing their doors”.   

To celebrate April’s Financial Literacy Month, I will share examples of what happens when you do not have a plan and outline strategic steps on how to build a resilient organization during the next crisis.  

NOT PLANNING FOR THE UNEXPECTED 

Even seemingly small events can have major impacts on a business. Consider the following events causing major impacts to businesses:  

  • A car hit a fire hydrant in front of an antique bookstore causing damage to 1,500 antique books costing $300,000 in restoration and repairs. 
  • A bad database upgrade and upload left database transaction processing idled for seven days, resulting in the loss of two major clients.
  • Even a trader was impacted by a power loss at his home.  Due to the outage, he was unable to execute a trade to exit a position and lost $70,000.00 in a single day.  

Tessco Technologies 

Let’s look at what happened with Tessco Technologies, a supplier of wireless communications products for network infrastructure, site support, and fixed and mobile broadband located in Baltimore, Maryland.  The business was not in a flood, fire, or earthquake zone.  In this case, the culprit was a faulty fire hydrant, which caused several hundred thousand gallons of water to be blasted through a concrete wall leaving the company’s primary data center under several feet of water.  It also left 1400 hard drives, and 400 SAN disks soaking wet and caked with mud and debris. 

PREPARE, PREVENT, PROFIT

Businesses don’t need to be located in a disaster zone to be impacted by a disaster.  The key to protecting your business is to prepare with a plan that is well documented and has strategies you can rapidly put into place.  

Below are five reasons why business leaders should prepare: 

  • Quickly respond and adjust to a disaster or disruption with strategies that allow you to shift and pivot your business for a more expedient recovery 
  • Reduce or even eliminate financial losses by implementing strategies that reduce the impacts 
  • Obtain better insurance rates and coverage for instant Return on Investment (ROI)
  • Meet government, regulatory, and customer requirements calling for contingencies 
  • Maintain business reputation and share price 

A well-documented plan can help you quickly respond, adjust, and pivot to alternative strategies. As part of proper planning, it is important to know what the delayed and lost revenue to your business will be as well as the potential for increased expenses and other recovery-based costs that will impact your business.  

The first step is to calculate what your downtime costs would be. This is usually directly representative of lost revenue. It is important to note that even delayed revenue can have a significant impact on a business’ cash flow, whether daily, weekly, or monthly. Even if all your income is only delayed, having a reduction to cash flow can shut a business down quickly.  

By taking the time to do even basic downtime calculations you can begin to take steps to protect your revenue-generating processes. 

ASSESSING THE FINANCIAL IMPACTS OF BUSINESS DISRUPTIONS 

Many organizations skip the Financial Impact Analysis.  This is a mistake. Conducting a Financial Impact Analysis is critical to helping a business understand the actual financial impact a disaster or disruption can have on a business. With this process, businesses can select strategies to enable a recovery that makes sense financially and gives leaders peace of mind that no matter what uncertainties the future may bring, organizations will thrive and even profit for years to come.  Let’s take a look at the top five: 

  • Providing insight into Business processes and Applications that when impacted by disruption will cause the business to have lost or delayed revenues 

This first step will allow a business to determine estimated or in some cases exact dollar amounts in lost and delayed revenue from a disruption. Even a basic calculation of these lost revenues can quickly inform a business where they can and should focus their preparedness efforts. Notice this is preparedness, not recovery efforts. This is because a large part of getting this right is done during the preparedness phase pre-disaster.  

  • Allows for proper cost-benefit-analysis of (to implement) right-sized recovery strategies 

This calculation then allows the business to focus its strategies on key critical core functions that are most likely to be impacted by revenue losses and cash flow issues. This deeper insight helps the business to focus resources, time, and money on these critical functions with better data backup, record retention, and manual recovery strategies, rather than throwing resources randomly at business areas that may not need as many strategies, or any at all.

  • Potentially reduced insurance premiums along with increased insurance coverage 

Additionally, presenting your insurance company with a well-thought-out preparedness plan in many cases can reduce your insurance coverage premiums, provide you with increased coverage, or both. Just recently I helped a large Biotechnology company obtain an additional $500M in coverage for a total of $2B in total Property and Casualty Insurance Coverage with zero additional increase to their premiums.  

  • Better insight for the selection of Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), and Maximum Allowable Downtime (MAD) 

Another key benefit is rather than selecting arbitrary Recovery Time Objectives (RTOs) for your business processes or Information Technology Disaster Recovery (ITDR), you can tie these to your financial impacts and set clear goals that are meaningful to your business.  

This would allow you to implement a preparedness or IT recovery strategy that enables you to recover in the time you need and more importantly, save money. 

  • Greater ability to measure effective Return on Investment (ROI) of Business Preparedness Measures 

When you take the time to do even basic financial impact calculations, it also becomes much easier to measure and obtain better ROI. Yet, many do not take the time to do these calculations because they believe it is too difficult, they don’t know where to start, or even how to apply the outcome of these calculations.  

MAKE YOUR BUSINESS MORE RESILIENT  

At the Erwood Group, our business is helping your business stay up and running after and ideally during a crisis or disruption. Whether you need help with business continuity planning, crisis, and incident management, or need better disaster recovery options, we’ve got programs and services to make your business more resilient so that you can prepare, prevent and profit even in a disaster.  

To celebrate April’s Financial Literacy Awareness month, I am offering a free consultation to help your business survive the next disaster and provide critical strategic steps to prepare, prevent and profit in an uncertain and unpredictable future.   

Contact Keith Erwood, Business Preparedness Expert, ERWOOD GROUP. 

Supply Chain Disruption Forcing San Diego Businesses to Make Tough Decision this Holiday Season

Local Crisis Management Expert Believes Distribution Challenges Are an Opportunity, Not a Crisis.

The Halloween decorations have been put away and we are now entering the holiday shopping season. Sticker shock will be this year’s theme, if you can find what you’re looking for, that is.

SAN DIEGO—The global supply chain crisis, which includes thousands of unloaded containers with merchandise lingering on ships in major US ports, coupled with skyrocketing gasoline prices, a worker shortage, and a huge increase in consumer demand, is forcing local companies to make some tough decisions heading into the competitive holiday season.   

According to Crisis Management and Business Continuity Expert, Keith Erwood, Business Preparedness Expert of ERWOOD GROUP, companies must decide three important questions:  will they pay higher prices upfront to receive overseas goods, pass the increased costs onto their customers, or retreat from overseas markets, all together.

Keith Erwood: “Our data and research indicate, things will get worse before they get better. However, the supply chain disruption should be viewed as an opportunity, not a crisis, for our San Diego business owners. There are steps companies can make to ensure resiliency and identify key strategies you can take to build a stronger supply chain.”

To help local businesses survive this holiday season, Crisis Management Expert, Keith Erwood, Business Preparedness Expert of ERWOOD GROUP has outlined strategic steps to handle the supply chain disruption:

Diversity of Supply Base

To help untangle the global supply chain mess, businesses need to move away from depending on a single supplier overseas, like China or Vietnam and find local suppliers where possible to fill critical components or materials. This is because local suppliers can deliver products much quicker. It is also easier for a supplier to coordinate a shipment across the neighborhood than around the world.

Forecast Demand

Companies need to focus on delivering quality best-selling products to their consumer-base, instead of trying to keep shelves packed with non-essential slow-moving items.

Erwood said, “There is a false narrative being shared in the media right now that holding and buying increased inventory will allow businesses to meet high demand over the holidays.  This is a mistake.  If demand for a product decreases, deep inventory can become a financial liability and environmental waste.  This is especially true for technology, fashion, and perishable products that rapidly lose value and salability over time.”

Be Honest

Research and data at the ERWOOD GROUP predict supply chain imbalances will continue into June 2022, due to inflation, the worker shortage, and the impact of the Delta variant around the world—especially in South Asia.

Erwood said, “For this reason, you must be very honest with your customer, even when it hurts.”

Plan for Recovery

Companies should think beyond short-term disruption to long-term company survival. Disruption can be seen as an opportunity to thrive and make tough business decisions, like a long-desired reorganization or cutting non-performing products and customers.

Buy Local

It’s no secret supply chain issues have taken a toll on small businesses importing materials.  For this reason, San Diego consumers must start buying from local businesses to change how they operate. By relying less on goods and services from outside markets you can boost regional and local economies.

GUEST BOOKING:

Keith Erwood is available for live guest segments. To schedule your interview, please contact, Kristi Angevine, Publicist, ERWOOD GROUP at kangevine@gmail.com

 

About ERWOOD GROUP

At the Erwood Group, our business is helping your business stay up and running after and ideally during a crisis or disruption.  Whether you need help with business continuity planning, crisis, and incident management, or need better disaster recovery options, we’ve got programs and services to make your business more resilient so that you can prepare, prevent and profit even in a disaster. For more information visit erwoodgroup.com 

VALUE

How Business Continuity Provides Value to a Business

There are many ways in which Business Continuity can provide a business with tremendous value. Not just during an activation of the plan itself, which may keep the business from suffering substantial losses, but even during times of normal business operations. How, you ask?

The first and most obvious to many is that business continuity planning helps organizations obtain reduced premiums on insurance. Another is that it assists in providing consistency across the enterprise and increased efficiency. Let’s look at each of these and others in more detail.  

  1. Reduced Insurance Premiums: It is well known that having a well-established Business Continuity Plan can assist businesses in obtaining a reduction in premiums for business interruption, supply chain, cybersecurity, and other forms of insurance.

Not certain if your provider will or has reduced your premium? Contact them and ask. If they aren’t willing to (though a majority will) start looking for a new provider that will.

In some cases, we have seen providers work closely with the client to further mitigate risk by providing additional assistance and suggestions. You might also find that a risk that was unacceptable before you had a business continuity plan becomes more acceptable, with insurers now willing to underwrite it because you have written documentation on both mitigation and recovery should the risk occur.

  1. Consistency Across the Enterprise: Often, especially when spread across a large geographic area, a business will have different processes to complete the same task. This can often lead to confusion, inconsistencies, delays, lack of trained personnel, and frustration.

These disparate processes are easily found while creating the plan and easily consolidated into one or two (as a backup) processes for completing a specific task. This creates consistency across the enterprise, reduces waste, and gives more personnel knowledge of how to complete the same processes and tasks. This is also good for workforce continuity should the need arise, especially if the process has to be moved geographically due to business disruption.

  1. Increased Efficiency: Business Continuity Planning encourages the organization to perform deep-dive analysis into their processes. Mapping out the processes allows the business to find strengths, weaknesses, and inefficiencies and make improvements.

Refining these processes over time helps the organization increase efficiency, maximizing operations for capacity, agility, and growth, and finally leading to better cost management.

  1. Meet Government Mandates: While there are currently no government mandates to have a business continuity plan, mandates do exist, such as meeting payroll on time and accurately, that can cause a business to face severe penalties and fines if not met.

Having a business continuity plan in place for these processes ensures that they can be maintained effectively during a crisis or disruption, keeping the business from facing steep fines.

  1. Meet Legal and Regulatory Requirements: In addition to governmental mandates, organizations face legal and other regulatory requirements to have business continuity and contingency plans. While it may not seem obvious at first, many businesses face Service Level Agreements (SLAs) and other contractual agreements that if unmet, can cost a business lost revenue and penalties.

In addition, businesses MUST meet requirements from regulatory bodies to have proper business continuity plans in place, sometimes including specific requirements and specific time frames. One such requirement is FINRA 4380. These regulatory rules have also changed from time to time, only increasing in strength.

  1. Meet Needs of Clients and Business Partners: Having these Business Continuity plans in place allows the business to quickly meet the needs of its business partners. Many large organizations now require their vendors and business partners of all sizes to have and maintain a business continuity plan in place before they will even consider conducting business with them.

This gives the businesses that already have the plans and contingencies in place an obvious business edge against competitors and increased business value, as such businesses can command higher prices or premiums on goods and services they provide to other organizations.

  1. Increased Business Value: Organizations that have business continuity and contingencies in place can quickly meet the needs and requirements of their business partners. As such these businesses can command higher than normal prices and a premium when showing they can continue to support their clients and business partners during major disruptions.
  1. Reduced Business Liabilities: Businesses that have business continuity plans frequently find hidden exposures to the business and take steps to mitigate, reduce, or remove the risks and reduce the overall business liabilities that otherwise might have been unforeseen.
  1. Alignment of IT with Business Strategy: Business continuity planning assists the business in aligning business strategy with IT strategy. Too often businesses have communication and alignment gaps between business and IT strategy which leads to increased frustration on both sides.

Business continuity planning allows for the defining of critical, important, and non-essential processes along with supporting applications and other IT functions so that you can recover your critical processes quickly.  

  1. Alignment to Maturity Model: Business continuity planning allows for the natural progression to a maturity model from non-existent, to repeatable, through to the optimized level.
  1. Alignment with Risk Management: Businesses with mature business continuity plans successfully align with Risk Management to further reduce liabilities and have strong contingencies in place for risks that will have a high impact on the business.
  1. Alignment to Vendors and Customers: Business continuity planning allows you to take a closer look at your vendors and suppliers and see how they will handle your needs during a disruption. This also allows for deeper and closer partnerships with your first-tier vendors and to work together to achieve objectives during disruptions to either entity.

The same can also be said for your most important clients. Well-defined contingency plans account for working with top-tier and other clients during disruptions.

  1. Institutionalization of Program: Organizations that implement and maintain their business continuity plans tend to develop institutionalized programs. Meaning the future life and maintenance of the planning itself becomes an embedded process within the organization.
  1. Preparedness as a Culture: Developing a solid business continuity plan likely will create a culture of preparedness and employees will take a natural course to ensure the continuity of new and emerging processes and tasks that develop.
  1. Maintain Operations During an Emergency: Business continuity plans enable organizations to operate after, and ideally during a major crisis or emergency that might arise within or around the business.
  1. Increase Return on Assets: Businesses with continuity plans tend to keep greater track of critical and important assets. This allows the business to take action to realize and recoup the value of assets. This can be done through getting the full life out of the asset, donating the asset, and many other methods to achieve monetary value out of assets that otherwise would have not been achieved.
  1. Safeguard Critical Business Assets: Business Continuity planning allows for businesses to better safeguard critical assets in a variety of ways. Whether through insurance, hardening structures, or other methods. Planning makes for the identification of critical assets to take further action when required.
  1. Safeguard Business Reputation: Business continuity planning with well-defined crisis communications plans can help mitigate and, in some cases, prevent major impacts on an organization’s reputation.
  1. Safeguard Employees: Business continuity plans can also account for the safeguarding of employees and their workforce.
  1. Training and Education: Business Continuity Plans that are properly tested and exercised make for greater success in recovery during a disruption through continuous training and education.
  1. Discover Hidden Business Value: Business continuity planning creates opportunities for finding hidden value in the business. This is achieved through consolidation and deduplication of processes that may overlap, better and more refined processes, and new ways of conducting processes. In some cases, it also leads to new ideas and opportunities to provide to clients and customers.

It is not uncommon for organizations with business continuity plans to be able to respond quickly and efficiently to market and geopolitical changes, increasing their competitiveness.

  1. Reduce Revenue Loss: Business continuity planning leads to reductions in revenue loss.
  1. Increase Return on Investment ROI: Numerous cases exist for increased ROI with Business Continuity, among them are better-defined Disaster Recovery strategies and implementations often leading to cost reductions.

Businesses with well-defined business continuity plans that faced disruptions could react quickly and adjust, leading to profits while competitors struggled to recover.

business continuity plan

 

Throughout the course of my career spanning 25-plus years, I’ve witnessed many planners and organizations getting stuck during their continuity planning. This happens for a variety of reasons, including how you manage the overall program. Here are some important ways to get ‘unstuck’ in your contingency planning.

The BIA phase is one of the most common phases where organizations and planners get hung up and end up ‘stuck’, without making progress and moving on to the strategy selection and planning stages. This happens when you’re trying to get everyone through the BIA process before moving on to the other phases.

In large organizations with many business units and processes, getting ‘stuck’ in this part of the business continuity process can easily derail your entire program. In fact, I have seen a healthcare organization 3 ½ years into their business impact analysis with an estimated six more months remaining until they thought they would complete this phase of the program. They also felt it wasn’t productive to move forward into additional steps prior to completing all BIAs for the entire organization.

Three years in, it is highly likely that the data you collected in the beginning is no longer valid. In most cases, a BIA should be completed every two years. In some cases, a BIA is completed once per year. So being 3 ½ years in without further progress is not beneficial to the organization or to your program.

How to Avoid Getting Stuck

Solution

The best way to avoid getting stuck in the first place is to have a solid plan before you start with your first BIA. Determine how many BIAs you will need to complete overall. Once you do this, you can easily break them down into smaller groups of four or five and plan out how many rounds of these groups you will have to do.

Start with your first group of business units and complete the BIA process with this first group. Once this is completed, move the first group into the strategy selection and planning phase and get your next group ready for their BIA phase.

Splitting your business units into groups allows you to continuously cycle them through each phase of the planning process. This allows them to move along in the process while the information is fresh, and maintains the momentum and rapport you built during the BIA process.

This also allows other groups and your management teams to see and experience the progress of your planning program which will contribute to your success.

What to Do If You’re Stuck

Time for Action

Here is how to get ‘unstuck’ in your contingency planning if you’re already in a situation where you might be having trouble moving the needle. There are a few things you can do to start your planning moving forward again. Since you want your business continuity program to be successful, I recommend that you start with the business departments that most recently completed their BIAs, moving them directly into the strategy selection and plan building phase.

Then go back to where you started in the beginning and meet with the departments that completed their BIAs the furthest back in time. Review the data that you have, looking for changes, and make the necessary adjustments to the data you gathered.

Once you do this you may find that you can move these business departments into the next stage of strategy selection and plan creation and documentation. In some cases, you may find that so much has changed, from personnel, processes, responsibilities, and even applications that you might have to redo the entire BIA process again.

Don’t fret; simply continue this process. As you find departments that have little to no changes, move them along into the next phase, and redo BIAs for those groups that have too many changes to quickly gather the data.

This may seem like you’re moving backward at times, but you’ll be making more progress than you were previously by moving business units into the next phases.

Keep the Momentum Going

Once each business department group completes the creation of their planning document, move them into a tabletop walkthrough to look for gaps, missing information, or something that might cause an issue during recovery.

These groups can then be placed into a maintenance category where the plan will be reviewed at least once per year. Hopefully, someone will be dedicated to keeping the plan updated as changes are made, making this process of doing a yearly review much easier.

If you need more help getting unstuck in your business continuity program, book a free consultation today.


 

The Importance of Business Continuity

The Importance of Business Continuity is an extensive whitepaper first written in 2009 by our CEO & Principal Managing Consultant, Keith Erwood. It is newly updated with fresh content, new stats and important new information.

The Importance of Business Continuity is a great resource for continuity professionals and practitioners as well as business owners, executives, and business managers who have or are looking to implement Business Continuity and Disaster Recovery programs in their businesses.

For those new to business continuity, The Importance of Business Continuity provides a brief overview of what business continuity is and why you should have a continuity plan, but more importantly how to get started developing and implementing your own program for business resilience and preparedness.

Inside The Importance of Business Continuity, you’ll learn more about minimizing downtime, protecting strategic elements and assets, maintaining your reputation, communicating efficiently, resuming operations, how preparedness measures mitigate costs, methods of calculating ROI, and more.

You’ll learn key statistics such as the impacts to a pharmaceutical giant following a ransomware attack in 2017, a staggering percentage of small businesses impacted by breaches in 2018, as well as how much the average cyberattack is costing businesses of all sizes – hint, it’s over $100,000 and the amount may surprise you.

The Importance of Business Continuity is a great resource to have at your fingertips or close by to facilitate discussions with your executive management team, crisis management team, IT recovery team, and anyone else that you might want to discuss business continuity or disaster recovery with. 

We’ve also updated our section on how to get started, including the basics, communications, data protection and more for larger businesses. The best part is it’s free.

We’d like to add that here at the Erwood Group, we are driven by our purpose and our relentless commitment to preparedness so you can Prepare, Prevent and Profit. The Importance of Business Continuity should help you do just that.


 

 

Coronavirus

Businesses face challenges in reopening after Coronavirus. Why? Well, there are several reasons, from temperature checks (and whether to do them, even if you can) to sourcing cleaning supplies, added security, enforcing social distancing, and finding out employees don’t want to return to work yet.

Below we mention some of these issues and provide some recommendations on how to handle each situation to make your reopening a little bit smoother.

Employees May Not Want to Return to Work Yet

With every disaster or major disruption, there is also a psychological impact. This is particularly true when it comes to the Coronavirus. The biggest reason your employees might not be ready or even refuse to return to work is they may feel unsafe.

Another reason for this is many employers are discovering they have to compete with higher unemployment payments that may be greater than the employee’s actual earnings.

Yet another often overlooked issue may be how employees get to and from work. Employees that don’t have transportation may look to avoid public transportation and even carpooling to avoid contact with other people. This may cause them to refuse to return to work.

Recommendations on Employee Safety:

One of the first things you should do when you first begin to consider avoiding challenges in reopening after coronavirus is to set up a series of one-to-one calls with your employees and survey them about returning to work. Find out their concerns, fears, and doubts directly from them. Don’t just assume they will all want to return right away. Some employees may need some extra coaxing.

Another thing you can do to ease this transition is to have employees meet at the worksite to visually observe and experience the proactive steps you’re taking to ensure the safety of not only them but customers and others who may come to the worksite. Have them experience and participate in the cleaning and sanitization process. Let them see and experience social distancing policies. Have them help set up for social distancing by actively measuring out 6-foot distances.

Have them wear their face coverings before entering the worksite and experience what it is like to wear it continuously while working and discussing the proactive steps being taken to overcome the challenges in reopening after coronavirus. Then reassess their comfort level. Do they still have concerns? Can they be addressed further?

Recommendations on Employee Compensation:

You may have to consider offering increased compensation policies or even a one-time bonus incentive to encourage employees to return. If, for instance, you implement all the safety measures you can and many employees still refuse to return, consider increasing the hourly pay rate or offering a one-time return-to-work bonus. We witnessed that businesses that remained open and offered a $2-per-hour increase encouraged people to return and increased the number of new applications for employment.

There are currently discussions taking place on having government subsidize a return to work through incentives. For example, Idaho is paying people $1,500.00 to return to work. Many employers that remained open during the coronavirus increased pay and offered other compensation incentives should employees become ill or perhaps exposed, such as increased sick leave and pay during quarantine periods.

Whether other local, state, and federal governments end up providing some type of return-to-work incentive remains to be seen.

Recommendation on Employee Transportation:

If you have employees that utilize public transportation, they may be concerned about traveling to and from work. This may be a bigger concern than the safety of your worksite. Additionally, some employees that car-pooled in the past may no longer be willing to do so.

While some of your employees may refuse to utilize public transportation altogether during this time, one of the solutions you can implement to reduce challenges in reopening after coronavirus is to allow employees to take public transportation during off-peak times. This will allow them to travel on less crowded transportation and come into contact with fewer people. This may take some trial and error since many businesses may implement the same policies. Also, public transportation may allow for fewer riders, and commute times may increase. Anticipate and allow for this.

You may want to consider informing carpoolers that are not domiciled together to take extra precautions, such as wearing face coverings while traveling together. Suggest they take other precautions as well, like those the CDC recommends for ridesharing, taxi, and limo services.

As a last resort, if cost-effective and feasible, you may want to consider hiring transportation for your employees. You can either have them expense their transportation or hire a shuttle bus that allows for social distance spacing to provide pickup and drop-off service for employees.

 

Social Distancing May be Harder Than You Think

Included in social distancing mandates in some localities is a reduction in the number of people allowed into a worksite. This reduction doesn’t just include customers, it includes your employees as well.

Some businesses will have the added challenge in reopening after coronavirus of having to select which employees can return and which cannot. On top of that, will you be able to have enough staff on-site to handle any customers that need service? Too few, and customers will have to wait longer than what they may deem acceptable. Too many, and your costs increase and profits decrease. For some businesses, this will be a continuous balancing act, and for others, it will be a non-issue.

The next challenge you’ll encounter is if your worksite has enough space and flow for employees to be socially distanced and still be able to work effectively. You’ll also have to consider breakrooms, restrooms, hallways, and small spaces, and what about the reception area?

Recommendation on Social Distancing:

Make sure you have clear and concise signage that explains the social distancing policy at your entrances and displayed throughout your worksite.

Next, you’ll want to incorporate clear visuals and signage that shows 6-foot distancing clearly. You’ll also want to implement a nonpunitive and friendly reminder policy where all employees can remind others, including customers and guests of the social distancing policy.

Temperature Checks Are Not A Panacea  

Employee Self Temperature Check

While this sounds like a great way to ensure employee safety, it includes its own set of challenges. Where will you source the preferred no-touch thermometers? Will you use and implement thermal cameras, and where will you source them? Many scams are out there in sourcing for both – do your due diligence. Who will take employee temperatures? Other employees? Managers? Self-checks? Should you hire an outside vendor? What type of vendor? Will you set up screens and barriers for the checkers? What about Personal Protective Equipment (PPE), and what kind? Will you record or not record temperatures? If you do, you will have to comply with HIPAA, and how will you do that?

It doesn’t end there. What is your policy if someone has a temperature of 100.4°F? Sure, you won’t allow them access to the worksite, but then what? Do they need to self-quarantine? Do they need to go to a doctor? Get tested for COVID-19? How and when can they return? Also, they are now covered under the Americans with Disabilities Act (ADA). Once you send them off-premise, do you require contact tracing for those around that person? If so, how far back will you go?

Next, how will you go about getting the temperature? The CDC guidance calls for doing this before entering the facility or worksite to minimize exposure. This, however, has proven extremely difficult to implement, and most employers that are implementing temperature screening are doing it just after the employees enter the facility. Increased outside temperatures of as little as 80°F and people traveling in hot cars have caused false positives. One client implemented a large swamp cooler outside the entrance to help reduce this. Another potential problem seen is people trying to reduce their temperatures with icepacks. How will you handle that?

Then we have compensation issues to worry about. Having employees wait in line before the start of their shift or day can cause delays and lateness and, if required, is considered part of work.

All of these issues combine to create immense challenges in reopening after coronavirus. Many businesses that start off planning to implement temperature screening tend to abandon it once they’re confronted with the challenges of implementing it.

Recommendations for Temperature Screening:

Now that you are aware of many of the challenges around temperature screening, the first step to take if you’re still considering this is to create a written plan on how you will meet these and other issues you encounter.

Once you address this through a written plan, conduct a walkthrough of the area where you will be doing the temperature screenings. Ensure that you will have enough space for the screener, any barriers you will use, and the person being screened. Next, consider the time needed to check each person and how long it will take to check every employee, guest, and vendor entering the facility.

Next, we recommend hiring a vendor to do the actual temperature screening if possible. If you’re a small business and can’t afford to hire a vendor, utilize your employees to check other employees, or have them conduct self-checks.

Work out and talk through all the potential iterations of what will happen when an employee has a temperature of 100.4°F. Write these policies and procedures down, and do not deviate from them.

We highly recommend that you do not record temperature readings from any employee, whether normal, high, or below normal. Speaking of below normal, you’ll have to decide what to do when someone has a below-normal temperature, because it will happen.

If you deploy thermal cameras, we recommend people spend time training and getting used to them. There will be a learning curve as to where the camera picks up high temperatures, and you may need to use a backup touchless check as well. From experience, thermal cameras work well and speed up the process overall but will also cause significant false positives when the outside temperatures climb. Some may also require constant calibration as temperature changes occur in the surrounding environment.

Beware of Scams:

Always do your due diligence when researching vendors and products. We, as well as clients, have run into numerous scams and fake vendors while researching temperature screening solutions. Call clients listed on their sites and reach out to colleagues to see what they are using and where they obtained it. Also, never pay large upfront fees if you can avoid it.

Handling Visitors and Vendors

Another area that presents challenges in reopening after coronavirus is how to handle visitors, guests, and vendors. Early on, it was typical to prevent visitors of any kind from entering your facility. Today as we begin to reopen, visitors of some types are more expected. However, there are different types of visitors and you may want to handle each differently.

One type of visitor could be anyone that shows up unannounced. This could include family members of employees, job seekers, new vendors, or even local officials checking in on you.

Each situation might have to be handled differently, but you should have policies in place to prevent confusion.

Recommendations for Visitors of Employees:

We recommend people visiting your employees that are not doing business with you remain and wait outside your facility. This reduces both the number of people going into your facility and the need for testing or providing PPE to people who enter your worksite. Employees can meet with family, friends, and anyone else outside the worksite.

Recommendations for Job Seekers:

Place signage outside refusing admittance along with a number where they can seek assistance if necessary. Provide them with a URL for an online application process or your jobs/careers website address.

Recommendations for Vendors:

All vendors should have face coverings or a mask when entering the facility. You should also require hand sanitizing before entering. If you are going to temperature screen employees, you should do the same for all vendors entering the site for an extended period of greater than 30 minutes. You can also choose to check all of them before letting them into the facility. Set all sales/marketing and non-essential, non-delivery-based vendor meetings to teleconferencing only.

Request that all vendors provide touchless-only options for billing.

Recommendations for All Visitors:

All visitors with permission to enter the worksite should sign in and out and provide a cell phone number along with whom they are visiting and why. Face coverings and hand sanitizing should be required. Limit all face-to-face meetings.

 

Going Contactless

You will need to set up touchless or contactless methods of interacting with customers and vendors. This includes payment collection methods and the providing of goods and services.

Recommendations for Going Contactless:

First, ask your payment processing vendors about their contactless options and services that you can provide to your clients. If you accept card payments, consider collecting the payment information over the phone and directly inputting it into your payment processing systems. We advise against writing it down and then inputting it later. Additionally, you can offer to invoice the customer and accept payment later, depending on the type of service you provide.

Next, come up with a delivery method to provide your goods and services to clients and customers. Offer curbside pickup and delivery. Allow a limited number of people, or one person at a time, into your establishment to pick up your products.

Can you deliver some services through a teleconference, videoconference, or through the mail or email? If so, do it where you can.

Find additional ways you can provide goods and services to clients where possible.

Additional Needs

Consider what other additional needs you have. Some businesses require additional security and cleaning vendors. When you find you need a new or additional vendor, we have found it best to start early in the process and execute early. We have seen businesses wait and then be left with zero options in some cases. Find what you need and implement it; you can always make adjustments as you go along.