With three major quakes and thousands of earthquakes, along with a 60%+ chance of another Richter scale 6+ event in the next few days, Wellington is well and truly on the move again. So much for John Key thinking we’re dead and gone.
What could be dead and gone is your business if you haven’t done some business resilience planning and come up with a strategy for dealing with a large disaster. Surprisingly, despite living in New Zealand, which is one of the most active areas on the planet (we’re up there with Japan), we don’t do this well. Strangely, neither does Japan.
No surprises there. It’s a business area that is dominated by suit-wearing consultants charging $200+ an hour, it takes months, it’s boring, and it often doesn’t get to the guts of what’s important in your business.
But it doesn’t have to be. The image in the blog shows what I’ve developed over time; I call it “The Resilient Stack.” It’s a good guide I use with customers to help with Resilience Planning. Here’s how it works and how you use it.
In order of priority, you start at the top of the stack and work your way down.
Directors have certain obligations under New Zealand law with regard to resilience planning. Directors can be personally liable if they screw this up and something happens to the company they are in charge of.
Directors need to ask their CEO and General Management Team a couple of questions, and this is usually where the process kicks into action. Those questions are:
- What would happen if we suffered a disaster?
- How long would it take for our business to recover from a disaster?
- What would we recover first? Second? Third? What’s the priority for recovering our services?
- Where is the Business Continuity Plan that documents how all this works and what I need to do?
- Have we ever tested that plan to make sure it actually works?
- Are there any “business killer” events that we know of? (Disasters that will ensure that the business ceases to exist.)
Chief Executive and General Managers
Responsible for the operation of your business, your senior team should be able to answer all the questions that the directors have asked with confidence, as well as be able to demonstrate that plans will actually work.
They are also responsible for undertaking Business Impact Analysis, the process of determining which services are important, the order in which they should be restored, how they will operate until they are restored, and the maximum time that each service can be unavailable.
As a bare minimum, every organisation should have an Executive Leadership Crisis Management Plan: a document that describes, at the very least, where that team goes to manage a disaster, and some basic roles and responsibilities.
Business Continuity Planning
Every company should have a business continuity plan that describes what they do following a disaster and how they will manage delivery of services to customers while the services are being restored. Business continuity plans include a Master (company-wide) plan with, if the organisation is large enough, sub-plans for each business area, i.e. Finance, Manufacturing, Human Resources, ICT, and so on.
Each plan describes who does what, how they do it, and how processes are run manually (if necessary) while services are unavailable. For example, Human Resources will need to be able to manually pay people until the payroll system is restored.
Technology Crisis Management
If you want to scare your CIO or your IT Manager (and yourself), go and ask them these questions:
- Can you recover all of our ICT services?
- How long would that take?
- What order would they be restored in?
- Do you back up everything?
- Do you regularly test those backups?
- If we are reliant on an ICT team or outside ICT companies, how do we know they will be available after a disaster?
- Do you have a crisis management or business continuity plan for ICT?
- Do we have disaster recovery plans and can I see them?
- When did you last test disaster recovery?
If they can’t answer those questions to a high degree of confidence, then you’ve got a problem.
ICT is critical infrastructure for businesses these days, managing all communications, including telephony, and a company needs to know the answers to those questions. Losing your ICT could result in the loss of your company. Imagine if you could never retrieve your customer database or financial records.
As a minimum, the ICT team (given size, of course) should have a tested and verified ICT Crisis Management Plan that allows them to respond post-disaster. In addition, no matter how ugly the numbers are, they should be able to tell you how long it will take to restore every ICT service and how much data each will lose.
This is critical, because it shows how long you are going to have to run your business continuity plans until the service is restored and how much recovery you will need to do.
For example, payroll again. Let’s say that your IT Manager tells you it will take a fortnight to restore and you’ll lose up to a week’s data. That means that your business continuity plan for Human Resources needs to be able to carry out a manual process for at least a fortnight, and when they get access back to Payroll, they’ll need to load in the last week’s data before it can be ready to be used.
Depending on size, you would expect all ICT departments to have a Master Disaster Recovery Plan (this shows the interaction between ICT services and the order in which they should be restored) and as a minimum critical services should have tested Disaster Recovery Plans (how the actual service is restored).
Without those elements, your business is at risk of not being able to return to operation.
Supply Chain, Cloud, and Outsourcing
As a minimum, contracts that you sign with your supply chain, Cloud providers, and outsource partners need to have a provision for resilience planning and disaster recovery. You need to be convinced that they can return to operation after a disaster.
It’s very high-level, but these are the basic elements of Resilience Planning. It’s something you can do yourself; there are plenty of resources on the web. However, if you need to do it faster, you’ll need a guide.
For the technologists out there, it’s also worth looking at Cloud as an option. Often services delivered from Cloud are far more resilient than your own and a lot cheaper.
In a spot of shameless self-promotion, as well as Cloud, the company I own also does this work. You can find more information here.