Monthly Archives: August 2010

It’s now 5 years since Hurricane Katrina hit New Orleans causing the breach of levees and flood walls in more than 50 places and flooding about 85 percent of the city, and the recent press coverage of the anniversary has prompted me to wonder about how many of the businesses that were disrupted by the flooding have survived.

The Business Continuity world is very short on statistics to back up its claims about the benefits of implementing Business Continuity Management, and it strikes me that New Orleans is probably a unique opportunity for some research to be done that will enable quotes such as “80% of the businesses affected by the New Orleans flood that did not have Business Continuity Plans did not survive, but 80% of those that did have Business Continuity Plans were still trading 5 years after the event”.

The New Orleans flood has created a wonderful opportunity to go back and look at the businesses that were in the city at the time, and do some research on the ones that have failed and those that have survived. It should be possible to compare the implementation of Business Continuity Management in each group, so providing the missing evidence on the benefits of Business Continuity through a classic cohort study.

So far as I know, this research is not being undertaken. Should the Business Continuity Institute be trying to find someone willing and able to do this research? Should it be down to the US Department of Homeland Security, or should one of the US universities that offer Business Continuity courses be sponsoring the research? Does anyone out there want a PhD in Business Continuity?

Since having a short article published by Continuity Central on the fact that suppliers of web-based data storage do not guarantee, through offering an indemnity, that they will not lose their clients’ data, I’ve been contacted by a number of suppliers trying to explain to me that this is not possible.

An example of the sort of comment that I’ve received from suppliers is “As we’re writing the data on a live basis to a large robust cloud based server farm over multiple redundant data centres we state as part of our service that there is zero data loss”. Very good, there’s no chance of data loss, so what’s the problem in offering a guarantee as there’s absolutely no chance of ever having to pay out? Of course, the concept of there being “no chance of data loss” is wrong – there’s always a chance, no matter how small the chance is.

However, I still don’t see what the problem is. My company, Merrycon, has an insurance policy that covers loss of data, and so do most organisations. Why can’t suppliers of web-based data storage offer an insurance policy as an option?

Let me use an analogy. If you send a package by post, there are various types of service that you can use. The cheapest service will not guarantee delivery, but you can opt for a more expensive option that will not only guarantee delivery, but will also pay compensation to the stated value of the item in the package. The difference in cost is actually an insurance premium.

So, which supplier is going to be first to offer a slightly more expensive service that offers compensation for loss of data?

Today I’ve been with one of my clients discussing the ever-present issue of how to get people to keep their Business Continuity Plans (BCPs) up to date. It’s not rocket science, all it takes is a little discipline and some time, but it seems to be one of the most intractable problems faced by many organisations.

This particular client has an individual who is responsible for Business Continuity across the organisation, who has, with the help of Merrycon, developed a template BCP and produced BCPs for about 12 of the organisation’s sites. Each site has someone who has been made responsible for their site’s BCP, and these people have been trained in how to keep their BCP up to date.

The reality is that not one of these people has made any attempt to update their BCP, let alone exercise it! They have literally put it on the shelf, ticked the box saying that their site has a BCP, and have ignored it. A BCP has been produced for their site, and that’s all that they are interested in. They can now get on with their normal lives.

There are lots of potential solutions to this problem, ranging from additional awareness training through to bonuses for keeping the BCP up to date or disciplinary action if the BCP is not kept up to date, but the client hasn’t got the managerial will to implement something that might have some real effect.

This, unfortunately, is a very common situation, and seems to be solved only when the top management actively promote Business Continuity and make sure that everyone knows that it is something that is vital to the interests of the organisation. Such an attitude by top management seems to be rare.

Last week, one of my clients showed me some Business Continuity Plans that he had been given by other people working in the same sector that he thought might be useful in creating a template for his organisation to use, and asked me my opinion. On the surface they looked to be quite good, but on closer inspection they seemed to suffer from something that I’ve seen many times before – they weren’t really plans, they were wish lists.

A wish list differs from a plan in that the recovery requirements are documented, but not how they will be provided. It simply consists of a list of resources that the organisation wishes to have following a disruption to their operations, and when they need those resources to be available.

These lists are produced by putting the outcome of a Business Impact Analysis and a Continuity Requirements Analysis directly into the Business Continuity Plan without going through the stage of determining the Strategies and Tactical Options required to deliver the recovery requirements with clearly identified Recovery Time Objectives (RTOs). They are a shortcut to producing what looks like a plan, but in reality is simply a set of requirements.

This is actually quite acceptable if the plan makes it clear that the selected strategy is to do nothing until the incident has happened, and then to try to obtain the resources required. But this is obviously not the case as these wish lists usually contain Maximum Periods of Tolerable Disruption (MTPDs) that are measured in days rather than the months that would be characteristic of a “Do Nothing” strategy.

Why do people do this? Are they just lazy, or is it ignorance? Don’t they understand that if, for example, they require 1 Manager and 2 Administrators with 3 telephones, 3 PCs connected to the Internet, desks, chairs, and accommodation, these have to be obtained from somewhere and don’t just magically appear?

At what point should an organisation consider employing a full-time business continuity professional to manage their business continuity programme? And if they employ one such professional, shouldn’t they employ two so that they don’t have a single point of failure?

I’ve been prompted to consider these questions by the experience of a client of Merrycon’s that has just lost its two full-time business continuity professionals in a short space of time (one retired and one moved to another job), along with all the knowledge that they had, and is faced with having nobody to manage their business continuity programme for some time to come. The client is also trying to slim down their organisation and save costs, and if they replace the staff that they’ve lost it will cost at least £60,000 in the first year.

An alternative would be to outsource the management of the programme, which would reduce the risk of not having the skills and expertise available, would probably deliver a better service to the organisation because of the likely experience and knowledge of the staff employed by the outsourcing company, and would cost less. The only downside is that the organisation might feel that it has lost ownership of the programme, but this would be a perception rather than a reality.

I’m meeting the client next week, and have decided to ask about whether they have considered outsourcing. I’m looking forward to hearing the reasons why it wouldn’t be a good idea.

Yesterday we hosted the annual general meeting of our road association, and my wife had invited everyone to a bar-b-q. She’s on the committee, and wanted to give the residents an incentive to attend. We got about 30 people along, which is probably the largest number that has ever attended the annual general meeting, but as is usual at these kinds of events I was asked by someone what I did for a living. Inevitably, once I told them that I provided business continuity services, I was asked “Oh, that sounds interesting, what is business continuity?”

The BCI has a definition of business continuity, which is also used in BS 25999, which states that business continuity management is a “holistic management process that…… and value creating activities”, just the sort of thing that you need to be able to tell someone at a party if you want to appear boring and to get rid of them, but not the sort of thing that’s going to promote the subject to one of your neighbours on a sunny afternoon over drinks and a bar-b-q!

So what did I tell them? Unfortunately, I’m still looking for something short and snappy to tell people in these situations. If I was a dentist I could say “I fix teeth”, or if I was a doctor then I could say “I cure people of diseases”, but the closest that I can come for business continuity is to say “I make organisations more resilient”, which actually gives the wrong idea.

In the end I tried to explain what business continuity was, but this wasn’t much of a success either. My guest managed to get the idea that I helped organisations to survive after an incident had taken place, and I had to go into quite a lengthy explanation about putting business continuity in place before an incident, which they didn’t quite manage to grasp before they became bored and drifted away to find someone more exciting to talk to.

So, I’m still looking for that party definition of business continuity.

I’ve just come across a new concept (new to me, anyway) that might be of use in justifying expenditure on Business Continuity – Return On Protection (ROP).

ROP appears to have been proposed by the Ponemon Institute as an alternative to Return On Investment (ROI) when justifying expenditure on IT security and data protection. I have yet to investigate just how ROP is calculated, but the idea of being able to quantify the return on Business Continuity expenditure according to an accepted model is intriguing. However, the key to this is the word “accepted”.

According to the Ponemon Institute, the security technologies that scored the highest ROP were anti-virus and anti-malware software, and one of the highest-scoring governance features was the appointment of a chief information security officer. If this is applied in the world of Business Continuity, then we might find that the measure with the highest ROP would be a Business Continuity Plan, that the activity with the highest ROP would be an Exercise, and that the highest-scoring governance feature would be the appointment of a Business Continuity Manager.

On the other hand, ROP might just be a marketing ploy to enhance the reputation of the Ponemon Institute and have no relevance to, or application in, the world of Business Continuity.

The myth that 80% of organisations that suffer some kind of disaster and don’t have a Business Continuity Plan fail within 18 months (or some variation on the theme) keeps raising its head.

A couple of weeks ago it was one of the “big 4” accounting consultancies quoting a similar statistic in their brochure on Business Continuity, now it’s a PR company in Scotland looking for reliable statistics on behalf of one of their clients. In the former case I challenged the “big 4” company but they have yet to confirm where the statistic came from, and it is to the credit of the PR company that they don’t want to use any statistics that aren’t reliable.

There is obviously a large demand for some kind of statistical evidence to back up the claims that implementing Business Continuity is worthwhile, so why hasn’t any such research been carried out? To my mind, this is an ideal subject for a PhD in Business Continuity – probably the first ever attempted! Think of the glory and the fame, becoming the first Doctor of Business Continuity, not to mention the fact that your research would be quoted for many years to come.

In fact, it’s just occurred to me that I need this information as well. As I write this blog I’m halfway through putting together a 2 hour presentation on Business Continuity, and to be able to quote statistics on the benefits of implementing Business Continuity is just what I’m looking for to start the presentation. As it is, I’ll have to resort to the statistics on incidents that can cause business disruption.

So, is there anyone out there willing to give it a go and undertake the research?

Today I decided that it was time for my company, Merrycon, to investigate the use of online data storage as a replacement for our current portable disk solution. There are a large number of vendors offering all sorts of options and capabilities, but there is one thing that they all seem to have in common – they do not accept any liability for losing the data that they back up beyond the price that you pay for the facility.

The cost of online backup is quite low, which is one of the things that makes it attractive. However, the cost to an organisation of losing all its data is extremely high, and getting back the small price that you pay for the service will not, in any way, come near compensating for the loss of the data. As far as I’m concerned, the only reason for backing up data is so that it can be recovered if the original data is lost or corrupted in some way. In other words, unless you can be certain of being able to recover the data, there’s absolutely no point in backing it up.

The licence agreements offered by the suppliers of online storage usually contain clauses such as “in no event shall XYZ be liable for damages resulting from loss of data, lost profits, business interruption, lost revenue, or lost business, in connection with the use of any licensed product or any other item or service provided under this agreement” and “XYZ’s entire liability for any and all claims … shall be limited to a maximum amount equal to the license and maintenance fees paid … you shall cause your insurers of data, if any, to waive any right of subrogation against XYZ”.

So, you purchase a service to protect your data so that it can be recovered, but you have to insure your data against loss as the supplier won’t accept liability for looking after your data. Why won’t they guarantee that the files that have been backed up can be recovered? Is there a problem? Haven’t they got any confidence in their ability to hold the data securely?

The immediate result is that I have decided to continue with our current backup arrangements. At least I know that it works!

One of the things that I do is to provide BCM training through Continuity Shop, and earlier this year I was giving the BCI’s GPG course that is primarily used by delegates as a final preparation for the BCI’s Certification Exam. At the time, I was faced with a dilemma regarding the Exam and the Course, insomuch as the Exam was still based on the BCI’s 2008 Good Practice Guidelines (GPG) whereas the new 2010 version of the GPG had just been published. Did I teach the latest version, or something that was out of date but which would prepare the delegates for the Exam?

In the end I took the decision to teach the latest version, pointing out where any of the material differed from the 2008 GPG. This was for two reasons. Firstly, I don’t like teaching something that’s out of date, but secondly, everything in the GPG 2008 is actually covered in the GPG 2010. The 2010 version covers the latest thinking and brings in new ideas, but essentially, if you know 2010 you will know 2008. Anyway, that’s what I told the delegates.

Some of the delegates were going to wait until the new Exam became available, but most were looking to take the Exam as soon as possible, which would mean that they would be taking the 2008 version. I asked them to let me know their results, and up until yesterday the 3 delegates that had taken the Exam had all achieved passes with Merit – which is required if you want to join the BCI as a full Member. Yesterday I received 2 more results, and I was extremely pleased to hear that they had also achieved passes with Merit.

So, vindication of my decision, so far.