
BCI South Midlands forum meeting minutes - March 2016


BCI South Midlands Forum

Promoting Best Practice In Business Continuity

17th March 2016, T-Systems, Milton Keynes

Attendees: Paul Butcher, Sue Stallard, Mike Eaton, Greg Mendelsohn, Janine Price, Ian Griffiths, Josh Subair, Lisa Greaves, Julie Rhone, Caroline Rushmer, Angie Blannin, Jon Mitchell, Stephen Austin, Ian Clarke, Jim Smith, Philip Scutt, Greg Stacey and Lorna Anderson

Apologies: Clare Phipps, Carole MacKay, Mike Carlin, Corrine Forester, Ian Griffiths, Norman D’Urso, Gareth Compton, Janice Hodgson, Carl Mayfield, Andy Fyfe, Gareth Howell, Ray George, Christopher Glennie, Peter Joy and David West

Welcome & Introductions
Paul welcomed all and gave a warm welcome to newcomers – Josh Subair, Philip Scutt, Angie Blannin, Stephen Austin and Jon Mitchell.

The theme for 2016 is Crisis / Incident Management, where we will be looking at the process, case studies and software that can be used. Continuity 2 kicked off our 2016 meetings with an overview of their software and how it can be used to support the Crisis / Incident Management process.

Continuity 2 – Lorna Anderson
Lorna first gave us her background and experience in business continuity, then gave an overview of Continuity 2 before focusing on the Incident Management module. Unfortunately we were unable to provide a demonstration of the software.

Horizon Scanning and Current Perceived Threats
The session started with a look at the Top 10 threats as documented in the BCI Horizon Scan Report 2016:

These also seemed consistent with other studies. During discussions it was obvious that the different business sectors had varying views, which was borne out by the Retail Resilience Report for 2016:

1 | Page    Paul Butcher MBA MBCI & Sue Stallard FBCI


Confirming that each sector sees different threats to its business. Janine, from Home Retail Group, attended the last Retail meeting and talked us through the threats. Fire at number 1 was a surprise, but she felt this was because of the high number of retail outlets – shops, stores, branches, etc. The interesting finding in this report concerns the apparent difference between perception and actual causes of disruption. Retail organisations are likely to be concerned about fires (63%), human illness (62%), and cyber attacks as well as physical security (51%). Invoked plans, however, involved incidents related to unplanned IT and telecommunications outages (33%), adverse weather (33%), and product quality and safety incidents (25%).

It was no surprise that terrorism had moved higher up the list due to the recent events in Europe (Paris, Brussels) and potential threats to upcoming high-profile events such as the European Championships in France and the Olympics in Rio. The one threat that appears to be missing is political – mainly the EU referendum and the US election, especially the uncertainty around a Trump win. Some very good discussions were had during this session, which highlighted the appreciation of threats across the different business sectors.

Videos shown: https://youtu.be/4jxOXbpTmnk and the Tesco Carlisle flood video https://www.youtube.com/watch?v=7OLOExgk_2o

BC Clinic
A question was raised in relation to dealing with the supply chain and whether anyone had a set of questions that could be sent to suppliers. It was suggested that the 3PQ (Third Party Questionnaire) developed by members of the London “BANG” would be a good starting point. A copy is attached.

A general discussion focusing on Continuity 2.0 was held. Those who had read the proposals agreed that it was nothing more than should already be included in general BC practice. (Details relating to the document discussed are attached.)

BCI Update
Sue gave a brief update and the details are below.

- Business Continuity Awareness Week (BCAW): the theme is ‘return on investment’ and it will be held 16th - 20th May 2016.
- BCI Position Statement on Organisational Resilience: paper available at http://goo.gl/OzJfdF
- BCI World 2016: London, 8th & 9th November 2016
- BCI European Awards 2016: categories confirmed
- Appeal for Tools and Templates: looking for contributions for the ‘Working Papers’ series


The general consensus was that tools and templates would not be provided and shared generically.

AOB
None

Close and Next Meeting
Paul thanked all for their contributions to the sessions, and Sue and T-Systems for the meeting room and facilities.

2016 Meeting Schedule
- June 16th
- September 22nd
- December 8th

Unless stated, all meetings will be held at T-Systems, Milton Keynes and will start at 14:00.

Note that these minutes will be available on the BCI website. Please also be aware that we have a LinkedIn Group – BCI South Midlands Forum Group: https://www.linkedin.com/groups/2964433


Continuity 2.0
The information below is available on the Continuity 2.0 website - http://www.continuity20.org/

Manifesto Summary Matrix
Each principle is listed with the Continuity 1.0 practice it replaces and the Continuity 2.0 practice proposed.

Deliver Continuous Value
- Continuity 1.0: Practitioners dictate the work according to sequential methodology and provide documentation at the end of long cycles
- Continuity 2.0: Customers direct the work according to needs and culture; practitioners provide frequent, shorter-term, customer-informed deliverables

Document only for Mnemonics
- Continuity 1.0: Practitioners create documents as final and required deliverables
- Continuity 2.0: Customers create documents as mnemonics

Engage at many Levels of the Organization
- Continuity 1.0: NA (practitioners focus buy-in efforts exclusively on executives)
- Continuity 2.0: Practitioners consciously engage many people at many levels of the organization

Exercise for Improvement, not for Testing
- Continuity 1.0: Auditors conduct exercises as a test of the ability to recover within RTO targets
- Continuity 2.0: Departments participate in exercises to practice and improve response and recovery capabilities

Learn the Business
- Continuity 1.0: Practitioners collect data about the business
- Continuity 2.0: Practitioners strive to understand the culture and operations of individual organizational areas

Measure and Benchmark
- Continuity 1.0: Practitioners count the numbers of documents, exercises, and refresh dates
- Continuity 2.0: Practitioners and customers measure preparedness and recoverability

Obtain Incremental Direction from Leadership
- Continuity 1.0: All executives approve the complete scope of the program before launch
- Continuity 2.0: Individual executives provide iterative direction

Omit the Risk Assessment and Business Impact Analysis
- Continuity 1.0: Practitioners require completion of RA and BIA documents before planning can begin
- Continuity 2.0: NA

Prepare for Effects, not Causes
- Continuity 1.0: Experts focus externally: identifying and preparing for a host of specific threats
- Continuity 2.0: Departments focus internally: improving response and recovery capabilities for unavailability of people and resources

A Manifesto (part 1 of 4)

Definition: Continuity 2.0 is a methodology for continuously improving an organization’s response and recovery capabilities, with a focus on the continued delivery of services following an unexpected unavailability of people and/or resources.

Drivers: Despite tremendous revolutions in technology, organizational practice, and global business in the last fifteen years, Continuity 1.0 methodology has become entrenched. It has made only small, incremental adjustments, focusing increasingly on compliance and regulations over improvements to organizational readiness. This has led to a progressively untenable state of ineffectual practice, executive disinterest, and an inability to demonstrate the value of continuity programs and practitioners.

Purpose: Continuity 2.0 transforms or eliminates the majority of traditional instruction and convention in preexisting best practices of the continuity planning industry. It refocuses the discipline and its practitioners away from outdated and ineffectual “best” practices on to proven practices. Continuity 2.0 better equips continuity practitioners for their work, thereby enhancing their abilities to limit potential damage to organizations’ brand, capital, functions, and revenue following an incident or disaster.

Scope: While the principles of Continuity 2.0 may have implications for IT Disaster Recovery, Emergency Management, Life Safety, and related fields, they are targeted for the discipline of Business Continuity. Drawing from the definition, the scope of Continuity 2.0:
- Differentiates Continuity 2.0 from resilience, sustainability, and other related initiatives;
- Establishes boundaries and guidance for discipline, practice, and critique;
- Provides a framework for ongoing involvement with Boards and executives; and
- Allows for immediate, innovative, and valuable improvements.

Principles: There are nine principles of Continuity 2.0. No single principle takes precedence over any other, nor is there an expected sequence; together the principles should be applied as holistically as possible. They appear below in alphabetical order.


Deliver Continuous Value
Practitioners should not wait to deliver value all at once, at the conclusion of their preparedness efforts (even if this were possible). Instead, work should build upon itself so that practitioners are continually providing deliverables that are useful to the organization. Continuity 2.0 adopts relevant practices of agile, lean process improvement, and other proven practices to enable continuous incremental value.

Practitioners should create deliverables that can stand alone in manageable chunks. Practitioners should segment work into business relevant outcomes, producing frequent, shorter-term, additive, customer-informed deliverables that provide value early and often.

While value should not be created outside of the sphere of preparedness planning, neither should it be dictated by strict methodology and predetermined deliverables. Deliverables must be informed both by the direct needs of individual department leaders, within an existing situation, culture, and mission, and by the expertise of the practitioner.

Continuity 2.0 discourages a sequential approach. Continuous value, coupled with the core mission of continuous improvements in response and recovery capabilities, leads to the adoption of a non-linear approach that adjusts to ongoing feedback from all participants. The order in which the practitioner delivers value should be dictated by the situation, not the methodology.

Document only for mnemonics
The goal of Continuity 2.0 is the continuous improvement of response and recovery capabilities, not the accumulation of documents.

Evidence clearly demonstrates that most people cannot pick up an unfamiliar and complicated plan at time of disaster and use it for an effective and efficient response. Documentation alone must not be the primary guide, desired deliverable, or measure of preparedness efforts.

Documentation serves only to support thinking and discussion involved in preparedness. Each responder must have as much of a visceral, immediate, and intuitive understanding of the roles, responsibilities, and actions required of him or her as possible. Documentation is effective only inasmuch as it provides a reminder of the processes that participants developed and practiced over time.

A Manifesto (part 2 of 4)

Engage at Many Levels within the Organization
Traditional planning methodology focuses almost exclusively on gaining executive support. This exclusivity of focus follows from the fallacy that the majority of necessary information, resources, and support for a successful continuity program are known and controlled by executives.

Many key individuals from various levels of the organization greatly influence preparedness outcomes. The continuous improvement of response and recovery capabilities requires identifying and gaining the support and ongoing engagement of these key individuals as well as executives.


The practitioner must obtain meaningful information in order to effectively prepare the organization for disaster. Most times such information can only be obtained from front line staff or subject matter experts, and often only after having first built a relationship of trust.

Furthermore, it is not the practitioner or the executives who will be restoring systems and services at time of disaster. Response and recovery will require dedicated effort from people at every level of the organization. These are the people who most need to know the procedures and possess the competencies to continue the organization’s services. Developing these capabilities requires appropriate and ongoing engagement.

Exercise for improvement, not for testing
Continuity 1.0 standards called for measurements but were unable to offer examples. As Brian A. Jackson of the Rand Corporation notes, “The limits of many of the means of assessing preparedness have led to interest in the use of exercises… As a result, whether or not a plan has been exercised is frequently used as a proxy measure for assessing its preparedness value.”

Business continuity exercises are not reliable measures of recoverability. There are significant limitations in using an exercise to simulate a real disaster, and serious problems in using an exercise to validate an organization’s capacity to hit its defined Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs).

Exercises should be used to support the continuous improvement of response and recovery capabilities. They should neither be used as tests of recoverability nor as reviews of planning documentation. As such, the focus of exercises should be to:
- Get comfortable working and making decisions in a (simulated) post-incident or post-disaster environment
- Know the structure and practice the initial actions of designated response teams
- Increase awareness of resources, procedures, and competencies needed to respond and recover
- Identify areas and owners for short- and long-term improvements

Learn the Business
Continuity 1.0 focused practitioners more on strict methodology and prescribed compliance than on the genuine effectiveness of the services they supported. Practitioners did not understand the business and were unable to address the real concerns of executive leadership.

Continuity 2.0 encourages practitioners to learn the mission and culture of each department, and to understand the systems and services involved. Response and recovery processes cannot be bolted on to a department’s pre-existing structure and environment. Alien and artificial processes cannot be easily adopted and will soon be forgotten, thus will likely be discarded at time of disaster. Processes that align with the day-to-day nature of the department will be more effective when most needed.

Practitioners need to establish relationships with those responsible for responding to incidents. The practitioner must be integrated into the culture of the department to provide informed guidance and to periodically review and coach the continual work of improving response and recovery capabilities.


Practitioners must move beyond collecting data about the business, improving their business acumen by learning the vision, mission, and operations of each area within the organization as well as the language of leadership within the context of continuity of services.

A Manifesto (part 3 of 4)

Measure and Benchmark
Measurement is crucial to Continuity 2.0. Reliable metrics and key performance indicators (KPIs) were not addressed in Continuity 1.0. This oversight resulted in an inability to demonstrate the business value of practitioners’ efforts to executives and other key stakeholders.

The final measure of preparedness is the effective response and actual recoverability of a system or service (or a holistic collection of both) at time of disaster. Organizations cannot afford to wait until time of disaster to know to what degree they are prepared to recover from a significant physical or staffing loss.

Measuring an organization’s capability to respond to and recover from an unexpected unavailability does not have to be difficult. Measurement should focus on the following three factors:
- Resources: the degree to which resources that will be required at time of disaster will be available
- Procedures: the degree to which each individual responder fully knows and has internalized his / her duties at time of disaster
- Crisis Competencies: the degree to which each individual responder, operating in conjunction with other responders, will be able to function throughout the duration of the disaster

Measurements indicate where an organization can invest to improve its capabilities to recover. Benchmarking provides the evidence that such investments have provided the intended results. Practitioners must benchmark existing levels of preparedness as early as possible within an organization, and then again at regular intervals.

Measurement and benchmarking provide a quantitative foundation for Continuity 2.0. In this way the organization can be confident that the developed procedures, additional resources, and improved capabilities are contributing to the desired result – the continuous improvement of response and recovery.

Obtain Incremental direction from leadership
Continuity 1.0 insisted that the practitioner obtain formal support from executive leadership before any work could begin. Standards dictated that all program objectives be identified, documented, and approved by the executive team before the practitioner could even begin work to prepare the organization.

Continuity 2.0 believes that executive leaders know their business well enough to identify the most critical functions and put the right people in charge of them, thus providing a command and control structure for the preparedness program and its practitioners. Work can begin quickly within individual areas based on the specific needs and knowledge of the accountable and assigned leader in each area.

Using an incremental approach, the practitioner can consistently deliver value and make beneficial course corrections based on regular feedback. The successful practitioner of Continuity 2.0 must carefully navigate competing constraints while ensuring that Board members and senior leaders are aware of their risks for fiduciary accountability, loss of revenues and capital, inadequate or inapplicable insurance, and impact to brand. Practitioners should partner with individual leaders to determine the most effective and efficient actions and investments that will improve the organization’s capability to respond to and recover from disaster, while keeping such efforts aligned in the context of business priorities.

Omit the Risk Assessment and Business Impact Analysis
The risk assessment (RA) and the business impact analysis (BIA) form the backbone of Continuity 1.0. They are considered fundamental components in virtually every best practice guide and industry standard. Employing these two practices leads practitioners along a trajectory that further entangles their work in the many related techniques of Continuity 1.0, along with the negative outcomes of these techniques. Practitioners should eliminate the use of the risk assessment and business impact analysis.

Risk Assessment
The results of a risk assessment may lead the practitioner, leadership, participants, and organization as a whole to prepare for and mitigate threats that never materialize while other non-identified threats materialize instead. Preparing for the wrong threats is a waste of resources and may lead to a false sense of security that further jeopardizes the organization. Other threats can be known and mitigated but still materialize, such as cyber attacks, disgruntled employees, and utility or infrastructure disruptions. It is precisely because bad things will happen, despite the best efforts of very capable risk managers, that continuity planning is so critical. (See additional points in “Prepare for Effects, not Causes.”)

There are also significant liabilities for continuity practitioners who do not possess the training and expertise to properly implement and follow through on a risk assessment. Risk assessment is a technique of risk management, a discipline with its own body of knowledge apart from business continuity. Administering a proper risk assessment and implementing the resulting action items may necessitate deep knowledge of actuarial tables, information security, insurance and fraud, state and federal regulations, seismological and meteorological data, and the law. Typical continuity practitioners do not possess such deep knowledge; those who do are most likely specifically trained as risk managers. Continuity 2.0 practitioners as such should eliminate the risk assessment from their scope of responsibility.

Business Impact Analysis
The purpose of a formal business impact analysis is to identify an organization’s services along with the potential daily or hourly loss, usually in terms of money, that a disruption of the service would have on the organization. Over time, the purpose of a BIA has changed, expanded, and become indistinct. The term BIA now often includes recovery time objective (RTO) and recovery point objective (RPO) data, response and recovery strategies, upstream and downstream dependencies, and other information.


The BIA as a measure of estimated losses should be abandoned. Its main purpose was to help leadership identify the most critical services and to set a prioritization for continuity planning efforts. The discipline should eliminate the BIA because:
- The goal of quantifying the impact of disaster is likely a non-starter from the beginning. Rainer Hübert’s article, “Why the Business Impact Analysis Does Not Work,” makes a compelling argument for the industry to abandon the practice of BIA work entirely because of the “very costly and even fatal misinterpretations and misrepresentations” inherent in the process.
- Executive leadership can be trusted to identify critical services based on their experience and knowledge of the organization (as discussed in “Obtain Incremental Direction from Leadership”). Individual leaders can set general direction and prioritization for preparedness planning.
- Because of the increasingly nebulous and confused understanding of the term BIA, along with the many connotations and associations that the term has within the tradition of Continuity 1.0, both the practice and the term itself should be entirely abandoned in Continuity 2.0.

A Manifesto (part 4 of 4)

Prepare for effects, not causes
Continuity 2.0 focuses on the three major effects of an incident:
1. Unavailability of location
2. Unavailability of people
3. Unavailability of resources (physical or virtual)

A vast number of circumstances and combinations of cascading events can lead to one or all of these effects. An organization cannot responsibly afford to plan for so many causes. Fortunately, a relatively robust response and recovery strategy can be generated and effectively executed from a short list of intelligently combined options. The organization can mix and scale a portfolio of response and recovery processes as the incident unfolds and the situation changes. Often the response to effects can be relatively simple if staff is trained to evaluate from among a short set of known options and then act as agreed upon in advance. This allows the organization to remain flexible and efficient in its management of the incident.

Properly we could consider there being only two categories of effects, people and resources, as location can indeed be classified a sub-element of resources. However, actual practice in the field has shown that customers understand the work better, are more receptive, and are more engaged in the process if the practitioner calls out location as a separate category.

Postscript
We should expect Continuity 2.0 to evolve.

This is neither a principle nor a corollary derived from the nine principles, though it should not be surprising given the nature of the Continuity 2.0 methodology and its focus on flexible and incremental approaches to produce continual value.

Continuity 2.0 should remain open for critique and improvement, serving as an ongoing proven practice, with hopes that an orderly, structured, and systematic approach can be established to support it.

Corollary: Continuity 2.0 is not Resilience
While commentators and academics will deduce many corollaries from the original nine principles of Continuity 2.0, this one is of such particular import that it should be called out from the start.

Continuity 2.0 is not “resilience.”

Resilience is an inter-discipline. Resilience does not represent a discipline in its own right; rather it connects theoretical and practical tools from a set of disciplines in a unique way and therefore warrants its own sphere of study, practice, writing, funding, and subject matter experts.

Organizational and community resilience is in an uncertain state at present. There is a great deal of debate as to which disciplines resilience should pull from and how to measure its effectiveness. Continuity planning is one discipline among many that will likely contribute to the inter-discipline of resilience. But business continuity should no more morph into resilience than should IT DR, cyber security, risk management, sustainability, or strategic planning become resilience.

Business Continuity 2.0 and the Gestalt Switch
Very recently I was speaking with my fellow Continuity 2.0 proponent and partner in crime, David Lindstedt. He mentioned a term I had never heard before: Gestalt Switch. The gestalt switch (or shift as it is also known) occurs when one’s perception of something changes. The image below is a classic example. It is of either an old woman or a young woman with her head turned away.

In some cases the shift is easy. Other times we instantly spot one image but struggle to undo what we are perceiving in order to see something else. The same goes for ideas and concepts. Most of us have been there at one time or another. That ah-ha moment when the light bulb goes on and we suddenly understand something we’ve struggled with for some time. The difficulty stems from trying to view the new paradigm from the vantage point of the old one.

In terms of the Continuity 2.0 Manifesto and our recent published works, both David and I have noticed some interesting phenomena. Naturally, we have our detractors. You can’t please everybody. But there is a fair percentage of people who do not feel that Continuity 2.0 is much of a departure from the old ways. Many argue that the manifesto reflects how the discipline is, and should be, practiced (Hear, hear!!) despite the fact that published standards reflect something completely different. There is also a contingent that, although they argue David and I are wrong, will proceed to essentially make our case for us. They agree the Business Impact Analysis is improperly executed industry-wide, that our profession must devote as much time to line-level managers and individual contributors as we do to executives, and that documentation is a thing of the past. I believe the common theme is that critics in both camps are looking at Continuity 2.0 from their old Continuity 1.0 paradigm.

Herein lies the switch.

When the principles are evaluated independently of one another, David and I can see how many, perhaps most, practitioners would take issue with much of what we’ve proposed. But these components are only part of a comprehensive framework. In Continuity 1.0, eliminating the Business Impact Analysis does not make any sense. Just about everything within the old approach revolves around or is directly dependent on this process and its results. Continuity 2.0 seeks to define a new approach in which both the process of the Business Impact Analysis, as well as its deliverables, are completely unnecessary.

Some detractors have tried to argue that our manifesto lacks proper structure. They point to our intentional refusal to put a specific order to our principles as evidence of a lack of organization or priorities (in the interest of impartiality, they’re listed alphabetically). But this is the reason we’ve called them principles. One does not prioritize one’s principles (or shouldn’t anyway). One can get into some very difficult ethical dilemmas trying to do so. The Ten Commandments are ordered, but I don’t believe there is an intentional hierarchy. Is it OK to kill someone (Commandment #6) if you are asked to by your mother or father since it falls after the Commandment to honor them (#5)?

I think of Continuity 1.0 as being very linear. By contrast, Continuity 2.0 is more holistic. The old methods and standards dictate what must be done and, to a certain degree, how it is done and when. There is an ordered progression of activities. But Continuity 2.0 seeks to change that paradigm by applying principles to the entire effort. In essence, the principles apply no matter what activity you happen to be performing. If you are exercising your program it is important to deliver continuous value, engage at many levels of the organization and use documentation as appropriate and not as a driver of execution (obviously, the other principles also apply but that would have made for a rather unwieldy sentence).

Consider also that Continuity 1.0 seeks to define processes for managing a business continuity program or system. Continuity 2.0 seeks to define a framework for preparing organizations to continue business in the event of a disruption. It is a rather subtle difference but the ramifications are significant. This changes the focus from how to effectively manage the teams and mechanisms of business continuity to how businesses can be better prepared. One can argue that the objective of a business continuity management system is to better prepare an organization. That is true, but Continuity 1.0 speaks to how an individual or team executes the steps to prepare an organization but provides little to ensure those steps are done to the greatest advantage. It is internally focused on the execution of activities and the delivery of materials. Continuity 2.0 is about the organization and how change is executed for its own benefit. Coupled with the consistent application of all principles, this makes the effort more effective and moves us closer to doing things right rather than just doing things. The difference is subtle, but I believe it represents a wholesale change of perspective.


For now, my objective is to continue to make the case for Continuity 2.0. Many people are on board and we are grateful for the support we have already received. For those of you that are opposed or on the fence, we really need to hear from you. Significant change will not happen by preaching to the converted. We need to open a dialogue and argue our proposal on its merits. But that means we need to discuss the entire concept and not just the pieces that make up the whole.

I will quote one of the contributors to Gestalt Psychology, Thomas Kuhn: “Paradigm shifts do not occur because of a single convincing argument. Rather, different arguments convince different scientists.” In this case, we practitioners are the scientists. We all have reasons for our beliefs which are personal to us. That is the reason why this needs to be a dialogue and not just a promotion or sales pitch. I feel there has been too much marketing as it is. I am eager to argue based on individual concerns but I need to hear what they are.

Executing Continuity 2.0 (In Three Easy Steps!)

Recently David Lindstedt and I posted a Manifesto detailing how current approaches in continuity planning might evolve into Continuity 2.0. Now I turn my attention to looking at how Continuity 2.0 might be applied in practice. The following example is by no means definitive. Remember that The Principles are not about order of execution. The three steps suggested here provide just one example of how the principles could be applied in a fairly concise execution. So, without further ado… a practical approach to Continuity 2.0 in Three Easy Steps.

Step 1: Exercise! Tabletop it. Execute your recovery strategy. Evacuate your building. Recover your technology. It doesn’t matter. What matters is determining what is in place right now. Today. This is not about testing against a pre-defined recovery time. It is about determining what your recovery capability realistically looks like and areas where it can be improved. This is also an opportunity to apply The Principles:


Document only for Mnemonics. I’ve noticed a tendency among some practitioners to lead their participants during exercises. Some provide buckets of materials for reference then correct individuals if they go off script. Don’t be that person. Work within the existing environment to see what comes naturally. If there is documentation but it is not referred to then do not expect it to be used during an event. Consider other options.

Learn the Business. Nothing brings the priorities of an organization into stark contrast like a disaster. Even a high-level exercise scenario will get people thinking about what matters most and how best to apply available resources in order to recover most effectively. Take note of the resources that are discussed most frequently or cause the most concern. Observe how individuals work with one another and the ability of teams to work together in stressful situations.

Prepare for Effects, not Causes. When exercising, just like in a real event, the focus will be on restoring resources and functionality. The scenario event is secondary. The impact may be to workspace that supports multiple businesses in which case priorities will naturally emerge. You may choose to take out a technology system or external service that supports multiple critical services, in which case the priority of those functions is moot since systems and services are predominantly process agnostic.

Measure and Benchmark. There are really two concepts at play here:

1. Benchmarking is about the traditional measurements but not using the traditional approach. Instead of front-loading your intended recovery time, go into the exercise with no expectation other than to determine what the realistic time to recover actually is. Just as important, it should be determined what functionality or capacity would be like in the recovered environment. More often than not, recovery means doing without some features, resources or full capabilities. Once you’ve determined both, you’ve established a benchmark.

2. Measurement is about how effective your response and recovery will likely be in a real event. Recovery – and how it can be measured – comes down to 1) processes / procedures, 2) resources, and 3) capabilities. This means using the exercise to identify:

   o Whether tools and materials are sufficient to support your response and recovery efforts.
   o If you have adequate resources to perform response and recovery activities and restore impacted functions.
   o How capable participating team members are in executing their responsibilities.

There is one additional key to effective measurement: It should not be in the hands of the practitioner alone. All participants should evaluate the response and recovery process and provide their own input to the final measurement. The more input, the more accurate the final figure. After all, who better to determine what is needed and how effective the execution went than your participants?


Step 2: Analyze. You are Exercising to improve, after all. This isn’t about where things went wrong. At the end of the day people are going to respond based on their natural inclinations. You may not like it and it may not be most effective but it is reality. Start there.

Processes and procedures. Do people have the instructions they need to respond and recover effectively? Just as importantly, are the materials, data and resources they need adequate? Tools like process maps, fishbone diagrams or value-stream maps are also great for those that are familiar with them. For those that are not, keep it basic. Work with participating team members to identify improvement opportunities or brainstorm solutions. Remember that this is not about getting people to follow documented procedures. It is about seeing how people naturally respond and react and identifying ways to make them more effective.

Resource measurements should be straightforward (though this is not a guarantee) since we are mostly talking about physical things. You either have it or you don’t. Of those items that you are missing, determine what is either necessary, important or merely helpful.

Capabilities can be somewhat subjective, which makes participant input all the more essential. To the observer (including the BC practitioner) teams may sometimes appear combative, but that may just be how that particular group of people function best. Get agreement from participating team members about their capabilities. Solutions vary and may be as simple as providing greater training. But skills, experience and personality types can all contribute to making teams either effective or downright dysfunctional.

You now have a laundry list of improvement opportunities. It is time to move on to…

Step 3: Solutions! When stepping through this process for the first time it is best to start slow. Take steps that are relatively minor and easy to implement. Some will be no-brainers or require little in terms of effort and cost. Implement these immediately. You are now on your way to Delivering Continuous Value!

Bigger changes that require more significant time, effort or capital investment provide opportunities to obtain incremental direction from leadership. Larger scale changes will very likely need to be reviewed with executive management for input and approval. Lead off such conversations by sharing the improvements already implemented. This isn’t about getting support for the program. It is about sharing results and taking action for future steps. This is closer to how executive management operates. By starting with your accomplishments you build immediate credibility and set the stage for diving into the meatier work to be done.

Be certain to share:

1. The support among participants for proposed change(s),
2. The intended benefit in terms of capacity or recovery times, and
3. Any associated costs

There is no need to bite off more than one can chew. If there is a plethora of improvements that can be made, provide management with just a portion. To build relationships and credibility it sometimes makes sense to have smaller conversations more frequently rather than conducting one large presentation where the entire inventory of changes is reviewed.


Start with the easiest, the most impactful or the items you are most confident in. The successes that follow will make subsequent conversations easier and future approvals more likely.

Remember to Engage at many levels within the organization! For changes to be effective you WANT executive support but you NEED the backing of your ground troops. This involves your subject matter experts, line-level managers, supervisors and team leads. Anybody who will have a role to play in response and recovery activities. People will grudgingly do what management asks of them even if they do not agree with it. In a recovery situation, however, people will not immediately recall that edict from the first quarter and fall back on what they know and what they accept. Make sure you have support down to the individual contributor level.

Congratulations! You’ve made it back to Step 1: Exercise! But now you have a benchmark against which to measure improvements. Is the recovery time lower or has effectiveness or capacity increased? Perhaps both? The results now provide the measurements that can be reported back to leadership. Results are tangible and the dialog becomes much more action-oriented.

Re-evaluate your measurements for improvements as well. This will demonstrate that for X time and $$ spent, confidence in the organization’s response and/or recovery capabilities improved by X%. These go far in demonstrating reliability and improving confidence in the organization’s ability to respond and recover. Some improvements may not have the intended benefit which is why we make small, incremental changes and re-evaluate frequently. But now you have qualitative data and not merely a list of steps executed.

That’s it! I’ve intentionally kept this example high-level. I’ve also tried to avoid specifics that could discourage the flexibility necessary for Continuity 2.0 to be most effective. I’ll provide additional approaches in the near future so please do not consider this the only or best method to executing the principles. I just had to start somewhere.

Scrum Cards

How do you start with Continuity 2.0?

Continuity 2.0 will look different for different people in different organizations. It's supposed to.

We wanted to make some concrete suggestions to get you started.

Use the cards below as ideas and guides to action. Pick a card, get to work, and quickly deliver value. Then pick another card and do it again. Consider using these cards as a ready-made


The order in which you provide value is not dictated by Continuity 2.0 methodology. To reinforce this point, the cards appear in random order below. You can shuffle the order again by pressing the "Shuffle" button.

You may wish to watch this brief video guide. Additional materials below.

Improve Resource Availability

Identify what resources (equipment, software, documents, etc.) will need to be readily available at time of disaster. Work to improve their availability.

Partner with those who know best: subject matter experts and front-line staff who are most familiar with the business.

Measure Improvement

Meet with leaders, influencers, and stakeholders for a specific area. Show them past and current measurements of preparedness. Indicate where their area has improved over time and where there are still gaps. Work with them to set targets for continuous improvement.

Confirm Services and Priorities

Partner with leaders, subject matter experts, and front line staff in an area of the organization. Learn and (re)confirm their mission and how their area operates. Maintain a straight-forward list of the services they offer. Prioritize this list.

Set Service Recovery Scope

Identify a service that needs to continue regardless of circumstances. Take the time to learn about that service. Determine what it means for this service to remain at least minimally available under not-normal circumstances. Assign an owner and alternate(s) responsible for recovering the service.

Measure and Benchmark

Measure existing capabilities. Select a department, service, or incident response team. Think of the individuals needed to respond to a disaster. Determine their degree of preparedness of:

   o Resources
   o Procedures
   o Crisis competencies

You can develop your own metrics or use a tool such as The Readiness Test™.

Update Incident Response Teams

Who is responsible for what at time of disaster? It is essential that everyone knows their role. Ensure that there is an effective and efficient team structure for response and recovery.


Make sure that it fits with the unique culture and mission of the individual area. Assign at least one individual and one alternate to every role.

Improve Recovery and Continuity Procedures

Select a service. Build upon existing capabilities. Develop and improve on a portfolio of responses for the three consequences of disaster:

   o Unavailability of Location(s)
   o Unavailability of People
   o Unavailability of Resources

Improve Incident Response Procedures

Build upon existing instincts, processes, and past experiences. Help those who have to respond to an incident to do so efficiently and effectively. Partner with an area to think through what will need to be done in the minutes and hours following disaster. Make continuous improvement to capabilities.

Exercise

Whether it's a tabletop exercise, a full simulation, or something in-between, those who will respond to an incident need to practice. You are looking for areas of improvement, so focus on reinforcing activities that went well and identifying areas and owners for short- and long-term improvements.

Strategize with Leaders and Stakeholders

Determine the leaders, influencers, and stakeholders for a specific area. Learn what is of value to them and what benefits you might provide. Obtain incremental direction for short-term deliverables and quickly turn-around work products. Consider using an Agile approach. Establish relationships within the area and continue to improve their recoverability.
