Do these 10 questions assess BCM awareness?

Here are ten (10) questions to assess employees’ business continuity management (BCM) awareness at a bank in Singapore.  My guiding principle in creating the questions was, ‘What should everyone in a company know about BCM?’

The context: all employees of this bank must complete each year an online awareness quiz on information security and BCM; 10 questions on infosec and 5 on BCM (so they’ll use 5 of my BCM questions each year). Employees can take the quiz any time during a year; passing requires eleven (11) correct answers (a “gentleman’s C”). The bank has had BCPs for many years, but only one-third of the bank’s 200 employees are directly involved in the bank’s BCM program – annual plan reviews, continuity strategy decisions, annual recovery site exercises – as department heads or recovery team members. Two-thirds of the employees, then, may know nothing about BCM.

The bank had never assessed BCM awareness. Good BCM practice starts with a baseline assessment of ‘who knows what’, for which these questions were designed, followed by appropriate training for those who have BCM responsibilities. After the first round of assessment, the bank can decide on desired levels of awareness and competence for employees at strategic, tactical and operational levels, as described in the BCI Good Practice Guidelines Module 2, Embedding Business Continuity (see pages 44-45). For everyone else, this quiz may be all they get.

How do you manage business continuity amid civil unrest?

English-to-Russian translation by Artem Rumiantsev, Kiev, Ukraine.

My colleague Nathaniel Forbes recently wrote an excellent article on the events in Kiev on 18-21 February 2014, which will be of interest to business continuity management professionals in banking institutions. He also asked me to translate his article for a Russian-speaking audience, which I gladly did.

Read the article in English: What’s the BCP for an insurrection?

Banks in Ukraine with offices not only directly on Kiev’s Maidan (Independence Square) but also around it are well aware of the likelihood and consequences of the civil unrest that took place here in February 2014. Many large public events are held on this huge, symbolic square in the commercial center of the city. Déjà vu: Ukraine’s Orange Revolution of 2004 involved practically the same protesters, for the same reason, in the same place.

It is easy to imagine that the protests in Bangkok, which began at almost the same time as the events in Kiev, will end in the same violence or change of government, as happened in Ukraine in February 2014.

This panoramic view of Kiev’s Maidan takes in approximately 3 head offices and 10 branches of various banks. The branches of Nadra Bank and Raiffeisen Bank Aval in the Trade Union Building (the smoke-darkened building in the upper right corner) were badly damaged by fire. The linked photo was taken by Ilya Varlamov. Labelling on the photograph by Artem Rumiantsev.

What’s the BCP for an insurrection?

Banks in Ukraine with offices in and around Kiev’s Majdan Nezalezhnosti (Independence Square or “the Maidan”) are well aware of the likelihood and impact of civil unrest (0:52 YouTube) that occurred there in February. Many large, public gatherings take place in its expansive, symbolic plaza in the commercial center of the city. Déjà vu: Ukraine’s Orange Revolution in 2004 featured the same combatants having the same conflict over the same issues in the same place.

It’s easy to imagine the current protests in Bangkok, which started about the same time, ending in similar violence or a change of government, as they did in Ukraine last month.

There are three (3) bank head offices and ten (10) branches in this panoramic view of Kiev’s Majdan. Branches of Nadra Bank and Raiffeisen Bank Aval in the Trade Union Building (smoke-blackened building in upper right quadrant) were burned. Photo by Ilya Varlamov. Labelling by Artem Rumiantsev.

My colleague Artem Rumiantsev, BCM Project Manager at a European multinational bank in Kiev, sent me his notes about the business impact of events between 18 and 21 February last week, “the most stressful days of riot.” I have supplemented his notes with comments translated to English – and many high-definition photos – from Ilya Varlamov’s LiveJournal.

Why PSA’s don’t work

For preparedness messages, as in stand-up comedy, timing is everything.

After thousands of Public Service Announcements (PSAs) like “preparedness for individuals” (in English and in Spanish), “preparedness for business” and “preparedness for New York City,” and websites like, only 6% of Americans have done any preparation at all, and just 17% say they’re “very prepared” for disasters. You might conclude, as the authors of this article did, that The Preparedness Message Isn’t Reaching the Public (from the November 2012 issue of EmergencyMgmt magazine).

PSA’s do reach lots of people, of course, but they don’t seem to motivate people to prepare. Why?

No one is motivated by gory pictures or finger-wagging lectures from public figures. I know I’m not – and I’m generally receptive to preparation messages because I make my living spreading them. In fact, images of leaking nuclear power plants, collapsed houses, flooded villages, even distraught victims don’t motivate us; they overwhelm us. ‘Well, it’s hopeless’, we think to ourselves, or ‘I can’t do anything about it anyway.’

Yet thousands of people all over the world donate generously to relief efforts for people they’ve never met in other countries – in Haiti, in Japan, in Indonesia – out of desire to help after a disaster. They won’t prepare themselves in advance, but they’ll willingly help others afterward.

BCI GPGs: no such thing as a “critical business process”

You will not find the words “critical business process” anywhere in The BCI’s new 2013 Good Practice Guidelines (GPGs). That’s good, because there is no such thing.

The BCI devotes half a page (page 51) to addressing the erroneous assertion that BCM is only for “critical” or “key” or “important” activities. That’s wrong. It’s folklore, a superstition. It is a shibboleth, a canard, a lie told by charlatans to deceive unbelievers. It is the first step on a road to perdition and professional damnation. At the end of that road, here be dragons!

Come on, even Internal Audit becomes urgent eventually.

Sinners! Fall to your knees and repeat after me: ‘I believe that BCM is for all business products, services, processes and activities!’ The purpose of business impact analysis (BIA) is, specifically, to prioritize them. The 2013 GPGs state that the outcome of a BIA is “a list of the organization’s most urgent groups of products and services” (page 54).

In my world, the outcome of a BIA is a list of all products and services (and processes and activities), prioritized in descending order of urgency, which is generally – but not always! – reflected in their recovery time objectives (RTOs): the longer the RTO, the lower the priority. There is no process so “critical” that its failure will by itself cause a company to collapse.

Can you outsource business continuity management (BCM)?

My company has managed the BCM programs of three (3) companies – one large, two small – in Asia for a decade. When the first one hired us in 2003 to manage its BCM program, the Monetary Authority told them it was heresy to contract with consultants. Singapore’s financial regulator insisted that a BCM program must be executed by employees, managed by executives and blessed by board directors. Our client, one of five systemically important financial institutions (SIFI) in the Lion City, retorted (more politely than this), ‘you can tell us the outcome you want, but you can’t tell us how to get there.’ A brave – and farsighted – stand ten years ago.

Today it’s no longer apostasy to outsource BCM program management in Asia. It is easier to discuss if you call it ‘outsourcing’ instead of ‘contracting’, but the guiding principle still is ‘you can outsource the work, but you can’t outsource the responsibility’.

Whether it uses employees or contractors, a company must still have a budget for its BCM program, and a clear statement of responsibilities – who does what. Its BCM program must still be overseen by an executive as a member of a BCM Steering Committee, and that committee should ultimately report to the Board of Directors. The company should have a BCM Manager or Coordinator who can be part-time or full-time depending on the size of the company.

What’s wrong with contingency planners?

This is the second part of an article that is the basis of my presentation for WCDM 2013. [The first part was What’s wrong with contingency planning?] They expand on thoughts I expressed in “Linking emergency- & business continuity management in resilience” in 2008, “Is the BCM profession a dead-end?” in 2010, “BCI-DRJ alliance: this is ‘thought leadership?’” in 2011 and in “Why traditional approaches aren’t working”, my presentation to the Australian National Security College in 2012.

I haven’t tried to develop a list of skills that resilience professionals ought to have, but I know the ones we have now aren’t enough. I’m happy to look for your comments on the WCDM blog; I’ll be ready to defend myself in June in Toronto.

Here’s Why I attend WCDM; I hope you will, too.

In 2012 the Australian Commonwealth Attorney General’s Department commissioned a report, CEO Perspectives on Organisational Resilience, as part of its Critical Infrastructure Resilience Strategy. To prepare that report, WCDM presenter Dr. Robert Kay and Dr. Chris Goldspink of InceptLabs conducted face-to-face interviews with fifty (50) CEOs of large Australian enterprises, the kinds of companies that could be expected to have some understanding of organizational resilience.

What’s wrong with contingency planning?

Author’s note: This is the first part of a longer article that will become my presentation of the same title for WCDM 2013. It incorporates thoughts expressed in my articles “Is the BCM profession a dead-end?” in 2010, “BCI-DRJ alliance: this is ‘thought leadership?’” in 2011 and in “Why traditional approaches aren’t working”, my 2012 presentation to the Australian National Security College.

It is not yet fully developed, months before WCDM. In particular, I’m wondering if my analysis really does or does not apply to both emergency management (EM) in the public sector and business continuity management (BCM) in the private sector. Your comments will help me refine my thinking. I’m happy to engage in a dialogue here or on the WCDM blog; I’ll be ready to defend myself in June in Toronto. Be sure to bring an ample supply of rotten tomatoes to my presentation…

Here’s Why I attend WCDM; I hope you will, too. This article is also available on the WCDM blog.

What’s wrong with contingency planning?

If your CEO asked you – a private-sector business continuity manager (BCM) – to list the major, long-term risks to your company, what risks would be on your list?

Or if an elected official asked you as a public-sector emergency manager (EM) to list the major long-term risks to your community, what risks would be on that list?

“I regret to inform you”…by text message

A human resources manager in Singapore told me during an exercise she planned to notify next-of-kin of injured or deceased employees by text message (SMS). I was stunned. If there were a worse way to receive sensitive, painful information, I can’t imagine what it could be.

The rules for ‘breaking bad news’ are:
1. in person: never by phone, email or text
2. in time: anxious relatives want news – good or bad – as quickly as possible
3. in pairs whenever possible: a man and a woman are the best combination
4. in plain language: the facts, frankly and clearly
5. with compassion: as you would want your doctor to tell you.

Here is a page of tips for breaking bad news from Counsellor Suzanne Anderson MSW at SACAC in Singapore. You can learn more about death notification and practice doing it in Suzanne’s Crisis Communications & Crisis Intervention course.

Small business BCM: still pushing a rock uphill

Resilient Business NZ is one of many Sisyphean efforts to engage small businesses in contingency planning. A project by Welfare & Recovery Manager Jane Lodge of the Auckland (NZ) Council, Resilient Business NZ has simple menus, engaging photographs and international-standard BCM advice. But its initial self-evaluation questions include, ‘Does your business understand the Maximum Tolerable Period of Disruption?’ Gee, I hardly understand MTPD myself…

Memories of two destructive earthquakes in New Zealand in the last two years may be enough to motivate owners of grocery stores, dry cleaners and coffee shops to prepare for disasters, but I doubt it. I hope Resilient Business NZ results in a measurable increase in preparation, because it’s a good idea, but it is basically another entreaty – like Canada’s B-Ready Now and the Singapore Business Federation’s National BCM Programme for SMEs – to small business owners to spend time and money they don’t have. A business owner isn’t looking for ways to spend money; she is looking for ways to make money (and aren’t we all?).

Small business BCM challenges the paradox of preparation: there is no return-on-investment in preparedness unless asteroids hit the planet or some other Extraordinarily Unlikely Event occurs. Resilient Business NZ tells business what they should do, but people don’t always do what they should do, or what their well-intentioned governments exhort them to do. They shouldn’t smoke, drink or eat supersized French fries, but they do anyway.