Monday, December 21, 2009

ERM-BC-COOP: Short sightedness


Too many "business continuity" practitioners seem to have a very narrow, "headline" focus.

A decade ago, these people focused on three characters: Y 2 K .

Y2K - Year 2000 - was when the DOS world was slated to unravel because software for DOS-based machines was unable to roll over to the (take your choice) the last year of the 20th century or the first year of the 21st century.

Y2K was all about microprocessors and software. There was a "business" connection outside of the data center since many non-computer devices had microchips embedded in them - everything from time clocks to coffee pots, elevators to electronic room keys.

On January 2, 2000, the world breathed a sigh of relief that nothing disruptive occurred. Few cared to admit what COULD have happened if not-ready processors and programs had not been ferreted out and made ready or replaced.

(Don't get too relaxed; we're going to do it again in 2011(?) for Unix-based systems.)

I live in Florida. In a lot of ways, it's not what it used to be, but in some ways the newcomers have "blended in" and adopted the Cracker mentality. One of those ways is that on December 1, the only hurricanes any one cares about are the ones from Suntan U - University of Miami (to which I add: Go 'Noles1, but that's another story).

Here as elsewhere along the Gulf and Atlantic coasts, people put hurricanes out of their mind as soon as the season ends and refuse to consider it until - no, not the beginning of the next season the following June - a storm threatens. (To their credit, some south Florida counties - and maybe others elsewhere - have toughened wind mitigation laws and, since Andrew's massive destruction, gotten serious about building code enforcement.)

Today's "Y2K" is "The Flu." Take your pick: pig flu or bird flu. (Anyone who ignores "regular" flu is foolish, but despite it being flu season, only the exotic influenzas make headlines; a pity.)

Many, far too many, practitioners - once I was included in the pack - think that the flu threat translates into an empty office. That, they - we - thought, was pretty easy to mitigate: send everyone home and let them work from a virtual office.

That's fine except that not everyone CAN work from a home office or WiFi hot spot.

Most manufacturing operations require a production line of some sort. Most office and manufacturing operations depend on vendors and those vendors either require a production line or produce a service that cannot be provided from the vendor's home.

I once had a Fortune 50 client that truly was "strictly office." Even then, all of my clients personnel were equipped to work "on the road."

While my client's operation was perfect for its staff, that staff depended on manufacturing operations, print-and-mail services, and call centers, all of which had to have in-plant staffing. If any of the facilities closed, my client had a problem.

In the process of creating a plan for this client we decided to see if the vendors had real business continuity plans so my client would know if the vendor could meet its Service Level Agreements (SLAs) "no matter what" or if my client needed to find another/supplemental vendor or help the current vendor become less likely to miss its SLAs.

Since this plan was put to bed in December of 2000, I always consider ways to assure non-office operations are protected, even if I'm working for a "strictly office" organization.

There are many vendors we rarely consider. If the Toshiba notebook on my desk fails, I need to contact Toshiba and arrange for an advance replacement. If my DSL goes away, I'll need to contact the provider. If the router or modem fails, I'll need to hike over to the local modem-and-router purveyor to buy replacement machines.

Then there is ink for the printer, and paper and envelopes to feed it.

And electricity to power all that (but not the phone; I have a POTS unit on my desk that does not require AC input - in storm country, everyone needs one).

Even in my own little office, shared with Spouse and Franklyn, the Rotten Rabbit, I have many external dependencies.

Enterprise Risk Management (ERM) practitioners need to think beyond the confines of an office building; an "empty office" event can mean much more than just an empty office.

1. "Noles" are Seminoles; the reference is to Florida States University, nee' Florida State College for Women (until after WW II). Unlike some colleges, universities, and professional sports teams, FSU has the support of the real Seminoles who, by the way, still have not signed a peace treaty with the US government.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
Currently seeking staff or staff consulting opportunities
JohnGlennMBCI at gmail dot com

No comments: