As an industry professional, you're eligible to receive a printed copy of the journal.

Fill out your address below.






Please reset your password to access the new DRJ.com
Reset my password
Welcome aboard, !
You're all set. We've send you an email confirmation to
just to confirm you're you.

Welcome to DRJ

Already registered user? Please login here

Existing Users Log In
   

Create new account
(it's completely free). Subscribe

EDITOR’S NOTE: The DRJ Career Development Committee is supporting this series of articles featuring the career paths of industry professionals. Throughout this series of candid interviews, we hope to provide career advice to our readers by highlighting lessons learned, highs and lows, opportunities and challenges. The DRJ Career Development Committee promotes education, opportunity, inclusion, and excellence surrounding the exploration and evolution of career paths in all aspects of business continuity and risk management. Key elements of our mission include promoting open and candid discussions of career opportunities, providing mentorship, resources, and guidance to equip our membership with the necessary knowledge, best practices, and tools to succeed in their chosen career path.

Many years ago, Susan Brown worked for a financial firm as a computer operator. Performing disaster recovery was part of her responsibilities. Back then, business continuity didn’t exist. As disaster recovery evolved and business continuity was born, she took on those responsibilities. She continued to grow in her knowledge by going to classes to learn more, joined peer groups, and attended conferences to build her knowledge in this area.

Brown is now vice president of the business continuity and disaster recovery program at Guggenheim Partners.

She said she thinks most professionals deal with the challenges of management buy-in to build a great program. Many organizations she has worked for in the past have looked at it as an insurance policy or to address a regulatory requirement.

“I’ve always found ways to pull information out of my programs to show value but doing so was always a challenge because I didn’t have a system where all this data resided,” said Brown.

When Brown joined Guggenheim, she found a highly collaborative culture and well-defined program already in place, including crisis management teams and response and business continuity plans (BCP).  The BCPs had valuable information, but Brown identified opportunities to enhance the program she believed would be beneficial.  Brown credits Guggenheim’s focus on innovation and excellence as enabling her to work with business groups and make these enhancements immediately. Working directly with the business groups also allowed her to understand the value add of these changes.

Shortly after that, Brown completed an evaluation of seven business continuity management systems to help support the program. These systems were all in the Gartner Magic Quadrant. After documenting her evaluation and recommendations, the company accepted the recommendation and within three months they migrated all business continuity plans into the new system.

Brown performed training and created supporting documentation for the users of the system. This system has become more than just a business continuity management system, the data within is valuable. Brown has become the one whom different groups look to for this data. They use it for critical vendor contacts for the vendor risk management group, critical applications, IT projects which need contacts at third parties and data classification of applications. She is able to create timely reports for information requests or identification of incidents and areas impacted. The business units have more visibility as to their requirements vs. actual recovery capabilities, using signals which outline any gaps. With this, they are required to enter quantitative and qualitative business impact information to justify their requirements.  This information is then used to request funding to mitigate any gaps.

When asked about other achievements made in her career, “I believe I made a significant impact when I worked at The Chicago Board of Trade, as their director of business continuity, disaster recovery, and risk management,” said Brown.

She developed, recommended, and implemented a full disaster recovery program within eight months of her hire date. This was accomplished by collaborating with internal subject matter experts and executive management to understand what the priorities were and technology required to support these requirements.

As for lessons she has learned and still uses today, Brown said it is patience, perseverance, and “to know when you just need to roll with it.”

For advice to other professionals who are just beginning to embark on their careers in this industry, they should take advantage of industry training opportunities and their peers. “Get involved in user groups within your area. Your network can be a big help.”

Brown concluded by saying professionals should put the time in to learn about their company, culture, and people. “Find your allies because they will help you to be successful. Be available when you need to be, but don’t work so much that you don’t have time to live.  Enjoy life, after all, isn’t that one reason why we work?”

For more information on the DRJ Career Development Committee, contact Tracey Forbes Rice. Rice is a member of the Disaster Recovery Journal Editorial Advisory Board (EAB) and chairperson of the Career Development Committee. Rice has 20 years of experience in business continuity and risk management. As vice president of customer engagement at Fusion Risk Management, Rice brings customers together, partnering with them to develop innovative solutions and to achieve new levels of program success. Rice welcomes your feedback at [email protected]

Puppy Love: Have Your Executives Fallen Hard for Business Continuity?

Once, long ago, I was on a date with an attractive young woman and so enamored with her that I began to plan out when we could see each other again … while still on the date. That day we planned several more dates, and within months, we were married.

Has anyone ever felt this way about your business continuity program? Have your executives felt the pitter-patter in their chest whenever your program is mentioned? Have they casually ever walked by your office hoping to bump into you? Or planned the next meeting with you within a few days after your last one?

No? Me either.

It’s You, Not Them

It’s almost repetitive. The first year they loved you (or tolerated you) and then slowly, they started to pull away. Soon, you don’t even talk anymore. Ok, I’m being dramatic. But has this happened to you before? Maybe it really isn’t them. Maybe it is … us?

There are currently many articles out there which have been critical of the traditional BIA to BC plan model. Articles such as David Lindstedt’s “BCP is Broken” (https://www.linkedin.com/pulse/bcp-broken-3-reasons-paths-david-lindstedt/) outline some key reasons why this approach should be revised. 

Highlights suggest for the most part that BC hasn’t evolved much over the years and that we’re not able to prove our worth very easily. Rather than being the object of an executive’s affections, we haven’t engaged them in the program and created brand value.

I think there might be a way to change the way organizational leaders look at BC. But first, let’s examine the traditional “BIA to plan” cycle so we can figure out where things can go wrong.

Same Thing Different Day

Immediately upon getting the keys to my new business continuity program, I set upon the traditional path of developing a program. Plan. Do. Check. Act.

In the traditional sense, this means you identify the organization’s critical processes and dependencies, then create the proposed recovery strategies you’d most likely implement if that process fails. And then you test to see if there are any gaps.

Of course everyone’s program and culture are going to be slightly different. But tell me if the following steps sound familiar: 

  • Interview key leaders to determine their priorities. Do it whenever they will meet with you, which will be at 1 a.m. on a Saturday.
  • Create a BC steering committee filled with people that show up only after you beg them or after you wait by their car each evening after work.
  • Create a program policy and general risk assessment in a vacuum. Constantly remind people we have a policy.
  • Convince your executive a BC software tool will be helpful. Go through a rigorous process to find just the right one.
  • Implement selected BC tool and become the only primary user. Prepare to hold laptops up to users’ faces and tell them what to type when they finally log in.
  • Make every work unit in the entire company complete a business impact analysis (BIA). Explain what BIA means 4,000 times. Review this information for weeks and then try to get anyone who will listen to look at it with you. (Spoiler alert: No one really will.)
  • Create recovery strategies for each of the 10 risk scenarios you’ve identified ... by yourself.
  • Reset everyone’s password to the BC software tool 37 times a piece.
  • Write plans and checklists and arrange exercises to test the people who haven’t read the plan or checklists.
  • Realize it’s been a year and think about why you’re doing this work and where it all went wrong.
  • Repeat.
Where Did It All Go Wrong?

At the end of this traditional model you end up with a few very positive things. You will have process mapping data. You will have recovery time objectives (RTO). You will also begin to create BC plans for a specific scenario. And you possibly can make the case, that there is some understanding of BC practices amongst a large segment of your organization. But you also end up being about six to 12 months down the road.

And unless your business has a super emergency after this point, and every single plan is activated all together, it will be very difficult to convince people that this is all worth it.

I think there are three main factors why this cycle can be a bust and unsustainable.

Too time consuming.

This process can easily consume a year of your time, especially if you’re a one- or two-person operation. By the time you set up everything, conduct a BIA, develop recovery strategies, and get a physical printed plan to show off, it can be close to a year. What are you going to do if you have a business disruption in the first two months after you start? And how long can you expect anyone to wait before you can demonstrate that you made the business more resilient?

No undeniable value

It’s already very difficult to demonstrate value around a support function like business continuity. So, if you’re spending all your time sucking up money (time and tools for BC) and you haven’t made anyone really aware of the benefits of BC, you will end up with the classic question: “What does BC do again?” The truly “all-in” organization should be able to speak to one or two reasons why you’re there. And in my experience, plans aren’t the thing that makes people love your program. 

Lack of clear wins

Just because you have a documented plan, how does that translate into reduced risk? The traditional BIA may help you understand key information like critical processes and your RTO. And maybe during the effort, you find some areas of concern. But did you fix them during the cycle? This model doesn’t tend to yield very specific results or give you the ability to eliminate a single point of failure right away. You will need to dive deeper to accomplish that.

In my next article, I’m going to explain how thinking about a BC program in the same way you approach a new romantic relationship can bring completely different results. By making changes at the front end of the BC cycle, when you first meet and begin establishing your relationship, you can really change the way you generate interest and set yourself up for a relationship no one could resist. 

"MathewShane Mathew, vice president of professional services at Virtual Corporation, oversees the consulting and software implementation. Prior to joining Virtual Corporation, Mathew served in various leadership roles within business continuity and emergency management in both healthcare and governmental organizations. Mathew has led the creation and implementation of business resiliency and risk identification programs for several organizations, including governmental, medical centers, and a multi-site, national pharmaceutical division of a global healthcare organization.

 

READ MORE
DRJ Announces Retirement of Conference Director Patti Fitzgerald
It is with sadness and appreciation, we announce the retirement of Patti Fitzgerald. Patti has been an integral part of...
READ MORE
Making Preparations for DRJ Spring 2020 in Orlando
Our 62nd conference is quickly approaching, and we’re working hard to prepare for it. It takes months of behind-the-scenes work...
READ MORE
2020 Vision: Refocusing Your Program for the New Year
It’s almost the end of 2019. I’ll pause to let that sink in if you haven’t looked at the calendar...
READ MORE