Starting a Business Continuity/Disaster Recovery (BC/DR) Program – Part II

This series is dedicated to providing direction for applying Project Management principles to starting a Business Continuity or Disaster Recovery (BC/DR) Program.  This is the second installment of a multi-part series.  In this installment we will focus on the Project Planning phase.  The first installment of this series can be reviewed by clicking here.  Subsequent segments will be aimed at additional phases of starting a BC/DR Program, on improving an existing BC/DR Program, and on elevating a mature program to a new level of efficiency and effectiveness.

The Project Planning Phase

It is important to understand that the project planning phase is a critical part of managing the project. Many projects fail before they begin due to inadequate planning at the outset.  Consider that you may deliver an incredible collection of project deliverables that check all the boxes for management in regards to content, presentation, and usefulness, but if those deliverables are provided late and/or over budget, the project will be considered a failure.  This needs to be spot on for success.  The quality of the deliverables, their timeliness, and the adherence to the established budget all need to be in line with the plan provided to management.  In addition, this phase may be the most difficult to execute successfully, especially for those new to project management.

Here are some of the items that need to be developed in the project planning phase:

  1. Work Breakdown Schedule (WBS)
  2. Milestones/Gantt Chart
  3. Cost Management Plan
  4. Communication Plan
  5. Risk Management Plan

In many ways each of these items is a project plan within the overall project plan.  The individual documents allow the management of the major aspects of the project.  It will take a considerable effort to develop them, but the work will be rewarded as they will serve as resources as the project progresses enabling you to stay on plan.

Work Breakdown Structure (WBS)

A WBS is a hierarchical breakdown of the deliverables of the project.  In creating the WBS, focus on the end goal and stay high level.  The WBS simplifies the project into manageable pieces that can analyzed for cost and efficiently managed for completion.  The WBS is a graphic representation of the project scope.  To start out, name the project and list the major deliverables under the project title.  Our project can be named Create a Business Continuity Program.  Earlier we identified three deliverables:

  1. Business Continuity Policy
  2. Business Impact Analysis
  3. Threat Evaluation

With the highest levels of the WBS graphed, focus on breaking down each major deliverable into smaller elements.   A good rule of thumb for breaking down the major deliverables is called 8/80.  The smaller elements of the deliverables should take between 8 and 80 hours of work to accomplish.  Go no smaller than eight hours for an element.  If an element takes longer than eighty hours, continue to break it down into smaller parts.  In addition, each work element should be completely independent.  There should not be any overlap between elements; each should be unique.  The elements may need to be broken down to different levels.  Some elements may require multiple levels of breakdown while others require none or few levels.  Do not feel as though all the segments need to be broken down to the same level.

Once the deliverables are broken down according to the 8/80 rule, attach a percentage representing the amount of work that element requires in relation to total work required for the project.  Indicate the budget allocated for that element as well.

The 100% rule should be applied to the WBS.  The 100% rule holds that the top level of the WBS represents the total work and budget of the project.  The rule also holds that each level of the WBS should also represent 100% of that level’s total work and budget.  See below.

The high level deliverables should add up to 100%.  The levels below must also add up to 100%.  Here we can see that 2.1.1 and 2.1.2 add up to 100% of the work and budget for level 2.1.

There are many websites that provide information about creating Work Breakdown Structures.  Most include examples and templates that can be downloaded.

Milestones/Gantt Chart

Milestones are key events in the lifetime of project. Mapping milestones and comparing progress to them ensures that you are not too deep into the details of the project and are keeping the overall project on course.  The milestones of the project include critical deadlines, key dates unrelated to deadlines, and deliverables. A milestone chart is great for reporting and presenting to management since it summarizes the key stages of the project without getting too detailed.

Identifying the milestones involves setting a sequence to the major elements of the project.    To create a comprehensive milestone chart, refer to the work breakdown structure, but understand that milestones are not isolated to only items in the WBS. Consider also key organizational events and initiatives that overlap your project.  Also consider any periods in which the project team will need to focus its time and effort on other unrelated activities.

The timeframes for completing each milestone will vary greatly by the size of the organization and the staff that will perform the project activities.  The ability to outsource portions of the project is also a factor to be considered.  In calculating the expected dates for the project milestones, consider required predecessors.  Milestones will commonly require that one or more other key activities, deliverables, or other milestones are complete.

There are multiple templates available for milestone charts.  The link below provides templates for MS Office.

https://templates.office.com/en-us/Project-timeline-with-milestones-TM00000009

A Gantt chart further breaks down the items in the work breakdown structure into tasks with defined timelines for completion and relationships to other tasks that serve as predecessors and/or successors.  A Gantt chart can also be used to identify the resource(s) responsible for completing each task.

In a Gantt chart, each tasks is represented on a row.  A timeline appears along the top or bottom of the page, and a bar is drawn on the task row to a length representing the length of time required to complete the task.   The graphic below is a very rudimentary sample.

There are multiple software programs available for creating Gantt charts and many templates for creating them within MS Office.  Here is a link explaining how to create a Gantt chart in Excel.  There are many tutorial videos like this on YouTube and elsewhere on the web.  If you feel it is important to link tasks together, visibly display connections between tasks and milestone icons, track resources, and involve constraints, it may be best to use a project management software program.

To create the Gantt chart, add the major elements from the work breakdown structure; then break out each major element into the individual tasks required.  Prioritize the tasks in accordance to how they may relate to each other and which tasks may be predecessors to other tasks.  In some cases tasks may need to be completed in tandem, but for our BC/DR project, linked tasks will most often have a finish-to-start relationship.  In a finish-to-start relationship, the predecessor task needs to be completed before the successor task can be started.  More information about task links is available here.

Review each task and draw the bar for each to represent the duration for the task.  Determine the resource responsible for performing each of the tasks.  When complete, review the resources assigned to tasks to ensure that no resource is over-allocated.

Cost Management Plan

The Cost Management Plan summarizes how project costs will be controlled.  The plan is not simply a summary of the expected costs for the project.  It includes a description of the method and manner in which costs are being estimated, and how the available budget will be periodically utilized.  It includes the estimated cost of each activity and a schedule of when costs will be incurred.  It also defines who has the authority to change the cost management plan and the procedure for how the costs are changed. The cost management plan should also define how costs will be reported and how often. Leverage the work breakdown structure in creating the Cost Management Plan.  In creating the WBS the budget amounts should have been tagged to each task.

For the BC/DR project, examples of cost contributors are the wages of the staff involved in the project, the purchase and implementation costs of any BC/DR and/or project management software (if applicable), the costs of outside consultants (if applicable), printing costs, the price of access to references such as those associated with historical disaster data, the wages of those who will be interviewed for the BIA, and the wages of those who will review and approve the BIA.  Travel may also be a cost depending on the delivery method for the BIA.  Travel may also be a factor if travel is needed for the threat evaluation and/or meetings to present on the status of the project or the final project findings.  Your organization may have its own standard policies for what contributes to project costs.  For example, some organizations do not account for internal staff when determining the cost of a project.  Assuming that your organization does account for internal staff in cost planning, ensure that you include the time it requires to update the project planning documents and the status reporting required of management.  These activities are essential and should be part of the overall project cost.

Determine if your organization has a template for creating a cost management plan.  A template will greatly simplify the process.  If your organization does not have a template, there are a multitude of templates available on the web.

A cost variance action plan may be required for the cost management plan.  The cost variance action plan designates actions and identifies individuals responsible if the costs of the project begin to escalate beyond the original plan.  The cost variance action plan sets specific percentage category ranges and defines actions and escalation points of contact based on how far the cost of the plan has deviated from the original plan.

Determine if your organization requires your cost management plan to incorporate cost performance or cost variance metrics.  If so, there are a few additional project management concepts with which you will need to be familiar:

Schedule Variance (SV) is the completed work to date compared to the planned schedule.  We calculate the Schedule Variance by subtracting the Planned Value (PV) from the Earned Value (EV).

Step 1: Determine the Planned Value (PV) for the project.  Planned Value is calculated task by task for each task that should be completed at the current point of the project.  We need to look at each task and determine what percent complete it should be given the current date.

Look at the example below:

Let’s assume that it is March 1st. The Planned Value (PV) for the tasks that were planned to be completed by March 1st is $4,150.  This is simply the total budget amount for all project tasks that should be completed as of today.  (If the date fell within the start and end date for any task, we would need to calculate the percentage of the task that should be completed by the date.)

Each of the tasks above should be complete; however, Task 2 is only 75% complete, and Task 4 is only 50% complete.  Tasks 1 and 3 are 100% complete.  Now we can calculate the Earned Value (EV) of the tasks by multiplying the planned budget amount for the task by the percent completed of the task.

Task 1 = $1,000 x 100% = $1,000

Task 2 = $400 x 75% = $300

Task 3 = $2,000 x 100% = $2,000

Task 4 = $750 X 50% = $375

The Earned Value (EV) = $3,675

Now we can determine the Schedule Variance (SV)

Schedule Variance = Earned Value (EV) – Planned Value (PV)

Schedule Variance (SV) = $3,675 – $4,150

Schedule Variance (SV) = -$475

A negative Schedule Variance indicates the project is behind schedule.

Cost Variance (CV) is the difference between the Earned Value (EV) and the Actual Cost (AC) of the project.  If the cost of the project is over the budget projection, the Cost Variance will be negative.  You can determine the Earned Value for the project by multiplying the total budget of the project by the percent complete for the project.  For example, let’s say we have completed 15% of the project, and the total budget for the project was $75,000.  To date, we have spent $10,000.

Step 1: Determine the Earned Value (EV) of the project.

                EV = Project Budget x Percent Complete of the Project

                EV = $75,000 x 15%

                EV = $11,250

Step 2: Determine the Cost Variance (CV) of the Project

                CV = Earned Value (EV) – Actual Cost (AC)

                CV = $11,250 – $10,000

                CV = $1,250

                The project is currently under budget by $1,250.

There are multiple resources available on the web for providing project metrics like those above.  Here are just a few:

https://edward-designer.com/web/pmp-earned-value-questions-explanined/

https://pmstudycircle.com/2012/05/planned-value-pv-earned-value-ev-actual-cost-ac-analysis-in-project-cost-management-2/

http://www.pmknowledgecenter.com/dynamic_scheduling/control/earned-value-management-three-key-metrics

Communication Plan

The communication plan defines the data, frequency, and methods utilized for delivering information regarding the project.  Communication is essential to keep stakeholders informed and to manage expectations.  To develop your communication plan, start with documenting the audiences with whom you will need to communicate.  For the BC/DR project, this may include the following:

The Project Team – people working on and overseeing the project

Vendors – external organizations providing services for the project or systems like a BC/DR software

BIA Participants – those people who will perform assessments of business processes

Site Managers – individuals who may be helpful in performing the Threat Evaluation

IT Management – individuals who will be interested to know the business needs for system and infrastructure derived from the BIA

Vendor Management – individuals who will be interested to know the business needs for external organizations derived from the BIA

Department Heads – department leads who will review and approve BIAs and will need to understand their RTOs and the dependencies on their processes

Project Sponsor – the individual who approved the project and may be funding the project through their assigned budget

The list of possible audiences is varied; thus the type and frequency of information delivered will vary as well.  Meet with the audiences to determine what type of information they would like to see and how often it should be delivered.  Also, discuss the method of delivery.  E-mail, reports, in-person meetings, and virtual meetings may all be utilized for project communication.

To manage the communication requirements, it may be advantageous to create a communication matrix.

Adopt a standardized format for all communications.  Adhere to the defined format and remain consistent throughout the project.  If available, utilize a site on the organization’s intranet to store all communications and project-related documents.  Socialize the URL and provide links in the communications delivered.

Once the communication plan is developed, consider adding key communication activities to the Milestone and Gantt charts.  Create recurring reminders in your e-mail/calendar program to help ensure communications are executed according to schedule.

Risk Management Plan

The Risk Management Plan identifies the risks that pose a threat to the success of the project and captures related remediation activities.  For the BC/DR project, create a risk matrix.  The risk management matrix will facilitate the capture of risk information for the project.  Include the probability of each risk and a measure of the impact the risk would have on the project if it were realized.

The probability ratings can also be captured as ‘low’, ‘medium’, and ‘high’.  Tasks with high probability and high impact are the primary concern.  These tasks can set the project back significantly or even require that the project be terminated.  Rank the risks in terms of probability and impact to facilitate efficient management of the project risk.  Think through the mitigation strategies carefully to ensure your project can be completed successfully.

Tasks from the mediation column of the risk matrix should be added to the project plan as they become applicable.  Be proactive wherever possible: if steps can be taken to avoid a risk, add those tasks to the project plan, and carry them out as if they were part of the normal work required.  New milestones may be necessary if any of the remediation activities are required in response to a realized risk.

With the risk management plan completed, you are through the project planning stage.  Keep in mind that each of the materials developed in this phase are living documents that will need to be updated regularly throughout the life of the project.  If managed properly, they will serve as valuable resources to help ensure success.

Starting a Business Continuity/Disaster Recovery (BC/DR) Program

This series is dedicated to providing direction for applying Project Management principles to starting a Business Continuity or Disaster Recovery (BC/DR) Program.  This is the first installment of a multi-part series.  In this installment we will focus on the Project Initiation phase.  Subsequent segments will be aimed at additional phases of starting a BC/DR Program, on improving an existing BC/DR Program, and on elevating a mature program to a new level of efficiency and effectiveness.

Starting a Business Continuity Program

Launching a BC/DRBC/DR Program requires its own plan.  This is not a plan as in a recovery or response plan, but a plan in the sense of a project plan.  Starting a BC/DR is no different than starting any project, and success essentially hinges on your project management skills.  You may want to reach out to the Project Management Office (PMO) if you are fortunate enough to be part of an organization that has one.  The PMO may be able to provide an experienced project manager who can assist by applying current project management theory and techniques to the initiative.  If your organization does not have a PMO, or a resource is not available, then gaining a basic understanding of project management is the starting point.

There are many available information sources for project management principles.  The Project Management Institute (PMI) http://www.pmi.org/ is the leading authority in the field.  The PMI offers training and certification and most community colleges and universities offer courses in project management.

So let’s take a real-life approach to this and assume that you were invited into your supervisor’s office or your supervisor’s supervisor’s office on Friday afternoon, and, due to some outstanding work in a field that has nothing to do with business continuity or project management, you were “offered the opportunity” to start and lead the organization’s business continuity program.  You will do this, of course, while managing your non-business continuity, non-project management work responsibilities.  I feel your pain.  So, here’s where you are: you didn’t sleep much this weekend, you have a huge new project in your lap along with a bunch of other things on your already-full plate, and you’re probably not getting enough time, money, or people to make it happen.  Step 1 – keep reading.

This is still a project, and we still need to approach it as such despite the possibility that we are short on time and resources.  Here are the basics we need to know about project management and its application to starting a BC/DR.

Project Initiation

Project initiation is the first phase of project management.  Project Initiation is typically where a business case is created to provide the rationale for undertaking the project and proving that it is feasible.  Management will use the business case to ultimately determine if the project will be approved.  This may have already taken place and the project assigned to us after the fact.  If, however, we will be part of creating the business case, there are a ton of templates available online as well as recommendations for writing a good one.  Check internally first because there may be a standard template specifically for use by your organization.

The Business Case for a BC/DR
The business case needs to explain the why for performing the project.  Focus on describing the need for the project and how it solves an issue that the organization is facing.  Provide examples that are not exclusively IT focused as this can expand the scope of the case beyond traditional boundaries and allow areas like Supply Chain, HR, and other customer impacting areas to be included or considered. Without a BC/DR Program, the entire organization is at risk.  The organization could experience a disruption that causes injuries to associates and/or the inability to provide the products and/or services normally provided to clients.  Without a BC/DR Program there is a risk in regard to providing the safest possible working conditions for employees, and there are operational risks that could include regulatory and contractual breaches, diminished reputational status, financial loss and loss of financial opportunity, and a diminished competitive capability.

The goal of the project is the creation of a program that is focused on improving safety for all personnel and raising the state of readiness for the organization by understanding and mitigating risk and instilling an ever-improving culture of resilience.  The business case should demonstrate the value of performing the project.  For this part refer to the Business Continuity Institute (BCI). http://www.thebci.org  The BCI is a leading authority in the field of business continuity.  The BCI offers a paper for download that details how business continuity delivers ROI.  http://news.thebci.org/news/business-continuity-delivers-return-on-investment-164635  This section can also leverage relevant industry requirements.  These are often the driver for the creation of a BC/DR Program.  Depending on the industry, the ability of an organization to continue operations can hinge upon proving it has an effective BC/DR Program.

While the benefits and ROI of implementing a BC/DR Program can be difficult to express numerically, one way to do so is to establish the cost of downtime.  The factors involved in determining the cost of downtime will vary greatly from industry to industry and organization to organization, but if we can have a few minutes with the CFO, we may be able to derive a dollar amount that can adequately highlight the value a BC/DR Program will bring.  (The CFO would make a great Executive Sponsor – keep this in mind for later.) Ask for an estimate of the losses expected for a day where no work activity could be performed.  If you are part of an organization where the products and services provided are extremely time-sensitive, the cost of downtime may be measured in hours, rather than days.  In either case, the value of a BC/DR Program is in improving safety for employees and mitigating against the cost of downtime.  Be careful not to infer that a BC/DR Program will ensure safety or that downtime can be completely avoided.  A BC/DR Program can only promise to improve safety and minimize downtime.

The business case will also need to detail the requirements for the project.  In this section we need to provide information on what will be done, who will do it, how it will be done, and the timeline (when) for completion.  Who will depend on how many people we can involve.  If it’s just going to be you, you may want to include estimates for contracting with outside consultants.  If it is just you, be savvy with the timeline estimate because the revision process for the business case will most certainly include shortening the project time frame.  These project requirements will set you and the organization up for success.  Understanding your current team’s high-level bandwidth, level of effort, and deadlines will help you determine the resources required to meet your project goal.  We see too often organizations asking employees to “Just Do it!” and these eager employees struggle with trying to do more with limited resources.  Planning will provide a logical progression to achieve success and meet your organization’s goals.

We can be more certain regarding what will be done and how it will be done.   Here are some traditional deliverables (what will be done) for the project:

  1. Business Continuity Policy

  2. Business Impact Analysis

  3. Threat Evaluation

Understand that there is a debate within the Business Continuity industry over whether to perform the Threat Assessment or the Business Impact Analysis (BIA) first.  We will not wade out into that discussion in this installment; although you can see we’ve placed the BIA before the Threat Evaluation.  Our position is that the BIA should come first; however, there is enough flexibility in the sequence that they can be performed concurrently if desired.

The Business Continuity Policy will establish the requirements and responsibilities for the BC/DR Program.   The Threat Assessment will examine the likelihood, impact, and state of readiness for threats to the organization, and the BIA will establish the Recovery Time Objective (RTO) for the processes engaged by the organization.  (The RTO is the measurement of time in which a business process or service must be recovered following a disruption.)  Note that we are referring to our deliverable as a Threat Assessment, rather than a Risk Assessment.  These are two different things.  A threat assessment is identifiable with standard business continuity procedures while a Risk Assessment is wider in scope.  The Threat Assessment and BIA will provide the background and organizational understanding for establishing the program.

Prior to writing the Business Continuity Policy, it will be helpful to review a few resources:

The documents above will give you the essential steps for completing the tasks required to starting a program, and, more importantly, will provide you with an overall understanding of what is necessary for establishing a successful BC/DR Program.

As you formulate the Business Continuity Policy, cite the need for a Steering Committee.  The Steering Committee should include an executive sponsor – someone from upper management who agrees to serve as the chair of the committee.  (Recall the reference made earlier to the CFO.) The executive sponsor provides a valuable top-level presence to the program, functions as the voice of the program to other members of executive management, and assists in avoiding and ending impasses that could occur between equals.  Include a suggested structure for the Steering Committee.  In addition to the Executive Sponsor/Chairperson and the BC/DR Manager, propose that leadership from the business areas of the organization also serve as committee members.  Their support for the program will be essential to long term success.  We will eventually request each business area participate in the BIA and in building and maintaining recovery plans.

 Designing and delivering an effective BIA is a major endeavor.  The Business Case should include the BIA scope, design, and delivery method(s).  There is some cross over here between Project Initiation and Project Planning.  We will need to plan the project at least at a high level in order to provide an idea of the scope of the BIA.  Determining the scope of the BIA is the first task.  The size and structure of the organization as well as the staff that can be allocated to the task will be considerations.  If the staff is not considerable, but the size of the organization is, it may be necessary to implement the BIA in carefully planned phases or to narrow the scope to a limited portion of the organization.  Part of that determination should include the implementation method(s).  Face-to-face meeting are preferred, but they may not be feasible given resource restrictions.  The use of a business continuity software tool may  help as well.  Distribution of electronic files developed in Word or Excel can be effective, but compiling the data for analysis and reporting can be time consuming.  A blended approach to implementation is often required given restrictions on travel and staffing.  If company culture allows consider engaging an external consulting firm to collaborate on the design and provide the delivery of the BIA.  This may be the best possible use of any financial resources the project may include as the results of the assessment will be delivered along with external endorsement.

As for BIA design requirements, capture the need to measure impact using a qualitative and quantitative method.  Many organizations allow BIA participants to provide their opinion on how serious the impact of the outage would be within their area of specialization.  This is not recommended as most people are passionate about their work and find it difficult to provide an estimate of impact without allowing that passion to bias their assessment.  If specific criteria are provided for determining impact, the BIA results are more likely to represent an accurate depiction of how an interruption would affect normal activities.   This will be vital for selecting appropriate recovery strategies later.  Include the time frames in which RTOs will be expressed.  Provide a Tier structure that defines how processes will be categorized.

The policy should also state that the BIA will capture dependencies on IT assets and vendors.  Speaking with IT leadership is advised as IT may already have RTOs and classifications for applications and assets.  Sharing the same measurements, if possible, will simplify the mapping of IT dependencies and the identification of gaps between business needs and IT capabilities.  Detail the need for IT to provide current application Recovery Time Actual (RTA) and Recovery Point Actual (RPA) information.  The RTA is a measure of time in which it has been demonstrated that an application or other IT asset can be recovered.  The RPA is a measure of time indicating the true age of the data associated with an application that can be recovered by IT.   In some cases a disruption may mean that data entered into an application will be lost if it was entered within a certain time period prior to the disruption.  These measurements will ideally come from the results of IT recovery exercises, rather than estimates of what is currently possible.

Include the minimum requirement for refreshing the BIA in the policy.  Many organizations will perform the BIA on an annual or bi-annual basis.  The available methods of delivery and staffing will factor into how often the BIA can be repeated.  If a software tool to support the BC/DR Program is available, indicate that the BIA should be updated whenever there is a change in how a process is performed, where it is performed, or if the technology utilized or the role of a supporting vendor is amended.  Maintaining BIA data continually allows the organization to be more confident in the selection of strategies for recovery and more efficient in managing the resources allocated to enabling those strategies.

The Threat Evaluation should provide a score for potential threats to the organization that considers the likelihood of the threat and the expected impact if the threat were realized.  The Good Practice Guidelines provides a useful scoring model for threat assessments.  Enhance the model by accounting for any mitigation measures in place to reduce each threat.  This will ensure that the most likely and most impactful threats come to the forefront.  In order to determine the likelihood of each threat, examine historical disaster frequency data.  Here are a few websites that may be helpful:

https://www.unisdr.org/we/inform/disaster-statistics

https://ourworldindata.org/natural-catastrophes/

http://www.ifrc.org/world-disasters-report-2014/data

http://www.emdat.be/database

https://www.fema.gov/disasters/grid/year

Understand that accounting for every conceivable threat is not possible.  Try to keep the analysis simple.  The assumption should be that both the BIA and the Threat Assessment will evolve and improve over time and as the organization changes.

The policy should include specifics for program assessment and reporting.  Include information on the standards that should apply to the program based on your review of IS22301 and other relevant industry-specific requirements.  Your location in terms of state/province and nation may require additional compliance standards for the program.  The standards ultimately adopted by the organization, as well as those applied by your industry and government entities, will drive much of the design of the status reporting that is necessary for the program.

Internal and external audit findings should be part of the program reporting requirements.  Reach out to the Internal Audit Department if possible to request a collaborative effort on areas of compliance and to introduce them to the relevant standards.  For BIAs, include reporting on completion rates, updates, reviews, and overall approval statuses.  Outline reporting on the RTO and Tier results from the BIA.  Reports detailing dependencies and any gaps between business needs and IT and vendor capabilities should be outlined.  Sample Threat Assessment reports are available online.  The threat assessment is not something that will need to be refreshed often.  It will rather be repeated for all locations for the organization and for newly acquired locations should the organization experience growth.

Following the advice provided here, a very persuasive business case can be developed to support the need for a BC/DR Program.  With the steps provided herein completed, we are through Phase 1 of the project.  Watch this space for the next installment covering Phase 2 – Project Planning.