ACP-MI "Membership Connection"

 Welcome to 2023! Your ACP Board is starting the year off strong with the publication of a new quarterly newsletter! This is the first of many upcoming newsletters aimed at informing, connecting, and engaging our members.


Advice Corner - Relevant and Valued

Petie Davis | May 5, 2023

Q:  We have had a business continuity program (emergency response and disaster recovery) in place for several years.  How can I help ensure that our program remains relevant and valued?

A: Programs that management wholeheartedly supports at inception often fall victim to the ‘what have you done for me lately’ mindset as time passes and budgets tighten.  It is an irony in our field that leadership interest in our program spikes only when there is an incident, when production or a service is interrupted for whatever reason.  When things are going smoothly, management may think that business continuity is not really needed and minimize business continuity programs, either with budget cuts or with a reorganization that buries us many organizational layers deep and dilutes our effectiveness. Most of us are taught to execute business continuity in a reactive manner: if this happens, you take these steps.  While having a vital response plan/process is critical, it cannot be the only approach your business continuity program takes long-term.

You need to add a proactive component: connected operational risk. This goes beyond a natural/geographic hazard risk assessment.  Risk in organizations is most often siloed; Security has their risks; Facilities has theirs; IT has their own, as do Supply Chain, Human Resources, etc.  What business continuity can offer is to identify and highlight those risks that also represent a business continuity risk.  Here is an example from a large automotive manufacturer.  A plant identifies needed upgrades in their energy center and submits budget requests year after year with no result.  The upgrades are not viewed as critical by Purchasing.  Until, that is, business continuity points out that this one energy center actually supports two critical parts plants whose disruption in production would quickly impact downstream assembly plants.  What seems like a minor risk when siloed within Facilities becomes a much bigger risk when viewed from a business continuity perspective. Another example involves getting funding to upgrade data centers. These upgrades are costly and may follow a set schedule for replacement that is protracted.  Adding a business continuity risk component to the schedule for upgrades would help prioritize the upgrades, ensuring that the data centers that represent the greatest business continuity risk to the company are addressed first.

How do you start identifying connected operational risks?  You first have to quantify the value of a plant or service to the company.  The value may be in terms of revenue and margin, but it could also be in market share, impact on reputation, or regulatory compliance, whatever speaks to senior leadership.  Next, identify who your biggest internal stakeholders are.  Offer them your value insights, talk to them about their risks and which ones are also business continuity risks, and explain how the concept of connected operational risk may elevate the mitigation priority of their particular risk.

Advice Corner - Vendor Acquisition and Implementation

Matthew Engler | February 1, 2023

“For everything, there is a season….a time to keep, and a time to throw away…” Change in the environment is necessary for growth. And as businesses continue to change and evolve, business continuity professionals will need to keep up. This often means looking at new processes, understanding new technologies, and seeking alternative tools. As professionals, it will often be incumbent upon us to properly evaluate and manage these tools and vendors.

Ditch the RFP

Since businesses started buying products, the request for proposal (RFP) has been a tried-and-true method of gathering scrap paper from a vendor. Often requesting responses in triplicate (or quadruplicate), the RFP represented a small novel where the vendor tries to convince you that everything you asked for is available in their latest release. If you still depend upon lengthy RFPs, please stop.

The RFP, as an exercise, provides very little benefit to modern acquisition. In most cases, you are already sending the request to vendors that can meet the basic needs. And any questions posed by the RFP will always be answered with a “yes”, regardless of the actual functionality. What might be a better approach is to look at those features you absolutely want to have, and have the vendor provide evidence of how their tool can meet it. This would often involve a conversation and demonstration.

As you evaluate the vendor, take those functionality questions and create a rubric. Decide what is most important to least important, and weight the responses appropriately. This can help to give a fair and unbiased look across multiple vendors when evaluating tools.

Plan for Contingency Amounts

Having made your decision, it is time to get funding. This can certainly be a stressful time, asking higher-ups to provide the money to make your selection a reality. However, once funded, you may find that the project begins to have cost overruns. All of those features they demonstrated may require additional consulting hours or an add-on license. While we try our best to clarify all costs up front, things can be hidden or not clearly understood. And now you are stuck, with hat in hand, going back to the executives for more money.

As anyone who has built or renovated a house knows, costs exceed initial estimates. Often, construction will require that you have a contingency fund to help cover these additional expenses. The same should be considered when looking at a vendor. Presenting a realistic picture to your executives at the start can help soften the conversation later when you actually need to tap into the contingency budget.

Contingency funds for new home builds are suggested at 5-10% of initial estimates. The same logic could be applied here. If the tool estimate is $50K, a contingency amount of $5K is probably reasonable. Often, your initial authorization may not include that amount. After all, they don’t really want you to spend it. Nonetheless, should you require additional funding, management would have, at the least, a tacit awareness that this risk existed.

Maximize What It Can Do

With a shiny new tool, it is time to take it out and see what it can do. Often, when we are transitioning from one product to another, we start with the “like for like” approach. Don’t. You didn’t buy a new product in the hopes it behaves just as the old one. When deploying, take a fresh approach to your supporting processes and tools. This new product will probably have considerably more bells and whistles. We handcuff ourselves by taking a Ferrari and driving it like a minivan.

It is incumbent upon the deployment team to understand what the product or service can do and what the company should leverage. Can it replace other obsolete tools or processes? Are there more automated functions that can be created? The objective should be to maximize as much as possible. In order to do that, you should always use your own project management team. The vendor will provide project management, but they may not understand your business. Any company benefits from having its own project management team assist in deployment.

Not at a large enough company for separate project management? Then the responsibility may fall on you. Understand that this is a necessary step in maximizing your acquisition. Don’t assume that the vendor’s project deployment team will be able to ensure you utilize all the parts.

Tools Without Process Solve Nothing

Imagine you are at a wedding. The cake decorator has created an amazing, 4-tier delight for the eyes, painstakingly creating each icing flower and rosette by hand. Now imagine someone just leaves a knife by the cake and lets each person cut their own piece.  Some will cut a square. Others will cut a pie shape. Kids will slice off frosting. And people won’t pay attention as the top tier collapses under the ever-disappearing bottom layers.

We often think that the newest application, platform, or tool will solve the inherent problems of our organization. They won’t. If your employees have never submitted Incidents through a ticketing system, the new ticketing system won’t suddenly change that. Processes, whether new or updated, need to accompany the launch. As the new tool begins to take shape, the project management team will need to step back and envision how they expect it to be used. Guardrails, often through process updates, need to be put in place.

If you are deploying a new platform for business continuity planning, how will people provide you data?  How will they sign off on plans? How will they use the new crisis management features?  Nature abhors a vacuum, and without guidance, users will fill in the gap. But will that be how you intend the tool to be used? Workflows can be a great option to see how you expect the system to be managed. And don’t be afraid to completely update your process. Remember, if the tool is not “like for like”, the process won’t be either.

The prospect of new tools or new vendors can be exciting. It is an opportunity to freshen up stale systems and renew old processes. However, as the vendor manager, it will be important to select the proper tool and manage it.  Consider the best approach for acquiring the tool. Ensure funding will be sufficient even if problems arise during project launch. And maximize the tool through both project launch and process improvements. You will better serve your own needs and those of the organization.

  • Matthew Engler, CBCP – Matt is an ICT Risk Director for a Technology Services Provider. He has filled out more RFP responses than is healthy.