Saturday, 19 of May of 2012

October 28, 2011 - Is October snow a trick or a treat? Depends on who you ask!

October? Snow? Trick or treating in the snow? What? While it may be a treat for your kids, it sure is a trick to your business.

Didn’t we just have an Earthquake? Weren’t there some bad tropical storms and a hurricane just before that? This upcoming October snowstorm and these recent events prove to us that there is always another trick just around the corner for businesses to plan for, and if you are prepared correctly, you’ll get the treat of being able to focus on carving pumpkins this weekend instead of worrying about your business continuing to operate.

These types of events are challenging for organizations on many levels. Office closures, power outages, floods and collapsed roofs are just some of the issues businesses across the region have faced and will continue to face in future events. Without actionable plans and procedures, organizations and offices across the region may have to shut down, leading at best to lost productivity and sometimes resulting in something as catastrophic as going out of business. Most organizations could mitigate these risks by continuing operations with straightforward and tested continuity plans.

Many organizations lose productivity due to office closures because they are left without any means to continue operations and have to shut down all processes due to an event like a snowstorm in October. Lost sales, market share, brand reputation and employee morale are some of the drivers behind investing in continuity plans for your organization.

With proper planning and today’s affordable technology, businesses can remain functional in their most critical areas. Instead of closing down and losing productivity, organizations can continue operations without missing a beat.

What can your organization do? In a nutshell, it’s as simple as one, two, three.

  1. Start with identifying your most business critical processes and procedures.
  2. Then identify a range of solutions for crafting redundancy and resiliency into those areas.
  3. Finally, integrate regular and documented testing into your routine operations.

Events like snowstorms in October remind us that it is vital to be proactive in your planning efforts all year, not reactive when it could be too late.

Good luck and have fun trick or treating in the snow!



July 20, 2011 - Platform-As-A-Service Solutions Continue to Mature

Cloud Computing provides IT organizations several benefits; perhaps the most significant is the ability to reduce significant IT infrastructure capital expenditures (CAPEX).  It creates the ability to pay for the computing power that you need and when you need it.  Now that Software-As-A-Service offerings for CRM, Messaging, and Collaboration are widely in use, over the next 18 months, IT departments will shift their focus to the custom and business focused applications in their portfolios.

The cloud provides developers with ready access to computing resources for development and testing, and can dramatically simplify deployment. However, without Platform-As-A-Service (PaaS) solutions, shifting applications development and delivery to the cloud can require developers to manage the details of virtual machines, execution threads, network connections, etc. A fully featured PaaS tool provides the integrated development environment (IDE) that is the key to unlocking the power of the cloud for vertical and business specific solutions.

Last November, we published an entry recommending that IT organizations take a look at Cloud-Based Platform-As-A-Service (PaaS) tools as a way to get a handle on the plethora of departmental or “long tail” applications that they are currently supporting (see: November 3, 2010 – Are Long Tail Applications wagging your IT Department?). Since that time, the market has continued to mature and although it still has a way to go, vendor offerings and solutions are taking shape. Check out this recent Forrester Wave Report on PaaS to learn about some of the leading PaaS offerings.



July 6, 2011 - How does an effective Business Continuity and Recovery program relate to the NFL?

If you are like me, you are sick and tired of hearing about the NFL Labor issues and are ready for all of that to be put to bed so we can enjoy some football again. In the meantime, and to replace the football gap in all of our lives, I wanted to discuss how an effective Business Continuity and Disaster Recovery program relates to a winning football team.

Let’s first start with taking a look at the NFL and what makes a championship team so successful. All teams have three specific “teams” – Offense, Defense and Special Teams – led by a collection of management and coaches. Within each of these “teams” there are sub groups or positions, such as the secondary, wide receivers or linebackers, who also come with a host of coaches and trainers. One of the keys that sets the Super Bowl teams apart is that all of the “teams”, sub groups, coaches and management work towards a common goal and understand the role that each “team” plays and how everyone supports each other.

A Business can be looked at in similar terms to the NFL, and specifically, an effective Business Continuity and Recovery Program. An effective program contains four specific “teams” – Business Continuity, Disaster Recovery, Crisis Management and Emergency Management – led by a collection of corporate leaders and influenced by additional departments, such as Risk Management and Compliance. Each of these “teams” has sub groups, which in Disaster Recovery for example, may include specific applications, infrastructure, data and Internet groups, amongst other system owners and business stakeholders. Similar to the NFL, in an effective Continuity and Recovery program, all of these teams work hand in hand every day feeding each other information back and forth.

In the same way that a losing football team lacks a clear vision and identity, many corporations without effective Continuity and Recovery do not fully understand the roles that each team plays and the interdependencies between each. There is often confusion between roles in Business Continuity and Disaster Recovery, for example IT focusing on Business issues, which is similar to the Defensive Coordinator worrying about the Offense. This often turns into contention within the office, but if all sides understood their roles they would be able to work together as one team to support each other. As a starting point, here are some basic role definitions of each of the four Continuity and Recovery “teams”:

  • Business Continuity – Program to identify the critical processes that need to be continued, and develop, maintain and exercise plans to continue, recover and restore business operations
  • Disaster Recovery – Program to develop, maintain and exercise plans to continue, recover and restore IT services to support Business Continuity, including components such as infrastructure, telecomm, systems, applications and data
  • Crisis Management – Process, structure and coordination of an organization’s response to a crisis in an effective and timely manner, including employees, stakeholders and the public
  • Emergency Management – Planning and response to protect critical assets and employees from hazardous events, such as evacuation during a fire or shelter in place during a tornado

One of the most important aspects of an effective Continuity and Recovery Program is the communication between the key “teams” and ensuring that all of the “teams” are working together as one complete team towards the common goal of protecting the business, including its people, stakeholders and assets.



June 1, 2011 - Disaster? Stay where you are

On any Main Street in America you’ll hear the average Joe making wind of “all of the crazy things going on in our world today.” Global warming, blizzards in the south, the Tsunami in Japan, etc. Indeed, the headlines are constantly filled with both natural and manmade disasters. If a dirty bomb were to hit your city, or say there was a mass shooter running rampant through the building next door, if the weather channel were to predict all time record snowfall over the next 24 hours – would you know what to do?

Americans have been conditioned through mass media and hearsay to run from disaster. Run from trouble headed your way, and you will be safe. Oftentimes, this inherent response is flat out wrong. Not only can leaving be incorrect, but it can often be detrimental to the emergency situation at hand. Shelter in Place is an emergency solution that lives in the shadows of evacuation. It’s a concept not talked about enough, but one that has proven itself amply beneficial.

Shelter in Place is the process of taking immediate shelter WHERE YOU ARE – inside whatever building you happen to be in at the time of the emergency, or seeking shelter in an undamaged building nearby. This is not to be confused with going to a shelter in CASE of a storm. There are several events where shelter in place is the safest means of response; during a crippling snowstorm, for example, or in the case of a radioactive or biological contaminant release. It is important to follow the instructions of the government, for example if a mandatory evacuation is issued, then you should evacuate, and if shelter in place is instructed, do that.

The majority of Americans are not adequately prepared for shelter in place because they don’t know about it, and don’t know what to do. The answer is simple – stay put! But businesses and employees have not received enough education on the importance of shelter in place to get the message out, which is why it is up to individuals to inform themselves. Shelter in place keeps clutter off of roadways and will allow first responders to easily access roads and other transportation means to do their jobs as effectively as possible. Shelter in place also provides overall public protection from the dangerous situation. By moving around, you are likely to transport contamination with you, potentially impacting and harming others who may have been safe before you arrived.

This is all fine and dandy, but how do you prepare for staying in place for an unknown amount of time? There are things to think about and plan for: How will you communicate with others? Have you stored emergency supplies at work, including medications? Have you arranged alternate providers of care for those that depend on you? What will you do to prevent toxic substances from coming into your home or workplace during the emergency?

The National Capital Region (NCR) recently completed a behavioral analysis which showed that a significant portion of those surveyed did in fact opt to shelter in place during a dirty bomb scenario, but noted that very few households, workplaces and schools have actual shelter in place plans. I encourage you, the reader, to engage in your own emergency preparedness plan.



May 18, 2011 - ERM – Why ERM has not been embraced, why it should be (Part I-A of X) – Unnecessary Complexity

In our posting from May 6, we discussed the need for ERM programs to be practical and understandable (simple per se) for them to be embraced by companies or organizations, and in particular some of the common terminology utilized in many ERM models (Risk Appetite and Risk Tolerance). Just prior to this posting, the IRM (“Institute of Risk Management”) published a paper titled “Risk Appetite and Risk Tolerance – A consultation paper from the Institute of Risk Management”. We have reviewed the paper and we offer our response and thoughts in this posting.

In general, it is hard to argue against many of the concepts in the IRM paper, in large part because they are conceptual in nature and the intent behind them is to facilitate better management of risks within companies and organizations, which no one would argue is a bad objective.  However, as with many ERM concepts, the issue is not the concept itself, but how to apply the concept in practice.

 

To that end, I think we need to determine whether Risk Appetite and the development of broad Risk Appetite statements for an organization actually serve a purpose and add value to the risk management process.  I am not sure that it does.

Who does a Risk Appetite statement or statements benefit or serve? Is it a general statement for or from the Board to communicate with executive management? Is it a statement that would be used by investors, similar to mutual fund risk ratings, to assist them in determining whether the company’s Risk Appetite is consistent with their investment strategy? It is difficult for me to see who really benefits from a formal Risk Appetite statement and how this serves to improve the risk management process.

Additionally, setting out blanket statements about the types and amount of risks that a company is willing to accept in advance just does not seem practical or useful. At its core, risk management is about effective and responsible decision making. Risk decisions are and should be on a case by case basis and the risk management process should support analysis and decisions about strategy and operating policies that are specifically related to defined business objectives.

In keeping with our “simplicity” concept the ERM process should be about:

  • What is our objective?
  • What are we doing now?
  • What could we do differently?
  • What are the risks/impacts of doing things the way we are now versus the alternative approaches (What if or Scenario Analysis)?

In thinking about ERM in this manner, I am just not sure that a Risk Appetite statement plays a role or adds any value to the process.  The important thing is to have processes and activities in place to ensure adequate discussions and knowledge (within management and at the Board level) around current risks and as importantly future risks if certain decisions are made, adequately weighing the pros and cons.



May 10, 2011 - A Good Business Continuity and Disaster Recovery Plan is Never Final

The number one rule of thumb for Business Continuity and Disaster Recovery Planning is that plans are “living” documents. In short, this means that there is never a “final” plan. Plans are only complete for a stage in time but need to be continually maintained and updated for changes to your business, resources and the environment in which we work. A good plan is never final!

Where does your organization stand on the maturity model? If you are like many organizations, you are most likely in Stages 1, 2 or 3. However, no matter where you are in your planning process, there are always improvements that can be made to protect your organization from potential disaster. Each stage is represented with a set of characteristics or conditions, with their own set of effects on the organization.

  • Hypothetical: “What If” is a common phrase in this stage. Organizations spend time discussing hypothetical questions with little documentation. These discussions do not constitute an actual plan and are merely the starting point.
  • Disparate: So there are a few individual plans out there. Who owns them, where are they and who’s responsible are key topics that represent this stage. Business and IT act in silos and are not yet sharing the critical information to protecting the business.
  • Coordinated: The wall between Business and IT has finally been broken down. While there are still several individual plans that exist, coordinating discussions are occurring and small exercises to test the plans have been initiated.
  • Integrated: An organization has implemented best practices by instituting a top down planning methodology, completed policies and procedures and Business and IT are fully integrated within the planning process, including a comprehensive annual DR drill.
  • Optimized: All plans and procedures have been documented and are now entering a cyclical maintenance, review and approval process. There is an understanding that all plans are “living” documents that are continually optimized and improved upon.

 

Successful Business Continuity and Disaster Recovery Planning is an on-going process. There are always new changes to the business environment and new risks that must be planned for. “Hindsight is 20/20” is a phrase that could lead to potential failure. The key to protecting your business from known and unknown risks is to employ a “living” planning process and to accept that no plan should ever be final. You might think your business can wait to implement a BC/DR plan, but disaster certainly won’t wait for your business.

 



May 6, 2011 - ERM – Why ERM has not been embraced, why it should be (Part I of X) – Unnecessary Complexity

In our December 14, 2010 post we noted that “Since 2006, Standard and Poor’s has rated hundreds of selected companies for their performance and capabilities in ERM, with only 3 percent of rated companies achieving a rating of ‘excellent.’” There are many hurdles in implementing an ERM program, and many reasons companies and organizations have not fully embraced the concept and need for holistic, integrated risk management.

On the other hand, there are several tangible benefits and reasons for organizations to implement a formal, comprehensive ERM program. Some of these include:

  • Facilitation of broad, cross-functional discussions regarding key business risks, as well as opportunities, across the enterprise
  • Better / timelier information (i.e. Industry/Competitor/Economic/Regulatory/Regional News, Emerging Risks, etc.)
  • Improved, comprehensive operational and risk reporting and the elimination of redundant risk management activities and/or functions
  • Strengthening overall corporate governance practices (the obvious benefit)

In the coming weeks, we will be posting a series of blog posts that address the basic ERM process, common hurdles to implementation and possible ways to clear those hurdles. This week we will begin with issues surrounding the design of the ERM process and the terminology.

For ERM to be successful it must be practical, simple and understandable at all levels throughout the business.

Let’s look at a couple of commonly used terms within many ERM models, “Risk Tolerance” and/or “Risk Appetite”. If you asked several people, at various levels, within an organization (or even risk management professionals for that matter) what these terms meant and how they are utilized to help manage risk, I doubt you would get the same answer very often. In most cases you may even just get a strange look.

Theoretically, it is supposed to provide an objective way to set a risk factor or threshold so that a company can measure the actual level of risk being taken against the pre-established thresholds, and make changes if the actual risk is outside the tolerance levels.  The issue is that it is, well, mostly theoretical and not easily understood in practical terms.

Norman Marks tries to tackle these terms in his blog post from April 14 titled “Just what is risk appetite and how does it differ from risk tolerance?”, but at the end of the day we are left with no real answers and as Norman states, many folks “…will have to wait for more practical guidance from ISO and its national organizations.”

It is possible that more guidance may be helpful, however an effective risk management process need not be akin to rocket science and what is really needed is for companies to define a practical, straight-forward risk management framework and approach that is right for their company or organization.  In other words “KISS”.

UPDATE: Ask for more guidance and you shall receive. Just prior to this posting, the IRM (“Institute of Risk Management”) published a paper titled “Risk Appetite and Risk Tolerance – A consultation paper from the Institute of Risk Management”. IRM produced this consultation paper to provide guidance to directors, risk professionals and others in relation to that part of the UK Corporate Governance Code that states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives”. However, the IRM hopes the guidance will resonate broadly with anyone interested in the subject of Risk Appetite and Risk Tolerance.

We will review the paper and provide our thoughts in the coming weeks.



May 5, 2011 - Rules of Engagement

Hopefully by now, your company has learned that this “social media” thing isn’t going away and it’s time to get in the mix. It’s clear that social media helps drive growth and profits. What might not be as obvious is how people are effectively engaged through the medium of social media. How do you get people to become a part of your social media community? How do you keep them coming back? There isn’t a one-size fits all answer, but there are several critical elements your business must do to foster sustainable engagement via social media.

  1. Quickly Consumable Content: Because of the emergence of the 24-hour news cycle and the explosive expansion of social media, people are consuming more and more content every day. People are also increasingly becoming part of the “microwave generation” whereby we are increasingly accustomed to instant gratification. To keep people active and engaged you have to give them what they want, a steady push of quality content that people can quickly digest.
  2. Personalize Your Community: Another cornerstone of social media is that everyone has a medium to let their voice be heard. Providing an arena for feedback, conversation and an exchange of ideas is paramount to community engagement and consequently the success of your social media efforts. Additionally, your business should personalize its presence within your social community by consistently responding to feedback and continuously engaging in discussions, and by doing so as people rather than as your company. For example, you can see that this blog post is written by David, not by Integrity Consulting.
  3. Content Deployment: On what days do people consume the most content on social media sites? At what times? How often do people look for new content? There is a science to content deployment, and when your business decides to post a slideshow or a blog post could result in over a 200% difference in the number of comments and feedback. On Facebook, more posts and comments occur at 11AM and 3PM than any other time of day, and Wednesday consistently experiences the most traffic while Sunday experiences the least. Information like this is useful when developing a content calendar (a schedule for when your business will post new content). But don’t let the calendar make your activity too rigid. It is always important to punctually respond to people’s comments and questions.

Your business has a community, whether it is virtually connected or not, and engaging that community is the first and most important step in using social media to drive growth and profits.



April 27, 2011 - Getting Started with Social Media

The social media ocean is enormous, and your business wading out into it might be understandably overwhelming. To make the social media realm less intimidating, it is important that your business develops a refined social media strategy to answer some important questions:

Who is your audience and what are your objectives?

  • Is your primary objective to serve your existing community, expand your community or both? If you are trying to do some basic marketing and branding or your audience wants a simple community, Twitter or Facebook might suffice. However, if your audience requires something more engaging, your business might benefit more from having its own community.

What social media platform or platforms will your business use?

  • Is Facebook or Twitter the right platform for your business, or does your social-community-to-be need its own website? Or is the answer both? The answer to these questions may depend on the size of your company’s community, what features you want your platform to possess, any security concerns you might have, etc. These days a business’s presence on Facebook is almost necessary, but your business might need something more.

How will your business use social media to engage its community?

  • What applications will your social media site have? What content will you create and distribute to your community? How frequently will you post new content? What communicative capabilities will your community have?

What community management controls will your business put in place?

  • How will your business track, analyze and report moderation activities? What moderation guidelines will your business establish? How can your business turn negative posts into opportunities? What kind of analytics will your business use to assess how your content is trending or whether your message is getting across to your audience?

There are many things to consider before your business dives into social media and carefully outlining a strategy is a critical first step…remember, strategy without action is futile and action without strategy is fatal.



April 21, 2011 - Your biggest fear about social media should be that your competition is doing it and you’re not

Social Media has quickly made a huge impact on our professional lives and that impact is only increasing every day. I’ve been discussing social media with many of our clients recently and have been listening to several fears about getting engaged with social media. Everyone seems to want to start, but is nervous to get going. While there are several risks and concerns that need to be addressed regarding the use of social media in the workplace, your biggest fear should not be of social media itself, it should be of not participating and engaging with your clients via social media. This is illustrated by two of my favorite social media quotes from Erik Qualman, author of “Socialnomics”:

“We don’t have a choice on whether we DO social media, the question is how well we DO it.”

“The ROI of Social Media is your Business Will Still Exist in 5 years.”

Now, I’m a former athlete, a swimmer to be specific… Each day when we considered skipping out on practice, our biggest fear was that if we missed practice, our competition was likely out there practicing and getting better than us. It was not a fear of the risks of getting injured or other potential concerns. Very similar to athletics, your biggest fear in social media should be that someone else is doing it and your competition is getting better than you and taking your customers… not a fear of what people may say via Twitter or comment on your blog posting.

Let me try to illustrate this via a hypothetical example.

There are two companies (made up names for fun), Homerun and Strike3, that both launch similar new products on Monday. Homerun uses social media, while Strike3 does not. Let’s see how each company plays out:

Homerun

  • Launch Strategy: Markets product on their website and through all of their social media outlets, Twitter, YouTube, Facebook and LinkedIn.
  • Day 1:
      o 300 people find Homerun by searching for keywords through web and social search
      o Out of those 300, 5% (15) post/tweet – each of those has an average of 200 people in their social networks
      o Homerun has now reached 3,000 people
      o Obviously, only a small percentage of those people act on the information, maybe 2%

  • Day 2: Homerun picks up 60 additional customers

 

Strike3

  • Launch Strategy: Markets product on their website.
  • Day 1:
      o 25 people find Strike3 through standard web search
      o Out of those 25, only 1 posts something via Twitter about the product (since there was no easy sharing established via normal social media means)

  • Day 2: Strike3 picks up 1 additional customer

The above process repeats itself and Homerun reaches thousands of potential customers through their own trusted relationships, leading to an exponential growth of potential customers reached. Now, of course Homerun has to have a good product to sustain solid sales, but through a sustained effort and based on an articulated strategy, they will ultimately be more effective in marketing their product than Strike3. The fact is that only a small percentage of people that find a product actually post or tweet about it BUT… Those people each reach a wide number of friends, relatives, etc (people that likely have similar needs and beliefs). Qualman proved that people trust the word of people in their social networks more than advertisements.

You have one opportunity to grab the attention of those potential clients. Statistically, most of us don’t pass the first page of our search rankings and many never make it past the first few results. Furthermore, most of us will trust things found via social media because others (people we trust or follow or friend) posted it and therefore, once we find a company with the product we were looking for, we won’t search for another company. As I was reminded while out running the other day through my iPod, Eminem said, you only have one shot, one opportunity… don’t let it slip away.

Now that I’ve hopefully convinced you to jump in, there are real risks of social media and other concerns that we will continue to analyze in future posts. It is imperative to develop the strategies and policies for the most effective use of Social Media, but nothing should stop you from trying it! In future blog posts, I’ll also be sharing some ideas on how to get started on social media.

If you need more convincing that Social Media is more than the latest fad, watch this video.

