Prioritizing Policies & Procedures
Just now discovering our Business Continuity Blog Series? Get caught up with The Need For Adaptive Recovery, Assembling Critical Information For Decision-Making, Succession Planning in the CoVID19 Era and People Impact Analysis.
In March, we tried to anticipate appropriate topics for our Business Continuity Series. Little did we know the series of events that would transpire.
This week, in the middle of the CoVID19 pandemic, and with US and global economies fluctuating, we see our global community protesting for policies and procedures that will hopefully lead to meaningful racial reform.
In many ways, I find this post difficult to write in a context of disaster recovery when contrasted against the magnitude and importance of the racial and equality reforms needed.
The words prioritizing, policies, and procedures - they seem so sterile, perhaps so out of touch with the human side of all this, as though we can truly solve problems by changing a law or guideline, writing a manual, improving training, or mandating a different behavior.
So, I am torn on how to address this. It seems disingenuous to Ahmaud Arbery, to George Floyd, to their families and to the problem of racism and discrimination that led to these deaths to not address them.
Out of respect, I am taking a moment in this blog to recognize Ahmaud Arbery and George Floyd and asking you to kneel for 8:46 minutes today, or 2.23 walk/run, and meditate on doing the right thing for people. That should always be our priority, and it's well overdue.
“It may be true that the law cannot make a man love me but it can keep him from lynching me and I think that is pretty important, also.” - Taken from Martin Luther King, Jr.’s address at Western Michigan University, December 18, 1963
Out of all the disaster recovery policies and procedures we could discuss in light of the pandemic, and subsequent financial shifts, those policies and procedures that address equality and human rights simply have to be the highest priority at all times, every day, all day.
Compound Issues are a Problem
In light of the CoVID19 pandemic, one may wonder what, if anything, would need to change with existing disaster recovery policies and procedures. It may seem that what is already in place is valid.
At one point in my career, I was consulting with a major Fortune 500 client that had two data centers, one in the northern part of a state and another in the southern part of the state. The sites were relatively close. They had a mainframe with synchronous replication to a bunker site and a need for a zero recovery point objective. There is a fault line through the middle of the state between the sites.
We discussed risks beyond the data center, like the inability of people to get to the recovery site to rebuild systems. Topics of large-scale civil unrest, the fault line shifting, and state-wide travel bans seemed too unrealistic for the client to consider.
Failing to Stay On Top of Changes
Teams are reluctant to revise written policies or procedures or to review them frequently. There is often a "Set and Forget" mindset unless there is a disruption that leads people to consider them again.
“There is a growing consensus that the industry must plan for events of wider geographic scope and greater physical disruption than in the past, including those that involve loss or inaccessibility of critical staff or of widespread telecommunications or other services disruptions. City-wide disruptions may be the benchmark for planning purposes going forward, and regional disruptions also need to be considered.” - Summary of "Lessons Learned" from Events of September 11 and Implications for Business Continuity
Do We Ever Learn?
The Disaster Recovery Plans for the World Trade Center have become one of the leading sources for lessons learned for disaster recovery planning. Of those lessons, the top few are:
Pay attention to your people and how they continue to work (Workforce Resilience)
Communicate often and frequently with your people, even when nothing has changed, to help quell the rise of unnecessary rumors and fears
Look beyond the requirements for IT and Operational recovery as the Financial Requirements of recovery may well become the most significant challenge
Be constantly vigilant over revising and updating procedures and policies. Technology changes, connectedness changes, and dependencies increase more rapidly than expected
Here are two quotes from an article written in 2011, almost nine years ago.
In the years since 9/11, corporations have been forced to consider more flexible work environments that allow employees to work remotely during a disaster through the use of virtual private networks (VPNs) or other means, such as hand-held devices like smart phones. Gartner analyst Roberta Witty believes the most important 9/11 lesson may seem altruistic, but it's really about survival of the fittest: Companies have to care for their workforce. Analysts today say regular gap analysis is still a key component to disaster preparedness. - ComputerWorld 9/11: Top lessons learned for disaster recovery
Two years after 9/11, some businesses were already putting aside the urgency for making necessary updates to the DR policies and procedures. Is it really easier to ignore a problem and wait until you're forced to address it? Do we have to wait for a law like Sarbanes-Oxley before we commit to doing the right thing?
We have to press for implementing true, meaningful change and prevent recurring issues.
“An online poll of Tech Update readers suggests that companies are still resistant to change. Of approximately 250 respondents, only 10 percent said their company had changed its disaster recovery plan since September 11. A whopping 50 percent said their company doesn't yet have a plan in place. ‘September 11 is losing its effect,’” - How 9/11 changed disaster planning (2002)
Where is the Proof?
In all of these daily examples we see right now, from the pandemic response and inappropriate police field tactics to disaster recovery and business continuity policies and procedures, what should be the priority? In my opinion, it is constant vigilance over the quality and viability of these policies and procedures. To do this, you will need to understand how effective these policies and procedures are and what external changes are taking place that will impact your best-laid plans, which could go very astray.
If we look at the origin of the word policy, it gets its roots from the Greek words for evidence, proof, demonstrate, and show. I submit that we often think about policies, and write them, incorrectly. We often write what is allowed or not allowed, and what should be done or not done in the event of situation x and y and z. These are procedural descriptions. Instead, policies should describe tests for how we know our procedures and practices are practical and viable in an ever-changing world.
“The origin of ‘Policy’ probably from medieval Latin apodissa, apodixa, based on Greek apodeixis ‘evidence, proof’, from apodeiknunai ‘demonstrate, show’.” - Definitions from Oxford Languages
Write Good Tests
We can borrow a page from the practice of Test-Driven Development (Kent Beck), in which developers write a test that their code will first fail and then pass before they write the code itself. In this context, I am proposing we use the policy as the test and the procedure as the code. Let's call it "Test-Policy Driven Procedures".
If our policy is focused on generating the following:
"Customers rate our product return experience ~8/10, citing the return experience as a major reason they shop at our store more than 80% of the time."
Then a procedure such as:
"Returns will only be accepted on Wednesdays, with three forms of ID, with the original receipt, and in the original shopping bag," is likely to fail the policy test above.
The Test-Policy Driven Procedure approach provides many benefits, including:
First defining how to measure your success before investing in the design of a procedure
Having the knowledge that the procedure works or recognizing the need for revision to pass the policy test
When employees get into a complicated situation, better-written policies can help them easily find a solution.
Actions and procedures should be in alignment with values. Testable policies help define how to measure adherence to these values.
The contrasting Business Continuity examples in the table below may serve as a good starting point for discussion within your organization.
This is perhaps a bit altruistic and contrived for some, but why not drive to a higher level of compassion and transparency?
Believe in your people, and your organization can rise to higher levels
Demonstrate that belief by including them and their needs in your BCP
Write testable policies and put the data into your analytics engine
Use validation data daily in your dashboards to understand where your procedures are compliant and where you have risks
Take action preemptively
How well are you able to track compliance with procedures in your organization? Are the actions of your employees in line with the company's values? How robust is your business continuity plan? Perhaps it is now time to take a closer look at how your data is working to keep your business stronger.
Jim Szczygiel has been working as an Information Technologist since the early nineties. Most recently Jim has held roles as a consultant, product manager, data analyst, sales, and solutions architect along with working with agile and extreme programming teams. Jim has provided services to hundreds of different Fortune 500 clients in the sectors of Chemical and Natural Resources, Finance, Insurance, and Manufacturing.