Saturday, June 30, 2012


Dennis C. Hamilton continues his series on crisis management, looking at how to conduct effective exercises.
Although the ‘In-crisis decision making’ information series formally concluded with the previous article, ‘Majority rules decision making’, we have decided to continue the series as a means of responding to the overwhelming number of questions and information requests received.
In this and subsequent articles we will be providing some thoughts and suggestions on a variety of related topics, the first of which addresses one of the most frequently asked questions: how do you exercise or train for in-crisis decision making?

Like so many things in life, in order to become proficient in any physical or mental process, it is necessary to practice. Some say there is no better learning curve in crisis management than managing through an actual crisis. To some extent I believe this to be true. However, what you actually apply during a crisis are the capabilities that exist at that time, including inefficiencies in how your organization responds to a crisis, how it is managed, and how decisions are made.
Decision making is enhanced when you listen and learn, then incorporate what you already know, blend it all together and, ‘poof!’, a decision will emerge. The risk of failure increases when you only consider what you know as an individual. As such, what you really must ‘exercise’ is the TEAM’S ability to make decisions.

Before we get into some details, a couple of definitions may be of value:
Decision making can be regarded as an outcome of mental processes leading to the selection of a course of action among several alternatives. Specialists apply their knowledge in a given area to making informed decisions. For example, medical decision making often involves making a diagnosis and selecting an appropriate treatment (the decision).

Exercise, in our context, is the application of thought processes to apply knowledge and information in order to enhance or maintain a team’s decision making capability. It is an activity that requires mental exertion when performed, challenging the knowledge and capabilities of those involved.
Exercising is using knowledge and skills you already possess; you simply want to use them in situations where you are expected or required to apply them.
We will now focus on how a crisis response team prepares itself for in-crisis decision making through training and exercises:
Exercising a team’s decision making capability is an essential component of what should be your organization’s crisis management ‘continuing education & training program’. My crisis management methodology for a continuing education & training program is comprised of four major elements that need to be briefly discussed in order to put training of the crisis response team into perspective. These are:

Program standards & skills reinforcement exercises
The objective of standards & skills reinforcement exercises is to reinforce crisis management policies, standards, disciplines and in-crisis processes through exercises that force the participation and the application of the knowledge and skills of all team members equally. All primary members and designated backups of the crisis response team need to participate.
Alternatively styled exercise sessions:
- Multiple short (20 minutes to one hour each) situational exercises are designed to trigger an emotionally charged condition within the exercise. This would test / exercise the interplay and interdependence of team members while under pressure and while attempting to make significant consensus-based decisions within minutes of being engaged.
- Scenario exercises (one to three hours each) are designed around highly possible or probable events. Creating a plausible situation where stress, anxiety, rumours and speculation would realistically occur forces the team to assess changing conditions, make in-crisis decisions, obtain executive concurrence, apply in-crisis operating standards and manage disagreements and opposing fundamental beliefs.

Crisis simulation exercises
Defined as an interactive, full participation, role playing exercise whereby the crisis response team is provided with a crisis scenario incorporating significant variations (changes to the scenario) for the purpose of coaching individual and team responses; particularly focused on situational assessment and in-crisis decision making. A crisis simulation exercise requires participation from all team members for 1 to 1.5 days and, in order to create a more realistic state of crisis, aspects of the exercise could take place over a one to two week period.
The primary objective of a crisis simulation exercise is to establish and maintain a realistic state of crisis to fully assess all key aspects of control, decision making and emergency response in an event-driven scenario.
Participation on the part of the executive management, business leaders, other internal stakeholders, as well as external agencies and organizations all contribute to the CRT learning process by creating a realistic environment in which to perform.

Pre-event response planning
Pre-event response planning is defined as a process of response identification in advance of known or expected events that directly or indirectly endanger people, image or operations of the organization. While similar to an exercise in terms of how it is performed, the resulting plan becomes an operational deliverable of preparedness.
The primary objective of the workshop is to identify tasks or activities that should or could be carried out by various operations or functions within the organization based on a time-line of probable and evolving events and circumstances. While the primary objective of pre-event response planning is to exercise the analytical capabilities of the crisis response team, it also provides the ideal arena to identify precautionary and preventative measures that can be taken now to prevent or mitigate the impact of the selected event.

Educational programs / knowledge transfer forums
The objective of this type of information forum is to share information that will enhance the organization's overall crisis management capability. All primary members and designated backups of the crisis management team should attend.
Crisis response team members can directly contribute by providing an operational overview of how their department functions during various emergencies or can arrange for presentations or workshops with external organizations that provide vital services (i.e. stress counselling). Emergency management related external agencies could provide a working understanding of role, interaction and expectations on the part of the respective agency and the organisation.

Failed outcomes of crisis management exercises
Exercises, particularly major ones, unfortunately often fall far short of meeting an organization’s aims for a number of reasons, including:
• Lack of participation on the part of team members (this is such a common problem that it will be the focus of the next segment of this series).

• Too little ‘action’ to maintain interest and focus on the part of participants.
• Too simple to challenge the team’s skills and knowledge levels.
• Too complex or disjointed events creating a no-win scenario for the team.
• Not enough ‘fun’ to generate enthusiastic participation.
• The exercise is based on a scenario most believe to be improbable or unrealistic.
• Exercises developed by individuals who are not experienced or qualified to do so.
The building of a crisis management exercise must not only deal with the above challenges head-on; its development criteria must also include:
• Creating conflict situations to force opinion and consensus.
• Forcing inter-dependent decisions to be made to show consequence of their actions.
• Reinforcing crisis management principles, policies, standards and the in-crisis process.
• Coercing the knowledge participation of every discipline (team member).
• Creating an environment for participation of designated backups.
• Gaining exposure within the executive (crisis management team) and senior management hierarchy.
• Including the crisis management team in the assessment and consideration of actions taken by the crisis response team.
• Presenting scenarios that require multiple disciplines to cooperate to achieve success.

Critical success factors
The adoption of most, if not all, of the following critical success factors will greatly enhance the quality of the exercise and the active participation of team members, and deliver on the expected benefits to the organization for the efforts applied.
• By far the most important critical success factor is to make the exercise ‘fun’ for the participants. That doesn’t mean it can’t be tough, stressful or full of challenges; it only means that if you want continued support and participation, they had better enjoy the experience.

• Put in the effort required – building and facilitating an exercise is a significant undertaking; recognize that for a crisis simulation exercise every hour of the actual exercise will require 10 to 18 hours of development time depending on the experience of the developer and facilitator.

• Don’t build an exercise to fail! I have no idea why some promote that failing is a positive learning technique; it only creates anxiety, disappointment and will negatively impact their desire to participate. Let’s never forget that for most organizations, participation on their crisis response team is not in their job description, they are in effect ‘volunteers’. Nonetheless, as the size of an exercise increases so must the complexity and challenges, and with that the probability of success diminishes. For crisis management, we are not teaching them how to do their job; they already know that.

• Team dynamics and interaction will probably point out at least one member of your team who wants to push their individual agenda and views on others by stating or implying they are an expert or by being loud or even rude. These ‘bullies’ try to get their way most often by putting down others’ opinions versus gaining support for their own opinions. The crisis response team is critical to your organization’s effective response to a crisis. As such, you should not have room for bullies; it is acceptable and recommended that you replace them.

• Do what you can to make all members of your crisis response team feel they are important to the organization; including the little things around conducting an exercise.

- Provide a large meeting room with lots of work space versus the confinement of most crisis command centres.

- Inform executive management and senior managers of the members of the crisis response team that vital exercises are being conducted to ensure the organization will be successful in response to a crisis situation. Send your announcement a few times before the event takes place. Spontaneous participation by management personnel may be the outcome.
- For every major exercise have a senior executive thank the crisis response team for their dedication and efforts; a pat on the back goes a long way with all of us.

- Provide coffee, snacks, lunch; whatever you can do as a minor thank you for their time and effort.

- If possible, conduct a major exercise external to the office. Not only could it generate a higher than normal participation rate, it can go a long way to creating a realistic scenario of events impacting your facility.

• Bottom-line on participation – if you don’t have 90+ percent confirmed for participation in an exercise, cancel or reschedule it and, on behalf of the team, reprimand those who forced you to reschedule. If you don’t have full or close to full participation it is not possible to draw the key conclusions necessary; too many vital skill sets and knowledge sources would be missing. Don’t forget to publicize to executive management the reason for canceling the exercise and those responsible for the cancelation.

• While I am certain that most organizations recognize how imperative it is to have at least one designated backup for every primary member of the crisis response team, it is equally imperative to have the designated backups participate ‘equally’ in all components of your crisis management continuing education and training program.

• Turn off the cell phones. If someone on the team needs to be reached for any reason, you can be certain that a way will be found.

• Do not allow the use of laptop computers during any exercise unless they are being used to support the team’s efforts. As difficult as it may seem for some people, you really can survive without seeing your emails for a few hours. If you are conducting a full day exercise, you will unfortunately need to provide a break in the proceedings for people to check their emails.

• Your exercise developer and facilitator cannot be a member of the crisis response team; otherwise your ‘team’ will be missing a key resource during the actual exercise. To achieve any level of success, your exercise developer and facilitator must be well experienced in the development and facilitation of crisis management exercises.

• Never build an exercise that has a catastrophic impact on your organization, such as a massive loss of life. It is virtually impossible to realistically create a scenario that could be effectively managed by the crisis response team and concluded within the prescribed time frame.

• For major exercises, role-playing participants (non-CRT members), both internal and external, are crucial to the level of success you will achieve, but be very selective! Ensure these role-players have the personality to be convincing, are willing to follow an exact script and, above all else, do not contribute information that was not pre-established and do provide all of the information they were scripted to present.

• Keep the exercise rolling; lulls or delays in the exercise for whatever reason are deadly. Schedule role-players, provision of new information (calls, memos), impact changes of the event, providing results from previous decisions, etc. on a constant basis (every few minutes); particularly in the first hour of a major exercise; after which the frequency can be variable based on the desired progression and outcome.

• Keep exercises realistic in terms of what most believe will happen and the probable impact of any event. Your probability of success will be determined in the first 10 minutes of an exercise. If the team is not engaged because they do not believe the scenario to be realistic, your exercise objectives will not be achieved. Select threats or events that are highly probable, have been stated by executive management as being a concern and / or are among the ten threats or events that are of greatest concern to the crisis response team (in terms of their ability to manage the situation).

• Walk before you run – a full crisis simulation exercise is well worth the effort, but it’s not a great place to start. Phase in your training by providing program and skills reinforcement exercises or conducting a pre-event response planning workshop. Your objective in training through exercises must always be success!

My company, CRPC, has developed and facilitated crisis management training programs for organizations throughout the world and consistently achieved success when the suggestions and critical success factors presented were applied. Yes, it’s difficult and takes considerable effort, but being able to provide assurances to your executives and other stakeholders that you are fully capable of responding to and managing any crisis is the reward.
Author: Dennis C. Hamilton

Cultural factors are a key challenge for consistent global risk management: Aon Risk Maturity Index

Aon Risk Solutions has published new findings from its Aon Risk Maturity Index, an online tool created to empower risk and finance leaders to assess the development level of their organization's risk management structure and implementation. Participants most frequently identified cultural factors as a key challenge to instituting a consistent, global risk management approach in key emerging markets: Asia-Pacific (excluding Australia and New Zealand), Central America, Eastern Europe, Middle East/Africa and South America.

"Just as an organization must consider cultural differences in its decisions around new market or product entry, it must also consider cultural differences when setting its risk management framework strategy," said Michael Joiner, associate director of enterprise risk management for Aon Global Risk Consulting.

Aon Risk Maturity Index questions focus on corporate governance, management decision processes and risk management processes. Specific to this finding, participants were asked, "For each region in which your organization operates, please indicate the key challenges to instituting consistent risk management approaches" and were given the following multiple choice set of factors to consider: legal/regulatory, logistics/geographic, economic/financial, cultural and human capital/talent.

"As many businesses sharpen their focus on remaining competitive and sustainable in a world of uncertainty, this finding reminds us of the importance of starting with a solid understanding of both the environment in which an organization operates and the complexity of risks it faces," said Theresa Bourdon, group managing director, Aon Global Risk Consulting – Americas. "The Aon Risk Maturity Index is generating data that can be used to drive insights on business practices globally. As we expected, we are beginning to see interesting trends in the overall risk maturity of organizations based in different parts of the world.

"For example, in more mature markets where risk management has historically been a key component of an organization's operations, cultural challenges are less of an issue. In these cases, organizations are able to focus on the challenges driven by legal/regulatory, economic, human capital and logistics issues."

Looking at the remaining regions, human capital/talent factors were the most frequently identified challenge for organizations with operations in North America. Logistics/geographic factors topped the list for organizations with operations in Australia/New Zealand and Western Europe. Analysis also suggests the key challenges identified are consistent across major industries.


Supply chains today are extremely complex — and as they are now global, they are extremely long as well. This scope and complexity creates a web of interdependencies that is hard to track. Indeed, many companies live in ignorance of the risk posed by one part of their supply chain, until disaster strikes.
Supply chains are multilevel and comprise the flow of goods and materials, information and money within and between organizations. The outward manifestation of the supply chain is the physical transport and distribution networks that move goods from one point to another, but just as important are the communication networks across which information passes. Today’s supply chains, with their emphasis on efficiencies and just-in-time delivery, are hugely dependent on these less visible networks.

Watch for the risks
Today’s supply chains face three broad types of risk. The first of these is the loss of power. Many outlets at the one end of the supply chain simply don’t have backup generators; during a power outage, they cannot transact with customers given today’s payment methodologies. In addition, ordering systems are increasingly linked to electronic tills, so loss of power affects replenishment. And, of course, stores selling perishables would be severely affected by extended loss of power to refrigeration units.
The second major category of risk is loss of fuel. One immediate result is loss of transport, which means that the movement of goods and people is halted — and consider that the average supermarket might be replenished up to 12 or more times a week. Perishable goods in transit would be at risk and, of course, so would backup power-generation plans, which typically rely on diesel generators.
The final category is loss of people, primarily through industrial action and pandemics. Obviously, without people, operations are compromised or even impossible.
Each of these losses can affect any company within the supply chain, with knock-on effects of greater or lesser severity.

But is it in the budget?
Even from this brief description, it’s clear that even the simplest supply chain has multiple vulnerabilities, the number of which grows exponentially in relation to the supply chain’s complexity and scope.
The case of a local producer of specialty mushrooms to the European market demonstrates some of these interdependencies. After listing on the stock exchange and a year’s stellar growth, the company folded. One reason was poor harvesting practices, but the other two concerned loss of power and loss of transport. Loss of power meant that the temperature controls necessary for mushroom growth broke down, and port congestion meant that the perishable product spoiled.
Even more to the point is Land Rover which, in the early 2000s, found itself unable to produce its best-selling Discovery model because the company that supplied the chassis went broke. The chassis manufacturer’s failure was the result of an ill-advised foreign venture that had nothing to do with its business with Land Rover. Land Rover learned the hard way that the failure of a single point of dependency is catastrophic: luckily, there was a happy ending and the company was able to recover.

Learn the lessons
My point is that the interdependencies within a supply chain can be so complex that a business can find itself at risk from something totally unexpected somewhere in a complex web of business partners. Conversely, a business might itself be so important in a supply chain that its failure would put the whole chain at risk.
Your own company’s continuity thus depends on the continuity of the entire supply chain. It’s therefore very important to know your suppliers well, especially those that are important. In fact, I believe that companies should not procure from suppliers without ensuring that an effective and current business continuity plan is in place: “No business continuity plan, no business,” should be the phrase on your procurement staff’s lips!
In other words, your business continuity plan must include credible business continuity plans for all suppliers as well—their success is your success, but their failure is also your failure.


We are in the middle of a big evolutionary leap in data recovery services, says Justin Lord.

A decade ago, server recovery was a manual process that took four to five days on average to complete. In fact, anything up to a week was acceptable. The solution was almost invariably on the client's site using dedicated infrastructure — the lack of bandwidth meant that replicating data between offices simply was not financially feasible.
The bursting of the dotcom bubble provided the impetus for a range of new hosted services and had a major impact on disaster recovery services, as companies began to outsource hosting services. In turn, this prompted the growth in replication and co-location, mostly located within the same city, as connectivity costs and bandwidth issues remained a key constraint for the industry.
Over time, as we all know, connectivity prices started to come down, and bandwidth became more available in outer city areas. As a result, data centres could be moved to outlying areas, and dual-site solutions became more standard. And as the demand and expectations rose, so did the pressure on business continuity providers to guarantee resilience. Today, we are seeing triangulated gigabit solutions becoming commonplace — and clients really benefiting from the reduced latency.

Greater connectivity into multiple data centres has also driven an increase in the demand for on-site services like remote hands, monitoring portals that allow clients to monitor power and temperature, and the rise of service-level agreements. It also led to an increase in the concept of the single solution that included hosting, storage, networking and many of the associated managed services. In essence, this means a wide variety of services across platforms within the company can be fused back into a single recovery service — continuity as a service.

What does the future hold?
Given where we are now, it's worth looking at where we are likely to be going in the future. It's clear that infrastructure as a service and platform as a service will play a growing role in disaster recovery. They are not new, but they are changing the way companies use disaster recovery services by making recovery solutions more operationally relevant.
It must be borne in mind that the traditional hosted services I described at the beginning of this article are sometimes still quite sufficient for certain areas of businesses. Consequently, a business continuity company must still offer these types of services. Where there is considerable evolution is around the area of availability and network services. When it comes to availability, we are seeing more demand for managed backup and recovery, virtual server replication and high-availability solutions generally. Networks are obviously critical in today's connected environments, and so Internet bandwidth, voice and network recovery, point-to-point connectivity, MPLS recovery and managed security are also growing strongly.

Recovery services are becoming more operationally relevant, and increasingly it is the continuity of the business that is being offered, not specific services. In this context, it's obviously very important that one provider delivers the full service — everything hangs together so it's best if one company has responsibility for it.
Professional services play a hugely important role in this emerging business continuity landscape. They can help companies decide which components need to be hosted in Tier 3 data centres or require fully managed services, by establishing how much the business depends on each component of the IT infrastructure.

Taking business continuity into the mainstream
Several services flow from the concept of continuity as a service, and complement it. These include managed services and replication services, but I especially want to highlight virtual server hosting, which creates fully resilient resource pools for clients to recover critical business applications. This on-demand capacity can also be used for normal daily operations at times when it is not required for disaster recovery — which is most of the time, after all.
Obviously, this resource pool's primary function is for business continuity, but it is there to be used for whatever the client wishes, for example, for R&D. It gives clients a seamless real-time recovery if that's what they want, which can include other services like call centres, telephony, work stations and so on. This fusion of services is possible because it all sits on the virtual infrastructure within the service provider's campus.
Continuity as a service is about evolving traditional recovery services into operationally relevant services that provide clients with virtual resources that can be used for much more than disaster recovery. It's all a very long way from the manual on-site recovery over several days, with dedicated infrastructure that basically stands idle for most of the time.

Author: Justin Lord

Thursday, June 28, 2012

Richard Rumelt: The Evaluation of Business Strategy

Professor Richard Rumelt is a leading thinker on corporate diversification strategy and the sources of sustainable advantages to business strategies. Here we review Rumelt’s landmark article The Evaluation of Business Strategy, where he proposed four key tests of business strategy.
According to Rumelt, strategy should not be implemented before a proper evaluation has taken place. Strategy evaluation is a key part of the strategy process, which attempts to look beyond the obvious facts regarding the short-term health of a business to the more fundamental factors and trends that govern organizational success. Rumelt defines strategy as:

… a set of objectives, policies and plans that, taken together, define the scope of the enterprise and its approach to survival and success

The challenge of evaluation

Rumelt states that no matter how it is carried out, the result of a business strategy evaluation should provide answers to these three questions:
• Are the business objectives appropriate?
• Are the major policies/plans appropriate?
• Do the results confirm or refute critical assumptions on which the strategy rests?
However, answering these questions is not always straightforward, as there are some issues that will always make evaluation difficult:
• Each business strategy is unique – strategy evaluation must rest, therefore, on a kind of ‘situation logic’ that looks at the circumstances of each problem and tailors the strategy accordingly.
• Strategy is centrally concerned with the selection of goals and objectives.
• Formal systems of strategic review, while appealing in principle, can create explosive conflict situations between managers and employees who may be unreceptive to the idea of change.
It is impossible to test a strategy absolutely, but it can be tested for critical flaws. Rumelt proposes the following broad criteria or principles of strategy evaluation as a basis for testing for these flaws:

1. Consistency: the strategy must not present mutually inconsistent goals and policies.
Rumelt argues that inconsistency in strategy is not merely a flaw in logic. One of the main purposes of strategy is to provide a sensible framework for organizational action, which fits organizational objectives and values. Rumelt cites the example of high-technology organisations facing a strategic choice between offering customized high-cost products with high custom-engineering content and standardized lower-cost products that are sold at higher volume. If senior management does not clearly spell out a consistent view of the organisation’s position on these issues, there will always be conflict between the sales, design, engineering and manufacturing functions.

2. Consonance: the strategy must represent an adaptive response to the external environment and to critical changes occurring within it.
Rumelt’s test of consonance focuses on the organisation’s ability to match and at the same time adapt to its environment, while competing with other organisations that are also trying to adapt and prosper. However, he argues, the main difficulty in evaluating consonance is that most of the critical threats to an organization come from the external environment, and so threaten all organisations in that industry. Strategic decision-makers may be so absorbed in how to achieve competitive advantage over their rivals that the threat is only recognized after the damage is done. Rumelt also points out that forecasting techniques such as trend analysis do not normally expose potentially critical changes that come about as a result of interaction between trends.

3. Advantage: the strategy must provide for the creation and/or maintenance of a competitive advantage in the selected area of activity.
The test of competitive advantage is to see whether the strategy will allow the organization to capture the value it creates. Competitive strategy is the art of creating and exploiting those advantages that are most telling, enduring and difficult to imitate. Therefore, Rumelt says, the strategy must provide for the creation and/or maintenance of a competitive advantage arising from one or more of the three roots: superior skills, superior resources and superior position.

4.     Feasibility: the strategy must neither overtax available resources nor create unsolvable sub-problems.
Rumelt’s final test of evaluation is feasibility, which looks at how well the strategy would work in practice and how difficult it might be to achieve. In other words, does the organization have the physical, human and financial resources available to effectively implement the strategy? In order to establish this, it is useful to consider the following:

·       Does the organization have the problem-solving abilities and special competences required by the strategy?
·       Does the organization have the ability to integrate the activities involved in implementing the strategy?
·       How will the competition react and how will the organization cope with that reaction?

The process of strategy evaluation

Rumelt states that the process of strategy evaluation can happen as an abstract, analytical task (sometimes performed by consultants). But more often than not, it is a fundamental element of an organisation’s planning, review and control processes. Some organisations carry out strategy evaluation informally and infrequently while others have formal, detailed strategy review procedures that they carry out on a regular basis. Either way, the quality of strategy evaluation and organizational performance will be determined more by the organisation’s capacity for self-appraisal and learning than by the analytic technique employed.

In most organisations, comprehensive strategy review is sporadic, and is usually triggered by a change in leadership or financial performance. Rumelt argues that this is a good thing – he claims that if strategy review was a regular event, the evaluative questions would become automatic and this would inhibit thorough reflection. He also maintains that if a strategy is good in the first place, it does not need constant redevelopment. Another reason for not reviewing the validity of a strategy too frequently is the need to convince competitors that the organization stands firm by its strategy, which is fixed and unshakeable.

Strategy evaluation is the appraisal of plans and their results, which affect the principal mission of an organization. Its focus is the separation between obvious current operating outcomes and the basic factors which underpin success or failure in the chosen industry. The result of strategy evaluation is the rejection, modification or authorization of strategic plans. It is impossible to demonstrate conclusively that a particular strategy is optimal or that it will work. However, Rumelt’s four tests of consistency, consonance, advantage and feasibility provide a basis for effective evaluation. A strategy that fails one or more of these tests has some fairly serious flaws. A strategy that passes all the tests cannot be guaranteed to succeed but is undeniably better placed for success than one that is shown to be flawed.

Sunday, June 24, 2012


Your organization has spent considerable resources preparing for disruptive events, and now a crisis is looming. Plans are in place, detailing assigned roles and responsibilities that involve crisis leadership, as well as response and recovery procedural execution. But, will your crisis management team leader be effective? Will your response be successful? Often, one of the most significant key success factors is the choice of crisis leadership.
The best crisis leaders have a unique combination of natural abilities and learned skills that make them effective. The purpose of this article is to summarize the skills that Avalution’s team identified (and witnessed over the course of many crises) as being keys to success in hopes that each remains top of mind when selecting and developing the crisis leaders in any organization.

Choosing a leader
The individual chosen to lead an organization’s crisis management team (CMT), the group charged with leading the response to a disruptive event, is a key determining factor of its success or failure. Selecting an individual best-suited for a crisis leadership role should be based on leadership ability and the traits necessary to lead in an overly stressful and often ambiguous situation. Job title should never be the singular driver when making a decision as to who is best-suited to lead a CMT, but this person must be a well-respected member of the senior leadership team that has the necessary power and influence to commit the organization to a course of action.
Before we dive into the details of the natural and learned traits that make a CMT leader successful, we have a few high-level points to keep in mind before embarking on the selection process:
1. Involve your business continuity steering committee (or a similar governance body) in the CMT leader selection process. Present a job description that highlights the role and key success criteria, and then identify candidates – primaries and alternates – that could successfully carry out the role.
2. Culture is key. Each organization makes decisions in different ways. Choose a leader that complements the organization’s decision-making culture and can help streamline this process when time is of the essence.
3. Leading and managing the response to a disruptive event is not one person’s job, it’s a team effort. The CMT leader cannot perform all the tasks necessary for an effective response — the leader’s role is to set objectives, communicate goals and eliminate roadblocks that impede the team’s progress throughout the response to the disruptive event. As such, ensure that the chosen CMT leader is surrounded and supported by a team of cross-functional, knowledgeable representatives from throughout the organization.
So, what does it take to be an effective CMT leader?

Natural characteristics
Just because an individual displays great leadership skills during times characterized as ‘business as usual’ doesn’t necessarily mean the same will be true in a crisis situation. In our experience, the behavioral, or natural, characteristics described below are found in the most effective crisis management team leaders:
Persuasion – An effective crisis leader must inspire people to follow them – not demand it. This may sound simplistic, but a true CMT leader must have the innate ability to calm, motivate and empower team members during the response to a disruptive event. It is imperative the leader maintain the skills and expertise essential to establishing authority. The leader must instill confidence and connect emotionally and intellectually with both executive leadership and other crisis management team members.
Guts – Not all leaders are able to quickly and confidently make decisions in crisis situations with incomplete information at hand, but that tends to become the norm when responding to a disruptive event. Famed American author Ernest Hemingway provides the simplest and best explanation of the characterization of guts, defining it as “grace under pressure.” Skills can be taught, but the ability to keep a level head in a very tense situation, quickly make decisions, and lead a team (and organization) through a disruptive event is an intrinsic gift (one not easily taught).
Balance – Many organizations value collaboration as a key part of day-to-day decision making (and rightly so), but in a crisis situation, there often comes a time where a decision needs to be made immediately, even if the facts seem incomplete and obfuscated. There is an intangible ability a crisis leader must have — to know when it’s time to stop the discussion and start making a decision that commits the organization to act.

Learned skills
Although many other traits enable effective, day-to-day organizational leadership (most of which also apply to crisis leadership), senior leaders with the following three principles – when combined with the natural, behavioral abilities described above – are often exceptional crisis management team leader candidates.
Communication – It is no secret that well-executed communication strategies are integral to an effective crisis response. However, communication as a crisis management team leader is more granular than the organization’s overall communication strategy. A crisis leader must combine their natural abilities to inspire and empower with clear, direct communication. A CMT leader must deftly and transparently communicate goals and objectives with executive leadership and CMT members throughout an organization’s response to a disruptive event.
Purpose – A CMT leader must provide clear direction in organizing and maintaining the response effort. In addition, the leader needs to easily adapt to changing and often volatile situations without losing focus of the overall strategic goals for the CMT and, ultimately, the organization. Following proven response strategies detailed within the organization’s plan documentation, the leader will be able to successfully meet the goals and objectives of the organization.
Business continuity comfort, knowledge and participation – It is essential for the guiding force of the response and recovery process to have an intimate knowledge of the organization’s business continuity objectives and purpose. A crisis leader must be actively involved in the planning and continual improvement process. Additionally, the CMT leader must grow and evolve with the program through participation in testing and exercising the program.

In conclusion
Selecting the most appropriate crisis management team leader is an important task that requires careful thought and examination. The most effective crisis leaders have a unique blend of objective-oriented and task-oriented professional traits, and will deftly oversee the ‘big picture’ while seeking out tasks on the critical path to success. They demonstrate the right touch in dealing with unpredictability in people and situations. They provide clear direction over the situation and are able to identify and empower others within the team and organization that have a capacity for adapting behavior to changing situations. Effective CMT leaders will not have all the answers—in fact, they shouldn’t. Through effective communication, persuasiveness, and a driven purpose, the CMT leader should inspire the team to go find the answers and come to the best decisions to execute the most appropriate actions for the benefit of the organization.


Cloud computing has the potential to change how organizations define, manage and deliver information technology. It can help reduce the need to integrate new technologies in order to keep pace with growing server capacity demands, greater storage requirements and increasingly complex networks.
The capacity of cloud computing can be dynamically scalable to meet peak processing needs and to reduce consumption during off-peak times, thus enabling organizations to use technology more cost effectively. With either an existing Internet Protocol (IP) network or a series of dedicated high-speed lines, cloud computing can provide rapid access to resources and help drive efficiency, standardization and best practices while allowing the business to retain its customisation and control capabilities. Such an elastic and scalable approach makes it possible to benefit from emerging technologies more quickly because the cloud provider is responsible for the design and integration of these new technologies. As a result, the organization gains greater information-processing capabilities to support its growing IT needs and can reallocate time, resources and money to more business-focused opportunities.
Cloud computing is evolving, so not all workloads are immediate candidates for cloud deployment. Your organization may still require a combination of traditional processing and extended, remotely delivered services. However, for many workloads, simply plugging into the cloud can provide access to an almost endless amount of virtualized resources to meet your information processing needs.
This white paper examines important considerations for effective resiliency program management within a cloud design. One crucial factor is how the new cloud-based design will impact your organization’s existing ability to protect underlying IT systems and critical applications, as well as the associated information and data requirements that support the business. Additionally, it is important to ensure that the cloud-based functionality allows for continuous processing across your organization to sustain business success.

Assessing resiliency requirements
The migration from a traditional processing capability with a somewhat static design to a more fluid, cloud-based initiative undoubtedly increases the level of resiliency needed to sustain business operations. To address these resiliency needs, your organization should first evaluate:
  • Which workloads will be acceptable for processing outside of the traditional data center.
  • Whether cloud connection will be through the internal private network or through the public Internet.
  • The benefits and tradeoffs of using a public versus a private cloud
  • Whether the cloud will include storage or computing services
  • How distance might restrict how far the organization can place cloud content.
The next step is to conduct an assessment to help ensure zero impact to your business operations during the transition to cloud. This assessment also provides insight into how the existing architecture will impact your current design and helps to determine the potential impact, if any, as the delivery model changes. Critical areas to assess are:
  • Business functions. Defining and mapping business functions helps to ensure that modifications will not impact your existing system access, application dependencies and cross-site communications that are critical to optimal performance.
  • Performance objectives. You will need to revalidate service level agreements (SLAs), recovery time objectives (RTOs), recovery point objectives (RPOs) and security parameters for all critical and noncritical workloads that are candidates for cloud services.
  • System capacities. To sustain complete business operations, you must have the necessary system capacities in place at all times (such as scalability, performance and throughput), and these should address both short- and long-term outages.
  • Information accuracy and integrity. Ensuring consistent business operations is critical at all times, but it becomes increasingly important as your organization introduces flexibility into the overall environment. The ability to quickly move workloads through automated processes puts a greater focus on how information is handled relative to data currency, synchronization, availability and secured access.
  • Validation of the capability. This is an ongoing concern because the rapid change associated with the combination of physical and virtual resources results in more frequent modifications to the environment that are also more fluid in design.
To help ensure comprehensive business protection at the enterprise level, it is important to define an integrated approach to resiliency. Avoiding multiple or conflicting approaches resulting from piecemeal strategies is particularly critical if you are considering a combination of traditional and cloud capabilities.
In most instances, you will need to revalidate and redefine each of the critical assessment areas to maintain resiliency across your organization. Identified changes should be validated immediately upon introducing the modifications into the overall environment to prevent or reduce the impact that an adverse event might have on business results. This is where a well-defined resiliency strategy proves vital.

Developing a cloud-based strategy
An important first step in establishing a resiliency strategy within a cloud design is developing a detailed breakdown of the mandatory components of an effective program. Thoroughly reviewing your current resiliency program allows you to determine how you will need to modify existing capabilities to adapt to changes in the production environment when moving to a cloud-based design. Figure one depicts the components of a resiliency program.
Once you have established the crucial resiliency components of the program, you must then consider how to incorporate recovery into your design. Critical questions to ask include:
  • What are the cross-platform requirements and challenges?
  • How will backups be processed, and where will they be stored?
  • From a data standpoint, what are the recovery objectives (RTOs and RPOs)?
  • How will recovery processing be performed?
  • How will these cloud components be integrated into the overall resiliency program?
  • How will the design be validated? (How frequently will it be tested? At what scale?)

Figure one: Components of a resiliency program

In-depth resiliency analysis
When detailing the design of a cloud-based resiliency program, you will need to look at several variables that are critical for processing end-to-end business transactions. First, you must consider how to position key applications and supporting information. Additionally, you must determine your server capacity and throughput needs, as well as identify distance limitations for data synchronization and transfer. Another key variable is how you will address cross integration of heterogeneous platforms to ensure seamless processing. Finally, you will need to be certain that the new program will not impact your existing service levels. A detailed analysis that looks into the following areas can help address these issues.
Defining the infrastructure for cloud must take into account the numerous challenges associated with cross-platform integration.

Business functions
A thorough evaluation of all of the business functions is the first step in determining which workloads may be candidates for cloud computing. An analysis of the detailed process flows ensures that you have identified each process relative to the inputs, outputs and dependencies (both internal and external) needed to meet your business objectives.

Service level objectives
One of the most critical success factors in the deployment of any cloud implementation is keeping the existing service level objectives intact. You must manage the requirements for continuous and high availability SLAs, as well as business resumption metrics for RTOs and RPOs, in accordance with existing agreements so that your business remains protected from any adverse event that could interrupt production operations. These metrics should be reviewed and validated during both the business functional assessment and detailed technology blueprint analysis to ensure a consistent cloud design going forward.

Technology blueprint
The next step is to define and analyze the technology blueprint for all of the system, data and application components that correspond to the associated business processes. This analysis provides information about the options that will be in place to effectively position the supporting infrastructure for both in-house and remote cloud processing. The organisation must take into account adequate processing capacity, positioning of systems and data, and the integration of multiplatform technologies when redesigning the current production environment.

Documented connectivity requirements
Once you have defined the combined infrastructure—local production and remote cloud—you must identify the detailed networking requisites. Data transfer abilities need to focus on application latency considerations along with bandwidth sizing for both peak and off-peak processing. System and application connectivity considerations should include remote operations and end-user access for both internal and external entities, as well as monitoring and management functions in support of operational status and reporting capabilities.

Parameters and metrics for validation
Validation of the newly defined resiliency capability requires that detailed objectives are identified by a combined effort involving the business functional areas and the IT community. Testing scenarios must focus on achieving business results that are delivered according to documented parameters, with specific metrics used to evaluate the accuracy of the resilience capability during periodic exercise events.

Recommended design principles
Implementing identified design criteria not only facilitates an effective design, but can also ensure that an ongoing resiliency capability will remain in place to protect the business as the cloud capability takes form and continues to evolve. Standardization and consistency are critical to verifying that business protection, data integrity and overall enterprise-level protection strategies are in place to support the underlying IT resources of the future integrated cloud design.

Defined workload dependencies
A criticality analysis is often a direct output of a business impact analysis and will reveal the detailed dependencies from a systems, application and data perspective. This helps determine how work is flowing throughout your organization. Without these linkages, it is essentially impossible to determine the impact of an outage as it relates to the combined environment of a virtual, cloud-based infrastructure.

Mapped access to systems and data
Leveraging the infrastructure blueprint is a crucial component for architecting a clear view of the operational requirements needed to execute business transactions. This analysis will serve as a cornerstone for the eventual architecture that you will implement, ensuring performance and consistency across the applications environments to drive seamless business operations. Technology decisions will be based upon this analysis, providing the detailed resource requirements from a capacity and functionality perspective.

Verified connectivity to all virtual processing sites
Connectivity will play a critical role in the outcome of your cloud processing environment. In addition to the day-to-day operational characteristics, it is important to design a network that is flexible with full redundancy and dual pathing to avoid any single points of failure that may compromise production operations. From a resiliency standpoint, the same holds true for the additional requirement of connecting any-to-any from all production sites to all recovery sites at any given point in time.

Defined information accuracy and integrity (RTO/RPO)
Yesterday’s challenges of cross-platform recovery, whereby systems and data are dissimilar and synchronization is a major concern, may be exacerbated when attempting to recover multiple systems across multiple locations within a cloud design construct. More specifically, if business functions are split across sites using a combination of traditional processing and cloud design, determining the common synchronization point may be much more difficult. You will need to coordinate backups over distance, whereas in the past, these same backups were done within the same site with the same operations staff. Documenting recovery objectives will become increasingly more important as the ability to restore systems and data becomes more fragmented.

Scoped performance and throughput
Any component of the environment that is recovered during an event must maintain the equivalent production environment characteristics needed to sustain business resumption. This includes maintaining all aspects of processor and storage performance, decreasing all application latency and providing optimal end-user access speed to avoid impacting the ability to deliver agreed-upon service level objectives. Each of these processes is critical to resuming operations as quickly as possible and reducing the growing backlog that you will encounter during any prolonged service interruption.

Defined and documented business resiliency objectives
Defining discrete testing and validation objectives will help your organization meet its resiliency requirements. A detailed business impact analysis, accompanied by a formal risk profile, will reveal those areas that you will need to exercise periodically to ensure that you have achieved complete business resiliency.

Your cloud implementation must allow for continuous processing of transactions that enable business success, regardless of where your systems, applications or data reside. Business resiliency should be an inherent attribute within the fabric of the cloud design and, as such, needs to be part of your critical design efforts.
It is important to gain a detailed understanding of how cloud computing will be delivered and to review how you established the current resiliency strategy to protect your business. Many questions must be answered relative to how the new design will modify the existing strategy, taking into consideration several key recovery disciplines.
This knowledge serves as the baseline for further assessment of how changes to the production environment will impact the ability to continue delivering optimal service in support of business needs. From an implementation standpoint, identifying a structured set of design principles can help guide this effort. Focusing on standardization and consistency not only establishes the initial effort, but also serves as a framework for future cloud enhancements.