1. Standards - Standards have to be continually updated to reflect new innovations and technologies that may apply to maintaining the business as well as Disaster Recovery Centers. BP did not maintain or explore new approaches to deep water containment and relied on traditional containment processes; the disaster then pushed BP to explore new technologies and approaches, at the cost of US$ billions in damage to the US economy. What are the industry standards? What are the US government standards? Why couldn’t BP become the showcase for best-in-class standards, rather than being seen as the worst offender, whose failure will create new legislation and force further requirements down onto industry, costing billions? Routinely review your standards and include the latest and greatest innovations, technology designs and approaches. Become the best in class and set the bar, so that clients and colleagues in your industry look to you as the leader.
2. Program – Programs have to be continually tested and tried quarterly to prepare for various scenarios, including worst case scenarios. The Program should be a practice run encompassing all aspects of a disaster and identifying all probable accidents, emergencies, and/or threats. BP’s failure to maintain its standards, together with its lack of communication processes, allowed rapid damage to overall corporate well-being (loss of capitalization, revenue and cash) and to its reputation, causing deeper concern among potential customers as well as investors. One should always have a strong Program with a Leader to take charge who has been tried and tested on all scenarios. The leader should also have a strong team of staff who are the cream of the crop within the organization.
3. Policies – Policies are mandated by the management of an organization, are to be performed according to a design plan, and support all business functions within the organization, inclusive of IT. These policies have to be continually updated for refinement as well as for feasibility and realism. It is nice to have policies in place; however, most policies have either lacked verification or have not had the buy-in needed to make them practical. BP’s failure to maintain its policies created a complacent organization in which trust was lacking, whereas buy-in could have provided the practicality needed to implement the program quickly. One should consistently review policies not only at the corporate executive level but also test them at the lower echelons to ensure practicality.
4. BC/BCM Plan – This is the actual plan itself: a set of documents, instructions, and procedures which enable a business to respond to accidents, disasters, emergencies, and/or threats without any stoppage or hindrance in its key operations. It is also called a business resumption plan, disaster recovery plan, or recovery plan. While BP may have had a BC/BCM plan in place for the Gulf Disaster, the plan seemed faulty because of poor communication management and because there was no coherent approach to providing adequate leadership. BP seemed to falter in administering the plan, in managing perception, and in keeping the plan updated for new technologies, approaches, and requirements from the government, investors, etc. A perfect example is that the Plan included comments on the protection of walruses. One should make sure that good leadership is involved, recognize that communication is critical to a plan because it shapes the perception of you and your organization, and consistently update the plan as an evolving document rather than leaving it static and dormant.
5. BC/BCM Planning – This is the actual work of building the plan as well as testing all the procedures to ensure continuity of a firm's key operations in the event of an accident, disaster, emergency, and/or threat. While BP’s plan was in place as a result of planning, it seems that no true scenarios, including worst case scenarios like the Deepwater Horizon blowout, were ever tested. Why were they not tested? Did the plan and planning not include worst case scenarios and how to resolve and mitigate the risks to the US environment and to BP’s fiduciary responsibility to its investors? One should always test every scenario as well as develop new scenarios to plan for future disasters. One should always be thinking ahead rather than being complacent.
6. Guidelines – Guidelines are put in place as recommendations to a design; they may or may not be used depending on the situation, and may be altered depending on the circumstances. BP’s guidelines were never fully communicated to the public, which left the public distrustful of communication that continually shifted and/or changed. One should always be very specific and follow the guidelines as long as the outcomes are successful; if guidelines are not producing results, they were most likely not practical based on the testing of all the scenarios. These guidelines are your step-by-step approach to making things happen, and they need to be consistently validated.
7. Procedures – Procedures provide the specifications for implementing the BCM Plan. While procedures were in place for BP, they were based on the outdated, untested plan. BP’s procedures have been perceived as bureaucratic and as showing a lack of response, a lack of leadership, and a lack of urgency. These procedures require strong leadership to drive decisions as well as to break down barriers within the organization. This leader should have full authority to move the organization through the disaster. Just as war plans are based on scenarios, you must rely on your general in the field to make it happen. While these procedures may have been in place, they lacked a general to make things happen, which has further damaged BP’s reputation and public perception.
8. Resource Planning and Deployment – This concept is to ensure that when disasters and/or threats hit, the proper resources are in place and have been assigned to deploy the solutions and support. BP seemed to lack the resources required not only to work on the Deepwater Horizon blowout but also to handle the buoys for New Orleans, the claims processing, the connection with local governments, etc. Disaster planning is not there to provide someone a job; it should involve the brightest and smartest people within your organization, by section/department. If as a company you can’t provide the resources, look outside for outsourcing arrangements and have those providers partner with you. One must remember to focus on core competencies and allow others to support. If BP had engaged with partners in advance, several US$ millions or billions could have been salvaged, and the environmental impact could have been less severe.
9. Organization Structure – This describes the structure of the organization, its leadership, and the communication within the existing organization about how things will work and operate if a disaster occurs. It also requires redundancy of skill sets and expertise. While BP may have a vast set of employees and a great pool of resources, we are unsure whether BP had really described the business continuity/disaster team approach internally to all facets of the business, or whether it had the most dedicated and talented pool to manage the operation. One should always place the best resources and leadership in these positions when disasters or problems occur, because they know the organization and its capabilities and can give the marketplace a better perception.
10. Business Impact Analysis - A business impact analysis is the primary tool for gathering information and assigning criticality, recovery point objectives, and recovery time objectives, and is therefore part of the basic foundation of business continuity. Good practice indicates that a Business Impact Analysis should be reviewed at a minimum annually, but more frequently in the event of: (1) a particularly aggressive pace of business change; (2) significant changes in the internal business process, location or technology; and (3) significant changes in the external business environment, such as market or regulatory change. While BP may have had an annual business impact analysis, it should have adopted a more frequent review, because: (1) the pace of drilling in deeper water created significant business risks as well as changes; (2) drilling deeper created significant internal challenges in process and in safety technology which was not proven; and (3) there was a huge downside in the external business environment, from local and state governments to, now, Federal government restrictions.
11. Security - This is one of the top priorities, especially in Disaster Recovery or within an IT department. Conformance has to be tested and validated regularly. Concerning BP’s security audits, there seems to have been a failure not only in the Federal government’s audits and approval of broken equipment, but also in BP’s internal audits. One should consider outsourcing all audits to another company, which would provide objectivity, rather than relying entirely on an internal audit or even on your outsourced partner.
12. Documentation - It is important to constantly update your documentation for any changes to procedures, guidelines, new technologies, contacts, etc. BP, as well as the whole industry, seemed to be complacent in this area and continued to maintain existing wording regardless of the inherent risks and of changes and/or challenges to the business impact analysis.
13. Audit Management (Risk Analysis) - This is one of the most costly and time-consuming activities for a business and is often seen as an evil or as an unwarranted insurance policy. Risk and audit findings should consistently be reported to Senior/Executive Management as well as to the Disaster Leader who would be responsible if a disaster or threat occurs. All audits should identify weaknesses as well as remedies for action/resolution. Audits should be performed by outside parties, who can take an objective stance and are not tied to the success of BP’s bottom line. It seems that several of the auditors were courting new jobs and so granted acceptance as a matter of goodwill. This goodwill and lack of objectivity has not only cost BP US$ billions but has also created an economic crisis for America and its industry leaders.
14. Service Level Agreements – A Service Level Agreement is a written agreement between two entities operating together, whether internally or externally. In IT, the SLA is usually between the business and IT. A service level agreement was most likely in place between BP and Transocean; however, it seems that the procedures of the SLA may not have been in place, or may not have been strong enough, given the cost-cutting measures which put the Deepwater Horizon well in danger and at risk, resulting not only in US$ billions in costs for BP and America but also in the loss of life. Service Level Agreements have to be solid and adhered to by both parties, and not subject to shorting the system and/or contract. Contracts are put in place for good reasons: for clarification as well as to protect everyone’s interests. It seems that BP and Transocean both ignored their contractual obligations under pressure to access the well quickly; however, just as in IT, when you play with the triple constraints of Scope, Costs, and Schedule, one will impact the others detrimentally. When budgets are cut, schedules have to be shortened, with the result that quality and processes are not seriously reviewed for major impacts.