System
|
Topic: Contingency Planning -- ArticlesSix Steps to Crisis ManagementBy Ian S. Hayes and William M. Ulrich A new millennium will surely dawn on January 1, 2000. Less certain is what will happen when that day dawns. Mankind has never before faced a problem of the type and magnitude of the Year 2000 crisis. The problem is global and pervasive. It affects everyone -- governments, businesses and individuals. For most companies, the problem insidiously affects every aspect of their operations. With this scope, it is difficult to predict exactly what will happen at the turn of the century. Yet we must try to predict in order to be prepared. How bad might the century transition be? The answer depends largely on how well organizations complete their Year 2000 efforts. Until we are closer to the transition, we won't know for sure. Early signs indicate significant problems down the road. A mid-1998 study of the top 250 U.S. companies' securities filings shows that Year 2000 progress is crawling along at a 1% per month rate, meaning that, unless this rate increases, the average company will have completed only half its work by the end of 1999.1 The federal government is faring no better. Many federal agencies continue to receive failing grades for their Year 2000 progress, and continue to discover new, mission-critical systems that are in danger of failing. Global progress is even more dismal with most countries months to years behind U.S. efforts. All of these factors do not bode well for a smooth transition. A bumpy transition period will spawn a variety of pressing problems. Even in a conservative scenario, a company can expect a rising wave of concurrent failures, quality problems and outages. These simultaneous problems will fuel a rapid increase in support requests from users, customers and suppliers seeking assistance. Resource conflicts will arise as problems multiply. Contingency plans will need to be triggered. Legal liability will loom as damaging errors mount. Throughout this period, companies will face intense scrutiny from the public, stockholders and the press who will attempt to gauge the health and stability of the company. One way to view the impending Year 2000 transition is as an approaching hurricane. In each case, advanced preparation can greatly reduce the damage wrought by the crisis. The first step is to prevent problems by designing hurricane-proof buildings or creating Year 2000 compliant applications. This step has been the focus of Year 2000 projects to date. The next step is to prepare for known unavoidable problems. Boarding up windows and hoarding drinking water are two common contingencies for people in the path of a hurricane. Year 2000 contingencies include building inventories of supplies or moving year-end accounting closes. The final step in the process is to set up a way to deal with the unexpected or the overwhelming. This is the role of FEMA during hurricanes and Crisis Management for Year 2000 projects. These organizations monitor conditions, coordinate emergency responses, prioritize efforts and oversee the deployment of contingencies. Year 2000 Crisis Management covers the planning, organization, tools and procedures needed to handle whatever unavoidable problems might occur during the transition period. This white paper makes the case for Crisis Management. The first section of the paper describes the need for, and benefits of, Crisis Management. The paper then examines the six steps needed to successfully ride out the transition period, and how to clean up once the worst has passed. The Need for Crisis ManagementThe goal of Crisis Management is to minimize the cost and impact of Year 2000 issues on
company operations. In essence, a Crisis Management effort provides business benefits by
reducing business risk. A Crisis Management effort reduces business risk in three important ways. First, it reduces the number and magnitude of disruptions to business operations. With fewer and shorter interruptions, there is less impact on employees, customers and suppliers, and, therefore, on profitability. Second, Crisis Management saves money. Through quick and early problem detection and resolution, the cost and impact of unavoidable problems is lessened. Further, by coordinating the resolution of common problems, Crisis Management efforts reduce per problem handling costs. Lastly, Crisis Management efforts reduce business risk by enhancing legal protection. If problems are responded to quickly, fewer people are affected and damages are minimized, both of which result in fewer legal claims. A formalized Crisis Management process will also produce invaluable backup documentation and audit trails to strengthen legal due diligence defenses. To achieve these business benefits, a Crisis Management effort must perform several key functions. These include the ability to: Quickly respond to issues. Timely response to and resolution of problems reduces their cost and minimizes their impact. If problems compound or are allowed to fester, dependent or downstream operations may become contaminated, operations may grind to a halt, employees may be idled and customers may incur losses. Prioritize responses to maximize business benefits. From a business perspective, not all problems are equal. Some are mere annoyances while others have the potential to seriously damage or disrupt business operations. With a large number of simultaneous problems expected, not all problems can be addressed at the same time or with equal attentiveness. To ensure that the most business critical issues are addressed first, a Crisis Management effort will identify and prioritize issues according to their business criticality, and will then deploy resources to effectively execute the prioritized tasks. Facilitate orderly reporting and resolution of problems. With a large number of simultaneous problems, failures and outages, and an even larger number of affected users, customers and suppliers, it is essential to designate a central point of handling support requests and streamline resolution of shared problems. A Crisis Management effort provides a uniform way to log problems, to assign resources and to resolve problems, and to assist affected persons in self-determination and self-resolution of common problems. Manage completeness of responses. To deal with the deluge of problems and ensure that none are mishandled, lost, unassigned or ignored, and to trigger contingencies when required, follow through is essential. A Crisis Management effort designates an organization, and individuals, responsible for capturing, tracking and assigning problems for resolution, and for triggering and monitoring the execution of contingencies. Collect data about actions. During the crisis period, a company will need to keep a record of its actions to prove that it was responsive to reported problems. A formal Crisis Management effort will produce, as a byproduct, a written record that will serve to demonstrate reasonable levels of responsiveness in the event of litigation. Provide central point of contact for status information. Business executives, internal entities and external stakeholders will all want current status throughout the transition period. A Crisis Management effort meets this need by functioning as a central repository for all relevant project information and by reporting project status in a consistent way. To understand the timing of the Crisis Management phase, consider Figure 1.
A Year 2000 program begins with the project management phase where, activities are focused on avoidance -- finding and correcting issues before they can fail. These efforts decrease the severity of the impending storm as each item fixed is an item that cannot break. Even with these efforts, no company can avoid all Year 2000 problems. The magnitude of the effort means that mistakes will slip through. Moreover, many companies are dependent on outside entities for services and goods, yet have no control over their compliance. As the number of Year 2000 problems multiply, the avoidance techniques used in the project management phase no longer suffice. The company must shift into crisis mode. It must respond quickly to problems according to business priorities, trigger contingencies as needed and triage when demands exceed resources. This time period is the Crisis Management phase of the project. The final phase of a Year 2000 project is clean-up management. This phase begins when Crisis Management completes and concludes when the company returns to routine operations. It focuses on completing fixes that were suspended or shelved, undoing shortcuts and unwinding triggered contingencies. The Year 2000 Program Office plays a pivotal role throughout the life of the project. During the project management phase, it becomes acquainted with potential problem areas, develops approaches to avoid and minimize problems, and establishes relationships with many entities that are likely to be affected by problems occurring during the crisis period. Because of these relationships and accumulated knowledge, the Program Office is ideally suited to spearhead the Crisis Management effort. The Crisis Management period will begin when the number of date problems exceeds the ability of the organization to respond using its standard approaches, and will end when the number of problems drops below that level. The starting point will vary by company, industry and the overall state of compliance of local, domestic and foreign private and government sectors. A company's own state of compliance and its dependence on external entities will also affect the actual start and end dates. Many analysts now roughly estimate that the Crisis Management phase will run from September 1999 through April 2000. Preparing for Year 2000 Crisis ManagementAdvance planning and preparation are key to surviving the Crisis Management phase. During this phase, efforts are focused on quickly identifying and correcting problems to maintain uninterrupted business operations. These activities are, by necessity, reactive. No one can predict with certainty where and when problems will occur. To meet these dynamic challenges, a special management and organizational structure is required. This team will be empowered to prioritize and resolve problems, perform triage and trigger contingency plans all according to strict business priorities set by business executives. Most companies will deal with a set of common issues as they establish their Crisis Management efforts. Discussed below are six common steps that companies can take to prepare themselves for the Crisis Management phase of their Year 2000 efforts. 1. Successfully Complete Compliance Efforts The number of problems that will occur during the Crisis Management phase is directly related to the adequacy of a company's compliance effort. Each investment made in fixing a non-compliant component is a Crisis Management investment. Every component corrected is a component that cannot fail. Unfortunately, many companies are behind schedule in their remediation efforts. They must reduce the number of components that they plan to fix, targeting only the most critical ones for remediation. While this approach does make sense, it means that uncorrected medium and low-value components will likely encounter problems. Another increasingly popular time-saving measure is to scale back testing. Shortcuts in testing can, however, be extremely expensive as they permit errors to slip through into production where they can cause the most damage. Other areas, such as supply chain compliance, remain out of the control of most companies. They must rely on the efforts of external entities, such as vendors and suppliers, to achieve compliance and may be unable to ascertain the true state of compliance at those sites. Crisis Management teams can prepare for these potential problems by spending time up front to catalogue all instances of software and embedded technology where fixes are incomplete, pinpoint areas where testing is inadequate and identify vendors and suppliers that remain at-risk. 2. Develop Contingency Plans Contingency planning is a broad topic worthy of its own book. Simply put, Year 2000 contingency plans are action plans to protect business operations from problems in at-risk components or entities. For example, a contingency plan may call for manually creating invoices if an accounts receivable system fails, switching to an alternate supplier if a preferred vendor is disabled, or relying on generators in case of power failures. Contingency plans can be grouped into two basic levels. At the highest level are business process contingencies that focus on protecting revenues and market share, avoiding litigation and maintaining essential operations during the Crisis Management phase. Senior executives set the priority of these processes, and the process owner develops the necessary contingency plans. At the lowest level are component/entity contingencies that focus on ways to back up, replace or work-around individual items such as a critical computer system or piece of equipment, or even an important vendor or supplier. Contingencies fall into two categories: preemptive or event-driven. Preemptive activities focus on avoiding the consequences of Year 2000 failures rather than correcting underlying problems. For example, boarding up windows before a hurricane hits land is a preemptive strategy. So is shutting down a software application on January 1, 2000. It does not fix the application but avoids any problems that occur only in the initial hours of the new century. Because these contingencies are triggered preemptively, costs are incurred before any problems actually materialize. Conversely, event-driven contingencies are triggered, and costs incurred, only when a specific problem actually occurs. These contingencies focus on resolving problems to minimize their impact and cost, and to prevent them from contaminating downstream operations. Each business area that relies on a potentially affected component/entity or process must create contingency plans to protect its own operations. It is impossible, however, to develop contingency plans for all potential scenarios. Rather, plans should be created for all critical entities with a high likelihood of experiencing Year 2000 problems. 3. Develop Crisis Management Plans A Crisis Management plan is a fully documented, business-oriented approach for handling the Crisis Management phase. It defines how a company will operate and respond to problems during the transition, and ties individual contingency plans into a unified and prioritized whole. The plan addresses the most likely crisis situations, and offers a framework and support structure for responding to unexpected issues. Distinct from contingency plans, Crisis Management plans cover operations during the crisis period while contingencies cover work-arounds for specific problems. In many ways, a Year 2000 Crisis Management plan is simply another form of the standard business continuity plans that most companies have. It is similar in content, although different in scope, to disaster recovery plans. Most disaster recovery plans focus on a single catastrophic event, such as a natural disaster knocking out a key data center. In contrast, Year 2000 Crisis Management plans focus on a range of concurrent, widespread events that may affect any number of business operations. Crisis Management plans strive to ensure the continuity of critical business operations throughout the crisis period despite any problems that may arise. It is absolutely essential that executives prioritize business functions before the crisis period begins and identify these in the Crisis Management plan. In this way, when the deluge hits, problems affecting critical functions can be singled out for heightened attention and resolution. A Crisis Management plan will include:
4. Build a Crisis Management Organization A Crisis Management organization is a command and control structure that supports a company through the transition period by capturing, directing and tracking responses to all problems. Established by the beginning of the Crisis Management period, the organization should be phased out when the number of problems subsides to a manageable level. As shown in Figure 2, the Crisis Management organization is a matrix reporting structure composed of four areas: crisis response center, help desk operations, legal support and emergency response teams.
The crisis response center, evolved from the Program Office, is the nerve center of the Crisis Management organization, tracking and coordinating all efforts throughout the Crisis Management period. Its responsibilities include: establishing the Crisis Management organization, developing the Crisis Management plan, training all team members, managing the execution of the plan, prioritizing issues and responses (triage), directing problems to the proper emergency response team, triggering contingency plans, tracking and reporting problem status and documenting responses for legal protection. The crisis help desk is a specialized help desk that is the focal point for receiving and tracking all incoming issues. This function typically supplements existing help desk organizations. Problems, questions or issues that cannot be handled by existing help desks are escalated to the crisis help desk. Further, third parties that do not normally deal with existing help desks, such as external stakeholders, business partners and the press, will be routed directly to the crisis help desk to answer all inquiries. Together, existing help desks and the crisis help desk will serve as a central collection point for issues, answer queries, provide fixes and work-arounds, and deliver official communications. Members of the company's legal department staff the legal support group. This group ensures that audit procedures are followed and that proper documentation is captured, monitors potential legal problems and advises executives and crisis managers on any legal problems requiring their attention. Highly skilled individuals drawn from existing application support teams, business areas and factory crews comprise the emergency response teams. These individuals respond to Year 2000 issues that occur in their areas of expertise. Their mandate is to quickly assess the extent of a problem, repair and restore critical operations possible, determining if a contingency is needed and implementing manual processes, work-arounds or other types of contingencies. The crisis response center must train the staff selected for the Crisis Management organization. When the crisis period begins and problems start to multiply, companies cannot afford to conduct on-the-job-training. Training must cover the processes used by the Crisis Management organization and the tools and techniques that will support the team in their efforts. Several types of tools and technologies are essential to a Crisis Management effort, including project tracking, problem tracking, inventory management, configuration and change management, process management, databases, repositories, decision support, user-friendly interfaces, networking and enterprise communication software. Especially important, are tools to manage problems and their resolution, to manage the changes to affected, faulty components and to assist in managing and reporting on overall crisis efforts. ServiceCenter/2000™ by Peregrine Systems, Inc., is the first tool specifically designed to support all aspects of the Crisis Management phase. It combines many of the technologies listed above including inventory/configuration management, problem management and problem resolution, change management and an analytical decision support tool. One particularly interesting feature of ServiceCenter/2000 is that it gives end-users and supply chain partners, through Web interfaces, Internet-style technology and a knowledge base of problem information, a way to enter, review and resolve Year 2000 problems themselves, encouraging self-determination and self-resolution of problems and freeing Crisis Management resources for other tasks. In addition to deploying tools, the Crisis Management organization must define the processes that will guide it, and the company, in performing crisis management activities. These processes include methods to communicate problem information and report status, routines to capture, assign and track problems and methods for triggering contingencies and monitoring their performance. Together, the tools and processes implemented will enable the Crisis Management organization to analyze and understand the status of the company's crisis efforts and to report these results to senior executives. With a complete picture in hand, senior executives will be able to make critical triage and business continuity decisions, and comply with government reporting regulations, such as SEC disclosure requirements. Finally, the Crisis Management organization must conduct a trial run, or simulation exercise, to ensure that processes are feasible and adequate, that key personnel are not over-committed, and to ensure that team members and company personnel understand their roles during the crisis period. 5. Prepare for the Inevitable Before a hurricane hits, wise homeowners take the time to stow loose items, board up windows and secure valuables. Given the potential damages, these actions are prudent. Similarly, companies must prepare for the arrival of the Year 2000 storm by taking action to protect their assets and reduce the impact of any damages. Companies should strive to minimize their exposure to avoidable problems during the crisis period. One strategy is to freeze all unnecessary changes to IT, facility and other assets, allowing them a period to stabilize. This freeze period spares Crisis Management teams from dealing with non-Year 2000 problems introduced through routine maintenance at a time when they need to devote themselves to fixing Year 2000 problems. It also gives a company time to perform final re-testing and re-certification of business critical components. A company should also consider shifting or deferring non-essential activities, such as personnel reorganizations or marketing launches, until after the crisis period to avoid unnecessary disruptions. The Crisis Management team should ensure that backups of items vital to the problem resolution process are made. These items include the acceptance criteria for existing operations (to verify the correctness of these operations), listings of application source code and critical data, and debugging aids to assist in problem detection and resolution. Far in advance of the crisis period, appropriate personnel may need to trigger preemptive contingencies designed to avoid Year 2000 problems. Often, these contingencies have long lead times or are dependent on other functions or entities. For example, stocking up on extra inventory will require that manufacturing lines operate at peak capacity for some period of time during 1999. The crisis response team must prepare all employees for the expected impact of the Year 2000 on their jobs. Employees should be responsible for the compliance of their own jobs, and be prepared to identify and report any problems. If an employee's job will be affected by a contingency, the employee must know how to adapt his performance to conform to the parameters of that contingency. The Crisis Management organization must also ensure the availability of staff members critical to the success of the Crisis Management effort, especially during the transition period. Companies may need to offer incentive plans and/or accommodations during the transition to ensure that employees stay committed and available. During 1999, companies must monitor conditions in their market, industry and local areas. Depending on the compliance of other entities, Crisis Management plans may require adjustments. Companies must also monitor the level of problem reporting in their own organization to determine when to put the Crisis Management organization in a state of high alert. Lastly, every company should make plans to shut off all non-compliant applications and equipment and any functions that are not required to operate over the actual transition. By doing so, companies can avoid problems that will occur only at 12:00 midnight, reduce the number of employees needed to tend operations and enable controlled (phased) restarts of critical operations. 6. Manage the Transition The Crisis Management period will likely begin in 1999 as applications and equipment that look forward in time start to encounter date problems. As the company monitors the incidence of Year 2000 problems, it will know that the crisis period has arrived when the number of date problems exceeds the ability of the company to respond using its standard approaches. Based on the amount of incoming problems, and the ability of the Crisis Management organization to respond quickly, a company may need to adjust its Crisis Management plan. If problems are overwhelming, the company may need to triage problematic components consistent with their business priorities. During the crisis period, the Crisis Management organization will operate at peak capacity. Help desks will log incoming problems, and provide work-arounds and fixes to users and supply chain partners. The crisis response center will prioritize all work in accordance with business priorities and assign tasks to the appropriate emergency response teams. It will also track the status of the enterprise as a whole, report results to company executives and determine when to trigger contingencies. Companies will have to decide, based on circumstances at the time, how to conduct their business operations during the transition. They have three basic options. The least costly but most risky approach is to conduct "business as usual," bringing all operations online as though it were an ordinary business day. This approach is fine as long as the company is confident that it will face only minor problems. A more moderate, less risky approach is to run only the most critical operations, leaving less important or suspect functions idle. Finally, a safer but more costly approach is to use a phased restart where all operations are shut down and then brought online serially. This approach not only limits the influx of concurrent problems, it prevents them from contaminating downstream operations. Lastly, companies will need to handle any personnel issues that arise. At precisely the time that standard communication methods are most susceptible to failure, companies will likely need to communicate vital information to employees. At the time that companies most need their employees to be present to handle problems, employees may need to stay at home to deal with service disruptions or personal Year 2000 problems. In addition, if business operations are scaled back or shut down for extended periods of time, companies will have to cope with idled workers. The Clean-upAt the end of the Crisis Management phase, a company's work is not done. When the crisis eases, companies still have to clean up the lingering after-effects of triage decisions, work-arounds and contingencies. During this clean-up phase, the Year 2000 Program Office remains intact and is responsible for overseeing all clean-up efforts. Unwinding contingencies may involve working down excess inventories or re-automating procedures that were supplanted by manual work-arounds. Year 2000 patches and work-arounds for applications and equipment will have to be removed and replaced by more permanent appropriate fixes. IT departments will have to complete remediating low priority and other side-lined applications. The company, along with the legal department, will have to prepare for any potential legal action. ConclusionWe know that the Year 2000 problem is real. We may not know exactly how bad it will be, but we know there will be failures, interruptions, disruptions and inconveniences in virtually every area at the same time. Knowing this, how can we justify not being prepared? The simple answer is, we can't. When faced with a known crisis, the only reasonable course of action is to prepare. Crisis Management can help a company cope with the onslaught of Year 2000 problems and minimize the cost and impact of inevitable failures. By creating a crisis response organization before problems occur, and empowering it with processes and tools to do its job, a company will be poised to quickly neutralize problems before they spiral out of control. Considering the downside, it's a small price to pay. FootnotesIn March and June of 1998, TriaxsysÔ Research LLC of Missoula, Montana (www.triaxsys.com) conducted a study of the Year 2000 disclosures of the top 500 ranked U.S. companies as found in their securities filings. Results were published in Triaxsys Research Reports Vol. 1, No. 3, April 1998 and Vol. 1, No. 4, July 1998. About the AuthorsIan Hayes is the founder and president of Clarity Consulting, Inc., www.clarity-consulting.com in Hamilton, MA. Ian specializes in strategic consulting on the management and support of corporate business systems. A frequent speaker, senior editorial advisor for the Year/2000 Journal and contributing columnist for Software Magazine, Ian has advised dozens of companies on a variety of IT issues, including those related to their Year 2000 initiatives, and has written numerous articles on the topic. Ian has also served as keynote speaker for numerous Year 2000 seminars and sits on the Brainstorm Year 2000 National Symposium Series Board of Governors. |
|
Send mail to webmaster@systemtransformation.com
with questions or comments about this web site. |
Transformation
