You guys I'm like really smart now. You don't even know. You could ask me, Kelly what's the biggest company in the world? And I'd be like, "blah blah blah, blah blah blah blah blah blah." Giving you the exact right answer.


-Kelly Kapoor
The Office


Friday, December 17, 2010

Certifiable Business Continuity

As I pursue business continuity I am curious about the value of certifications. The curricula for business continuity programs is still gelling. In addition,  no national standard exists to provide a common baseline skill-set for the exams. As a result, certification is typically based on a well known standard like BS-25999 and often requires a candidate to demonstrate work experience. I have also noticed some consultants with self-imposed titles like "expert consultant" which is both equally valid and equally subjective to the titles awarded by companies granting certification.

Ultimately the value of certification is proven by the knowledge of those attaining the certification in the workplace. This, in turn, causes greater demand for those certified, which increases demand by those looking to be employed in the certifying role. Because BC is still in its infancy, there is not a lot of information available to assess the value of current certifications.

In addition, I just don't know if I buy the format of exams for BC certification. BC requires a lot of writing, marketing, project management, research and analysis. Assessing this by means of a multiple-choice test seems inadequate, although admittedly some of the certifying organizations also require that applicants demonstrate experience.  This, however,  seems to also be an admission that the tests they require applicants to complete are an insufficient form of assessment.


Friday, December 10, 2010

Faith - Black Swans and White Doves

   As I research and organize my company's business continuity plan, I can't help feeling how unfortunate it is that  I have to leave my Faith outside the plan. By Faith, I mean my politically-incorrect and empirically challenging position that I am the product of a loving God who died for me. This is not to suggest relying on Faith alone or abandoning planning and preparedness activities, only lamenting the de facto censorship of the day. A key component of Faith is humility.  Humility is most often learned through experience (the BIA being an example of such). The need for humility is a (loud) subtext in Nassim Nicholas Taleb's The Black Swan.

   Taleb clearly indicates the danger presented by relying on human knowledge or self-assuredness in one's ability to predict future outcomes. He focuses on the need to consider the "outlier" - the inexplicable event that occurs beyond our ability to predict. He does not suggest a Faith-based approach to risk assessment, rather devoting his energies to savaging his critics and established "experts" in probability and risk prediction. Taleb goes on to prove than many "experts," assured from their previous (random) successes or wholly focused on their specific risk models, actually performed worse than amateurs (but were better at rationalizing failure). In discussing an analysis of two thousand predictions from security analysts, Taleb notes:

What it showed was that these brokerage-house analysts predicted nothing - a naive forecast made bt someone who takes the figures from one period as predictors of the next would not do markedly worse. Yet analysts are informed about companies' orders, forthcoming contracts and planned expenditures, so this advanced knowledge should help them do considerably better than a naive forecaster looking at the past data without further information.

     Taleb attributes this to "epistemic arrogance."  This arrogance fuels our desire to explain. As we are innundated with more and more information (what Taleb refers to as the "toxicity of knowledge") we are led to come up with bigger stories or more complex models to mask our inability to make sense of it all. "I don't know"is no longer acceptable - particularly from "an expert." 

   In a recent article Tim Keller, refers to a book by David Denby, film critic for the New Yorker. The book is called Snark. Keller writes:

 He [Denby] observed that a tone of snide, mocking, ‘nasty and knowing,’ speaking was coming to dominate our public discourse. ‘Snark’ aims not just at refuting someone’s position, but also at destroying their ‘cool,’ erasing their effectiveness, trying to get control of and sully the person’s image with the public. Opposing views are not treated with respect but instead with snarling disdain and ad hominem mockery. Even many regular editorial writers in major newspaper do little more than ridicule. Denby pointed out that politics has been a major source of snark, since insinuating, insulting, and demonizing the opposition (rather than re-spectful arguments) often wins elections. But the Internet has put ‘snark’ on steroids 

   Keller is senior pastor at Redeemer Presbyterian Church in NY city and, I want to stress, his article does not advocate being "nice" as an alternative. "Nice" people are some of the most awful people I know. Rather, he, like Taleb, goes on to prove how dangerous belief in one's intellectual superiority can be:

According to Proverbs, what happens to the scoffer, the man or woman who always has to be right, who derides rather than engages opposing views? Proverbs says that the first result is loneliness (9:12). Scoffers impress the impressionable if they are allowed to hold forth (19:25; 21:11) but as time goes on, the scoffer not only destroys relationships but is listened to less and less by the public (24:9.) Often the scorner has valid points, but because of his or her dogmatic and proud attitude, no peace is possible inside a community. This is because scoffers don’t know how to affirm and live in harmony with people who don’t agree with them on everything. The problem is, as Kidner says, ‘the mischief he does is not the random mischief of the ordinary fool, but the deeper damage of the ‘debunker’…’ (Kidner, p.42)


Taleb does an outstanding job of challenging his reader to think outside of current models and to abandon established risk prediction dogma.  Ironically, in his own haughty way, he is demanding the humility of his reader by showing the limits of our own knowledge. He is demonstrating the need for something greater by scoffing at the scoffers who came before him.


Taleb appears particularly humble as he visits Amioun, his ancestral homeland in Lebanon. Armed only with a copy of the writings of Seneca, he visits the cemetery where several relatives are buried and muses on his mortality: "I wanted to prepare myself for where I will go next." Taleb, then advocates stoicism as an outlook, concludinf "A Black Swan cannot so easily destroy a man who has an idea of his final destination." After what felt like a long walk with the self-professed flaneur Taleb, it seemed he was still unsure of this destination.

  During both disaster planning and response, the qualities provided by Faith are essential: humility, hope, focus and strength. In planning for or managing a crisis, isn't it wiser to look into the face of a loving God than to the abyss of unfathomable outcomes?

Social Media and Motivation, DARPA, 99 Luftballons

   The pop group Nena put out a music video in the early 80s called "99 Red Balloons." The German version is actually much better, but only if you don't speak German.

The war machine springs to life.
Opens up one eager eye.
Focusing it on the sky.
Where 99 red balloons go by.

   DARPA, well known for being a fan of 80's pop, launched a red balloon challenge last year. In a nutshell, they put 10 large, (red), weather balloons in undisclosed locations throughout the US and offerred $40000 for the first team to find all 10. A team from MIT was able to accomplish this feat in under 24 hours by using social networking technologies.  Rather than the "one eager eye" Nena references, the MIT team was able to engage 10000 eager eyes - 5000 people helped them.

   The solution to such problems, however, lies in the ability to attract a motivated, focused audience, not just churning out tweets. MIT accomplished their goal by establishing a financial incentive for each person who assisted them, which rewarded sources proportionate to their contribution's value in locating a balloon. They also provided a simple interface for participants to report this information.  In addition, the team was able to foster an atmosphere that gave many participants a sense of belonging.  While there is no way to control social media, the DARPA exercise demonstrates that it can be directed and channelled through a system that engages and motivates participants.

   The key to channelling this resource seems to be identifying a powerful motivator and selecting an appropriate platform.  John Orlando identifies in his article "Harnessing the Power of Social Media in Disaster Response"  how disasters have spawned spontaneous creation of social media sites used to provide information or direct volunteers. In such instances, the motivation is the strong degree of sympathy and emotion elicited by the event.

   The folks at Forrester divide social media participants into specific categories, each with different ways of participation and motivations for doing so. They stress understanding these motivations as the first phase of any social media strategy.

   I am really fascinated by methods to engage the audiences of social media for a specific goal and will continue to share my findings. Please feel free to share yours as well.

Web 2.0 Rant

   I admit to flinching every time I hear the term "Web 2.0" used. So often it is applied in presentations by salespeople or consultants with the meaning "you should buy what I'm selling because I am a smart person" rather than its objective definition. To see if the term has been applied correctly, I recommend doing the following the next time it is referenced in a presentation:
  1. Raise your hand
  2. Ask the speaker "Is Web 2.0 the one with the blue 'e' ?"
  3. Wait
The speaker will either:

1. Quickly agree with you and move on to another topic
2. Pause for 10-15 seconds while they struggle for a polite way to respond

If this begins to occur regularly, perhaps together we can banish the use of this annoying buzzword.

Social Media and Business Continuity

   I really enjoy the blogs at Forrester Research. I got hooked after reading Groundswell by two Forrester analysts: Josh Bernoff and Charlene Li.  Sometimes their passion for their subject was a bit overwhelming and read a bit like a Sham-wow ad, from my cynical perspective, but the wisdom and depth of their analysis is truly exceptional.

   Augie Ray, also a smart person from Forrester, has a post entitled "Seven Things Your Organization Must Do Because of Social Media." The overlap between his instructions and the objectives of a business continuity plan really struck me. Specifically:
  • Listen
  • Participate
  • Respond
  • Move Faster
  • Understand every employee is a marketer (as well as a source of information)
   This post and Groundswell make it clear that you cannot adopt a middle-of-the-road approach to social media. Specifically, by ignoring the technology a company makes itself susceptible to risks associated with the misuse of it. This does not mean, however, that every body shop, grocery store and mutual insurer should immediately leap into the fray. The folks at Forrester show that a company can subject itself to even more risks by hurriedly embracing a platform.

   A well-defined social media strategy is a critical component of a business continuity plan, but like the plan itself, needs to be tailored to the organization. These strategies can be active or passive. A passive strategy is simply a set of guidelines that establish how employees should use social media - either at home or at work and a daily/weekly search on dominant social media platforms for the company name and other terms relevant to it and its line of business. An active strategy would incorporate a presence on social media platforms relevant to the company, which could be leveraged to request support or broadcast information during a disaster or business interruption

  To understand more about how to develop a social media strategy and platforms best suited to your organization, read Groundswell and consult Forrester's Social Technographics Tool.

Tuesday, December 7, 2010

A Dash of Business Continuity

   The growing regulatory pressure has encouraged many companies to begin a business continuity initiative, yet few seem to understand what is sufficent in terms of business continuity. A plan by itself is useless, without training. Training will not be effective unless it is endorsed, if not mandated, by senior management. Senior management is often too busy with competing priorities to dedicate significant time or attention to initiatives like business continuity. The temptation in such a situation is to try to create a "lite" version of business continuity that does not require the direct involvement or support of senior management, but this is ill advised and can lead to an ineffective overall plan.

   Consider a company that has some employees trained in an office that is threatened by a hurricane. As the storm approaches, the business continuity team in the office mobilizes and begins monitoring the storm through the NOAA and local OEM office. They then establishe contact with the business continuity management team in the company's main office.  The local office manager, who has not been trained in the protocols for business continuity, tells everyone to get back to work and stop screwing around on the NOAA site.  "You work for me - not for the disaster recovery guy in HQ."  As the hurricane's impact becomes imminent the following evening, the BC protocol dictates that a  broadcast message should be sent to all employees notifying them to seek shelter and to not come into the office the next day. The BC-trained staff hesitates: should they get the manager's approval? They do, after all, "work for [him]". The confusion resulting from a watered-down plan can be worse than no plan at all as it will slow response time and can result in conflicting directions and priorities.

   This is the equivalent of being given 5 gallons of paint to paint a house. You are better off only covering one side of the structure than diluting the paint to make the 100 gallons you need and creating a mess for yourself in the process. Specifically, ask senior management if there are certain offices where the plan can be implemented in its entirety. In this manner you will be able to pilot the program on a smaller scale and train staff in the appropriate procedures.  These offices may then be used to market the initiative to senior management for the necessary endorsement.

Social Media and Business Continuity



   Social media resources such as Facebook, Twitter, and blogs provide opportunities to market company services, shape brand identity, gather customer feedback, and even facilitate a disaster response. On the other hand, failure to establish a presence and a strategy to leverage these tools provides competitors and detractors opportunities to use them in order to define the company as they see fit, causing damage to the company’s reputation and potentially compounding the impact of a disaster.  Creation of an effective social media strategy will mitigate this risk, promote the company to targeted audiences, and establish a network that can facilitate disaster response and recovery efforts.

Social Media Risks

   The absence of a social media strategy poses a significant risk to a company’s reputation. In a recent survey by Deloitte, 74% of employees responding said they could easily damage a company’s reputation by using social media.[1] The forum provided by social media could allow employees who blog or post concerning the company to publicly express negative views about the company. In addition, they may express controversial opinions or post rude or objectionable content, which could cause a company to be guilty by association. Employees can also divulge company confidential information online, such as new business ventures or challenges facing the company and the names of customers and partners. Furthermore, social networking sites are increasingly being used by cybercriminals to gain confidential access from users.[2]

Addressing the Risks

      While the above challenges have caused some companies to simply ban access to social media sites from the workplace[3], a more effective strategy involves education and the establishment of clear guidelines for employees. Concealing one’s identity on a social networking site is as simple as creation of a separate user account and restricting access from the corporate network will not prevent employees from participating via personal, hand-held devices or their home computer. As such, employees need to be encouraged to embrace the spirit of the company guidelines, not the law. Effective guidelines, in other words, encourage employees to behave in a positive manner while using social media by showing them why prudent online behavior is in their best interest. For example:
Blogging
Microsoft has a bone-simple blogging policy. Be smart. We ask the same of you.
 Please be smart in your online activities. They reflect on both you and the agency.
The ability to publish things that may never go away and can be forwarded endlessly,
 well, it gives us pause and we hope it does you, too.[4]

These guidelines often provide a resource where employees can go for clarification on the acceptable use of social media, such as their manager and/or the company code of conduct.[5] Limitations imposed on employees often require that they separate their personal and corporate identities online. This can include a disclaimer in a blog post that the opinions expressed are personal in nature and not those of the company. In addition, companies often set limits on what employees cannot reveal about the company through social media, such as impending business plans, or names of customers or business partners.[6]
     Another important component of a social media strategy is training.  This training should reinforce the company guidelines as well as address protection of privacy and personal information. One company, for example, included a section in their policy forbidding the use of location-based social networking tools during customer visits, which could be used by competitors to track their salespeople.[7]

Reaping the Benefits  

   An effective social media strategy not only mitigates the risk through policy and guidelines, but maximizes the benefits of a company’s social media usage. Forrester Research recommends the use of the POST method to develop this strategy. This is short for People, Objectives, Strategy and Technology, and identifies the series of decisions that a company should make in composing its strategy. [8]
   The first consideration an organization should have is the people or target audience. Before anything else, the company needs to understand what social networking tools its audience uses in order to be able to reach them.[9]
   After identifying the audience, the strategy needs to clearly define the objectives it intends to accomplish.[10]  These might include gathering customer feedback on new product offerings or marketing enhancements to current services.
   Strategy, as defined in this method, is the process of understanding how the use of social media will change relationships with the target audience and planning the steps to make it happen.[11] This involves anticipating the response of the target audience and planning for it.
   The final phase in this method involves selecting one or more types of social media technology to reach the target audience and meet the objectives.  The method emphasizes that selecting a platform first is a common pitfall, which can limit effectiveness by failing to reach the target audience or by being incompatible with the company’s objectives.[12]

Business Continuity and Social Media

   A social media strategy needs to go beyond mitigating the risks posed by this technology; instead it should leverage it to improve company resilience.  On the most basic level, social media provides a means of notifying a large group of people during a crisis, including the surrounding community, company employees, customers and members of the media.   FEMA, the CDC and many groups of first responders have embraced Twitter for this reason.[13]  
   Beyond the ability to help coordinate a response, social media resources also provide access to a vast network of information and assistance during a disaster. For example, less than two hours after the Virginia Tech shootings, a Facebook page called ‘I’m OK at VT’ appeared and allowed those at the university to confirm they were unharmed.[14]  In addition, as Hurricane Gustav approached the Gulf Coast, a web forum was created on the “Ning” social network that helped coordinate volunteer assistance for the area.[15] Decentralized, organic responses of help like these are common during disasters, and organizations that are able to take advantage of them have a distinct advantage in their response and recovery efforts.[16]
   Tapping into social networks can also alert a company to “creeping crises” and provide a means to respond to them. Being engaged in the same social media networks as customers, employees and business partners provides an organization access to real-time feedback[17] on these events, which can be used to take action before the situation escalates. A social media presence also will gradually build followers or contacts who can provide support or information in an online, public-relations crisis.[18]
   The absence of a social media strategy is both a reputational risk and a missed opportunity. A strategy that incorporates clear guidelines and training for employees will significantly mitigate the risk this new technology poses. Basing this strategy on a specific technology platform that is used by target audiences and that facilitates its objectives can significantly enhance the company’s reputation. In addition, it can provide much needed access to volunteers and other sources of information when responding to a business interruption, disaster or public relations crisis.      


[1] Leonard, Matt; Search Engine Journal (2009)
[2] Bradley, Tony; “Networkworld” (2010)
[3] Bradley, Tony; Networkworld (2010)
[4] Greteman Group;  Social Media Policy (2009)
[5] Ibid.
[6] Cisco; Cisco Internet Postings Policy (2008)
[7] IBM; IBM Social Computing Guidelines (2010)
[8] Bernoff, Josh; Empowered (2007)
[9] Ibid.
[10] Bernoff, Josh;  Empowered (2007)
[11] Ibid.
[12] Ibid.
[13] Collins, Hilton; Emergency Managers and First Responders Use Twitter and Facebook to Update Communities (2009)
[14] Orlando, John;  “Continuity Insights” (2010)
[15] Lewin, Elisabeth; Hurricane Gustav Spurs Volunteers, Relief Via Social Media (2008)
[16] Orlando, John;  “Continuity Insights” (2010)
[17] Kenton, Chris; Crisis Management Essentials for Social Media (2009)
[18] Ibid.