What can ITSM learn from Hurricane Irma

Article first published 21st September 2017

I recently had the opportunity to take a short break between contacts and booked a holiday in Cuba. Unknown to me this was about to coincided with Hurricane Irma (Sept 2017) moving from the Mid Atlantic across the range of islands. Out of every life experience I try to draw some learnings, especially in the ITSM space and this once in a lifetime event certainly taught me a lot. So, let’s look at what happened and draw the comparison.

We started our break in the Cayo Coco region, which quickly became known to be in the flight path. Once this was confirmed we were moved West, 9 hours across the island to an area with hotel capacity to take the 1200 people and outside of the known path. Once established there, the hurricane changed again and our hotel was put on hurricane watch and then full blown emergency procedures implemented as the eye was due to pass close by.

Whilst this is predominantly an ITSM reflection it would be wrong not to acknowledge both the Melia Hotel Managers at Cayo Coco and Valadero and our Thomas Cook holiday rep, people who demonstrated incredible professionalism in their operational ranks .

So, once it was evident that our evacuation location was now in the direct path, all residents were briefed and taken to a safe area under the hotel. This was a large area under the hotel which actually housed the kitchen prep and inbound delivery area. The Hotel Manager assumed the crisis manager role and introduced his deputy and the crisis operating model (in three languages) and then the carrier reps provided specific client updates through the duration.

Putting the crisis management element to one side, part of the focus of this article is on service. We were in the throes of a natural disaster with over 500 “paying” guests. It would have been easy to drop the level of service and yet throughout the incident food was continually provided, the toilets were cleaned and the holiday makers endured over 18 hours in basically an access corridor without any cross words and no alcohol! In fact, the ratio of staff to guests was around 1:5 (an observation I am planning to cover in a later article).

So, what compelled me to write this article? Well its quite simple, in ITSM we regularly talk about 3 things, service design, DR and Service / SLA’s but too regularly organisations do not take this seriously or do this well and I challenged myself to ask why? What is the under-riding factor?

If I reflect on the example of Irma it was clear on a number of things

1) There was a plan. This was not created a few days before. The level of service maintained and the level of execution could only be put down to strong planning and regular modelling / simulation

2) There was a clear mandate – protect life and continue to deliver outstanding service

3) The outcome (for point 2) was never in doubt. There was no hesitancy, management crisis or shortfall in delivery. Everything “just worked”

Now in reflection I would suspect two things ensured this happened.

Firstly, the event was life protecting dependent. Both the hotel chain and the holiday carrier had a duty of care. That was clear in the approach and a 99.95% outcome in this area would just not be acceptable. I would suggest that the service aspect was a secondary consideration but in our ITSM terms, all they decided was that the Vital Business Functions were set with a very high bar.

Secondly, they were used to the natural phenomenon. Whilst this was a Cat 4-5 Hurricane, lower categories are not uncommon, as are tropical storms, therefore at some point there would always be expectation to initiate the plan. I would suspect this was not a procedure given lip service in a management meeting or taken out of scope due to a cost or time over-run.

So why the reflection?

Each year, the UK media seems to report significant IT failures and I am sure on a global scale they occur just as regularly and yet in most cases the true root cause never gets reported. We, as ITSM professionals can speculate on it and I am sure our experiences of working in different organisations can cite system failures that should never have happened or should have been recovered much more quicker with a better level of service. In simple terms, feedback regularly tells us that we let our customers or users down.

Watching the recovery process during Hurricane Irma peaked my interest in a number of areas:

1) Do we approach any service with a mindset that our common “natural disasters” happen? In our world, this could be a cryptolocker type attack, a significant database corruption or a major datacentre / infrastructure outage. As a service function, we have a right to be the voice of doom and approach service with a mindset that our “Irma” is always out there

2) As part of service design do we challenge the architects to put the potential points of failure on the table and then have clear options to mitigate them. More than this, do we actually turn these scenarios into service metrics?

3) Once those are clearly identified and solutioned we then put our service hat on and take up our position of “is the contractual SLA good enough or as a collective is a higher-level outcome our goal”

4) Regardless of the answer to the above question, once that is agreed that becomes the recovery objective. In essence we reset the bar, if a 4hr recovery is our agreed outcome then failure to achieve this should be taken in the same mindset as the mandate demonstrated by the crisis team in Cuba (ie not an option).

Acceptance of point 4 above is not uncommon and I am sure that a lot of organisations go through the 4 steps above during major projects and implementations, the problem is they fail to turn them into an executable outcome that only has a guaranteed conclusion of success. By that I mean truly exploring the “what ifs”, getting the recovery process clearly documented, testing them and then throwing in a curve ball at the last minute! (on a complete side note, I recently watched the film Sully and it was interesting to see the “simulated outcome” turned around significantly once the “human factor” was added in, but that’s for another day).

Maybe it needs a change of perspective? Maybe if a life depended on it or if service was truly king then the focus on service design, recovery, continuity and ensuring that the customer continues to receive the same level of service in the face of adversity regardless of the cost would be more prevalent in the ITSM service cycle.

In closing, I suspect the real benefits of V3 (if you hang your hat on this model) as still not being realised and as an industry we sitting in a hybrid world of acknowledging V3 as a framework but working in a V2 comfortable manner, otherwise the elements of Service Strategy and Service Design in their new guise would be ensuring that services designed and implemented (certainly in the last 6 years since the 2011 refresh of V3) would be closer to the service excellence I recently experienced.

If you have enjoyed reading this article and would like to discuss in more detail, I would welcome your thoughts on this.

Ten top tips for Major Incident Management

Article first published 12th June 2017

When I was looking to have the website redeveloped, it was a good opportunity to look at the old blog articles. A great deal of these were written with a different focus and technologies had changed significantly, but every now and then I came across one which I felt was still pertinent. This article contributed to by a good friend and colleague of mine still (in my opinion) hits all of the spots.

Our top 10 tips:
1. Information is key – The last thing you want to be doing in the middle of a major system failure is scrabbling around for information. Worse still is sat that knowing that all the information you need is saved on the hard drive of the system that has just failed. To manage a major system failure you usually need the following things: o Key contact names and number o Copies of any support agreements o Technical information and if possible, system diagrams These items alone will not guarantee you a fix, but they do provide you with all of the raw information you need to get the right people together and to make the right decisions. Make sure all of this information is held in a paper format, ideally in a file that can be accessed easily. Assign an owner and if anything changes make sure it is updated.
2. Deadlines help focus the mind – One of the first questions we always ask at the start of a major system failure is “when do we need to get the service back?” Now there are always two times’, the time the customer would like it back (which is normally in the next hour!) and the time the customer actually needs it back. Working to an unrealistic and unnecessary deadline causes corners to be cut and poor decisions to be made. This can result in only a partial success which just comes back to catch you out later on. Deadlines should be driven around key business activities and if flexibility exists always take the latest window. Experience has told us that if a technical person tells you how long it will take to fix, always multiply it by 3.
3. When to have a plan b – Having clearly understood deadlines also allows you to re-plan when things are not going well. If you have been working on a strategy for 12 hours and you only have 4 hours left, it may be prudent to start considering other options. It is not normally efficient to approaching a problem from various angles. Firstly, resource and costs do not normally allow it; secondly, it pays to have all of your knowledge working in the same direction. BUT occasions do occur when no matter how long you have been working on it or what resource has been thrown at it, the break through has not been made. The hardest (and sometimes bravest) decision is to ask all of the support people to down tools for a short period of time and to start consider contingency plans or other avenues of investigation. Normally they will want to continue to explore their current theory and that’s fine, but at some point you have got to start putting other eggs into the basket and getting the framework of these into place.
4. If needed, allow one to direct whilst another one writes – I had only been in the job for 6 weeks, when I received a phone call from my boss telling me our main computer room was on fire. This resulted in multiple systems failing and having to juggle a lot of deadlines and support people. The approach was quite simple, he directed the operations and I recorded everything, no matter how trivial or insignificant. From the times that people arrived on site, to decision we made (and who signed them off) down to things we needed to check and key deadlines, it was my responsibility to capture everything and then remind my boss of any key points or key times. This is only really relevant for big system failures or when you lose a few systems at the same time, but by clearly define the roles of the “manager” and the “scribe/reminder” the problem can be managed much tighter with key issues not being missed. Also when you come to trace your steps later on (to prevent it happening again or to review what worked and what did not), you will be surprised the small details that are recorded.
5. Conference calls – Most system failures normally involve 4 groups of people:
a) Those controlling it
b) Those trying to fix it
c) Those who are directly affected
d) Those who are indirectly affected but just want to be involved
The most time consuming part of managing a system failure is normally around the areas gathering information, making decision and keeping people updated. Depending on the size of the groups involved, the most efficient way to do this is to utilise one of the many telephone conference call services advertised on the internet. With rates of around 5ppm billed directly to the caller bill, these can be a low cost method of updating large groups quickly as well as discussing possible options without people feeling left out. Be aware that these non face to face meetings need a strong person in the chair and the expectations of meeting need to be outlined at the start. Due to people’s attention span tending to drift quickly, the chair should take the opportunity to recap and clarify points on a regular basis.
6. Don’t change anything without … – Recording it and making sure, everyone who needs to agree to it. It is so easy in the heat of a major system failure to stumble across a possible fix and to make changes in quick succession with no real rationale of why you have done it. Worse still, if the changes do not work (and notice the emphasis on “changes” as it normally results in several), it is very difficult without referring back to records, to remember exactly what was changed and why. This is especially relevant if several different individuals have provided the support over a prolonged period (as at the point of regression, some of them may be catching up on their sleep). Agreement to change to important for two reasons; Firstly, most changes come with a risk. The risk that you may extend the outage or the risk that it may do more damage that the current situation you find yourself in are two which spring to mind very quickly. Therefore, it is essential that in controlling the system failure, you set up a small group of people who will validate any decisions and where necessary question the reason for them. These do not have to be people from the end user community, but it is benefitial to have someone who understands the business and can explain the impact if the change causes further issues. Secondly, some changes need a level of technical understanding. A change to “system x” to resolve a problem may seem straight forward but in doing so may cause a new problem for “system y”. It is essential that all changes are considered within the scope of all of your computer systems, not just the one that is broke.
7. Trade off full service for vital business functionality – The common approach when dealing with a system failure is normally to want to restore the full service but when deadlines are short or the availability of technical support is limited consideration should be given to restoring vital business functionality only. Vital business functionality as the name suggests, looks at restoring only the key aspects of a system that the business needs to continue its operations to maintain a state of profitability or customer satisfaction. It is not normal for companies to have this documented for each system (although that would be beneficial), but generally is discussed near the start of a system failure to establish requirements early on. This gives the technical support the option of restoring a partial service to keep the business going or to try to fix the full problem.
8. 18 hours is enough! – Whether it is the support staff or the person managing the system failure, productivity and accuracy start to get impaired at around 12 hours into the fault. Once you hit 18 hours, your effectiveness is significantly diminished. Strangely, this does not seem to be influenced by when you last woke up from a nights sleep, so whether the problem starts at 9AM or 9PM the 12 & 18 hour rule seems to be the same (the difference is in your personal recovery time after getting the next good nights sleep!) Whenever a system failure is drawn out and due to its impact on you business you are working into the late hours, you should always aim to have a handover point somewhere between the 12–18 hour mark. Don’t forget, that this handover should include a full briefing of all the decisions that have been made and any courses of action that are currently being considered along with a summary of key milestones that are due to appear.
9. Blame has no place in restoring the service – It is so easy in the heat of dealing with a system failure to start looking for someone to blame. This is normally linked with the question why? Why did it happen? Why did we do it at that time? Why did we listen to that advice? Why didn’t we take a backup? All of these whys are great questions and actually add to the prevention next time, but during the failure they can encourage negative feeling or create barriers. No matter how much you want to pin the blame on someone or something, it should always be avoided, your energy is best invested in finding out why the failure has happened and what you need to do to fix it.
10. Restoration is only half of the job – Once you have returned your service back to a useable state, it may be time to take a deep breath and pat both yourself and any people who have assisted you firmly on the back. But good problem management does not stop there. The next steps involve fully understanding and documenting both the reason for the failure and what actions were taken to restore the service back to normal. Following this, actions to prevent it happening again need to be identified and where costs allow, implemented.