Jon Seals

Most agree that working from the top down, meaning to first identify corporate objectives and then focus on the details of how to achieve them, is what most managers wish they could be doing more of. However, the reality is most managers are so busy with day-to-day activities that little time is left over to work on the big picture. Everyone agrees the role of ERM is for risk management to be involved in the "key business decisions"; however, some misinterpret this as interviewing only the senior executives in "big picture" assessments. In reality, aligning the day-to-day activities of all managers to the strategic objectives set by senior leadership, and then aggregating and analyzing this information, is the winning approach.

So how is this accomplished?



Computerworld — Not long ago, IT consultant Mark A. Gilmore was called in to help an IT department that was struggling with project overload. "They'd gotten this kind of attitude -- the executive vice president calls it 'Burger King Syndrome,'" he recalls. "Their approach was, 'You can have it your way.'"

The business executives believed IT could supply whatever they wanted, whenever they wanted it. Salespeople had gotten into the habit of asking the development team to create applications within a week to fulfill promises they'd made to customers. As a result, IT employees were spending about 80% of their time reacting to crises or struggling to meet impossible deadlines rather than calmly planning their workloads, says Gilmore, president of Wired Integrations in San Jose.



Network World — When the moderator of a panel discussion at the recent RSA conference asked the audience how many thought their risk management programs were successful, only a handful raised their hands. So Network World Editor in Chief John Dix asked two of the experts on that panel to hash out in an email exchange why these programs don't tend to work.

Alexander Hutton is director of operations risk and governance at a financial services firm (that he can't name) in the Greater Salt Lake City area, and Jack Jones is principal and Co-Founder of CXOWARE, Inc., a SaaS company that specializes in risk analysis and risk management.



CLUSTERS of corporate techies hunched over their laptops one recent evening in Mountain View, California, feverishly trying to figure out how RK Industries hacked into and stole critical information from its rival, EntraDyn.

It’s a common occurrence, but in this case the firms were fictitious, and the event—a simulated exercise put on by security firm Symantec—featured rock music, a buffet and an open bar for the participants. Even so, it had a serious purpose: Increasingly under Internet attack, more and more businesses are using “cyberwar games” to learn how to spot and counter the tricky tactics used by hackers.



John Bartlett CBCI, DBCI

BC shares common goals and objectives with other management activities. When implemented correctly and with maturity, BC can provide significant benefit through the sharing of key information and the prioritisation of activities.

The Business Continuity Institute (BCI), a recognised world leader in setting and communicating best practices for BC, states that an organisation’s vulnerabilities in its business and operating model can be categorised into seven areas: Reputation, Supply Chain, Information and Communication, Sites and Facilities, People, Finance and Customers. It can be argued that the categories of Technology and Processes should also be included in this list. Anything that can affect one or more of these categories can potentially disrupt the organisation and therefore should be reviewed and/or considered by the organisation’s BC.

That does not mean that the BC function should manage areas that could introduce a vulnerability under these categories, but it does mean that BC should perform a Quality Assurance and Governance role to ensure activities that could introduce vulnerabilities are being performed correctly, diligently and with the necessary controls. This will ensure BC remains a pro-active measure within the organisation as well as a reactive one.



The official hurricane season is June 1 through Nov. 30, and every year there are named storms and predictions. Each of us has a personal responsibility to have our homes and businesses prepared.

Disasters can hit the economy hard, and with tourism being the number one industry in Manatee County, we must embrace the concept of year-round preparedness and be able to jump back quickly for the good of our community.

If you think about it, we are focused on preparations for hurricane season, but emergency preparedness can help a business survive when any kind of disaster strikes.



Let’s face it. We are always online in one form or another. If I am not watching television, checking mail, or using one of the 44 apps I have on my smartphone, then I am probably sleeping. Because of these use patterns, the demands on application availability are on the rise, and data is exploding. So let’s think about these two forces and how they impact disaster recovery (DR) planning for your businesses. These forces increase the DR workload for IT staff. As a result, your IT staff may be spending more time on DR instead of supporting strategic and revenue-generating projects. In other words, IT is only helping to maintain the business, not grow the business.

Cloud disaster recovery may be the answer

How do you overcome tight budgets and leaner IT staff when you are constantly being asked to do more with less? Well, you might consider “out-tasking” DR management by using cloud-based disaster recovery services.



Every managed services provider (MSP) has had a question or two on backup and disaster recovery (BDR). To help answer some of the top questions, we reached out to disaster recovery (DR) and business continuity (BC) solutions vendor Datto to find out what MSPs have been asking them. Take a seat, grab a pen and paper, and pay attention to what we've learned in this MSPmentor exclusive. But don't worry, there won't be a test.

Datto Sales Manager Hallett Nichol helped us with his insights on this topic. His answers focused on costs, bandwidth and local recovery capabilities.



The highly regulated health care industry has long generated attendant compliance risks. However, a recent spate of legislation and updated regulations, a new Office of Inspector General (OIG) Special Fraud Alert, and increased government enforcement actions are shining a bright light on some of the top compliance risks facing today’s health care professionals. This article reviews the risk areas of strategic relationships and patient information and offers smart steps to consider for health care organizations seeking to mitigate such risks.

Risk areas: strategic relationships, patient information

Federal and state government mandates calling for improved reporting of patient outcomes are among factors driving the formation of strategic relationships between hospitals (providers) and physician groups, providers and health plans, and providers and pharma/medical device manufacturers. The increasing proliferation of risk-/gain-sharing partnerships such as Accountable Care Organizations (ACOs) and other physician-owned entities (aka physician-owned distributorships, or “PODs”) generates numerous compliance risks. Of particular note are risks associated with provisions and regulations such as the following:



Getting people to think about business continuity and include it in their daily lives is one of the most difficult and underestimated aspects of a business continuity programme, yet it can make or break the perception of how successful the programme is. It doesn’t matter how good your resilience and continuity are; if people do not know about it, what to do in an incident or how to maintain it, then you have failed to achieve some of the fundamental principles of implementing business continuity.

This requires communication in the form of education, training and awareness on your organisation’s business continuity at all levels: staff, management, Directors and key suppliers. Embedding business continuity in the organisation requires an organisational culture change. Organisational culture is often described as ‘the way we do things’, which can be broken down into a collection of shared values, working styles and patterns of behaviour, typically enforced by a set of strong social controls which establish behaviour and control the behavioural patterns. Industry experience has shown that behaviour change initiatives fail to achieve lasting commitment unless attitudes and beliefs are also engaged and corrected. One such attitude which occurs frequently as a barrier to BCM is: ‘it will never happen here’ or ‘it will never happen to us’. In 2003, when embarking on my first BCM project in Oman, I heard these exact comments when discussing BCM threats and risks relating to Cyclones, Hurricanes, floods, industrial disputes and civil disorder/strikes.