Fall World 2014

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 27, Issue 3

Full Contents Now Available!

DRJ Blogs

DRJ Community Blogs
Oct 31
2013

The FEMA Private Sector Tip of the Week: Beware!

Posted by Tom Phelan in Untagged 

Tom Phelan

The Tip of the Week: Private Sector Beware! By Dr. Tom Phelan Thursday, October 30, 2013, 8:07 a.m. EDT – This morning I received an e-mail from fema@service.govdelivery.com titled FEMA Private Sector Resilience Tip of the Week. I usually scan these, but today, attempted to follow the enticing title through the thread provided in the e-mail.

FEMA Private Sector Resilience Tip 10/28/13: Prevent cyber threats from impacting your business systems network. http://go.usa.gov/WrPP.

Oct 31
2013

VA TECH Vindicated!

Posted by Tom Phelan in Untagged 

Tom Phelan
I have said from the start that notifying everyone in a community of a threat due to what appeared to be a domestic dispute is not a leadership or law enforcement responsibility. VA TECH has been vindicated. from the Huffington Post:
RICHMOND, Va. -- RICHMOND, Va. (AP) — The state Supreme Court on Thursday reversed a jury's wrongful death verdict against the state stemming from the April 16, 2007, killing of 32 students and faculty at Virginia Tech in the deadliest mass shooting in U.S. history.
The justices wrote that the state had no duty to warn students of the potential acts of the case's lone gunman, who initially shot two in a dormitory. Hours later, he killed 30 more people, then himself.
The parents of Erin Nicole Peterson and Julia Kathleen Pryde sued the state for negligence, contending that university officials should have warned the Blacksburg campus of the first shootings before Seung-Hui Cho killed the others, including Pryde and Peterson, at the classroom building Norris Hall.
Jurors in Montgomery County ruled in March 2012 and agreed with the families, awarding each $4 million. A judge later reduced the award to the state cap of $100,000 for each family.
The state argued that law enforcement officials believed the first shootings were the result of a domestic dispute and they concluded the larger campus was not at risk, even though the gunman remained on large.
In the opinion, the justices agreed, writing, "it cannot be said that it was known or reasonably foreseeable that students in Norris Hall would fall victim to criminal harm."
Oct 29
2013

BCM/DR/ERM Terms: The Difference Between a Disaster Mgmt and a Crisis Mgmt (An Outsiders View)

Posted by Alex Fullick in Disaster Recovery , Business Continuity Management , Business Continuity

Alex Fullick
Recently, I was asked to sit in on a meeting – not participate mind you – and listen to some discussions that were going on regarding a project.  The discussions revolved around requirements and were pretty intense and detailed at time.   The point is, there was a question asked about Disaster Planning and Business Continuity Plans (BCP) and if they had to include anything in their scope.  My ears perked up on this one…and yet, I had to keep quite.The question asked by one of the attendees was this, “What’s the difference between a disaster and a crisis?”  Of course, I wanted to answer this but a quick look and grin from the individual that asked me to attend, told me not to interrupt because she knew I was chomping at the bit to jump into the fray.What I found interesting was the explanation given by one of the meeting participants, who I found later, had no involvement in Disaster Recovery (DR), Business Continuity Management (BCM) or Emergency Response Management (ERM) for that matter.  They weren’t even up to speed on technology; he was a business analyst (BA).  But his description was something I thought I’d pass along to others because it really got the message across to people in the room; something many of us have stumbled over in the past when trying to explain our industry terminology to ‘outsiders.’   I’ve paraphrased all the comments by the meeting participants into two descriptions below.  Before I forget, I’m not stating one way or another whether he was right or wrong, just conveying some information that might help others when communicating the differences or terms related to DR, BCM and ERM.A Disaster Is…“An event that causes major problems for a company or community…”“A disaster is something that happens suddenly and you have to immediately respond to it…”“With a disaster you have impacts that are immediately apparent…”“…something major that stops us from working.”“…something that has gone beyond normal crisis management processes.”“Everyone is impacted and involved…”A Crisis (Management) Is…“…is the management of the disaster or emergency situation…”“…a group of knowledgeable leaders (Note: “leader’ wasn’t defined) that make decisions to ensure activities      start/complete when required…” “…a team that coordinates response  activities…”“…the Single Point of Contact for questions and guidance as to what to do…”“Following documented plans and procedures to help respond to the situation…”“…managing the situation before it becomes a full-scale disaster.”“…not everyone needs to be involved with the management of a crisis.”I thought it was rather interesting coming from someone not in the industry, especially knowing how much people get these terms (and others) confused.  At least not one asked what the difference is between a contingency plan and a recovery plan.The descriptions are rather simplified and effective.  People understood after a minute or two what was being discussed and it helped get the meeting moving.  With industry terminology, it can get very confusing because there are so many different variations on what both of these mean; even among industry experts, professionals and practitioners.   Corporations that offer DR/BCM/ERM services also end up using their own terminology as well, so that adds to the confusion.I thought this person didn’t too badly of a job of stating the difference.  Of course, I wanted to state a few things but since he got his message across to a large group that had difficulty understanding between the terms.By the way, when they were completed, they decided they didn’t need to include DR, BCM or ERM in their project (Hope that doesn’t become a jinx on their project…) **NOW AVAILABLE** “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility”and“Made Again Volume 1 – Practical Advice for Business Continuity Programs” by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3Available at www.stone-road.com, www.amazon.com & www.volumesdirect.com
Oct 29
2013

Hurricane Sandy One Year Later

Posted by Vicki Thomas in hurricane sandy

Vicki Thomas

Today, Oct. 29 marks the one year anniversary of Hurricane Sandy. This was the most devastating storm of 2012 and the second most expensive in the history of the United States. 

A quick online search reveals a range of opinions, facts and photography collections that tell the story of Hurricane Sandy. Lives were lost. Homes were destroyed. Livelihoods were crushed. People have started to recover - some areas of the Eastern Seaboard are in "better" condition than they were before the Superstorm Sandy hit. 

Oct 28
2013

A great honor

Posted by Annie Searle in Untagged 

Annie Searle

Events near the end of October have a way of forcing me to choose among equally enticing prospects.  Rather than attend this year's Executive Women's Forum in Scottsdale, I flew to Reno to help present the 2013 Hall of Fame Awards & Gala for the International Network of Women in Emergency Management and Homeland Security.  The event is only three years old.  I was honored and amazed to be inducted in 2011, along with Eleanor Roosevelt and Clara Barton.  Last year's inductees were splendid.  And this year, we kept the bar high.
Two distinguished Washingtonians were honored:  Mary Schoenfeld, a pioneer in the field of emergency management and school crisis management.  She's been in the field over 30 years and has written 5 books and countless articles. She is an inspiration to each of us.  Here, she is pictured in the president of inWEM, Dr. Jacqueline McBride, who also hosted the evening's festivities.
Also honored in memoriam was Ben Dew from FEMA Region Xand prior to that, Washington State emergency management.  He is the author of the strategy we now call "Neighbor Helping Neighbor."  More than one person remembered him and his "Never give up" mantra during the evening.
And there were others who received awards that evening as well, including four of the women pictured below.  Left to right:  Judge Renee Cardwell Hughes (Red Cross), Cheryl (on behalf of Delta Sigma Theta), Fire Chief Toni B. Washington, Dr. Meloyde Batten-Mikens (2012 awardee), and Fire Chief Debra Prior.
Here's Mary Anne McKown, author/synthesizer extraordinaire for some of our finest national documents, including the National Response Plan, the National Response Framework, and the National Emergency Communications Plan.  That's just a small taste of the work she began when she left Booz Allen become a government employee after 9/11.
Different stories for each of the awardees, but overall you could say that each of these women understands public service, the notion of giving back on behalf of something larger than yourself, and a keen desire to leave the world a better place.

Oct 25
2013

Government shutdown does not halt growth of data

Posted by Jarrett F Potts in Government as risk , DR , Data Backups , Data

Jarrett F Potts
During the shutdown, slowdown or whatever you call it, did you stop using your phone, sending emails or going to work? No. For the majority of us, the only thing that actually shut down was our goofy government and wonderful representatives (all of them). The fact is, the rest of the world just kept on working. We did not have a choice.

 Funny thing. This living being that is “big data” kept growing while we continued feeding it with our day-to-day use of electronics. You used Facebook and the bank and everything else. 

 Here’s the real question. Did the IT departments of the banks and Facebook shutdown too? Did all the data protection solutions in play stop working because the government decided not to do its job? Again, the answer is no.

Oct 23
2013

Disaster Recovery Compliance for Credit Unions– Impact, Testing and Analysis

Posted by Adnan Raja in Untagged 

Adnan Raja

 A disaster recovery plan protects a business's IT infrastructure and allows this infrastructure to recover quickly during a disaster. A recovery plan specifies the steps that a business needs to perform during a disaster and is typically kept in written form and in a secure environment. A DRP covers natural disasters such as hurricanes or earthquakes that physically damage the infrastructure or impair the ability of personnel to take appropriate action. It can also protect a business from man-made disasters such as acts of terrorism or equipment failures.

Oct 19
2013

Getting off the Roundabout

Posted by Ken Simpson in Thinking beyond ...

Ken Simpson

This is my first post on the DRJ blog, I appreciate the invitation to contribute and hope the readers derive some value from my contributions.

My primary aim will be to promote, or at times provoke, discussion. So I am going to link together an “opinion piece” on the blog with a discussion on the DRJ LinkedIn group. Sometimes it might even start the other way around!

Oct 18
2013

12 Tips, Trips & Traps: The Business Impact Analysis (BIA)

Posted by Alex Fullick in Business Impact Analysis , Business Continuity Management , BIA

Alex Fullick
Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA. The following are some common mistakes that need to be addressed to ensure that the BIA is effective: 1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program. 2. No Timely Follow Up of Results – A BIA is conducted almost always in support of an enterprise-wide business continuity program. The real value of a BIA is the follow-up activities that lead to effective recovery strategies being implemented based on the BIA priorities of the business processes. Occasionally, so much effort and cost is put into the BIA that business continuity planners never get around to fully implementing the follow-up recovery strategies and plans. Without the implementation of these follow-ups, the value of the BIA becomes wasted. 3. No Agreement on Scope (Level of Detail) – This level of detail can span an entire spectrum. On one end, some BIAs will contain relatively little detail to provide a higher-level executive view of the analysis. On the other end, and far more prevalent, are BIAs that include for each business process its corresponding input dependencies, output dependencies, recovery point objectives, recovery time objectives, and financial impacts. The common mistake here does not involve selecting the right or wrong level of detail – what’s appropriate for one company may be totally inappropriate for another – but rather, failing to reach agreement among all relevant parties as to what level of detail best meets the requirements that are driving the BIA in the first place. 4. Minimal Executive Support – One of the factors that most influences the relative success of a BIA is the degree of executive support offered at the outset. The kickoff process usually consists of two parts: a widely distributed email and an initial presentation. The email should come from the highest level executive sponsoring the BIA and should be distributed to all parties who will be participating in the effort. The email should emphatically voice the executive’s support for the project and insist on the support of al participants, particularly during the interview process. 5. Poor Questionnaires – An important step of any BIA is the collection of data from business units. The manner in which this data is asked for often spells the difference between a full, timely and meaningful collection of data, and one that is delayed and incomplete. One of the best ways to avoid this situation is to develop survey forms that are thorough enough to capture all relevant information and simple enough for business users to complete quickly and easily. 6. Lack of Preparation for Interviews/Workshops – Interviews are the cornerstone of a successful BIA, yet few planners prepare adequately for them to ensure their effectiveness. Interviewers need to learn as much as they can about a given business unit prior to the meeting, including a thorough review of the respondent’s survey. 7. Lack of Critical Focus – Analysts frequently make the mistake of asking business users ‘what are the most important business processes within their department?’ The reason this is a mistake is because virtually all critical business processes have a large degree of importance and value – otherwise they would not be designated as critical – resulting in less likelihood of it being easy to prioritize processes according to value or importance. A much better question to ask is ‘how long can a business process be idle before major impact is felt? 8. Focusing on the Tools Instead of the Process – Some analysts who conduct BIAs become very focused on the tools they will be using in the collection, compiling and analyzing the data provided by the business users. The emphasis often shifts inappropriately from the process being used, to the automation that can be applied to the process. There is an inherent flaw in this approach. If a poorly designed manual process that is being used to collect and analyze the data suddenly becomes automated, what you typically end up with is a poorly designed automated process. 9. Ineffective Interviewing Technique – I have known more than a few BIA analysts who preferred to rely solely on surveys, questionnaires and emails to collect needed data. The example previously cited concerning the over-focus on tools shows how this can less than desirable results. Analysts often say that setting up interviews can be more hassle than it’s worth. They will mention how interviews often start late, or may be cut short, or have to be re-scheduled, or cancelled altogether. In my experience, the real reason some BIA analysts try to steer clear of face-to-face meetings is that they tend to use ineffective techniques when interviewing business process owners. 10. Insufficient Results Analysis – Analysts conducting a BIA collect a wealth of information during the course of their efforts. But the value of this information is sometimes diminished by poor or incomplete analysis of the data. Analysts need to look for trends, patterns, relationships and discrepancies among and within the data to ensure a thorough and meaningful analysis. 11. Unclear Presentations – Data that is thoroughly collected and well analyzed is sometimes de-valued by an unclear or confusing presentation of the information and results. Managers in general and sponsoring executives in particular, expect BIA analysts to summarize their results in high-level presentations that are succinct and effective. Unfortunately, this does not always happen. Analysts gather a huge amount of data in the process of conducting BIA. In compiling and analyzing this data, analyst sometime err on the side of presenting too much information rather than too little. 12. Undefined Scope – Often, the BCP focuses entirely on system restoration. Resumption of business needs to include the people and processes required to resume operations. Many BCP programs are headed up by IT departments. ‘Tunnel vision’ can often cause these departments to focus on system recovery and not take the people issues into account. During an event, the people issues are often the most difficult to resolve. The scope of a business impact analysis (BIA) pertains to the number of business units, such as Finance, Administration and IT, which will be participating in the effort. Don’t let your BIA efforts fall to the wayside; make sure you have strong BIA approach and you’ll end up with a strong BCM / DR program. (C) StoneRoad (A.Alex Fullick) 2013Alex Fullick is the author of several books including the latest, "Business Impact Analysis: Building the Foundation for a Strong Business Continuity Program"  (Available at www.amazon.com or www.stone-road.com/shop.)
Oct 18
2013

A pair of debriefs

Posted by Andy Osborne in Exercising and testing , Business Continuity Management

Andy Osborne

By Andy Osborne, Consultancy Director at Acumen

It's fairly standard practice to hold some form of debrief at the end of an exercise or test, which is a very sensible thing to do. It helps to ensure that any issues and actions arising are captured and it's a good way to obtain feedback from the participants on how they thought things went. But some debriefs are a bit on the, well, brief side. Because it comes at the end of what can sometimes be a lengthy or challenging, sometimes stressful, session, it can be all too easy to make the debrief too brief. There can be a temptation to let people "get away" so that they can return to their day jobs. But the danger is that, once they do so, all the good stuff that the exercise teased out will be forgotten within a couple of weeks or, at best, vaguely remembered but not given the attention it deserves.

That's not to suggest that the debrief should be overly lengthy, just that sufficient time should be allowed  to ensure that everything that needs to be captured is, so that a follow-up action plan can be agreed.

And, whilst it may seem like a bit of a luxury, it can be very beneficial to hold two debriefs - a "hot" debrief immediately after the exercise or test and a second, "cold" debrief a couple of weeks later, after the proverbial dust has settled. Go on, be honest, how brief are your debriefs? And how many do you do? If you don't already do so, why not give the double-debrief a try after your next exercise or test and see what the results are like?