Charlie discusses how the UK power supply crisis could affect your organisation.
A couple of weeks ago one of the lead stories in the news was the fire at Didcot B Power Station, a gas power station in the South of England. The station, which within the last couple of days has just been brought back on line, now has a power output of about 350MW; roughly half its normal capacity of around 700MW. The issue of power supply to the UK has been in the news for the last couple of days. The spare power capacity within the UK, which a couple of years ago was 17%, has now been reduced to 5%, and this may lead to the possibility of loss of power or brownouts.
A brownout is an intentional or unintentional drop in voltage in an electrical power supply system; intentional brownouts are used for load reduction in an emergency. They can have a number of different effects on electrical systems, which can vary from the lights dimming to burnouts of electrical motors. Equally worrying is that it can affect digital circuits in unexpected ways, such as making an electric motor run backwards, or it can cause them to produce false readings.
The management of power supply within the UK has been a creeping crisis for many years. The governments have failed to invest in new power supply, lacking the political will power to build new power stations, which are usually controversial. Cracks in a number of nuclear power stations have put some stations out of action leaving the country with limited spare capacity. The further loss of generating capacity coupled with a very cold winter, leading to increase in demand, could cause brownouts to occur or areas to lose power.
So what should we as business continuity people be doing?
1. Perhaps the first action is to ensure you have an up to date inventory of your existing standby generators and any generator contracts you have in place. Once you have identified where you have standby generators, look at when they were last run and how well they are maintained. It is also important to check when the calculation was made on the size of the generator to be purchased and is the generator meant to power the whole building or only parts of it. Often generators were purchased and several years later the power requirement for the building has increased making the generator inadequate to power the whole building. You need to check whether the generator has been tested “on load” powering the whole building with all the normal machinery up and working so you can make sure it can power the whole building. Often generators are tested to see if they will start and run but they are not actually tested “on load”.
2. Once you have made sure that your generator can power the whole building or at least the critical bit, it is worth checking back through your BIA to check the critical services are being hosted in the building, or does the building have a standby generator for historical reasons and no priority activities are being undertaken in the building. There may be an opportunity to move higher priority activities into the building to take advantage of the protection the generator gives.
3. Once you have established which of your sites have standby generators then you can look at the impact a loss of power or a brownout would have on your operations. This may lead to business cases needing to be written and funding granted for the installation of standby generators. The only caveat on generators: I once heard a statistic that up to 50% of standby generators don’t work when they are called to work in an emergency, so make sure that yours is well maintained!
4. Earlier in the bulletin we talked about the possibility of having generators on call but not having a permanent one on site. Trying to hire on the day of the incident may be difficult as, if the incident is widespread, everyone may be trying to hire them and the number and types you require may not be available. If you think hired-in generators are a solution then you should consider several issues: having them “pre-plumbed”, and establishing the power requirements of the building before the incident occurs so you know the size of generator. Then on the day of the incident all that is required is for the call to be invoked and for the generator to be plugged into a socket, and the building is connected to power.
One of our many roles as business continuity managers is to "horizon scan" and identify new threats. Possible power issues have been highlighted on the news and it is our role to review the threat for our organisation and suggest appropriate mitigation measures.
Charlie Maclean-Bristol, FBCI, FEPS, Director of Training, PlanB Consulting. PlanB Consulting is able to provide continuity planning risk assessments, advice and contingency plans for any organization. www.planbconsulting.co.uk
Charlie Maclean-Bristol, FBCI, discusses whether the time has come for business continuity managers to make contingency plans for an Ebola pandemic.
Spain is now dealing with the first case of direct infection of Ebola in Western Europe; the first Ebola death has occurred in the United States; and the World Health Organization has warned that ‘Ebola is now entrenched in the capital cities of all three worst-affected countries and is accelerating in almost all settings’. So has the time come for business continuity managers to make contingency plans for a possible future Ebola pandemic? I think the answer to this question is, yes, we should be.
I am not suggesting that you immediately go out to the supermarket and buy lots of tinned food and water, barricade the house, be prepared to operate on battery power and bottled gas and then lie low.
What I am suggesting is that we should be quietly thinking about how a possible Ebola pandemic might affect our organization; thinking through what an Ebola plan might look like; and monitoring the situation to ensure that you are ready to react if the situation escalates further.
So what at this stage should business continuity managers be doing?
1. One of the first tasks we should be doing as business continuity people is looking at what our possible exposure to Ebola is. What is our staff exposure to the disease, do we have staff travelling in areas, which have had cases of Ebola? As the disease spreads further, which most commentators are saying that it will do, then cases of Ebola may arise in a variety of places. We may have to react quickly if our staff are in the same area or they may be stranded by a country travel ban.
2. What is our supply chain exposure to the disease and does it involve West Africa? Again, like staff travelling, as the disease spreads and turns up in expected areas then it may affect our supply chain.
3. If the disease was to take hold in our country how would it affect our organization and would it create more work for us or less? If we work in an organization that would be responding to a pandemic (for example healthcare services) or are a supplier to such an organization, then it is likely our workload will increase. If our organization supplies essential services or part of the country’s ‘critical infrastructure’ such as power, food, water, etc. then we will be under a lot of pressure from government to keep working. Whilst if our organization does not supply something critical then we can perhaps temporarily close down our organization without a major impact beyond our own employees. Any contingency planning should reflect how it affects the individual organization!
4. Once we understand our exposure, then we should be engaging with senior managers in our organization and discussing our organization’s exposure and what action we should be taking at the moment. If we have no exposure then perhaps we should be agreeing to continue to monitor the situation. We may want to agree at this stage what sort of events might trigger further action. If we have a larger exposure then perhaps we should start some contingency planning and engaging with those parts of the business or people who may be at risk.
5. I think at this stage it is very important that we are not seen to panic or to overreact, as this might undermine any other contingency planning for other events; may undermine the credibility of the individuals involved in contingency planning; and may undermine any further escalation within the organization if this is required. Especially if there is a risk to our organization, some measured communication to staff informing them of appropriate risk reduction measures to take, any travel bans and what to do if they think they have been in contact with someone with the disease may help reassure them that you are thinking about the risk and taking appropriate action.
6. It may be appropriate for your organization to carry out some contingency planning to cover scenarios such as loss of a key supplier; if a staff member becomes infected; or if parts of your organization were quarantined. This may involve dusting off influenza pandemic plans and other contingency plans and seeing how appropriate they are in response to Ebola and amending the plans accordingly. I suspect if there was a full pandemic, government would in the main very much dictate the response and precautions to be taken by businesses and individuals.
7. I think, in the end, if we do nothing else we should monitor the situation on a day by day basis; so that we can react quickly if Ebola might, or is likely to, have an impact on our organization.
Charlie Maclean-Bristol, FBCI, FEPS, Director of Training, PlanB Consulting. PlanB Consulting is able to provide continuity planning risk assessments, advice and contingency plans for any organization that has an exposure to Ebola risk. www.planbconsulting.co.uk
The Dallas hospital treating the Ebola patient has just announced that the patient died.
The Liberian public health and airport security personnel in Liberia did their jobs, and checked outgoing passengers at three distinct checkpoints. But airport personnel can do little when patients lie or the patient didn't know that what was thought to be malaria was actually Ebola.
We've patted ourselves on the back in this country for the sophistication of our medical capabilities, yet as I listened to the story today of the patient being sent away from the hospital in Dallas when his isolation and treatment might have meant that he would have lived, I thought once again of Dr. Atul Gawande's book, The Checklist Manifesto.
This type of error is called one of ineptitude, as opposed to one of ignorance, presumably. We don't know if this was an Ebola-specific checklist; one prepared by the hospital itself; or one from the Centers for Disease Control. A quick read of Gawande's book might be very helpful, especially if the checklist has more than 5-7 items on it, without what Gawande calls "pause points." His book is full of stories of how pilots, builders of skyscrapers and surgical teams perform extremely complicated feats, and how using checklists that involve every member of the team makes a difference. His work in this respect for the World Health Organization has made a large impact: deaths after surgeries have been reduced significantly by the implementation of several simple procedures that are part of the checklist.
I would also recommend the book to the new acting director of the Secret Service and to the panel that is currently being constituted to review the disturbing procedural/process failures over the last several years for the organization charged with guarding the president. It may be that those procedures or processes have become shopworn. Certainly it must be the case that, unless on a form of high alert (the United Nations responsibility, for example) agents' situational awareness is at an all time low. Whether this is a factor related to the move from Treasury to the Department of Homeland Security or not is difficult to estimate, but will undoubtedly be reviewed by the panel.
The tipping point I mentioned last week seems more vivid as weeks go by. Yet there was one piece of good news this morning: that it appears Nigeria, the most populous and also most well-off African country in terms of infrastructure and medical personnel, has contained Ebola. We just can't move quickly enough to get more personnel, hospitals, emergency operations centers and supplies deployed in the remaining countries.
In Tolley’s Handbook of Disaster and Emergency Management: Principles and Practice (edited by Lakha & Moore, 2004) a rising tide crisis is described as a: “Problem which creeps up gradually, such as occurs in the case of organised crime, corruption, a developing infectious disease epidemic or a steady stream of refugees into a country. There is no clear starting point for the crisis and the point at which it becomes a crisis may only be clear in retrospect.”
At present the disease is out of control in Sierra Leone, Liberia and Guinea. The latest news from the BBC says that in Sierra Leone there are five new cases of Ebola every hour and that a total of 765 new cases were reported in the West African state in the last week alone.
The problem is compounded by the fact that there are only 327 hospital beds in the country. The disease has killed 3,338 people so far. The situation is made even worse by the fact that 10% of Ebola deaths have been health professionals. Those trying to prevent the spread of the disease are being killed by it.
When the present outbreak was first known about there was little interest in Europe and the Americas. Although the disease has a high mortality rate, and there is little known about it, previous outbreaks have always been kept under control quite quickly.
This outbreak has been the worst to date and Western countries only started paying attention when the crisis started to affect them. Britain had William Pooley, the nurse who contracted Ebola in Sierra Leone but has since made a full recovery. While for the USA there were two missionaries who were brought back home for treatment and a man who returned from Liberia with the disease and is presently in a Texan hospital. The outbreak now features regularly in the news.
The USA has deployed troops to Liberia to set up field hospitals and healthcare facilities. Earlier this month, Britain said it would build facilities for 700 new beds in Sierra Leone but the first of these will not be ready for weeks, and the rest may take months. According to experts, one and a half million people could be infected by January if the disease is not halted.
I think for us, as business continuity people, a creeping crisis is one of the most dangerous types of events. It slowly builds and you suddenly find yourself in the middle of a major incident when you should have recognised it earlier. Not recognising the crisis early on may compound the effect on the organisation and lead to increased negative coverage. This is especially true when the crisis involves death or injury to customers or members of the public.
So what should you do to prevent this happening?
1. Understand your organisation’s possible vulnerabilities and make sure that any incident involving them is analysed to see if it might turn into a major incident or crisis.
2. Have mechanisms in place that look for common incidents across the organisation, especially if you are a large organisation operating at multiple sites or across many different countries. By encouraging all parts of the organisation to report issues and by analysing them centrally, you can identify patterns before your customers or the media do.
3. Think ‘worst case scenario’ and ‘what if something else happened at the same time?’ If we understand these then we can monitor the event and if they seem to be heading in the wrong direction then we can prompt the organisation to take early action and prevent the incident becoming a crisis.
4. There needs to be someone within the organisation who is responsible for identifying potential creeping crises, who can flag up potential events. This may be allocated to you or may rest elsewhere within the organisation.
With this monitoring and horizon scanning in place hopefully we can identify incidents before they become a crisis and have a major impact on our organisation.
Charlie is one of the Directors of PlanB Consulting. PlanB Consulting is a boutique consultancy specialising in providing business continuity, disaster recovery, ISO22301 and crisis management consultancy to clients in the UK and beyond.
This week Charlie discusses the Scottish referendum results.
I have written about Scottish independence before, but thought I would revisit the topic now that the referendum has been and gone.
After a long and hard fought campaign, Scottish voters backed remaining in the union by 2,001,926 votes to 1,617,989.
The result has prompted a lot of questions about what direction the country should take, with many suggesting that all UK countries should be given more powers.
As well as questions there are of course lessons to be learned, particularly in terms of the management of the referendum, which are relevant to us as business continuity people:
1. The most obvious observation is that there was a major failure of risk management by David Cameron and his advisors. As he thought the pro-independence supporters were going to lose the vote (the opinion polls were roughly 70% 'No' and 30% 'Yes' at the time) he decided not to put ‘Devo Max’ on the ballot paper. This was probably the preferred option for the majority of people. He thought the vote would not shift much, the ‘No’ vote would win comfortably and he didn’t then need to give Scotland more powers. After he originally agreed to the wording of the question, the support for independence grew and as the vote drew closer it looked increasingly likely that independence would happen. It seemed like this possibility was not taken into account when the question was being agreed and the basis for the election was negotiated. If you take a risk and the odds seem to be stacked in your favour you have to consider what you are going to do if the odds seem to shift against you.
2. Two weeks before the poll, with the ‘Yes’ campaign looking increasingly strong, it seemed that there was no contingency plan in place. Momentum is very important in politics and it seemed to be firmly behind the ‘Yes’ vote. This caused the three party leaders to seemingly panic and abandon Prime Minister's question time in order to hot foot it to Scotland and passionately argue for the Union. They pledged they would give extra powers to Scotland and said they would lay out a timetable for implementing the granting of these powers. To most people this seemed a panic measure and as though they had suddenly woken up to the fact that they might lose. Horizon scanning, as we should all be doing, and some local knowledge, might have told them that the passion for this debate was stirring in Scotland. The ‘Yes’ campaign had a very successful grassroots campaign which was turning many voters’ heads. Contingency plans and identifying the danger early on would have prevented the visit by the three leaders being seen as a panic measure.
3. After an incident it is often said that organisations are never the same again. Pressures and the impact of the events have a lasting impact on the people who are involved. In Scotland this is most definitely the case. A whole section of people have been energised by the debate and want to pursue their goals of social justice and independence further. I was hearing on the radio that many people are in mourning as they genuinely felt that there was going to be a vote for independence, even if that was not what the opinion polls were telling them. The debate and the vote have changed Scotland. How this will manifest itself and the legacy of the referendum will become clear in the next few years. The important lesson for us is to learn that after an incident your organisation is likely to change and the change may be fundamental.
4. Lastly there is a very important lesson for incident communications from the event. During an incident people hear what they want to hear. Anything which reinforces their point of view is listened to and they don’t hear the logically-reasoned counter argument. It seemed to me that certain sections of the ‘Yes’ campaign would only listen to facts which supported their own argument and blocked out any that disagreed with them. When all three parties said Scotland couldn’t continue to use the pound, their reaction was not to propose an alternative currency but to claim those saying this were bluffing. When a number of senior members of the EU said that Scotland would not automatically become part of the EU they again claimed that this was not true and quoted another source which said they would automatically become members. We need to recognise that people may think they are victims in an incident and blame your organisation. However much you say it is not your fault, they have set in their mind it was your organisation which caused it and they will not listen to any communications from you. Just because you put out a firm rebuttal with lots of reasons why it is not your fault there is no guarantee that the ‘victims’ are listening. You may have to redouble your communications or use different methods and channels to reach them. You may just have to recognise that in the end they will always believe what they want to believe and that any communications may never change their mind!
We will see how the situation pans out over the next few months.
Food is a universal language. So is man’s need to survive. Whether in the business world or the kitchen we need a simple recipe for business continuity success. In this four part series I’ll introduce you to the four basic courses necessary when cooking up an appetizing and rewarding business continuity program. This week the focus is on doing what’s good for us…exercising and eating our veggies!
DRJ Fall World is just around the corner, so now is the perfect time to turn our attention to the companies who help us ensure we can provide you with a top-notch learning and networking experience.
Gold Sponsor: Send Word Now: Headquartered in New York City, and founded as a direct result of personal experiences during 9/11, Send Word Now is the leading worldwide provider of on-demand alerting for crisis communication. The company’s easy-to-use, web-based emergency notification solutions and mobile applications are today utilized by businesses, government agencies, universities and non-profit organizations to ensure fast, effective and two-way communication when it is needed the most. Send Word Now's enterprise-class and award-winning notification service is capable of transmitting tens of thousands of voice and text messages in minutes, while ensuring a full audit trail for after-action reporting and follow-up. Its conferencing and workflow solutions keep everyone informed and connected to the people and information necessary for safety and resilience. At Send Word Now, a Silver Sponsor of DRJ Spring World 2014 and Gold Sponsor of DRJ Fall World 2014, every message counts.
- Coop Systems: myCOOP is COOP System’s breakthrough continuity planning software. The patented design was built from the ground up by world-class eCommerce developers.
- Dell: Good communication is at the heart of every successful business. Eliminate the hassle, risk and stress of email management and be prepared to communicate with your team anytime anywhere with Dell Cloud-Based.
- Deloitte: Deloitte is widely acknowledged as a leader in security by prominent analyst firms. Breadth of capabilities across the disciplines of risk management, IT consulting and organizational transformation allows us to define an approach that can efficiently and effectively align people, process and technology.
- EBRP: eBRP Solutions Inc. provides web-based tools and utilities, as well as consulting services. ESN develops tools and utilities focused on core requirements.
- Forsythe: Since 1971, Forsythe offers technology and business consulting services, technology leasing and products from all leading IT infrastructure manufacturers.
- IBM Business Continuity and Resiliency Services: In a world where data is the new natural resource and “always on” is standard, IBM has the proven expertise, knowledge and technology to ensure the continuous availability of your business. IBM’s portfolio ranges from innovative cloud services to full-scale compute, data and applications resiliency and recovery solutions. Please come visit us at booth 401/403 or ibm.com/services/continuity to find out how IBM can help keep your business ready, running and resilient in any condition.
- MIR3: MIR3 is the premiere provider of intelligent notification and response software for business operations or any area that needs reliable two-way notification.
- Strategic BCP/ResilienceONE: Strategic BCP leads the way in elevating the productivity and relevance of business continuity management (BCM) professionals. We help save time and money.
- Sungard Availability Services: Sungard Availability Services offers a complete portfolio of solutions to help keep people and information connected and achieve uninterrupted access.
Honestly, the sponsor and partner list for DRJ Fall World 2014 is a rather lengthy one, so we suggest you click on over to the Sponsor page to learn more about the great companies coming together to give you a fantastic conference experience. We're super thankful to our sponsors for their contributions and for enabling the creation of the DRJ Scholarship Program.
Looking forward to seeing you in 14 days in San Diego for a great few days of focused learning, discussion and networking. If you haven't registered - not to worry, there is still time! And don't forget to watch this video to get a sneak peek of what we've got planned for you.
As a reader of the DRJ blog, you know that we're busy getting ready for DRJ Fall World. Our 51st conference is happening very soon so we thought it would be useful to remind you of the information you need to have a successful conference experience.
When: September 7 -10, 2014
Where: Hilton San Diego Bayfront (1 Park Boulevard)
What: The industry's leading conference that brings together the top experts in BC/DR for information-packed days of learning, networking, and relaxing. With a theme of Building Your Program Using Best Practices, you'll leave San Diego with the skills, knowledge and confidence to equip your company with a program that really does work.
Why: Because constant learning is one of the keys to personal and professional growth. Meet with your peers and industry leaders to share ideas and learn from each other. Talk about what has worked in your organization and what hasn't worked. To learn about the latest tools, software, and services that can help you do your job more effectively and efficiently. Because DRJ has the skills, experience, and mojo to give you a conference that is all about value for your dollar and time.
Cool Stuff: Download our Guidebook App and use this handy mobile app to stay up-to-date with the latest news and happenings at DRJ Fall World. Update the schedule with your selected sessions, break-out tracks and workshops. Connect with your peers and grow your contact list. Review the conference maps in advance and plan your visit to our packed Exhibit Hall.
Conference Agenda: Download the agenda and plan out your days at DRJ Fall World.
Fun Times: Not only is DRJ Fall World all about learning, but it's also about relaxation and downtime. We've scheduled two hospitality events for you - a Welcome Reception on Sunday evening and a Hospitality event hosted by Send Word Now on Monday evening. Relax in one of the many nearby restaurants and pubs, take in a walk, jog, or all-out run on the nearby paths, take a dip in the heated saltwater pool, or check out the San Diego Embarcadero.
Sneak Peek: Watch this video to get a sneak peek of what you'll experience in San Diego in early September.
We'll see you very soon in San Diego! It's going to be a great few days of learning, networking, and connecting.
Corporate executives largely understand the importance of backups. Even though businesses recognize why they need data protection only a few have implemented a seamless backup, archive and disaster recovery system. Why? The lack of time, resources and energy appear on the surface to be the problem. Too many other IT and datacenter issues get in the way. At the source, however, the problem may simply be repeating pitfalls that foil successful implementations.
Here are three of the ultimately game-ending pitfalls that companies have experienced when implementing data backup and restoration incorrectly. These problems take the wind out of the sails for an IT datacenter.
Pitfall #1: Not selecting the right backup method
Most commonly, organizations do not select the method of backup which will work best for them. Organizations mostly think in terms of media-based holding tanks for their backed up or archived data. That is, they visualize their data in full, incremental or differential categories.
Full backups copy entire data sets and are resource intensive and time-consuming. The thinking follows to then capture the incremental changes made since the last full backup. After a week of incrementals they then conduct a full back up on a weekly or periodic basis. However, these incremental backups are time-consuming to restore. Therefore, many organizations opt for differential backup, which is similar to incremental backup, but it contains all data that has changed since the last full backup, not just the last incremental backup. Here again, the issues of resource hogging and time consumption that plague incremental backups resurface. At times, differential backups can even stretch to the next working day and slow down the entire system.
Organizations would do well to consider innovations such as synthetic full backup and incremental-forever backup. Synthetic full backup is similar to incremental backup, but reduces restore time by combining the existing full backup with the data from the incremental backups. Incremental-forever backup entails a full backup only one time when implemented, but then completes incremental backups forever.
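The trade-off between these methods can be made concrete with a small model. The following is an added example, not code from the original post or from any backup product: it compares how many backup sets a restore needs and how much data the last nightly backup writes under each method. The data sizes are constructed sample values, and it assumes each day's changes touch different data and do not grow the overall data set.

```python
from dataclasses import dataclass

# Constructed sample values (GB): one full data set, then six days of changes.
FULL_GB = 500
DAILY_CHANGE_GB = [20, 15, 30, 10, 25, 5]
METHODS = ("incremental", "differential", "synthetic_full")


@dataclass(frozen=True)
class BackupSet:
    day: int       # 0 = day of the initial full backup
    kind: str
    size_gb: int


def build_schedule(method):
    """Backup sets written by the clients over the week for one method."""
    if method not in METHODS:
        raise ValueError(f"unknown method: {method}")
    sets = [BackupSet(0, "full", FULL_GB)]
    for day, changed in enumerate(DAILY_CHANGE_GB, start=1):
        if method == "differential":
            # Everything changed since the last full backup, so it grows daily.
            sets.append(BackupSet(day, "differential", sum(DAILY_CHANGE_GB[:day])))
        else:
            # Incremental and synthetic full both send only that day's changes.
            sets.append(BackupSet(day, "incremental", changed))
    return sets


def restore_chain(method, target_day):
    """Backup sets that must be read to restore the state as of target_day."""
    sets = [s for s in build_schedule(method) if s.day <= target_day]
    if target_day == 0:
        return sets
    if method == "incremental":
        return sets                      # full plus every incremental since
    if method == "differential":
        return [sets[0], sets[-1]]       # full plus the latest differential
    # Synthetic full: the backup server has already merged the full backup and
    # the incrementals into one new full image (assumed same size as the full).
    return [BackupSet(target_day, "synthetic full", FULL_GB)]


def summarize(method, target_day=6):
    """Restore cost and last nightly backup size for one method."""
    chain = restore_chain(method, target_day)
    nightly = build_schedule(method)[target_day]
    return {
        "sets_to_restore": len(chain),
        "gb_read_on_restore": sum(s.size_gb for s in chain),
        "gb_written_last_night": nightly.size_gb,
    }


if __name__ == "__main__":
    for m in METHODS:
        print(m, summarize(m))
```
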
There are many factors to consider when it comes to selecting the right backup system.
Organizations need to consider factors such as retention time according to service level contracts, the technology at their disposal, the nature of operations and other factors when deciding on the data backup and restoration system to use.
Pitfall #2: Ignoring the "Restoration" Part of the Equation
Most organizations consider only the time it takes to restore the data when selecting an appropriate data backup and restoration system. Data restoration, however, goes beyond the restore time. For instance, the organization may want to review and perform file level restores rather than restoring the entire data set. Disasters do not always lead to the requirement of full backups. For instance, a system that does not allow file level restores may be useless if you want to get hold of a single file or data set that is corrupted or deleted inadvertently.
Pitfall #3: Not Having a Data Retention Policy Upfront
Another ignored area when considering the issue of backup and recovery is the data retention policy. In the age of big data, a considerable chunk of most organizations' data is considered junk and of no future use, but organizations continue to hold onto it. A well thought out data retention policy that retains only important and useful data, weeds out duplicate data and ensures the legal and compliance requirements with regard to data archiving and retention are met would streamline the data backup and retention policy effectively.
STORServer backup appliances, powered by the IBM Tivoli Storage Manager platform and CommVault Simpana 10, incorporate integrated backup, archive and disaster recovery capabilities that not only make this crucial process easy, seamless and fast, but also results in considerable cost savings. Contact us today to learn more.
Food is a universal language. So is man’s need to survive. Whether in the business world or the kitchen we need a simple recipe for business continuity success. The second “course” of this four part series takes a look at how picking the right strategy for your business continuity plan is key for its success. Also, to help deliver the “main course” I’ve invited a special guest chef - IBM’s own, Chef Watson.
Don't know if you've heard the news but DRJ Fall World is just around the corner - September 7 - 10 in San Diego. We've fine-tuned our agenda, have got a great line-up of industry experts to lead the numerous sessions, and we're rolling out the red carpet during our hospitality events.
And to top things off, we've extended the $100 registration savings discount to August 14. This means you have two more days to take advantage of the discounted registration fee.
As you know we want you to get the most value possible at our conferences. This is why we want you to take advantage of the DRJ Fall World pre- and post-conference courses. These courses allow you to extend your learning and to make the most of your travel and education budget.
The 1.5-day pre-conference courses are held on Saturday Sept. 6 from 9:00 a.m. to 5:00 p.m. and Sunday Sept. 7 from 8:30 a.m. to 11:30 a.m. These courses require an additional registration fee.
Here's a look at our pre-conference courses:
- Everything You Need To Know To Design A Successful Exercise: in this interactive and dynamic course you’ll learn how to design a successful exercise from the ground up. You’ll leave the workshop with a draft of your next exercise planned and a copy of Regina’s new book. (Presenter: Regina Phelps, CEM, RN, BSN, MPA, president, Emergency Management & Safety Solutions. Cost: $1495 per person.)
- Advanced IT Disaster Recovery And Technology Resiliency Planning And Certification Workshop: with a focus on advanced IT DR planning concepts within the realm of BC and DR planning, this workshop examines the role of technology in facilitating BC and DR planning. You’ll develop strategies to build a strong technology centric DR program and there is the opportunity to gain certification as a “Certified IT Disaster Recovery Planner”. (Presenter: Sudhir Gadepalli, chief mentor and strategy officer of Enterprise Resiliency Services. Cost: $1695 per person.)
- IT/DRP/Certified Business Resilience IT Professional: in this Certified Business Resilience IT Professional (CBRITP) course you’ll learn how to develop, test and maintain an IT disaster recovery plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. You will receive a workbook and a take-home disaster recovery plan template and you can optionally take the CBRITP certification exam. (Presenter: Rick Wellman, senior business continuity and resilience trainer and consultant for Sentryx. Cost: $1695 per person.)
Be sure to visit the DRJ Fall World website to register for our pre-conference courses and to get more details on these top-notch learning opportunities. We're super excited to be presenting our 51st conference and really looking forward to seeing you and meeting you in San Diego.
Originally posted on Rentsys Recovery Services’ blog.
In today’s world, many, if not most, companies are either part of a regulated industry or have been identified as a critical vendor in a customer’s supply chain. These organizations are audited by regulatory bodies such as the Federal Deposit Insurance Corporation and the Office of Civil Rights or by another third-party auditor.
If your company falls into one of these two categories, you’re likely aware that most auditors look to see if your organization has implemented sound risk management and mitigation controls for safeguarding mission-critical data and business processes.
However, as more and more companies and their vendors adopt cloud solutions, you might be wondering what factors auditors consider when evaluating whether or not a cloud solution is compliant.
As a provider of private cloud vaulting and recovery services for regulated industries like finance and healthcare, Rentsys Recovery Services is, in auditors’ eyes, an extension of our customers’ organizations. As such, we’re expected to protect and recover each organization with the same level of scrutiny as the institution or practice’s employees. Because it’s imperative our services are conducted in a safe and sound manner while complying with applicable laws and regulations, we’ve become familiar with the key areas auditors view as potential issues.
Use the guidelines below as a starting point for determining whether or not you or your vendors will pass muster with your auditors.
- How sensitive is the data that will be placed in the cloud (e.g., confidential, critical, public)?
- What controls are in place to ensure it is properly protected?
- Is any data whose disclosure could harm the organization or its customers appropriately encrypted or protected?
- Are there controls in place to ensure the integrity and confidentiality of the data?
- Is the data stored or processed overseas?
- Does the cloud solution have an adequate and tested plan to ensure the continuity of operations as well as its ability to recover and resume operations if an unexpected disruption occurs?
- Does the plan account for the availability of essential communications links?
- Does the cloud solution meet regulatory requirements for safeguarding customer information and other sensitive data?
- What controls does the service provider have to ensure the integrity and confidentiality of the data?
- Have the internal controls been evaluated by another auditor?
When determining the feasibility of cloud for your organization, most auditors will expect you to perform thorough due diligence and a risk assessment. Keep in mind that though security, availability and privacy are key elements of sound risk management and risk mitigation controls for cloud services, you may need to consider other elements specific to your industry. A thorough risk assessment should bring those considerations to light.
Just like the kids who are anxiously looking at the calendar and counting down the number of summer vacation days left - we're also counting. The only difference is that we're excitedly counting the days left until DRJ Fall World 2014.
Our 51st conference is being held in San Diego, CA from Sept. 7 - 10. Yes, very very soon. This means that we want you to be ready and prepared for our industry-leading conference. Make sure you've sent in your registration form and have reserved your hotel room at the Hilton San Diego Bayfront.
Along with the many learning opportunities available to you at DRJ Fall World, don't forget about the networking you'll be able to do. Thanks to the hospitality events, the welcome reception, the exhibit hall and our networking breakfasts/lunches - you'll leave the conference with an updated contact list of peers and experts who can help you out at any time.
Here's a closer look at a few of the sessions available to you at Fall World 2014:
- Are you Insane? It's Time to Think Differently Before Doing Any BIAs!: it's time to take a different look at your BIAs, including the key decisions that need to be made before asking a question, why it matters to fully understand the organizational hierarchy, and the risks associated with taking short-cuts. Discover what the ramifications are for not taking the time to understand the footprint of your organization and what the ultimate goal is of your BIA. (Managerial Session 1 - Intermediate/Advanced. Presenters: Michael Gifford, MBCI, CBCP is a director within enterprise readiness services for U.S. Bancorp and Stacie Herzog, CBCP is a business continuity manager for U.S. Bancorp.)
- From Samba to Waltz: Choreographing Disparate Activities to Create A Holistic, Top-Notch Enterprise Continuity Program: disparate activities within an organization have a tendency to become outmoded and ineffectual. Learn how, by drawing on the available IT resources, leveraging existing tools and creatively using human capital, along with refined data collection and aggregation and well-defined messaging, you can effectively create a resilient firm-wide continuity program. (Managerial Session 2 - Intermediate/Advanced. Presenter: Marc Kantor is the head of business resilience (business continuity and crisis management activities) for Voya Financial.)
To learn more about the sessions, break-out tracks, workshops, and pre/post-conference courses available at DRJ Fall World, download our conference agenda.
Don't forget to mark September 7 - 10 on your calendar! We look forward to seeing you in San Diego.
By Jacque Rupert, Avalution Consulting
Originally posted on Avalution Consulting’s Business Continuity Blog
Nearly all business continuity professionals understand the importance of the business impact analysis (BIA) as the primary means for laying the foundation of a business continuity program. However, many professionals struggle to receive executive buy-in, as well as the necessary resources and support for the process. This article dispels common myths in an attempt to help remove barriers to obtaining support and contributes to the creation of the business case for performing the BIA in any organization.
If you would like to learn more about the purpose and expected outcomes of the BIA, please check out: The Relationship Between the Business Impact Analysis and Risk Assessment.
BIA Myths – Dispelled
In order to build the business case for performing a BIA, we must first dispel the myths associated with the BIA process and its relationship to business continuity planning.
- Business continuity plans can be created without a BIA
Business continuity plans are actionable documents designed to enable organizations to execute their business continuity strategies. Business continuity strategies are developed to meet business requirements during downtime. Business continuity requirements (recovery time and recovery point objectives), quality of output at the recovery time objective, capacity to deliver outputs at the recovery time objective compared to normal operations, and resource needs for the recovery process all must be gathered, analyzed, and agreed to – a process normally referred to as the BIA. In short, realistic and effective business continuity plans cannot – should not – be developed without performing a business impact analysis.
- IT disaster recovery plans can be identified without a BIA
Similarly to business continuity plans, IT disaster recovery plans are technical documents designed to enable organizations to execute IT disaster recovery strategies. IT disaster recovery strategies enable IT to meet business requirements during an IT outage. Without an effective requirements gathering process, IT disaster recovery plans and strategies will not align to business requirements – leaving IT operating in a silo and detached from business objectives.
- BIAs are expensive, time consuming, and require too much effort from the business
When scoped correctly, the BIA actually saves organizations time, effort, and resources. One of the primary outcomes of the BIA is the identification of the resources necessary to deliver the organization’s most important products and services. By focusing on protecting against the loss of key resources, or investing in strategies to enable recovery following the loss of key resources, organizations can ensure that the right resources are protected and the organization invests in the right level of planning.
- Identifying the impact of downtime provides no guidance to the organization
This argument could not be further from the truth; however, it has been made in a few forums following a post regarding the relationship between the BIA and risk assessment, so I will address it. Because organizations cannot “boil the ocean” and spend endless resources to protect every business activity and dependent resource, understanding downtime implications assists the organization in prioritizing risk mitigation activities and business continuity strategies and capabilities. Again, this ensures the right level of preparedness.
- The BIA is a flawed process because questionnaires rarely enable the collection of good data
Many business continuity professionals equate a BIA with a series of questionnaires. Although questionnaires can be an appropriate method to collect discrete BIA data, it is often an insufficient method for gathering the entire gamut of business information necessary to enable business continuity planning. Instead, we recommend using data gathering interviews or a hybrid approach (where interviews and questionnaires are both used) in order to deliver actionable results in a cost-effective manner.
The Real Value Proposition
Having addressed some of the myths and objections associated with performing the BIA, we can focus on the true value that the BIA provides.
- Enable proper spend on business continuity strategies and capabilities
One of the most valuable aspects associated with the BIA is the estimation of impacts tied to downtime. Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts of downtime enables the organization to develop the business case and appropriate justification for the prioritization of business activities and supporting resources (which is often expressed by assigning recovery objectives). If recovery objectives are properly vetted and approved by management, the organization is set up to identify and implement appropriate capabilities needed to meet recovery objectives – resulting in appropriate spend.
- Identification of legal, regulatory, and contractual requirements and obligations
Many organizations do not have a clear, unified understanding of external stakeholder business continuity requirements. In fact, it is very rare to see any entity within an organization that has a grasp of what is required of the organization during a disruptive incident, and what the implications are if the organization cannot meet those obligations. The BIA enables the organization to have a thorough understanding of these requirements and to enable the appropriate level of business continuity planning.
- Confirmation or modification of business continuity program scope
As mentioned, the BIA identifies the business activities and resources necessary to deliver the organization’s most important products and services. By understanding the organization’s dependencies and interdependencies, the BIA process may uncover activities or resources that were not originally in the program’s scope. Also, by understanding the impacts of downtime of those activities and resources, the organization can identify which critical activities need to be performed, regardless of circumstance, which may have an impact on the program’s scope.
- Capture preliminary business continuity plan content
The BIA can be leveraged as a tool to begin the data collection effort for business continuity plans. When performing the BIA, the organization can begin to understand key plan components, such as existing controls and recovery strategies, key teams and staffing requirements, internal and external contact information, and other resource-specific information required for the business continuity plan. Once this information is collected, the organization can begin to populate the business continuity plan and present a starting point to key stakeholders (as opposed to starting with a blank template).
Implications of Not Performing a BIA
When organizations choose not to perform a BIA, a few common performance issues occur which have widespread implications on the effectiveness of the business continuity planning effort as a whole.
- Subjective recovery objectives and confusion regarding recovery priorities
Without a formal BIA process, the organization will lack focus and objectivity in assigning priorities and recovery objectives. Without management-approved recovery objectives, different organizational entities will have different priorities, leading to confusion regarding what capabilities to invest in and prioritize for implementation. For example, IT will lack necessary data and justification for assigning recovery objectives and investing in disaster recovery capabilities.
- Capability gaps and inaccurate program scope
Lack of a top-down program scoping and BIA process leads to misalignment between management’s expectations and program performance. Implementing strategies and plans without approved requirements can lead to under preparing and/or over spending, which could lead to gaps in business continuity capabilities. In addition, without fully understanding the business before implementing strategies, the organization may become aware of risks and gaps as the program matures, leading to steady, ad hoc scope increases – ultimately resulting in inefficiencies and over or under spending in capabilities.
- Lack of justification for investment in preparedness
Many organizations attempt to implement business continuity programs, but cannot connect with management to gain necessary traction for the program. The BIA begins to answer the questions that management is asking – what are our business continuity requirements and how much do we need to invest to get there? Without the BIA, the organization simply cannot thoroughly answer this question.
Save your organization from wasting time, resources, and effort by performing a business impact analysis. If done properly, the BIA will enable the organization to invest in the right level of preparedness – ultimately protecting the delivery of the organization’s most important products and services.
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for assistance with your business impact analysis and risk assessment, we can help! Please contact us today to discuss your unique needs.
Avalution Consulting: Business Continuity Consulting
Our consulting team regularly publishes perspectives (shorter, independent articles) that touch on the trends currently affecting our profession and the strategic issues facing our clients. This is one of our most recent posts, but the full catalog of our perspectives – over 100 published since 2005 – can be accessed via our blog.
Food is a universal language. So is man’s need to survive. Whether in the business world or the kitchen we need a simple recipe for business continuity success. In this four part series I’ll introduce you to the four basic courses necessary when cooking up an appetizing and rewarding business continuity program. Let's get started... Remember the "devil(ed egg) is in the detail".
It's not just that airplanes have been disappearing, or shot down, or that the infectious disease Ebola is out of control in parts of Africa, or that Tel Aviv travel was suspended by major airlines when shelling came too close to the airport. Travel risk has always been an issue for corporations whose employees are spread round the globe. In this morning's New York Times article, Joe Sharkey goes inside a gathering of corporate travel managers to better understand their concerns, including legal and ethical risks, given the last week or so of travel events.
If you're traveling on your own and don't have a corporate travel office to rely upon to filter out threats and make best recommendations, then your best bet is to go to the Department of State's website and read through the threat analysis they perform on countries you might visit.
If you're just learning to travel, then the "On The Road" chapter of Advice From A Risk Detective will be of use.
No one wants you to stop traveling. But we do want you to make safe choices at a time when many parts of the world are less stable than usual.
Some conferences are known for the learning component. Others have a reputation as being great for networking. What sets DRJ Fall World (and Spring World) apart from these conferences, is that our conferences are widely recognized for both the learning and networking aspects.
We've designed our conference schedule to ensure that you can maximize your learning opportunities with sessions run by leaders in the industry who are recognized for their knowledge and their ability to teach and share information. To extend this learning and to foster strong networking we've arranged for ample opportunities for you to meet with industry experts, your peers and industry service providers to discuss issues/trends/themes within business continuity and disaster recovery.
So when you're looking at the Fall World conference agenda, remember that your learning opportunities extend beyond the conference room to casual meet-ups, the hospitality events, the exhibit hall and other networking opportunities.
Our goal is for you to leave DRJ Fall World with a packed contact list, lots of new information to consider and apply to your organization and a zest for continuing your BC/DR education.
Here's a quick look at some of the networking and hospitality events we have arranged for you:
- Welcome Reception: This is the first event held in the exhibit hall on Sunday evening. Relax in this fun environment while exploring the hall, meeting other attendees and enjoying drinks and snacks. (Sunday Sept. 7 5:00-7:00 pm)
- Monday Night Hospitality: This fun evening is held on-site and features fun, food and entertainment. This is an excellent way to end the first full day of the conference and to make some lasting networking contacts. Sponsored by Send Word Now. (Monday Sept. 8 6:30-8:30 pm)
- Networking Meals: All attendees of Fall World 2014 enjoy six full meals during the conference at no additional cost. Our networking tables make it easy to interact with peers in your field or related industries.
Our packed Exhibit Hall is open during the three days of our industry-leading conference. You'll be able to meet and discuss with leading innovators and service providers and attend product demos.
And don’t forget Fall World 2014 is being held at the outstanding Hilton San Diego Bayfront hotel and conference center. You’ll have a chance to mingle with conference attendees before and after sessions and even connect for an evening exploring the surrounding area.
The countdown to registration savings is on! Register before August 7 to save $100 on your registration fee and to be entered in a draw to win a Kindle Fire HD. We want to see you in San Diego from September 7 - 10 and have done our best to ensure you can get discounts on hotel room rates, savings on airfare and discounted car rentals.
If you're looking for the best way to extend and maximize your education budget - DRJ Fall World is your answer.
We don't really want to keep pointing out the date... but, July is almost over and August will be here very soon. To be more specific, August 7 will be here soon and if you want to save $100 on your DRJ Fall World registration, you need to register before August 7.
For those of you who have already registered and those of you who do register before August 7, your names will be entered in a draw to win a Kindle Fire HD. That's right, not only do you save on your conference registration and get first choice at the sessions, but you also get the chance to win a prize!
Along with the registration discount for our 51st conference, we've also arranged for special savings on your hotel room at the Hilton San Diego Bayfront and discounts on car rentals and airfare.
There is a block of rooms set aside for DRJ Fall World attendees, so make sure you book soon to secure this low rate - once the block of rooms is booked, the special discount rate is gone.
And now here is a look at some of the Solution Track sessions being offered on Sunday, September 7 from 4:00 - 5:00:
- Solutions Track 2: Five Disaster Recovery Flaws Your Last DR Test Missed: How confident are you in your company’s ability to recover in an emergency? Are you convinced that your data center is resilient? Doron Pinhas, the chief technology officer at Continuity Software, will teach you about the top five critical recovery flaws that your latest DR test likely missed. Learn how these impact your business and how to make sure that you never make the same mistakes again.
- Solutions Track 5: How Many Nines? Understanding RPO And RTO Metrics For BC/DR: It is important that you understand the true differences between a 99 per cent and 99.999 per cent recovery point objective (RPO). This difference can add up to a lot of downtime and lost data. Learn about the differences between recovery time objectives (RTOs) and RPOs, determine how to apply them to server workloads, and learn guidelines for selecting the right DR technologies for the right workloads. Mike Robinson is a senior product marketing manager at NetIQ Corporation.
- Solutions Track 7: Millions Of Threats? Three Situations! Let’s Plan: What really is the best way to approach BC/DR planning? Is it time to look past the traditional thinking of best practices and consider the “actual” best practices instead? In this session with Skip Williams, BCI’s 2014 North American Business Continuity Consultant of the Year, you’ll learn about a controversial new option for easing your BC/DR planning - plan for three defined situations instead of endless “potential” threats.
We look forward to seeing you in San Diego from September 7 - 10! If you're looking for a bit more help in convincing your manager of the value of attending DRJ Fall World, we suggest you download our Justification Kit. Use this document to help demonstrate how valuable attending the top industry conference is to your organization.
We and our sponsors recognize that not everyone can manage the costs associated with attending our conference. This year we're very pleased that thanks to some very generous sponsors, we're able to offer the DRJ Scholarship Program. To find out more about the DRJ Scholarship Program, email email@example.com.
It might only be July, but you know how the summer is - the days seem to pass by very quickly and before you know it - it's September. This is why now is the time to download the DRJ Fall World Agenda and to take advantage of our registration savings.
Our 51st conference will be held from September 7 - 10 at the Hilton San Diego Bayfront. We received such excellent feedback on this new venue that we've decided to return for a second year. This stunning hotel and conference center has all the amenities you need for a successful learning and networking experience at DRJ Fall World. Along with outstanding rooms, you'll discover the nearby restaurants, the salt water pool, and the perks of being close to the San Diego Embarcadero. We have arranged for a special room rate for conference attendees, so we recommend you book your room sooner than later to take advantage of this special pricing.
With a central theme of Building Your Program Using Best Practices, we have put together an agenda that offers you a range of learning opportunities that allow you to gain insight from the industry's top experts. Choose from workshops, general sessions, and break-out tracks that all focus on the latest trends, techniques and views on business continuity and disaster recovery.
Download the agenda today to determine how you'll spend your time at Fall World. To help you gain some insight into the learning and networking opportunities offered at our conference, here's a quick look at three of your options:
- Solutions Track 1: Operational Resiliency For A Virtualized Environment: Many organizations have a pressing and urgent need to reduce risk and accelerate the process towards operational resiliency. This can be a very challenging process. Learn how to protect and recover your data and applications. Gain insights and advice on how to reduce hardware costs, recovery complexity and streamline IT operations. Peter R. Laz, MBCP, MBCI, is a managing consultant in Forsythe’s Business Continuity and Disaster Recovery practice. (Sunday 4:00 - 5:00)
- General Session 2: Achieving World Class Critical Communications: based on real world examples, this session will provide you with unique insights into the role communications plays in business continuity, along with the capabilities and emerging trends of emergency notification technology. Tony Schmitz, president and CEO of Send Word Now, is leading this session and will draw on his years of experience to demonstrate why communication is the backbone of business resiliency. (Monday 9:30 - 10:30 a.m.)
- General Session 7: Robots Are (Not) People, Too: there is a lot of exciting robotics technology emerging that is designed to aid in disaster relief while helping to spare emergency and recovery personnel from potential harm. With this advance in technology come many questions about the impacts of robotics and how to safely use this technology. Learn about the proactive steps for recovery-workforce and individual resilience from Robert C. Chandler, Ph.D, a professor of communications and director of the Nicholson School of Communications at the University of Central Florida. (Wednesday 8:15 - 9:15 a.m.)
Visit the DRJ Fall World website to learn all about our conference and to register online. Don't forget that if you register before August 7 you're automatically entered in a draw to win a Kindle Fire HD!