DRJ Blogs

Recent blog posts

The 1980s Tylenol poisoning murders spurred panic, widespread fear, and perhaps the best-ever corporate response to a major public relations crisis. James E. Burke, then CEO of Tylenol-maker Johnson & Johnson, died on September 28 at the age of 87. He will be best known for his strong, decisive leadership and what has widely been recognized as a model of exceptional corporate crisis management. Fortune magazine named him one of history’s 10 greatest CEOs.

There are 5 truths we can learn from Mr. Burke’s handling of the poisoning disaster—lessons in the right way to handle a public relations nightmare.


A lesson we can take away from the recent severe weather and fires across the country is that disasters can happen anytime, anywhere. No one can control where or when emergencies may happen but we can take steps in advance to prepare. Today, I am excited to announce a step towards better preparing local communities before disaster strikes – the 2012 Community Resilience Innovation Challenge.

This new opportunity is designed to assist local areas in building and revitalizing community-based partnerships through innovative initiatives and programs designed to advance the nation’s resilience to disasters. Funding levels range with a maximum of $35,000 and applications are open to all local, state, and tribal agencies and governments, business entities, associations, organizations and groups.

The Challenge program is supported by the Rockefeller Foundation and FEMA and will be administered by the Los Angeles Emergency Preparedness Foundation to encourage local communities to engage in creative activities that enhance disaster resilience. FEMA’s goal through the Community Resilience Innovation Challenge program is to emphasize the importance of planning and engaging the whole community, across all social sectors, to effectively respond to disasters.


Life as a BCM practitioner in any organisation can sometimes feel like you have been sentenced to solitary confinement. Often working in isolation and surrounded by your ‘adversaries’, it can be a lonely role as you struggle to embed BCM into your organisation and to win over some of your strongest critics. Coupled with the need to be a ‘jack of all trades’ that requires you to be knowledgeable, persuasive, inspirational, and highly-organised as well as a skilled facilitator, being a BCM practitioner can be a really tough job.

Just when you feel your energy levels dwindling and see your enthusiasm ebbing into the distance, along comes the BCM World Conference and Exhibition – the one that reaches the parts other conferences cannot reach, filling you with renewed energy and rekindling your passion for the discipline that is the love of your life.

The BCM World Conference reunites you with your allies, puts you alongside the ‘already convinced’ and ‘converted’ and offers you temporary release from your ivory towers, allowing you to dip into the cool pool of BCM and immerse yourself in a world where you feel safe and understood.



In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted to help address concerns regarding health care data security and privacy.  As part of the administrative safeguards of this act, health care facilities are responsible for backing up their data and having a disaster recovery plan in place for responding to emergencies. 

In general, health care facilities are responsible for maintaining the availability, integrity, and confidentiality of their patients’ Protected Health Information (PHI).  If a patient arrives in the Emergency Room in the middle of the night, the physician needs to be able to access the patient’s electronic health records quickly so that they can address their needs effectively. 

Therefore, data backups are imperative and a disaster recovery plan is essential to ensure that Protected Health Information can be recovered and restored in a reasonable amount of time if an unexpected event occurs.  The health care facility’s disaster recovery plan should outline data priority and failure analysis, testing activities, and change control procedures. 

Tagged in: HIPAA Data Security

After every conference I undoubtedly get a variation of the same question, "How was the show? How was the attendance?" And every year I give the same response... "Show was great. Wish the attendance was a bit higher." I think we all know that BCP and DR are some of the first casualties of budget cuts. Well, conference privileges get cut before BCP and DR. As we go into budget season for most organizations I suggest you fight a bit harder to attend local and national conferences. Sure we all benefit from the content and keeping up with the latest technology but one of the most undervalued benefits of attending conferences is the networking that just happens. Networking doesn't just happen in the sessions or at the vendor exhibits. It can certainly also happen at the bar, or at the gym, or while checking out the local surroundings. This networking is very hard to report back on, but I believe in this virtual world we live in now that one handshake at a conference can create an everlasting relationship... For the record this blog is purely the opinion of Fairchild Consulting and the Arnolds had nothing to do with influencing this blog ;o)


It is extremely important for businesses to have a Disaster Recovery (DR) plan in place for situations where downtime or data loss may affect the business’ ability to continue operating smoothly and effectively.  To protect your data, it is essential that you know what you’ve got, understand what’s at risk, and then create a Disaster Recovery plan to keep risk at a minimum.

Disaster Recovery ties directly into business continuity because with so many businesses relying on their websites and/or the Internet in general, the loss of data could greatly affect their revenue.  The reality is that if your information system is taken down due to a flood, malware, hack attack, etc., you have both a business continuity and disaster recovery issue on your hands.

When putting together a Disaster Recovery plan, there are several key factors that will need to be considered so that the plan is as effective as possible.  Take the following factors into consideration when creating a DR plan for your business:



I was first given responsibility for disaster recovery planning in 1985 while working at, what was then known as, Bank of Virginia in Richmond, VA. We were a UNISYS shop and had a mainframe recovery subscription with a company whose name I no longer remember that had a UNISYS recovery facility in Warminster, PA. I have been working in the fields of disaster recovery, business continuity, emergency response and crisis management, in a corporate management or consulting capacity ever since. You do the math to determine how many years’ experience that equates to – I am not sure I want to!

But, even after all those years, I am still learning new things, new techniques, better solutions, better methodologies, etc., each and every day. And, through conferences such as the just completed 2012 DRJ Fall World, I accelerate that learning process and I meet more and more people that help me grow and learn along the way.

Way back in 1985, I started attending industry conferences, user groups and professional training seminars. Throughout the years, I have attended numerous DRJ conferences – first as a practitioner; then, after gaining experience and confidence, as a presenter; and then, after being employed by DR and BCP services organizations, as a vendor. This year, although I am back in the consulting industry with a new company – I attended the conference once again in a practitioner capacity – and had a wonderful experience.

Tagged in: DRJ Conference

By Brian Zawada & Jacque Rupert, Avalution Consulting
Article originally posted on Avalution Consulting’s Blog

The introduction of ISO 22301 (Societal security – Requirements – Business continuity management system) more closely aligns business continuity to the broader risk management discipline. A major contributor to this alignment is the standard’s requirement to understand the organization’s “risk appetite” (a term not used in BS 25999). 

ISO 22301’s definition of risk appetite (Section 3.49) is the “amount and type of risk that an organization is willing to pursue or retain”. The standard makes reference to risk appetite in two sections:


I wish I could tell you that my summer was spent vacationing in some exotic location without internet access; or I was deep in remote third world countries performing humanitarian work for international charities; or that I won the lottery and was out spending my new found fortunes - but, I can’t.  Instead, being a consultant who has to work when the work is available, I spent my summer busy with delivering client projects.

For me, that is a hopeful sign.  This bears hope of a sign that the economy is picking up and companies are now able to support projects, such as business continuity planning, that are often deemed deferrable during down-times.  This bears hope that budgets are starting to allow for monies to invest in consulting assistance for projects, such as disaster recovery planning, where the in-house expertise is lacking.  And, this bears hope that companies are starting to put more emphasis on and giving more attention to business continuity planning and related topics.

But, the end of summer vacations, the start of school, football season kicking off in the United States are all signs of the calendar changing to Fall.  And, in our profession, that means DRJ Fall World.  I am happy to report that I am typing up this blog page from my hotel room at the San Diego Sheraton Hotel and Resort at DRJ Fall World 2012.  It is Monday afternoon and we are off to a tremendous start.



Disaster recovery is constantly being influenced by trends in the IT industry.  These trends are forcing businesses to reevaluate how they plan, test, and execute their disaster recovery plans.  The following are a few IT trends and how they are affecting the disaster recovery strategies for businesses in every industry.

Tagged in: Disaster Recovery


cPanel is a Linux control panel used by many web hosting companies because not only is it one of the most intuitive control panels available, but also it is relatively cheap to use.  cPanel allows you to control and manage every aspect of your website and is compatible with Linux applications like Fedora, Mandriva, CentOS, and Red Hat Enterprise Linux.  In addition, there is a plethora of plug-ins available online for this leading control panel.

The demand for cPanel on cloud computing platforms is very high due to the high amount of stability, security options, ease of deployment, speed, and wide array of features it offers.  From adding sub-domains and email accounts to installing scripts and checking bandwidth, the control and flexibility provided by cPanel is unsurpassed.

Tagged in: Data Backups

In 2010 following the earthquake devastation in Haiti, I became concerned about the use of tarps and similar temporary shelter materials because of the strong possibility of a hurricane later that same year. Haitians were spared any serious hurricanes in 2010 and 2011, but in 2012, they were seriously impacted by Hurricane Isaac.

What I proposed in 2010 was to use ConEx containers for temporary shelter, feeling that they were in abundance and more durable than tarps.  I shared my thoughts at DRJ in Orlando with Hector Fulgencio and Cole Emerson.  Hector was familiar with ConEx containers from his work in the shipping industry. Cole has vast experience in disaster response.  The consensus among us was that there was indeed a surplus of containers in the U.S. and the military could offload them and place them using heavy lift helicopters. This would not necessitate using the ports in Haiti which had been seriously damaged. Since ConEx containers are transported via the sea, there would also be no need for the damaged and overcrowded airport.

ConEx containers have been used successfully for shelter both by the military and by the private sector. If properly ventilated and secured to the ground, they are far more resilient than a temporary shelter made from a tarp.

Tagged in: Haiti Quake.

The goal of Measured programs is to develop a resiliency program that is efficiently sized to mitigate risk while monitoring critical data elements to manage risk as the business demands. Measured programs are developed and maintained by utilizing three steps.  The first step takes into account an organization’s current state of readiness and resources available to them. The second step reviews industry best practices and determines application to your organization.  The third approach requires the implementation of program monitoring and dashboarding to provide data intelligence for senior leadership to identify a change in the risk profile and its potential impact to the organization.  This data will drive actionable items to treat, transfer, terminate, or tolerate the risks at hand.


At a conference I recently attended there was a lot of conversation around PS-Prep which bled into the discussion of “Why get certified” or, the more generic question of, “Why perform business continuity planning?” An oft repeated answer to this question, echoed by business continuity planners around the world is, “Because without a plan you will not survive as a company.”

I think this is a disingenuous answer without any history to support it. Where exactly is the evidence of this fact? What historical data can you share with me, or the CEO you are trying to convince, that this is the case? I am confident that you can dig up cases of small companies that did not survive a disaster, but where is that story about the big guy who did not survive the disaster?

The one and only case study I can think of off the top of my head is Enron, but that was a disaster of a different kind.



Since 2002, my S-Corporation carried "Errors and Omissions" or Professional Insurance coverage. As an independent BCP/DR consultant, are you adequately insured? In 2008, my insurance carrier expanded coverage (known as the Bell endorsement) to include insurance for several crisis and emergency conditions that might create a business loss and hence a claim. The items covered may be of interest to you. They were not available in all states.


As an independent BCP/DR consultant, do you have the following coverage?



According to a Wall Street Journal article (see Penn State Warned On Accreditation at http://online.wsj.com/article/SB10000872396390444318104577589174048808462.html?mod=ITP_pageone_1 ), "Pennsylvania State University's accreditation is "in jeopardy," one of the nation's primary accrediting groups warned the school, in the latest fallout from the Jerry Sandusky child-sex-abuse scandal. "

The Middle States Commission on Higher Education, the WSJ reported, "said there was 'insufficient evidence' that Penn State was complying with standards related to governance and integrity, as well as meeting financial obligations. "

Should a risk management practitioner have seen this coming? Or is the threat just another "black swan" that no one could have anticipated?




California is assessing homeowners who live in vulnerable, fire-prone areas a fee to cover the cost of fire protection services, including very expensive suppression of wild fires.  It’s about time someone acted to place the cost of protecting vulnerable properties on those who own them.




In a business world that is embracing the cloud more and more every day, it is interesting to see that, while the cloud benefits companies in several ways, these companies seldom demonstrate their advantage from the cloud in terms of ROI (return on investment).  This may be because many of the benefits from cloud computing are intangible and may not be fully realized until further down the road.  

Therefore, to calculate returns from cloud computing, a business will most likely not employ the standard ROI calculations.  Instead, the company may use one of the following ways to determine ROI from cloud computing:

  1. Rate of adaption in the market:  With the flexibility that the cloud offers in terms of quick transitioning of capabilities, businesses can adapt to ever-changing market trends and therefore improve standing against competitors in the industry.  Consequently, increased revenue may be realized due to their ability to grab market share at an improved pace.
  2. Utilization and control of resources: The scalability of cloud computing allows businesses to avoid under or over utilizing resources, which in turn ensures effective capacity utilization and the avoidance of waste.
  3. Cost of ownership:  With little to no barriers to entry and the low skill level needed to configure and use cloud infrastructure, businesses can save the money that would otherwise be used for staff training, installation, and maintenance of the infrastructure.
  4. Growth potential:  As a business in today’s world, it is important to have room for growth.  Traditionally, if a business demanded additional resources (in terms of infrastructure and IT personnel), it may have taken weeks to acquire the infrastructure and to train/transition the staff.  However, with cloud computing, resources can be scaled almost instantaneously to accommodate the growing demands of the business.

Depending on the specific needs of your business, you may calculate ROI in any one of these ways, or another.  As you can see, it may be hard to quantify the returns on cloud computing, even if the benefits are quite substantial. 

Tagged in: Cloud Computing

Today’s small business owners face daily challenges in running their businesses, and one of the more difficult challenges is managing business continuity and disaster recovery planning; however, the primary focus for most business owners is on their core business competencies, not on becoming resiliency experts.

Because investments in business continuity and disaster recovery planning directly impact the bottom line, there is a constant need to achieve real business benefits and mitigate costs against a backdrop of time pressures and limited business continuity skills. To add to this pressure, many small businesses are now looking toward cloud services, and what they may offer. However, this can add even more complexity and apprehension in adopting business continuity and disaster recovery planning methods.

What other challenges do you face when convincing small business owners to adopt business continuity and disaster recovery practices?


By Glen Bricker, Managing Consultant, Avalution Consulting
Article originally posted on Avalution Consulting’s Blog

The goal of any recovery plan, regardless of the size or nature of the organization, is to protect life, minimize damage from an event, and quickly resume the delivery of critical products and services to meet customer requirements.  How this is accomplished, however, not only depends on the nature of the organization, but also its customers, size and resources, and culture.  The objective is to build plans that are based on realistic requirements, fit within the organization’s culture, and remain cost effective and appropriate.  The remainder of this article will discuss these characteristics and how they are incorporated into recovery plans.

The key to a great recovery plan is building what is appropriate. For example, it would be inappropriate to implement five levels of command structure and multiple plans in a thirty person company, or expect a single team in a multi-site, global organization to do everything.  In a large organization recovery plans are typically broken down into multiple plans that are owned and maintained by specific departments – emergency response will be owned by a Facilities or Security group, crisis communications will be owned by Corporate Communications or Public Affairs, and operational recovery plans will be owned by the business units.  All of these elements will be controlled and directed by a central Crisis Management Team and Plan.  In a smaller organization a single plan could suffice for most of these activities with limited addenda for specific critical functions.