DRJ Blogs

Recent blog posts

Originally posted on Rentsys Recovery Services' blog.

Outsourced IT is nothing new, but as Verizon Wireless’s recent report "Better Outcomes for IT Outsourcing" points out, digital transformation is changing the face of outsourcing. Customers want flexible service delivery models, ways to improve inefficient processes and spending models based on opex versus capex.

But with the rise of cybersecurity issues, tightly wound supply chains and customer expectations for always-on service, you need to make sure that any vendor with access to your data and systems is fully vetted. Before you involve any third party in your IT processes, make sure you know the answers to these questions:


Walk into almost any office, ask if they’ve got a response and recovery plan, and they’ll often point to a dusty shelf and tell you that yes they do. Next, ask them when their response and recovery plan was last updated. Chances are they won’t be able to reply with the same amount of certainty.

Despite businesses being aware that there are an increasing number of threats to their valuable data, often their response and recovery plans are outdated and don’t reflect technological change.

In this year’s Business Continuity Institute Horizon Scan survey, it was noted that cyber-attacks are now the top threat facing businesses, with 82 per cent of survey participants expressing their concern about them. With the repercussions of a cyber-attack being as significant as they are, it’s more important than ever that your disaster response and recovery plan is reassessed and updated on a regular basis.


In creating business continuity plans, every organization completes a series of risk assessment exercises. Without this general risk assessment, it would be impossible to prioritize what BCM plans are needed. Which disruptive events are most likely to impact your business? Your employees? Your clients? Your suppliers? Research suggests the top 10 risks tackled by business continuity teams include:

  1. Severe Weather
  2. IT Issues (outages, breach, virus…)
  3. Power Outages
  4. Natural disaster (flood, earthquake)
  5. Physical Violence
  6. Fire
  7. Epidemic
  8. Product delivery/quality
  9. Scandal/reputation
  10. Theft

Clearly some sub-set of these event types should be addressed in any business continuity planning effort. Today’s goal, however, is not to discuss this high level risk assessment process, but rather, to review best practices for evaluating a specific threat as it arises to determine if it merits activation of BCM teams and plans.

Monitoring Early Warning Signs

Effective event-specific risk assessment requires having some early warning detection in place. To best manage unplanned incidents, it helps to have visibility into the potential disruptions before they occur. Obviously, certain types of disruptive events are more easily monitored than others. Weather, for example, can be monitored closely via the National Weather Service, Accuweather and other sources. Most major storms are predicted in advance, enabling close monitoring by BCM teams. Similarly, floods and fire warnings are often weather-related and threat levels can be monitored closely.



I like to tell the story about a client who could not understand why I would honor a commitment to teach rather than give the firm more hours in order to make more money. "Why would you want to do that?" he asked. I answered that I could reach more people interested in what I had to say and at the same time influence the next generation of risk leaders.


I continue to write books and articles and accept public speaking engagements for similar reasons. Translating concepts and ideas into action is as relevant in the corporate world as it is in the classroom, where theories and frameworks from textbooks are blended with examples of risk from the real world. The examples of financial loss from poor risk management are plentiful. And since the field of risk management is so new, frameworks and standards continue to evolve. Staying right on the cutting edge of thought and practice is a priority.



Speedy! What do you consider when you hear the word 'disaster'? A great many people think about a tremor, a storm, or even some national cataclysm. As these sorts of disasters are to some degree phenomenal, they do happen. In any case, with the end goal of this article, "disaster" has a much more extensive significance and subsequently is significantly more normal of an event. For the rest of this post, a disaster is any occasion that causes both of the accompanying: 

  • The demolition of all online operational copies of an association's information and/or applications. "Online operational copies" incorporate both the creation copies and any prepared to-run reinforcement copies that can be put in the generation part promptly and, ideally, consistently 
  • The loss of access to all online operational copies of the association's information and/or applications for a sufficiently long stretch, such that a recovery operation will be quicker and more practical than sitting tight for the online operational copies to return on the web. 

In the case of a characteristic disaster or national cataclysm, the association's first target is to guarantee the insurance and well being of the individuals in hurt's way; once this goal is accomplished, or if the individuals have not been set at further hazard by the circumstance, the most astounding need undertaking of the IT office is to get the business-discriminating frameworks running again as fast as could be expected under the circumstances. Any disappointments to resume operations can and will aggravate the impacts of the disaster and debilitate the survival of the said association. Basically expressed: disaster recovery is particularly essential!

I recall route back when if a customer required a specific recording from our outsider check office we didn't have the one they were searching for! We had each other one they required for that day, however there was that one a couple of times that we essentially couldn't discover for reasons unknown. Murphy's Law strikes constantly. Be prepared for it, arrange ahead, and take after these snappy recovery tips:

  • Maintain off-site information reinforcements: keeping in mind the end goal to minimize recovery times in circumstances where the physical resources of the essential focus are still operational, reinforcement information documents must be accessible on mainly put away tapes; a far reaching tape chronicle is vital. Keeping up a forward library of information on tapes is justified regardless of any expense to your organization.
  • Inventory all IT resources: keeping in mind the end goal to rapidly and effectively recuperate anything, you should first comprehend what needs to be recouped. On the off chance that you at present don't have a stock of both substantial and elusive resources, make one now. Well, don't quit perusing this, however you get the thought. You require a point by point stock of equipment, programming, information, and so on that needs to be recuperated and show them regarding need so your group is not left pondering where to start the methodology.
  • Never leave remain solitary information from the management: business-discriminating information and docs are progressively being put away onto tablets and desktop PC drives; your information recovery management ought to fuse subtle elements on how this particular information will be moved down and recouped first. Remember that a tablet or desktop PC can likewise be lost in the same disaster; make a point to keep their information put away offsite also.
  • Formally report the management. A disaster recovery arrange for that exists just in somebody's mind is no management by any means. While we'd rather not consider the possibility of genuine harm or passing, it's conceivable that some key representatives won't be accessible after the disaster. They may be out of town and generally inaccessible amid a recovery operation. In the event that the recovery management exists just in those individuals' heads, the remaining staff won't have the capacity to execute it. Despite the fact that it might be conceivable to mechanize the start of some recovery methods and utilize the framework to authorize the fulfillment of agendas, it's vital to keep printed version printed copies of the recovery arrange in different secure areas, including at the recovery site. A management for restarting the association's frameworks that is bolted inside an application that is occupied will be pointless when the time comes to launch the recovery operations.
  • Test your management: I used to be an IT enrollment specialist and large portions of the hopefuls I met with had incredible 'book smarts' regardless needed in certifiable circumstances. Indeed, the same remains constant with your surroundings: discussing what may happen and what really happens are two unique creatures. In any complex framework or procedure, what meets expectations in principle regularly fizzles by and by. Opportune testing not just guarantees that the recovery management is suitable, additionally goes about as a vital preparing toll for your staff, both IT and non-IT. Careful discipline brings about promising results has never been more genuine of an announcement.
  • Do not disregard security: commonly, keeping in mind the end goal to get up and running rapidly, numerous IT offices will spurn their ordinary security conventions: as a rule, this is a terrible thought. Sooner or later and time, your association created security managements and strategies and bypassing them now, may build the starting dangers. Likewise, please store all passwords and other touchy data offsite; they will render themselves futile on the off chance that they are at a site that is unavailable.
  • Ask for help: when making a DR management, guarantee that you counsel with other people who have encountered the same (or near to) the same circumstance and that you take point by point notes when talking with them. The individuals who have been through this catastrophe can offer all the more continuous experience and conceivable managements that both worked and fizzled for them; their experience can turn into your 'experience'.
  • Last considerations: as experienced and fight tried as your IT group may be, you ought to dependably search out an outside hotspot for shooting gaps into your management; this may be a stun to your inner self, however would you rather have a pariah show your imperfections before the disaster brings you down or have them demonstrate to you industry standards to flawless your answer? Your call, boss!

For more information about business continuity management and planning, visit: www.bcmconsultingservices.com


Imagine being U.S. Secret Service Director Joseph Clancy. It’s only been a little over a month since he was appointed permanently to the top position at the Secret Service on February 18, and he’s facing yet another scandal the likes of which caused his predecessor, Julia Pierson, to resign under pressure last fall.

When news agencies blast headlines such as CNN’s “Gate-crashing agents make 4 Secret Service scandals in 3 years,” you know you have a reputation management crisis that requires immediate attention.

Lawmakers Scrutinize the Secret Service Following Recent Blunders

In our 24/7 news and social media cycle, the top Secret Service gaffes that received the most media coverage and congressional scrutiny included:


It’s a fact: business continuity management (BCM) programs that consistently perform well-orchestrated drills get better results when dealing with real crisis situations.

Practice Makes Perfect

Running practice drills is a key role for any business continuity program leader.  Drafting BCM plans and making sure they work effectively in a true emergency are two wildly different things. Planned testing is critical from a number of standpoints:


Originally posted on Rentsys Recovery Services' blog.

One of the key benefits of cloud services is that they enable faster and more cost-effective disaster recovery (DR). So once you've selected a cloud vaulting service and your data is tucked safely into the cloud, you can check DR off your to-do list, right? Not necessarily. 

While cloud vaulting solutions can lend themselves to a DR strategy, simply sending your data to the cloud isn't enough. There are a few components you need to look for to ensure your cloud solution has what it takes to meet your DR goals.


Organizations both large and small need to have business continuity planning in place to manage unexpected business disruptions.  Whether these events are triggered by severe weather, civil unrest, product failure or any of a myriad of other factors, the time to figure out how to manage an incident is not when that incident occurs.

Getting Started – The Right Leadership Model

Typically a Business Continuity Manager is identified to lead the planning and preparedness process, and one of that person’s first responsibilities is to assemble the right team and governance structure. For Business Continuity Management (BCM) to be effective, it is essential that the effort receives organization-wide visibility and senior management support. Studies have shown that BCM programs with an executive sponsor and senior management advisory boards or steering committees in place are significantly more successful at meeting their recovery time objectives than those with less senior management support. Executive leadership is required to:


Challenge: Developing a high-performance business continuity program is hard work and requires significant resource commitments and upper-management support. Respondents to the MissionMode Readiness Survey report varying levels of readiness with under 40% claiming to have business continuity management (BCM) plans in place across a wide number of potentially disruptive event types:

38% – Comprehensive BCM plans developed and trained across a wide variety of event types

37% – Plans developed and trained across a limited number of event types



Are they the same? Seems the BCP/DR industry has some mixed messages about the difference, if any, between these two terms. Taking the definition of Recovery Time Objective from BCM Institute, it states RTO is the: "Time goal for the restoration and recovery of functions or resources based on the acceptable down time in case of a disruption of operations" while it documented the Maximum Allowable Downtime (MAD) as "the absolute maximum time that the system can be unavailable without direct or indirect ramifications to the organization."

They obviously appear related; but are they different, or really identifying the same thing: simply, how long before the impact is too great?

If my MAD is 6 hours (the maximum my system can be down is 6 hours), isn't my RTO also 6 hours (the objective to have the system recovered or the impact is too great)?


Last week, students in my risk seminar heard from UW seismologist Bill Steele, in particular about the Cascadia subduction zone we live in, including what advance planning and management of risks associated with a major earthquake can be done in advance.

This week, students will hear from Erika Lund, who oversees the City of Seattle's Disaster Recovery Plan, which is an entirely different framework from which to view a disaster.  Among the questions asked of  the Executive Advisory Group, to which Mayor Ed Murray appointed me, were:  how will the Seattle community handle short and long term recovery efforts?  How can we return our economy, education system, social service network, and other vital aspects of our community to full function?  How can we use a disaster as an opportunity to rebuild our community better than it was before? Who is responsible for making such decisions and with whose input? How and when will they be made?

Erika will describe the planning process today and talk as well about the identification of the core values that are a part of the plan.

Someone asked me yesterday if I don't find the world a very depressing place.  I answered that I do not, in part because of inspired work like this, and the people who give their time to do it.



This week Charlie suggests some actions organisations may take to prepare for severe weather.


With the severe snow and blizzards in the United States last week and also snow in Scotland, I thought I might put together some thoughts on the actions you could take in advance to plan for a heavy snow fall. As we are not yet out of the winter you may need to plan for snow.


Originally posted on Rentsys Recovery Services' blog.

XaaS cloud solutions are infiltrating the tech world: infrastructure-as-a-service, software-as-a-service, platform-as-a-service, desktop-as-a-service (DaaS) and so on. Of these, DaaS probably spends less time in the spotlight than its counterparts, but it's nevertheless gaining in popularity.

Last year, according to 451 Research, the market for virtual desktop infrastructure (VDI), which is the foundation for DaaS, grew 30 percent in the span of a year. It's expected to repeat that growth pattern through 2017. 


This week Charlie discusses the recent terror attacks in France and what they mean to business continuity managers.


The terrorist attacks in France last week remind us, if we need a reminder, of the dangers and impact of a terrorist attack. The attack on Charlie Hebdo and a Jewish supermarket were quite shocking and the large demonstrations in response to the attacks show the determination of the French, and other world leaders, that they will stand up to terrorists and the principle of freedom of speech.



To all members who work at multi-national companies:

Is there a website that multi-national members use to monitor natural disasters worldwide?

We inform Sr. Management when there are disasters (Hurricane, Cyclone, Tornado, Earthquake, Flood, etc.) that could impact any of our facilities.



It won’t be long until we publish Reflections on Risk III.  Toward that end, we would like to invite any of our readers to submit a proposed research note for consideration, especially if such a note provides an alternative view of the topic or specific recommendations for managing the issues involved.  With readers in ten countries other than the United States, we particularly encourage submissions from Europe, the Americas, the Mideast, Africa and Asia.  With research notes, our aim is to move past conventional or historical explanations toward proposed solutions, guidelines, policies or regulation that reduces the amount of human or financial loss.  Without multiple perspectives on what are often muddy issues, it is difficult to see how we are headed for anything other than greater world disorder, higher levels of cultural gridlock, religious extremism, and the increased possibility of cyber-wars among nation states.  Please take a look at guidelines for submission here.

 We are not half way through the first month of the New Year, yet older operational risks have presented themselves across various critical infrastructure sectors in the form of human and financial loss from terrorism, cyber skirmishes, mishandled vendors, unexplained airplane crashes, and failed internal controls.  Of all the loss events, the Most Creative Explanation to the Regulators Award must go to Honda,  a company that undercounted certain claims, and then explained that “its own internal investigation found that it misinterpreted what issues should be counted.” (USA Today, Jan. 8, 2015)  The fines imposed by regulators on the transportation and banking sector sound large when described, but are easily expensed and there is no sign that behavioral change is on the way.


People ask: “What is the best experience a business-continuity analyst can bring to the table?” Well, one of the biggest things about business continuity is that it revolves around understanding the business process—knowing how an organization works. You can’t determine how best to recover an organization until you first understand how that organization normally operates.

When you’re looking at skill sets in this vein, the role of the business analyst is really an excellent starting point for the aspiring business-continuity analyst. So now we’re looking at exactly what a business continuity analyst does. A business continuity analyst will possess a variety of different skill sets—and they will all fit into business continuity planning and management.

One of the first roles is mapping business processes. A business analyst will typically do this in any one of a few different formats. We use something called the operation blueprint. This essentially maps all of the different steps to the business process. It also then links-up all of the supporting resources. Those would be your information-technology assets, your people, your vendors—essentially anything that would support the operation of each different business process, function or activity.


This week Charlie suggests 10 New Year's resolutions that Business Continuity Managers may want to consider.


Happy New Year to all readers. I hope you had a good holiday!


Originally posted on Rentsys Recovery Services' blog.

If you’re not an IT person but are involved in business continuity and need to be familiar with your business’s disaster recovery (DR) plan, how do you know if your organization is using the right data backup and recovery solution? The specific answer will vary based on your organization’s size and industry, but one thing holds true for all organizations: You need a solution that can back up your environment, not just your files. We’ll explain why.

File-Sharing Services