Recent blog posts


Charlie giving some key hints and tips for ISO22301 certification.


Early this week I was in Fremont, California supporting a company through their ISO22301 audit. We have been working with them for a year to get them ready for the audit. Monday and Tuesday were the days that the auditor was on site. We had already taken half of the company (the part based in Sweden) to ISO22301 certification, so were fairly confident that we would pass the audit. A different auditor is always an unknown entity. This meant that the audit was, as always, approached with a little apprehension.


This post was originally published on the RES-Q™ Services Blog.

A commitment is defined as being responsible for something; to pledge or obligate oneself to something; to entrust; to consign.



I finished a new article on insider threats a couple of weeks ago. You can find it on our website (www.anniesearle.com) in the Research section, under "Articles by Annie."

I am on my way to New York City via Boston tomorrow morning. I'll be participating again this year in the Global Risk Forum hosted at New York University. The theme of the forum is regional resilience, against a variety of growing threats that even highly prepared organizations now have to monitor. I've been asked to contribute remarks around how even resilient firms can up their game at this time.

Once I'm back next week, I'll be accelerating work on a new book for executives, about operational risk.  More on that soon.

  • Identifying business processes
    • How critical are they to the business?
    • What are the RTOs for them?
    • What RTO can IT actually supply for them?
    • Do they rely on applications, or could they be performed manually during a disaster?
    • If there are gaps between the supply and demand RTOs, negotiate with senior management to either fund the changes that close them or sign off on accepting the risk
  • Assess the potential external and internal risks to the company
    • What could disrupt the business? (e.g. natural disasters, flu pandemic, building not available, etc.)
    • What are the internal risks? (e.g. access privilege violation, information theft, etc.)
    • Create a "criticality matrix" rating the probability of each risk to the organization, for example on a High/Medium/Low basis
  • Review all DR/BCP plans
    • Start with the Tier 1 critical applications and work down the list
      • Conduct a plan review ("tabletop") with the plan builder to review and update the document
      • Then conduct a walkthrough in which the plan builder presents the plan to all stakeholders; internal or external audit can be invited to assess the process
      • Conduct a functional test
  • Vendor management
    • How often are the vendors reviewed?
    • How often are the vendors visited? The top 10 critical vendors should be visited annually; this can be combined with the security assessment
    • Obtain each vendor's data center locations, disaster recovery test history, contact persons, and the dates and times of past and planned tests
    • Record this information in the plans and ensure every plan that depends on a vendor application contains it
  • Functional testing
    • How often are the critical applications tested?
    • Is the testing methodology aligned with corporate goals? Are the tests causing service disruptions?
    • How often are Tier 2, 3 and 4 applications tested?
    • Were multiple tests conducted concurrently (e.g. 20 applications tested as a bundle in a data center failover test)?
    • Review the test certifications to ensure they record the critical information: test times, applications tested, hardware tested, issues logged, resolutions found, physical signatures of the testers, and senior management approval
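The supply-versus-demand RTO check in the first group of the checklist is the item that benefits most from being mechanised, because a process inherits the RTO of its slowest application. The following Python script is an added example, not code from the original post; the application catalogue, process list, RTO figures and the `manual_workaround` flag are constructed assumptions. It propagates IT's supply RTO through each process's application dependencies, compares it with the business's demand RTO, and produces the gap list, worst first, that the checklist says should go to senior management. An application a process depends on but that is missing from the IT catalogue is reported as an error rather than silently given an RTO, since that is itself a gap.

```python
# Added example: supply-vs-demand RTO gap analysis across application
# dependencies. Not from the original post; process and application names,
# tiers and RTO figures are constructed for illustration.
from dataclasses import dataclass

CRITICALITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Application:
    name: str
    tier: int                # 1 = most critical, restored first
    supply_rto_hours: float  # restoration time IT has committed to


@dataclass(frozen=True)
class Process:
    name: str
    criticality: str         # "High" / "Medium" / "Low"
    demand_rto_hours: float  # outage the business says it can tolerate
    applications: tuple      # names of applications the process relies on
    manual_workaround: bool = False  # can run by hand while apps are down


def effective_supply_rto(process, catalog):
    """A process cannot resume before its slowest dependency is restored.
    An application missing from the IT catalog is a finding in its own
    right: nobody has committed to restoring it."""
    missing = [a for a in process.applications if a not in catalog]
    if missing:
        raise LookupError(f"{process.name}: no supply RTO for {missing}")
    if not process.applications:
        return 0.0
    return max(catalog[a].supply_rto_hours for a in process.applications)


def rto_gaps(processes, applications):
    """Return one row per process, highest criticality and largest gap
    first, so the list can go to senior management as-is."""
    catalog = {a.name: a for a in applications}
    rows = []
    for p in processes:
        supply = effective_supply_rto(p, catalog)
        gap = max(0.0, supply - p.demand_rto_hours)
        if gap == 0:
            disposition = "ok"
        elif p.manual_workaround:
            disposition = "gap covered by manual workaround - confirm in exercise"
        else:
            disposition = "gap - shorten supply RTO or sign off on risk"
        rows.append({"process": p.name, "criticality": p.criticality,
                     "demand_rto": p.demand_rto_hours, "supply_rto": supply,
                     "gap_hours": gap, "disposition": disposition})
    rows.sort(key=lambda r: (CRITICALITY_RANK[r["criticality"]], -r["gap_hours"]))
    return rows


# Constructed sample data (assumed, not from any real organisation).
APPLICATIONS = [
    Application("ERP", 1, 4.0),
    Application("Payments gateway", 1, 2.0),
    Application("Data warehouse", 3, 48.0),
    Application("Email", 2, 8.0),
]

PROCESSES = [
    Process("Customer payments", "High", 4.0, ("ERP", "Payments gateway")),
    Process("Month-end reporting", "Low", 24.0, ("ERP", "Data warehouse")),
    Process("Order entry", "High", 2.0, ("ERP",), manual_workaround=True),
    Process("Internal comms", "Medium", 24.0, ("Email",)),
]

if __name__ == "__main__":
    for row in rto_gaps(PROCESSES, APPLICATIONS):
        print(f"{row['criticality']:6} {row['process']:20} "
              f"demand={row['demand_rto']:>5}h supply={row['supply_rto']:>5}h "
              f"gap={row['gap_hours']:>5}h  {row['disposition']}")
```

With the constructed data, "Order entry" tops the list: IT needs four hours to bring ERP back but the business wants two, and the only thing standing between that and a risk sign-off is a manual workaround that should be proven in a functional test. "Month-end reporting" shows the other common pattern, a low-criticality process dragged far past its RTO by one slow dependency (the data warehouse).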

I read a lot of articles on the key benefits of the cloud and on how cloud computing can be used to help ensure business continuity and speed disaster recovery; in some cases the cloud services themselves become a major component of the disaster recovery plan for on-site systems and services. But cloud services are not perfect. While they sometimes offer redundancy and data protection, they can also cause problems of their own through updates or network failures.

Remember last year when a disruption at Amazon shut down Instagram, Vine, Airbnb and IFTTT?

Ultimately it is the user's (the data owner's) responsibility to address their data as part of the overall business continuity management system.


By Jacque Rupert, Avalution Consulting
Originally posted on Avalution Consulting’s Business Continuity Blog

The business impact analysis (BIA) and risk assessment are foundational elements of every effective business continuity program; however, in our experience, many business continuity planning participants experience a lot of confusion regarding the definitions, relationship, and expected outcomes between the two processes. This confusion often results in outcomes that fail to drive preparedness.

Avalution acknowledges that there are many different ways to design and execute BIA and risk assessment processes, depending on the objectives for each. We also know that many experienced business continuity professionals have strong opinions on this topic, which may not fully align with our view. This article simply aims to provide Avalution’s perspective on how to best design and execute the BIA and risk assessment processes to achieve results that align with how management views business continuity risk.




For the past week I have been working with a company in California and getting them ready for ISO22301 certification. I will speak more on the lessons learned from the certification in next week’s bulletin. In preparation for the audit I have been helping the local coordinator and senior managers develop their local business continuity plan for the loss of their Californian Headquarters. The other half of the company which is in Sweden has already been ISO22301 certified.

As well as developing a local plan for their California Headquarters, I was building into the plan how an incident that impacted on Sweden would be managed. A number of senior managers are based in California, their marketing department is there and they are NASDAQ listed.  This means that any disaster which could have a major impact on company operations has to have a California element. This applies to worldwide sales offices, as well as their Swedish office, where most of their IT is housed.
In developing their plan I suddenly realised that this was the first plan I have ever written that spans time zones. Plans I have written in the past have involved the incident team, especially the strategic team, working almost office hours with a slightly early start and a later finish. On the whole no interested parties wanted to hear from them in the middle of the night, so they could go home ready for the next day. As people prepare to pack up and go home for the day in Sweden, the working day in California is just beginning. If you worked long hours over both time zones then the team would be working 24/7. With a small senior management team this would not be possible.
Working with a company that has such an international operation has given me a lot of food for thought about the handling of incidents.
1. Think about how you are going to manage an incident if it is going to be across many time zones.
2. The second point is about managing the media. When I was talking to the senior managers as part of the exercise it occurred to me that most media case studies and learning points come from businesses that service customers rather than business to business companies. This company does something quite obscure and before working with them I didn’t know what their technology did. That got me thinking, would anybody in the media actually be interested in an incident that involved them? I thought that the only people who would be interested are their customers, the industry and their investors. An incident involving them is never likely to make the news so they have to think about their reputation amongst a very small pool of people rather than the “court of public opinion”. This makes their communications strategy easier as there are fewer players but also more difficult in that it is difficult to hide an incident in a small industry.  There will inevitably be a lot of speculation, especially from your rivals! If you are a B2B organisation, you should think about how your communications strategy could differ from the usual ones you hear about.
3. My final point was this, how do you tell the customer? This company provides an ongoing support service to their customer in terms of bug fixes and new security upgrades. An incident could delay these. If there is an incident that could delay routine fixes for a short while, do you tell your customers or not? They may not notice the incident at all. On the other hand if you’re spending millions with a supplier, would you not think you are entitled to hear about any potential delay in a bug fix or a support call? We decided after a long debate it depends on the circumstances. This I think is a very difficult call. The lesson to be learnt here is that you should think through different types of scenarios and practice this during exercises.


Originally posted on Rentsys Recovery Services’ blog.

According to Accenture's 2013 Global Risk Study, regulatory requirements rank as a top-five risk category for financial, government, insurance and other industries. In fact, 30 percent more companies plan to increase their compliance efficiency.

The rising concern with compliance stems from both changes in legislation (such as Basel III and Dodd-Frank) and tighter corporate governance requirements.



Business continuity methodologies have been around for decades. Business processes, technology, culture, markets, media and communication have all changed – yet BCM is still virtually the same. It shouldn't surprise anyone that "selling BCM to the C-suite" is a problem of epidemic proportions.

Executives see little – if any – value in current BCM methods and plans. Auditors have progressed beyond accepting BIA compilations and door-stopper BCPs as evidence of BCM compliance. They have a new yardstick: "stress-testing" your ability to respond to disruptions and resume operations against all odds. They are questioning your organization's ability to continue to deliver critical products and services following any interruption. That's the new raison d'être of BCM programs. And as an industry, we've been failing to meet that objective.


The purpose of an Incident Readiness Program is to enhance the ability to respond effectively to any business disruption and restore those assets (business processes, facilities, technology, suppliers and people) that are critical to the delivery of the organization's products and services.

The Planning Phase of the program enables the organization to identify the critical assets at risk, prioritize the resumption of business processes, map the dependencies necessary for effective response and recovery, and develop actionable plans. Testing and exercises should be designed to find the gaps in recovering those critical assets – both strategic and operational. The Incident Management component of the program establishes the organizational structures and tools for command, control and communication during a disruptive incident.



By Andy Osborne, Acumen
Originally posted on Oz's Business Continuity Blog

I like writing. I like reading too, although with everything else vying for my attention, I don’t get nearly enough time to read for pleasure.

On the writing front, I blog when I can, although not as often as I'd like; I write my "Tip of the Month", the odd article here and there, and I have a couple of books to my name so far – just in case you didn't know, and in a blatant and shameless piece of self-promotion, they're called "Practical Business Continuity Management" and "Risk Management Simplified", available from www.practicalbcm.co.uk and www.rmsimplified.co.uk or from your favourite online bookstore! I also write newsletters, match reports and website content for my hockey club and, of course, there are various reports and the interminable e-mail treadmill that we all have to contend with.



By Ross Ladley, Avalution Consulting
Originally posted on Avalution Consulting’s Business Continuity Blog

Business continuity is an often talked about risk management practice, especially with what appears to be an ever increasing number of serious disasters, including Superstorm Sandy, the California wildfires, and the Japanese tsunami – and those are only the natural disasters! Disruptive incidents can stem from major events such as these, but they can also originate from events that are far less visible and widespread, including sprinkler malfunctions, power outages, supply shortages, and IT disruptions.

This perspective discusses why organizations make the decision – or should make the decision – to invest in business continuity planning.



It’s been an extraordinary month, with scenarios that include missing planes; another round of deaths at Fort Hood just as the report on lessons learned in the Washington Shipyard was released; a Supreme Court decision that makes us wonder if the justices believe that free speech is the same as money; and, right in our backyard, a devastating mudslide from which all the bodies still have not been removed.



Change management is often the most overlooked aspect of disaster recovery. Not only does it get too little attention, but we often forget that maintaining a recovery footprint is just as important as building it.

Is your DR environment still in sync with production? Have all the new production changes been replicated to DR? How can you be sure that your applications would still function there?

It is critical that members of the DR/BCP teams sit on the change control board. That allows the resiliency team to screen every change proposed for production for tasks that must also be applied to the recovery footprint. When a change must be mirrored, a DR team member normally notifies the change management group with the appropriate information; with recent versions of Remedy and ServiceNow this is fairly simple. Adding a button that flags the proposed change for DR deployment will not cost your company much, and the return on investment is a good night's sleep knowing that your footprint is well maintained and ready to go.
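One way to do the screening described above, written as an added example rather than anything from the post or from Remedy or ServiceNow: the export format, column names (`dr_flag`, `dr_deployed`), configuration item names, change records and the seven-day grace period are constructed assumptions, since a real ITSM export will differ. The script takes a change export, keeps only production changes that touch a configuration item with a DR counterpart, and sorts them into changes never flagged for DR (the silent drift the post warns about), flagged changes that are overdue for DR deployment, flagged changes still within the grace period, and changes already in sync.

```python
# Added example: screening a change-management export for production changes
# that touch the DR footprint but were never flagged for, or applied to, DR.
# Not from the original post; the export layout, field names, CI names and
# records are constructed for illustration.
import csv
import io
from datetime import date

# Configuration items that have a counterpart in the recovery footprint
# (constructed list; in practice this comes from the DR plan inventory).
DR_FOOTPRINT = {"erp-app-01", "erp-db-01", "pay-gw-01"}

# Constructed change export, one row per implemented change. 'dr_flag' is
# the flag the post suggests adding to the change form; 'dr_deployed' is the
# date the same change reached DR, blank if it never did.
CHANGE_EXPORT = """\
change_id,ci,environment,description,implemented,dr_flag,dr_deployed
CHG0001,erp-app-01,prod,ERP patch 11.2,2014-03-03,yes,2014-03-05
CHG0002,erp-db-01,prod,Add index on invoices table,2014-03-10,no,
CHG0003,pay-gw-01,prod,TLS certificate renewal,2014-03-12,yes,
CHG0004,hr-portal-01,prod,Theme update,2014-03-14,no,
CHG0005,erp-app-01,test,Trial config change,2014-03-15,no,
"""


def parse_changes(text):
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def screen_changes(records, footprint, as_of, max_lag_days=7):
    """Classify production changes that touch the DR footprint.

    Buckets:
      unflagged - change hit a footprint CI but was never flagged for DR,
                  so DR has silently drifted from production
      overdue   - flagged, but DR deployment still missing after max_lag_days
      awaiting  - flagged, not yet deployed, still inside the grace period
      in_sync   - applied to both environments
    Changes outside prod, or to CIs with no DR counterpart, are ignored.
    as_of is an ISO date string (the day the screen is run).
    """
    today = date.fromisoformat(as_of)
    buckets = {"unflagged": [], "overdue": [], "awaiting": [], "in_sync": []}
    for r in records:
        if r["environment"] != "prod" or r["ci"] not in footprint:
            continue
        if r["dr_flag"].strip().lower() != "yes":
            buckets["unflagged"].append(r["change_id"])
        elif r["dr_deployed"].strip():
            buckets["in_sync"].append(r["change_id"])
        else:
            implemented = date.fromisoformat(r["implemented"])
            lag = (today - implemented).days
            bucket = "overdue" if lag > max_lag_days else "awaiting"
            buckets[bucket].append(r["change_id"])
    return buckets


def drift_report(as_of="2014-03-31"):
    """Run the screen over the constructed export and return the buckets."""
    return screen_changes(parse_changes(CHANGE_EXPORT), DR_FOOTPRINT, as_of)


if __name__ == "__main__":
    for bucket, ids in drift_report().items():
        print(f"{bucket:9}: {', '.join(ids) or '-'}")
```

Run against the constructed export on 2014-03-31, CHG0002 (an index added to the ERP database with no DR flag) is the finding that matters: the DR database no longer matches production and nothing in the process would ever have said so. CHG0003 was flagged correctly but the certificate renewal never reached the DR gateway, which is the kind of thing a failover test discovers the hard way. Changes to CIs outside the footprint and changes in non-production environments are deliberately ignored so the report stays short enough to be read.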



After tsunamis, protests, hurricanes and wildfires, it would be expected that very few management teams would be unaware of their company’s vulnerability to disruptions like civil unrest and extreme weather.

Unfortunately a survey released by the APQC (American Productivity & Quality Center) last year revealed that this may not be the case: beyond their Tier 1 suppliers, organizations have very little visibility. It's a matter of transparency (or lack thereof). Let's take a closer look at the data and figure out why, and how ISO 22301 can increase transparency and help raise awareness, leading to better decision making and preparedness. (APQC, 2013)

The overwhelming majority of respondents reported that their organization’s leaders were concerned to extremely concerned about:


Two months to the day before the start of the 2014 Atlantic hurricane season, and right on schedule, a variety of seasonal outlooks have come out in the last few weeks. I'm not a meteorologist but I worked in the global corporate meteorology industry for 22 years, so I know how much effort, research and dedication goes into the production of a well thought-out seasonal forecast. And how much is a LOT.

The primary components of a seasonal forecast are to review the current environmental setup factors and then carefully compare them with similarly behaved seasons over the last 80 to 100 years in order to come up with what are called analog years.  Occasionally a sexy new predictive model comes out and from what I observed the seasonal outlooks are sometimes tweaked or otherwise weighted one way or another depending on how much faith is put into the newer models.  The shorter, less geeky version of this is that loads of passionate devotion go into the outlooks, not to mention lots and lots of discussion and sharing of experience.  There is screaming.  People throw things.

And sometimes, more often than not, the outlooks are fairly accurate.  The skill of meteorologists and the accuracy of the science have increased dramatically in the last 20 years, even in the last 5 years.  But nature is nature and those of us in hurricane country remember last year, which was predicted to be the hairiest, scariest hurricane season in decades.  Do you remember any storm names from last year?  Neither do I.  And I’m a weather geek.



By Eric Thompson, solutions architect for Rentsys Recovery Services, Inc. Originally posted on Rentsys Recovery Services' blog

Today, almost every newspaper or tech magazine you pick up is either singing the praises of the cloud or pointing out its shortcomings. The challenge is transitioning from talking about cloud to actually implementing a cloud-based solution so you can judge its usefulness for yourself. 

If you're ready to take the cloud plunge, follow these three steps to be best prepared. 


Originally posted on Rentsys Recovery Services' blog

Earlier this year, the Disaster Recovery Preparedness (DRP) Council released the results of an annual benchmark survey that graded businesses worldwide on their state of DR preparedness using a scale of A (best) to F (worst). The report revealed some disturbing news: 3 in 4 companies are at risk due to incomplete or nonexistent disaster recovery plans. Fortunately, the DRP Council offered this nugget of encouragement: We're starting to identify DR best practices. Specifically, the survey results showed that businesses that scored an A or B had three things in common:

  • They built detailed DR plans.
  • They defined specific DR metrics for RTOs and RPOs.
  • They tested DR plans more frequently. 

The report is very clear that these goals are key to being a good student of DR preparedness. Now let's take a look at what solutions you can use to get a passing grade on your business's DR plan.