DRJ Blogs

DRJ | The premier resource for business continuity and disaster recovery

Never, say never… 

Previously we wrote about the fall-out from the Lac Megantic rail disaster – the deadliest Canadian rail disaster since 1867.  Many lessons were learned from the two-year investigation that followed.  While less catastrophic, the recent post-Hurricane Harvey Arkema plant explosion near Houston, Texas, will also reveal its own take-aways.

However, even without results from investigations into the Arkema explosions, these incidents deliver a critical lesson: ‘Never say never’.

The 'perfect storm' in Lac Megantic

At Lac Megantic, there were 18 factors that led to the rail disaster, taking 47 lives and devastating an entire town.  Considered in isolation, none of these factors would have predicted the disaster that resulted: a short-cut on an engine repair; a small engine fire; an improper brake test; insufficient brakes set; a train left unattended at the top of a hill.  While no one of these factors alone would have created the disaster that resulted, unfortunately for the community and the rail company, many of them collided on one fateful night.

...

7 Emerging Trends in Disaster Recovery Industry

For most business executives, the importance of finding a way to keep their businesses running even in the event of a disaster cannot be overstated. In fact, disaster recovery and business continuity are fast becoming the most important IT conversation that business leaders are having with their staff, along with training them on the protocols to follow when a disaster strikes. On average, business organizations take 1-9 hours to recover from a disaster. Each hour costs an average of $700,000.

In any disaster recovery procedure, the first few minutes and hours after a business system crashes are extremely crucial. For most enterprises, the rest of the recovery process is determined by how well events unfold in the period immediately after the disaster hits the business process.

Failure to be adequately prepared for a disaster has the potential to wreak havoc on the reputation and financial standing of the organization. What’s more, a poorly managed disaster can scare customers away. A Business Continuity Institute poll conducted by risk experts found that 85% of the people who took part in the survey had concerns that their businesses were at risk of a cyber-attack within a period of 12 months from the time the poll was conducted.

...

Emergency Response, Disaster Recovery and Business Continuity: Putting Incidents in Context

You’ve likely heard the terms before and may have a vague idea of their definition, but how do emergency response, disaster recovery and business continuity really work together during an incident? This blog post will walk you through these phases.

Putting Incidents in Context

You are sitting in your office building and the fire alarm goes off. Following health and safety procedures, you head outside and smell smoke. You can see flames coming from the top two floors of the building. The fire department has arrived and is setting up to put the fire out. Your colleagues are moved away from the building, and anyone who is hurt is treated. You are left to wonder when, if ever, you’ll be able to come back to work.

Within three days your IT group has you set up with a laptop so that you can work remotely. You and your colleagues work together online and through conference calls. Eventually, after the damage to the office is fixed, you get a notice that everyone can return to work as normal.

...

New Year's Resolutions

We are just a few days away from 2017, wondering what it will bring.  Everyone is deciding what their New Year's resolutions will be.  What will you do differently in your personal life?  And what changes are you going to make in your business and professional life?  This is the perfect time to reflect on what went well for your company this past year; and what was less than perfect. It is also the prime time to do some planning and preparation.

Incidents have a global impact.

One only needs to look back on 2016 to remember how many natural disasters occurred.  This was one of the deadliest Atlantic hurricane seasons since 2005, spanning all the way from mid-January to the end of November.  Out of 1,766 deaths this season, 1,659 were attributed to Hurricane Matthew alone.  There were also massive earthquakes in Ecuador, Italy and the Solomon Islands, and rampant wildfires in the Southeastern United States.  At first blush, when these incidents are looked at separately, the impact might not be considered all that high.  However, when you really think about the global impact of incidents like earthquakes, sudden flooding, snowstorms, power outages, fires, and hurricanes, you quickly realize how these seemingly isolated incidents resulted in real impacts on your bottom line.

The New Year is the time to start.

I suggest you take this week to get ready for the year ahead. Do a threat risk assessment.  Really look at the results of this process and consider how these threats will impact your business and bottom line.  Next, take action.  Work with a proven leader in the industry to put together a business continuity plan. When done effectively, the creation and implementation of this plan doesn't have a big impact on the day-to-day operations of your business.  Ultimately you will have the peace of mind that your company and its assets are protected in the event of disaster.

...

3 Ways Your BCP Can Help You During The Holidays

Demonstrating return on investment is one of the main barriers to launching a new Business Continuity Plan (BCP) project. Many organizations have difficulty justifying the expense of building a BCP and funding its maintenance over time. A healthy organization that has never experienced an interruption may focus on the real possibility of a zero ROI. If an organization is able to dodge the proverbial bullet, it’s true, the project may never yield much return. However, even in the case of extreme luck, there are three distinct ways that a BCP helps you with non-emergency operations in your organization.

1 – Holiday Closures

With the holiday season upon us, business closures can be a difficult puzzle to solve. Whether in the manufacturing or service sector, it can be tough to determine how to shut down and restart the business. Add in the need to share these impacts both inside and outside of the organization and this task can seem enormous. Thankfully, a solid BCP will give you the information you need to make this happen. The BCP tells you which critical processes need the most attention; it includes instructions for internal and external communications; and it lists all critical vendors, suppliers and customers that may need special attention. The BCP acts as a manual of steps for a short-term holiday closure. The New Year will ring in the return to operations-as-usual.

One important item to note is that using the BCP in such closures serves as a plan exercise. This will help identify any pitfalls in the plan and inform the next iteration. Exercises ensure your plan becomes an even more robust and useful resource.

...

Control in the Chaos

Emergency Management Market Skyrockets

When we heard the report based on new market research that the incident and emergency management market is projected to reach $114 billion by 2021, we weren’t surprised. But what people may not realize is why the market is exploding. The report notes the growth is due to “changing climatic conditions, increasing government regulations and norms, extensive usage of social media to spread information, and increased threats of terrorist attacks.”

Pretty sobering. Every one of those key drivers is out of our immediate control. We don’t like to feel out of control. In fact, the feeling of being out of control is a leading cause of anxiety and depression. It can lead us to act irrationally or, at the very least, make us irritable. The truth is, we feel safe when we are in control.

An interesting study found climate change ranks among the top 20 greatest fears of U.S. adults and nearly 40 percent of people have anxiety about terrorism. These are serious numbers. So what can a company do to alleviate some of these fears?

...

Lessons Learned from Matthew's Aftermath

Hurricane Matthew, a category 5 hurricane that disrupted life along the Western Atlantic for nearly two weeks last month, is an unwelcome reminder of the importance of business continuity planning and preparedness. In any disaster, there are many lessons learned for all persons and organizations involved. Here we look to Matthew to highlight some lessons we can all take away to enhance business continuity planning for not just hurricanes, but disasters of any kind.

For those who didn’t follow the hurricane, its effects were great and widespread. Wind gusts up to 107 mph were measured at Cape Canaveral, Florida. Water levels rose up to eight feet above normal levels as a result of the storm surge. Some areas reported up to 14 inches of rainfall, furthering flood risks and concurrent impacts miles from the coastline.

If you are directly inside this impact zone, many immediate effects can inhibit your business operations:

...

The Worst Advice We've Ever Heard About Incident Communications

Lessons from Ben

Benjamin Franklin was a great man who is known for his quotes and advice. Not only was he a founding father of our nation, but he launched the first library, the first hospital, and the first fire department. Those are but a few of his contributions to our society but even he understood the questionable value of advice from others when he said, “Wise men don’t need advice. Fools won’t take it.”

Advice can be a double-edged sword. On the one hand, it can be highly beneficial. We often seek advice when we are struggling with a situation or want another perspective. On the other hand, we often detest advice when it’s given without requesting it, particularly when that advice is counter to what we think we know.

Ask 50 people for advice on virtually anything, personal or work-related, and you will likely receive 50 different suggestions. How should you roast a chicken? Just Google that one and see how many different sites pop up. I just did and a whopping 75,800,000 results are possible. “How should a company communicate with its employees?” The chicken just got cooked because nearly double the number of results were offered up. Astonishing.

...

All data is not created equally!

Your original job application is not as important as your company’s payroll database, or even the email database. So, why are you using the same storage policy for both?

IT organizations can actually drive up the cost of storage unnecessarily by treating all data as if it were the same and storing it all on the same media. Stop using one policy to rule all of your data. It might be simple, but it is killing your bottom line.

...

Ebola - The Classic Creeping Crisis

This week Charlie discusses how the Ebola crisis is creeping up on all of us.

The situation in West Africa, with the ongoing spread of Ebola, bears all the classic symptoms of a ‘creeping’ or ‘rising tide’ crisis.

In Tolly’s Handbook of Disaster and Emergency Management Principles and Practice (edited by Lakha & Moore, 2004) a rising tide crisis is described as a: “Problem which creeps up gradually, such as occurs in the case of organised crime, corruption, a developing infectious disease epidemic or a steady stream of refugees into a country. There is no clear starting point for the crisis and the point at which it becomes a crisis may only be clear in retrospect.”

At present the disease is out of control in Sierra Leone, Liberia and Guinea. The latest news from the BBC says that in Sierra Leone there are five new cases of Ebola every hour and that a total of 765 new cases were reported in the West African state in the last week alone.

The problem is compounded by the fact that there are only 327 hospital beds in the country. The disease has killed 3,338 people so far. The situation is made even worse by the fact that 10% of Ebola deaths have been health professionals. Those trying to prevent the spread of the disease are being killed by it.

...

What can the Scottish Referendum teach us about business continuity?

This week Charlie discusses the Scottish referendum results.

I have written about Scottish independence before, but thought I would revisit the topic now that the referendum has been and gone.

...

Here are a few tips for keeping your BC plan and program healthy!

Food is a universal language. So is man’s need to survive. Whether in the business world or the kitchen, we need a simple recipe for business continuity success.  In this four-part series I’ll introduce you to the four basic courses necessary when cooking up an appetizing and rewarding business continuity program. This week the focus is on doing what’s good for us…exercising and eating our veggies!


Establishing the Business Case for the Business Impact Analysis

By Jacque Rupert, Avalution Consulting
Originally posted on Avalution Consulting’s Business Continuity Blog

Nearly all business continuity professionals understand the importance of the business impact analysis (BIA) as the primary means for laying the foundation of a business continuity program. However, many professionals struggle to receive executive buy-in, as well as the necessary resources and support for the process. This article dispels common myths in an attempt to help remove barriers to obtaining support and contributes to the creation of the business case for performing the BIA in any organization.

If you would like to learn more about the purpose and expected outcomes of the BIA, please check out: The Relationship Between the Business Impact Analysis and Risk Assessment.

...

Assessing Your Disaster Recovery and Business Continuity Strategy

  • Identifying business processes
    • How critical are they to the business?
    • What are the RTOs for them?
    • What is the supply RTO for them from IT?
    • Are they relying on the applications, or could they be done manually in case of disaster?
    • If there are gaps between supply and demand RTOs, negotiate with senior management to either implement the changes or sign off on accepting the risk
  • Assess the potential external / internal risks for the company
    • What are the disruptions to the business? (e.g. natural disasters, flu pandemic, building not available, etc.)
    • What are the internal risks? (e.g. access privilege violation, information theft, etc.)
    • Create a "Criticality Matrix" to assess the probability of each of the risks happening to an organization. This could be on a High/Medium/Low basis
  • Review all DR/BCP Plans
    • Start off with the Tier 1 critical applications and go down the list
      • Conduct a plan review called a "Tabletop" with the plan builder to review and update the document
      • Then conduct a "Walkthru" with the plan builder presenting the plan in front of all stakeholders. You can also invite internal/external audit to assess the process
      • Conduct a functional test
  • Vendor management
    • How often were the vendors reviewed?
    • How often are the vendors visited? Top 10 critical vendors must be visited on an annual basis. This could be merged with the Security Assessment.
    • Obtain information on data center locations, disaster recovery tests, contact persons, as well as dates and times of the past and future tests
    • Record information within plans and ensure that each plan requiring a vendor application to be available possesses this vendor information
  • Functional Testing
    • How often are the critical applications tested?
    • Is the testing methodology aligned with the corporate goals? Are you getting service disruptions during the tests?
    • How often are Tier 2, 3, 4 applications tested?
    • Were multiple concurrent tests conducted at once? (e.g. testing 20 applications as a bundle in a datacenter failover test)
    • Review the Test Certifications to ensure they possess critical information, such as: test times, applications tested, hardware tested, issues logged, resolutions found, physical signatures of the testers, and senior management approvals

The Relationship Between the Business Impact Analysis and Risk Assessment

By Jacque Rupert, Avalution Consulting
Originally posted on Avalution Consulting’s Business Continuity Blog

The business impact analysis (BIA) and risk assessment are foundational elements of every effective business continuity program; however, in our experience, many business continuity planning participants experience a lot of confusion regarding the definitions, relationship, and expected outcomes between the two processes. This confusion often results in outcomes that fail to drive preparedness.

Avalution acknowledges that there are many different ways to design and execute BIA and risk assessment processes, depending on the objectives for each. We also know that many experienced business continuity professionals have strong opinions on this topic, which may not fully align with our view. This article simply aims to provide Avalution’s perspective on how to best design and execute the BIA and risk assessment processes to achieve results that align with how management views business continuity risk.

...

Why Plan? A Closer Look at Business Continuity

By Ross Ladley, Avalution Consulting
Originally posted on Avalution Consulting’s Business Continuity Blog

Business continuity is an often talked about risk management practice, especially with what appears to be an ever-increasing number of serious disasters, including Superstorm Sandy, the California wildfires, and the Japanese tsunami – and that’s only natural disasters! Disruptive incidents can stem from major events such as these, but they can also originate from events that are far less visible and widespread, including sprinkler malfunctions, power outages, supply shortages, and IT disruptions.

This perspective discusses why organizations make the decision – or should make the decision – to invest in business continuity planning.

...

Using the Results of Your BIA to Develop Disaster Recovery Requirements

By Michael Bratton, Avalution Consulting
Originally posted on Avalution Consulting’s Business Continuity Blog

So you’ve just completed your business impact analysis (BIA) – identifying recovery time objectives for a variety of processes and functions throughout your organization and capturing the names of applications and systems that business owners state they just can’t live without. In addition, the IT department heard you were conducting a BIA and mentioned on a few different occasions that they were excited to see what the final results would be to help with their planning. You’ve taken all the applications and their reported recovery time and recovery point objectives and crammed them into a very lengthy spreadsheet, and then the inevitable happens… you realize that everything you have collected is a huge mess.

But, don’t worry, this is a common issue! This perspective will explore the process of taking that seemingly disorganized pile of data and organizing it into something that can be utilized by IT disaster recovery planners to help meet continuity goals. So, let’s get started!

...

Using ISO 27031 to Guide IT Disaster Recovery Alignment with ISO 22301

By Greg Marbais, Avalution Consulting
Originally posted on Avalution Consulting’s Blog

Many organizations struggle to define the best method to meet business expectations regarding information technology (IT) recovery. ISO 27031 provides guidance to business continuity and IT disaster recovery professionals on how to plan for IT continuity and recovery as part of a more comprehensive business continuity management system (BCMS). The standard helps IT personnel identify the requirements for Information and Communication Technology (ICT) and implement strategies to reduce the risk of disruption, as well as recognize, respond to and recover from a disruption to ICT.

ISO 27031 introduces a management systems approach to address ICT in support of a broader business continuity management system, as described in ISO 22301. ISO 27031 describes a management system for ICT readiness for business continuity (IRBC). An IRBC is a management system focused on IT disaster recovery. IRBC uses the same Plan-Do-Check-Act (PDCA) model as the business continuity management system described in ISO 22301. The objective of IRBC is to implement strategies that will reduce the risk of disruption to ICT services as well as respond to and recover from a disruption. Business continuity and IT professionals will find the use of the PDCA model very familiar but with necessary changes to support recoverability of ICT based on business requirements and expectations.

...

Rudolph the red-faced business continuity manager (a Christmas tale – sort of!)

By Andy Osborne, Consultancy Director at Acumen

Once upon a time there was a senior manager called Rudolph who, on top of his other responsibilities, was put in charge of the business continuity project. Rudolph was a busy chap with a lot on his plate – he didn’t have time for detail. And anyway, disasters never happen do they? Well, only to other people. 

So rather than doing any proper analysis he leapt straight into writing a plan. In fairness, he also thought about the business continuity strategy – for about five minutes. Then he took out the cheapest contract he could find for some ship-in IT equipment and wrote some lovely looking plans based on a number of un-validated (and, as it happens, invalid) assumptions. It didn’t take him long at all really.

...

Multi-Site Disaster Response and Coordination Best Practices

By Stacy Gardner, Avalution Consulting
Originally posted on Avalution Consulting’s Blog

Most organizations that have experienced a crisis would likely agree that advance planning is critical to enabling an effective response. When a disaster impacts several sites simultaneously, it makes coordination even more chaotic, so the importance of a defined structure increases. Organizations with multiple facilities or sites, especially those within “at-risk” regions, should take proactive steps to prepare their organization for events that require a widespread and coordinated response. Specifically, these preparedness steps include enabling coordination, communication, and adherence to organizational policies in advance of a disaster to ensure all sites implement appropriate response procedures. This article summarizes best practices that help enable sites to work together and execute common, approved response strategies to minimize impact and reduce confusion.

Define Authorities and Expectations
In organizations with centralized policies effective across several sites or facilities, it is important to define specific response authorities and performance expectations within human resources or business continuity policies. Specific policy changes include defining which individuals have authority to close a site as well as closure criteria, such as a public authority emergency declaration. Organizations should define criteria by which individual site leaders can act independently, such as in situations where employees are at risk for an immediate threat, and when additional approval and oversight is necessary from an executive leadership team, such as in advance-warning events.

...