DRJ Blogs

DRJ | The premiere resource for business continuity and disaster recovery

Records Management for BCP


Records management is an ongoing struggle for many businesses, especially when it comes to Business Continuity Planning (BCP). Every time we go to a client site we get asked about what to do with all of the information the business generates. Where should it be stored? How should it be accessed, and by whom? And how do we know it’s up to date? In this post we are highlighting a few tips and tricks for records management to help your business easily survive the next disaster. 

What is a record?

Let’s start with the basics. What are we actually talking about when we say ‘record’? Most often a record is a set of printed documents that are kept in file folders or binders. But don’t be fooled! Records also include anything written in employee notebooks, or post-it notes at people’s desks. In short, anything written down for your company is a record. And that’s just hard copy.

There are also electronic records. Most often people think of anything that is generated in any of the Microsoft Office suite of programs (like Word, Excel, PowerPoint, etc.). These records also include pictures, any emails sent or received to the company email address (and yes, attachments too), as well as anything sent or received in instant message programs used by your business.

...

The 4 Ps of Incident Management 2.0 - Ramesh Warrier

Plans should not be the only goal of Business Continuity Management (BCM) programs. The true end-state of BCM should be to assure that your organization can successfully manage its response to any disruption, the goal of Incident Management.

An Incident Management focus has 4 components:

Planning – More than just BIAs and Risk Assessment, planning is the process of gathering, analyzing and presenting data crucial to Incident Managers’ and senior executives’ Decision Support. This includes: assessment of current capabilities, vulnerabilities, gaps, single points of failure, critical resources for processes and IT services, and RTO and RPO requirements.

...

4 years later… what we can learn from the Lac Mégantic rail disaster


What can we learn from Lac Mégantic

In July of 2013, the deadliest Canadian rail accident since 1867 occurred in Lac Mégantic, Quebec. A series of errors caused a train carrying crude oil to roll downhill before derailing in the town of Lac Mégantic. The accident resulted in:

  • 63 derailed rail cars
  • 47 deaths
  • 2000 people forced from their homes
  • 4200 people impacted
  • 30 buildings destroyed
  • multiple criminal charges
  • $460 million in settlements (and ongoing legal battles)

While it might be tempting to assume an accident of this magnitude is the result of a single large error or mechanical failure, this was not the case. Investigators identified 18 causes and contributing factors that led to the disaster. Here are a few common but potentially dangerous assumptions that were made by the rail company and are often heard in the emergency response and business continuity arena:

  • We've trained our staff in all safety procedures. The rail engineer in the Lac Mégantic disaster received training. Despite this, he did not conduct a proper brake test to ensure the locomotive was secure. The engineer applied 7 handbrakes, yet investigators estimate that the operator should have applied at least 17 brakes to secure the train. Investigations revealed that training, testing and supervision were insufficient. Safety training is important, but regular reviews and testing are just as critical. Management needs to be sure that staff are always following procedures accurately and consistently.
  • We have written procedures for our staff to follow. In the rail disaster, personnel mislabeled the oil cars with the wrong type of crude oil and did not follow brake procedures.  Just because procedures are written down doesn’t mean staff will always follow them.  We can learn from the checklist approach used in the airline industry and now adopted in operating rooms as well.  Mandatory checklists require the pilot/surgeon to physically check off that required procedures are followed, every time.
  • We’ve evaluated the situation and decided it’s too costly to fix so we’re going to accept the risk. Eight months before the Lac Mégantic rail disaster the lead locomotive was in for repair. Due to the costs associated with a standard repair and the pressure to return the locomotive to service as quickly as possible, the company took shortcuts, using an epoxy-like material instead of performing the standard repair. This material caught fire the night of the disaster and was a significant contributing factor to the events that led to the derailment. Businesses make cost-benefit decisions every day, but we need to be sure we’re fully recognizing all the costs. The railway is now in bankruptcy protection because of the event.
  • We are regulated and regularly inspected so we’re confident that we’re following all required procedures. Prior to the rail disaster, reports documented a pattern of repeat problems.  Despite these reports, Transport Canada did not always follow up to ensure the company was addressing the underlying conditions that led to these recurring problems. Lack of oversight left gaps that contributed to the disaster.  While many regulations exist, regulators often do not have sufficient resources to verify that companies are following the rules.  Do not confuse compliance with safety.  Companies need to do their own due diligence.

These are just a few of the excuses we hear companies use to make themselves feel comfortable that they’re meeting safety and business continuity obligations. These are also some of the same issues that led to the Lac Mégantic disaster. Don’t assume you are meeting your obligations. Test, retest, and make sure you have tools and plans in place to ensure the safety of your operations.

...

7 Emerging Trends in Disaster Recovery Industry


For most business executives, the importance of finding a way to keep their businesses running even in the event of a disaster cannot be overstated. In fact, disaster recovery and business continuity are fast becoming the most important IT conversation that business leaders have with their staff, along with training them on the protocols to follow when a disaster strikes. On average, business organizations take 1-9 hours to recover from a disaster. Each hour costs an average of $700,000.

In any disaster recovery procedure, the first few minutes and hours after a business system crashes are extremely crucial. For most enterprises, the rest of the recovery process is determined by how well events unfold in the period immediately after the disaster hits the business process.

Failure to be adequately prepared for a disaster has the potential to wreak havoc on the reputation and financial standing of the organization. What’s more, a poorly managed disaster can scare customers away. A Business Continuity Institute poll conducted by risk experts found that 85% of the people who took part in the survey had concerns that their businesses were at risk of a cyber-attack within a period of 12 months from the time the poll was conducted.

...

Emergency Response, Disaster Recovery and Business Continuity: Putting Incidents in Context


You’ve likely heard the terms before and may have a vague idea of their definition, but how do emergency response, disaster recovery and business continuity really work together during an incident? This blog post will walk you through these phases.

 

Putting Incidents in Context

You are sitting in your office building and the fire alarm goes off. Following health and safety procedures, you head outside and smell smoke. You can see flames coming from the top two floors of the building. The fire department has arrived and is setting up to put the fire out. Your colleagues are moved away from the building, and anyone who is hurt is treated. You are left to wonder when, if ever, you’ll be able to come back to work.

Within three days your IT group has you set up with a laptop so that you can work remotely. You and your colleagues work together online and through conference calls. Eventually, after the damage to the office is fixed, you get a notice that everyone can return to work as normal.

...

Hyperlink your way to a successful BCP

At KingsBridge our primary focus is developing simple and straightforward business continuity software (our flagship tool Shield). However, we also believe strongly that to develop a useful tool, you need to be using it every day, just like our customers do. To make this happen, we also do consulting: writing plans, exercising plans and performing gap analyses on existing plans. The gap analysis is always an interesting experience because we see how other organizations have structured their business continuity plans. We can receive hundreds of pages of content to perform our analysis. When the documentation arrives, our first thought is often, how do they find anything in here? They must be flipping pages forever to find the content they need when the plan is activated.

Easy plan navigation is critical to writing your business continuity plan. It’s one thing to ensure your plan includes all the critical plan elements and it is kept up to date. It’s quite another to ensure that everyone can find the information that they’re looking for. How do we manage this in Shield? Hyperlinks!

...

Business Continuity or Disaster Recovery?


Business Continuity plan, or Disaster Recovery plan? How do you know which of these you should be writing for your company? Is there even a difference between the two?

The short answer is yes, there is a difference! And it is not intuitive. Most people hear the words ‘disaster recovery’ and assume that the phrase means ‘recovering from a disaster’. Likewise, ‘business continuity’ sounds like it means ‘continuing with business.’ These terms are often misused because the assumed definitions sound very similar. So let’s set the record straight!

Disaster Recovery Plan

A Disaster Recovery plan is not a plan to recover from a disaster. It is the plan your IT department will follow to bring systems back online in the event of an outage. These outages (what we in the industry call ‘incidents’) can occur in a number of different ways and affect a myriad of components. An outage or incident may be the cause of, or it may lead to, a disaster. If you have ever been sitting at your office desk and your email suddenly stops working, chances are your company experienced an incident. The IT department works madly to get your email back online. Then there is a sigh of relief when it works. And email is just one part of it. Access to the internal network, the different software you use, the phone system, and the internet all fall under Disaster Recovery too.

...

Business Continuity Awareness Week 2017


Mark your calendars! Business Continuity Awareness Week 2017 is next week, May 15 – 19! You may be thinking, “Wow, that’s coming up fast! I’m not ready, I thought I had more time!” Don’t worry! We’re here to help you with some last minute tips and tricks to pull off an educational, forward thinking Business Continuity Awareness Week!

This year’s theme is Cyber Security

The first thing you should know is this: the Business Continuity Institute (BCI) announced this week’s theme as cyber security. In a nutshell, cyber security is made up of the firewalls, technology, processes, etc. that help to protect your business from viruses, attacks, and other wrongful access. Below are a few examples of what you can do to increase awareness of it in your organization.

Put up posters

The BCI has six different posters for download on their website – for free. Download some of these posters, print them, and hang them throughout your office. Each poster touches on a different part of cyber security and what your employees can do to stay secure.

...

Orchestration for Disaster Recovery

It’s no longer acceptable to have simply checked a box indicating that you have a disaster recovery plan, or have performed a disaster recovery exercise within the last year that required significant resource investment and more than 16 weeks to plan for. In today’s always-on world, with the severe reputational damage that can be caused by an outage at the forefront, many companies need a validated plan that can be fully executed at a minute’s notice. As a result, companies are moving towards designing more proactive strategies to fail over between sites on a more frequent basis, running production from the failed-over site for an extended period of time to verify operations, then failing back to their original state.

For many companies this may seem to be an almost impossible task; however, the very recent introduction of recovery technology in the form of advanced orchestration, which automates and executes the entire recovery run book from end to end, now provides a single pane of glass to govern the complete process. Many companies are now leveraging these advanced designs not only to orchestrate and validate a failover successfully, but also to gain valuable insight and documented proof of the results for audit and compliance.

Will your disaster recovery plan do that?

...

Driving Resiliency Through Operational Risk Management

I recently had the pleasure of presenting with a panel of RSA Archer customers on the topic of “Building Resiliency Across the Value Chain” for a Disaster Recovery Journal webinar.

Two key questions were posed to the 80 attendees. The first question was: “Where is your organization on the business resilience scale?”  The responses were:

 

...

The price of Cloud Backup and DRaaS

Cloud computing is hardly a new player of the IT world. Its ever-growing market share and popularity within the IT community derives from combining flexible prices with the Always-On Availability of infrastructure resources. It brings out a whole new world of possibilities for your business, while reducing the long-term costs of maintaining your own infrastructure. Yet, despite the obvious cost advantages of moving data to the cloud, pricing is still a top concern, as Veeam discovered from our recent 2016 cloud end-user survey (see chart below).

Are cloud backup and DRaaS affordable?

The answer depends on many factors. A change of mindset is required when thinking about the affordability of cloud-based backup and disaster recovery (DR). Depending on your individual business requirements, cloud backups or even a full Disaster Recovery as a Service (DRaaS) solution can be very affordable, especially considering the money saved in the event of a disaster. The general rule is the lower the recovery time objective (RTO) and recovery point objective (RPO) your business requires, the higher the potential cost.

...

Communicating When Disaster Strikes - Tips for Preparedness

One of the first things people do when disaster strikes is start communicating. Someone calls 911. Emergency response groups learn and relay important facts about the incident. And people speculate about what happened, why it happened, and what will happen now.

As a business, it is vital to be ready to respond when disasters occur. In order to keep gossip to a minimum and maintain a positive reputation, clear communication about the incident must occur in a timely fashion. This can be hard to do when there is concern over the well-being of employees or pressure to provide an explanation about who is responsible. Adding to this stress is that all of the facts may not be known right away, yet communications still need to be sent.

So how does a business take steps to ensure clear, timely communications occur under all of that pressure? This post provides you with a few tips to help you (and your business) communicate effectively in the aftermath of a disaster.

...

BUSINESS IMPACT ANALYSIS RELIEVES “TEMPEST IN A TEAPOT” SYNDROME


Do you ever use the term, ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t. Doing a little research, I found other similar phrases I thought were entertaining. They are:

• ‘A storm in a teacup’ – Cicero; or ‘Billows in a ladle’ – translation of Cicero’s writings
• ‘A storm in a glass of water’ – Netherlands
• ‘Tempest in a potty’ – Hungary
• ‘A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ – England

Of course my seven-year-old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.

...

No Building, No People, No Systems, No Suppliers

We get asked a lot of questions about how any one company can possibly plan for all of the different incidents they could experience.  It’s a good question.  There are many variations of complexity to incidents that can make the task of planning for them all feel overwhelming.  Fires start small, and can grow and spread.  Tornadoes might cause minor damage to the warehouse, or take out the entire structure.  One employee gets sick with the flu, and suddenly a third of the workforce is unable to come to work.  

When we discussed this problem recently with a friend of KingsBridge BCP, they had the perfect example to illustrate this point. This person works for a natural gas company, and their story goes like this:

There was a bad thunderstorm happening in an urban area adjacent to an electrical tower.  Lightning from the storm struck the tower.  The good news is that the tower had a ground wire. The bad news is that the ground wire ran down into the ground next to the end of a metal corrugated sewer pipe.  The surge from the lightning strike ran down into the ground wire and hit the sewer pipe. It was conducted along the length of the sewer pipe until it hit a natural gas pipeline at the other end.  This caused a minor explosion that set off a chain reaction to all of the natural gas feeds into the homes and businesses in the nearby vicinity.

...

New Age Resiliency

The age of manual disaster recovery is rapidly reaching end of life. The need for an ‘Always on’ business that leverages enhanced technologies is driving traditional recovery programs to seek improved, cost-effective alternatives. Speed, accuracy, and consistency quickly become the predominant principles for effective resiliency programs.

Many factors are driving the need for taking the next step towards transforming resiliency programs to enable a more software defined, orchestrated approach to keeping a business up and running. These include:

  • Corporate demands for less downtime, evidenced by the growing number of real time, online systems that demand a 24x7x365 end user experience to drive expected results
  • Increased mandates for external compliance and internal audit to demonstrate continuous availability and a near instant response to an outage
  • Threats from cyber activity that require immediate action to identify and remediate the concern and resume processing with minimal business interruption
  • Continuous monitoring and confirmation of the resiliency program which increases confidence that should an event occur, the business is ready to respond
  • Increased recovery capacities to manage the tremendous upsurge in data growth and hybrid IT progression, which are driving the need for more significant resiliency designs to protect information and for a more expeditious means to bring it back online in the event of an interruption
  • The challenge to validate recovery given the increase in size and complexity of the environment and the inherent risks associated with demonstrating full business functionality without impacting production 

Addressing these factors has become a huge challenge, especially when using traditional methods for validation of the program, responding to a live event, and ultimately demonstrating complete business resumption.  Recent technology developments in the area of automation and orchestration not only address these needs, but more specifically provide the road map for the next generation of business resiliency. 

...

Have You Automated Your Emergency Notifications? How This One Step Can Save Lives


Emergencies Aren’t The Time to Plan

We don’t often think of emergency response until there is an actual emergency, which is the absolute worst time to figure it out. When you’re in a crisis, you and your co-workers are less likely to think as clearly as when you aren’t. An emergency “plan” is just that, a plan. It’s your guide to getting you and your employees out of harm’s way and keeping the business up and running as best as possible. The more steps you can remove from the process through automation, the better off everyone will be.

While many organizations say they have an emergency procedure in place, there are a few problems with many plans:

1. The plan isn’t really a plan. It’s more of an idea. “If we have to evacuate, we’ll just go into the parking lot.” That’s not a well-conceived plan. An appropriate plan must be well thought out, rehearsed, and include all of the most likely scenarios, plus the flexibility to extrapolate the procedure to unexpected events. This “all-hazards” plan requires more than one person to develop; in fact, it takes a committee of in-house and remote stakeholders who can work together to come up with a comprehensive strategy and agree on the technologies that will make it happen.

...

5 Clichés About Business Continuity Management You Should Avoid

Business Continuity Management has evolved tremendously since it originated in the ’70s, but some common clichés are still lurking in the shadows. Avoid these 5 mistakes to create a successful business continuity management program that is objective, consistent & repeatable.

 

1. Every business continuity program is the same

Don’t fall into the trap of one size fits all or “This is how we did it at my last company so let’s go!” Is it possible that all the factors that went into the success you had with your last employer will come together at this organization? Sure, why not! Should you bank your career on that happening? Hmmm, maybe not. Each organization has its own unique ‘best fit’ framework for a sustainable resilience program.

Define business continuity/organizational resilience as it relates to your organization or industry. Every organization has unique needs & priorities that vary based on industry, geographic location & resources.


Top 20 Data Center Mistakes

Data center migrations aren’t a regular thing for most employees. Depending on the kinds of companies you work for and roles you hold, you might participate in a handful of major migrations over the course of a career. Before starting a data center migration, you need to figure out where you are going, what’s going there, and how to get it there.

These are some common pitfalls to avoid, mistakes others have made, tips to keep in mind, and otherwise general do’s and don’ts of data center migration (20 of them)...

Read more: http://www.device42.com/blog/2017/01/top-20-data-center-migration-mistakes/

...

New Year's Resolutions

We are just a few days away from 2017, wondering what it will bring.  Everyone is deciding what their New Year's resolutions will be.  What will you do differently in your personal life?  And what changes are you going to make in your business and professional life?  This is the perfect time to reflect on what went well for your company this past year; and what was less than perfect. It is also the prime time to do some planning and preparation.

Incidents have a global impact.

One only needs to look back on 2016 to remember how many natural disasters occurred. This was one of the deadliest Atlantic hurricane seasons since 2005, spanning all the way from mid-January to the end of November. Out of 1,766 deaths this season, 1,659 were attributed to Hurricane Matthew alone. There were also massive earthquakes in Ecuador, Italy and the Solomon Islands, and rampant wildfires in the Southeastern United States. At first blush, when these incidents are looked at separately, the impact might not be considered all that high. However, when you really think about the global impact of incidents like earthquakes, sudden flooding, snowstorms, power outages, fires, and hurricanes, you quickly realize how these seemingly isolated incidents resulted in real impacts on your bottom line.

The New Year is the time to start.

I suggest you take this week to get ready for the year ahead. Do a threat risk assessment.  Really look at the results of this process and consider how these threats will impact your business and bottom-line.  Next, take action.  Work with a proven leader in the industry to put together a business continuity plan. When done effectively, the creation and implementation of this plan doesn't have a big impact on the day-to-day operations of your business.  Ultimately you will have the peace of mind that your company and its assets are protected in the event of disaster.

...

7 Steps to BIGLY build a business continuity management program

Effectively fulfilling your role as a business continuity executive means not only understanding your organization’s ability to remain resilient in the face of any disruptive event or disaster, but also proactively contributing to, sanctioning and enforcing an effective business continuity program. I put together a short outline of steps you should take as you build your business continuity management program.


1. Create your own unique ‘best fit’ framework for a sustainable resilience, continuity and disaster recovery program

The critical considerations of this framework include:

...