
Business Continuity as a Career? Really?

I wanted to share news about my new book, Business Continuity as a Career?  Really? (Building a World Class BC Program and Career) available on Amazon now. 

Maybe Business Continuity wasn’t represented in your high school career day, but this book is intended to share the joys and challenges of working in an exciting field.  Inside is a host of practical information on using the tools of the trade, like the Business Impact Analysis (BIA), creating a comprehensive recovery strategy for both the technical and business areas, positioning BC/DR for the best chance of mission success, hiring staff, using BC consultants effectively, and conducting successful table top exercises.  All you need to build a top tier program and have fun doing it.


The Importance of Consistent Communications

2015 has certainly been a busy year for cyber-attackers, with TalkTalk and Vodafone being the most recent victims of high-profile attacks. While much has been written about the technological, legal, and security issues around such attacks (e.g. was the data protected properly?), little has been written about how companies communicate in a time of crisis.

Despite all the technology powering the modern organization, business is still a fundamentally human endeavor with humans reacting very differently at times of crisis. In the wake of an attack, company communications can vary from non-existent, to inaccurate, to just plain misleading. There is often a desire to ‘play down’ the attack or ‘sugar coat’ the facts in a misguided attempt to protect the company’s reputation (a move which almost always backfires). In addition, it is very common to see inconsistent responses from different parts of the organization, bringing to mind the phrase “the left hand doesn’t know what the right hand is doing”.

One of the biggest mistakes in crisis management is not having planned for a crisis in the first place. As such, organizations must form a coherent communications plan for how they will respond in the event of an attack. This includes the activities employees need to perform, and what to communicate and to whom. The plan must also forecast how customers are likely to react, and set out what customers will be told and when. All employees, but especially those in customer-facing roles, need to know what to do and say, and this takes thoughtful and careful planning and coordination with Marketing, Legal and especially Corporate Communications.


RPO I get no respect

When considering any backup solution it is important to assess two key metrics, RPO & RTO. I put more value on RPO than RTO and here is why.

RPO (Recovery Point Objective) represents how frequently backups are taken, or put another way, how much data you are willing to lose.

RTO (Recovery Time Objective) is the duration of time, and the service level, within which a business must be restored after a disaster or disruption.


Creating a Perfect Pitch

I’m speaking on Thursday at the 2015 SecureWorld Seattle conference, expanding and refining a presentation I made this past summer, and an article I wrote on the same topic a couple of years ago. I’ll be talking about the life of the CEO, including the magnitude and frequency of decisions that CEOs make every day. I’ll examine how it is possible to make a perfect pitch to the C-suite for a large-scale project, and the attendant expense, that is both intelligible and persuasive, when the subject is data security and cyber security. Part of that examination involves looking at how executives send and receive information and make decisions, using four executive archetypes – “online junkies, schmoozers, cheerleaders and firefighters” – that can be found in a 2013 McKinsey Quarterly article to explain how large-scale projects derail when the way that executives spend time is not aligned to the organization’s strategic priorities.

The content aligns with my ongoing research on executives and risk, and how much executives actually know about risk present in their organizations.  Executives become more used to making decisions that could involve people, process, systems or external events as they rise higher in an organization. In almost parallel fashion, information appears to become simplified as it moves higher in the organization, past managers to senior management and then refined once again for the C-Suite, and perhaps a final time in the form of a report for the firm’s board of directors.  So we move from what can be a well-thought-out expensive proposal, to management signoffs as the proposal moves up to the C-suite for approval, the executive signoff, and then a summary in the form of a report – or ongoing status reports -- to the board of directors.

My focus will be on how to think about and then create a proposal that is the “perfect pitch” – including an easily understandable executive summary that covers both tangible costs (the cost, the data available on the need for the project, and the competitive landscape) and the more intangible ones (corporate reputation, corporate liability, alignment with the corporate mission and other strategic initiatives).


A View from the Top – Three Ways to Leverage Your BCM Position

Basking in the glow of this year’s Disaster Recovery Journal Fall World conference (held in sunny San Diego) I have had an opportunity to start reflecting on some of the conversations that I had with fellow business continuity and disaster recovery colleagues.

One theme that continually emerged was that BCM professionals have unique access to all aspects of the businesses and organizations that we help support.  We constantly update business impact analysis data, interview colleagues, and adjust our BC and DR plans to ensure that our company’s board of directors can sleep soundly(ish) at night.

But, how can we leverage this holistic access to our competitive advantage? I suggest considering the following three points as you approach your next BC/DR project:


Strengthening the Resilience of Outsourced Technology Services: FFIEC BCP Appendix J

As risk professionals, it’s important that we’re always up to date with the latest legislation. Recently, the FFIEC, otherwise known as The Federal Financial Institution Examination Council, set out a new piece of legislation that it’s vital we understand.

The FFIEC’s BCP Appendix J (Appendix J) aims to ensure that financial institutions are taking seriously their responsibility for the third-party service providers they utilize. Among other things, this means that their third-party service providers must have sufficient recovery capabilities should anything go wrong. This underlines the importance of businesses enforcing due diligence, ensuring that business resilience is in place so that critical activities can continue to run in the case of a security breach or other disruption, and considering the multitude of risks associated with using new technology.

Appendix J also includes requirements for the management of cyber threats. It was just last year that America’s largest bank was subject to a cyber attack that affected 76 million households. With cyber attacks on the rise, this new piece of ruling from the FFIEC certainly comes at a pertinent time.


Why High Availability Solutions Shouldn’t Replace Disaster Recovery Planning

Originally posted on Rentsys Recovery Services' blog.

These days the cloud is no longer a no-go for critical infrastructure. In a survey conducted by Infosys last year, 81 percent of respondents said they were already using, or were planning to use, mission-critical apps in the cloud within the next two years.

With many cloud environments featuring capabilities for high availability, which by definition provide 99.999 percent uptime, how does that affect disaster recovery (DR) planning? If you manage all your applications in a third-party cloud environment with high availability built into the apps’ architecture, does that mean you can nix internal DR plans, procedures and tests?

The answer is no, and here are three reasons why.

You Need a Plan for Handling Data Corruption

DR planning is still a key component of the organization’s overall business continuity strategy. It’s important to have a high availability strategy for your critical systems and information, but if your high availability solution replicates errors, your data — while it might be available — would be useless. In that case, you’d need to fall back on your DR plan to recover that system.

Your Employees and Vendors Need a Plan to Follow

Even if you’ve outsourced management of critical applications, your employees still need to know what will transpire in the event of a power outage, facility loss or other incident. For instance, where will they work? How will they access the data and applications that are necessary to their job duties?

Your Cloud Provider Needs to Understand Your Environment

If you’re using a third party to manage your environment, it’s important to test so the vendor understands your environment. With documented and rehearsed DR plans, the vendor will be familiar with how to react during a business interruption and can do more on your behalf.

Although high availability is a key part of protecting your top-priority applications, it shouldn’t replace DR planning. To see what other components you should include in your DR plan, download our checklist.

How Do I Get My Data Back If My Cloud Provider Goes Bankrupt?

Originally posted on Rentsys Recovery Services' blog.

It’s a business continuity and disaster recovery planner’s worst nightmare: You wake up to the news that your cloud provider — the one that houses your critical data — has gone under. How do you get your data back?

The scenario isn’t entirely unheard of. In 2013, cloud provider Nirvanix announced it was closing its doors and told customers they had two weeks to migrate their data to another location. This announcement, however, should not have come as a surprise to customers. According to InfoWorld, Nirvanix had been informing its customers that it was having financial difficulties and at one point informed customers and partners that they could no longer upload data to the Nirvanix cloud.

Your provider going bankrupt should not come as a surprise to you, either. Before working with a cloud provider (or any other vendor who manages your critical data), you should assess the vendor’s financial situation as part of the due diligence process. If there are any red flags, proceed with caution.

No matter the financial situation of the provider, the contract you sign should have provisions around what happens with your data in the event of bankruptcy, default, etc. These provisions could include arrangements for transferring the data to another cloud environment or copying your data to external media and returning it to you.

If a provider won’t add a contract provision that protects you in the event of a bankruptcy, consider looking at alternate vendors.

For more guidance on choosing the right cloud provider, check out our post "11 Questions to Include in Your IT Vendor Due Diligence."

Real-Time Recovery: How prepared is ‘prepared enough’?

With the explosion of truly ‘always on’ computing, the ability to demonstrate real-time recovery is drastically changing how programs are executed from a testing standpoint. Traditional methods associated with recovering the systems, data, and associated infrastructures and enabling network connectivity still serve as the baseline for recovery; however, enhanced methods for validating the capability in a more ‘live’ manner are receiving critical attention.

Developing a proven resiliency strategy involves numerous activities to define a business protection plan that will be in place to defend against a catastrophic outage. The key to being successful is how confident your organization is, at time of need, that it can execute the plan without it being a guessing game. The ability to rely on a proven, structured process that has been repeatedly tested over time removes any doubt when resuming business in an alternate location at time of disruption.

The level of preparedness required for ultimate success is highly dependent upon the intensity and consistent focus put forth when validating the program against specific business criteria for results. Testing live scenarios enables greater predictability when executing the plan, allowing for instinctive decision making to quickly invoke recovery at time of event.


Ultimate Workforce Continuity Starts with Personal Preparation

Threats are constantly changing and new risks affecting your workforce are increasing in both impact and frequency. Civil unrest, terrorism, and natural and man-made disasters can be life threatening or hinder an organization’s workforce from continuing business in multiple ways. Getting into the office may be impossible, and depending on the crisis scenario, working from home may not be available as a solution.

Whether you’re a full-time “work at home” employee, or asked to provide your own workspace during an emergency, here are some simple steps you can take now to make sure you are ready to stay productive after the emergency has passed.

Here are 7 tips to stay personally productive after an emergency. Complete this checklist to see if you’re personally prepared to stay productive working from a location you provide!

Recent comment in this post
Al Rodecap
One additional suggestion. Do not advertise your preparations. It could get you visits you really don't want.
Thursday, 24 September 2015 11:11 PM

2016 Budget Planning

Across companies both large and small, leadership teams have started to allocate budgets for 2016. A vast portion of the budget will be spent on keeping operations running, some will be allocated to future value-add projects and some will be set aside to protect the business mission against ever-increasing threats.
2015 has been a year filled with high-profile cases of security breaches, with dating website Ashley Madison being one of the latest big-name companies to come under cyberattack. Personal customer details were stolen from the website and released into the public domain, causing both reputational and financial damage to the Ashley Madison brand and even more so to its customers.


How Far Away Should Your Disaster Recovery Site Be?

Originally posted on Rentsys Recovery Services' blog.

The question "How far away should my primary data center be from my disaster recovery (DR) site?" has plagued DR planners for years. Companies first began seriously examining the role distance plays in DR after 9/11, when the attacks on the Twin Towers caused a large portion of Manhattan to shut down and all the recovery vendor sites filled to capacity.

Unfortunately, there’s no clear-cut answer to this question. Some suggest locating the backup site at least two FEMA-defined regions away, but most people shy away from setting firm guidelines measured in miles.

Instead, the geography should be dictated by the risks related to your organization’s business processes, data and physical location (a business impact analysis should reveal what these risks are). Once you’re aware of the risks you face, you can weigh the benefits and drawbacks of nearby and distant DR sites.

Nearby Disaster Recovery Site

A nearby DR site is beneficial for a variety of reasons. It’s within driving distance, making it easily accessible. If your DR site is nearby and is unaffected by an incident affecting your primary location, you can continue business operations more quickly than if your DR site were hundreds of miles away. In addition, the bandwidth costs are less, and you’re not as likely to experience significant system recovery delays due to latency issues.

However, the benefit of having a DR site within driving distance depends on the locale's risks. If your region is prone to hurricanes, earthquakes or floods, having a DR site in the same region can be risky. For instance, Hurricane Sandy was 1,100 miles in diameter — that’s more than a third of the continental United States. In regional disasters like this, your DR site could be affected by the same event as your primary facility, rendering it useless.

On the other hand, Spokane, WA is a geologically stable area whose biggest threats are wildfire and train derailment. Many businesses in these areas are comfortable with a nearby DR site as long as the site is on a different power grid.


Refresh your Business Disaster Preparedness Kit

By Mijee Dirks, Global Strategy Leader, IBM Resiliency Services

It’s that time of year when we dig out our family hurricane emergency kits for their annual refresh. If your family is anything like mine, you are discarding expired food that sat in the garage for the last year, refreshing water supplies, and making sure you haven’t borrowed all of the batteries out of the kit for the kids’ toys last Christmas. We do this annual hurricane kit refresh easily, barely thinking about it, because we have done it so many times before.

Now ask yourself – when is the last time you refreshed your business’s “Disaster Preparedness Kit”? Key “supplies” in our business Disaster Preparedness Kits should also be refreshed regularly. For most companies, this is at least annually, or at any time there is a business or IT trigger. Some examples of triggers are when a new critical application is implemented, or when another critical business process is added to the company.

Recent Comments
Bob Arnold
Excellent advice and a great reminder. Also a great time to review our personal business continuity preparedness should we need t... Read More
Monday, 21 September 2015 7:07 PM

Where are we now? How do we move forward?

One of two cornerstones of the National Academy of Arts and Science.

The weekend of August 28th marked the tenth anniversary of Hurricane Katrina, an event so significant that the practice of emergency management by the federal government was changed forever. August 28th also marked the 54th anniversary of the March on Washington, where Martin Luther King, Jr. gave his famous "I have a dream" speech. It marked, too, the 60th anniversary of the vicious murder of a Chicago boy, Emmett Till, when he visited relatives in the South and whistled at a white woman. On August 26th, a TV reporter and cameraman were shot in the head and killed during a live morning news program by a killer who then posted video of the murders to social media. In a 23-page suicide note, the only thing that the murderer left out of his message was the similarity to ISIS acts of terror that also take place in living color and then get posted to social media sites.

While the federal government has completely reshaped its responses to disasters, we can't really pat ourselves on the back where the equality and justice that Reverend King was looking for are concerned. The situation has never been worse in this country where distrust and anger are concerned, and the gap continues to increase between those who have and those who do not.

The situation appears intolerable also where gun control and mental health proposals go unfunded and unapproved. The National Rifle Association (NRA) continues to have a lock hold on our elected officials where even the simplest forms of information sharing are concerned -- registering guns and sales of guns in such a way that federal and state police databases are interlocked to detect those with criminal or mental health histories. Why is passing bare-bones legislation that could catch the lowest-hanging fruit so difficult? What do we need to do to be heard?

The interior cornerstone at the National Academy of Arts and Science.

The worst of it in all this is that each episode seems to set off more disturbed people in what are called copycat events. Just as those who ride trains every day are probably now more aware of their environments after the events of last weekend on the Amsterdam-Paris train, I suspect that every news person will feel their own heightened anxiety for at least the next several months.

Given the flammable nature of public discourse on so many issues these days, especially with presidential politics starting to make things worse, I would suggest that we need to find new ways to move the discussion on gun violence forward, to see if it is possible to effect real change on this issue and on the issues involving equality and justice as well.


Career Planning for the Business Continuity Professional

If you’ve read other blogs I have written, either for LinkedIn or on my website www.peacebusinesscontinuity.com, you’re aware that I have a high regard for the field of business continuity and disaster recovery planning and for those who labor therein. For me it has been a rewarding career of learning and doing and, most of the time, great fun. I have been very fortunate that many new opportunities have come along and I’ve been able to take advantage of them, move up the ladder, and take on the roles of subject matter expert as a consultant to interesting clients and as a mentor to many new to the field. In this blog I’d like to pass on some ideas about expanding one’s career within the field and also using it as a springboard into other endeavors. For those who wish to remain in the field, I recommend the following:

One Thing Your Cloud Provider Could Be Missing

Originally posted on Rentsys Recovery Services' blog.

Your cloud solution could be missing something. We’re not talking about bandwidth, security or service level agreements (though these things are all important). We’re talking about customer service.

Often businesses evaluating potential cloud vendors are focused so much on tech specs that they don’t think about the matter of interacting with the vendor after the contract is signed. Sometimes this isn’t an issue if you’ve chosen a good provider. Other times, however, you might find that getting the support you need is like pulling teeth.

The following three categories can help you identify if a potential service provider will be a help or hindrance to meeting your data and application management goals.

Listening Skills

Are the cloud provider’s representatives trying to sell you services you don’t need, or are they dedicated to helping you build a backup solution that’s right for you? To get the most value out of your cloud solution, you need to make sure you’re not paying for products and services that you won’t use or that don’t do what you need them to.

Technical Assistance

What type of technical assistance does the provider offer? Support options could include self-service, phone support, on-site, in-house, outsourced or a combination.

It’s also important to know when assistance is available. Is the support provider — whether it be your vendor or a third party — only available during business hours? Is the company in the same time zone as you? Be sure to find out what level of support to expect and make sure you’re comfortable with it.

Technician Certifications

Knowing who will be offering your support can be almost as important as knowing the type of support you’ll receive. If you’re using a managed cloud service, are the people who will be handling your data certified engineers? Even if you manage your own data, will you have access to qualified help desk agents to resolve any issues?

Working with the right vendor can make a world of difference in how effective your cloud solution is for your business. To read more about best practices for implementing a cloud solution, read this post.

Freight Trains and Chemical Spills: How to Prepare Your Business

Originally posted on Rentsys Recovery Services' blog.

At the beginning of this month, a train carrying the flammable, toxic chemical acrylonitrile partly derailed and caught fire near Knoxville, TN, forcing 5,000 people to vacate the area.

A few days later, July 6, marked the two-year anniversary of the oil train derailment and subsequent explosions in Lac-Mégantic, QC, which killed 47 and forced 2,000 people to evacuate their homes.


11 Questions to Include in Your IT Vendor Due Diligence

Originally posted on Rentsys Recovery Services' blog.

Outsourced IT is nothing new, but as Verizon Wireless’s recent report "Better Outcomes for IT Outsourcing" points out, digital transformation is changing the face of outsourcing. Customers want flexible service delivery models, ways to improve inefficient processes and spending models based on opex versus capex.

But with the rise of cybersecurity issues, tightly wound supply chains and customer expectations for always-on service, you need to make sure that any vendor with access to your data and systems is fully vetted. Before you involve any third party in your IT processes, make sure you know the answers to these questions:

Recent comment in this post
Guest — hireessaywriter
A very informative article! Seems like everyone can find among the 11 key points those you didn't think about before. For instance... Read More
Friday, 06 November 2015 7:07 AM

Response and Recovery: the Importance of Keeping Up to Date

Walk into almost any office, ask if they’ve got a response and recovery plan, and they’ll often point to a dusty shelf and tell you that yes they do. Next, ask them when their response and recovery plan was last updated. Chances are they won’t be able to reply with the same amount of certainty.

Despite businesses being aware that there are an increasing number of threats to their valuable data, often their response and recovery plans are outdated and don’t reflect technological change.

In this year’s Business Continuity Institute Horizon Scan survey, it was noted that cyber-attacks are now the top threat facing businesses, with 82 per cent of survey participants expressing their concern about them. With the repercussions of a cyber-attack being as significant as they are, it’s more important than ever that your disaster response and recovery plan is reassessed and updated on a regular basis.

Recent comment in this post
Guest — Kc
Very insightful
Monday, 29 June 2015 11:11 PM

Readiness Best Practices: Effective Risk Assessment

In creating business continuity plans, every organization completes a series of risk assessment exercises. Without this general risk assessment, it would be impossible to prioritize what BCM plans are needed. Which disruptive events are most likely to impact your business? Your employees? Your clients? Your suppliers? Research suggests the top 10 risks tackled by business continuity teams include:

  1. Severe Weather
  2. IT Issues (outages, breach, virus…)
  3. Power Outages
  4. Natural disaster (flood, earthquake)
  5. Physical Violence
  6. Fire
  7. Epidemic
  8. Product delivery/quality
  9. Scandal/reputation
  10. Theft

Clearly some sub-set of these event types should be addressed in any business continuity planning effort. Today’s goal, however, is not to discuss this high level risk assessment process, but rather, to review best practices for evaluating a specific threat as it arises to determine if it merits activation of BCM teams and plans.

Monitoring Early Warning Signs

Effective event-specific risk assessment starts with having some early warning detection in place. To best manage unplanned incidents, it helps to have visibility into potential disruptions before they occur. Obviously, certain types of disruptive events are more easily monitored than others. Weather, for example, can be monitored closely via the National Weather Service, AccuWeather and other sources. Most major storms are predicted in advance, enabling close monitoring by BCM teams. Similarly, flood and fire warnings are often weather-related, and their threat levels can be monitored closely.
