DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

Webster defines diversity as, “to differ from one another, to vary.”

The word diversity is often used in different contexts. It is commonly used in the financial world regarding stock portfolios, 401ks and more. It is also used in the human resource world.

Diversification in my way of thinking should also be synonymous with business continuity. Most organizations probably have plans in place in one of three ways:

1. Comprehensive test plan, fully redundant for all critical areas, regular test cycles run and documented. All issues resolved in a timely manner.
2. Somewhat recoverable. Some plans in place, but not maintenanced on a regular basis. Test cycles not run on a regular basis and issues left on the table.
3. Non-recoverable (but they think they are) because they have some documentation somewhere but nothing formal. Rarely test because of resource constraints.

What I see that could be missing is a diversification plan. Except in rare cases, all the eggs are in one basket.

The rare cases are the financial institutions that were involved in 9/11. They either had or now have diversification plans in place. They quickly learned the value of NOT having all your key people housed together just for the sake of convenience or economics.

If organizations lose the majority of their technical staff, the odds for recovering are not in their favor. Even if their plans are complete and have been tested, their expertise is gone.

Some examples, and there could be others depending what each organization is trying to achieve, would be:

1. Technical staff housed in various locations outside the main campus. Not all co-located.
2. If the first option is not feasible, house key technical staff in different areas of the main campus.
3. Not all key technical staff on the same shift.
4. Consider telecommuting environment on a rotating basis.
The diversification plan should also consider what platforms are key and who are the key players in the individual business units. These areas might be a good starting point to analyze before developing a plan.

Additionally, I would suggest you solicit input from your HR department. There might be cultural or personnel issues that might preclude a plan of this type. I would suggest a strong business case if this scenario manifests itself. There is a lot of documentation out there since 9/11, which strongly points out the benefits.

Although I am looking at this from an infrastructure perspective, this could possibly be applied in a work area environment, a call center, or business unit.

This wouldn’t have to be a lot of people, maybe just some key folks who are involved in the recovery effort, in the event of a disaster.

Testing is another area that will benefit from this. The focus becomes clearer if you test once with the primary team, then another time with the secondary team.

This type of diversification allows you the comfort level of having two teams with the same skill sets that, in the event of a catastrophic incident, you will have a far greater chance of recovery. And realize this, you are doing it with the same number of employees. No staffing increase. Another caveat to this is whether the two teams have the same testing issues, or are there differences and why. One reason could be, plans are not updated. Another reason could be an issue to one team might not be an issue to the other.

The adage, “If there are well written plans for recovery, then anyone could do it” is not reality. You need qualified technical personnel who know the platforms that need recovered. You need business unit expertise and business continuity personnel who helped or fully developed the plans.

If you decide to follow this model, or some variant, you have to ensure all the plans are updated to reflect this methodology. Especially critical would be communications to the alternate backup personnel. For example, if the main campus was destroyed, who in the backup facility has the authorization to declare? Are all the contacts’ phone numbers up-to-date? Has a common meeting area been agreed upon? Does the hot site provider have a list of alternates? Even though the two groups are in separate facilities or in a telecommuting environment, they must be very tightly joined through the use of documentation and testing procedures.

In my humble opinion, if you are truly worried about business continuity for your corporation, and they are serious about it, sit down with management and at the very least advise them of this type of diversity. Chances are good they are already aware of this and would be receptive to this type of dialogue.

Stress some of the trends that corporations are embracing. Also stress that this “paradigm shift” from the old traditional way prepares you for the worst that can happen.

Additionally, corporate management is now under pressure to ensure that their company has or will have the ability to withstand any disaster that threatens to disrupt the normal flow of business. Meeting this challenge is both a vexing and complex problem, especially if their existing plans are outdated and non-existence. However, it might be easier to frame this obligation and responsibility in different terms. There might be more acceptance to D/R planning if the issues were (a) safety of the employees of the company, (b) mitigating the impact of an outage to customers and stockholders, (c) preventing competitors from stealing market share after a disaster, (d) maintaining the financial well-being of the company, (e) threat of government intervention after a disaster, (f) legislation of government regulations requiring compliance, and (g) audit requirements for compliance.


Paul A. Castellano, CBCP, is the director of information security and business continuity for Allegheny Energy.