DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Spring Journal

Volume 32, Issue 1

Full Contents Now Available!

Government organizations should develop continuity of operations (COOP) and continuity of government (COG) plans as part of a comprehensive emergency management program using a comprehensive planning process based on federal guidance and best practices in emergency management and continuity planning. This article addresses some of the key issues involved in implementing COOP and COG programs.

What are COOP and COG?

COOP and COG are terms that were first used to refer to the “shadow government” that was conceived during the Cold War as a way to ensure the U.S. government would be able to continue in case of nuclear war. In addition, continuity planning was a requirement for state and local governments under the civil defense program mandates. Today, COOP planning remains an important planning requirement. While terrorism may be the threat that is leading to the increase in planning efforts, COOP and COG planning will help ensure government services in the face of any hazard.

Contemporary COOP and COG activities focus on the jurisdiction’s ability to perform minimum essential government functions during any situation. With the necessary preparations, essential government functions like public safety, public works, and health care can be available under almost any circumstance. Many more routine government functions may also be essential to your community and will need to be included in planning. It is also important that local businesses and other community organizations be included in the process and encouraged to have their own COOP plans.

COOP should be seen as part of a complete community emergency management program, and as such, should be included in a comprehensive emergency management program (CEMP) process, which utilizes an “all hazards” approach and addresses the four phases of emergency management (mitigation, preparedness, response and recovery).


How far is enough? That was the question asked of Association of Contingency Planners (ACP) chapters in the United States. The intent of the survey question was to set standards from within the industry regarding how far an alternate facility and an off-site storage facility should be from the primary operations site.

This article is a compilation and interpretation of the responses to that survey.

Our thanks to all of the ACP chapters for their participation. Without their cooperation this study could not have been completed. A list of chapters that participated is included at the end of this article.

So, how far is far enough? The answer is 105 miles. Well, sort of ... actually, the survey got a little more granular than that. We asked the participants to indicate how far an alternate facility should be from the primary operations facility, assuming that the primary facility is susceptible to any of 12 different threats/risks. Response averages were tabulated and the results are shown in Figure 1.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sounded a wakeup call throughout the healthcare industry – patient data is an asset and it needs to be protected. IT departments are now facing the challenge of implementing HIPAA’s three provisions – electronic data exchange of transactions (EDI), privacy, and security.

The HIPAA rules are clear for EDI and privacy, but the security rule had not yet been finalized until February. Faced with competing strategic priorities and shrinking budgets, CIOs at healthcare organizations must convince senior management to comply with these evolving rules.

CIOs throughout the country often complain about board members and senior executives who are not taking HIPAA seriously. Healthcare executives argue it will take years of case law to clarify what constitutes a HIPAA violation, how to apply sanctions, and how to provide ongoing enforcement. The federal government has few staff to enforce HIPAA currently and the strategy for auditing compliance is not well defined.

However, adhering to the HIPAA Privacy and Security rules are more than just about compliance, they make sound business sense. That is the view of Dr. John J. Halamka, CIO of CareGroup Health Systems in Boston. A medical doctor by training, Halmaka oversees the IT needs for CareGroup’s three major Boston hospitals and three community hospitals. Together the six CareGroup facilities have about 12,000 employees, including 3,000 doctors who see about one million patients a year.


The Whittier earthquake struck as I was coming down an off-ramp on my way to work in Pasadena, Calif. I first thought I had four flat tires. Then, as I looked around me, I began to realize that one of the disaster scenarios we had imagined was beginning to occur.

As an operations division manager for Pacific Bell and chair of the Los Angeles Emergency Operations Committee, one of my first actions was to retrieve a copy of our business continuity plan, a three-inch ring binder, which I kept in the trunk of my car. The committee I chaired was composed of 22 top managers within the region, each representing a different discipline. We had formed a task force just one year earlier to develop plans specifically to react to an earthquake, and we had put many elements of our plans in place, most of which were documented in that binder.

Fortunately for me, this earthquake was moderate as earthquakes go – only $1 billion in damages and seven fatalities in southern California. But before the morning was out, I had abandoned that binder because it was so distant from the realities we faced.


Cost-effective recovery strategies and written agreements related to the most feasible alternatives are important aspects of business continuity planning. Numerous unpredictable and often unpreventable hazards can endanger the organization. Because of these threats, recovery alternatives for human resources, facilities, critical systems, data and voice communications, and business processes should be evaluated.

The recovery strategies should be based on the critical resources as determined during the business impact analysis (BIA). This article focuses on the methodologies for determining the most beneficial technical recovery strategies and assumes that a comprehensive BIA has been performed.

Overview of Technical Recovery Strategies
Commercial Hot Sites

A commercial hot site is a fully equipped, back-up site that is provided by an outside vendor. Hot sites tend to be the most expensive alternatives available for contingency processing. A hot site may be using electronic vaulting that allows the transmission of back-up copies of computer data through transmission lines to a storage facility at the hot site location. A fully equipped hot site service may feature amenities beyond the necessary equipment to process data including varying degrees of security, fire protection, and telecommunications capabilities. Security could be elaborate, including electronic card-entry systems, 24-hour security guards, motion detection systems, water sensors, and closed circuit television.

Mobile computer hot sites are also available for specific equipment. In this case, a large trailer containing backup equipment and peripheral devices is sent to the scene of the disaster and connected to existing communications lines.