How numerous lives does your data have?

By Sameer Sule

SANDY- if you live in the northeast you will not forget her name for a long time. Every CEO, business owner and home owner was holding his/her breath as Sandy blew over us. I know I was. My house is surrounded by trees and every time a 50 mph gust came, I was praying to the higher power that the branches held up. Unfortunately a tree on the adjoining street couldn’t hold up and came down, knocking the power out from our neighborhood for a day. We were the lucky ones! Others in the NY and NJ area weren’t so lucky. 

The damage to people, property and businesses in NY and NJ  is unimaginable.  According to early estimates over 100,000 homes and businesses were completely destroyed or severely damaged. Many business owners have lost everything and may never recover. All their life’s work gone in a blink of an eye.  My prayers go out to people who have been disastrously affected by Sandy. Could they have done more to protect their businesses? In some cases the answer is no; we are powerless in front of mother nature and despite our best preparations things can go real bad. But in many cases, I am sure business owners are cursing themselves for not being better prepared. Most businesses do not have disaster recovery plans in place. Simple things like backing up data in a secure place, having redundant power supply such as a portable generator are not in place.Taking these simple steps can mean the difference between business recovery or business death. 
Events like Hurricane Sandy remind us how close we get to losing everything. Its just a matter of luck that one business or home gets destroyed and another doesn’t. Yet many of us thank our stars and move on without really considering what we can do to protect our family, home and business in the event of a disaster. We live in an information age and our life is practically a collection of bytes. Apart from a few hard copies most of our information is now stored in electronic format. Now is the time for those of us lucky enough to escape unscathed from Sandy to take a look at what is important in our lives and take steps to safeguard it. Do we have all our important documents in a safe place? How about all our electronic data- our files, family pictures, legal information, financial information? Have they been backed up online and can we recover them easily afterwards?
Knowing that we can recover our critical data after a disaster will make the recovery process relatively easier. So unless your data is a cat with nine lives, Sandy just used up one. How many more lives does your data have?

Sameer Sule is a Business Technology Consultant at Kinara Insights, a company providing contingency/disaster recovery planning services to doctors, dentists and healthcare practices. He helps his clients understand and use technology to reduce practice downtime, increase efficiency and improve quality of patient care.

Check out Sameer’s Google+ profile

 

Taking Care of Your Individuals in Disaster Response

It’s about time. Someone has admitted that DR/BCP writers have ignored the personal issues of employees following a disaster when creating business continuity plans, reviewing them, or just writing about them. Eric Krell wrote in Business Finance on November 6, 2012, an article entitled “Sandy Exposes the Human Side of Continuity.” I was alerted to the article by Phil Rothstein. Perhaps for Mr. Krell, Sandy was HIS first exposure to the human side of continuity. I’ve been teaching a unit called “Take Care of Your People” with my colleague Deidrich Towne, Jr. at DRJ conferences since 1999. We have presented lessons learned from our real experience of “people” issues associated with disaster response.

People, including employees, have routines that must be followed daily. Examples are taking care of children, pets, elderly parents, and farm animals. If you were to review Maslow’s hierarchy, you wouldn’t find work or career in the list of critical, life-sustaining functions. Let me give you an example. When putting together a strike plan, management employees were assigned duties requiring they work 6 days, 12-hour shifts. I got a call from a woman who said she couldn’t work that many hours in a week. I told her it was a “condition of employment” for management personnel. She responded, “Dr. Phelan, three months ago my husband and I adopted a child on the condition I would not work outside the home more than 35 hours per week. If I accept the strike assignment, I will lose my child.” I called her boss and set up a job-sharing arrangement to cover the duty.

There are human considerations that “trump” reporting to work. These are escalated when disaster strikes.

So, what’s a business continiuty planner to do? Some of you remember the exercise I used to illustrate what might happen when one is required to work under alternate or disaster recovery circumstances. Remember my asking you to sign your name while talking on the phone? Then I asked you to put the phone in the other hand and sign your name again. I observed three things.

1. You laughed, knowing that signing your name with the other hand would be difficult. This is an expression of fear or anxiety. This almost always happens when people are asked to work under alternate conditions. You can counter some of this with more exercises.

2. Your second signature was of lower quaility than your first. People working in disaster response mode will often not produce the same quality of work as they would under normal conditions. Plan for time to correct errors.

3. You took more time to sign your name with the other hand. Workers in alternate or disaster response mode will need more time to complete the same work they complete under normal circumstance. You can counter this with longer shifts and planning for backlog once the disaster response is over.

When workers have pressing needs at home, they will meet those needs before reporting to work. You need to plan for a certain percentage of your workforce to be unavailable in disaster response.

Most of all, you need to be compassionate toward those workers who have to make the difficult choice to “not report” because personal issues are more important. Find time to discuss this both in advance of a disaster and certainly during the debreif following a disaster.

I congratulate Eric Krell for admitting he had not considered this prior to Hurricane Sandy. He will going forward.

 

Studying the Hard Way

Despair. Anger. Frustration. Hopelessness. Sadness. Disappointment.

This is just a brief list of the emotions that folks impacted by Hurricane Sandy are feeling. It is impossible to understand what the citizens of the hard-hit areas are feeling. Many have lost everything – homes, belongings, businesses, and likely along with this – optimism.

While Hurricane Sandy occurred a little over a week ago, the east coast was blasted again today with a nor’easter. Normally a nor’easter does not garner much attention, but when people are still without power, heat, housing, gas, and jobs – the impact of such a storm only escalates.

The questions that many people are asking now are: did it have to be this bad? Were there any warning signs? Could the city of New York and state of New Jersey been better prepared? What do we do now – how do we rebuild?

Of course there are no easy answers to these questions and already there has been much finger pointing. Yes, there were missteps, miscommunications, and action plans that were not executed. Consider this summary of the 2009 meeting of American Society of Civil Engineers (held in New York City):

  • These engineers emphasized that a devastating storm would be likely to hit the city. Using computer simulations of an expected storm, these engineers showed city officials what could happen if safety and disaster recovery measures were not taken.
  • The engineers provided city officials with detailed plans showing how New York City could be protected from an impending hurricane or similar storm.
  • Recommendations were made to install surge barriers or tide gates in New York Harbor.
  • Admittedly these barriers would not have been installed in time to protect the city from the most recent natural disaster.
  • City officials blanched at the estimated cost of such protective measures.
  • Such technology has been installed in London, England and in the Netherlands.
Today, there are still no decisions or action plans on what to do to protect the city and outlying areas…
Unfortunately, at the end of the day, it’s the citizens who end up suffering the most when city executives cannot agree and/or fail to recognize the value in being prepared for a natural disaster.
The New York Times is full of stories about people who have lost everything. The couple who had spent thousands on renovating a building in Red Hook in preparation for moving their business – now everything is gone. Of restaurant owners who had to throw away thousands of dollars in food and now have to work to rebuild their restaurants. Or the patients admitted to NYU hospital who were evacuated when the hospital’s generator was flooded and all power was lost.
The list goes on of people who have been pushed to the brink. Could such stories have been prevented? Yes. 
So who is to blame? Essentially no one person is to blame. Rather this is a systemic attitude towards threats, natural disaster, and disaster recovery. Everyone likes to think it won’t happen to them. And when it does, it is often too late to right the wrong decisions. Time will tell if city and government officials have learned their lessons the hard way – or if they’re willing to take risks on behalf of their citizens again.
(It should be noted that through-out these rather terrible times, there have been some amazing stories of good deeds and community spirit. Many many thanks to those who have stepped forward from through-out the country to help those most deeply affected by Hurricane Sandy. It is during the hardest times that we often see the good come out in people. )
To read more about how New York and other cities can be prepared for the next natural disaster, read this Fast Company article.

A Tiny Support from My Close friends – Gasoline Supply Chain in Northeast

We have all heard the news that gasoline is in short supply along the east coast, especially in New York City, New Jersey and the shore of Connecticut. But why is gasoline selling at 19 cents lower per gallon in Upstate New York?

Refineries and distributors of petroleum products have a supply chain that demands they “move” product and accept new deliveries. With fewer sales along the east coast due to power outages, the supply on hand must go somewhere else. No one can purchase normal amounts of gasoline in the nation’s most demanding market.

So, suppliers look for half-full tanks in outlets (gas stations) away from the coast. How far away, you ask. A FaceBook Friend yesterday told the story of driving from Poughkeepsie (75 miles north of NYC, up the Hudson River) to Red Hook (90 miles north of NYC) looking for a gas station that had gas. Yet, here in Central New York, gasoline has dropped from $ 4.04 per gallon to $ 3.85 per gallon. Why, because tanks in Central New York gas stations are taking the fuel that distributors can’t sell along the coast. In order to make room for these deliveries, gas stations have lowered the price per gallon to sell more gasoline. The Federal Government kills two birds with one stone. They supply free fuel using military resources that are not electricity dependent, and they support the oil companies by purchasing the excess fuel the oil companies have no way to distribute.

A Little Help from My Friends, please. Is there a DRJ reader with more knowledge than I about how the supply chain is adjusted to avoid losses when disaster strikes. Are there folks away from the affected area benefitting from the hardships of those who are victims?

Meanwhile, I’m off to the pumps before the shortage reaches Central New York.

Please post you comments to help my thinking.

Best regards,

Dr. Tom

Hurricane Sandy Update

Well, in theory the worst of Hurricane Sandy is now over. But for hundreds of thousands of people, the destruction left behind is a large barrier to getting over the storm’s destruction. With some people trying to get back to normal – battling traffic to get into Manhattan there are many many other people who are facing lost homes, missing belongings, the loss of businesses and many unanswered questions.

The East Coast is in the early days of realizing how much Sandy has really impacted folks. While some will be wringing their hands suggesting that people, government, and business should have been better prepared – there really are no clear cut answers. In coming days we will learn of communities, businesses, people and institutions that were prepared for such a disaster and we’ll hear and read stories of those that weren’t. Now is not a time for placing blame and pointing fingers – but rather a time to come together and support those that we can.

As we did earlier in the week, we’ve pulled together some links about Hurricane Sandy:

  • Status of services and transportation in New York City
  • Google’s crisis map
  • Gas shortages and traffic jams
  • A report on communities that were and weren’t prepared
  • Medical research losses mounting
  • Disaster relief funding
  • The New York City marathon will go on
  • Prepared but not prepared enough
The thoughts of everyone here at DRJ are with those who have been impacted by Hurricane Sandy. 

Using Toolkits to Make Company Continuity Less complicated

By Greg Marbais, Avalution Consulting
Article originally posted on Avalution Consulting’s Blog

Many business continuity professionals face shrinking budgets and, because of an expanding business continuity program scope and aggressive recovery objectives, lack the time necessary to “touch” all areas of the organization and optimally prepare for disruptive events. As a result, practitioners need a way to create repeatable processes to execute recurring planning activities in a decentralized manner while making efficient use of the organization’s personnel to comply with management’s expectations. One approach we often find useful in rolling out a standardized, thorough, efficient and repeatable process for business continuity activities is the creation of a business continuity program toolkit. A business continuity toolkit typically contains a set of instructional narratives, as well as templates, tools and examples to help dispersed personnel appropriately execute business continuity planning activities consistent with organizational standards.

The development of business continuity toolkit is an approach growing in popularity, with the end goal of implementing and executing repeatable, effective business continuity activities across larger, dispersed organizations in order to meet management’s performance objectives. Business continuity toolkits often include instructions that are easy for those charged with planning – especially those planning on a part-time basis – to follow and understand. This approach makes the most out of centralized business continuity professionals and provides part-time planners with the proper information to be effective in their planning role.

Preparing to develop and implement a business continuity toolkit should begin with a clear set of objectives, outcomes and how success will be measured, obtaining approval from management (as required by the organization) and establishing a timeline with key milestones.

What’s in a Business Continuity Toolkit?
The contents of a toolkit are necessarily unique to each organization; however, most contain the following:

  • Governance materials that establish the expectations of the organization for business continuity planning. 
  • Written instructions and guidance to prepare for, execute and conclude each core business continuity activity, together with recommendations regarding how to select and engage the most appropriate resources. 
  • Templates that address common program elements. 

Documents commonly included in a toolkit are shown in the following diagram:

Example Toolkit

The materials and application of the toolkit will vary from organization to organization; however, it’s important to ensure that the toolkit is written and designed at a high enough level so that every organizational element can utilize the content and apply it effectively. Instructions should include task detail, links to templates and examples, and the method to maintain and continually improve the outcome. Further, the instructions included in the toolkit should provide users with a structured process to execute a business continuity activity in alignment with organizational policy and program requirements.

As noted above, an effective toolkit will include templates and examples that help those charged with planning to perform the required activities and tasks listed in the instructions, all leading to an appropriate level of preparedness for disruptive events. Templates and examples included in most toolkits include interested party communications, meeting and planning session agendas, report structures and presentation files. Each template should be referenced in the instructions as to when it should be used. Templates often included in a toolkit are:

  • Communications templates provide a structured method to convey expectations for all planning participants. An example email template used for a business impact analysis (BIA) kickoff meeting would explain that the department is implementing or reviewing a BIA, that the recipient has been identified as a person that should be involved in the process and what the recipient will be expected to do during the data gathering effort and throughout the BIA process. 
  • Agenda templates provide a basic structure to help planners carry out meetings designed to plan for or perform business continuity planning activities. An example agenda template used for a BIA kickoff meeting often includes an introduction to the BIA, a discussion of the scope of the BIA, a review of roles and responsibilities for all participants, an overview of the BIA process, and next steps in order to prepare for the BIA. 
  • Report templates provide a structure that enables planners to document the information necessary to enable preparedness for disruptive events. For example, a template used for summarizing BIA information would include a high-level summary of the information necessary to justify recovery objectives, a structure for reporting the detailed findings, and next steps. 
  • Presentation templates provide the basic structure and content used to convey findings, recommendations and enable management decision-making. For example, a BIA summary presentation would convey recommended recovery objectives, justification and perhaps even gaps between recommendations and current-state capabilities. 

Before Building a Toolkit
A business continuity toolkit is only valuable when the basic process for conducting a business continuity activity is defined and expectations agreed upon. When developing a toolkit, it is important to first create the structure for the business continuity program and reflect this structure in a policy statement and standard operating procedures (SOP). The toolkit essentially translates the program into actionable activities and tasks for those required to perform business continuity activities. Since the toolkit is meant to make performing business continuity activities easier and the outcomes better, it may not be valuable early in a program’s maturity when frequent changes to the toolkit are likely needed. In addition, it may be helpful to “beta test” the toolkit prior to rolling it out throughout the organization.

Another important consideration is the effect of culture on the use toolkits. Large organizations with independent business units spread across multiple geographies could have significantly different corporate cultures. Different cultures could lead to differing approaches to executing business continuity activities, such as a BIA. The toolkit needs to be adapted to the local culture – and diverse regulatory requirements and customer expectations – which is more than translating it into the local language. In addition, the process described in the toolkit may need to be adapted. For example, an organization that uses workshops to elicit business continuity strategy options in the United States may run into difficulty using the same process in China. In China, a similar process would often generate few strategy ideas, especially if the workgroup includes personnel at multiple levels of the organization. There is a cultural factor in China that prevents employees from providing feedback which may harm the reputation of another member of the group. This cultural factor means that conducting a BIA or trying to obtain strategy options requires changing the approach to get valid information. Ultimately, culture plays a substantial role in the effectiveness of a business continuity program, so it’s important that the program is adapted to the culture.

Conclusions
A business continuity toolkit enables the execution of a decentralized program and the implementation of standardized, consistent and compliant business continuity activities in an efficient manner. Bottom-line, the benefits a toolkit provides to the business continuity professional and the organization as a whole are that it:

  1. Clarifies expectations for those performing planning activities and provides examples to illustrate expectations; 
  2. Reduces the risk of non-compliance with regulatory requirements or other obligations; and 
  3. Enables the business continuity professional’s transition from an advisor on all preparedness tasks to a consultant to the most important and complex tasks. 

In the end, a business continuity toolkit helps optimize limited resources and appropriately engage personnel throughout the organization, thus mitigating risk and enabling effective recovery from disruptive events.

If you’re considering using a toolkit to roll out business continuity across your organization, please contact us to discuss how we can quickly establish a toolkit for your organization and aid you in deploying it.

—————————

Greg Marbais, Consultant
Avalution Consulting: Business Continuity Consulting

Our consulting team regularly publishes perspectives (shorter, independent articles) that touch on the trends currently affecting our profession and the strategic issues facing our clients. This is one of our most recent posts, but the full catalog of our perspectives – over 100 published since 2005 – can be accessed via our blog.

Planning for Disaster

Nothing can sink your small business faster than an unexpected disaster, so you need to be prepared. And disaster recovery preparation is easier than you think.

Planning For DisasterHurricanes, tornadoes, earthquakes, sprinkler malfunctions, burst pipes, electrical fires, power outages, a failed hard drive – big or small, a disaster could knock your company offline long enough to put you out of business. But it doesn’t take much preparation to make sure you can get back online quickly.

John Motazedi, CEO of SNC Squared – a business that was saved after a tornado thanks to its disaster recovery plan – recommends starting with a few things that would make it difficult to run your business if they were suddenly gone. Once you’ve figured out where you’re vulnerable, it should be pretty clear what you need to do to protect those assets and processes.

Planning for Disaster Records

Keep detailed records of all your business contacts so you can reach them in event of emergency. You may need backup office space, an emergency credit line, a cloud backup copy of your critical data – it might not take much to keep you going.

So take the time to think about what you absolutely need for your business to survive. It should tell you valuable things about your business regardless of whether you ever need that disaster recovery plan.

Adapted from How a Disaster Recovery Plan Can Save Your Business at Small Business Computing.

Read more on Planning for Disasterhttp://business.time.com/2012/10/22/planning-for-disaster/#ixzz2A99YeXMW

5 Tips for Keeping Your Information Secure in the Cloud

Sometimes after you migrate your business data and applications to the cloud via cloud servers, it is easy to forget that data security is something that should be consistently monitored.  There are a few things to consider after your company’s migration to the cloud to ensure your data stays safe at all times. 

 

  1. Credentials:  Your username and password should be complex and unique for every service or site you use credentials for.  This way, if the credentials for one account get compromised, the rest of your accounts remain safe.  If you are worried that login information will be lost or forgotten, there are apps and software available to help with password management.  
  2. Be careful where you login:  Often times, users login from devices that are not their own, which could be saving login information through the web browser and therefore, jeopardizing the data’s security.
  3. Security Questions:  Avoid implementing security questions for your accounts that can be answered by simply conducting an online search.  For example, if the answer to your security question can easily be found on your Facebook, Twitter, or LinkedIn profile, choose a different question.
  4. Encryption:  Encryption software scrambles and codes your credentials so that they are harder to procure, which helps your data remain uncompromised.
  5. Anti-Virus and Anti-Spy Software:  All access to the cloud comes from your local system first.  Therefore, if your system is at risk, so is your data in the cloud.  Anti-virus/anti-spy software is important to keep out trespassers and to block unsafe sources that can download software and steal personal information from your computer. 

 

Atlantic.Net provides secure cloud hosting solutions where data can be stored in an encrypted format using Public Key Encryption (PKE).  Atlantic.Net is constantly monitoring and upgrading their systems to ensure that their client’s data is as safe as possible. 

A Closer Appear At: ISO 22301

I just downloaded the updated Rules and Regulations spreadsheet… To say there is a lot of great content and information in this spreadsheet would be an understatement. This Rules and Regulations spreadsheet was compiled by a team of industry experts (all members of the DRJ EAB). 

The most recent update to this resource was in August 2012, and I thought it would be a good idea to write about different rules and regulations that you might not know about, have been recently amended or added or you might not fully understand. (Yes, this is me urging you to post comments about which rules and regulations you would like me to investigate and write about for you!) 

For the first look at the rules and regulations that impact everyone in the BC space, this post focuses on ISO 22301. 

 ISO 22301 

Here is the short summary of ISO 22301 from the bsigroup.com website: 

ISO 22301 is the new international standard for business continuity management. It has been created in response to strong international interest in the original British Standard BS 25999-2 and other regional standards. And if you meet the requirements to gain certification, your organization will be recognized globally. 

ISO 22301 identifies the fundamentals of a business continuity management system, establishing the process, principles and terminology of business continuity management. 

It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to customer dealings. Use it to assure key stakeholders that your business is fully prepared and you can meet internal, regulatory and customer requirements. 

The standard provides organizations with a framework to ensure that they can continue operating during the most challenging and unexpected circumstances – protecting their staff, preserving their reputation and providing the ability to continue to operate and trade. 

What does this really mean? 

Essentially, this standard gives your organization the basis for identifying the threats facing your organization and how to withstand and be prepared for these threats. With ISO 22301 you have the tools to react proactively and be prepared for these threats. 

With this level of preparation and framework, your investors, colleagues, partners and brand have the confidence that your organization is prepared and ready to face threats and disaster head-on. 

ISO 22301 provides a formal business continuity framework and will help you to develop a business continuity plan that will keep your business running during and following a disruption. It will also minimize the impact so you can resume normal service quickly, ensuring key services and products are still delivered. 

How does it impact your business? 

We’ve written before in this space about how critical it is to be prepared for every level of threat – this includes natural disasters as well as normal day-to-day disruptions such as employee illness or loss of supply chain continuity. All of these can have a big impact on the success of your business and its ability to remain profitable. 

With ISO 22301 you have undergone the certification that proves, you are aware of and have identified these threats. The impact to your business being that your business is ready and prepared to react to threats and limit disruption. 

What do you need to tell your colleagues? 

A visit to the bsigroup.com website details a long list of benefits – so we’ll highlight a few here that stand out: 

Cost savings : You’ll have the opportunity to reduce the burden of internal and external BCM audits, improve financial performance and reduce business disruption insurance premiums.

Business improvement: 
Certification requires a clear understanding of your entire organization which can identify opportunities for improvement. 

Continuous improvement : The certification process involves regular audits that ensure your management system is up to date. 

Maximize quality and efficiency : ISO 22301 provides a framework based on international best practice based around the ‘Plan, Do’ Check, ‘Act’ concept. 

As you know there is a very long list of reasons why your business needs to adhere to rules and regulations – and each rule and regulation has its own benefits. 

What is interesting with ISO 22301 is the impact it has on BS 25999-2: 

  • BS 25999-2 has been superseded by ISO 22301. 
  • BS 25999-2 should be withdrawn on November 1, 2012. 
  • Businesses can make a transition from BS 25999-2 to ISO 22301. 
  • BS 25999-2 certification remains valid during the transition to ISO 22301. 
  • Certifications and renewals for BS 25999-2 will end after May 2014. 

Next steps? 

Now that you have the basics of this new standard, it is time to sit down and really review the website, watch the webinars, and send your questions to [email protected]

Make sure you review the recently updated DR Rules and Regulations spreadsheet – you can use this spreadsheet to quickly compare these rules and regulations and easily access more information. (And don’t forget to respond to this post and let us know about the rules and regulations you’d like us to take a closer look at.)

DR and Crisis Management

Recently, DR/BCP professionals have sent me inquiries about how to handle crisis management or crisis communication, especially during a DR event.  DR/BCP professionals may be highly involved in managing a data or system recovery and unable to devote attention to managing the entire crisis that may result. They need crisis management professionals on their team.  It wouldn’t be practical to have a crisis management professional on each DR/BCP team, but it w0uld be an excellent time to partner with the corporate or organizational crisis management/crisis communication professional.

I’ve done Incident Management Team training for private sector organizations, sometimes at several of their critical facilities across the nation.  The Incident Command System (ICS) model provides a framework for integrating crisis management, crisis communication and DR/BCP operations when disaster strikes.  Most private sector organizations have found ICS to be extremely helpful and affordable if it has be tailored to their business and presented by consultants who understand both the private and public sector uses of ICS.  Private sector CEOs also see the benefit in being compatible with public emergency response organizations.

Crisis management is NOT DR/BCP.  It is a necessary subset.  In my experience, ICS can be taught from the bottom up, rather than the traditional top-down, command and control orientation.  I teach private sector Incident Management Teams that the key figure in response is the Operations Section Chief (the DR/BCP CIO or designee in the case of an IT emergency). This is the person and section that can “fix the problem,” as Ed Devlin would say. All other ICS positions are there to support the Operations Section. I like the Incident Commander (ICS term) to be thought of as an “Incident Manager.”

How are you prepared to manage a crisis and to communicate critical information to stakeholders? Do you have crisis management expertise to support you DR/BCP resiliency team?