3 Main Types of IT Disaster Recovery

What are the Different Types of IT Disaster Recovery?

Disaster Recovery (DR) is fundamental to keeping data safe and maintaining business continuity. With the many types of disaster recovery plans a business can implement, working out which ones fit can be overwhelming. Every business is unique, so it is vital to understand each of the options available to you. That way you can pick the plan that best suits your needs.

What is Disaster Recovery?

So you ask, what is disaster recovery? Disaster recovery (DR) is an organization’s ability to respond to and recover from an event that adversely affects business operations. The goal of DR strategies is to enable the company to regain the use of critical systems and IT infrastructure as soon as possible after a disaster. To prepare for this, companies often carry out an in-depth assessment of their systems and write a plan to follow during a crisis. This document is known as a disaster recovery plan.

Why is Disaster Recovery Important?

Disasters can cause many kinds of harm with varying degrees of severity, depending on the situation. A brief network outage could result in frustrated customers and lost business for an online retailer. A hurricane or tornado could destroy an entire office, server room or data center.

The cost can be significant. The Uptime Institute’s Annual Outage Analysis 2021 report estimated that 40% of outages or service disruptions at organizations cost between $100,000 and $1 million. Around 17% cost more than $1 million. A data breach can be even more costly; the average cost in 2020 was $3.86 million, according to the 2020 Cost of a Data Breach Report by IBM and the Ponemon Institute.

Different Types of Disaster Recovery (DR)

Business continuity and disaster recovery are the processes and strategies that return your business systems – hardware, software and data – to full operation following a natural or man-made disaster. Organizations increasingly depend on IT for their mission-critical tasks. It is essential to have IT disaster recovery planning in place, such as the skills taught in the CBRITP training course, to ensure your business is not put at risk by a catastrophe.

BRCCI offers a comprehensive CBRITP training course. The CBRITP certification demonstrates that the holder of this IT disaster recovery certification has in-depth expertise in all stages of the IT disaster recovery planning life cycle. For more information on the CBRITP training course, you can click here.

Here, we look at three different types of disaster recovery.

1. Cold Site Disaster Recovery

A simple yet effective business recovery solution, a cold site is essentially a reserved area in a data center where your business can set up new equipment in the event of a disaster. This is a popular IT disaster recovery planning option. It is more affordable than the other choices, yet still enables an organization to survive a disaster.

If you outsource your disaster recovery, chances are the provider will set up this type of solution. This will work as long as your planning is thorough, your backups are sound and your documentation is excellent. Obviously, the additional downtime after a disaster must be acceptable for a cold site to be a legitimate choice. Expect 24 hours for critical systems and up to seven days for less significant functions.

2. Cloud-based disaster recovery

With a cloud-based approach, you can reduce costs by using a cloud provider’s data center as your recovery site, rather than spending on your own data center facilities, staff and systems. Users benefit from the competition between cloud providers, which keep trying to outperform each other. Before committing to this method, identify the difficulties providers might have with your business’s backup and recovery. The provider may be able to help you fix those issues before the cloud becomes part of your DR plan.

3. Disaster Recovery as a Service

While Disaster Recovery as a Service (DRaaS) is often delivered from the cloud, it is not only for the cloud. Some DRaaS providers offer their solutions as a site-to-site service, in which they host and run a secondary hot site. Providers can also rebuild and ship servers to an organization’s site as a server replacement service. Cloud-based DRaaS enables customers to fail over applications immediately, helps orchestrate failback to rebuilt servers, and reconnects users through VPN or Remote Desktop Protocol.

When shopping for a DRaaS plan, be aware that some providers offer their own products while others use DRaaS tools from partner vendors.

Conclusion

Creating a thorough disaster recovery plan is challenging, but that does not mean it is impossible. Find the approach that is the right fit for you and your organization. Once you have done so, your data will be better protected from cyber attacks, natural disasters and simple human error.


Join BRCCI Online Seminars, On-Site Training for Certified Business Resilience IT Professional (CBRITP) Certification Program Today


BRMP or CBRM Certification

What is a CBRM certification?

BRMP or CBRM Certification? Over the years, the CBRM certification has emerged as one of the top-rated, most recommended and in-demand certifications among business professionals. More than 3000 professionals across all major industrial domains in 15+ countries have acquired the CBRM certification. They are presently thriving in their roles and making a difference through their knowledge. The CBRM certification is the most sought-after certification program among both private and governmental companies worldwide. The primary reason is the ever-increasing demand for people who are knowledgeable and skilled in business continuity and resilience. CBRM stands for Certified Business Resilience Manager. It is for business relationship managers at the intermediate to advanced level. If your main goal is advancement to the next position of Strategic Business Relationship Manager, the CBRM certification can surely accelerate the process. With the growing demand for professionals who possess knowledge and skills in Business Continuity and Resiliency, the CBRM certification is the preferred program for both private and public organizations across the globe.

Why Get a CBRM Certification?

Everyone in the company depends on the business continuity plan to maintain operations after a disaster and return things to normal. It is crucial to understand how to create a strategy that is dependable, thorough and efficient for any case involving a disruption to the company. The CBRM certification shows that the certified expert has a thorough awareness of the most recent best practices and understands the standards in business continuity and disaster recovery. It gives managers and potential employers the assurance that the bearer has acquired a sufficient level of expertise in business continuity and disaster recovery.

Reserve a seat for an online seminar on CBRM Certification by BRCCI – the CBRM training institute of America.

What is BRMP Certification?

The first thing you need to understand is: what is BRMP certification? It is a certification course that can help transform any business into an effective enterprise. The BRMP certification is among the top credentials that hiring managers are looking for now. The certification shows that you have a deep understanding of linking interactions to outcomes and that you have mastered the fundamental ideas and abilities required to prepare for your future as a respected partner inside your firm. Accredited training and certification are delivered in all corners of the globe. You can choose from one-on-one training, corporate solutions, and virtual and online training.

Who is a BRM?

A Business Relationship Manager (BRM) strategically partners with business units as a peer, playing a proactive role in shaping strategy and sharing ownership of results. They are the organization’s liaison between IT and other business departments. A BRM helps ensure the success of the business. The focus is mainly on six skills: collaboration, strategy, communication, clarity, standards and value. Organizations frequently discover that they need to improve communication between IT and other business units as departments depend more and more on technology. BRMs are important for many businesses. They are responsible for tracking customer satisfaction and communicating client needs to the rest of the team.

Why is CBRM Certification a Better Alternative than BRMP Certification?

  • Thorough Knowledge: The CBRM certification denotes that the bearer has in-depth knowledge and understanding of the business continuity program. The bearer has the capability to plan from inception through assessment, design, development, testing and maintenance.
  • In-depth Understanding: With the ever-changing dynamics of the industries, it is of utmost importance that professionals are in sync with the latest trends, practices and benchmarks. CBRM training and certification help professionals stay on top of their game and continue to steer businesses toward greener pastures.
  • Professional Competency: CBRM certification provides employers and management with the confidence that the certification holder has attained an acceptable level of competency in the field of business continuity and disaster recovery.

Importance of CBRM Certification

Professionals from all major industries currently hold the CBRM designation in the following roles and positions:
  • Administrators and coordinators of business continuity
  • Workers and managers in data centers
  • Business continuity and resiliency team members
  • BC/DR experts
  • Chief information officers
  • IT personnel and managers
  • Crisis management experts
Now that you have a clear idea about BRMP or CBRM Certification, we recommend you attend an online seminar on CBRM by BRCCI – the CBRM Training Institute of America. Schedule your spot here. For more information on CBRM, please feel free to call us on 1-(888) 962-7224 or email info@brcci.org.

What is a Disaster Recovery Plan (DRP)?

A disaster recovery plan (DRP), also known as a disaster recovery implementation plan or an IT disaster recovery plan, is a documented set of policies and procedures that helps an organization carry out recovery in the event of a disaster, thereby protecting the business IT infrastructure and, more generally, enabling recovery. A disaster recovery plan’s primary goal is to thoroughly outline the steps that must be performed before, during and after a natural or man-made disaster so that everyone on the team knows what to do. Disaster recovery planning should cover deliberate man-made catastrophes (such as the effects of terrorism or hacking) as well as unintentional man-made disasters (such as equipment failure).

Overview of a Disaster Recovery Plan

Large volumes of mission-critical data are produced and managed by organizations of all sizes. As a result, the effects of data loss or corruption due to human error, technical malfunction, viruses or hacking can be severe. Recovering business data from a backup image therefore requires a disaster recovery strategy. For maximum effectiveness, the information technology (IT) disaster recovery plan should be created in combination with a business continuity plan (BCP). A business continuity plan is a comprehensive organizational strategy made up of the following five elements:
  1. A strategy for resuming business
  2. The resident emergency plan
  3. A plan for continuing activities
  4. A plan for incident management (IMP)
  5. A plan for disaster recovery
There is no single ideal method to create a disaster recovery plan because every circumstance is different. However, the main objectives of disaster recovery, the three that make up the majority of DRPs, are as follows:
  • Prevention
  • Detection of new potential risks as a result of routine inspections
  • Rectification, such as conducting a brainstorming session to discuss “lessons learned” and obtaining reliable insurance policies.

Disaster Recovery’s Advantages

Following your successful completion of the Disaster Recovery certification, you will benefit in the following ways:
  • Increase your capacity to carry out a DR project
  • Obtain the knowledge required to assist a company in implementing Disaster Recovery strategies.
  • Assist a company in achieving its business goals for disaster recovery
  • Obtain a qualification that is respected worldwide.
  • Secure hardware and data
  • Improve your dependability
  • Reduce risk

How to create your IT disaster recovery plan in simple steps

An IT disaster recovery plan cannot be created just by producing a document. To understand your firm’s requirements and the threats it faces, you must conduct a thorough study. Additionally, you must carefully coordinate the plan with all parties involved, test it to ensure that it works, and update it regularly so it remains relevant. Create a working disaster recovery plan by following these steps:
  • Create a list of your assets and note what needs to be protected.
  • Recognize context and criticality.
  • Assess risk.
  • Establish recovery goals.
  • Choose your disaster recovery arrangement and tools.
  • Set a budget.
  • Obtain plan approval.
  • Share the plan with everyone.
  • Test and review.

What makes disaster recovery so crucial to you?

The organization will recognize you if you have the requisite skills to assist a business in developing, executing and administering an ongoing disaster recovery plan. First, learn the fundamentals of disaster recovery, then assist your business in creating policies, plans and recovery processes. Being certified in disaster recovery displays your commitment to developing a certain degree of professional expertise.

What is Disaster Recovery Training?

Through training, professionals gain a thorough understanding of the basics of business continuity and disaster recovery, such as completing a business impact analysis, analyzing risks, creating policies and procedures, and putting a plan into action. Professionals are also taught how to safeguard data by establishing policies and processes, and how to recover and restore crucial data for their firm after a disaster. A disaster recovery plan details the steps a business should take to recover its IT systems quickly.

IT Disaster Recovery Training Courses

It might be challenging to choose the right training and certification organization. However, BRCCI IT Disaster Recovery Training Courses are specifically designed to satisfy the needs of both individuals and organizations. As a result, you can increase your knowledge, prosper and, most importantly, gain international recognition with the help of our experts.

Final thoughts

There are various Certified Disaster Recovery training programs. BRCCI has the appropriate IT Disaster Recovery Training Courses for you if you want to advance your level of knowledge. Learn more about disaster recovery through the BRCCI training program. Enroll today!

7 Reasons You Need a Business Continuity Plan

What is Business Continuity?

Business continuity refers to an organization’s capacity to continue performing critical tasks during and after a crisis. Business continuity planning sets out risk management practices and procedures that seek to prevent disruptions to mission-critical services and to swiftly and painlessly restore full operation to the company. The most fundamental requirement for business continuity is maintaining critical operations during a crisis and recovering with the least amount of downtime feasible. A business continuity plan (BCP) considers various unforeseen calamities, including fires, epidemics, disease outbreaks, cyberattacks and other external threats.

Here are the seven top reasons your business needs a continuity plan

If you want to ensure that your firm remains viable, you must put measures in place to stop internal and external risks from interfering with your daily operations. Numerous theories on managing and maintaining your organization’s consistency are in circulation. Still, the following are some compelling arguments for making sure your company does not encounter dangers that might cause it to fail.

1. Emergency Recovery

Disaster recovery is important for restoring company activities. Disasters are so damaging because of how unexpected they are. Emergency recovery will not prevent the disaster, but it does help mitigate its consequences for your business. Larger enterprises suffer significant losses. When considering business continuity plans for natural disasters, we frequently think of significant occurrences like earthquakes, floods and other disasters. But these are not the only causes of downtime. Data loss from human error, users’ security practices, inefficient employees and accidents are other leading causes of IT downtime.

2. Data indicates backups are insufficient

Most businesses use some form of data backup. But if you cannot access your data, as can happen in a power outage or if you have to temporarily leave your business location, having data backups is useless. In the event of a calamity, accessing data may prove challenging. After all, having a backup is not the same as being able to retrieve it. By deploying business continuity and disaster recovery solutions that make use of cloud technology, organizations can run critical business applications from backup instances on cloud-based virtual servers. By effectively “flipping a switch”, this tactic can reduce downtime.

3. Insurance does not Protect Your Data

Every year, cyber attacks grow in sophistication and effectiveness. Insurance will not cover the loss of your data if a data center, server, backup, or even access to any of these is lost. Insurance is insufficient to fully compensate for all disaster damages. While it can pay the price of repairs, it has little impact on the income lost and the lost opportunities for future business.

4. Advantage over competitors

You will be well ahead if you can resume regular business activities while your rivals are still figuring it out. Your company can distinguish itself as a leader that can be trusted and relied upon by quickly getting your network up and running, restoring access to your business data and documents, and connecting your staff so they can interact with one another and help your customers.

5. Losses during the business’s poor periods

Markets have a history of being particularly tough during difficult times, which reduces revenues for most companies. If your company is young, you can lose money because of debt. A solid business continuity plan protects you from further losses and helps your company keep going, enabling it to break even while things settle down.

6. Keeping employee commitment

Your staff become more committed to accomplishing the business goals when they accept and align with management’s actions. They become more passionate and enthusiastic about their work, since having a backup plan reassures them of their security. Employee productivity and continuous delivery of products increase as a result.

7. Organizations must continue

Maintaining a business is crucial. Taking a very simplistic view, your firm effectively ceases to exist if you cannot buy and sell. You need to define the steps that ensure operations continue to run, regardless of the type of disaster.

Conclusion

You need to be aware of the risks involved and the corrective steps to keep operations running before beginning your business. Earn training and certification in business continuity and IT disaster recovery from our business continuity training institute. These highly sought-after certifications attest to your superior qualifications in every area of business continuity and IT disaster recovery.

Best Practices for Business Continuity in 2021

Organizational Risk Management – A Case Study of Companies that have won the Brazilian Quality Award Prize

By Luiz Carlos Di Serio, Luciel Henrique de Oliveira, Luiz Marcelo Siegert Schuch

Abstract Supply chain optimization, company interdependency and the establishment of global operating networks have all made companies more susceptible to uncertainty and risk. Literature on the subject lacks analysis of how companies have implemented these systems and what the results have been. This paper describes the implementation of Enterprise Risk Management (ERM) in three Brazilian world-class companies and evaluates the hindrances and facilitating factors. It also considers the results achieved in performance and company culture. Finally, we propose a model associating the benefits of risk management to the level of organizational transformation. Keywords: Enterprise risk management (ERM); risk management; organizational transformation; operating risks, ruptures in the supply chain. 1. Introduction In the organizational field, risk management has only recently featured in executives’ agendas, changing the perception in the process that this discipline is restricted to insurance experts (CAVINATO, 2004). The optimization of supply chains, more company interdependency prompted by the evolution of lean manufacturing, and the establishment of global supply networks have increased companies’ exposure to different types of uncertainties and consequently, to greater risk (HARLAND et al, 2003). According to the Global Risks 2008 report, published by the World Economic Forum, the main current risks stem from supply chains, the financial system, food safety, and issues related to energy availability and use. This work aims at finding ways to reduce the gap in the practical implementation of risk management systems in organizations. A multiple case study was conducted with three companies chosen from a list of winners and finalists of the PNQ National Quality Award. 
Winning the PNQ award was a prerequisite for the companies chosen, as one of the requirements of the EFQM Management Excellence Model is the identification, classification, analysis and handling of more significant corporate risks. The fact that these are award-winning companies is a sign of public recognition of their maturity, development and integrated management systems and enables a more comprehensive evaluation of the factors proposed by this study. This study is based on the following research problems: How do companies that are considered as examples of world-class management handle their organizational risk? How does risk management affect the culture and results of these organizations? 2. Theoretical References From an individual perspective, companies have acknowledged risk for a while and there is a vast literature on the subject in the areas of economics, finances, strategy and international management (JÜTNER et al, 2003). Also, the author points out that the term risk is somehow confusing, because it is perceived as a multidimensional concept. On the one hand it can be attributed to internal or external events that reduce the predictability of results (e.g. political, environmental and market risks). On the other, the term risk can refer to the potential consequences of an event (e.g. operating, personal and service risks). The Brazilian National Quality Foundation (FNQ, 2010) Excellence Model includes the need to identify organizational risks and defines risk as a combination between the probability of an occurrence and the consequence(s) of an undesired event. It also defines corporate risk as a risk to the achievement of an organization’s goals in the light of market uncertainties, the organization’s area of operation, the macroeconomic scenario and the organization’s own processes. Bernstain (1996) suggests that the understanding of risk management methods requires prior knowledge of their history. 
The author argues that it is almost unbelievable that theories about probabilities have taken so long to be developed. This delay is attributed to the combination of two factors that had to be present in order to enable the development of theories about risk: a more developed numeration system and greater liberty for people to question the future. The basic premise behind organizational risk studies is that a company’s behavior reflects its executives’ behavior. For this reason, the theoretical foundation for the analysis of the different results observed in organizations is based on understanding people’s behavior during decision-making. According to Fiegenbaun and Thomas (1988), it is important to question how far individual attitudes towards risk can be translated into organizational behavior. An increase in corporate scandals together with recent legislation such as the Sarbanes-Oxley Act of 2002 has led companies to focus more on risk management. Thus, it is not surprising that ERM models that provide a structure for risk analysis and measurement have been so widely embraced by executives (GATES and HEXTER, 2006). The market offers models aimed at directing an organization’s risk management. COSO’s (Committee of Sponsoring Organizations of the Treadway Commission) introduces an ERM model that takes into consideration strategic and operating aspects associated to risk management. This model has been embraced by agencies and by the US government as a means to control organizational risks and meet the requirements of the Sarbanes-Oxley Law. Over the past decades the area of operations has reemerged as a crucial part of strategic planning. Skinner’s article (1969) proposed that manufacturing be included in the strategic process rather than be limited as a specialization focused on the plant’s everyday routine. Operational strategy has gained more space and become a link between market requirements and operating resources (SLACK LEWIS, 2002). 
The implementation of a risk management system is a long-term, dynamic, interactive process that must be continuously improved and integrated to the organization’s strategic planning, Brazilian Corporate Governance Institute (IBGC, 2007). VENKATRAMAN (1994) presented a framework with possible ways to implement Information Technology within an organization. This framework (Table 1) has different stages of organizational transformation and their respective impacts, and it is the company’s job to determine which type of transformation it wants to introduce. The choice of a specific level of transformation depends on the costs incurred and on estimated benefits. 2. Methodological Procedures The research used the multiple-case study model proposed by YIN (2005). Selection of the cases was followed by the development of research proposals and protocol. Each case is described in detail. We first contacted the latest winners and finalists of the PNQ award and identified the companies that adopt risk management systems. Initial contact was made with the company’s representative on the FNQ (National Quality Foundation) data bank, who then referred us to the person in charge of risk management. One of the prerequisites for involvement in the study was for the company to work with the subject of ‘risk management”, even if it was still being structured. This premise enabled a preliminary glimpse of the results obtained through the implementation of the risk management system. Three of the companies we contacted agreed to share information and experiences. In many cases risk management involves the organization’s strategic questions, thus hindering access to some information and, in some cases even preventing the company’s participation in the study. 
This problem was dealt with through a confidentiality agreement stating that the participants’ names remain undisclosed, and through prior submission of the data collection process and of the research protocol containing the main themes discussed during the interviews. Our main interest was in risk management implementation and results, so, despite limiting the research’s scope, the lack of access to each company’s specific risks did not prevent the execution of the study.

After consulting the literature on the subject, we drew up the following research protocol for the interviews and analyses of the results:

(1) Risk management implementation: factors that facilitate and hinder risk management in the company.
(2) Current stage of the risk management system: risk management governance; risk identification and analysis; risk monitoring and crisis management; the use of technology and integration; and how and whether risks were communicated to stakeholders.
(3) Impacts of risk management: the organizational culture’s approach to risk and decision-making and the impact on organizational results.

The following proposals were drawn from the theoretical references and used to direct the research and as the object of analysis of this study:

• Proposal 1: organizations consider risk management an important initiative for carrying out their strategies and obtaining sustainable results;
• Proposal 2: organizations include formal risk analyses in their decision-making processes;
• Proposal 3: the identification, analysis and handling of financial risks is more developed than that of operating risks;
• Proposal 4: the adoption of a structured organizational risk management system has a positive impact on performance.

We chose to conduct semi-structured interviews with a prepared questionnaire containing specific sections to help map out the implementation process, the current stage of the risk management system, and the results obtained.
For each case analyzed we conducted interviews with the executive in charge of the organization’s risk management. The interviews were based on a prepared script and were conducted in the company’s facilities during scheduled meetings. They lasted an average of 3 hours and covered the entire scope established in the script. In each question the interviewees were asked to explain the company’s experience. At the end of questions with previously established factors, the interviewee was asked to grade the degree of agreement with this practice and the degree to which it has been implemented. The interview was not restricted to the suggested factors, so the interviewees were free to propose new ones. This approach aimed at obtaining a minimum group of factors for future comparison between companies. Although the selected companies did not authorize the disclosure of their names or of details that would enable their identification, they are loosely described in Table 2. Both the interviews and the data collection were carried out by the authors. In addition to the interviews, we used information from the companies’ sites, minutes of meetings, internal presentations about the subject, annual reports, and documents available to the market (such as documentation sent to the Securities and Exchange Commission, SEC, corroborating compliance with the Sarbanes-Oxley Law).

4 Results and Discussion

4.1. COMPANY A

4.1.1. The implementation of risk management

The company’s risk management system was implemented in 2005, during the selection of a consultancy firm as part of the formalization of the risk analysis process. Some specific areas in the company already had a risk identification and handling system, although there was no standardized structure and methodology. Demand for the structuring of a risk management system came from the holding company and majority shareholder.
It was determined that two subsidiaries were to develop a common system that could, as a secondary goal, meet the requisites of the Sarbanes-Oxley Law. A working group was created containing members of the controllership, information technology, and auditing areas of the two companies, and it was led by Investor Relations Management.

Observation of the results showed that the leadership’s support and implementation through a multifunctional team were facilitating factors. The leadership’s support was crucial for mobilizing people, as it placed the subject firmly on the executives’ agenda. This was made evident by the inclusion of the subject in the variable remuneration plan of the Chief Executive Officer and Chief Financial Officer (leaders of the implementation process) and by the definition of a specific action plan for the Financial Area within strategic planning. An interesting point is that the interviewees did not consider the use of a specialized consultancy firm to support the implementation process as relevant. Previous experience with the implementation of management systems was not considered a facilitating factor, although the firm had already implemented several other systems (ISO9001, ISO14001, OHSAS18001, MEG, SAP, among others).

The answers did not suggest that any of the proposed factors had a significant impact on the implementation of the risk management system. In COMPANY A, the support of the leadership was considered effective, and as a result the proposed factors scored low in the interviewees’ evaluation, although all the interviewees recognized the item as a very important factor. The factor that generated the greatest difficulty, according to the interviewees, was the executives’ relative lack of knowledge about risk assessment. According to them, this difficulty was attenuated by asking each executive to identify the factors that made them “lose sleep”. Afterwards, the risks were detailed and analyzed.
4.1.2 The current stage of the risk management system

The process’s governance is carried out by the Risk Sub-Committee, the body responsible for risk management. Since 2005, COMPANY A has used the COSO methodology to deal with corporate risk. This methodology includes a process of identification, measurement, definition of responses, and control of potential events that might have a negative effect on the company and its strategies. The Risk Sub-Committee is directly linked to the Strategy Committee, which receives frequent reports about the progress made in risk identification, evaluation, and monitoring and about the materialization of previously identified risks. Risk identification and analysis exclusively cover the company and are not extended to its supply chain.

Risk management is associated with strategic planning. Risk identification takes place at least once a year through the analysis of scenarios (external and internal environments) as part of one of the stages in the strategic planning cycle. There are preventive plans to reduce or eliminate the identified risks, while more significant risks are handled through a contingency plan drawn up in accordance with the risk’s priority. Risk prioritization is determined in accordance with the factors described in Table 3. Credit and market financial risks are a subgroup of Corporate Risks covered by the COSO methodology and monitored by the Risk Committee. Thus, financial risk management in COMPANY A is at a more mature stage than operating risk management.

The factor identified by the interviewees as less developed is executive training. The risk management system’s most fragile spot is, according to the interviewees, the auditing of internal controls employed to manage identified risks. According to one of the interviews, this process occurs in several cases, but its results have not yet been reported to the subcommittee and therefore corrective action has not been taken.
Although the company uses credit management (SAP) and market risk management software, there is no indication of an operating risk management system. The company adopts criteria for risk control that are part of SAP parameterization, including control of the approval level for certain operations (credit, refunds, payments, etc.). Although the entire process of risk identification and analysis is considered a restricted activity that is subject to the signing of a confidentiality agreement by the parties involved, the company has adopted the practice of disclosing its main risks in its sustainability report.

4.1.3 The impacts of risk management

Risk management culture in COMPANY A is still under development. According to the interviewees, risk management is still “confined” to the risk management Subcommittee and consequently only a small number of executives have taken part in the full process, from identification to the drawing up of contingency plans for certain risks. Risk analysis is already part of the executives’ routine, and the biggest change brought by the adoption of the risk management system is the formalization of the process and the creation of a single reference (classification, terminology, templates). The process is quite effective for those involved in assessing risks and in drawing up plans of action. According to the interviewees, there is not yet proactivity in risk identification and assessment, as with few exceptions these activities are undertaken upon demand from the Subcommittee. An important determining factor for the introduction of this culture was the implementation by the CEO of the No Surprise Policy, which is frequently mentioned in his periodic statements to the company’s employees (called “A Chat with the CEO”). The financial department also plans implementation and has established the need “to perfect risk management”.
Among the benefits of organizational risk management, four were reported as being the most important: an increase in shareholders’ trust in the company; the prevention of events that could lead to an interruption in operations; an improvement in operating results; and better identification of opportunities and threats. Shareholders’ trust was highlighted as a positive factor. In the case in point, this is also due to the No Surprise Policy between the CEO and the Board of Directors, which is also supported by the risk management system. It was also reported that risk management practices and the main risks to which the company is subject are disclosed to the investment market.

4.2 COMPANY B

4.2.1. The implementation of risk management

Risk management as a structured process dates back to 2005, when the company started to comply with the Sarbanes-Oxley Law following its listing on the New York Stock Exchange. At the time the process was led by the Corporate Governance area, which is directly linked to the CEO. The Corporate Governance area was created in 2002, with the initial purpose of adapting the company to BOVESPA’s Novo Mercado corporate governance level.

A process was established whereby there is an annual evaluation of the controls for each of the accounts in the company’s financial statements. The process consists of identifying the interface areas and the existing controls for each line in the financial statement. Based on this there is a self-assessment of the controls’ effectiveness, followed by a series of field tests and verifications aimed at proving control efficiency. The company has four main risk areas that are the object of more detailed analysis, in the form of pilot projects. The risk implementation project foresees the gradual inclusion of new risks combined with the maturing and internal consolidation of the methodology. The adoption of a risk management system was not prompted by one factor alone.
Although it started with adjustments to the Sarbanes-Oxley Law, it was also the result of a natural evolution of the organization’s management system, which was expected to have a positive impact on the organization’s results.

The facilitating factor considered most relevant was support from the organization’s leadership, especially the CEO and Board of Directors. This support was manifested through frequent (weekly) monitoring of risk management implementation and through the allocation of resources, both in terms of staff (through the creation of a department) and financial (approval of a budget to hire a consultancy firm to help implementation). Still on the subject of facilitating factors, the same importance was granted to previous experience with a management system (the company has certifications from ISO9001, ISO14001, SA8000 and OHSAS 18001), to the existence of a team dedicated to implementation and to the creation of a multifunctional team. A factor considered to be of great importance by the interviewee was the clear definition of roles during the drawing-up of the implementation project.

The main complicating factors mentioned were a lack of understanding regarding risk assessment and the long duration of the still-ongoing implementation, as the plan foresees a gradual inclusion of risks in the methodology’s scope. This tends to turn implementation into a very bureaucratic process, whose limited scope prevents actual benefits from becoming immediately apparent.

4.2.2. The current stage of risk management

Risk management is implemented by the Risk Management Department, which reports directly to the CEO. The department has four analysts in addition to its Chief Risk Officer. Effectively the office has a supporting role and is in charge of establishing the rules and standardizing the organization’s risk management process. Identification of specific risks is done by the business areas under the Risk Management Department.
In COMPANY B the unit of analysis for risk identification is limited to the company itself and does not acknowledge risks in the supply chain (upstream and downstream). The company has adopted the COSO methodology since September 2004 as a reference point for the development of risk management. It includes an ERM model that considers strategic and operating aspects associated with risk management. This reference point is also reflected in the risk taxonomy, which includes an additional category called regulatory risks, given the importance of this issue for a company that operates in a strongly regulated market.

If we consider the origins of the risk management process in the organization (adjustment to the Sarbanes-Oxley Law and the active management of regulatory risks), then the identification and handling of reporting risks (related to the reliability of the company’s reports) and compliance risks (compliance with legislation and applicable regulation) are more developed than the identification and handling of strategic and operating risks. The identification of operating risks is more spread out and dealt with by several forums as part of the certified management systems related to quality (ISO 9001), environment (ISO 14001), health and safety (OHSAS 18001) and social responsibility (SA 8000). The company’s 2007 annual report describes the way in which some of its main risks were handled, as summarized in Table 4.

Based on the risk management system’s level of maturity regarding risk quantification and handling and on the marks assigned by the interviewees, we concluded that the organization does not have a unified risk handling and reporting system. The process is still under implementation and currently only some of the risks are submitted to standardization (pilot projects).
As regards the use of technology and integration, the company has adopted a system for the management of regulatory aspects and another for the bottom-up certification of controls related to compliance with the Sarbanes-Oxley Law. This system includes a bottom-up approval process for control efficiency starting at the operating level and moving up to the CEO and board of directors, both of which grant final approval based on information from the lower levels. Regarding risk communication, a description of the organization’s main risks can be found in its Annual Report. Disclosure of more detailed information about risks and control strategies is confidential and restricted to the company’s executives.

4.2.3. The impact of risk management

As regards culture and decision-making, the company has not developed a corporate culture for risk management. According to the interviewee, the process is still strongly linked to the strategic planning period, during which SWOT analyses are carried out for each type of business. As risk management is still under implementation, there have been no evident cultural changes, because risk identification and handling have not occurred simultaneously in all areas of the company. In the case of the controls listed by the Sarbanes-Oxley Law’s certification process, there is already more awareness about the need to identify potential risks during changes in procedures, a sign of increased maturity in the company’s culture. In the interviewee’s opinion the benefits obtained from risk management are still limited, as shown by the current stage of implementation. Among the benefits proposed, there is a perception of improvement in the operating results prompted by a reduction in losses and in interruptions.
At this stage, it is not yet possible to associate risk management implementation with lower payments to insurers or with fundraising in the market, although the AA+ rating assigned by Austin will positively affect market confidence in the company.

4.3 COMPANY C

4.3.1 The implementation of risk management

Corporate risk management in COMPANY C started in 2006. The process was centrally coordinated in the US, as risk management is an attribution of the vice CEO responsible for the corporate management system. In Brazil the initiative to implement risk management is recent, starting in May 2008 with a workshop in the industrial plant aimed at identifying the unit’s main risks. This company’s case is different from the others, as it shows risk assessment in one production unit belonging to a global corporation. For this reason, the local risks are identified and handled almost exclusively in the operating area. Financial and strategic risks are dealt with on a corporate level, and so are all the processes related to the Sarbanes-Oxley Law.

The facilitating factors considered most important for the implementation of risk management were: support from the leadership, training on how to assess risks, and the actions of the multifunctional team. The interviews showed that employees from all areas took part in a workshop held with members from headquarters and received initial training. As regards the complicating factors, the interviewee said that none of those listed actually hindered implementation or risk assessment. As the initiative came from headquarters, it received the prompt adhesion and mobilization of all parties involved.

4.3.2 The current stage of risk management

In the unit analyzed the process was coordinated by the plant’s Chief Projects Officer, and there is no formal support structure for risk identification. Assessment is carried out annually through workshops held for that purpose and attended by employees from various areas.
There is a risk management structure that reports directly to a vice-president, and the corporate model uses the COSO methodology. A principal focus in 2008 was to assess risks that could lead to an interruption in production (Business Continuity Management), and the corporate guideline was for the creation of a structure involving key areas in the company.

Risk identification at the plant (operating focus) is based on corporate methodology. The process starts with a standard list of events that the units classify according to pertinence, severity and probability of occurrence. An event to evaluate risks is held annually, with participation from several areas (IT, production, sales, supply, projects, etc.). The main risks are classified and employees are appointed to draw up plans of action. As the plant has no risk indicators, reports about the monitoring of risk handling plans are presented during the plant’s executive meetings. A budget for risk mitigation actions is established on an annual basis and is also used as a basis for the executives’ evaluation. Financial risk exposure is not dealt with at the plant, and there is no information available about how this is done on a corporate level.

The analyzed plant has no risk management system or portal, and surveys are recorded on spreadsheets using the corporation’s methodology. The plant’s risk management leader does not have access to any corporate system; all risk handling action plans are monitored by the group, and the actions’ progress and inter-relations can be viewed by all.

4.3.3. The impact of risk management

Although risk management is still at an initial stage, as only one full cycle has been completed in the plant being analyzed, there is evidence that risk-related issues have started to be included in the executive and middle-management agenda.
This is due to the constant monitoring of risk mitigation action plans and their inclusion as a theme of discussion in managerial meetings in several areas of the company. In the case of the evaluation of results obtained from risk management, the principal implementation gains perceived at the plant were improvements in opportunity and threat identification and in corporate governance. When asked about his perception of the corporate risk system, the interviewee said improved investor confidence is imperceptible at plant level. There were no improvements regarding compliance with legal requirements or regarding financial reports, as these obligations had been met prior to the implementation of risk management.

4.4. Comparative analysis and discussion

In the three companies the implementation of risk management was prompted by demand from the board of directors, usually in response to pressure for more transparency. The enactment of the Sarbanes-Oxley Law in 2002 in the US was evidently a major incentive for companies listed on the US market. The three companies hold ISO 14001 (Environmental Management Standards) and OHSAS 18001 (Occupational Health and Safety Management) certification, which require the identification of environmental impacts (ISO 14001) and health and safety risks (OHSAS 18001). However, these assessments are not part of the risk management systems in any of the three companies. The explanation given during the interviews was that risk assessment for these norms is very specific and operations-oriented and therefore is not the focus of current risk management implementation, which is aimed at strategic and financial risks. Table 5 summarizes empirical evidence common to all three companies.

Each company opted for a different structure for the implementation of its risk management system.
While Company A opted for the establishment of an implementation team and a Risk Subcommittee to manage the process, Company B created a Risk Management Department that reported directly to the CEO. Company C created a post for someone with a deep knowledge of operations at the plant (Chief Projects Officer), as this was the focus of risk assessment in Brazil. Literature on the subject shows the adoption of different implementation models, whether in the form of a specific area, a committee or a post (LIEBENBERG and HOYT, 2003). In terms of complicating factors, field results show that the biggest hindrance to implementation stems from lack of knowledge about risk assessment among those involved.

As for the extent of the assessments, both Company A and B affirmed that their respective risk assessments were focused on the company itself and that supply chain risks were not evaluated. Only Company C made an analysis of its client and supplier risks. This is in line with the Gates and Hexter (2006) research conclusion that risk management starts with the financial area and is followed by strategic and operating risks.

We perceived that risk handling helps prevent occurrences and events that could lead to an interruption in operations. After discussions about this with representatives from the companies, we concluded that contingency plans are rarely put into action. One of the interviewees claimed that it is difficult to measure the risk management system’s efficiency, comparing it to a soccer goalkeeper: “No one knows how many goals a goalkeeper has prevented, but everyone knows how many he has let in”. This remark summarizes the difficulties in measuring the efficiency of a risk management system and leads to a much more qualitative than quantitative analysis of its impact.

Based on Figure 1 and the model proposed by Venkatraman (1994), analysis of the cases studied for this work suggests that companies A and B are more aligned to the Internal Integration stage.
In these two companies the efforts are mostly focused on risk consolidation and integration, although in both cases the processes were redesigned in accordance with initial assessments. In corporate terms, Company C might be at a more advanced stage (transition to Stage 4) as the firm, or more precisely its supply chain, is more concerned with business networks, as shown in the individual analysis of the case. Finally, it is important to highlight that the model aims towards companies aligning their expectations and making more conscious choices, as in practice they can end up at different stages for each particular aspect.

5. Conclusions

To guide the research we made some initial proposals based on the theoretical review discussed herein and in accordance with the empirical evidence.

Proposal 1: The empirical evidence offers partial support to this proposal. Although in all three cases representatives from the organizations affirmed the belief that there have been result improvements, demand for implementation has largely come from upper management (in all three cases there was demand for compliance with the Sarbanes-Oxley Law). As there does not seem to be consensus about the extent of the improvements, the companies might be more interested in legitimizing their processes and structures than in effectively improving their performance.

Proposal 2: This proposal has been partially confirmed. The current state of risk management implementation in the companies has proved insufficient to have a significant effect on decision-making. Risk management remains strongly focused on the implementation team members and, in some cases, on specific areas (Company A) or pilot processes (Company B). The use of pilot projects during implementation is recommended by the literature on the subject (Enterprise Risk Management Framework, 2007; KLEFFNER et al., 2003; COSO).

Proposal 3: This proposal was observed in all three companies.
In fact, operating risk management is at a lower stage of development than financial risk management. All three companies are integrating operating risks with the financial and strategic risks that had previously been handled. In this case, Company C was at the highest stage of development, by including supply chain risks in operating risks. This conclusion is in line with the theoretical discussion about the subject (SHEFFI, 2005; HARLAND, 2003; JUTNER et al., 2003; HENDRICKS and SINGHAL, 2005).

Proposal 4: This proposal could not be convincingly proved. Although analysis of the cases led to the conclusion that the companies considered their operating results had improved, there was no objective evidence to this effect. An interesting analogy was made by one of the interviewees, who made a comparison to a soccer goalkeeper: “No one knows how many goals a goalkeeper has prevented, but everyone knows how many he has let in”. This remark summarizes the difficulties in measuring the efficiency of a risk management system and leads to a much more qualitative than quantitative analysis of its impact.

The research contributed both to the debate in the academic field and to managers interested in risk management implementation. As regards academia, the study presents a preliminary proposal for a theoretical model relating the degree of organizational transformation to the benefits of risk management, depending on how the organization decides to implement this initiative. Regarding practical application, the study enables the identification of different risk management development models in organizations with fairly developed management systems which, for this reason, are very experienced when it comes to this type of initiative. Finally, it presents the factors that might facilitate and hinder the success of this initiative.

The study has some limitations.
As this is a multiple case study its power of generalization is limited, despite the methodological care applied to its development. The risk management systems in the companies analyzed in the case study are at the initial maturation stage. This reduces the likelihood of events that could be the object of proactive action taken in response to risk assessment. Additionally, the companies’ current risk management status also limits perceptions about the cultural issues in the process. As risk management has not been effectively implemented in all areas, the interviews were restricted to direct participants in the implementation process, thus introducing a certain bias to the answers. None of the companies gave access to their specific risks or their respective handling (mitigation, elimination, transfer, etc.). Consequently, it was not possible to evaluate the extent to which each of these alternatives has been applied. Risk management is seen as part of the companies’ strategy and disclosure of this information is considered a “risk”.

We suggest more in-depth study at companies where risk management is at a more advanced stage. These studies could assess the systems’ impact on organizational culture from the viewpoint of the various participants (board of directors, executives, middle-management, risk management team members, staff and other employees), in order to identify how perceptions about risk can affect organizations’ control and strategic planning. Furthermore, as risk management can result in stricter internal controls it can also have an impact on processes related to innovation. Studies about this ambiguous aspect could help companies ration control during the continuous reinvention processes that are required for facing new challenges.

Alternate Communications During Times of Disaster

By Dr. Jim Kennedy, NCE, MRP, MBCI, CBRM

We have witnessed over the last three to five years many disasters, both in the United States and abroad. Based on what we are hearing from NOAA and the National Weather Service, the US is likely to see the same number of tropical storms this year, if not more: storms of the size and ferocity of those that were so devastating to the southern portion of the US in 2005. So, whether it is tropical storms in the US, earthquakes in South America and Asia, or volcanoes anywhere else on the globe, we, humanity, face another year of potential emergencies that will need to be responded to.

One thing that all of these natural disasters have in common, besides the tremendous loss of life and the disruption to the everyday lives of the populace, is that they are immediately followed by an almost total loss of the ability to communicate with the outside world. Power is lost, telephone services are discontinued, and cell phone service is either non-existent or so congested that it takes hours to get a call through.

So, every year, companies and emergency planners face the problem of providing continued communication before, during, and after a disaster strikes their areas. This year, more than at any other time, business continuity planners at small, medium and large companies in the southern part of America are looking for alternatives to standard communications so that they can keep their business and critical operations running in the aftermath of a devastating event.

I thought that I would present some alternatives across the spectrum of business types, so that business continuity planners have a set of choices from which to make informed decisions about backup communications.

Before we discuss backup communications solutions, let’s first discuss the failure mechanisms of the communications used during normal times.

Failure Modes

Most companies continue to rely upon the standard telephone system for their communications needs. To provide this service the telecommunications carrier, regardless of where you are located in the world, relies upon either copper wire or fiber optic cables from its central offices to its customers’ premises. This ‘last mile’ can be either above ground, which is the majority of cases, or underground. We have all seen those graphic pictures of poles and trees uprooted and thrown to the ground after a hurricane or tornado has devastated an area. When this happens, that last mile of connectivity between the business and its telephone provider, Internet provider, or application service provider is abruptly disconnected and utility power is lost. Underground cables are not entirely safe from disruption of service either; many times, due to flooding and/or power loss, these underground services are disrupted as well.

In the case of cell phone providers, the cell towers receive your cell phone’s call and then route it to a local central office. These towers, or the equipment inside them, can also be damaged or destroyed, as can the last mile circuits which connect those cell towers to the local telephone network. So cell phone service is as tenuous as the regular telephone service when a disaster strikes.

I should also mention that the southeast US is not the only area where loss of communications services takes place, and hurricanes and tornadoes are not the only natural disasters that disrupt communications and power. In the northeast US over the last several years, for example, ice storms and blizzards have also taken their toll on communications and power utilities.

Usually, following an event like a tornado, hurricane, blizzard or the like, the communications and power service providers work very hard to restore service. However, in most cases we are talking several days, if not a week, for the restoration of power and phone service. This restoration time varies depending on the size and intensity of the disaster. If it is localized, as it could be for a tornado, then service could be restored more quickly.

These copper and fiber optic cables also interconnect the local telephone company’s central offices to other central offices in the region and to long distance providers, cell phone carriers, Internet and data communications service providers anywhere in the world. These inter-exchange or ‘long haul’ circuits provide interconnectivity and communication beyond the local area. So if your business communicates between offices in Baton Rouge LA and St. Louis MO, there are probably several service providers and miles of cables involved in carrying the information from one point to the other. These cables travel above and underground and suffer the same fate as the local last mile circuits do. However, because of the number of calls, the number of subscribers and the importance of these circuits, the carriers or the businesses that use them generally employ circuit ‘diversity’. What this means is that there are multiple paths for the voice or data to travel. If one path fails there is another which can be used to take the call to its intended destination. This works well for such things as car vs. pole accidents and isolated incidents like localized fires and floods, but with mass devastation like we experienced with Hurricane Katrina or the tornadoes in the midwest US, even the diverse routes are consumed in the overall damage toll.

Power is another failure mode. The central offices and cell phone sites have their own power sources in the form of batteries and emergency generators. If the event is limited to a few hours or a few days they will remain fully operational. However, in the case of the hurricanes and earthquakes of the last few years, power was interrupted for several days, even up to several weeks, and the power plants, central offices, or cell towers in the areas of devastation were inaccessible for most of that time. This meant that the fuel trucks needed to refuel the generators were unable to get to their destinations, and subsequently the central offices and cell sites went off-line.

So now we understand that the power and communications utilities have planned for adverse events, but the intensity and massive area of devastation often make these plans fail. It is left to the individual business owner or operator to determine the criticality of their services and to properly plan for potential communication and power failures that might impact them.

In the next part of this article, I will endeavor to present the alternatives that exist in case you experience a disastrous event with a communication failure.

Alternatives

Before I discuss the alternatives I feel that it is important to note that power is a main component of any recovery or mitigation strategy. That is, without power to run these technologies they will not operate. So, it is important to have reliable and sustainable power for the duration of the resumption and/or recovery effort. If you cannot verify that this is the case then alternate site recovery is the only viable alternative.

Infrared

One such alternative to commercial communication systems is infrared. This alternative is used if a company needs to interconnect two buildings. Infrared provides an optical data, voice and video transmission system. Like fiber optic cable, infrared communications systems use laser light to transmit a digital signal between two transceivers. However, unlike fiber, the laser light is transmitted through the air. In order for the digital signal to be transmitted and received, there must be a clear line of sight between each unit. In other words, there should be no obstructions such as trees or buildings between the transceiver units. So, if your wireline or wireless communications fail, you can still provide communications between two points. The only drawbacks are the distance and the line-of-sight requirements.

This solution provides low-cost, high-speed wireless connectivity for a variety of last-mile applications. It provides narrowband voice and broadband data connectivity, and the various products provide scalable, wireless alternatives to leased lines. These infrared systems operate at data rates from 1 Megabit to multi-Gigabit speeds and are deployable in one day, without requiring right-of-way or government permits for installation. They can provide an alternative communication link in hours instead of weeks or months. This is probably not an option for a small business, but for a medium or large business owner the cost is affordable. Cost can range from $10K to $25K per installation, capable of distances of up to 1000 meters.

Microwave

Another alternative to commercial communication systems is microwave (wireless). This alternative is used if a company needs to interconnect two buildings that are spaced farther apart than conventional infrared can operate (i.e., in excess of 1000 m). Microwave also provides a data, voice and video transmission system. Unlike infrared communications systems, which use laser light to transmit a digital signal between two transceivers, microwave uses ultra-high frequency radio (wireless) transmission. In order for the digital signal to be transmitted and received, there again must be a clear line of sight between each unit. However, the distance that this alternative can span is up to 60 miles, as long as no obstructions such as trees or buildings are located between the two locations. If wireline or wireless communications fail, communications between two points can still take place. There are several drawbacks to this solution:

  • Distance limited to up to 60 miles
  • Requires an FCC license to operate
  • Right of Way Permits may be required
  • Needs highly trained technicians to install equipment
  • Cost can be prohibitive for small businesses

The cost of a microwave system can be between $50K and $100K with installation and license preparation charges to be in the area of another $15K. It still provides a viable alternative for medium and large businesses.

Small businesses also have an alternative of smaller wireless systems which utilize non-licensed frequencies and which can be installed by an IT person in the business operation. Cost is about $1000 to $2000, but I must warn you that this is not as reliable a solution as the microwave wireless option and reliable speeds may be slower.

Satellite

So far I have provided solutions that have been better suited for the medium and large business operations. Satellite provides alternatives for small, medium and large enterprises and there are various speed and pricing options, which make it a very attractive alternative or mitigation strategy.

Satellite Phones

There are several types of satellite alternatives. If a company is only interested in providing a short-term telephone backup alternative, then satellite phone services like INMARSAT, AT&T, Iridium, Satcom, Skytel, Worldcell, or Globalstar, to name only a few, offer basic voice, fax and e-mail services. They offer mobile phone services and are not usually capable of providing sustained data communication or Internet types of services. However, this communications strategy is good for keeping your senior executives and critical operations personnel in contact during disasters. You can rent phones for about $40/week and then pay about $1.00/minute for basic service, or you can buy the phones for $700 to $2000 each and negotiate rates in the area of $0.85/minute. So as you can see this is not an inexpensive option, but it is usable depending on the need for communications.

VSAT

VSAT is an acronym for Very Small Aperture Terminal, an earthbound station used in satellite communications of data, voice and video signals. A VSAT consists of two parts: a transceiver that is placed outdoors in direct line of sight to the satellite, and a device that is placed indoors to interface the transceiver with the end user’s communications device, such as a PC. It is very much like a satellite TV setup. VSAT service can be placed into two categories: those that provide basic Internet access services and those that are enterprise grade. For the small and medium sized business the Internet access type of service is often what is selected. Offerings such as DirectWay, WildBlue, and Connexstar all offer low cost, small business types of backup solutions which use equipment much like the in-home satellite television services. The data rates are in the area of 200 kbps uplink and 1.5 Mbps downlink, which is very much like residential DSL service. The cost is about $300 for the equipment and around $100 or less each month. This would provide a small business the ability to utilize VoIP, VPN and connect to the Internet.

For medium and large size businesses there are more sophisticated satellite services. They require satellite antennas, which are 3 to 5 meters in diameter, and much more sophisticated and expensive equipment. Installation of these more sophisticated satellite services can cost in the range of $100K to $250K, with monthly operational service charges from $1000 to $5000/month. They provide quality of service and committed information rates as part of the service. They can provide for up to 150 toll-quality phone lines, broadband Internet, and high speed data communications, and also provide secure (encrypted) communication if required. Satellite services can also be rented as part of a contract or call-up service. But rental services are on a first-come, first-served basis. As we witnessed during the tropical storms of last year, these portable rental satellite service providers were inundated with requests and, try as they would, there were only so many units to go around. Those who did not plan or contract ahead were left without service.

Last Thoughts

I hope that I have given business continuity planners some food for thought in developing alternative communication mitigation strategies. Each strategy has its benefits and drawbacks. You need to look at each possibility and determine what is right for you. If you are overwhelmed, there are many consulting organizations, and even your own telecommunications services provider, who can help you to identify and select the best options. However, you need to get started today for the next hurricane, tornado, flood, or other catastrophe season in your geographic region. It will be too late to plan after an event occurs.

Dr. Jim Kennedy is the Business Continuity Services Practice Lead and a Consulting Member of Technical Staff for Lucent Technologies. Dr. Kennedy has over 25 years’ experience in the business continuity and disaster recovery fields and holds numerous Master level certifications in network engineering, information security and business continuity.

He has developed more than 30 recovery plans, planned or participated in more than 100 business continuity and disaster recovery tests, helped to coordinate three actual recovery operations, authored many technical articles on business continuity and disaster recovery and is a contributing author for two books, the “Blackbook of Corporate Security” and “Disaster Recovery Planning: An Introduction.”


jtkennedy@lucent.com

brcci.org

Critical Infrastructure

CRITICAL INFRASTRUCTURE PROTECTION IS ALL ABOUT OPERATIONAL RESILIENCE AND CONTINUITY

By Dr. Jim Kennedy, MRP, MBCI, CBRM

It has always been the policy of the United States to ensure the continuity and security of the critical infrastructures that are essential to the minimum operations of our economy and government. This critical infrastructure includes essential government services, public health, law enforcement, emergency services, information and communications, banking and finance, energy, transportation, and water supply.

So even before the events of 9/11, the Executive Branch of our government, the President through Presidential Decision Directive 63 (PDD 63) issued May 22, 1998, ordered the strengthening of the nation’s defenses against emerging unconventional threats to the United States, including those involving terrorist acts, weapons of mass destruction, assaults on critical infrastructures, and cyber-based attacks.

But how many of us really understand what an immense undertaking that was? What is the critical infrastructure in the United States?

  • More than 3,000 government facilities
  • 7,569 Hospitals
  • Telecommunications: 2 billion miles of cable; thousands of telephone switching central offices
  • Energy: 2800 Electric power plants; 300,000 oil and natural gas producing sites; 104 nuclear power plants
  • Transportation
    • 5000 public airports
    • 500,000 highway bridges
    • 2 million miles of pipelines
    • 300 coastal ports
    • 500 major urban public transit operators
  • 4,893 banks or savings institutions have more than $100 billion in assets
  • 66,000 chemical and hazardous material producing plants
  • 75,000 dams
  • 51,450 fire stations responding to 22,616,500 calls for assistance each year.

US businesses and every individual rely in some manner on the above every day. We depend on their operational resiliency and continuity of operations.

Initially, critical infrastructure assurance was essentially a state and local concern. With the massive use of information technologies and their significant interdependencies it has become a national concern, with major implications for the defense of our homeland and the economic security of the United States.

However, given all of the focus on critical infrastructure, one in three critical infrastructure operations still goes without a business continuity or continuity of operations plan, and three out of five of those operations with plans have never tested their plans as ‘fit for purpose.’

Up until this year the electrical energy sector had no single body setting security and availability standards and practices for its operation. In 2006 the Federal Energy Regulatory Commission (FERC) selected the North American Electric Reliability Council (NERC) as the Electric Reliability Organization (ERO) and standard setting body in the US for electric utilities. Contingency and continuity of operations plans in this segment of the critical infrastructure are minimal at best, as is typical across the entire energy sector (e.g. transmission, generation, oil and gas distribution, etc.).

In the financial sector many institutions, despite regular audits and increased governmental regulations, still do not have adequate continuity plans in place and information security is marginal.

Although the deadline for HIPAA compliance has officially passed, a significant percentage of covered health care organizations still have not achieved basic HIPAA compliance, according to a recent industry survey. They lack emergency operations plans and even in some cases proper disaster recovery plans for patient care systems, which contain critical patient healthcare information.

So even though there are laws and regulations and a very clear focus on the protection and resilience of critical infrastructure operations it has not seemed to translate into practice for the actual critical infrastructure operations across the US.

Critical infrastructure protection is all about operational resilience. In the GAO’s ‘Critical Infrastructure Protection – Significant Challenges in Safeguarding Government and Privately Controlled Systems from Computer-Based Attacks’ the report refers to service continuity controls as: “controls that ensure that when unexpected events occur, critical operations will continue without undue interruption and that crucial, sensitive data are protected.” It (the report) goes on to say that: “Service continuity controls should address the entire range of potential disruptions including relatively minor interruptions, such as temporary power failures or accidental loss or erasure of files, as well as major disasters, such as fires or natural disasters, that would require reestablishing operations at a remote location.”

So how is this to be accomplished? The most effective way is for the development of a thorough and comprehensive business continuity or business resiliency management program. That program can be based on the NIPP Risk Management Framework, which consists of:

  • Set Security Goals
  • Identify Assets, Systems, Networks, and Functions
  • Assess Risks
  • Prioritize Mitigation Efforts
  • Implement Mitigation Strategies and Protective Programs
  • Measure Effectiveness
  • Start back at the beginning

I have attempted to outline below a process to aid critical infrastructure operations, utilizing the above CIPP Risk Management Framework coupled with an effective governance model, in addressing business continuity and resiliency needs.

First a certified business continuity planner needs to be selected and must obtain senior management agreement and sponsorship for the program to be developed. With this sponsorship budgets and manpower can be allocated for the project.

Second, the planner must solicit aid from multiple areas of the operation or business. This can be accomplished by establishing a Business Continuity or Business Resiliency Steering Committee. This committee will be comprised of middle management from across the operation (e.g. technical, operational, financial, HR, etc.). The function of this committee is to establish the direction and approve the program, identify tools to be used, establish metrics, and report to senior management on progress.

Next, if the amount of work to be done is substantial or if the business continuity or resiliency program is starting from scratch, is the development of a Business Continuity or Resiliency Program Office. This may be comprised of one or more individuals who are responsible (using project management disciplines) for ensuring that the planning and mitigation tasks are implemented consistently throughout the organization. They must also track and report on progress.

With the governance in place, the CIPP framework can be implemented and work can begin to put it into practice within the organization. The steering committee will work with senior management to establish the direction and communicate the goals within the organization.

Identifying the critical assets is the next step. In everyday business continuity planning this equates to performing a business impact analysis. Here business continuity planners will work to develop a clear picture of which components (people, process, and/or technology) of the operation are critical to carrying out its mission, and to identify how long it can do without, or work around, those components if they become unavailable.

The next step in the CIPP Risk Management Framework is the assessment of risk. This equates to the business continuity planner’s risk assessment. The risk assessment is the process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce the organization’s exposure and evaluating the cost of such controls. Risk analysis often involves an evaluation of the probability of a particular event.

Once the risk assessment is complete it will be necessary to move to the next step in the CIPP Framework, that of prioritizing the risks and developing mitigation strategies based on the operation’s risk appetite. Here is where the organization determines how to address the risk: mitigate it, pass it on to another entity (insurance) or simply ignore it.

Whatever makes the best business sense is then translated into a protective plan, which is then implemented under the direction of the program office. This point in time, when the mitigation strategies are identified and are being implemented, is where the business continuity or resiliency plan can be developed. Again, business continuity subject matter experts are best utilized to accomplish this task, as they have developed plans for similar business operations. Once the mitigation efforts are in place and the plans completed, awareness training and exercising of the plan are appropriate.

Lastly, before starting the whole effort over again, is measuring effectiveness. Is the plan, and are the mitigation strategies, “fit for purpose?” Do they adequately protect the operation from adverse events? If not, then the plan and mitigation efforts will have to be reviewed and modified as appropriate.

What has been accomplished is the beginning of a continuing effort to maintain the operation of the critical infrastructure. It has no end. It needs to be reviewed for every change to the operation.

I have been fortunate to help many critical infrastructure organizations build business continuity and resiliency into their operations. It is not easy but, as Presidents past and present indicate, it is of the utmost importance to make sure that the United States’ critical infrastructure is adequately protected, as its citizens rely upon it every day for their safety, protection, and wellbeing. It is difficult, but as has been said: the beginning of any important journey starts with a single step.

Dr. Jim Kennedy is the Business Continuity Services Practice Lead and a Consulting Member of Technical Staff for Lucent Technologies. Dr. Kennedy has over 25 years’ experience in the business continuity and disaster recovery fields and holds numerous Master level certifications in network engineering, information security and business continuity. He has developed more than 30 recovery plans, planned or participated in more than 100 business continuity and disaster recovery tests, helped to coordinate three actual recovery operations, authored many technical articles on business continuity and disaster recovery and is a co-author of two books, the ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’, and author of the e-Book entitled ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic.’


jtkennedy@lucent.com

brcci.org

Developing Seamless Business Continuity and Disaster Recovery Plans

By Dr. Jim Kennedy

Introduction
The recovery times for both the business organization’s business continuity plan and the IT department’s disaster recovery plan need to be developed through the collaboration of both parties for either plan to provide the proper protection. However, in my thirty-five years in the business continuity and resiliency field I have found that in many situations they are not.

The reasons for this can be timing or a lack of knowledge of the overall business continuity and/or disaster recovery planning process coupled with a lack of understanding of each other’s real recovery timing needs.

The purpose of this article is to provide a framework in which the recovery time objectives (RTOs) for the business continuity and the disaster recovery plan can be developed together.

Reason for inconsistencies and failures
Generally the drivers for business continuity and disaster recovery planning are considered to be one and the same, but this is not always the case. Many times the very design process for IT infrastructure requires that the IT organization develop disaster recovery planning thoughts and plans early in the application and/or systems development process. So, early in the project’s timescale for the development of a new application or system, IT must have some understanding of what kind of recovery timing and recovery point timing will be needed to support the technology to be deployed. IT will try to obtain the RTO and RPO (recovery point objective) numbers, but the business is most often focused on ensuring that the deployment of the new business process or function is rolled out on time and within budget. The business organization is not thinking about business continuity planning at this time. So, IT will take it upon itself to develop a best guess of the required recovery times, either based on conversations with the business organization or on its own, if the latter cannot or will not commit to a number.

In other cases that I have seen, there is a clear lack of knowledge about business continuity and disaster recovery planning. Each organization knows that they need either a business continuity or a disaster recovery plan but they are not trained in the overall steps in developing such plans. As such the business organization does not understand the risks, tradeoffs, and costs involved in developing a proper business continuity plan. The business organization also often does not understand that it needs to properly analyze the operation to better understand the recovery requirements during the process/systems/application development phase of the systems/process development life cycle or, as ITIL defines it, the application life cycle (ALC). The business organization needs to quantify the impacts of loss of that process or system; and may not be sure of the right questions to ask – not only in terms of loss of productivity, but in terms of costs to process manually in case of a system loss or failure. Can the organization develop and use manual processes at all if the system or IT infrastructure fails? Does the organization have the human resources to perform the necessary manual processes or will they need to bring in contingent workers and for how long and for what cost? Every business organization needs to clearly understand and to articulate their operation’s maximum tolerable period of disruption (MTPD).

MTPD is the maximum time an activity or resource can be unavailable before irreparable harm is caused to the organization. This applies to both customer-facing and internal activities. Note that the recovery time objective specifies the time by which an organization intends to recover an activity or resource: the maximum tolerable period of disruption is the upper bound on this time.

The business needs to utilize the MTPD to develop its processes and contingency processes, and the IT organization needs to understand the MTPD to properly develop its technology and RTO which, in turn, will enable the business to achieve its RTO objectives.

At the same time, IT needs to utilize the recovery time numbers developed by the business organization as a basis for its system and infrastructure RTO values.

Standards and planning process
There are so many business continuity and disaster recovery standards to choose from, as well as other related standards of practice, that this might be the reason for all of the confusion. The fact that none of these standards really talks of integrating the business recovery and the IT technology recovery plans together into the overall process or application development life cycle complicates the matter even further.

There is also the issue that business continuity and/or disaster recovery planning classes are usually only electives in business administration or computer technology/information systems curricula. So we are not exactly preparing our next batch of business or technology leaders to properly understand the methods, or importance, of contingency planning.

All that being said, most of the standards that exist do have a pretty consistent set of predefined steps to be reasonably successful. So if we take all of the contingency planning steps and align them with the ITIL ALC phases the planning cycle will integrate system development with continuity planning together at the best possible time in the development process.

I will outline the steps below in developing business continuity and disaster recovery plans with their corresponding points within the ITIL application development life cycle:

STEPS IN BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING, WITH THE CORRESPONDING ITIL APPLICATION LIFE CYCLE PHASE

1) Understand the Organization
   a. Risk Assessment
   b. Business Impact Assessment
      i. Determine MTPD for operation
      ii. Develop RTO for Critical Systems
      iii. Develop RPO for Critical Systems
   ITIL phase: Requirements – requirements gathered based on business needs of the organization

2) Evaluate and Determine Strategy
   a. BC strategy to meet RTO/RPO
   b. DR strategy to meet RTO/RPO
   ITIL phase: Design – requirements translated into specifications

3) Develop Plans
   a. BCP – Business Organization
   b. DRP – IT Organization
   ITIL phase: Build – Application and the operational model are made ready for deployment

4) Exercise Plan
   ITIL phase: Operate – IT operates the application as part of the business service

5) Audit and Maintain Plan
   ITIL phase: Optimize

Using the standards and good practices
During the requirements gathering phase of the ITIL ALC the business owner should have also conducted the risk assessment and business impact analysis or BIA. The results of these two activities allow the business owner to clearly see the impact on the business of a failure or discontinuation of operations in either, or both, of the business or IT operations. They can then translate that knowledge from the risk assessment and business impact analysis into quantifiable RTO and RPO numbers to be used in the next phase of business continuity and disaster recovery planning (Evaluate and Determine Strategy) and the Design phase of the ITIL ALC.

The RTO and RPO numbers are used to develop alternative strategies that meet the recovery time and point needs. A cost for each alternative design is developed. The cost is the total of the IT cost to design, implement, build and operate; and the business cost for any workarounds or special handling during the outage period; plus costs to load any transactions processed during that outage period into the system (processing resynchronization) after they are brought back on-line and are processing again as before the incident.

The alternative strategies are then compared using a cost and benefit (time, reduced workaround complexity, etc.) analysis of each one. The best option returns the application to operation in a reasonable time at a cost acceptable to both the business and IT. Whichever alternative is selected will require input from both IT and the business to properly address the risk of an outage: the business must ensure that it can perform the workarounds, and still meet all of its business, regulatory and audit obligations, for the whole period that the chosen alternative gives the IT organization to restore the systems needed to restart the application and its associated services.

For the plans to be effective and ‘fit for purpose’ it is very important that the business and IT are on the ‘same sheet of music’ as to recovery times and points. It is no good if the business has planned its resources and workarounds around a system recovery time of 24 hours only to find that the system will be down for 48 hours. On the other side of the coin, it is not fiscally responsible to pay the cost of expediting the recovery time of an IT system to under four hours if the business can tolerate an outage of 24 hours or more at a much lower cost for the final IT solution.

Once it has been concluded that both plans are consistent with each other, the actual plans can be developed. While the business prepares for implementation of the new application and/or service, IT will make ready the systems and infrastructure needed to also meet the business schedule for implementation.
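The strategy selection described above can be made mechanical once the BIA numbers exist. The following is an added example, not code from the article or from Recovery-Solutions: it applies the article's cost model (IT cost, plus business workaround cost for the outage, plus transaction resynchronization cost) to constructed candidate designs, rejects any design whose RTO or RPO the business cannot live with, flags a design that is far faster than the business needs, and picks the cheapest remaining one. The application name, cost figures and the 0.25 "over-engineered" threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BusinessNeed:
    """Outputs of the risk assessment and BIA for one application."""
    name: str
    mtpd_hours: float   # maximum tolerable period of disruption
    rto_hours: float    # recovery time the business has planned its workarounds around
    rpo_hours: float    # tolerable data-loss window


@dataclass(frozen=True)
class DRStrategy:
    """One alternative IT recovery design with constructed cost figures."""
    name: str
    rto_hours: float                 # IT's committed restore time (hardware, software, DB sync)
    rpo_hours: float                 # worst-case data loss the design allows
    it_cost: float                   # design + implement + build + operate
    workaround_cost_per_hour: float  # business cost of manual handling while the system is down
    resync_cost_per_hour: float      # cost to load manually handled transactions back into the system


def total_cost(s: DRStrategy) -> float:
    """The article's cost model. Assumption (not from the page): both business
    costs scale linearly with the length of the outage, i.e. with the RTO."""
    outage = s.rto_hours
    return s.it_cost + (s.workaround_cost_per_hour + s.resync_cost_per_hour) * outage


def assess(need: BusinessNeed, s: DRStrategy) -> list:
    """Reasons a strategy is not fit for purpose; an empty list means feasible."""
    issues = []
    if s.rto_hours > need.mtpd_hours:
        issues.append(f"IT RTO {s.rto_hours}h exceeds MTPD {need.mtpd_hours}h")
    if s.rto_hours > need.rto_hours:
        issues.append(f"IT RTO {s.rto_hours}h is longer than the {need.rto_hours}h "
                      f"the business planned its workarounds for")
    if s.rpo_hours > need.rpo_hours:
        issues.append(f"RPO {s.rpo_hours}h exceeds business RPO {need.rpo_hours}h")
    return issues


def over_engineered(need: BusinessNeed, s: DRStrategy, factor: float = 0.25) -> bool:
    """The opposite failure mode: paying to recover far faster than the business
    can tolerate (the four-hours-against-24 case). The factor is an assumption."""
    return s.rto_hours <= need.rto_hours * factor


def select_strategy(need: BusinessNeed, strategies) -> Optional[DRStrategy]:
    """Cheapest alternative that meets RTO/RPO; None if nothing is feasible."""
    feasible = [s for s in strategies if not assess(need, s)]
    return min(feasible, key=total_cost) if feasible else None


# Constructed figures (not from the page): one application, three candidate designs.
ORDER_ENTRY = BusinessNeed("order entry", mtpd_hours=72, rto_hours=24, rpo_hours=4)
CANDIDATES = [
    DRStrategy("Tape restore at cold site", 48, 24, 20_000, 500, 200),
    DRStrategy("Warm standby, 4h log shipping", 24, 4, 60_000, 500, 200),
    DRStrategy("Hot site, synchronous replication", 2, 0, 250_000, 500, 200),
]

if __name__ == "__main__":
    for s in CANDIDATES:
        tag = "  (over-engineered)" if over_engineered(ORDER_ENTRY, s) else ""
        print(f"{s.name:36} cost {total_cost(s):>10,.0f}  issues: "
              f"{assess(ORDER_ENTRY, s) or 'none'}{tag}")
    chosen = select_strategy(ORDER_ENTRY, CANDIDATES)
    print("selected:", chosen.name if chosen else "no feasible alternative")
```

With these figures the cold-site option fails on both RTO and RPO, the hot site is feasible but costs more than three times the warm standby for a recovery time the business never asked for, and the warm standby is selected. The same comparison, run with the business's real BIA numbers, is the evidence that the business and IT plans were agreed on the same recovery time.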

Exercising the plans
There is one caveat, however. Even if both sides have planned together and based their plans on a single, consistent recovery time, the two planning activities still need to verify, by exercising the plans together, that the IT recovery timing (the disaster recovery plan, which includes hardware restoration, software restoration, synchronization of databases, etc.) actually comes in on time to meet the business’ needs as provided for in the business continuity plan.

Only in testing and timing the two recovery processes to ensure that they are coincident can an organization truly be confident that the overall plans will be successful.
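What "testing and timing" the IT recovery looks like in practice is a step-by-step record kept during the joint exercise and compared against the RTO the business plan assumes. The following is an added example, not the article's own material: it parses a constructed exercise log (the step names, planned durations and timestamps are invented for the example), computes how long each step and the whole recovery actually took, and reports which steps overran and whether the end-to-end time met the business RTO.

```python
import re
from datetime import datetime

# Constructed exercise record (not a real exercise): one line per recovery step, as the
# exercise controller would log it while IT and the business run their plans together.
EXERCISE_LOG = """\
hardware_restoration   planned=6h  start=2011-01-15T08:00 end=2011-01-15T15:30
software_restoration   planned=4h  start=2011-01-15T15:30 end=2011-01-15T19:00
database_sync          planned=6h  start=2011-01-15T19:00 end=2011-01-16T07:15
business_verification  planned=2h  start=2011-01-16T07:15 end=2011-01-16T09:00
"""

LINE = re.compile(r"(\S+)\s+planned=([\d.]+)h\s+start=(\S+)\s+end=(\S+)")


def parse_steps(log_text: str) -> list:
    """Turn the log into (step, planned_hours, start, end) tuples, skipping malformed lines."""
    steps = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        step, planned, start, end = m.groups()
        steps.append((step, float(planned),
                      datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return steps


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def evaluate_exercise(log_text: str, business_rto_hours: float) -> dict:
    """Compare the timed IT recovery with the RTO the business continuity plan assumes.

    Planned durations summing to less than the RTO are not proof of anything; only the
    elapsed time from the first step's start to the last step's end is.
    """
    steps = parse_steps(log_text)
    if not steps:
        raise ValueError("no recovery steps found in exercise log")

    overruns = [(step, planned, hours(start, end))
                for step, planned, start, end in steps
                if hours(start, end) > planned]
    first_start = min(start for _, _, start, _ in steps)
    last_end = max(end for _, _, _, end in steps)
    elapsed = hours(first_start, last_end)

    return {
        "planned_hours": sum(planned for _, planned, _, _ in steps),
        "elapsed_hours": elapsed,
        "meets_rto": elapsed <= business_rto_hours,
        "overruns": overruns,   # (step, planned hours, actual hours)
    }


if __name__ == "__main__":
    result = evaluate_exercise(EXERCISE_LOG, business_rto_hours=24)
    print(f"planned {result['planned_hours']}h, actual {result['elapsed_hours']}h, "
          f"meets 24h RTO: {result['meets_rto']}")
    for step, planned, actual in result["overruns"]:
        print(f"  overrun: {step} planned {planned}h, took {actual}h")
```

In the constructed log the plan adds up to 18 hours, comfortably inside a 24-hour RTO, yet the exercise takes 25 hours because hardware restoration and the database synchronization both overrun. That is exactly the discrepancy the paragraph above warns about, and it is only visible once the two plans are exercised together and timed.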

The author
Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV, CRISC has a PhD in Technology and Operations Management and is the chief consulting officer for Recovery-Solutions. Dr. Kennedy has over 30 years’ experience in the information security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of three books, ‘Security in a Web 2.0 World – a standards based approach,’ ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and is author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Dr. Kennedy can be reached at Recovery-Solutions@xcellnt.com

brcci.org

Disaster Recovery Planning & Cloud Computing


Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV

January 2011

If you asked a group of IT practitioners or business people what cloud computing is they would probably answer in a manner consistent with blind men trying to describe an elephant with only the sense of touch. Each would have an answer consistent with their own specific perceptions.

In fact, Public Cloud Computing is a relatively new term that has been around for only a few years. It refers to the use of information technology services, infrastructure and resources that are provided on a subscription basis. Public Cloud Computing is a Web- or Internet-accessed business solution in which most or all of the computing infrastructure (computers, network, storage, etc.) is located away from the actual business site and is managed by a third party.

Many companies rely upon Public Cloud Computing, in part or in whole, for their business operations, critical and otherwise. So as we look at disaster recovery and Public Cloud Computing we are looking at a relatively new set of risks that need to be addressed to properly protect a business against unforeseen events.

Before I address the areas of concern to DR planning for public cloud computing let me discuss the various popular forms of public cloud computing available to the business.

There are three basic types:

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

Software as a Service (SaaS) is defined as a service based on the concept of renting software from the service provider rather than buying it individually for your business. The software is hosted on network servers which are made functionally available over the web or an intranet. This service provides software on demand and is currently the most popular type of public cloud computing because of its flexibility, its ability to be scaled, and because maintenance is provided by the service provider as part of the cost of the service. There are many CRM, ERM and unique applications that are all provided as SaaS services. With web-based services all that employees need to do is register and log in to the cloud-provided instance. The service provider hosts both the application and the data, so the business user can use the service from anywhere, potentially across the globe. With SaaS the service provider is responsible for all issues dealing with capacity, upgrades, security and service availability.

Platform as a Service (PaaS) is defined as a service that offers a platform for developers. The business users develop their own code and the service provider uploads that code and allows access to it on the web. The PaaS provider provides services to develop, test, deploy, host and maintain applications on their development environment. The service providers also provide various levels of support for the creation of applications. Thus PaaS offers a quicker and cheaper model for application development and delivery. The PaaS provider will manage upgrades, patches and system maintenance.

Infrastructure as a Service (IaaS) is defined as a service where the service provider delivers the computing infrastructure as a fully outsourced service. The user can purchase various components of the infrastructure according to their requirements when they need them. IaaS operates on a “pay as you go” model, ensuring that users pay for only what they have contracted for – such as network, computing platforms, rack space, and environmental (HVAC and power). Virtualization has enabled IaaS vendors to deliver high volumes of servers to customers. IaaS users purchase access to enterprise-grade IT infrastructure and resources, and to the personnel who keep the infrastructure running. No application, database or data monitoring is provided by the hosting vendor above the OS level unless contracted at an additional cost.

Basic Flaw in the “. . . as a Service” Offerings

In the cloud computing definitions that are evolving, the services in the cloud are provided by third-party providers and accessed by businesses via the internet. The resources are accessed as a service on a subscription basis. The users of the services being offered most often have very little knowledge of the technology being used, the security being deployed, the availability of the service being offered, or the operating best practices (monitoring, patching, maintenance, etc.) followed by the service provider. The business subscribers also have little or no control over the infrastructure that supports the technology or service they are using.

How to Take Control

Under the standard of “Due Care”, and charged with the ultimate responsibility for meeting business information technology objectives or mission requirements, senior management must ensure that the services they contract, including these “. . . as a Service” solutions, are appropriate to meet all of the necessary business requirements in the legal, technical, financial and operational areas.

This business continuity due diligence comes only through a thorough vetting of the “. . . as a Service” provider in several areas. I have listed some of the more important ones below.

Legal & Regulatory

  • Will the service provider meet any of your data breach notification requirements (remember, even though they are hosting, you are responsible for the data under your protection, i.e. PHI, PII, etc.)?
  • Will the provider meet the data retention requirements of the business?
  • Will the provider meet the standards for data encryption and protection you require?
  • Are “Safe Harbor” needs met?
  • Is data destruction or return at the end of the contract well defined to meet your business requirements?
  • What is their incident management program?
  • Are they prepared to react in a timely fashion in case of any eDiscovery needs for data they store for you?

Service Availability

  • Are the facilities housing the service provider adequately secured (video surveillance, access control, etc.)?
  • Are the RPOs and RTOs consistent with the business’ requirements?
  • How often are backups taken, are they maintained off-site, and have backups and restores been tested to your satisfaction?
  • Are standard backup methods and media used, just in case the business needs to bring data back in house?
  • Are maintenance and maintenance windows satisfactory for your operational needs?
  • What types of technical security do they employ (i.e., firewalls, virus protection, intrusion detection devices, etc.)?
  • Are their hours of operation coincident with yours?
  • If you are a global company, do they provide multilingual support?
  • Are there clear escalation procedures in case of an incident?
  • Does the vendor provide geographic diversity, so that if one site goes down another can be used in its place?

Operational

  • Do they have a current SAS 70 Type II audit findings report?
  • Have they corrected any areas of concern to your business?
  • What capacity planning do they have in place to meet the growing needs of your business?
  • What standards of practice do they adhere to (i.e., ISO 27001, BS25999, etc.)?
  • Do they have a patch management program in place, and what is it? Does it meet your requirements?
  • Do their SLAs meet your business and operational requirements?

I have developed a hosting questionnaire which each “. . . as a Service” vendor is required to answer to the satisfaction of my client, and I would recommend that you do the same. Sometimes it takes a few iterations to complete the form to the satisfaction of the client, but when completed it does provide documentation of due diligence and a clearer picture of what can be expected from the service provider. If the vendor will not complete the questionnaire then it would be best to move on to another vendor – regardless of cost. If you can’t come to terms before a contract or Statement of Work is signed it will be ten times more difficult to come to an agreement after signature.
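A questionnaire is only useful if its answers are checked against what the business actually requires. The following is an added example, not the author's questionnaire or any client's data: it encodes a subset of the checks from the three lists above (breach notification and retention under Legal & Regulatory; RTO, RPO, backup frequency and escalation under Service Availability; audit report currency and standards under Operational) and produces a gap list per heading from a provider's constructed answers. The requirement values, vendor answers, review date and field names are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HostingRequirements:
    """What the business needs from a '. . . as a Service' provider (constructed)."""
    rto_hours: float
    rpo_hours: float
    retention_days: int
    breach_notification_hours: int
    encryption_at_rest: bool
    standards: frozenset          # e.g. ISO 27001, BS 25999
    audit_max_age_days: int       # how recent the SAS 70 Type II report must be
    data_return_at_end: bool


@dataclass(frozen=True)
class VendorAnswers:
    """One provider's questionnaire responses (constructed)."""
    rto_hours: float
    rpo_hours: float
    backup_interval_hours: float
    retention_days: int
    breach_notification_hours: int
    encryption_at_rest: bool
    standards: frozenset
    audit_report_date: date
    data_return_at_end: bool
    escalation_procedure: bool


def gap_analysis(req: HostingRequirements, v: VendorAnswers, today: date) -> dict:
    """Return the gaps grouped under the article's three headings."""
    legal, avail, ops = [], [], []

    # Legal & Regulatory: the business stays responsible for the data it hosts elsewhere.
    if v.breach_notification_hours > req.breach_notification_hours:
        legal.append(f"breach notification in {v.breach_notification_hours}h, "
                     f"business needs {req.breach_notification_hours}h")
    if v.retention_days < req.retention_days:
        legal.append(f"retention {v.retention_days} days, business needs {req.retention_days}")
    if req.encryption_at_rest and not v.encryption_at_rest:
        legal.append("no encryption of data at rest")
    if req.data_return_at_end and not v.data_return_at_end:
        legal.append("data return/destruction at end of contract not defined")

    # Service Availability: the vendor's recovery figures must fit the business BIA.
    if v.rto_hours > req.rto_hours:
        avail.append(f"vendor RTO {v.rto_hours}h exceeds business RTO {req.rto_hours}h")
    if v.rpo_hours > req.rpo_hours:
        avail.append(f"vendor RPO {v.rpo_hours}h exceeds business RPO {req.rpo_hours}h")
    if v.backup_interval_hours > req.rpo_hours:
        # A stated RPO is not credible if backups are taken less often than the RPO.
        avail.append(f"backups every {v.backup_interval_hours}h cannot support "
                     f"a {req.rpo_hours}h RPO")
    if not v.escalation_procedure:
        avail.append("no documented incident escalation procedure")

    # Operational: evidence of practice, not just promises.
    if (today - v.audit_report_date).days > req.audit_max_age_days:
        ops.append(f"audit report dated {v.audit_report_date} is older than "
                   f"{req.audit_max_age_days} days")
    missing = req.standards - v.standards
    if missing:
        ops.append("does not adhere to " + ", ".join(sorted(missing)))

    return {"Legal & Regulatory": legal, "Service Availability": avail, "Operational": ops}


def acceptable(gaps: dict) -> bool:
    """True only when every heading is free of gaps."""
    return not any(gaps.values())


# Constructed review inputs (not real requirements, vendors or dates).
REQUIREMENTS = HostingRequirements(
    rto_hours=24, rpo_hours=4, retention_days=2555, breach_notification_hours=24,
    encryption_at_rest=True, standards=frozenset({"ISO 27001", "BS 25999"}),
    audit_max_age_days=365, data_return_at_end=True)
VENDOR_A = VendorAnswers(
    rto_hours=8, rpo_hours=4, backup_interval_hours=24, retention_days=365,
    breach_notification_hours=72, encryption_at_rest=True,
    standards=frozenset({"ISO 27001"}), audit_report_date=date(2009, 6, 30),
    data_return_at_end=True, escalation_procedure=True)
VENDOR_B = VendorAnswers(
    rto_hours=12, rpo_hours=1, backup_interval_hours=1, retention_days=2555,
    breach_notification_hours=12, encryption_at_rest=True,
    standards=frozenset({"ISO 27001", "BS 25999"}), audit_report_date=date(2010, 9, 1),
    data_return_at_end=True, escalation_procedure=True)
REVIEW_DATE = date(2011, 1, 31)

if __name__ == "__main__":
    for name, vendor in (("Vendor A", VENDOR_A), ("Vendor B", VENDOR_B)):
        gaps = gap_analysis(REQUIREMENTS, vendor, REVIEW_DATE)
        print(name, "acceptable" if acceptable(gaps) else "has gaps")
        for heading, items in gaps.items():
            for item in items:
                print(f"  [{heading}] {item}")
```

Vendor A quotes an RPO of four hours but only backs up daily, notifies of breaches within 72 hours, keeps data for a year and offers an audit report from 2009; each of these is a separate, documented gap to resolve before signature. Vendor B clears every check. The point is the paper trail: the gap list is the due-diligence record the paragraph above describes, and it is what the negotiation is about.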

In Summary

Now, this article has only scratched the surface and provided information on the basic questions that should be asked and answered to protect businesses utilizing “. . . as a Service” providers. However, the intent of this article was to inform the reader that there are many types of “. . . as a Service” offerings, and ways to reduce and/or eliminate problems that I have experienced over the last few years. The issue the article wants to impress upon the reader is one of due diligence. We as corporate or governmental IT security or business continuity experts need to make sure that our organizational leaders have the necessary information to make informed choices for the protection of critical and sensitive information, and to allow them to decide between implementing adequate controls and safeguards now to protect against risks, or potentially paying later in reparations and in the lost confidence of those whose data they (senior management) have been entrusted to protect but have lost or allowed to be taken.

The author

Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV has a PhD in Technology and Operations Management and is the Chief Consulting Officer for Recovery-Solutions. Dr. Kennedy has over 30 years’ experience in the information security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of two books, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Author can be reached at Recovery-Solutions@xcellnt.com