The Ultimate Guide To Business Continuity


From CSO Magazine and
Business Risk Leadership

Contents
Pre-incident planning and incident response
Disruptions A to Z
Exercises
CSO EXECUTIVE GUIDE: THE ULTIMATE GUIDE TO BUSINESS CONTINUITY

A disaster just isn’t what it used to be. In years gone by, most companies defined a disaster as an act of nature—a hurricane, tornado, flood or fire that ravaged a building and wiped out a company’s ability to conduct business. Today, with worldwide networks, Web apps and 24/7 call centers, even a common electrical failure could spell disaster, if it brings communications and online transactions to a screeching halt.

Business continuity involves much more than planning for disasters, though. It’s about taking steps to ensure that unexpected events have a minimal impact on a company’s ability to keep the business going. The focus is on continuity, not crisis. Good planning must take into account everything from people and communications to travel and facilities.

Because business continuity and disaster recovery share much in common, they are often lumped together. However, before we get started, it’s important to mention that the two things are actually distinct, but intertwined. Disaster recovery assumes that something has happened to disrupt business, and it’s time to start things back up again. Disaster recovery is the set of steps and processes involved in restoring a business to normal operation after its operations have been partially or completely interrupted by some event. Business continuity planning, on the other hand, is making plans to keep your business going even when something unexpected happens. A good business continuity plan might perhaps keep a situation from truly turning into a disaster.

All of this planning creates a hoary goal that can never be met 100 percent. It involves weighing risks and tradeoffs, thinking about bad scenarios and worse, making tough decisions about which business functions are most important, and determining the dollar value of keeping your business running even in the face of horrendous events.

However, this gut-wrenching work has several benefits. It can enhance employee safety, mitigate corporate liability, help meet regulatory requirements, and protect or even enhance your company’s public image. In short, it’s good for business, as long as it’s done in a smart, risk-oriented way.

This paper is intended to help you sort through the many issues at stake and begin to plan and prioritize how to protect your business from the damaging effects of any interruption—whether it’s a small incident that affects just one building, or a major event that makes headlines across the country.

Section 1: Pre-Incident Planning and Incident Response

Good business continuity planning starts with being proactive. That means taking concrete steps to plan for an incident weeks, months or even years before it actually occurs. There’s no one-size-fits-all approach. Much of business continuity planning varies based on the size of your company, your line of business, and the locations of your company, customers and suppliers. No matter the particulars, however, there are certain fundamentals you’ll need to cover—from making a business case to pulling together a team to potentially hiring a third party to help. We’ll walk you through each step.

Step 1: Establish the Business Case

If you want to make an effective business case for business continuity, you need to make its effects tangible, before disaster strikes. That means emphasizing not just the importance of risk mitigation, but also the business value and competitive edge that a strong business continuity plan can provide. That’s easier said than done, but here are some tactics that can help.

Use regulatory compliance to your advantage. In certain industries, regulations will define your business continuity strategy. Especially if your company is in the healthcare, financial services or insurance industry, the need to comply with regulations may dictate your thresholds for recovery.

Aim to create a business continuity plan that reflects your company’s culture. Business continuity means different things to different people. The type of business continuity plan you design and how you sell it will be influenced by your company’s culture and organizational structure. Understanding this cultural landscape will help you craft a plan that is less likely to meet resistance from other parts of the business.

Encourage grass-roots support by meeting individually with people in different business units. A good business continuity plan creates alignment among security, IT and corporate strategies and policies. Lay the groundwork for that by meeting with the people in individual business units and trying to understand their mindset and expectations.

Stay flexible. Asking for support for a business continuity program doesn’t mean you’re asking the business to treat every application and piece of infrastructure the same way. “Just because you need failover capability for one application doesn’t mean you need that same capability for all files and systems,” said Jim Grogan, vice president of consulting product development for SunGard Availability Services. “Creating a blended solution helps the business become confident they are spending money wisely based on business principles and policies.”

Find ways that business continuity can add to the bottom line. Finally, try to approach business continuity as a way of doing business—not as an add-on. One way to get executives to see that is to convince them how having a strong plan in place can improve revenue. “When [the] LaSalle [Bank Building] had a major fire in 2004, they continued to process,” said Jack Smith, vice president and manager of global IT business continuity at ABN-Amro (which owned LaSalle at the time). “No critical functions were interrupted, despite it being one of the largest fires in the history of Chicago. Staying up when others may be down is good business—not to mention good public relations.”
Step 2: Follow a Planning Process

Once you have the go-ahead, how do you actually get started? Fortunately, there is a pretty standard set of things a business continuity plan should encompass. Obviously the first priority is to protect human life. However, much of the planning focus is necessarily on how to manage the smaller, less critical events, which happen much more frequently than catastrophic ones.

According to Tom Olzak, an author and blogger who has almost three decades of experience in network engineering and security, well-planned business continuity event management has several goals:

To minimize the business impact of each incident.
To address human safety.
To mitigate corporate liability due to lack of due diligence.
To meet regulatory requirements.
To protect the organization’s public image by a fast, professional response.

“A business continuity plan includes all documentation necessary to mitigate business impact and to recover broken processes,” Olzak writes. Chief among those are plans for putting manual processes in place, so that you can continue to deliver products or services—even at a lower level of output—until the business has fully recovered. The plan should also include instructions for recovering individual devices or systems, disaster recovery processes for catastrophic events, and possibly contacts or agreements for alternate data centers or business office sites as well as alternate staffing.

Part of the initial planning process should include creating a list of stakeholders for each supported system. These lists will become part of your overall incident response plan. According to Olzak, stakeholders might include: data owner, process owner, managers, public relations, legal, security, help desk, facilities management, labor unions, and key customers.

Step 3: Build and Train the Team (or Teams)

As soon as possible, you’ll want to start pulling together a team—or teams—of people who’ll be responsible for business continuity planning. The sooner you can involve them in the planning process, the easier it will be to get buy-in and ensure that the plan will meet your business needs. It’s likely that you’ll need both an upper-level planning team and a front-lines incident response team.

The upper-level planning and execution will likely come from a management incident response team (MIRT), sometimes called a crisis response team. This cross-functional team might include the CISO/CSO, chief privacy officer, general counsel, chief compliance officer, business line presidents and public relations (or functional equivalents). During an event, this group ensures that accurate and complete data is gathered concerning the incident, and works to communicate this information to the stakeholders.

A front-lines incident response team, sometimes a cyber incident response team (CIRT), will be more focused on answering questions like: “What happened? How did it happen? What damage has been done? And how do we prevent it from happening again?” That team is likely to include the following:

Team Manager. Has overall responsibility to ensure business objectives are met during a response and is also responsible for communicating status to senior management.

Technical Lead. Charged with assessing impact on the technology infrastructure, and responsible for containment and recovery activities as they relate to information technology. This person might supervise one or more engineers or programmers.

Public Relations. Responsible for communicating with investors, the press, and other outside entities.

Security. Encompasses facility, personnel, and information security. If these are separate departments, each should be represented on the CIRT.

IS Support. Assists with containment and recovery, and establishes alternate methods of information processing when primary systems or network paths are disrupted.

Facilities Management. Resolving power issues, coordinating the move to alternate locations, and conducting structural assessments and repair fall here.

Labor Union. If applicable, can help defuse possible reaction to unusual management decisions and provide employee perspectives of events.

Representatives of Critical Business Functions. Depending on the scope of the problem, might include one or two administration or operations teams, or many more.

Once the team members are identified, they should meet to begin building an incident response plan. “The plan should include all activities related to containing and mitigating effects and improving future response,” Olzak said. “The plan is then used to train the team. Thorough training produces a team which reacts to events quickly, without confusion. It helps ensure all members understand their responsibilities, the roles of others, and team cooperation when it’s needed most.”

Step 4: Have a Business Impact Analysis Format

The next step is to understand your exposures and make good decisions about your recovery strategy. If you have a solid strategy, developing your plans becomes straightforward. “The most critical part of the whole process is your business impact analysis, including the risk assessment,” said Debbie Hoppenjans, manager of business continuity planning at Siemens IT Solutions and Services. “That’s where you need to spend most of your time.”

At its core, a business impact analysis is the process by which you determine what systems or processes need to be recovered and how quickly, according to “Building an Enterprise-Wide Business Continuity Program” by Kelley Okolita, published by CRC Press in 2009. Broadly speaking,
the more time you can take to recover a business process, the more options you will have to recover it, and the less it will cost. Likewise, a business impact analysis can help you justify the expense of faster recovery capability on time-sensitive processes.

“All business functions and the technology that supports them need to be classified based on their recovery priority,” Okolita writes. “Recovery time frames for business operations are driven by the consequences of not performing the functions.” If certain functions aren’t performed during the downtime, what will really happen?

To do a business impact analysis of any given team, list everything done by that group, and analyze each of these functions against three areas: “financial risk of not performing that function, regulatory risk of not performing that function, and customer or reputational risk of not performing that function,” writes Okolita. “... It is all about impact. What happens to the company if we do not do this?” Then, part two of the process is to ask, how long before we see this impact?

To help you assess levels of recovery, you might create a chart where you assign each business function a rating that looks something like this (excerpted from “Building an Enterprise-Wide Business Continuity Program”):

Rating | Timeframe | Description
AAA | Immediate recovery | Must be performed in at least two geographically dispersed locations that are fully equipped and staffed.
AA | Up to 4 hours to recover | Must have a viable alternate site that can be staffed and functioning within the four hour timeframe required.
A | Same day recovery | Must be operational the same business day and must therefore have a viable alternate site that can be staffed and functioning within the same business day.
B | Up to 3 days | Can be suspended for up to 3 business days, but must have a viable alternate site that can be staffed and functioning by the fourth business day.
C | Week 1 | Can be suspended for up to a week, but must have a viable alternate site that can be staffed and functioning the second week following an interruption.
D | Week 2 or greater downtime allowable | Can be suspended for greater than one week. A maximum number of days should be identified for this function.

Step 5: Evaluating External Resources

Evaluating Business Continuity Consultancies. Feeling overwhelmed? The good news is, there are plenty of consultancies and service providers who can make sure that your business continuity needs are met. BC/DR planning consultants include large firms such as Accenture, Booz Allen Hamilton, Deloitte, HP Enterprise Services (formerly EDS), IBM Global Services, and PricewaterhouseCoopers. There are also dozens of boutique consulting firms—regional and niche players that just focus on business continuity planning. How can you be sure that the consulting firm has the expertise to fill in your business continuity gaps? Here are five questions to ask when choosing the best business continuity consultant for your company.

1. Do you know what you need? To get started, you’ll need to conduct a business impact analysis, and the consultants should perform a recovery option study to determine your company’s priorities. Make sure the consultant is willing to outline your recovery options and the amount of time each option will take.

2. Will the firm present several options? “When it comes to business continuity, it’s about planning and services, and it should be less about technologies,” said Stephanie Balaouras, analyst at Forrester Research. “It’s your strategy for responding to business disruption and covers people, facilities and technologies. It covers everything from pandemic planning to ‘Microsoft Exchange is down.’” Firms that offer BC/DR planning and consulting services should be able to help you do a business impact analysis, identify critical business processes, map all the dependencies and define how critically you need them, and what the impact would be on revenue. “When you understand that, you can build a business case and invest in the right solutions,” she adds.

3. Are the consultants certified in business continuity planning? Certification ensures that business continuity consultants are well-versed in all aspects of BC/DR planning. Certification bodies include the Business Continuity Institute, DRI (The Institute for Continuity Management), Business Resilience Certification Consortium International, and the University of Virginia. Specialized certifications are available for emergency management, risk management, audit, security and technology. DRI International offers certification specifically for business continuity consultants and vendors to ensure that practitioners understand professional practices. Each subject area includes the professional’s role within the area and an outline of recommended knowledge within the subject area. The 10 subject areas cover topics such as risk evaluation and control, business impact analysis, emergency response and operations, awareness programs, training, crisis communication and coordinating with external agencies.

4. Are they willing and able to prioritize? You can save a lot of money by evaluating your BC/DR priorities, said Ben Thornton of Corus, a disaster recovery and business continuity consulting firm. “If you need systems back up in six hours—you can, but you’ll have to throw a lot of money into that. Instead, consultants should be asking, ‘Do you need that? What can you wait a couple of days on, or a week on?’ and establish priorities.” Perhaps only 20 percent of the total environment must be recovered in minutes or hours.

5. Do they offer BC/DR solutions to fit your budget? Nearly one-quarter of companies surveyed by KPMG have not been able to justify the costs of business continuity plans. Most of these companies are focused in the large enterprise with 500 to 999 employees, according to the study. Consultants should know your business well enough to understand budget constraints and your immediate BC/DR needs. “We let the business [units] decide what they want to spend and help coordinate based on what the numbers tell us,” Hoppenjans explains. “We let [business impact analysis] data tell us what each department is doing as far as BC planning, what their risks and what their vulnerabilities are, and they decide what to spend. Some responses may be customer- or contract-driven.”

Evaluating Business Continuity Services and Software. The frequency of common business interruptions has boosted the market for external disaster recovery services—which include data center services, backup and mobile recovery services—to $3 billion to $4 billion a year, according to Gartner. Here are some points to consider when evaluating business continuity and availability services and software.

Weigh the benefits of specialized business continuity planning software. Business continuity planning software can help large companies formalize the BC framework and continually update the plan. “Of companies that actually have plans, 50 percent use software and 50 percent use informal software” such as Excel spreadsheets, said Stephanie Balaouras, a senior analyst at Forrester Research in Cambridge, Mass. Software providers such as SunGard Data Systems (which acquired Strohl Systems Group), eBRP Solutions, and U.K.-based Office-Shadow (now part of ICM Business Continuity Services Limited) offer BC planning solutions. Regulated industries that face audits, such as life and health insurance companies or financial institutions that require uniformity in how they build their plans, may benefit from one of these software packages.
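The business impact analysis in Step 4 boils down to two questions per function (what is the impact, and how long before we feel it) and a rating table that turns the answer into a recovery tier. The following Python script is an added worked example, not code from the CSO guide or from Okolita's book: it takes a team's function inventory, records for each function how many hours pass before the financial, regulatory and reputational impacts are felt, derives the maximum tolerable downtime as the earliest of the three, assigns the AAA to D rating from the Step 4 table, and emits a recovery order with the alternate-site requirement each tier carries. The rating letters, timeframes and site requirements come from the table; the field names, the decision to express "same day", "3 days" and "week 1" as 24, 72 and 168 hours, and the sample inventory are this example's own assumptions.

```python
"""Added example: turning a team's function inventory into BIA recovery ratings.

The AAA-D tiers follow the Step 4 rating table; field names, the hour thresholds
chosen for "same day", "3 days" and "week 1", and the sample data are assumptions
of this example, not figures from the guide.
"""
from dataclasses import dataclass
from math import inf

# (rating, maximum tolerable downtime in hours, timeframe, alternate-site requirement).
# Expressing the timeframes as 24, 72 and 168 hours assumes 24-hour days.
RATING_TIERS = [
    ("AAA", 0,   "Immediate recovery", "two geographically dispersed, fully equipped and staffed locations"),
    ("AA",  4,   "Up to 4 hours",      "alternate site staffed and functioning within four hours"),
    ("A",   24,  "Same day recovery",  "alternate site staffed and functioning the same business day"),
    ("B",   72,  "Up to 3 days",       "alternate site staffed and functioning by the fourth business day"),
    ("C",   168, "Week 1",             "alternate site staffed and functioning in the second week"),
    ("D",   inf, "Week 2 or greater",  "a maximum number of days must be identified for this function"),
]


@dataclass
class BusinessFunction:
    """One line of a team's inventory ("list everything done by that group").

    Each *_impact_hours field answers the second BIA question, "how long before we
    see this impact?", for one of the three risk areas. Use math.inf where the
    function carries no exposure in that area.
    """
    name: str
    financial_impact_hours: float
    regulatory_impact_hours: float
    reputational_impact_hours: float

    def max_tolerable_downtime(self) -> float:
        # The function must be recovered before the earliest of the three impacts is felt.
        return min(self.financial_impact_hours,
                   self.regulatory_impact_hours,
                   self.reputational_impact_hours)


def rate_downtime(mtd_hours: float) -> str:
    """Map a maximum tolerable downtime to the first tier whose limit it fits under."""
    if mtd_hours < 0:
        raise ValueError("downtime cannot be negative")
    for rating, limit_hours, _timeframe, _requirement in RATING_TIERS:
        if mtd_hours <= limit_hours:
            return rating
    raise AssertionError("unreachable: the D tier accepts any remaining downtime")


def site_requirement(rating: str) -> str:
    """Look up what the tier demands of an alternate site."""
    for tier_rating, _limit, _timeframe, requirement in RATING_TIERS:
        if tier_rating == rating:
            return requirement
    raise KeyError(rating)


def build_recovery_priorities(functions):
    """Return (name, rating, mtd_hours, requirement) rows, most urgent first.

    The sort order is the recovery sequence: the function that tolerates the least
    downtime is brought back first, which is what the BIA exists to decide.
    """
    rows = []
    for fn in functions:
        mtd = fn.max_tolerable_downtime()
        rating = rate_downtime(mtd)
        rows.append((fn.name, rating, mtd, site_requirement(rating)))
    rows.sort(key=lambda row: row[2])
    return rows


# Constructed sample inventory for a fictional team; not data from the guide.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Card payment authorisation", 0, 0, 0),
    BusinessFunction("Online order intake", 1, inf, 2),
    BusinessFunction("Regulatory filings", 120, 48, inf),
    BusinessFunction("Payroll run", 72, 96, 72),
    BusinessFunction("Internal knowledge base", inf, inf, 336),
]

if __name__ == "__main__":
    for name, rating, mtd, requirement in build_recovery_priorities(SAMPLE_FUNCTIONS):
        print(f"{rating:<4} {name:<28} MTD {mtd:>6} h  {requirement}")
```

Two points from the table show up in the output. "Regulatory filings" looks like a slow function on the financial axis (120 hours) but the regulatory impact arrives at 48 hours, so the earliest impact governs and it lands in tier B; and anything rated D comes back with the table's reminder that a maximum number of days still has to be written down for it, because "week 2 or greater" is not a recovery target on its own.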
Consider the major business continuity/availability service providers and some niche players. Hosted business continuity/availability providers typically provide cold sites (data center space to house your own equipment and backup tapes), warm sites and hot sites (an operationally ready data center), as well as data archival, restoration capabilities, and managed services. SunGard, HP Enterprise Services, and IBM Global Services own the worldwide market share in this segment with the broadest set of services. Smaller services players such as Rentsys Recovery Services are also making inroads into the market.

Let recovery requirements dictate the level of dedicated BC services. Subscribing to a data recovery service that you can trigger when a disaster strikes is fine if data can be restored in two to four days. But increasingly, as businesses require 24/7/365 availability, more dedicated data recovery services are required. Just make sure you’re not paying for more than the business need dictates.

Use caution when outsourcing business continuity functions overseas. Because of terrorism and natural disasters typically not seen in the United States, such as tsunamis and monsoons, companies should take caution when outsourcing backup, recovery and business continuity operations offshore. Some popular outsourcing countries may not have the recovery capabilities found in the United States.

Step 6: Build a Crisis Communication Plan

Communication during a crisis can be thought of on several levels—communicating with internal constituents and staff; communicating with business partners, suppliers and customers; and communicating with the general public, often via the media. We’ll cover these aspects from the inside out.

Internal Communication. The people who work at the organization must be kept apprised, as much as is reasonable, during a crisis. Many organizations tend to keep employees in the dark during a difficult time, and that’s a mistake, said Brit Weber, program director at the School of Criminal Justice at Michigan State University in East Lansing, Mich. “They all have associates who want to know” what’s going on when there’s a crisis, Weber said. “Employees will start calling the media if there’s a major crisis like an evacuation. That’s why it’s vitally important to tell your employees what’s going on,” so they don’t give out wrong information.

Emergency notification systems can use many different means of communication—phone calls, text messages, e-mail—to contact employees, vendors or other critical personnel. A calling tree with home and mobile phone numbers can be a simple first step. “Although [emergency notification systems] may have slick bells and whistles, I have found that you don’t need them,” ABN Amro’s Smith said. “You need a system that will call a lot of people all at once and have them call into a central conference call number.” He also suggests having an automatic phone forwarding system through your phone company. That way, clients whose only contact is an office phone number can be rerouted to an employee’s cell or home phone.

In some cases, companies also have discovered that portals or intranets have been useful during a crisis. That’s what happened at Gale GFS, anyway. The property management company has an Incident Reporting System that operates as a sort of business blog on its intranet portal. Creating it wasn’t complicated, said Chris Messineo, assistant VP for IT at Gale GFS (a unit of the Gale Company), which manages and oversees properties around the world. Essentially, an employee can log onto the Web-based system with a user name and password and write about a hurricane, an explosion or any other incident. Gale GFS designed and built its system to automatically send out an e-mail notification to everyone in the region. Through an online control panel, administrators can determine who gets notified by region and by company. E-mail alerts pop up on cell phones and smartphones, as well as on computer screens.
Each case or incident is archived in the system so that others can retrieve them from the database in order to study them. Each session, however, is available for viewing only by the employees working with a specific client so as to maintain security.

External Communication. Keeping employees in the loop is only part of the equation. During an adverse event, the crisis response team will determine the appropriate parties that must be notified both under the law and consistent with corporate values, as many organizations will decide to go beyond the legal or contractual requirements to protect the clients and consumers. The ultimate goal of all crisis communication is essentially to uphold long-standing relationships and assure key stakeholder groups that your company understands how the event impacts them and what you intend to do about it.

When something really bad happens, such as a natural disaster that forces a company to evacuate headquarters or a security breach that results in lost or stolen data, the media will come calling. How organizations deal with the blitz could affect the long-term impact of the crisis. An effective and constructive response might help put the company in a positive light during a tough time. An ineffective or antagonistic reaction might make a disastrous situation even worse. Here are some tips for dealing with the public—and in particular the media—after a security incident or business-interrupting event.

Be truthful. Honesty really is the best policy. “One of the most important things is to try to understand what the media is interested in. The media is interested in accurate, truthful information—something that will be of interest to their readership [or viewers],” said Michigan State’s Brit Weber. “If you don’t know the answer, indicate that it’s information you don’t know at this point and hope to [provide] later.”

Provide useful information. Organizations should be as forthcoming as possible with information about the specific incident, and provide any relevant background information that will help the media put the situation in proper context. “Tell them what you do,” Weber said. “Provide a fact sheet or release that explains what your business does.” If you don’t provide information, reporters will look for other sources inside and outside the company, who might provide inaccurate or outdated information.

Train your spokespeople. In a crisis, many organizations automatically put the CEO in front of the media, Weber said. But if the chief executive or other designated spokesperson isn’t comfortable or familiar with reporters, cameras and microphones, that could backfire. “All spokespeople need to be trained to deal with friendly interviews and in-your-face ambush interviews,” said Jonathan Bernstein, president of consultancy Bernstein Crisis Management. “It’s not an intuitive skill.”

Establish an ongoing relationship. Organizations that keep media outlets informed on an ongoing basis will be less likely to have misunderstandings when a crisis arises. They might even rely on the media for help in disseminating information. “It’s very important for corporations to have a collaborative or partnership process with the [local] media,” said Weber. “Don’t wait for an incident to happen.”

Don’t let the media be the only source of news. Consider using communications tools such as employee newsletters, or allowing officials to make personal appearances to groups such as a chamber of commerce or business association.

Section 2: Disruptions A to Z

Different situations require different types of plans. Below, we list some specific wrinkles and possible approaches to different types of threats.

Corruption

Corruption can be like a form of tax, but there may be mounting pressure not to pay.
In the past, there were allegations that the extractive industries -- particularly energy and oil -- were paying off lots of people, in order to operate in corrupt environments, said Chris Voss, a former lead hostage negotiator for the FBI and now CEO of The Black Swan Group. Now, “under pressure from human rights groups, there’s a set of voluntary principles that the extractive industries signed off on, saying that they would contribute to trying to build legitimate law enforcement infrastructure instead of paying people off and encouraging corruption.” In places where the law enforcement infrastructure is not well-developed, these companies are also building their own security forces and compounds. If an economic downturn makes them unable to afford this protection, it will affect their security.

Extortion

Here’s one CISO’s plan if he receives an extortionist’s e-mail.

1. Contact general counsel and CIO executive team (and whomever else they deem appropriate), and jointly make an assessment of the company’s risks as well as the credibility of the threat. Discuss all possible factors that could magnify the risks (such as impending big executive news or an acquisition).

2. Recommend contact with appropriate electronic crimes law enforcement officials for tactical advice and (hopefully) assistance. (For example, are we the first to ever get this threat? Are these known perps? Has there been prior experience with them or with this MO?)

3. If top management agrees to involve external law enforcement, begin an investigation jointly with law enforcement. Formulate detection and response strategy with them to prepare to acquire and preserve evidence.

4. If senior management declines to involve external law enforcement, then expect to be tasked to assemble a “red team”. Regardless of whether management decides to pay, this team will search for and eliminate the vulnerabilities that make the threat credible, and take other steps to diminish risk of attacks.

5. Simultaneously expect to be working with crisis management teams, and especially the investor relations and corporate PR staff, to prepare an official position for the media. If a U.S.-based company, consider the Sarbanes-Oxley implications of every decision. That means senior finance folks will also need to be involved.

6. Warm up disaster and business continuity plans and providers depending on the nature of the threat, perhaps increase backups in frequency or type. (For example, go to “full now” instead of “incremental” for critical systems at risk.)

Floods

Flooding is generally localized and somewhat predictable. If you operate business in an area prone to flooding, be sure to have a good plan in place for doing system backups, and plan to have redundancy in an area outside of the flood zone. Remember that even if your company facilities are on high ground, employees and delivery persons may be unable to get to the facility due to flood water over the access roads. Finally, expect a lot of residual impact due to employees, vendors and customers being directly impacted. Even if corporate facilities are not impacted, employees may have personal losses of home and property and be busy attempting to deal with these losses and the cleanup involved. (See also Hurricanes.)

Global Hotspots

How do you keep executives and employees safe in global hotspots? Chris Voss, a former lead hostage negotiator for the FBI and now CEO of The Black Swan Group, offered some thoughts on the risks and trends in different areas:

Haiti: “Economic kidnapping is like a virus; once it gets into a society it’s very hard to get it out. Criminals find out it’s pretty easy money. That’s what’s happening in Haiti, I think. There’s not much wealth in Haiti, but kidnapping numbers have to be up to 250 or so Haitian-Americans. If they grab someone who has family in the US, whatever they get—if they get $5k to $25k per kidnapping—that’s really serious money in Haiti.”

Mexico: The Mexicans are “covering up a massive kidnapping problem. I recently had a conversation with the head of security for an international company based in Mexico; he tried to tell me, ‘Kidnapping, it’s mostly criminal on criminal’—which is nonsense. They’re diminishing the problem, trying to keep the larger world from criticizing them. So it’s getting worse and worse all the time. Tremendous amounts of legitimate businessmen are leaving that region.”

Philippines: “In the Philippines, at the end of the Burnham-Sobero kidnapping case [2001-2002], the response of the Philippine and U.S. governments really sort of took their kidnapping infrastructure apart, left the Abu Sayyaf in somewhat of a shambles. They began to move toward bombings at that time. But that’s run its course and they’re getting back into it, starting with locals. I think it’s a matter of time before they are looking for Westerners again.”

South America: “Colombia is much safer than it was ten years ago. Amazing difference. When I went in 1998, the guerillas had complete control of the countryside, and you could not travel there safely. In 2005, I went to a going-away function in the countryside with no military escort. We were hardly armed at all. Now sometimes when you put pressure on crime in one area, it simply moves to a different area. Some of the Colombian kidnappers quit, and some are in jail. Of the others, some moved.
So it’s on the rise in Venezuela and Ecuador.” Hurricanes While it’s impossible to predict the severity and timing of any given hurricane, if you conduct business in certain parts of the country, you can be fairly well-assured of the need to plan for the high winds, heavy rains and flooding that mark these strong storms. Obtain adequate insurance both for hurricane wind damage and flooding, and make sure that your business continuity plan encompasses the loss of power and running water. If it’s necessary to have a data center in a hurricane zone, make sure the building is built to sustain hurricane dam- age and has back up and battery power. Better still, have a back-up data center in another part of the country, and test it by bringing the main data center down and bringing up the back-up one. The data is only one part of the picture, though. Be sure that employees understood where to go and what to do dur- ing an evacuation. It’s important to have a way to send out alerts to all employees, even if the hurricane strikes on a weekend or when employees are traveling. Alternately, you could set up special numbers so people can dial-in and alert the company as to where they are. If a facility goes down because of power failure or flood- ing, many organizations need a physical location to place their staff so operations can continue. Tampa-based OSI RestaurantPartners,whichownspopularrestaurant-chain brands including Outback, maintains a comprehensive facility in Atlanta, which they have had to use at least twice in the last 4 years. “Once we declare a disaster, we have 50 cubes available there,” said OSI Chief Information Officer Dusty Williams. “But we have to go up and make sure everything is up and running and ready. 
So we have people, from an IT perspective, head up 72 hours out ahead of any storm in private aircraft to make sure everything is ready to go.”

The process of relocating people and sometimes equipment is time consuming, labor intensive and costly. The company even has contracting companies on standby for employees that may need assistance with boarding up houses before they depart. As complicated as it all sounds, Williams said, thankfully, most of it can be planned. “With hurricanes, you have a distinct advantage over an earthquake or a tornado,” Williams said. “You really don’t know when they will strike.”

Kidnapping

Chris Falkenberg, president of Insite Security, a New York-based consultancy, outlines four preventative measures companies can consider to minimize kidnapping risk.

1. Establish a counter-surveillance program. An organization with an effective counter-surveillance program has a good shot at detecting a threat, increasing security and motivating potential kidnappers to go elsewhere. In addition to having personnel manning the gate, a counter-surveillance program has personnel who are watching to see who is watching others. This means looking for people who might be walking back and forth frequently in front of a location, taking video or photographs, or counting footsteps to determine the measurements of a given location.

A counter-surveillance program might also use CCTV infrastructure in a proactive way, Falkenberg said. “A counter-surveillance team can use all of the intelligent video in a proactive means, particularly if you have the ability to identify cars and license plates to keep an eye out for who seems to be in your perimeter.”

2. Utilize GPS. Falkenberg recommends companies put in place technology to be able to receive GPS transmissions from cell phones or emergency GPS transmitters. While this technology may only go so far because the device will likely be taken from the victim, in some scenarios it could still aid in rescue. “There is some technology coming out in which you can program a cell phone to send out a distress signal,” Falkenberg said. “What we are using with some clients is a handheld GPS transmitter which you can essentially use as a portable panic button.”

3. Train employees on how to stop a kidnapping in progress. When an event takes place, victims find themselves forced into vehicles with commands shouted at them like “Get in the car! We are going to kill you!” While this is terrifying, it is actually much easier to turn the situation to your advantage at that point than it is once you are incarcerated, Falkenberg said. However, this kind of reaction to threats is not second nature—it is something that has to be learned. He recommends talking with employees about what to do if threatened and rehearsing it.

4. Consider families, too. A crisis management and continuity plan for the family outside the office is key. However, the family component can’t be addressed with the same techniques used for employees because families are not going to tolerate the kind of protection that C-level executives tolerate at work. Also, it is just not cost effective. Falkenberg suggests training family about potential dangers and how to behave if someone attempts to abduct them.

More tips and advice. Falkenberg also recommends companies train employees about how to act as hostages in the event that they are abducted. Tips include touching everything in sight to leave lots of fingerprints and talking to the kidnappers so they see you as a human, not an object. Falkenberg recommends mentioning family, children, and other personal facts that may aid in getting them to see you as a person. McCann, senior VP of security operations and training at Kroll, also advises finding some kind of resonant chord with abductors to try to get them to show more empathy toward you. Mining your captors for information also can be helpful. You may be able to discern whether you were abducted for political or religious reasons, for ransom or for all of the above. It’s also important to remember that people are working to get you released. “The feeling of hopelessness works completely against you,” he said.
Pandemic

Business risk consultancy Control Risks has identified ten questions organizations can use to determine their level of preparedness in the event of a pandemic emergency. Brian Kaye, vice president and national practice leader for business continuity, walks us through these questions.

1. Have you defined reliable information sources that you will monitor for situational awareness in the event of an influenza pandemic? The information gathered from these sources will be critical for your decision-making process.

2. Has top management documented a set of guiding principles? This would outline, among other things, the commitments the firm will make to protect its employees and the budget available for planning.

3. Does the firm have in place a robust Crisis Management & Communications program that will allow executives to make key decisions and communicate messages on a timely basis? The question in pandemic planning, according to Kaye, is not how do we pick up the pieces; rather it is how do we live with this situation over the course of the next 18 months?

4. Is there a business continuity program in place that documents key products and services that will receive prioritized attention during a time of reduced staff availability? If only 50 percent of staff is in the workplace on a particular day, which business activities will be conducted and which will be deferred?

5. Has the firm implemented a robust employee health program that will guide ‘safe workplace’ protocols, such as facility access, social distancing, and surface cleaning? Surface cleaning and social distancing both prove effective and can have a major impact. The conventional perspective is that people are universally susceptible to influenza pandemics, and we must rely on these approaches to limit contagion.

6. Has the firm documented Human Resources provisions that outline actions employees should take if they become ill and how to handle sick leave and family care issues? It sounds so simple, but if you don’t provide clear instruction regarding sick leave, employees will show up to work sick and ask whether they should stay or go. You need to remove any uncertainty in the mind of the employee so that they can stay home and get better without risk of spreading the virus to other employees.

7. Are key strategies for remote connectivity of workers backed up by actual IT capabilities in terms of VPN bandwidth and hardware availability? You need to be realistic and ask whether your existing IT infrastructure can support your entire workforce working from home at once.

8. Has the firm prepared guidance for expatriate employees and travelers? Does the firm have the ability to re-create travel patterns for employees, to support investigation into risk exposure? This goes back to ensuring that your sources of information are reliable and establishing your guiding principles. This was a lesson learned from SARS, Kaye said. “If you have the ability to retain employees’ travel history and re-create their travel pattern, you have the potential to pinpoint their point of exposure.”

9. Has the firm discussed its pandemic preparedness efforts with key vendors, suppliers and other business partners? “Even the strongest in-house pandemic preparedness program can be rendered worthless if the company has a dependence on a third party that is compromised,” Kaye said.

10. What is the firm’s position on the procurement and stockpiling of both pharmaceutical and non-pharmaceutical protective measures? If there is a formal program, who is responsible and are all key provisions up to date? “Antiviral treatments are receiving so much attention right now that it is almost tempting to mistake them for a pandemic preparedness program,” said Kaye. “I cannot stress enough that they are not one and the same.”

Tornadoes

Business continuity planners in tornado alley have much in common with those in hurricane areas—but also key differences. Tornadoes have smaller funnels, but they can appear in groups, may feature dramatically higher winds, and can strike with far less warning than a major hurricane typically provides. Tornadoes can stretch more than a mile across and stay on a destructive ground path for many miles, wiping out structures and picking up objects and debris along the way. It’s impossible to build a structure that can withstand the strongest tornado, so redundancy is key. However, it may be possible to have redundant data centers within an easy drive of one another.

With tornado patterns in mind, Cancer Treatment Centers of America (CTCA) built two data centers in greater Chicagoland so that they sit 59 miles apart and in a pattern in which the likelihood of a tornado hitting both of them is nearly impossible, said Chad Eckes, chief information officer of the Schaumburg, Illinois-headquartered organization. The locations were chosen based on information from the Federal Emergency Management Agency about weather patterns.

“The first main design from a BCP standpoint was to have complete redundancy in our data. Anytime there is any production data written to the primary it is immediately mirrored over to our DR data center,” said Eckes. “Literally, we are up to date in our second center within 15 seconds. That is, with a complete copy of all clinical systems.”

Geoff Craighead, vice president of High-Rise and Real Estate Services at Securitas Security Services USA and author of “High-Rise Security and Fire Life Safety,” advises clients he works with in tornado zones to consider all physical elements of a building when creating a business continuity plan.
Tornado warnings, when they are possible, are often broadcast on both radio and television, which of course can be monitored in the average security or network operations center. Craighead said if an organization is warned there is the possibility of a tornado in the near future, preparations could include securing or moving outdoor objects such as trash containers, planters, signs, furniture, and vehicles that may blow away or cause damage to people or property. Craighead also recommends pruning tree branches that may cause damage to the building. Occupants should clear all objects from desks and working areas, and all exposed paperwork should be stored in closed cabinets and other containers, he said. Valuable equipment and documents should be moved to interior rooms.

SECTION 3: EXERCISES

Pre-incident planning for business continuity events should start by developing realistic scenarios that could arise. Typical examples would deal with external fraud, a malicious insider, a technology hack, lost media, a data center disaster and an external security breach.

A tabletop exercise is a great way to get business continuity plans off the written page without the interruption of a full-scale drill. Rather than physically simulating a disaster, the crisis management group gathers for three hours to talk through a simulated one.

It can be a full-scale production that involves local first responders and professional moderators. Or it can be a simple affair conducted by in-house disaster planners. The idea is to have an escalating scenario that unfolds in several segments. After each segment, small working groups discuss how they would respond, then report back to each other before hearing from moderators about what happens next.

Tips for an Effective Tabletop

Decide how much gloom and doom you want. When planning a tabletop, Joe Flach, VP of Eagle Rock Alliance, asks, “Do you want this to be a physical event with assets damaged and destroyed, or do you just want those things inaccessible? Do you want death and injuries, or just to test the ability to get work up and going someplace else?”

Test how quickly you can pull together key players. At public utility PSE&G, Director of Corporate Security Mike Paszynsky said the crisis management group doesn’t always know when a tabletop will occur. Instead, the company tests how quickly it could reach all those individuals. Specialized software pings team members’ phone numbers and communications devices, alerting them that the crisis management team is assembling.

Involve everyone. Make sure each person has a role. If one person answers all the questions, have others enact how they would respond if that person were unavailable.

Acknowledge that first-timers may be nervous. “Some business managers don’t want to show that they may not know how to respond to a certain issue,” said Rad Jones of Michigan State University. To make them more comfortable, consider an hour-long orientation. Later, work your way up to a three-hour exercise, and then invite local law enforcement and first responders to participate.

Encourage misinformation. During a crisis, Flach said, “you’re always asked to make timely decisions based on incomplete and inaccurate information.” You can simulate the confusion this causes by giving the groups handouts containing different information.

Take the lessons with you. A designated note-taker should keep track of what happens; always leave time for lessons learned.

Scenario 1: A Disgruntled Employee Starts a Data Center Fire

Segment 1: A small fire begins just outside the data center, setting off the alarm system. By the time the fire department arrives, the fire has been extinguished by the sprinkler system, but the building has been evacuated. Employees and people who work in nearby buildings want to know what has happened, as does the media.
Then, as people begin to go back inside, the receptionist takes a call from someone who indicates that the fire is “only the beginning” because the company hasn’t treated him right.

Segment 2: An employee discovers a box in the lobby with a handwritten warning that it contains anthrax. Management decides to evacuate the building again. Calls come in from concerned family members, and local TV crews arrive. Meanwhile, the sprinklers in the data center have caused the company’s e-mail and Web servers to stop working, which means the company’s e-commerce site is down.

Segment 3: A woman calls the newspaper claiming to be the wife of an employee who’s just been laid off and who has left printouts about anthrax scattered in his home office. The newspaper calls the company with this information. The health department is on scene. The company’s call center (at another location) is swamped with calls from customers who can’t place orders at the website.

Segment 4: The police apprehend a suspect. The health department determines that the box did not contain anthrax and the building is safe. Some employees are afraid to come back to work.

Based on a suggestion by Rad Jones, academic specialist at Michigan State University’s School of Criminal Justice and former director of security and fire protection for Ford Motor.

Scenario 2: An Explosion at a Nearby Chemical Plant Releases Deadly Toxins

Segment 1: An explosion occurs at a chemical plant two miles from headquarters. Local news media are reporting that an undetermined number of the chemical company’s employees have been injured or killed, and officials are trying to determine to what extent deadly toxins have been released into the air. No one is sure what caused the blast.

Segment 2: Area hospitals are crowded with people reporting breathing difficulties, and public health officials are encouraging people all over the city to “shelter in place” as a precaution. Headquarters is currently upwind of the explosion. The company needs to decide what to tell its employees to do but isn’t sure whether it has the legal right to tell people not to leave. People are speculating that terrorists caused the explosion.

Segment 3: The company tells employees not to leave the building, but many do anyway, saying that they don’t trust what they’re hearing and that they need to get home and take care of their families. The security guards at the front door also want to know what to tell people on the street who want to take shelter in the company’s lobby. The cafeteria reports that it has already sold out of lunches.

Segment 4: The immediate danger passes, and authorities say the explosion was an accident. Several employees have been hospitalized, and others are upset that the company cafeteria did not have more supplies on hand.

Based on a suggestion by Mike Paszynsky, director of corporate security at PSE&G, a Fortune 500 public utility based in Newark, N.J.

Scenario 3: A Pandemic Flu Hits

Segment 1: A pandemic flu starts sickening and killing people in Hong Kong, where the company does not have any operations. The medical community fears that the disease will spread to other continents and says that anyone who has been to Hong Kong in the past three weeks could be a carrier. As a precautionary measure, the company considers asking employees who have traveled to Hong Kong within the past three weeks not to return to work until they see a doctor. The company also considers having security at the front door ask every visitor whether he or she has been to Hong Kong in the past three weeks.

Segment 2: A few people in the region are diagnosed with the disease, and the absentee rate at schools rises. Employees start calling in sick, but it’s not clear whether they are ill or afraid of going out in public. Enough people are absent that the company struggles to keep systems up, take orders and pay bills.

Segment 3: The disease spreads, and absentee rates shoot up to almost 50 percent. Some employees are sick or caring for sick family members. Employees are asking the company to provide for vaccinations and masks, even though the medical community said those precautions may not be effective. Critical functions are not getting done. Managers consider letting crucial staff volunteer for a lockdown—those who volunteer would receive vaccinations but then not be able to leave the building until the danger passes. They also consider rerouting work to another location or calling in retired workers to help out.

Segment 4: The disease has peaked, but many employees are still leery of returning to work.

Based on a suggestion by Joe Flach, VP of Eagle Rock Alliance, a business continuity consulting firm in West Orange, N.J.

Catastrophic Threats

What does the Department of Homeland Security view as the country’s biggest risks? A hint came in its National Preparedness Guidelines, released in 2007, which listed these 15 unranked catastrophic scenarios. Collectively they demonstrate the need for a far-reaching range of response capabilities.

Improvised nuclear device
Aerosol anthrax
Pandemic influenza
Plague
Blister agent
Toxic industrial chemicals
Nerve agent
Chlorine tank explosion
Major earthquake
Major hurricane
Radiological dispersal device
Improvised explosive device
Food contamination
Foreign animal disease
Cyber attack