1. April 2007 • Volume 4 • Issue 4
How to Become
a Trusted
Stategic Advisor
National News • International News • Products • Partnerships • Movers & Shakers
Where business continuity, security and emergency management converge.
Also…
Pandemic Planning
Taking the Fear
Out of BC Exercises
How to Become
a Trusted
Stategic Advisor
3. www.ContingencyPlanning.com | 3
Maintaining
Momentum
Staying ahead in pandemic planning
By Greg Stenmoe and
Marie Johnson, CBCP
Pandemic influenza will not discriminate. If it hits, it will
hit hard. Every business and every organization, along
with its most valuable players, will battle the sudden, relent-
less impact for as long as an outbreak spreads and sustains.
Statistics projecting estimates of human illness and
deaths by state or on a national scale, based on previous
pandemics such as the Spanish Flu of 1918, have been some-
what exhausted in media reports. At one time, inundated
with news of potential cases of “bird flu,” family planning
tips and worst-case scenarios (sans an actual pandemic
arrival), all the world stood watching … waiting. Yet today,
the average person is at best familiar with basic terminology
and now is either inattentive, skeptical or becoming increas-
ingly less informed.
Business continuity planners must avoid letting the public’s
complacency and signs of “pandemic fatigue” influence the
focus and speed of progress invested in comprehensive
preparation and planning.
A PANDEMIC IS SERIOUS BUSINESS
The second of two national pandemic summits hosted by
the Center for Infectious Disease Research and Policy
(CIDRAP) took place in February 2007 and involved
4. 4 | CPM-GA April 2007
numerous major corporations and leaders from across the
United States. The conclusion that resulted from days of discus-
sion proved to be promising. Organizers confirmed that those
closely involved in planning for a global pandemic event are, in
fact, taking the issue very seriously.
While any progress in pandemic planning is a step in the
right direction, there remain so many uncertainties associated
with how an event of this nature will materialize. Developing a
solid business continuity plan is a logical first step for industry
professionals, but it is only one piece of an intricate puzzle.
The true effectiveness of any business continuity plan will be
measured by its ability to extend scope beyond accounting for
the survivability of just one individual entity and its internal
operations. Business continuity managers must also proactively
integrate consideration of external factors – the dynamics of
cross-sector communication; the overall impact of governmen-
tal authority; and the value of coordinating efforts, before any
crisis, with government agencies, nonprofits and other business-
es, not excluding direct competitors.
WHO DOES WHAT AND WHEN?
In the event of a pandemic catastrophe, government, public
and private sectors will play reciprocal roles to one another.
Government will rely on businesses to communicate key mes-
sages to employees. Businesses will look to the government for
clarification on governmental authority. And nonprofits will
seek partnerships with government and businesses to help
define vulnerable populations during time of crisis.
Eighty-five percent of our nation’s infrastructure is owned by
the private sector. In the event of a pandemic, businesses will
look to local, state and federal governments for guidance on
answers to many questions: Who is responsible for closing
schools? Can company headquarters serve as a community
hospital? When and how will employees be quarantined?
The government has sweeping authority to place restrictions
on certain activities, such as travel and the flow of goods, as
well as to make use of private business facilities, personnel and
services in the event of a declared emergency.
Additionally, businesses will be regularly employed by gov-
ernment to disseminate important information to employees.
Large employers will be of particular value since they offer
access to wider audiences, though small and mid-size compa-
nies should not be overlooked. Key messages will need to be
consistent and clear at every opportunity, whether the topic is
government quarantines or merely a reminder of how to prac-
tice safe hygiene in the workplace.
The business sector’s role in communication is critical when
considering what will be needed by government; however,
there are other ways that businesses can and should collaborate
externally on issues related to pandemic planning. In particular,
the development of inter-company planning groups, compris-
ing several disaster recovery and business continuity profes-
sionals from different companies and industries, offers excep-
tional benefit through the sharing of varying industry perspec-
tives on “what if” scenarios. In addition, inter-company plan-
ning presents an avenue for strengthening cross-sector rela-
tionships, where local and state governments can participate
and utilize the opportunity for introducing top business lead-
ers to key emergency management officials and the essential
functions of related agencies, such as local departments of
health and public safety.
With regard to the role of nonprofits, service organizations
will be challenged with providing emergency assistance to
vulnerable populations. Resources will likely be over-
whelmed, so business and government support will be cru-
cial. Faith-based organizations will act similarly, in addition
to serving as a source for spiritual healing and comfort.
The continuing devastation of Hurricane Katrina, as well
as painful memories of 9/11, provides a unique and unex-
pected opportunity to learn by way of example. The value
of communicating and coordinating efforts today is obvious
when taking into consideration the distinct roles of govern-
ment, business and nonprofit entities during a potential pan-
demic, catastrophic event. Developing mutually beneficial
relationships among these various sectors of our communi-
ties, along with increased understanding of how each intends
to function, will serve to strengthen and unify all efforts for
society’s greater good. Business continuity planners need to
make this an immediate top priority.
EVALUATING THE POTENTIAL FOR LIABILITY
Comprehensive pre-planning involving cross-sector commu-
nication and coordination will certainly help to mitigate
some risk for any company or organization during a pan-
demic catastrophe. However, another equally important
component to business continuity planning is thorough
knowledge of the potential legal issues implicated by pan-
demic influenza.
A pandemic will be like nothing we have ever seen before.
We cannot predict its onset or outcome, yet the responsibil-
ity of arming businesses against potential liabilities will rest
with those heavily involved in business continuity planning
and risk management.
Multitudes of legal issues threaten business. Continuity
planners should become familiar with applicable laws and
first carefully update all human resource policies.
In a pandemic catastrophe, human resource management
will be challenged by employee impact immediately at
onset. Up to 30 percent to 40 percent of the workforce
could be out sick, so who will come to work?
Employees may either become infected with the dreaded
H5N1 avian influenza virus or be justifiably concerned
about the health and well-being of their families. Some will
stay home because of illness while others will arrive at the
office out of economic necessity. No two situations will be
alike. “What if” scenarios must be looked at from every angle
and addressed through desired protocol.
Sick-leave policies, for example, need to cover situations
5. www.ContingencyPlanning.com | 5
ranging from sending employees home to handling cases of
excessive use or abuse of sick-leave time. Quarantines are
another important consideration.
There will be wage and hour issues involving both those
businesses relatively unaffected by the pandemic event and,
conversely, those identified as having critical function. These
businesses will meet with sudden high demand and most like-
ly will require employees to work overtime. If not built into the
business continuity plan in advance, compensating for overtime
could be a costly scenario.
How will discrimination apply in the event of a pandemic? It
is illegal to discriminate against an individual based on a dis-
ability, but it is also illegal to discriminate on the basis of a per-
ception of a disability. If an employee is perceived to have con-
tracted pandemic influenza, and the individual is fired or not
permitted to enter the workplace, is this a case of disability dis-
crimination? Likewise, is it a violation of these same laws to
inquire about whether or not an employee is ill?
When upper management is aware of personal illnesses, pri-
vacy issues will arise as organizations try to walk a fine line
between protecting the anonymity of employees who are sick
and informing public health officials or law enforcement. The
Health Insurance Portability and Accountability Act (HIPAA)
applies protection to an individual’s medical health history with
limited exceptions.
Employers are required by law – specifically through the
Occupational Safety and Health Administration (OSHA) – to
maintain a safe work environment. Business continuity experts
need to be familiar with how OSHA laws apply to instances of
traveling for business, on-site contamination by an ill employee
and other worst-case scenarios.
How will the Worker Adjustment and Retraining Notification
Act (WARN) apply? Federal law requires that government and
employees be given a 60-day advance notice of any facility
closings or mass layoffs, with the exception of natural disasters
and unforeseeable business circumstances. Under current case
law, a pandemic is not considered a natural disaster and it is
unclear if it can be defined as an “unforeseeable business cir-
cumstance.”
In addition to addressing human resource management
issues, it is critical to examine insurance policies for loopholes,
gaps and exclusions. Is there coverage for business interruption,
government quarantines or worker’s compensation issues?
No doubt, there are a multitude of scenarios to consider
when reviewing internal policies and procedures for potential
employer liabilities. Amendments that compensate for the
unpredictability of a pandemic event will be essential. In addi-
tion, it is important to understand that current laws and regu-
lations may, in fact, conflict with one another. For example, the
new OSHA guidelines, released in February 2007, appear to
impose obligations or make recommendations that could con-
flict with other laws and regulations. Business continuity plan-
ners should pay attention to changes in law, such as the manda-
tory paid sick-leave legislation that recently took affect in San
Francisco and is being considered by several other states. Legal
scholars have already predicted this issue will lead to increased
legal claims based on cases of employer ignorance or misinter-
pretation of the law. These legal developments could prove rel-
evant during a pandemic catastrophe.
NO JUSTIFICATION FOR TOO LITTLE, TOO LATE
The reality is that the threat of pandemic influenza is still as
real as ever, and there will continue to be many unresolved
issues associated with it – until the nation is forced to endure
an event of this nature. Regardless of public disinterest or igno-
rance, business continuity managers must continue to push for-
ward, remaining proactive in developing comprehensive plans.
Today’s focus, however, must shift away from individual plan-
ning for the survival of one business or organization to a con-
tinuity plan of broader scope. External factors, such as govern-
mental authority and the roles of other sectors, will have great
impact in a time of chaos. Building relationships between gov-
ernment, business and nonprofit entities and working together
to communicate and coordinate efforts should become key
objectives. Otherwise, the legal implications of inconclusive
planning will be felt soon enough. There will be no justification
for poor planning when so much of our existence is at stake.
About the Authors
Greg Stenmoe is a senior litigator in the labor and employment sec-
tion at Twin Cities-based Briggs and Morgan, P.A. He speaks fre-
quently about the legal issues implicated by pandemic influenza in
human resource management, business planning and governmental
authority. Marie Johnson, CBCP, is president of the Business
Continuity Planners Association (BCPA). She has worked in the busi-
ness continuity industry for eight years at top companies, such as
Ernst & Young and U.S. Bancorp, before taking on her current role
as senior manager of business continuity management for Ameriprise
Financial. In October 2006, Stenmoe and Johnson co-founded a pan-
demic summit, along with the State of Minnesota, that successfully
brought together leaders from all over Minnesota to discuss cross-sec-
tor coordination and communication for the first time. Questions and
comments may be directed to editorial@contingencyplan-
ning.com.
Want More?
Still looking for more updates on pandemic
planning? Get all the latest by logging
on to www.contingencyplanning.com.
We’ve got you covered.
6. NATIONAL NEWS
DHS AWARDS $8.8 MILLION FOR
EXPLORATORY RESEARCH ON
ADVANCED NUCLEAR DETECTION
TECHNOLOGY
The U.S. Department of Homeland
Security’s (DHS) Domestic Nuclear
Detection Office (DNDO) recently
announced 10 contract awards totaling $8.8
million to nine companies that will perform
exploratory research in advanced nuclear
detection technology. The Exploratory
Research Program is designed to transform
nuclear detection technology by funding
aggressive research and development that is
unconstrained by pre-existing user expecta-
tions and initial technical risks.
The nine companies selected are: Alliant
Techsystems Inc., Mission Research Division;
Canberra; EIC Laboratories Inc.; General
Electric Global Research Center (two
awards); Physical Optics Corporation;
Radiation Monitoring Devices Inc.; Rapiscan
Systems Corporation; Science Applications
International Corporation (SAIC); and
Westinghouse Electric Company.
Each contract consists of multiple phas-
es, including an advanced technology
demonstration, before potentially transi-
tioning to a systems development and
acquisition program. Successful technolo-
gies will be deployed to provide port-of-
entry (POE) and non-POE radiological
and nuclear detection capability.
Earlier this year, DHS announced the
award of Exploratory Research
Cooperative Agreements with Academia
totaling approximately $3.1 million to
make significant advances in basic
nuclear detection technology. Seven uni-
versities were awarded cooperative
agreements: California Institute of
Technology, Florida Institute of
Technology, Rensselaer Polytechnic
Institute, State University of New York at
Stony Brook, University of Michigan,
University of Nebraska at Lincoln and
Washington University.
— DHS
DHS PROVIDES FIRST RESPONDERS
$34.6 MILLION IN EQUIPMENT,
TRAINING PROGRAMS
The U.S. Department of Homeland
Security (DHS) has announced the award
of $34.6 million in equipment and train-
ing to first responders across the nation
as a part of the fiscal year 2006
Commercial Equipment Direct
Assistance Program (CEDAP). DHS
awarded more than 2,000 direct assis-
tance grants to ensure that law enforce-
ment and emergency responders receive
specialized equipment and training to
meet their homeland security mission.
“CEDAP is yet another mechanism for
the department to work with our local
homeland security partners in strengthen-
ing this nation’s ability to prevent, pro-
tect, respond and recover from a natural
disaster or terrorist attack,” says Under
Secretary for Preparedness George
Foresman. “This program enhances state
and local communities’ capabilities as
well as arms their first responders with
the tools to build stronger regional coor-
dination.”
CEDAP offers equipment in the fol-
lowing categories:
• personal protective equipment;
• thermal imaging, night vision and video
surveillance tools;
• chemical and biological detection tools;
• information technology and risk man-
agement tools; and
• interoperable communications equip-
ment.
This program also focuses on smaller
communities and metropolitan areas not
eligible for the Urban Areas Security
Initiative grant program. Awardees are
required to receive training on their
awarded equipment either on-site or at a
CEDAP training conference.
DHS has provided more than $69.7
million in equipment and training to law
enforcement and fire departments
through CEDAP since the program’s
inception in 2005
— DHS
WORST SECURITY THREATS:
HACKERS AND VIRUS PROTECTION
Network security is regarded by execu-
tives as the single most important attrib-
ute of their network, according to the
results of a global survey conducted by
the Economist Intelligence Unit (EIU) for
AT&T. The research reveals that a major-
ity of executives (52 percent) now
believe that having a converged network
gives their companies better defense
against IT security breaches. Furthermore,
nearly 70 percent feel that IP helps
ensure business continuity following an
emergency.
The survey of 395 senior executives,
called “Network Security: Protecting
Productivity,” also shows that, at the
same time, network security concerns
remain at the top of the list of barriers to
implementing a converged IP network. IP
convergence, although it may increase
vulnerability in some ways, promises to
take the network defenses to new levels
of sophistication and reliability. Today,
organizations are equipped with incom-
parably better tools to protect the net-
work than they were even in the late
1990s.
The EIU white paper shows that,
increasingly, executives feel especially
concerned about the growing volumes of
customer data they hold and manipulate,
and 45 percent say that the holding of
sensitive customer data on their network
makes them feel “extremely” vulnerable
from an electronic security perspective.
Another 41 percent say the process of
analyzing and acting upon detailed cus-
tomer data also significantly increases
their vulnerability.
Among the worst security threats cited
by nearly half (49 percent) of executives
is hackers. Protecting against viruses and
GlobalAssurance
6 | CPM-GA April 2007
7. www.ContingencyPlanning.com | 7
worms also remains top of mind for com-
panies but emerging as one of the most
feared threats is identity theft – men-
tioned by one-third of executives – and
their concerns are set to rise over the
next three years.
The EIU research has also highlighted
the importance of the chief security offi-
cer (CSO), and although typically the
CEO remains the primary decision-
maker for electronic security decision
(with the exception in Europe where the
CIO is more likely to hold this role), the
role of the CSO is rising, with 12 percent
of companies confirming this as the main
decision-maker.
“Security is becoming more and more
important in today’s collaborative envi-
ronment,” says Lloyd Salvage, AT&T’s
vice president in the UK. “We are con-
stantly talking to our customers and help-
ing them to re-evaluate their require-
ments to ensure that their businesses are
adequately protected at all times.”
The white paper is the second of a
series of thought-leadership papers in the
Network Convergence series written by
AT&T in cooperation with the EIU.
Subsequent papers in the series will
explore how companies are addressing
the challenges of managing applications
integration and enterprise mobility.
As part of the research for the paper,
the EIU conducted an online worldwide
survey of 395 senior executives across 51
countries and more than 20 industries.
The majority of respondents came from
Western Europe (32 percent), Asia Pacific
(30 percent), and North America (30
percent). Other respondents came from
Eastern Europe, Latin America, the
Middle East and Africa. 63 percent of
those polled hailed from large firms with
annual revenue of more than $500 mil-
lion. The top five industry sectors repre-
sented by the survey respondents were
professional services, financial services,
manufacturing, IT and technology and
healthcare, biotechnology and pharma-
ceuticals. In addition to the survey
research, the EIU conducted a series of
one-to-one in-depth interviews with sen-
ior executives and analysts.
— AT&T
FORMER CA SENIOR VP TO LEAD
APPLICATION SECURITY
Application Security Inc., New York, N.Y.,
a provider of database security solutions,
announces the appointment of Toby
Weiss as president and CEO. Jack
Hembrough has been elevated to the
position of Chairman of the Board after a
successful leadership run of more than
four years.
“A combination of mounting regulatory
pressures, increasingly focused and pro-
fessional cybercrime and technology
advancements have driven demand for
data security over the last year,” Weiss
says. “With enterprise information assets
increasingly under attack in 2006 and
2007, demand for database security has
never been stronger.”
Weiss takes the reins after continued
growth across key verticals including
financial services, retail, telecommunica-
tions, healthcare, education and govern-
ment with a customer base of more than
700 customers globally.
Weiss joins the company from CA,
Islandia, N.Y., a leading information tech-
nology management software company,
where he held several senior manage-
ment positions. He was most recently the
senior vice president and general manag-
er for CA’s security management business
unit where he was responsible for the
development, strategy, product manage-
ment, marketing and support for several
award-winning security product suites.
During his tenure with CA, Weiss also
served as a senior vice president respon-
sible for managing the regional business
including sales, support and administra-
tion for several areas in the Asia-Pacific
region.
“With the recent trend toward out-
sourcing data repositories and financial
services operations, the need to monitor
database activity and identify potential
issues is more vital than ever to maintain-
ing corporate reputations and consumer
confidence,” says Weiss.”
— Application Security Inc.
SARUBBI NAMED DIRECTOR OF
FEMA’S REGION III
Jonathan D. Sarubbi has been appoint-
ed regional director of Region III in
Philadelphia for the Department of
Homeland Security’s Federal Emergency
Management Agency (FEMA).
Sarubbi, who officially joined FEMA on
March 18, will be responsible for coordi-
nating FEMA mitigation, preparedness
and disaster response and recovery activ-
ities in Pennsylvania, West Virginia,
Maryland, Delaware, Virginia and the
District of Columbia.
“Part of my vision for the new FEMA is
building a strong team of leaders with
decades of emergency management and
other related experience,” says FEMA
Director David Paulison. “With Jon’s
appointment, we now have permanent
directors in all 10 regions of the country.
He has a great background in crisis man-
agement, program management and
homeland security, as well as knowledge
of government safety, security and envi-
ronmental regulations.”
MOVERS & SHAKERS
GlobalAssurance
8. 8 | CPM-GA April 2007
Prior to joining FEMA, Sarubbi was
vice president of marine operations for
the International Registries, Maritime and
Corporate Administrators of the Republic
of the Marshall Islands. During a 26-year
U.S. Coast Guard career that ended in
2005, he held a variety of leadership
positions and directed strategic planning,
day-to-day operations, training, exercises
and logistics and managed multi-million-
dollar budgets and Coast Guard facilities
and property.
Sarubbi served as federal maritime
security coordinator for eastern
Pennsylvania, southern New Jersey and
Delaware and coordinated maritime
homeland security operations. He
worked with federal, state and local law
enforcement and first-responder commu-
nities to gather and evaluate intelligence,
conduct security boardings and harbor
patrols, draft and exercise contingency
plans and prepare for and respond to ter-
rorist incidents.
— FEMA
RESEARCH ANALYSTS, SALES
DIRECTOR JOIN TABB GROUP
TABB Group, a financial markets
research, advisory and crisis management
firm with offices in New York,
Massachusetts and Washington, D.C., has
announced the addition of two research
analysts and a sales director to meet cur-
rent customer demands and position the
company for continued growth in 2007
in the United States and Europe.
The new staff includes Cliff Webster, a
senior analyst in the crisis and continuity
services practice; Anthony Servidio Jr.,
director of sales; and Cheyenne Morgan,
an analyst in the securities and capital
markets practice.
Webster, an expert in process analysis,
contingency planning and risk and threat
assessments, as well as exercise develop-
ment and implementation, will work
directly with financial institutions, inter-
national development organizations and
private sector clients. He comes to TABB
after six years as an associate at Booz
Allen Hamilton where he managed ana-
lytical projects for clients in the defense,
intelligence and public policy community.
Before Booz Allen Hamilton, he worked
with Northrop Grumman and SAIC pro-
viding consulting services in the areas of
international security.
Servidio joins TABB from SAVVIS
Communications in New York where as a
global account manager he was responsi-
ble for sales and management of 10 of
their top 100 customers, selling IP-centric
solution sales of private networks, VPRN,
VoIP, client connectivity extranets, collo-
cation, hosting, BCP and security services.
From 2002 to 2004, he was a global
account executive at Moneyline Telerate
in New York selling SAVVIS network
services and promoting solutions to
hedge funds.
Morgan, who will handle the soon-to-
be-released TABB Liquidity Index cover-
ing pricing information for all of the
ECNs, exchanges and dark pools, served
as an analyst at Markit Group Ltd. in
New York working on bringing trans-
parency and efficiency into the syndicat-
ed loan business by collecting daily pric-
ing data from banks, hedge funds and
institutional investors, as well as conduct-
ing market research on the loan industry.
Prior to Markit, she was at Sumitomo
Trust and Banking, Ltd. where she
worked in the corporate investment man-
agement group.
— TABB Group
GlobalAssurance Movers & Shakers
The World at Your Fingertips
Want the latest breaking business continuity news stories when it’s convenient for you? Look no further than
www.ContingencyPlanning.com. Exclusive Web updates are added every weekday to ensure you don’t miss a step.
Log on today and get up to speed.
www.ContingencyPlanning.com
9. www.ContingencyPlanning.com | 9
PARTNERSHIPS
AGREEMENT TO SUPPLEMENT
EMERGENCY AIR RESPONSE
SERVICE
Frisco, Texas-based Business Continuity
Planning Inc. has entered into an agree-
ment with a subsidiary of Tenet
Healthcare Corporation, Santa Barbara,
Calif., to provide dedicated emergency
air response aircraft support anchored
on the West Coast.
Business Continuity Planning, a sub-
sidiary of XGL, will provide supplemen-
tal emergency air response services
through its Aviation Logistics Emergency
Response Team (ALERT) program for
Tenet’s West Coast hospitals in the event
of a major emergency event.
This is the second contract between
the two companies for this service.
Tenet hospitals in the southeastern part
of the United States are served by a sim-
ilar contract entered into in the fall of
2006.
ALERT puts in place dedicated, pre-
positioned assets to fulfill the aviation
component of Tenet’s emergency and
disaster planning strategies. The pro-
gram delivers systems necessary to help
maintain business continuity through
emergency airlift, expedited cargo and
related communications infrastructure
for the duration of the contract.
“Tenet has several advance-planning
response contracts in place as part of
their disaster and preparedness planning
strategy,” says Jeff Young, Business
Continuity Planning’s director of new
business development. “Their hospitals
serve as first responders in the commu-
nities they serve during emergencies,
and we are pleased that the company’s
management has taken an active role to
manage events before they happen.”
Launched in 2006, ALERT evolved
from the response provided by its par-
ent company following major natural or
man-made business interruptions.
During the massive 2005 hurricane
cycle, for example, the company
responded quickly to mobilize rotary-
wing (helicopter) assets, fixed-wing (pri-
vate jet) assets, forward operating teams
and real-time field based communica-
tions.
“ALERT is for direct response to situa-
tions just like those experienced by so
many in the fall of 2005,” says Young.
“Our contracts with Tenet are the result
of two teams coming together and refin-
ing a plan to provide backup mission-
critical support during times of emer-
gency when traditional modes of trans-
portation and routes are unavailable.”
Advance contracts like the ALERT
program can assure that business sectors
such as healthcare, energy generation
and other essential services can focus on
each organization’s core competencies,
says Young. “The ALERT program is
designed to reduce response time for
customers,” he says. “The goal is to
accelerate the return to normalcy.”
— Business Continuity Planning Inc.;
Tenet Healthcare Corporation
PARTNERSHIP DELIVERS VIRTUAL
INFRASTRUCTURE SECURITY
Virtual Iron Software, Lowell, Mass., a
provider of server virtualization and vir-
tual infrastructure management software
solutions, and Atlanta-based Reflex
Security Inc., a provider of network
intrusion prevention, will deliver Reflex
Security’s Reflex Virtual Security
Appliance (VSA) specifically designed
for Virtual Iron’s virtual infrastructure
environment.
Operating as a virtualized appliance
inside the virtualized environment,
Reflex VSA transcends the limitations of
traditional network security approaches
to detect and mitigate threats between
virtual hosts and networks.
Virtual Iron is an enterprise-class serv-
er virtualization and virtual infrastruc-
ture management platform that delivers
capabilities for primary virtualization use
cases including server consolidation,
development/test/staging environments,
rapid provisioning, virtual appliances,
business continuity, dynamic capacity
management and policy-based automa-
tion.
Reflex VSA is a virtual intrusion pre-
vention solution for virtualized network
environments. Tailored to enterprises
using Virtual Iron for server and net-
work consolidation, Reflex VSA adds a
layer of protection inside the virtualized
network, detecting and preventing
threats such as DoS attacks, virus and
worm propagation and access violations.
“Virtual networks are very attractive
to our enterprise customers as they
reduce server proliferation, increase uti-
lization, and simplify IT infrastructure,”
says Bob Darabant, EVP of sales and
marketing of Reflex Security. “As cus-
tomers expand their consolidation
efforts to more mission-critical applica-
tions, they require a security solution
specifically designed to detect and pre-
vent attacks within virtualized servers.
Reflex VSA assures that enterprises have
comprehensive IPS protection, while
enjoying the reliability and cost-savings
of enterprise-class virtual infrastructure.”
“Traditional security solutions often
require additional hardware and the
installation of complex applications,”
says Mike Grandinetti, chief marketing
officer at Virtual Iron. “Our customers
are deploying Virtual Iron to simplify
their data centers and reduce hardware
and operational expenses.”
General availability of the joint Virtual
Iron/Reflex Security virtual appliance is
planned for the second quarter of this
year. It will be available for free via
download on Virtual Iron’s Virtual
Appliance Exchange and at Reflex
Security’s Web site.
— Virtual Iron Software Inc.;
Reflex Security Inc.
GlobalAssurance
10. 10 | CPM-GA April 2007
Conducting business continuity exercises is an extensive
process. Previously in this series, an outline was presented
as to how many exercises to perform annually, what types of
exercises there are, and how to schedule them. The teams need-
ed to execute an effective exercise were also discussed. And an
explanation was provided as to how to work with an exercise
design team, how to set goals and objectives and how to create
realistic scenarios.
The exercise documentation should be produced at this
point, along with a fully detailed scenario with expected results
outlined. Orientation meetings with the simulation and observa-
tion teams should also be completed, with the teams under-
standing their roles and how to role-play their parts during the
exercise. In addition, you should have had a meeting with the
exercise assistant and set expectations.
With all the preparation behind you, it’s time to execute your
exercise plan. This article, Part III in this series, is written for a
mock disaster scenario lasting four hours.
STEP 1: PRODUCE FINAL DOCUMENTATION AND
HANDOUTS
Taking the Fear
Out of BC
Exercises: A
Blueprint for
Success
Part III: Excercise with confidence
By Telva Chase
Exercises are expensive to run and need to be prepared for to
the last, minute detail. Others will not feel the same about the
exercise as you do, so ensure that you have everything copied,
collated and ready to go 24 hours in advance. Because the
exercise is run based on “timings” it’s critical that the exercise
is not delayed, least of all because you are not prepared to
start on time.
Send appointment reminders to all participants with a list of
equipment (laptops, cell phones, pagers, etc.) and items (plans,
disaster kits, etc.) to bring to the exercise. Stress the impor-
tance of being on time. If a critical participant alerts you that
they will not be able to participate, you will need to adjust
your documentation.
Recovery Team Guidelines: Check for accuracy of names,
dates and times, opening scenario, communications directory
and instructions. Double-check that cell phone numbers on the
communications directory are correct. Make enough copies for
those invited to participate, plus a few extras.
Simulation Team Handout: Go through the fully detailed sce-
nario for the simulation team to use during the exercise. You
should already have conducted an orientation with the team
11. www.ContingencyPlanning.com | 11
and made final edits to the document. Make enough copies for
the team in the event they do not bring one with them.
Observation Team Form: Ensure that the scenario and timings
match the simulation team handout. Go through the section on
“expected results.” Make any necessary last-minute corrections
and print enough copies for your evaluators.
Participant Evaluation Form: Prepare an evaluation form to give
exercise participants. Be sure to provide a place to check off if
the participant was included on simulation, recovery or obser-
vation teams. Ask for their name if you like, but make it option-
al. Provide a maximum of 10 questions or statements for
response; keeping the form short will encourage more feed-
back. After each statement, provide a scale so that the partici-
pant may indicate their answers. Provide a “comments” section
at the beginning or end of the survey so that participants may
write additional comments. Make enough copies for everyone
in attendance. A participant evaluation form statement may
look like the following:
1. The goal of the exercise was achieved.
1 2 3 4 5
Disagree Agree
Other questions/statements to consider including in the eval-
uation for comment are:
• The business continuity plan written for my business function
was helpful during the exercise.
• My business unit was utilized appropriately throughout the
exercise.
• Communication during the exercise was effective and appro-
priate.
• Emergency procedures are known and understood by my
team.
• What did you like best/least about participating in today’s
exercise?
• How can the exercise be improved?
• What surprised you about the exercise?
Messages and Cue Cards: It may be necessary to print out mes-
sages, one to a page, separate from the simulation team hand-
out. Anyone from the simulation team or the exercise assistant
may need to read aloud or hand a person on the recovery team
a message during the exercise that either adds or changes the
information already given as part of the scenario. These mes-
sages need to be coordinated and managed throughout the
exercise in a timely fashion. Here are a few examples:
Name Tents or Nametags: Name tents or nametags need to be
prepared if the exercise is large. Also use nametags for simula-
tion team members role-playing someone other than them-
selves. Have these printed and ready to go so you are not wait-
ing for people to fill out nametags upon arrival.
STEP 2: LAST-MINUTE PREPARATIONS
Unless you have help on the day of the exercise, it’s easier to
collate all materials before arriving on site. Depending whether
or not there is assigned seating in the recovery room, you may
want to include nametags or name tents in each package.
When gathering materials for the packages:
• Recovery team participants should receive the recovery team
guidelines and an evaluation form.
• Simulation team members should receive the recovery team
guidelines, a simulation team handout and an evaluation
form.
• Observation team members should receive the recovery team
guidelines, an observation team form and an evaluation form.
• The exercise assistant should receive a copy of everything.
Pack everything you will need to conduct the exercise,
including the following items you may have forgotten:
• A bell, flag or other signaling device to stop the exercise if
need be.
• A fully charged cell phone or BlackBerry, along with the
charger.
• Copies of plans that will be tested; you may need to refer to
them during the exercise.
• Any audio/visual materials that will be used (radio/TV
announcements, maps, photos, etc.).
If you are traveling to the facility by air, pack all the above
materials in your carry-on luggage, or have someone on site
prepare the materials and have them waiting for you upon
your arrival. You don’t want the exercise to be delayed because
your luggage is missing – along with all the exercise materials.
STEP 3: ARRIVE AND SET THE TONE
Arrive early – at least one hour before the exercise – and
ensure that the rooms (one for the recovery team and one for
the simulation team), furniture and equipment setup is correct.
Coordinate with the exercise assistant to ensure that
meals/drinks are scheduled for delivery.
12. 12 | CPM-GA April 2007
Have the exercise assistant help with handouts, name
tents/nametags, flipcharts, markers, tablets, pencils/pens and
chairs. Ensure that he or she understands how messages and
cue cards are to be delivered. If there are participants that need
to be grouped together for whatever reason, assure that there
is a designated area(s) for them.
Greet each participant as they arrive at the door. This helps
to put everyone at ease. If there is assigned seating, point each
person to their location. Food and drink should be available if
the exercise spans more than a four-hour time period. At min-
imum, water and snacks should be in each room.
And begin exactly on time.
STEP 4: PARTICIPANT ORIENTATION
Using the recovery team guidelines document, go through the
instructions, expectations, goals and objectives and how to use
the communications directory. Give the participants the open-
ing scenario at the very end and answer any questions you can.
This step should take about 25 minutes.
STEP 5: DISMISS SIMULATION TEAM
Dismiss the simulation team to their room five minutes before
exercise is to begin. They will interact with the recovery team
by phone and in person, depending on the scenario.
STEP 6: CONDUCT THE EXERCISE
Ring the bell or wave the flag, and write the date and time on
the board or flipchart, or use a projector. Announce the next
piece of the scenario (by messenger, cue card or radio/TV
announcement.
Observe the activity; if the recovery team needs assistance to
begin, ask a few questions to get them started.
Stop the exercise whenever you progress time within the sce-
nario to make an announcement. Allow participants to have a
15-minute break. Terminate the exercise on time. This step
should last a little longer than two hours.
STEP 7: EVALUATION AND FEEDBACK
At the conclusion of the exercise, invite the simulation team
back to the recovery room for a feedback session, which
should last about an hour. Do this immediately following the
exercise while everything is still fresh in the participants’ minds.
It’s usually best to ask for feedback (write this on a flipchart)
within set parameters. Have participants complete their evalu-
ation forms during this hour.
For example, ask that each person name three things they
thought went well and three things that could be improved.
Limit each comment to less than two minutes. Leave enough
time (five minutes) at the end of the session to summarize as
the facilitator. As the exercise assistant makes notes on the
flipchart, each item can then be checked each time the same
comment is made.
Preface all feedback with a statement that any derogatory
comments should not include anyone’s name but “we” should
be used. For example, encourage participants to say something
like, “We could have done a better job of contacting all employ-
ees.” If a positive comment is made, then by all means, give
credit to the person receiving the compliment. For example,
“Jill was a great leader. She communicated effectively with her
team.” Assure participants that the feedback session will be a
positive experience.
Allow feedback to happen in this order, without open discus-
sion:
• Facilitator
• Observation team
• Simulation team
• Recovery team
Ask for and collect written evaluations. As the facilitator,
quickly glean all areas for improvement, and identify plans and
responsible parties for action items. Agree upon due dates and
review dates, and have the exercise assistant write all action
items on a flipchart or board. Thank everyone for participating.
Finally, let the group know when the report will be published
and distributed.
Following these steps will help provide a well-organized,
effective exercise resulting in updated and improved business
continuity plans and a corporation that is prepared to handle
any type of incident or emergency.
Don’t miss Taking the Fear Out of BC Exercises: A
Blueprint for Success, Part IV: Enhance, Improve,
Succeed, in next month’s issue of CPM-Global
Assurance.
About the Author
Telva Chase has more than 27 years of software engineering and
seven years of full-time BC/DR experience. In 2002, she created
and currently is the director of the business continuity program office
for Thomson Scientific & Healthcare (www.thomson.com). Questions
and comments may be directed to editorial@contingencyplan-
ning.com.
For even more tips on conducting
effective BC exercises, check out tips from the
experts being offered at
CPM 2007 WEST in Las Vegas May 22-24.
See page 23 for more info, or log
on to www.contingencyplanningexpo.com.
13. www.ContingencyPlanning.com | 13
INDONESIA ALLOTS $1 BILLION TO
PREVENT FLOODS
Indonesia has earmarked more than $1
billion to prevent flooding in the capital
where an inundation earlier this year
killed dozens. The flooding in February
following monsoon downpours killed 85
people across Indonesia, displaced
around 340,000 and paralyzed Jakarta,
a city of about 12 million people.
It led to searing criticism of flood pre-
vention measures as foul-smelling water
sloshed around normally traffic-clogged
roads for more than a week.
There were even calls to consider
moving the low-lying capital elsewhere,
as power and water supplies were dis-
rupted in the interests of safety.
In response, the central government
and the capital’s local authority have
alloted 9.5 trillion rupiah (1.04 billion
dollars) to avoid a repeat, says Public
Works Minister Joko Kirmanto. The
money will be used for measures such as
improved drainage, tackling rivers prone
to overflowing and the completion of a
major flood canal by 2008. The govern-
ment will provide 6.5 trillion rupiah,
with the remainder coming from the
local authority. Kirmanto says the
money would be dispersed from now
until 2009, but around 40 percent will
be released this year.
Some experts say the floods occurred
because poor city planning and an
extended construction boom over-
whelmed an old drainage system built
hundreds of years ago by Dutch coloniz-
ers. The inundation is estimated to have
caused damage and losses also worth
around $1 billion.
— Agence France-Presse
WHO, EXPERTS MEET TO DISCUSS
AVIAN FLU TREATMENTS
By Cheryl Pellerin, USINFO Staff Writer
As the number of human cases of avian
influenza confirmed by the World
Health Organization (WHO) rises to
281, with new cases reported in Egypt
and Laos, WHO and international
experts are meeting in Turkey to discuss
how best to treat people who become
infected with the highly pathogenic
H5N1 form of the bird flu virus.
Since 2003, some 300 million birds
have died directly from infection or
have been destroyed to keep the virus
from spreading, and 169 people have
died, most from close contact with sick
birds.
The March 19-21 meeting in Antalya,
on the Mediterranean coast of southern
Turkey, is the second meeting of 100
experts and experienced medical practi-
tioners from hospitals that have treated
H5N1 patients. The first meeting was in
May 2005 in Hanoi, Vietnam.
“We know more now than we did two
years ago,” a WHO spokesman told
USINFO. “A lot of work has gone on
between 2005 and now, and there have
been twice as many cases. All that com-
bined will mean we have a lot more data
to draw from.”
The meeting’s objectives are to sum-
marize H5N1 symptoms and laboratory
and pathological findings, encapsulate
current knowledge about managing
H5N1 infections and identify gaps in
H5N1 knowledge and treatment that
need research.
During the meeting, participants sum-
marized the current understanding of
INTERNATIONAL NEWS
GlobalAssurance
14. features of H5N1 infection like its incu-
bation period, clinical course and dura-
tion of viral shedding, and of the pathol-
ogy and clinical manifestations of H5N1
virus infection in people. Participants
hope to improve understanding of
responses to current treatments, includ-
ing anti-viral drugs.
A paper describing the results and
updating the WHO recommendations
for treating H5N1 patients will be pub-
lished in a medical journal.
On March 19 and 20, the Egyptian
Ministry of Health and Population
announced new human cases of H5N1
avian influenza infection, both in Aswan
Governorate in southern Egypt. The
cases were confirmed by the Egyptian
Central Public Health Laboratory and
U.S. Naval Medical Research Unit No. 3
in Cairo.
A two-year-old boy developed symp-
toms March 15 and was admitted to the
hospital the next day. He was in stable
condition on March 20. Investigations
indicated a history of contact with back-
yard poultry.
On March 13, a 10-year-old girl was
admitted to the hospital with symptoms.
She was in stable condition on March
19. Investigations indicate that she had
recently been exposed to sick poultry.
The girl’s contacts are under observa-
tion.
According to WHO, no epidemiologi-
cal link has been found between the
two cases.
On March 12, the Ministry of Health
and Population announced another
human avian flu case: a four-year-old
boy from Ad Daqahliyah Governorate.
He developed symptoms March 7, was
admitted to the hospital the next day,
and his condition was stable March 12.
He was exposed to sick birds during the
first three days of March. The boy’s con-
tacts are healthy and are being moni-
tored closely.
Of the 26 cases confirmed to date in
Egypt, 13 have been fatal.
On March 16, the Ministry of Health
in Laos, officially the Lao People’s
Democratic Republic, reported its sec-
ond human death from infection with
the H5N1 avian influenza virus.
The country’s first death, announced
by the Ministry of Health March 8, was
a 15-year-old girl from Vientiane
province, the capital of Laos, in the
Mekong Valley. Her infection was
announced Feb. 27 and she died March
7 after being hospitalized in neighboring
Thailand.
And a 42-year-old woman from Saka
village in the Pong Hong district, also in
Vientiane province, developed a fever
Feb. 26, was hospitalized in Vientiane
Provincial Hospital Feb. 28, and then
transferred to Setthathirat Hospital
March 1. She died three days later.
Tests performed during an investiga-
tion to determine the source of expo-
sure found a duck positive for bird flu in
the woman’s household. Close family
and hospital contacts are being moni-
tored for possible infection.
Initial testing was conducted by the
National Centre for Laboratory and
Epidemiology in Laos. In line with WHO
policy, samples were sent to a WHO col-
laborating laboratory in Tokyo for diag-
nostic verification and further analysis.
The collaborating center confirmed
H5N1 infection.
WHO continues to work closely with
the Laos government to strengthen case
reporting, improve diagnostic capacity
and increase local awareness of the dis-
ease.
— Bureau of International Information
Programs, U.S. Department of State
EMERGENCE OF AVIAN INFLUENZA
IN AFRICA INCREASES PANDEMIC
RISK
The avian influenza virus, with its possi-
ble mutation into a form capable of
engendering a human pandemic,
remains a serious threat around the
world, with greater transparency and
sharing of information critical to meet
the challenge, and Africa emerging as a
top priority for resources and technical
aid, according to the latest United
Nations update.
“The possibility of a human pandemic
hangs over us,” warns the UN Food and
Agriculture Organization (FAO). “H5N1
remains a potent threat around the
world, both to animals and humans,” the
agency says, noting that, with the arrival
of the virus this year in Africa, there is
much cause for concern.
“Failure by any one country to contain
the disease could lead to rapid re-infec-
tion in many more countries,” FAO
Assistant Director-General Alexander
Müller says. “One weak link can lead to
a domino effect, undoing all the good
that we have achieved so far. Now is no
time for complacency.”
FAO says that several parts of the
world remain particularly vulnerable
because of a shortfall in donor funding,
including Africa, eastern Europe and the
Caucasus and Indonesia.
According to the FAO, “Africa must
now be a top priority for resources and
technical assistance in the battle against
avian influenza.” However, the agency is
also calling for continued commitment
to unaffected parts of the world like
Latin America and the Caribbean,
“where the FAO’s investment in national
and regional preparedness planning is
paying off.”
Winning the battle against the virus
demands a long-term vision, with more
surveillance, rapid response to outbreaks
and greater transparency and sharing of
information essential. “Scientific break-
throughs on improved diagnostics, vac-
cines and treatments can only emerge if
virus information is shared widely and
willingly, for the greater good,” the FAO
says.
The FAO is calling on countries to
place stronger emphasis on hygiene and
movement control throughout the ani-
mal production and marketing chain to
produce positive results. “In Vietnam, for
example, an integrated strategy of sur-
veillance and laboratory capacity build-
ing, movement control, vaccination and
culling has averted what could have
been a disaster,” the agency notes.
GlobalAssurance International News
14 | CPM-GA April 2007
15. Senior UN System Coordinator for
Avian and Human Influenza David
Nabarro says $1.5 billion is needed
worldwide during the next two to three
years for preventive measures. So far,
the FAO has received $76 million for its
activities, and agreements have been
signed for $25 million more, with a fur-
ther $60 million in the pipeline.
— FAO
INDONESIA AGREES TO RESUME
SHARING AVIAN FLU SAMPLES
BY CHERYL PELLERIN, USINFO
STAFF WRITER
After a two-day meeting in Jakarta,
Indonesia, among officials from the World
Health Organization (WHO) and 18
nations that have had animal and human
outbreaks of the highly pathogenic avian
influenza virus, the government of
Indonesia has agreed to resume sharing
H5N1 virus samples for the first time
since January.
Indonesia Health Minister Siti Fadilah
Supari focused global attention during the
past few months on the fact that develop-
ing countries supply H5N1 samples to
WHO collaborating centers for analysis
and preparation for vaccine production
but are unlikely to have access to the vac-
cines.
“Previously, WHO used a mechanism
that was not fair for developing countries,”
Supari said at a March 27 press conference
in Jakarta. “This mechanism was not fair
and transparent in terms of the expecta-
tions of developing countries. We think
that mechanism was more dangerous than
the threat of pandemic H5N1 itself.”
To address these concerns and maintain
sample sharing for risk assessment, WHO
organized the meeting in Jakarta. Among
the participants were senior scientists,
including four directors of the WHO col-
laborating centers; potential funding
sources, including representatives from the
Asian Development Bank and the Gates
Foundation; and others.
The agreement comes as the Egyptian
Ministry of Health and Population
announced a new human case of H5N1
avian flu in a three-year-old girl from
Aswan governorate who had contact with
backyard poultry.
“The current global capacity to produce
a vaccine to respond to an influenza pan-
demic is insufficient to meet the global
need, especially in developing countries,”
says U.S. Health and Human Services
Secretary Michael Leavitt. “The WHO
deserves continued support and commen-
dation for its leadership in guiding the
global effort to prepare for and respond to
a potential human influenza pandemic.”
Withholding viruses from WHO collab-
orating centers posed a threat to global
public health security and the ongoing risk
assessment conducted by WHO collabo-
rating laboratories.
WHO collaborating centers perform
several key flu-related activities, including
determining if the virus acquired human
genes or made other significant changes,
identifying potential vaccine strains, testing
to determine if the virus is vulnerable to
recommended anti-virals, tracking the
virus’s evolution and geographic spread
and updating diagnostic tests because flu
viruses constantly mutate.
After the meeting, Supari reviewed rec-
ommendations and said Indonesian virus-
es once again could be shared with the
WHO. The meeting concluded that WHO
collaborating centers will continue risk
assessment on H5N1 virus samples and
turn virus into seed virus suitable for vac-
cine production and terms of reference for
the WHO labs will be revised.
The terms of reference will describe
exactly what a collaborating center can do
with the viruses provided through surveil-
lance, says Dr. David Heymann, WHO
assistant director-general for communica-
ble diseases. WHO will develop the stan-
dard document with input from member
countries.
The meeting endorsed WHO’s efforts to
www.ContingencyPlanning.com | 15
16. 16 | CPM-GA April 2007
link vaccine manufacturers in developed
and developing countries to speed the
transfer of influenza vaccine manufactur-
ing technology.
“We have struck a balance between the
need to continue the sharing of influenza
viruses for risk assessment and vaccine
development,” Heymann says, “and the
need to help ensure that developing coun-
tries benefit from sharing without compro-
mising global public health security.”
Individual countries will negotiate how
vaccine is made available to them.
“WHO is not involved in financial nego-
tiations, either in selling viruses or buying
vaccine,” continues Heymann. “Countries
will negotiate bilaterally with vaccine man-
ufacturers. We will certainly facilitate if
countries are asking for support, but it
won’t be standard.”
WHO best practices for sharing flu virus
were developed for seasonal influenza
vaccine, which has a market in developed
countries but in only a few developing
countries.
“H5N1 vaccines are a different issue,”
Heymann says. “We will now modify our
best practices to ensure that they are trans-
parent to the developing countries which
are providing samples and which have
requested to share in the benefits resulting
from those viruses.”
The director-general of WHO is com-
mitted to working with pharmaceutical
companies and donors to develop a pos-
sible stockpile of vaccine for developing
countries if they need vaccine, says
Heymann, but this is at an early stage of
feasibility study.
— Bureau of International Information
Programs, U.S. Department of State
SINGAPORE EMERGING AS HUB FOR
DISASTER RECOVERY MARKET
By Tung Shing Yi, Channel NewsAsia
The recent Taiwan earthquake triggered
the meltdown of Internet connectivity and
caused the disruption of business services
in Asia.
But it also set off a revival of interest in
disaster recovery management among
companies in the region.
According to the Disaster Recovery
Institute Asia (DRI Asia), the episode clear-
ly shows the lack of contingency planning
among businesses in Asia. And the insti-
tute says there has been an influx of
enquiries from both the public and private
sectors.
Lim Sek Seong, program director, DRI
Asia, says, “One of the things the govern-
ment is emphasizing is that organizations,
whether public sector or private sector,
have to [have] business continuity man-
agement and implement business continu-
ity and recovery plans.”
“The key reason is that organizations
need to survive any major incidents and
protect the lives and safety of their cus-
tomers and staff, while at the same time
ensuring key assets like infrastructure and
information are protected. This is the pri-
mary focus of business continuity manage-
ment.”
Initially, the bulk of demand for its serv-
ices came from the financial sector
because of the need to reduce credit risks.
“Almost every country has its own central
bank. It was natural to avoid financial cred-
it risk, to control credit risk, the regulators
introduced guidelines. Many of these
banks also introduced business continuity
management guidelines,” says Lim.
But increasingly, the institute is seeing
demand from manufacturing, IT services,
chemicals and even the public sector. In
the past two years, DRI Asia’s revenue has
shown a steady annual growth of about 20
percent.
Disaster recovery awareness started with
Y2K fears in the late 1990s. It has since
evolved into a viable industry driven by a
high level of interest from the public and
private sectors.
According to DRI Asia, the Asia-Pacific
disaster recovery market is estimated to be
worth $1.3 billion a year.
— Channel NewsAsia
STUDY FINDS 44 PERCENT OF
COMPANIES UNABLE TO DECLARE
VIRTUALIZATION DEPLOYMENTS A
SUCCESS
The results of an independent global
study, conducted by Islandia, N.Y.-based
CA, a provider of information technolo-
gy management software, highlights the
mixed results companies are experienc-
ing with server virtualization, as well as
critical success factors discovered by
early adopters.
According to the study, which sur-
veyed 800 organizations around the
world, 44 percent of respondents who
said they had deployed server virtualiza-
tion technology were unable to declare
their deployment a success. Inability to
quantify ROI was a key factor in their
reticence to definitively claim positive
results.
The study also reveals that 71 percent
of organizations that have moved ahead
with virtualization have deployed, or
plan to deploy, multiple server virtualiza-
tion technologies, including operating
system and hardware virtualization, oper-
ating system partitioning, para-virtualiza-
tion and/or clustering. Sixty percent of
organizations consider clustering a type
of server virtualization, adding to the het-
erogeneity of virtualized environments.
For organizations claiming success with
virtualization, the most important factor
was being able to measure performance
of the virtualized environment. Other
key success factors cited in the study
include diligent inventorying of server
assets and load distribution and thorough
investigation of available technology
solutions.
According to the study, organizations
are primarily deploying virtualization to
improve server/system utilization rates,
increase server reliability and uptime and
enhance business continuity.
The survey was conducted in January
by The Strategic Counsel, an independ-
ent research firm. Of the respondents, 30
percent were from North America, 37
percent were from Europe and 31 per-
cent from the Asia-Pacific and Japan
region. Of the organizations surveyed,
67 percent had between 10 and 99
physical servers, and 22 percent had
more than 200.
— CA
GlobalAssurance International News
17. www.ContingencyPlanning.com | 17
Another question this two-part article will help address is,
“How do I maintain interest in continuity planning and strate-
gic readiness when the threat environment becomes less
intense?” Look for Part II of this series next month, which will
discuss disciplines five through eight: 5) constructive approach-
es; 6) pattern intuition; 7) surprise avoidance; and 8) manage-
ment perspective.
Each of these concepts is powerful, useful, and a key ingre-
dient for the all-important linkage with management as a trust-
ed strategic advisor.
DISCIPLINE ONE: VERBAL SKILL
There are five specific elements to the discipline of verbal skill.
They’re organized into a structure that will help you assess
your level of skill, knowledge and ability, as well as to deter-
mine where you need to improve.
The five elements trusted advisors need to master include
on-the-spot advice, constructive approaches, outcome direc-
tion, the three-minute drill and storytelling. This article will dis-
cuss two of these concepts.
On-the-Spot Advice: Managers manage in real time. Yes,
How to Become
a Trusted
Strategic Advisor
The eight disciplines: Part I
By James E. Lukaszewski,
ABC, APR, Fellow PRSA, CCEP,
Keynote Speaker at CPM 2007 WEST
Providing credible advice and thinking strategically are what
most of us – whether as a staff member or outside consult-
ant – truly seek to accomplish. This includes initiating and
helping to develop tactical options for operational and organi-
zational leadership. Gaining respect as a strategist and trusted
advisor ties into the three crucial questions that affect all con-
sulting relationships:
• How do I get invited to the table before all the decisions are
made and before outside voices get in the way?
• How do I earn a continuous seat at the strategy table? and
• What do I have to do to get the call from the boss ahead of
everyone else?
A variety of skills are crucial to becoming a trusted strategic
advisor. This article – Part I in a two-part series, discusses four
of the most important disciplines: verbal skills, strategic impact,
pragmatism and inconsistency.
Read these concepts through and assess how you may
already be accomplishing some of them as a part of your daily
work. You may need to more thoroughly think through some
of them develop them for your own use.
18. 18 | CPM-GA April 2007
there’s planning. Yes, there’s strategizing. Yes, there’s research
and other elements involved in developing business plans,
strategies and actions. Typically, the staff function knows very
little about the operating side of the business and, therefore,
requires input, learning time, and, sometimes, the client’s infor-
mal reflections on ideas before concrete advice can be offered.
The trusted advisor is expected to give advice on the spot.
This skill is what truly sets internal experts apart from outside
consultants. Some consultants are hired to conduct studies and
develop plans and strategies, but for the price paid, the boss is
looking for a consistent stream of useful advice, given immedi-
ately once a situation is understood, even if only vaguely.
Developing your ability to confidently give on-the-spot advice,
in small increments, is critical to being valuable when it really
matters – at times of crucial decision making.
Building this skill requires continuous refinement of your
management focus. This concept requires that you spend more
time focusing on what managers really need from a manager’s
perspective. It’s these experiences, knowledge and attitudes
that enable you to give advice promptly and competently –
with confidence.
Storytelling: You can marshal all of the facts, data and infor-
mation available on a particular topic. You can even work for
somebody who really does appear to read and absorb this stuff.
But one simple story, told in 30 seconds, with a great lesson,
moral or self-evident truth, is often more persuasive and pow-
erful. Become a storyteller.
When it comes to consulting, I’ve noticed that one of the
most interesting gender differences (I know this is a very dan-
gerous topic) is that I typically hear and expect male advisors
and consultants to use stories far more often than women.
While my study is based solely on empirical evidence, this is a
solid and interesting contrast – especially since most senior
executives are men. For the female contingency planning exec-
utive, developing the storytelling technique can be an extreme-
ly powerful verbal tool as you move forward.
The place to begin in storytelling is to recognize and choose
stories that you hear or tell yourself. Write out the stories and
examine why you like to tell or hear them.
Here are the attributes of an effective story:
• There’s a beginning, middle and end.
• It’s generally in positive language.
• Stories should be brief, usually up to 150 words (one minute
speaking time).
• Stories are in plain language (meaning language a 13-year-old
can understand).
• Stories are people-focused (about people, animals or living
systems).
• Stories end with a moral, lesson or self-evident truth.
People who tell stories are the teachers in our lives. We are
conditioned from childhood, through family life or religion, to
listen and learn from stories.
After you’ve analyzed the stories you already tell to deter-
mine what they teach and how they teach it, begin looking for
other stories that illustrate important points you want to make.
Get in the habit of thinking about situations in ways you can
effectively retell.
The Story Development Worksheet (Figure 1) shows a sam-
ple format (you can develop something like this on an 8-1⁄
2 x11-
inch sheet of paper) or template for identifying and developing
the stories you would like to use.
This is a serious, intentional activity. Forcing yourself to boil
down important information and events into this one-minute
format will make you say less, but make what you say more
important. This format forces you to focus on what truly mat-
ters. It’s a template that allows you a sense of communication
quality assurance in that you’re always heading towards a les-
son, moral or self-evident truth.
One of the greatest sources of stories today, and for many
decades, is Reader’s Digest. This magazine specializes in the very
short anecdotal story. There are columns like “Humor in
Uniform” and “Life in These United States.” Every month there
are many anecdotes throughout the publication that will be
useful as stories or models for stories you can actually use. In
addition, there are national and international associations of
storytellers you can join and participate in.
In my work as a consultant, whenever I have a conflict or dif-
ference of opinion with a client – or the client has a difference
of opinion internally – my first technique is to tell some kind
of story from my experience. The story illustrates a truth they
can both agree on, or agree to disagree on, so they can move
forward – or at least get by the current obstacles. When I’m
challenged by individuals, I invariably have a story of a similar
challenge that was either overcome, confirms their wisdom or
steers us in a new and better direction. Rarely will facts and
data ever be as powerful, even when delivered by knowledge-
able and respected people.
Besides, it’s really cool to know that a story you tell can make
people laugh, cry, question, commit, mobilize or take action.
DISCIPLINE TWO: STRATEGIC IMPACT
Strategic impact means three things: focusing on the ultimate
goal, focusing on what matters and working and thinking in a
more operational context. Strategic impact, from the stand-
point of our discussion, has five components, some of which
cut across ideas already shared in this series.
1. Management Language: Understanding the contingency
planning management function, and the value and merit of the
function, is probably the furthest thing from an operating indi-
vidual’s frame of reference. Clearly, what the contingency plan-
ning management function is and does is important, but usual-
ly secondarily to operational decision making and strategy. Use
management language; read management publications; and
understand what the boss cares about. Then learn something
about it, and give advice in that context.
2. Truly Strategic Insight: Insight is the development of new
information or knowledge from existing data or known facts.
19. www.ContingencyPlanning.com | 19
It’s the intentional action of looking at things differently, on
purpose, to extract new knowledge. This is one of the most
important disciplines of the trusted advisor. Absent this disci-
pline, everyone becomes a “yes” person based on what they
hear, read and see. You must make an effort to extract or dis-
till more value from what is already known. This is what insight
is all about.
3. Focus on the Ultimate Outcome: This is where the man-
ager’s or operator’s brain really is – at the end of the process,
looking at the product solution or next steps. This has to be
something you can do as well. Dr. Stephen Covey, author of
The Seven Habits of Highly Effective People, talks about planning
with the end in mind. This is a similar concept. Understand
where you’re headed; then work backwards to identify all the
doable increments.
4. Substantive Intensity: Staff people tend to babble a lot,
often about things only they care about. The mindset of sub-
stantive intensity focuses on what truly matters. I refer to this
as the 95-5 Rule. Ninety-five percent of what we do each day
doesn’t matter, is unnecessary or needs to be shoved off to
someone else so that the truly important stuff, the crucial five
percent, can be managed. In practical terms, this means that
when it involves management, you need to be certain that
what you’re talking about, working on or working with really
matters. Stop wasting time. Stop bloviating on things that have
little or nothing to do with where you’re headed. Always strive
to keep things focused on the crucial five percent. Be respon-
sible for substantive intensity when you’re around.
5. Conclusive Action Recommendations: Anyone who has
run anything understands that everything is accomplished in
increments rather than blindingly simple or powerful steps, or
surprise. Look for the next increment, the next step in the
process, the most logically doable actions that can be taken.
Then recommend, support or develop those steps and actions.
You’ll be responsible for keeping the momentum of the process
alive and, through the other techniques we’ve talked about,
keeping people focused on the proper direction.
DISCIPLINE THREE: PRAGMATISM
A pragmatist is someone who tends to focus on what is actual-
ly doable. A pragmatist knows the knowable, does the doable,
gets the getable and achieves the achievable.
In more practical terms, this means keeping management
centered on a track that will get them where they need to be.
While similar to providing substantive intensity, verbalizing
what is achievable often amounts to stating the obvious. In
many management discussions, enormous amounts of time are
wasted speculating, guessing, estimating and talking mindlessly.
Take the responsibly for bringing everybody back to what is
doable or what is knowable, and identify what is accomplish-
able.
A pragmatist brings a sense of reality into the mix of deci-
sions and actions to keep things as real as possible. Many of the
insights from those involved in contingency planning manage-
ment work are less obvious to those who are not. In fact, most
contingency management planners I work with do tend to be
pragmatists, and are sometimes criticized by management
because they are more engaged in system protection than in
the can-do attitude management seems to need to get things
done.
A pragmatist is a person driven by the power of incremental
success. Crises, disasters and explosive problems happen in an
instant. Recovery and remediation happen incrementally.
Avoid the mindlessly negative discussions, guesswork,
scheming and estimating that often occur when emotions run
high and problems are severe. Be the advisor who can do the
doable, know the knowable and do those things that you know
will work.
Remember the prime reason most CEOs lose their jobs: they
fail to achieve or accomplish what they promised when they
got the job. Avoid being the one who walks into the boss’
office with two, three or four new ideas, only to leave them
www.ContingencyPlanning.com | 19
Figure 1
The Story Development Worksheet:
Developing Stories That Communicate Your Messages
Storytelling is among the most powerful verbal communication
techniques in any language, in any culture. Stories that communi-
cate have six components, no matter how brief or extended the
story happens to be. The planning form below is designed to help
you take your messages, ideas and opinions and turn them into
stories that communicate, persuade, neutralize, energize, motivate,
pacify or even cause a tear.
Story Development Format
Message, communications objective, moral, lesson, punch line,
purpose, self-evident truth:
Plain language synopsis:
People focus, main characters:
Structure, sequence of events (beginning, middle, end):
Key facts/data:
Human factors:
20. 20 | CPM-GA April 2007
behind to add to the boss’ unmet and unfinished work from
yesterday, or even last week. Help the boss get what matters
done first.
DISCIPLINE FOUR: INCONSISTENCY
This is among the harder concepts to grasp because most of us
want to fit in, be accepted, be liked and still have some sort of
impact. If you want to be really valuable, why would you strive
to do the same thing everyone else is trying to accomplish? Be
constructively different, on purpose.
Inconsistency in strategy is a virtue. Strategy is looking at
things that are known and unknown and attempting to devel-
op innovative ideas and approaches for movement, action and
decision making. To do that, the strategist has to be intention-
ally inconsistent, looking at what was done before and inten-
tionally doing things differently from past practice. Being incon-
sistent means questioning all assumptions – intentionally mis-
understanding those ideas, assumptions and standards that are
taken for granted or at face value. Being methodically inconsis-
tent is one of the key habits to developing insight. This means
extracting new information and knowledge from existing data
and information.
One of the great strategies to achieving inconsistency is con-
stant simplification of ideas, concepts and decision making.
Simplification is accomplished by relentlessly asking “why.”
When a situation is outlined, we ask, “Why has that pattern of
events been identified?” When we get the explanation of
“why,” we ask, “Why were these knowledges the most impor-
tant of all the possibilities?” When we hear the answer to that
question, we ask “why” again. Each “why” helps us drill deep-
er, yet simplify what the ultimate strategic advice is going to be.
There are two kinds of questions in organizations - questions
that teach and questions that kill. Being inconsistent means ask-
ing questions that teach, illuminate and explore what’s being
thought, what’s being said, what’s being planned and what’s
going to be accomplished. A trusted advisor is a constructive
questioner.
The payoff is insight, sometimes even visionary approaches.
Be a facilitator and evaluator of positive, incremental
progress. Adopt these attitudes and you’ll be invited to more
meetings and your views will be sought after more frequent-
ly.
While being “inconsistent” in most organizations is a serious
indictment of behavior, in strategy, inconsistency is a power-
ful virtue.
Don’t miss Part Two of The Eight Disciplines of
Becoming a Trusted Strategic Advisor in next
month’s issue of CPM-Global Assurance.
About the Author
James E. Lukaszewski is a corporate crisis troubleshooter with a
global practice. He works at the highest levels of corporations and
organizations, advising senior management and top managers
preparing for crises, responding to crises and recovering from crises.
His Web Site www.e911.com is a major resource for disaster man-
agers. Questions and comments may be directed to editorial@con-
tingency planning.com.
Success Tips for Storytellers
Analyze and understand why your favorite stories work. Use the
same process to perfect new stories.
Four excellent sources for story models, which help you create
better stories, are:
• Bits and Pieces
• Storytelling Magazine
• Readers’ Digest
• Vital Speeches of the Day
Join the National Storytelling Association, National Speakers
Association or the Canadian Authors Association.
Be alert to good stories you hear.
Create a story/idea folder and keep it in your desk. When you
get an idea or think of a message you’d like to get across, jot
it down on a form like the Story Development Worksheet.
Create a lesson, message, or self-evident truth folder and look
for stories that can serve as archives for your message.
Don't miss James E. Lukaszewski's
keynote address at CPM 2007 WEST,
titled, "Why Should Your Boss Listen
to You? How to Become a Trusted Strategic
Advisor." Mr. Lukaszewski is
most frequently retained by senior
management as a trusted outside
advisor to directly intervene and manage
resolution of serious corporate
problems and threats. He coaches CEOs,
is a prolific author and speaker
and has been quoted in major business
publications. The recipient of
many academic and professional awards,
his name appears in Corporate
Legal Times as one of "28 Experts to
Call When All Hell Breaks Loose,"
and in PR Week as one of 22 "crunch-time
counselors who should be on the
speed dial in a crisis."
21. www.ContingencyPlanning.com | 21
GlobalAssurance
PRODUCTS
FUSEPOINT LAUNCHES NEW
ONLINE PRESENCE WITH DISASTER
RECOVERY RESOURCES
Fusepoint.com launches a new online
presence: a “higher level” of managed IT
services for deploying and hosting e-
business, security, disaster recovery and
business continuity solutions for the mis-
sion-critical applications that power busi-
ness in Canada.
Along with the launch of the new Web
site, Fusepoint has also developed sever-
al online resources, such as The Risk
Assessment Test and Online Virtual
Tour, to guide company decision makers
in understanding their own companies’
business continuity and disaster recovery
planning needs.
— Fusepoint
HP MAKES DATA BACKUP AND
RECOVERY EASY FOR SMBS
HP has introduced a disk-based backup
and recovery system for data protection
and disaster recovery. Designed for the
business continuity and IT needs of
small and medium businesses (SMBs),
the new HP StorageWorks D2D Backup
System automates and centralizes back-
up to provide reliable data protection for
up to four servers in a single, secure,
self-managing device.
The HP D2D Backup System inte-
grates into existing network-based IT
environments and can be configured
and managed in three steps. Daily back-
ups become fully automatic, reducing
the risk of human error and hardware
problems. Restoring lost or corrupted
files also becomes easier because back-
up data is stored online, where it can be
restored in minutes.
— HP
BANK OF AMERICA INTRODUCES
EMERGENCY RELIEF CARD
SOLUTIONS
Bank of America has announced that it
is introducing Emergency Relief™ Cards,
a suite of prepaid card products that will
assist corporations and government enti-
ties to prepare for catastrophic events.
The special-use cards are designed to be
incorporated into contingency plans to
enable continuing business operations
and to provide relief measures during
times of critical need.
The new Emergency Relief product
suite is built upon the knowledge gained
during prior emergency situations that
underscored the vital value of card pro-
grams. In the aftermath of Hurricane
Katrina, Bank of America provided
200,000 prepaid cards to the Salvation
Army for much needed victim relief.
During the 2004 hurricane season, Bank
of America issued more than 300 emer-
gency purchasing cards to the State of
Florida to deploy crews and restore
roadways. These cards were used for
more than 7,000 emergency purchases
totaling $7 million.
These experiences led Bank of
America to develop solutions that can
be set up in advance and incorporated
into recovery plans.
The suite of prepaid Emergency Relief
cards currently includes cards that can
be tailored for different situations. For
example, by employing merchant code
restrictions, programs can be designed
with the ability to prevent card use for
inappropriate purposes. Except for these
merchant code restrictions, the cards
may be used anywhere Visa is accepted.
Cards can also be customized for partic-
ular client requirements, including
whether to allow cash withdrawals and
what dollar amount is to be preloaded
on the cards.
A new version of the card will be
available this summer allowing clients to
pre-order unfunded cards that can be
activated and loaded with funds based
upon a pre-determined contingency
plan. Under this system, which is
believed to be the first of its kind in the
industry, card numbers, intended recipi-
ent names and pre-authorized amounts
will be kept on file with the bank to be
activated if and when needed. This
information will be updated monthly by
the client to ensure accuracy and the
ability to activate the system rapidly.
Additionally, duplicate emergency
instructions can be provided to the
bank. If a client cannot access technolo-
gy systems during a crisis to enable their
plan, Bank of America can initiate it for
them.
— Bank of America
MYPHOTOPIPE.COM WINS
CONTRACT FROM DEPARTMENT OF
HOMELAND SECURITY
myPhotopipe.com Inc., a Web-based
online provider of digital photo process-
ing and related services, has announced
that it has been awarded a contract from
the U.S. Department of Homeland
Security (DHS). The award calls for
myPhotopipe.com to provide photo-
graphic printing and design support serv-
ices to the DHS Office of Public Affairs.
The Office of Public Affairs chronicles
the agency’s responders, documents inci-
dent response teams, travels with
Secretary Michael Chertoff and provides
photographic prints to the agency’s
internal users, as well as to the media
and the general public.
“This is a milestone event in our
Company’s history, and a real credit to
our focus on the professional segment of
the fast-growing digital photo processing
market,” says L. Douglas Keeney, CEO
of myPhotopipe.com Inc. “We are
pleased to make this announcement,
especially given the fact that we were
competing against 12 other companies,
including a number that were much larg-
er than us. DHS has told us that a signif-
icant factor in their decision to select
myPhotopipe.com involved recommen-
dations from our current customers.
They were also pleased with our use of
digital templates, our digital photo tools
22. 22 | CPM-GA April 2007
GlobalAssurance Products
and our Internet resources.”
“The importance of this contract
extends beyond the very significant rev-
enue potential it represents, because it
dramatically illustrates why the digital
camera and the photographic print are
enjoying such a renaissance. No matter
where DHS operates, a digital camera is
available, and our online photo process-
ing tools allow the federal government
to effectively document its response to a
natural disaster or other incident with a
photo montage, or to record a visit from
the Secretary with an autographed pho-
tograph. We are thrilled, and at the same
time honored, to help one of the largest
branches of the United States govern-
ment accomplish its mission.”
— myPhotopipe.com Inc.
ONEBEACON OFFERING NEW
DISASTER-RECOVERY TOOL
OneBeacon Insurance is making a pow-
erful new resource available to help its
smaller business customers survive natu-
ral and man-made disasters.
Open for BusinessSM
, a free Web-based
disaster recovery and risk assessment
tool developed by the Institute for
Business & Home Safety (IBHS) enables
OneBeacon’s smaller commercial cus-
tomers to perform the kinds of disaster
analysis and recovery planning normally
limited to much larger organizations.
IBHS is a nonprofit insurance industry
organization dedicated to reducing the
social and economic effects of natural
disasters and other property losses. It
created the interactive, online version of
Open for Business exclusively for cus-
tomers of member companies, such as
OneBeacon.
OneBeacon customers can identify
risks from hurricanes, high winds, floods,
earthquakes, tornadoes/hail, winter
weather and wildfire with the Open for
Business Property Protection Plan; and
they can use its Recovery Plan to estab-
lish customized procedures for recover-
ing essential business functions.
— OneBeacon Insurance
Call For
Papers Open!
Do you have what it takes to be
part of theCPM 2007 EAST
conference faculty?
We are looking for professionals in business continu-
ity/COOP, emergency management and security to
deliver advanced-level lectures, case studies and inter-
active workshops geared toward experienced plan-
ners. CPM 2007 EAST will take place November
13-15 at the Gaylord Palms Resort in Orlando.
www.ContingencyPlanning.com/events/east
23. CPM delivers a training experience unlike any other.
Learn to defuse any disaster that rears its ugly head.
Sessions include:
• Pandemic Influenza:The State of the Threat
• Establishing Mission-Critical Employee Programs
• Data Security in a Distributed World
• Disaster Simulation Exercise
And many more!
Register Now!
www.ContingencyPlanningExpo.com
