March 2007 • Volume 4 • Issue 3
Are We Fully
Prepared?
Identifying pitfalls of business
continuity planning
National News • International News • Products • Events
Where business continuity, security and emergency management converge.
Also…
Predicting Hurricanes
Taking the Fear
Out of BC Exercises:
A Blueprint for Success
2 | CPM-GA March 2007
IN THIS ISSUE…
FEATURES
Predicting Hurricanes
Times have changed
Taking the Fear Out of BC Exercises
Part II: Design for disaster
Are We Fully Prepared?
Identifying pitfalls of business continuity planning
CPM-Global Assurance is a monthly subscription-based newsletter. It addresses
the strategic integration of business continuity, security, emergency management, risk
management, compliance and auditing to ensure continuity of operations in business and
government — all within the context of good corporate governance. To subscribe to this
unique resource, please fill out and fax back the subscription coupon on the back page.
CPM-Global Assurance (ISSN #1547-8904) is published monthly by The CPM Group, 3141 Fairview Park
Dr., Suite 777, Falls Church, VA 22042.
© Entire contents copyright 2007. No portion of this publication may be reproduced in any form with-
out written permission of the editor. Views expressed by the bylined contributors and sources cited
should not be construed as reflecting the opinions and/or advice of this publication. Publication of
product/service information should not be deemed as a recommendation by the editor. Editorial con-
tributions are accepted from the contingency planning community. Contact the editor for details.
Product/service information should be submitted in accordance with guidelines available from the edi-
tor. Editorial closing date is two months prior to the month of publication.
The CPM Group publishes CPM-Global Assurance and produces the CPM trade shows.
Printed in the USA.
Editor in Chief:
DEVEN KICHLINE
dkichline@contingencyplanning.com
609-397-5518
Group Publisher:
RUSSELL LINDSAY
rlindsay@1105media.com
254-829-3003
Director, Event Planning & Marketing:
KRISTIE O'KEEFE
kokeefe@contingencyplanning.com
609-397-5503
Manager, Event Planning & Marketing:
COURTNEY WITTER
cwitter@contingencyplanning.com
609-397-5507
DEPARTMENTS
National News
International News
Events Calendar
Products
CPM-GlobalAssurance Contacts
The CPM Group
3141 Fairview Park Dr., Suite 777
Falls Church, VA 22042
www.contingencyplanning.com
Fax: 609-397-5520
Exhibit Sales/List Rentals:
BRAD LEWIS
blewis@contingencyplanning.com
609-397-5506
www.ContingencyPlanning.com | 3
Predicting
Hurricanes
Times have changed
Viewed from above, hurricanes appear as majestic storms
comprised of towering thunderstorms spiraling around
an often calm and clear center called an eye. But below the
clouds are destructive winds, towering waves and torrential
rainfall. Over water, hurricanes torment ships and can dis-
rupt commerce. Over land, hurricanes cause considerable
property damage, unleash flash flooding and spawn killer
tornadoes.
And such a storm can strike with little or no warning. A
day begins innocently enough; then, suddenly, it becomes
overcast and breezes steadily increase. Howling winds drive
sheets of torrential rain while toppling trees, snapping
power lines and destroying homes. Even with advance noti-
fication, these are potentially deadly conditions. But, in the
not-so-distant past, the absence of an Earth- and space-
based detection network allowed hurricanes to make sur-
prise entrances.
Knowing where and when a hurricane will strike and how
strong it will be are the fundamental issues that challenge
meteorologists, as their decisions impact life-saving pre-
paredness plans. Advances in the last half-century have
brought tremendous improvements in hurricane forecasting
and, despite a growing coastal population, have yielded a
dramatic decline in hurricane-related fatalities. Today, the
National Oceanic & Atmospheric Administration (NOAA) uses
an arsenal of forecasters, instruments, and computer-based
tools to produce the best possible storm projections that
extend days into the future.
NOAA’s investment in ocean and atmospheric research, cou-
pled with technological advancements, has led to a remarkable
transformation in hurricane monitoring and forecasting.
Emerging from these combined factors has come intricate com-
puter modeling, a vast network of ground- and ocean-based
sensors, satellites and Hurricane Hunter aircraft. Accurate pre-
dictions of storm track and intensity are key to helping NOAA
protect life and property.
LIMITED WARNING
Hurricane forecasts were once solely dependent upon relative-
ly sparse observations of sky and water conditions, along with
occasional ship reports of turbulent weather in the ocean.
Attaining the limited data that was available was time-consum-
ing and resulted in hand-drawn maps that displayed only a par-
tial picture of what was actually occurring. Lacking a com-
plete analysis of current weather patterns, in conjunction
with insufficient knowledge of tropical meteorology, fore-
casts for tropical storms and hurricanes were deficient.
These limited forecasts left little time for preparation before
a hurricane struck.
Without advanced preparation, hurricanes are lethal. On
NOAA’s list of the deadliest hurricanes to strike the United
States, the overwhelming majority of storms occurred before
hurricane prediction reached levels necessary to adequately
serve the public.
Among noteworthy lethal hurricanes to strike the United
States are:
• The Galveston (Texas) Hurricane of 1900, which resulted
in a death toll of up to 12,000.
• The Lake Okeechobee (Florida) Hurricane of 1928, which
was responsible for at least 2,500 fatalities.
• The Hurricane of 1938, which struck Long Island, New
York and New England with a mere four hours advance
warning and left approximately 600 individuals dead.
This map shows U.S. hurricane strikes between 1950 and 2005. Photos courtesy of NOAA
Armed with a greater understanding of a hurricane’s life cycle,
along with a more robust automated observation network,
today’s meteorologists can produce hurricane forecasts with
greater precision. With NOAA’s National Hurricane Center,
NOAA’s Central Pacific Hurricane Center and local National
Weather Service forecast offices across the country, NOAA is
constantly monitoring the tropics, from Guam in the western
Pacific Ocean to the west coast of northern Africa, looking for
storms.
Routine hurricane track forecasts for the Atlantic Basin
(the Atlantic Ocean, Gulf of Mexico and Caribbean Sea)
began in 1954 and could only provide information one day
into the future. Forecasts were expanded to provide two
days advance notice in 1961 and three days in 1964. Three
days remained the standard for advance hurricane forecasts
through 2002.
In 2003, boosted by the reliability of computer models,
NOAA began issuing forecasts out to five days in advance. In
addition to helping the public and local officials prepare for
impending hurricane landfalls, this recent forecast extension
helps the U.S. Navy ensure ships are safely removed from a
storm’s path.
TACKLING KATRINA
The forecasted track of Hurricane Katrina is one example of
NOAA’s modern-day forecast accuracy. As Katrina entered
South Florida as a newly upgraded hurricane, National
Hurricane Center forecasters knew the storm’s future path
would take it over the energizing warm waters of the Gulf of
Mexico before threatening the northern Gulf Coast. For a con-
sistent 56 hours before landfall, the National Hurricane Center
predicted the center of Katrina would specifically strike south-
east Louisiana as a “major” hurricane.
While hurricanes remain one of nature’s most violent and
destructive storms, and modern research strives to further
improve the forecast of hurricane track and intensity, long gone
are the days of surprise storms that go undetected until it is too
late to prepare.
Achievements in hurricane forecasting are rooted in the
growing number and integrity of data collection tools. From
buoys in the ocean to land-based radars to Hurricane Hunter
aircraft and satellites, these instrument networks are perpetually
taking the pulse of the planet and feeding forecasters critical
data.
Damage from the Galveston Hurricane of 1900 was caused by the hurricane and resulting storm surge. This was the greatest natural disaster in terms of loss of life in U.S. history.
AIRCRAFT
Gathering data from within, above and around hurricanes are
aircraft operated by NOAA and the U.S. Air Force (USAF).
Since the first intentional flight into a hurricane approaching
Galveston, Texas, in late July 1943, NOAA and the USAF now
routinely fly into storms that are a potential threat to the
United States. Onboard radar and dropwindsondes, which are
ejected from the plane’s belly to measure a cross-section of a
hurricane’s pressure, temperature, humidity and wind, provide
NOAA meteorologists with data of unmatched density.
SATELLITES
Satellites have greatly improved hurricane forecasting with
their ability to provide informative snapshots of Earth. April 1,
1960, marked the first launch of a weather satellite. Since then,
satellites have become increasingly mature in their ability to
analyze cloud structures as well as read the temperature of
ocean surfaces.
NOAA’s National Environmental Satellite, Data and
Information Service supports two types of satellites: geostation-
ary operational environmental satellites (GOES) for national,
regional and short-range forecasting and polar-orbiting opera-
tional environmental satellites (POES) for global, long-term
forecasting and environmental monitoring. Together, GOES
and POES complete a global weather satellite monitoring sys-
tem, tracking atmospheric variables, such as temperature, and
providing atmospheric data and cloud images needed to track
and understand hurricanes.
WEATHER RADAR
Weather radar, first introduced in the late 1950s, underwent a
rebirth during the modernization of NOAA’s National Weather
Service in the late 1980s and early 1990s. Today, a total of 155
WSR-88 Doppler radars constantly scan the skies over the
United States and its territories. Doppler radar reads precipitation
intensity and movement and a variety of wind data across
a wide column of the atmosphere, providing forecasters with a
valuable cross-section analysis of a storm.
Southeast Louisiana remained in Katrina’s projected landfall from the National Hurricane Center for a full 56 hours prior to the storm coming ashore near Buras, Louisiana, at 6:10 a.m. CT on August 29, 2005.
BUOYS AND FLOATS
Buoys and floats peppered throughout the oceans transmit a
variety of valuable data at and below the ocean surface, includ-
ing air and water temperature, wave height and wind direction
and speed. Operated by NOAA’s National Data Buoy Center,
the existing network of buoys is being enhanced with the addi-
tion of eight more hurricane buoys in the western Atlantic
Ocean, which will allow NOAA to attain more data in an area
where hurricanes frequently occur.
COMPUTER FORECAST MODELS
All of the observation elements mentioned above, as well as
other sensors, provide essential data points that feed NOAA’s
computer forecast models, which calculate likely future weath-
er behavior. A more complete, current picture of a hurricane
and its environment (the ocean and atmosphere) provided by
land-, air-, ocean- and space-based sensors permits more accu-
rate model projection. The mathematical representation for
such computer forecast models is becoming more detailed and
can better model a hurricane’s interactions with its surround-
ings, ultimately producing better forecasts.
For example, recent computer model upgrades have featured
a better reflection of the “loop current” in the Gulf of Mexico.
This narrow ribbon of very warm water can provide hurricanes
with added fuel that allows them to strengthen rapidly. The
model’s ability to project such intensification is invaluable, as it
is instrumental in determining the extent of hurricane evacuations.
Not only has NOAA become proficient in forecasting indi-
vidual storms, but also the evolving understanding of global
ocean and atmospheric patterns has allowed NOAA to pro-
duce seasonal outlooks extending through the entire six-month
hurricane season (June to November). These outlooks project the
number of tropical storms, hurricanes and
major hurricanes (Category 3 and higher)
likely to form in each basin that NOAA is
responsible for (including the Atlantic
Basin and the Eastern and Central Pacific
Basins).
Satellite images, such as this image of Hurricane Rita approaching the Gulf Coast, provide valuable information needed to monitor tropical storms.
Delving through the past shows how far
our ability to predict hurricanes has come.
With further improvements on the horizon
led by an increasingly dense network of
observations and sophisticated computer
models, NOAA seeks to produce forecasts
with even greater specificity. Working with
the media, partner organizations and emer-
gency officials and through enhanced out-
reach, NOAA aims to educate the public
on taking proactive measures to lessen the
impacts of hurricanes.
Whether NOAA is forecasting an above-
average hurricane season, similar to the
record-setting 2005 season with 28 storms
and 15 hurricanes, or a below-average sea-
son for a given year, their fundamental
advice remains the same: be prepared. It
only takes one storm for it to be a bad sea-
son. After all, it may not be a matter of if a
hurricane will strike; but rather a matter of
when.
— NOAA
Hurricane buoys before being deployed from Gulfport, Mississippi.
NATIONAL NEWS
TAX ATTACKS
As the April 17 tax filing deadline approach-
es, cyber fraudsters are planning their attack
on online tax filers to steal confidential infor-
mation. Websense Inc., San Diego, Calif., a
provider of Web security and Web filtering
productivity software, has announced that
Websense® Security Labs™ has seen a rise
in phishing attacks via fraudulent e-mails and
Web sites that spoof the Internal Revenue
Service (IRS). Since December 2005,
Websense Security Labs has been working
together with the IRS and other organiza-
tions to investigate the rise of tax scams and
better protect consumers and employee
computing environments from increasingly
sophisticated and dangerous Internet securi-
ty threats.
Websense Security Labs has discovered
tax attacks targeting the United States that are
hosted on compromised Web servers in several
countries. For example, one of the largest IRS
phishing campaigns claims that the taxpayer
is eligible for a refund and needs to log on to
a Web site to verify their information. Users
receive one of a variety of e-mail messages
with a link to a fraudulent Web site. Upon
accessing the spoofed tax Web site, the user
is then forwarded to a fraudulent site that
requests credit card information and other
personal identifiers. The intent of these
attacks is to dupe users into revealing confi-
dential information, which can be used for
withdrawing funds.
Phishing can present a serious security risk
for consumers and organizations. Phishers
are becoming more sophisticated in their
deception techniques to lure employees to
spoofed Web sites, as most employees can-
not determine which is a genuine site and
which is a fake; however, employees don’t
have to “fall for the phish” and actually enter
confidential information on a phishing Web
site to be compromised. For example, recent
trends indicate that by just visiting a Web site,
many types of phishing URLs can install spy-
ware, such as a malicious keylogger, which
has the ability to capture data including net-
work passwords or social security numbers
without their knowledge. It only takes one
employee to click on a phishing site and acci-
dentally give out confidential corporate data,
customer records, network passwords or
trade secrets to jeopardize an entire organi-
zation’s intellectual property.
“Cyber thieves sit back and wait for cur-
rent events, such as tax season, which pro-
vide an opportunity to manipulate for mon-
etary rewards,” says Dan Hubbard, senior
director, security and technology research,
Websense Inc. “With tens of millions of
online users filing their taxes on the Internet,
many Web filers readily disclose personal
identifiers such as network passwords, social
security numbers, bank account numbers or
their mother’s maiden name. The combina-
tion of having a large pool of potential users
to target and the timeliness of the current
event could lead to high numbers of both
consumer and corporate victims.”
According to the IRS, 68.5 million tax
returns were e-filed in 2005, and that num-
ber is predicted to increase at a record pace
this year. The IRS also expects fraud
attempts to rise and has published its own
warnings in an attempt to educate the public
on these scams. According to the IRS Web
site, fraudulent e-mails appearing to come
from [address removed], [address removed] or other
similar irs.gov-themed addresses offer a tax
refund and direct recipients to a link
contained in the e-mail. The link directs users
to a clone of the IRS Web site that is modi-
fied to ask for personal and financial
information not required by the real IRS
page. Furthermore, through its own
research, Websense Security Labs found that
many of the sites have similar characteristics
in their URL paths and include /IRS/claim-
refund/caseid or /.www.irs.gov in the path.
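The URL characteristics described above can be checked against Web proxy logs. The following is an added example, not part of the original article or any Websense product: it flags URLs that carry the two reported path markers on a host that is not irs.gov, and goes slightly beyond the article by also flagging irs.gov placed in the userinfo or used as a label of another domain. The log format and all sample lines are constructed, and because the article's line wrap leaves "claim-refund" ambiguous, both spellings are matched.

```python
import re
from urllib.parse import urlsplit, unquote

# Path markers reported in the article. The article's line wrap leaves it unclear
# whether the first reads "claim-refund" or "claimrefund", so both are matched.
PATH_MARKERS = {
    "/IRS/claim-refund/caseid path": re.compile(r"/irs/claim-?refund/caseid", re.I),
    "/.www.irs.gov path": re.compile(r"/\.www\.irs\.gov", re.I),
}

# Constructed sample proxy log: "<timestamp> <user> <url>" (assumed format).
SAMPLE_LOG = """\
2007-03-02T09:14:07 alice http://www.irs.gov/individuals/index.html
2007-03-02T09:15:41 bob http://compromised-host.example/IRS/claim-refund/caseid/login.htm
2007-03-02T09:16:02 carol http://203.0.113.7/~user/.www.irs.gov/refund.html
2007-03-02T09:17:30 dave http://www.irs.gov@198.51.100.9/verify
2007-03-02T09:18:55 erin http://shop.example/%2Ewww%2Eirs%2Egov/form
2007-03-02T09:19:10 frank http://news.example/articles/irs-refund-scams.html
"""


def is_genuine_irs_host(host):
    """True only for irs.gov itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")


def decode_path(path, rounds=3):
    """Undo percent-encoding (a few rounds, to catch double encoding)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def check_url(url):
    """Return the reasons a URL looks like an IRS spoof; empty list if none."""
    if "://" not in url:
        url = "http://" + url  # bare "host/path" entries in logs
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        userinfo = (parts.username or "").lower()
    except ValueError:
        return ["unparseable URL"]
    if is_genuine_irs_host(host):
        return []
    reasons = []
    path = decode_path(parts.path)
    for label, pattern in PATH_MARKERS.items():
        if pattern.search(path):
            reasons.append(label)
    # Added checks beyond the article's two markers (assumptions of this example).
    if "irs.gov" in userinfo:
        reasons.append("irs.gov in userinfo before '@'")
    if re.search(r"(^|\.)irs\.gov\.", host + "."):
        reasons.append("irs.gov used as a label of another domain")
    return reasons


def scan_log(lines):
    """Return (user, url, reasons) for every log line whose URL is flagged."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        _, user, url = fields[:3]
        reasons = check_url(url)
        if reasons:
            hits.append((user, url, reasons))
    return hits


if __name__ == "__main__":
    for user, url, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{user}: {url} -> {'; '.join(reasons)}")
```
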
Web filers can avoid tax attacks and other
Internet security threats by taking a few simple
measures. For example, the IRS recommends
not clicking on any links in suspicious
e-mails; instead, go directly to the IRS Web
site: www.irs.gov.
In addition, companies seeking to protect
their employees from phishing scams can
employ Web filtering and Web security soft-
ware to prevent users from accessing sites
associated with fraudulent online activities
such as phishing.
— Websense Inc.
DHS ISSUES PROPOSAL FOR STATES
TO ENHANCE DRIVER’S LICENSES
The Department of Homeland Security
(DHS) has announced its proposal to estab-
lish minimum standards for state-issued dri-
ver’s licenses and identification cards in com-
pliance with the REAL ID Act of 2005. The
REAL ID requirements are a result of rec-
ommendations made by the 9/11
Commission, which Congress passed into
law, and will enhance the security and
integrity of driver’s licenses.
“Raising the security standards on driver’s
licenses establishes another layer of protec-
tion to prevent terrorists from obtaining and
using fake documents to plan or carry out an
attack. These standards correct glaring vul-
nerabilities exploited by some of the 9/11
hijackers who used fraudulently obtained
driver’s licenses to board the airplanes in their
attack against America,” says Homeland
Security Secretary Michael Chertoff. “We will
work closely with states to implement these
standards and protect Americans’ privacy
against identity theft and the use of fraudu-
lent documents. We are also pleased to have
been able to work with Senator Susan
Collins, R-Maine, and I believe that the pro-
posed regulations reflect her approach.”
The department’s proposed regulations set
standards for states to meet the requirements
of the REAL ID Act, including: security fea-
tures that must be incorporated into each
card; verification of information provided by
applicants to establish their identity and law-
ful status in the United States; and physical
security standards for locations where licens-
es and identification cards are issued.
As proposed, a REAL ID driver’s license
will be required in order to access a federal
facility, board federally-regulated commercial
aircraft and enter nuclear power plants.
Because states may have difficulty complying
before the May 11, 2008, deadline, DHS will
grant an extension of the compliance dead-
line until Dec. 31, 2009. States that have
received extensions will, over the course of
the waiver period, submit proposed timeta-
bles for compliance.
DHS has also announced that up to 20
percent of a state’s Homeland Security Grant
Program funds can be used to help imple-
ment REAL ID. This additional flexibility will
be made available during the current 2007
grant cycle.
In May 2005, President Bush signed the
“Emergency Supplemental Appropriations
Act for Defense, the Global War on Terror
and Tsunami Relief Act” into law. Among the
provisions contained in the law was the
REAL ID Act.
The proposed regulations have been sub-
mitted to the Federal Register for a 60-day
public comment period.
— DHS
STATE, LOCAL TRIBAL OFFICIALS TO
GET NEW COORDINATED
INTELLIGENCE SERVICES
A new federal intelligence coordinating
group has been established to provide state,
local and tribal government officials and
emergency management operations with
information related to terrorism threats, dis-
asters and other related topics, which will be
specifically targeted based on individual
needs, reports Federal Computer Week.
According to Lora Becker, the incoming
director of the interagency federal state and
local threat reporting and assessments coordination
group, there is a need “for a unified
voice” in federal communications, and
the new analysis “is tailored to the needs of
[state, local and tribal intelligence users] and
advocating for those same customers.”
The intelligence provided will not “gener-
ate alerts, warnings or updates on homeland
security threats. Its analysts will provide
strategic assessments of threats and dissemi-
nate them through established routes, such
as the FBI’s Joint Terrorism Task Forces and
the dozens of technology-rich state informa-
tion fusion centers.”
Additionally, there will be a cross-pollina-
tion of federal intelligence agents working
with state and local officials at the state
fusion centers to provide a more balanced
intelligence dissemination and analysis
process. According to Michael Mines, the FBI
deputy assistant director for the intelligence
directorate, “the FBI sees these centers as a
natural bridge to the joint terrorist taskforces.
We have over 100 analysts assigned to the
42 fusion centers.”
— National Council on
Readiness and Preparedness
CONFLICTING SIGNALS CAN
CONFUSE RESCUE ROBOTS
Sensor-laden robots capable of vital search
and rescue missions at disaster sites are no
figment of a science fiction writer’s imagina-
tion. Prototypes and commercial models of
urban search and rescue (US&R) robots will
soon begin to work rubble piles across the
country. Too many of these lifesaving robots,
however, could be too much of a good
thing, according to researchers at the
National Institute of Standards and
Technology (NIST), who report that the
radio transmissions of multiple robots can
interfere with each other and degrade search
and rescue performance.
A NIST analysis of wireless radio field tri-
als for US&R robots found that 10 out of the
14 robots tested experienced communica-
tion problems due to radio interference from
other systems. Engineers carried out tests on
the robots last August at a US&R robot stan-
dards development gathering in
Gaithersburg, Md., sponsored by the
Department of Homeland Security. The
researchers found that neither use of “indus-
trial, scientific and medical” (ISM) frequency
bands nor adherence to protocols designed
to minimize interference between systems in
the bands could guarantee flawless commu-
nication between a robot and its human
operator. Radio interference could happen
whenever the ISM frequency bands became
crowded or when one user had a much
higher output power than the others. An
example of the latter problem occurred dur-
ing the tests when transmitters in the 1760
MHz band knocked out video links in the
2.4 GHz frequency band. In another case, a
robot using an 802.11b signal in the 2.4 GHz
band overwhelmed and cut off a robot that
had been transmitting an analog video link at
2.414 GHz.
The NIST paper lists a number of ways to
improve urban search and rescue wireless
communications. Options, some of which
are currently being investigated by robot
manufacturers, include changes in frequency
coordination, transmission protocols, power
output, access priority and using relay trans-
formers to increase the range of wireless
transmissions (a technique known as multi-
hop communications). The paper also sug-
gests establishing new access schemes or soft-
ware-defined radios that allow interoperable
communications.
The work is funded by DHS’s Science
and Technology Directorate through NIST’s
Office of Law Enforcement Standards.
— NIST
SURVEY SHOWS AMERICANS FEEL
GOVERNMENT UNPREPARED FOR
AVIAN FLU PANDEMIC
Recently, the International Association of
Medicinal Compliance (IAMC) was in atten-
dance at the Business Planning for Pandemic
Summit, a national summit with a participa-
tion of more than 250 attendees represent-
ing 195 organizations and 40 states. Hosted
by the Center for Infectious Disease
Research and Planning (CIDRAP) at the
University of Minnesota, the summit provid-
ed an opportunity for companies from
industries in all sectors to come together and
discuss the threat of an avian flu pandemic.
Attendees heard presentations that
addressed legal, healthcare, infrastructure,
human resource, transportation and govern-
ment support issues that affect companies in
all industries. Across the two-day meeting,
participants were given the chance to discuss
specific industry needs and begin plans for
continuity during an influenza pandemic.
Alarmingly, 53 percent of participants feel
the government is not well-prepared. As
such, 76 percent say that social unrest and
disruption will occur if a pandemic does
occur.
In the event of a pandemic, it will be
imperative to public health and order to
develop effective and timely influenza plans.
As the nation learned in the cases of 9/11
and Hurricane Katrina, the government, on
both state and federal levels, needs to be
prepared for a worst-case scenario situation,
or else it will inevitably be unprepared. The
summit was designed to enable business
leaders, government officials, business-relat-
ed organization officials and media to identi-
fy their roles and responsibilities in defining
and executing a preparedness plan. In doing
so, these leaders focused on critical risk
assessment and mitigation, public policy,
legal, supply chain and human resource plan-
ning for business continuity during a pan-
demic. Featured speakers included Michael
Leavitt, the U.S. Secretary of Health and
Human Services, Michael Osterholm, the
Director of CIDRAP, Ted Koppel, former
anchor and managing editor of Nightline
and ABC News, and Tommy Thompson, the
former U.S. Secretary of Health and Human
Services.
Surprisingly, most of these participants,
who are heavily associated with government
functions, seemed disheartened by and
weary of the government’s avian flu pre-
paredness. According to Arne Carlson, the
former governor of Minnesota, “We have not
seen an acceptable government response.
We only have the ability to handle tragedies
with good leadership. The leadership needs
to get out in front and say, ‘Here’s what
affects us. Here’s how much it costs.’”
Similarly, Osterholm says, “SARS hap-
pened in the speed of hours/days and that
was a smaller scale than this. This could hap-
pen overnight.”
Seventy-three percent of participants felt
that government intervention would have a
major impact on their business. Accordingly,
67 percent felt that developing relationships
with state and local officials at this time
would be essential to offsetting the detriment
that a pandemic could cause; however, only
15 percent of respondents and their organi-
zations had actually contacted the govern-
ment on the issue surrounding a national
pandemic. This signals that not only the gov-
ernment, but also organizations and citizens
need to actively engage in defining and exe-
cuting a pandemic preparedness plan.
As Carlson says, “It’d be wonderful if
everyone could go home after this confer-
ence and write a letter to both the President
and then the governor of their state, asking
them for these answers.”
The IAMC (www.takeyourmedicine.org)
is currently partnering with FLAVORx Inc.
to provide actionable and feasible solu-
tions to encourage and ensure that
Americans take their medicine properly.
By offering a scientifically tested and specif-
ically developed medicinal flavoring to com-
bat the bitter taste of antiviral drugs such as
Tamiflu®, children and adults alike will be
able to swallow liquid medications without
struggle. Studies show that children are high-
ly susceptible to infection, with about 45
percent of school-age children catching
influenza during an epidemic. Children,
then, play a significant role in viral transmission
and spread of infection. For an
extremely minimal cost, government offi-
cials will be able to stockpile flavorings to
guarantee near 100 percent medicinal com-
pliance, thereby preventing the emergence
of resistant flu strains, persistent symptoms,
harmful side effects, and even mortality as a
result of taking medication improperly.
— IAMC
SURVEY REVEALS MORE THAN HALF
OF SECURITY PROFESSIONALS
MANUALLY UPDATE SECURITY
SETTINGS
IT security professionals are spending unnec-
essarily large amounts of time to manually
update security setting configurations, accord-
ing to a recent survey conducted by San
Diego, Calif.-based St. Bernard Software, a
provider of security solutions. The result is
increased vulnerability to known avoidable
exploits.
In a recent survey of 233 IT security pro-
fessionals, 52 percent of respondents said
they still manually update security settings.
The poll also found that 25 percent of
respondents don’t have a way to manage
security settings, leaving companies vulnera-
ble to serious network threats and liabilities.
Other findings from the survey revealed that
48 percent of companies do not have a poli-
cy in place for managing security settings.
According to the System Administration,
Network and Security Institute (SANS),
because of the many complex settings
required to administer Windows, it is highly
susceptible to security breaches. Yet the task
of successfully performing settings manage-
ment typically requires hours of tedious,
proactive research, through hundreds of
pages of documentation issued by Microsoft,
NIST, NSA and other security experts.
With this in mind and the results from its
recent survey, St. Bernard Software reminds
organizations that unless security settings are
updated regularly and configured properly,
they are leaving their networks and machines
in jeopardy.
“Knowing that 25 percent of IT security
experts have not specifically addressed secu-
rity settings management is a great concern.
Hackers and virus writers are becoming more
sophisticated by the day, and companies
must stay on top of security settings, or they
are leaving their network wide open for
attack,” says Steve Yin, vice president of sales
and marketing at St. Bernard Software.
“Although half of the respondents are, in fact,
performing this critical function, they're doing
so manually, which may not be the most effi-
cient or effective process.”
— St. Bernard Software
SHOW ME THE STORAGE ROI: COST
AND MANAGEMENT ISSUES
CONTINUE TO CONCERN CIOS
Hitachi Data Systems Corporation has
unveiled the results of a survey conducted
amongst CIOs from the Asia Pacific region.
IT costs are escalating due to increasing
demands for data and information. CIOs are
under greater pressure to justify IT invest-
ments based on business value rather than
cost avoidance. The survey, which polled
100 respondents from China, Hong Kong,
Korea, Taiwan, Singapore, Malaysia,
Thailand, India, Korea and Indonesia, reveals
that 64 percent of respondents said that the
best thing vendors could do to support them
was to build ROI assessments for their stor-
age investments.
“Applications and the storage environ-
ments that companies depend upon have
become critical drivers of business processes
and decisions that impact organizational
growth and profitability,” says Michael
Cremen, senior vice president and general
manager, APAC, Hitachi Data Systems. “At
the same time, CIOs are challenged with the
task of justifying their IT investments.”
Cost and management issues continue to
be a concern amongst IT leaders within
organizations in the region. Going into
2007, 45 percent of respondents indicated
reducing storage management costs as a key
challenge they would like to address, while
38 percent of respondents believe that
ensuring their IT infrastructure will meet
business needs will continue to be an impor-
tant focus for the coming year.
The following are some of the business
issues which will be of focus, and CIOs will
be trying to balance these requirements
while managing costs:
Business continuity: Every CIO fears
the potential loss of company data, and, as a
result, revenue in the event of an emer-
gency. Ensuring all files are backed up and
kept safe in a separate location is of para-
mount importance, and this will be borne
out in 2007 as more and more organiza-
tions put business continuity plans into
place.
Security: Regardless of industry, a com-
pany’s employee base will continue to use a
multitude of applications. It is the CIO’s
responsibility to ensure the data supporting
these applications is secure but still easily
accessible when needed. With increasingly
strict rules governing data security and
penalties for improper management, achiev-
ing the balance between security and usabil-
ity is going to have a place near the top of
the priority list.
Increase in regulation: The number of
regulations companies must comply with is
multiplying, creating exponential growth in
the amount of data that needs to be stored.
This is an opportunity for companies to
mine and manage their most important
assets.
As companies continue to leverage tech-
nology to meet business needs, gearing up
the company IT environment will continue
to be of importance. According to the sur-
vey, 38 percent of respondents believe that
the convergence of technologies will have
the biggest influence over storage growth in
the next three years. In addition, 39 percent
of the respondents believe that in the next
three years, the biggest concern of CIOs will
be to manage increasingly complex IT envi-
ronments with minimal resources. This is
especially true with the increased use of various
technologies from different vendors, as
well as shrinking IT resources.
Within this context, 42 percent of respon-
dents believe that an important factor influ-
encing business success is the interoperabili-
ty of technologies from different vendors,
while 23 percent think that adopting a cen-
tralized approach to management as well as
a future-proof IT infrastructure are equally
important factors.
This is especially crucial as the trend for
mergers and acquisitions among companies
across a range of industries is likely to con-
tinue in 2007. This adds complexity as CIOs
integrate the different IT infrastructures.
Using a vendor which offers common man-
agement across heterogeneous storage
devices will help in this instance. It will also
alleviate the problem of different IT skills in
the IT department which can be an inhibitor
to an efficient and easy integration.
— Hitachi Data Systems Corporation
PREPARING FOR THE PANDEMIC: CME
RELEASES BUSINESS PLANNING
GUIDE
Canadian Manufacturers & Exporters
(CME) has unveiled a planning guide for
Canadian business that will help mitigate the
estimated $60 billion economic impact from
a pandemic outbreak.
“Canada’s business community is at risk,”
says CME President and CEO Perrin Beatty.
“It’s not a matter of if, but a question of
when the next pandemic will strike. Many
Canadian companies are not prepared and
this lack of readiness may threaten their eco-
nomic viability and the delivery of critical
goods that depend on complex supply chain
systems.”
The World Bank estimates that the cost to
the global economy of a flu pandemic
would be upwards of $800 billion.
According to the U.S. Congressional Budget
Office, the impact of a pandemic would cost
up to 5 percent of the gross domestic prod-
uct.
Assuming Canada would be similarly
affected and considering the reliance on
trade, Canada’s economy could suffer by as
much as $60 billion due to a pandemic out-
break – even more if the Canada-U.S. bor-
der were to experience serious difficulties.
“As a nation, we can’t afford to be unpre-
pared,” says Beatty. “CME’s guide equips all
Canadian business with tools and informa-
tion to minimize the risk that influenza pan-
demic poses to the health and safety of
employees, the continuity of business oper-
ations and the bottom line.”
The 87-page guide highlights key consid-
erations when coping with a pandemic,
including the critical elements of a continu-
ity plan plus a summary checklist; a how-to
guide to develop a continuity plan; medical
precautions; and human resource considera-
tions.
“A business continuity plan should be an
essential element of any business strategy or
operating procedures, as we have learned
from SARS, 9/11 and even the ice storm,”
says Beatty. “I cannot think of any reason
not to be prepared, but 60 billion reasons
why we should.”
CME’s Continuity Planning Guide for
Canadian Business can be downloaded, free
of charge at www.manufacturingour-
future.ca.
— CME
CAN YOU TRUST YOUR EMPLOYEES
WHEN IT COMES TO SECURING
YOUR BUSINESS?
Research compiled on behalf of Trend
Micro, an IT security company, has found
that UK computer users are more reckless
in their computer behavior at work than
users in other countries. This is a particular
worry for smaller businesses, as
they’re often the ones that don’t have the
constant presence of an IT department.
This international study has shown that
UK users are more careless in their behav-
ior when using an employer’s machine.
More than half of the respondents (53
percent) rely on IT departments to rescue
them should something bad happen.
When asked why they were more risky
and carefree with their online behavior at
work than at home, 45 percent stated that
they are not as worried because it’s not
their computer equipment.
Pat Dunne of Trend Micro says, “Despite
all the warnings, people still make avoid-
able mistakes and needlessly expose their
PCs to computer ‘nasties’ that ultimately
cause critical computers to fail. The solu-
tion is rethinking how companies warn
employees about IT threats and adopting
more automated defense systems that
entirely bypass employees who may be
the weak link.”
Illustrating how careless people can be,
Trend Micro has compiled their top five of
the most avoidable support calls:
1. Naked Anna: Hundreds of callers were
re-infecting themselves over and over
again with a virus trying to view the pic-
ture of tennis star Anna Kournikova
they’d received on an e-mail. They just
kept on opening the e-mail to try and
get a glimpse of a saucy picture of Anna.
They just wouldn’t accept that it was all
a hoax.
2. IT for beginners: A customer called saying
that the floppy drive was not working.
He was asked for the exact problem:
“Is it that it does not read them? Does
the drive accept them at all?” After several
questions, the caller replied that the
problem was that the floppy disc just
would not fit in the drive. Asked again
to check whether there was another disc
inside, he just replied that
it wouldn’t fit in. The place where he had
to put the floppy was then described to
him. And his amazing reply? “The
strange thing is that the floppy is square
but the tray has a round shape.”
3. E-mail a worldwide form of communication?
A man who owned his own
business had called to request an engineer
to come out. When asked why he
needed the help of an engineer, he stated
that he was trying to send an international
e-mail. It was explained to him
that he could send e-mails to an international
e-mail address just as easily as he
could to people in the UK. But he just
wouldn’t believe it and insisted that the
engineer be there to help him within
the hour.
4. What’s a computer? A woman who
couldn’t access anything on her PC was
asked to restart it. She said it went
black. When asked to turn it back on
again, she said it had come back exactly
how she left it. After a few minutes of
scratching heads it was determined that
she was just turning the screen on and
off. She didn’t know that there was
another part to her computer sitting on
the ground under her desk.
5. Flirty fools: When the infamous
“ILOVEYOU” e-mail virus hit, the flattery
approach made people do the strangest
things. Even the most tech-savvy people
were opening this virus again and again
thinking that someone had sent a flirty
message to them.
— Trend Micro Inc.
Taking the Fear Out of BC Exercises: A Blueprint for Success
Part II: Design for results
By Telva Chase
If the key to a successful exercise starts with organization, then
the design must strive for expected results. The Exercise
Requirements Matrix, built and described in Part I of this series
(February CPM-Global Assurance) outlined what types of exercis-
es to perform, a suggested schedule for completing the exercises
throughout the year, each of the design teams that need to be
involved in designing an effective exercise and how to use a doc-
ument template to store all the pertinent exercise information.
This article, Design for Results, will explain how to: (1) work
with a design team; (2) plan to meet exercise goals and objec-
tives; and (3) create a realistic scenario.
STEP 1: UNDERSTAND THE EXERCISE TEAM
The exercise team is made up of several sub-teams and individ-
uals to ensure the exercise’s success. Each exercise you conduct
may have all or some of the following roles and responsibilities:
Exercise Facilitator: Someone from the business continuity pro-
gram office should facilitate the exercise and should meet with the
design team to formulate the details of the exercise, as well as invite
and interact with all participants prior to the exercise, if necessary.
The facilitator is responsible for the pre-exercise briefing where
the rules of engagement are outlined and all participants are given
an opportunity to ask questions and feel comfortable with the
proceedings. The facilitator will observe the exercise and will not
stop the exercise unless there is a major issue with how the exer-
cise is going. The facilitator runs the show, answers questions, pro-
gresses “time” and keeps things moving.
Exercise Assistant: The exercise assistant is critical to a smooth
exercise. The best person for this position is usually an administra-
tive assistant residing in the facility where you are conducting the
exercise. They are responsible for reserving the room(s), ensuring
appropriate audio-visuals are available, making copies of exercise
documentation and ordering lunch, snacks and drinks. The assis-
tant is also responsible for running messages between the simula-
tion team and the recovery team rooms. Use your assistant in any
way that makes sense: scribing during the debriefing, passing out
cue cards or messages, etc.
Recovery Team: The recovery team consists of the local inci-
dent response team or emergency response team members who
have responsibility for critical corporate areas (human resources,
editorial, product management, IT, sales and marketing, legal,
etc.) and have been trained in incident management, occupant
emergency preparedness and have a business continuity or dis-
aster recovery plan. The recovery team can be as large (groups
of 40 or more are difficult) or as small as necessary (five to six
employees). Even for a drill, you may want to exercise the entire
building, or just a division or department. Always invite execu-
tive and senior management teams to participate. After an exer-
cise, they often become the greatest supporters of the business
continuity program. During the exercise they may or may not
take an active role in the response/recovery, but it really
depends on the corporate culture and natural leaders who are
present. The design team can always “write someone out” of the
exercise, but it’s nice to have them observe, even if they aren’t
participating. You have to determine where to draw the line for
participation. In some companies, it is at the director level (direc-
tors and above participate and only in abnormal circumstances
do they have someone below the director-level participating).
Design Team: The design team is comprised of one staff mem-
ber from each of the critical corporate areas (with a maximum
of five to six participating) and will have the responsibility of
designing the exercise in its entirety. They will also delegate and
recruit evaluators and other members for the simulation team.
The design team meets on average once a week for the four
weeks leading up to the exercise and documents all meetings in
the design document.
Simulation Team: The simulation team consists of the design
team plus any other team members they delegate and recruit
during the planning of the exercise. The simulation team role
plays or simulates any internal or external person that the recov-
ery team might contact during the exercise. Because some busi-
nesses span across geographical locations, it is necessary to iden-
tify internal corporate resources that will participate in the exer-
cise. In many cases you may want to exercise many locations at
the same time that make up the same strategic business unit.
This team “drives” the scenario and releases information as
planned, to ensure that the recovery team responds to situations
appropriately. The simulation team releases information to the
recovery team by delivering messages, visiting recovery team
members, phoning in messages or playing pre-recorded TV and
radio announcements.
Observation Team: The observation team is made up of two or
three observers or evaluators who can objectively observe and
take notes during the exercise. They should be very familiar with
the incident management, occupant emergency, business conti-
nuity and disaster recovery plans for that specific location. They
are also briefed prior to the exercise during an orientation where
expected results are discussed. The observation team is given a
clipboard with prepared scenario simulation times, events,
expected responses and room for making notes. If the exercise
spans more than one location, a team in each location will need
to be defined. The observation team provides feedback immedi-
ately following the exercise during the exercise debriefing.
STEP 2: MEET WITH THE DESIGN TEAM
Different types of exercises require different amounts of plan-
ning times. Part I of this series explained suggested planning
times. For example purposes only, the following shows how to
design an exercise that will require one month (or four weekly
meetings). It is suggested that each meeting only last one hour.
Meeting 1: Identify Goals, Objectives and Participants
Start the planning process with a stated goal followed by spe-
cific objectives that support that goal. In order to exercise for
desired results, you must first determine what it is you are trying
to achieve. Begin filling in your exercise document template with
the information discussed with the design team.
Examples of Goals:
• This exercise is to measure how effectively personnel evacuate
the building following an alarm.
• The goal of this exercise is to perform a walk-through of the
“plan” and discuss possibilities for response and recovery.
• The goal of this exercise is to ensure senior management know
and understand all procedures for emergency management.
• The goal of this exercise is to ensure all organizations can com-
municate effectively during a time of crisis.
• The goal of this exercise is to test coordinated efforts between
organizations during a response and recovery effort.
Ask the design team for viable candidates for the following
positions: exercise assistant; recovery team; and observation
team.
Meeting 2: Begin Developing the Scenario
In developing the scenario, think about threats, vulnerabilities
and risks that are known as a result of performing the business
impact analysis. Review written plans and identify areas for
improvement. Ensure that the scenario is realistic for the loca-
tion, building and its occupants. Do not plan an exercise scenario
that would waste the team’s time.
Be sure to include things like date, time, weather and neces-
sary background information. Do not leave anything for the
recovery team to assume. The scenario and its messages that
twist and turn the exercise must provide the recovery team with
enough information to proceed with decision-making and
response/recovery activities. Start with how the recovery team
finds out about the incident. Give them the sequence of events
or an initial damage report or assessment. Let them know where
they are at all times. Don’t forget to “erase” people from the
exercise: Who is missing? Who is still there? Are there injuries or
fatalities? Has anything been communicated prior to the scenario
beginning? Create a list of assumptions and artificialities and
document them in the exercise document.
It is suggested to create a table for the scenario and a timeline
that will “drive” when and how the different segments of the sce-
nario will be fed to the recovery team. Suggested column head-
ings include:
Segment #: This could be a letter or number
Real Date and Time: Date of exercise and time (to progress the
clock)
Simulated Date and Time: This is announced before each message
Message: The next “piece” of the scenario
Delivered How: Announced, phone call, radio, TV, in person
Delivered By: Simulation team member name
Ensure at this point in time that facilities are available to use,
and they have been reserved.
Meeting 3: Finalize Scenario and Initial Simulation Walk-Through
This will be the second session to discuss with the design team
all the details of the scenario. All participants should be identi-
fied by now. The exercise goal, objectives, assumptions, artificial-
ities and details about the scenario should be completed by the
end of this meeting.
Go through the scenario with the design team and identify all
external parties that the recovery team will most likely contact
during the exercise. Create a “communications directory” and
document in the exercise document. Assign “roles” for everyone
on the communications directory and include only the cell
phone numbers of those role-playing on the simulation team (no
need to include their real names).
Meeting 4: Finalize Scenario, Logistics and Communications Directory
Ensure that rooms are reserved, lunch and/or beverages are ordered
and that any audio-visual materials are reserved and available.
As time nears the exercise date, some participants may notify
you they won’t be able to attend for various reasons. If you’ve
written segments that affect them individually or you are expect-
ing a certain response from them, you may need to “adjust” the
scenario slightly to make things work out. Re-read the scenario
and ensure that the activities meet or exceed the objectives and
that the goal will be obtained.
Ensure that the design/simulation teams are comfortable with
their roles and responsibilities, and ensure that cell phone num-
bers listed in the communications directory are correct.
Nail down last minute issues that have arisen, if any. Walk through
the scenario one last time with the simulation team to ensure that
everything is in place and the scenario is well understood.
STEP 3: PREPARE EXERCISE DOCUMENTATION
Several handouts will be needed during the exercise. The
Exercise Document that has captured all of the exercise details
will be used to create most of these handouts. You cannot dis-
tribute the Exercise Document as is, as it contains the entire sce-
nario.
Simulation Team Handout (including full scenario and timings/messages)
The simulation team will need a handout to follow the scenario
closely with a clock. They will be responsible for handing messages,
making “guest” appearances in the recovery room and
making phone calls to add additional information for the recov-
ery team. This document needs to have full details of the sce-
nario.
Observation Team Form (including full scenario and expected responses)
The observation team form can be identical to the simulation team
handout with one exception – it also needs to outline expected
responses. If the observers are not entirely familiar with a plan
that is being exercised you can help them by giving them a cue
so they know what to look for.
Recovery Team Guidelines
Create a recovery team guidelines handout that is derived from
the following sections in the exercise document:
• Location to be exercised
• Date and time
• Scope of exercise
• Artificialities
• Assumptions
• Scenario (only up to the point where you wish the exercise to
begin)
• Instructions to participants (rules of engagement, if you will –
set expectations!)
• Communications directory
Other handouts (as necessary) include:
• Name tents or name tags if the exercise is large. Also use
nametags for simulation team members role-playing someone
other than themselves.
• Cue cards – if you need to advise a recovery team member of
something and you don’t want everyone receiving the informa-
tion, use 3x5 cards to print messages for them and hand them
out at the appropriate times in the scenario.
• Messages – if you are handing messages out, or if you are having
them read out loud, it would be easier if they were printed,
one message to a page that can be shared as a reference with
the recovery team.
STEP 4: HOLD PRE-EXERCISE ORIENTATION
Schedule a pre-exercise orientation meeting with the simulation
team (if needed), the observation team and the exercise assistant.
It’s best to schedule these meetings just prior to the exercise,
or the day before for a couple of reasons. If you hand out the
complete scenario to the observation team prior to the exercise,
they may be tempted to “share” it with their co-workers involved
in the exercise. You also want the review to take place just prior
so that the information is fresh in their minds.
Simulation Team Orientation
• Provide the team with hard copies of the scenario and expect-
ed actions and scripts for each “role” they are playing.
• Walk through the exercise and messages one last time with
everyone.
• Ensure that the room reserved for the simulation team during
the exercise is adequate. Walk through the room with the sim-
ulation team and answer any questions.
• Ensure that any extra materials or equipment are scheduled to
arrive in time for the exercise (flip charts, projectors, etc.).
Observation Team Orientation
• Provide the team with hard copies of the scenario, timing and
expected responses by the recovery team.
• Explain logistics and roles and responsibilities.
• They will need a checklist that provides them with expected
results for each piece of information driving the scenario.
Providing them with the same document as the simulation
team will work, as long as you explain it to the observation team
and they understand what they are to be observing and measuring.
Exercise Assistant Orientation
You may or may not want to provide the exercise assistant with a
detailed scenario. Explain their role and responsibilities and provide
enough information for them to perform their job without having to interrupt
the exercise. If the recovery team needs to eat a meal during the
exercise, for example, ensure that the assistant knows when the food
should arrive, by whom, and where it is to be set up. If you want the
assistant to deliver messages to the recovery team throughout the exer-
cise, they will need to have a copy of the timings and scenario compo-
nents, the messages typed up and ready for distribution, etc.
Having done all the advance design work for the exercise, you
are finally ready to conduct the exercise. Don’t miss Taking the
Fear Out of BC Exercises: A Blueprint for Success, Part III:
Exercise with Confidence, in next month’s issue of CPM-Global
Assurance, which will outline how to set the tone, develop guide-
lines, conduct and evaluate the exercise.
About the Author
Telva Chase has more than 27 years of software engineering and
seven years of full-time BC/DR experience. In 2002 she created and
currently is the director of the business continuity program office for
Thomson Scientific & Healthcare (www.thomson.com). Questions and
comments may be directed to editorial@contingencyplanning.com.
EVENTS CALENDAR 2007
March
14-16: Do-It-Yourself Business
Continuity Management
Course
Singapore
www.bcpasia.com
23: Business Continuity
Management Seminar
Hong Kong, China
www.bcpasia.com
25-27: Continuous Availability
Summit 2007
Loew’s Royal Pacific Resort at
Universal Orlando; Orlando, FL
www.stratus.com/summit
25-27: European Security
Conference
Berlin, Germany
www.asisonline.org
26-28: Do-It-Yourself Business
Continuity Management
Course
Beijing, China
www.bcpasia.com
April
22-25: Strohl Systems User
Group Conference
JW Marriott Desert Ridge Resort
& Spa; Phoenix, AZ
www.strohlsystems.com
24-25: Freedom of Information
Conference
Jurys Great Russell Street Hotel;
London, UK
www.foiconference.co.uk
25-27: Do-It-Yourself Business
Continuity Management
Course
Manila, Philippines
www.bcpasia.com
May
22-24: CPM 2007 WEST
The Mirage; Las Vegas, NV
www.contingencyplanningexpo.com
July
8-11: World Conference on
Disaster Management
Toronto Metro Convention
Centre; Toronto, Canada
www.wcdm.com
September
12-13: Dealing with Disasters
Conference
School of Applied Sciences,
Northumbria University;
Newcastle upon Tyne, England
Graham Thompson:
graham.thompson@tees.ac.uk
Are We Fully Prepared?
Identifying pitfalls of business continuity planning
By Mark Chussil
On Sunday, Aug. 28, 2005, the day before Hurricane
Katrina hit New Orleans, President George W. Bush was
briefed by Max Mayfield, director of the National Hurricane
Center, and Michael Brown, then director of the Federal
Emergency Management Agency (FEMA). They warned him
about what could happen in the future. A subsequent videotape
shows the president assuring local officials that “we are fully pre-
pared.”
As events demonstrated, we were not fully prepared. Yet the
President was willing to go on record saying that we were.
Politics, perhaps. Being misunderstood or misinformed? Maybe.
But at least some of the people involved genuinely believed that
we were fully prepared.
We often ask – especially after a disaster – how we can hold
people more accountable or get rid of those incompetents who
failed to implement the plan. But maybe, to quote former Intel
CEO Andy Grove, “That is not the right question.” Maybe the
right question, therefore, is why did people believe we were pre-
pared when we were not?
In business and government, we build plans and then we trust
them. “We are fully prepared” generally means “we have a plan,
we have the resources required by the plan and we have trained
our people to execute the plan.” Talented, dedicated people
work hard to make great plans. Those plans always work … on
paper. After all, if we thought the plans wouldn’t work, we
wouldn’t call them our plans.
So what goes wrong? Why do strategists write growth plans
with wondrous forecasts and spreadsheets only to have their
businesses shrivel? They fail to anticipate or respond effectively
to competitors’ moves, as in the slow, painful decline of the
American automobile industry. Why do government agencies,
following their plans, buy hardware and drill emergency respon-
ders, only to see citizens suffer and die in a disaster? The agen-
cies fail to communicate and coordinate, as was the case with
Hurricane Katrina.
CONFIRMING PROBLEMS IN PLANNING
What goes wrong, in part, is the process of planning itself. The
process of planning unintentionally leads to failures to anticipate,
respond, communicate and coordinate because the process of
planning unconsciously makes us overconfident in the plans.
It’s not that the process of planning is bad, and it’s emphatically
not that the planners are bad, it’s that the process often doesn’t
go far enough.
In planning, we develop a sequence of steps to follow in a
given situation. We refine and communicate the sequence by
writing it down – in detail – and we test and teach it by rehears-
ing it in drills. When we’re done, we believe we have validated
the plan. We believe the plan, and we believe that we are pre-
pared.
What we do in that process is implicitly focused on so-called
“confirming evidence.” Each time we write down tasks and pro-
cedures that will make the plan work – and each time the
rehearsal works – we feel more confident that the plan will
work.
When we believe the plan will work, we stop questioning it.
As humans, we tend to seek, retain and apply facts consistent
with our beliefs. We tend to discredit or avoid information that
conflicts with our beliefs. Sometimes, we even stop listening.
(When’s the last time you read a book by an author with whose
views you expected to disagree?) Unfortunately, like the belief
that we were fully prepared for Katrina, some sincere beliefs are
simply not true.
CALIBRATION AND FEEDBACK
Social psychologists use a concept called calibration, which refers
to the match between confidence and accuracy. How it’s meas-
ured is beyond the scope of this article. But suffice it to say that
weather forecasters are well-calibrated because, for example,
when they say there’s a 70 percent chance of rain, 70 percent of
the time, it rains.
We stop seeking information, studies, ideas or tests when we’re
confident we’ve got enough. When we’re accurate and we do
have enough, that means we don’t need more and it’s appropri-
ate to stop. The problem occurs when we are inaccurate. High
confidence with low accuracy means we stop too soon. That’s
what happens with the plans we believe will work because they
worked on paper and in rehearsals. That probably contributed to
officials proclaiming, confidently and inaccurately, that we were
prepared for Hurricane Katrina.
According to Professor Scott Plous of Wesleyan University, Middletown, Conn., “The most effective way to improve calibration seems to be very simple: Stop to consider reasons why your judgment might be wrong.” In other words, look for disconfirming evidence.
Professors Jay Russo of Cornell University, Ithaca, N.Y., and Paul Schoemaker of the University of Pennsylvania, Philadelphia, say we can improve calibration by providing timely, accurate feedback. Learning from timely, accurate feedback gives weather forecasters an “enviable record of reliability.”
How can we provide timely, accurate feedback for those we have entrusted with safeguarding our communities and industries? How can we encourage them to search for disconfirming evidence? How can we help them work around the shortcomings of the planning process?
FAIL SAFETY
In an introductory psychology course in college, we joked about a concept called “one-trial learning.” In one-trial learning, you imagine a rat being placed at the base of a T-shaped maze. If the rat runs one way when it gets to a T intersection, it gets a piece of delicious cheese. If it turns the other way, it gets a fatal electric shock. The rats that make the right choice learn in just one try.
Of course, there’s no real learning. It’s luck, jazzed up with
imaginary academic sadism. But in concept, it’s not so different
from on-the-job training.
In real life, we don’t want to risk one-trial learning. Taking the wrong turn in a real-life T-shaped maze means real people get hurt. What we want is the opportunity to fail – and learn – where it’s safe. In effect, we want many-trial learning in which we replace the cheese and the fatal electric shock with timely, accurate feedback. The feedback, especially from failures, provides disconfirming evidence and the opportunity to discover and repair flaws in plans before they do us any real harm.
Make it safe to disagree. People sometimes feel reluctant to contribute disconfirming evidence or dissenting opinions, particularly in politically charged decisions. It’s critical, though, to draw them out. So, do things differently. Close the doors. Allow anonymous feedback. Reward the contributions, even if they’re uncomfortable. Let people role-play.
Change how ideas are presented to decision makers. A.G.
Lafley, CEO of Procter & Gamble, “always asks managers to give
him two different approaches and present the pros and cons of
each” before he makes a decision. Ask for reasons why it will
work and reasons why it won’t.
Look outside your agency or industry. Think differently by
putting on someone else’s hat. Imagine, for instance, what Rudy
Giuliani, Steve Jobs, Sir Winston Churchill, General George
Patton or Steven Spielberg would do with the challenges you face. Look for insight to industries, such as software and microprocessor engineering: They do rigorous code reviews and succeed at making the most complex stuff in history work.
Ask strange questions. What would it take to improve performance not 10 percent but tenfold? What could we do that would make customers or citizens happy even if it costs more money? What has to happen for our plan to work (e.g., the electricity stays on, we have police protection, there’s enough gasoline), and what would we do if one or more didn’t happen?
Keep asking “what if?” Asking “what if?” reveals the chaos, surprises and uncertainty you’ll face in a real crisis. What if critical people aren’t on the scene? What if you have to carry out the plan in the middle of the night or during a snowstorm with the power out? What if senior leaders aren’t able to communicate?
Conduct simulations. By their very nature, simulations provide timely feedback and disconfirming evidence. They make it very difficult to succeed simply because you want to succeed or because you believe your plan will work. You’ve got to take action, coordinated with others on your team and within the bounds of available resources. Good simulations stimulate high-impact, out-of-the-box, we’ve-got-to-do-something thinking while there’s still time. Moreover, you can repeat the simulations with different people or with different settings to get many-trial learning. This is the path to before-the-job training.
You wouldn’t certify an aircraft as airworthy just because it
flies smoothly in a wind-tunnel rehearsal or in a clear-skies drill.
You also want to demonstrate that it will fly safely in a bad
storm or when an engine fails. Stress-testing your plans helps
you make them crisis-worthy. Then you can say confidently,
and accurately, that you are prepared.
About the Author
Mark Chussil is a founder and senior director of Crisis Simulations
International (CSI) LLC and is a founder and CEO of Advanced
Competitive Strategies Inc. (ACS). He designed CSI’s DXMA™
crisis simulator (patent pending) and ACS’ award-winning
ValueWar® business simulator. Questions and comments may be
directed to editorial@contingencyplanning.com.
References
1. The Wall Street Journal, March 3, 2006.
2. “The Education of Andy Grove,” Richard S. Tedlow, historian at
the Harvard Business School, Fortune, Dec. 12, 2005.
3. The Psychology of Judgment and Decision Making, Scott Plous,
McGraw Hill, 1993, page 228.
4. See Decision Traps, J. Edward Russo and Paul J.H.
Schoemaker, Simon & Schuster, 1989, pages 98-102.
5. National Public Radio, Jan. 6, 2006.
6. “Rewarding Competitors Over Collaborators No Longer
Makes Sense,” Carol Hymowitz, The Wall Street Journal, Feb.
13, 2006, page B1.
PRODUCTS
INFORMATION SECURITY E-MAIL SOFTWARE
Los Angeles-based SearchInform Technologies Inc.’s newly released MailSniffer provides information security and prevents the leakage of confidential information. SearchInform MailSniffer RC intercepts all e-mail traffic on the network protocol level, indexes the intercepted messages and enables the user to conduct search through them with access to all sent and/or received messages on a given computer. Users can conduct quick quality full-text search with due consideration to stemming, thesaurus and word location in a phrase. The search is conducted through all incoming and outgoing correspondence not only in the body of the letter, but also in its attributes and even in the contents of attached files. All intercepted information gets indexed and stored into the database, so that even if a message is deleted from the mail client, its contents will still be available for search. When viewing the history of correspondence between two people, MailSniffer displays it in a chronological order for the user’s convenience. Features include previewing correspondence history with one recipient; full text search in messages and attached files with due consideration to stemming; control over employees’ correspondence; and user access rights differentiation.
www.searchinform.com
INTELLIGENT STORAGE ROUTER FOR BC, DR APPLICATIONS
QLogic Corp., Aliso Viejo, Calif., a provider of fibre channel host bus adapters, stackable switches and blade server switches, has announced that information management and storage provider EMC Corporation, Hopkinton, Mass., will expand its resale of QLogic® Network Platform products to include the new QLogic SANbox® 6142 intelligent storage router, now available through the EMC® Select Program. In addition, selected QLogic host bus adapters and switches are also offered through the program. The SANbox 6142, qualified as EMC E-Lab™ Tested with EMC CLARiiON® networked storage systems, features SmartWrite wide area network optimization technology for business continuity and disaster recovery solutions requiring remote mirroring of data. The 6142 features SmartWrite, the QLogic patent-pending technology for accelerating and bridging SANs over WANs and provides SAN-over-WAN connection infrastructure for EMC MirrorView and EMC SANCopy to support disaster recovery, replication and volume copy services over WANs. Using SmartWrite’s Layer III (SCSI layer) routing, the SANbox 6142 is able to perform SAN bridging over WANs without having to merge SAN Fabrics. SmartWrite eliminates double addressing of SAN devices required by iFCP; eliminates the need to have unique names on each SAN; and leverages the WAN resources for resiliency and encryption.
www.qlogic.com
DISASTER RECOVERY SERVICES FOR GOVERNMENT AGENCIES
Basking Ridge, N.J.-based Verizon Business’ Voice Continuity disaster recovery service is now available to federal customers under the U.S. General Services Administration’s Washington Interagency Telecommunications System (WITS) 2001 contract for federal agencies within the Washington, D.C., metropolitan area. The services have been available since 2005 to other federal government users to purchase from the GSA’s Federal Telecommunications Service (FTS) 2001 contract and are available to state government customers. These services, offered in conjunction with TeleContinuity Inc., Rockville, Md., help federal and state government agencies meet continuity of operations planning requirements. In the event of an equipment failure, natural disaster or building evacuation, the voice continuity option provides the capability to reroute calls to maintain telephone service to virtually any location and device, including wired or wireless phones, desktop or mobile computers and personal digital assistants. Verizon Business identifies potential risks and exposures, including router or hardware failures, cable cuts, power and network outages, natural disasters and acts of terrorism; provides an analysis of costs and benefits of potential mitigation measures; and tests the solution. The technology links the public switched telephone network with the Internet to create a seamless system for voice disaster recovery. Users activate the voice continuity service when they anticipate or are experiencing an outage. Upon activation, users can choose the device and location where calls will be rerouted.
www.verizonbusiness.com
DISASTER RECOVERY, FAULT-TOLERANT SOLUTION FOR SMALL FACILITIES
Dataprobe, Allendale, N.J., a manufacturer of technology solutions for networking systems management, has released the K-3 Series, a new line of redundancy switches that provides up to three A/B switches in a 1U rack-mount chassis. It is optimized for remote sites and distributed systems that want to construct high-availability, fault-tolerant communications. K-3 provides physical layer switchover of communications circuits for line protection and equipment redundancy applications. Small remote sites provide mission-critical operations and have the same availability requirements as data centers. The new K-3 is a redundant switching system designed to address these challenges by ensuring maximum uptime for critical communication circuits. It includes automatic and remote control capabilities. Users can control up to three A/B switches in either independent or gang switch arrangement. The K-3 can be controlled via Web, Telnet, SNMP, etc., making the system accessible from any network location while the chassis provides for one internal A/C or D/C power supply, with the option for dual redundant power in an external supply.
www.dataprobe.com

2007 03 Global Assurance Magazine

  • 1. March 2007 • Volume 4 • Issue 3 Are We Fully Prepared? Identifying pitfalls of business continuity planning N a t i o n a l N e w s • I n t e r n a t i o n a l N e w s • P r o d u c t s • E v e n t s Where business continuity, security and emergency management converge. Also… Predicting Hurricanes Taking the Fear Out of BC Exercises: A Blueprint for Success Are We Fully Prepared? Identifying pitfalls of business continuity planning
  • 2. 2 | CPM-GA March 2007 GlobalAssurance F E AT U R E S 3 Predicting Hurricanes Times have changed 14 Taking the Fear Out of BC Exercises Part II: Design for disaster 18 Are We Fully Prepared? Identifying pitfalls of business continuity planning IN THIS ISSUE… 3 15 CPM-Global Assurance is a monthly subscription-based newsletter. It addresses the strategic integration of business continuity, security, emergency management, risk management, compliance and auditing to ensure continuity of operations in business and government — all within the context of good corporate governance. To subscribe to this unique resource, please fill out and fax back the subscription coupon on the back page. CPM-Global Assurance (ISSN #1547-8904) is published monthly by The CPM Group, 3141 Fairview Park Dr., Suite 777, Falls Church, VA 22042. © Entire contents copyright 2007. No portion of this publication may be reproduced in any form with- out written permission of the editor. Views expressed by the bylined contributors and sources cited should not be construed as reflecting the opinions and/or advice of this publication. Publication of product/service information should not be deemed as a recommendation by the editor. Editorial con- tributions are accepted from the contingency planning community. Contact the editor for details. Product/service information should be submitted in accordance with guidelines available from the edi- tor. Editorial closing date is two months prior to the month of publication. The CPM Group publishes CPM-Global Assurance and produces the CPM trade shows. Printed in the USA. Editor in Chief: DEVEN KICHLINE dkichline@contingencyplanning.com 609-397-5518 Group Publisher: RUSSELL LINDSAY rlindsay@1105media.com 254-829-3003 Director, Event Planning & Marketing: KRISTIE O'KEEFE kokeefe@contingencyplanning.com 609-397-5503 Manager, Event Planning & Marketing: COURTNEY WITTER cwitter@contingencyplanning.com 609-397-5507 CPM-GlobalAssurance Contacts National News . 
. . . . . . . . . . 9 International News . . . . . . . 12 Events Calendar . . . . . . . . . 17 Products . . . . . . . . . . . . . . . . 21 D E P A R T M E N T S The CPM Group 3141 Fairview Park Dr., Suite 777 Falls Church, VA 22042 www.contingencyplanning.com Fax: 609-397-5520 Exhibit Sales/List Rentals: BRAD LEWIS blewis@contingencyplanning.com 609-397-5506
  • 3. www.ContingencyPlanning.com | 3 Predicting Hurricanes Times have changed Viewed from above, hurricanes appear as majestic storms comprised of towering thunderstorms spiraling around an often calm and clear center called an eye. But below the clouds are destructive winds, towering waves and torrential rainfall. Over water, hurricanes torment ships and can dis- rupt commerce. Over land, hurricanes cause considerable property damage, unleash flash flooding and spawn killer tornadoes. And such a storm can strike with little or no warning. A day begins innocently enough; then, suddenly, it becomes overcast and breezes steadily increase. Howling winds drive sheets of torrential rain while toppling trees, snapping power lines and destroying homes. Even with advance noti- fication, these are potentially deadly conditions. But, in the not-so-distant past, the absence of an Earth- and space- based detection network allowed hurricanes to make sur- prise entrances. Knowing where and when a hurricane will strike and how strong it will be are the fundamental issues that challenge meteorologists, as their decisions impact life-saving pre- paredness plans. Advances in the last half-century have brought tremendous improvements in hurricane forecasting and, despite a growing coastal population, have yielded a
  • 4. 4 | CPM-GA March 2007 dramatic decline in hurricane-related fatalities. Today, the National Oceanic & Atmospheric Administration (NOAA) uses an arsenal of forecasters, instruments, and computer-based tools to produce the best possible storm projections that extend days into the future. NOAA’s investment in ocean and atmospheric research, cou- pled with technological advancements, has led to a remarkable transformation in hurricane monitoring and forecasting. Emerging from these combined factors has come intricate com- puter modeling, a vast network of ground- and ocean-based sensors, satellites and Hurricane Hunter aircraft. Accurate pre- dictions of storm track and intensity are key to helping NOAA protect life and property. LIMITED WARNING Hurricane forecasts were once solely dependent upon relative- ly sparse observations of sky and water conditions, along with occasional ship reports of turbulent weather in the ocean. Attaining the limited data that was available was time-consum- ing and resulted in hand-drawn maps that displayed only a par- tial picture of what was actually occurring. Lacking a com- plete analysis of current weather patterns, in conjunction with insufficient knowledge of tropical meteorology, fore- casts for tropical storms and hurricanes were deficient. These limited forecasts left little time for preparation before a hurricane struck. Without advanced preparation, hurricanes are lethal. On NOAA’s list of the deadliest hurricanes to strike the United States, the overwhelming majority of storms occurred before hurricane prediction reached levels necessary to adequately serve the public. Among noteworthy lethal hurricanes to strike the United States are: • The Galveston (Texas) Hurricane of 1900, which resulted in a death toll of up to 12,000. • The Lake Okeechobee (Florida) Hurricane of 1928, which was responsible for at least 2,500 fatalities. 
• The Hurricane of 1938, which struck Long Island, New York and New England with a mere four hours advance warning and left approximately 600 individuals dead. This map shows U.S. hurricane strikes between 1950 and 2005. Photos courtesy of NOAA
  • 5. www.ContingencyPlanning.com | 5 Armed with a greater understanding of a hurricane’s life cycle, along with a more robust automated observation network, today’s meteorologists can produce hurricane forecasts with greater precision. With NOAA’s National Hurricane Center, NOAA’s Central Pacific Hurricane Center and local National Weather Service forecast offices across the country, NOAA is constantly monitoring the tropics, from Guam in the western Pacific Ocean to the west coast of northern Africa, looking for storms. Routine hurricane track forecasts for the Atlantic Basin (the Atlantic Ocean, Gulf of Mexico and Caribbean Sea) began in 1954 and could only provide information one day into the future. Forecasts were expanded to provide two days advance notice in 1961 and three days in 1964. Three days remained the standard for advance hurricane forecasts through 2002. In 2003, boosted by the reliability of computer models, NOAA began issuing forecasts out to five days in advance. In addition to helping the public and local officials prepare for impending hurricane landfalls, this recent forecast extension helps the U.S. Navy ensure ships are safely removed from a storm’s path. TACKLING KATRINA The forecasted track of Hurricane Katrina is one example of NOAA’s modern-day forecast accuracy. As Katrina entered South Florida as a newly upgraded hurricane, National Hurricane Center forecasters knew the storm’s future path would take it over the energizing warm waters of the Gulf of Mexico before threatening the northern Gulf Coast. For a con- sistent 56 hours before landfall, the National Hurricane Center predicted the center of Katrina would specifically strike south- east Louisiana as a “major” hurricane. 
While hurricanes remain one of nature’s most violent and destructive storms, and modern research strives to further improve the forecast of hurricane track and intensity, long gone are the days of surprise storms that go undetected until it is too late to prepare. Achievements in hurricane forecasting are rooted in the growing number and integrity of data collection tools. From buoys in the ocean to land-based radars to Hurricane Hunter aircraft and satellites, these instrument networks are perpetually taking the pulse of the planet and feeding forecasters critical data.

[Photo caption: Damage from the Galveston Hurricane of 1900 was caused by the hurricane and resulting storm surge. This was the greatest natural disaster in terms of loss of life in U.S. history.]

AIRCRAFT
Gathering data from within, above and around hurricanes are aircraft operated by NOAA and the U.S. Air Force (USAF). Since the first intentional flight into a hurricane approaching Galveston, Texas, in late July 1943, NOAA and the USAF now routinely fly into storms that are a potential threat to the United States. Onboard radar and dropwindsondes, which are ejected from the plane’s belly to measure a cross-section of a hurricane’s pressure, temperature, humidity and wind, provide NOAA meteorologists with data of unmatched density.

SATELLITES
Satellites have greatly improved hurricane forecasting with their ability to provide informative snapshots of Earth. April 1, 1960, marked the first launch of a weather satellite. Since then, satellites have become increasingly mature in their ability to analyze cloud structures as well as read the temperature of ocean surfaces. NOAA’s National Environmental Satellite, Data and Information Service supports two types of satellites: geostationary operational environmental satellites (GOES) for national, regional and short-range forecasting and polar-orbiting operational environmental satellites (POES) for global, long-term forecasting and environmental monitoring. Together, GOES and POES complete a global weather satellite monitoring system, tracking atmospheric variables, such as temperature, and providing atmospheric data and cloud images needed to track and understand hurricanes.

WEATHER RADAR
Weather radar, first introduced in the late 1950s, underwent a rebirth during the modernization of NOAA’s National Weather Service in the late 1980s and early 1990s. Today, a total of 155 WSR-88 Doppler radars constantly scan the skies over the United States and its territories. Doppler radar reads precipitation intensity and movement and a variety of wind data across a wide column of the atmosphere, providing forecasters with a valuable cross-section analysis of a storm.

[Photo caption: Southeast Louisiana remained in Katrina’s projected landfall from the National Hurricane Center for a full 56 hours prior to the storm coming ashore near Buras, Louisiana, at 6:10 a.m. CT on August 29, 2005.]

BUOYS AND FLOATS
Buoys and floats peppered throughout the oceans transmit a variety of valuable data at and below the ocean surface, including air and water temperature, wave height and wind direction and speed. Operated by NOAA’s National Data Buoy Center, the existing network of buoys is being enhanced with the addition of eight more hurricane buoys in the western Atlantic Ocean, which will allow NOAA to attain more data in an area where hurricanes frequently occur.

COMPUTER FORECAST MODELS
All of the observation elements mentioned above, as well as other sensors, provide essential data points that feed NOAA’s computer forecast models, which calculate likely future weather behavior. A more complete, current picture of a hurricane and its environment (the ocean and atmosphere) provided by land-, air-, ocean- and space-based sensors permits more accurate model projection. The mathematical representation for such computer forecast models is becoming more detailed and can better model a hurricane’s interactions with its surroundings, ultimately producing better forecasts.

For example, recent computer model upgrades have featured a better reflection of the “loop current” in the Gulf of Mexico. This narrow ribbon of very warm water can provide hurricanes with added fuel that allows them to strengthen rapidly. The model’s ability to project such intensification is invaluable, as it is instrumental in determining the extent of hurricane evacuations.
Not only has NOAA become proficient in forecasting individual storms, but also the evolving understanding of global ocean and atmospheric patterns has allowed NOAA to produce seasonal outlooks extending through the entire six-month hurricane season (June to November). These outlooks project the number of tropical storms, hurricanes and major hurricanes (Category 3 and higher) likely to form in each basin that NOAA is responsible for (including the Atlantic Basin and the Eastern and Central Pacific Basins).

[Photo caption: Satellite images, such as this image of Hurricane Rita approaching the Gulf Coast, provide valuable information needed to monitor tropical storms.]

Delving through the past shows how far our ability to predict hurricanes has come. With further improvements on the horizon led by an increasingly dense network of observations and sophisticated computer models, NOAA seeks to produce forecasts with even greater specificity. Working with the media, partner organizations and emergency officials and through enhanced outreach, NOAA aims to educate the public on taking proactive measures to lessen the impacts of hurricanes.

Whether NOAA is forecasting an above-average hurricane season, similar to the record-setting 2005 season with 28 storms and 15 hurricanes, or a below-average season for a given year, their fundamental advice remains the same: be prepared. It only takes one storm for it to be a bad season. After all, it may not be a matter of if a hurricane will strike; but rather a matter of when.

— NOAA

References

Hughes, P. (1976). American Weather Stories. Washington: U.S. Department of Commerce, National Oceanic and Atmospheric Administration, Environmental Data Service.

NOAA. (2005). NOAA deploys seven new hurricane buoys. Retrieved January 22, 2007, from: http://www.noaanews.noaa.gov/stories2005/s2458.htm.

Sheets, R.C. (1990). National Hurricane Center: Past, Present and Future. Weather and Forecasting, 5, 2. Retrieved January 22, 2007, from: http://ams.allenpress.com/perlserv/?request=get-abstract&doi=10.1175%2F1520-0434(1990)005%3C0185%3ATNHCPA%3E2.0.CO%3B2.

[Photo caption: Hurricane buoys before being deployed from Gulfport, Mississippi.]
NATIONAL NEWS

TAX ATTACKS
As the April 17 tax filing deadline approaches, cyber fraudsters are planning their attack on online tax filers to steal confidential information. Websense Inc., San Diego, Calif., a provider of Web security and Web filtering productivity software, has announced that Websense® Security Labs™ has seen a rise in phishing attacks via fraudulent e-mails and Web sites that spoof the Internal Revenue Service (IRS). Since December 2005, Websense Security Labs has been working together with the IRS and other organizations to investigate the rise of tax scams and better protect consumers and employee computing environments from increasingly sophisticated and dangerous Internet security threats.

Websense Security Labs has discovered tax attacks targeting the United States in several countries hosted on compromised Web servers. For example, one of the largest IRS phishing campaigns claims that the taxpayer is eligible for a refund and needs to log on to a Web site to verify their information. Users receive one of a variety of e-mail messages with a link to a fraudulent Web site. Upon accessing the spoofed tax Web site, the user is then forwarded to a fraudulent site that requests credit card information and other personal identifiers. The intent of these attacks is to dupe users into revealing confidential information, which can be used for withdrawing funds.

Phishing can present a serious security risk for consumers and organizations. Phishers are becoming more sophisticated in their deception techniques to lure employees to spoofed Web sites, as most employees cannot determine which is a genuine site and which is a fake; however, employees don’t have to “fall for the phish” and actually enter confidential information on a phishing Web site to be compromised. For example, recent trends indicate that by just visiting a Web site, many types of phishing URLs can install spyware, such as a malicious keylogger, which has the ability to capture data including network passwords or social security numbers without their knowledge. It only takes one employee to click on a phishing site and accidentally give out confidential corporate data, customer records, network passwords or trade secrets to jeopardize an entire organization’s intellectual property.

“Cyber thieves sit back and wait for current events, such as tax season, which provide an opportunity to manipulate for monetary rewards,” says Dan Hubbard, senior director, security and technology research, Websense Inc. “With tens of millions of online users filing their taxes on the Internet, many Web filers readily disclose personal identifiers such as network passwords, social security numbers, bank account numbers or their mother’s maiden name. The combination of having a large pool of potential users to target and the timeliness of the current event could lead to high numbers of both consumer and corporate victims.”

According to the IRS, 68.5 million tax returns were e-filed in 2005, and that number is predicted to increase at a record pace this year. The IRS also expects fraud attempts to rise and has published its own warnings in an attempt to educate the public on these scams. According to the IRS Web site, fraudulent e-mails appearing to come from [e-mail address obscured in source], [e-mail address obscured in source] or other similar irs.gov themed addresses offer a tax refund and direct recipients to a link contained in the e-mail. The link directs users to a clone of the IRS Web site that is modified to ask for personal and financial information not required by the real IRS page.
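The spoofed IRS sites in this article share URL path traits that Websense reports (/IRS/claim-refund/caseid or /.www.irs.gov in the path), which a mail gateway or Web proxy can screen for. The sketch below is an added example, not code from Websense or the IRS; the function names, the sample message and the extra check for "irs.gov" embedded in a foreign host name are assumptions that go slightly beyond the two traits the article names.

```python
import re
from urllib.parse import urlsplit, unquote

LEGIT_DOMAIN = "irs.gov"

# Path traits the article attributes to Websense Security Labs. The hyphen in
# "claim-refund" falls on a line break in the source text, so both spellings
# are accepted here.
PATH_TRAITS = {
    "path contains /IRS/claim-refund/caseid":
        re.compile(r"/irs/claim-?refund/caseid", re.I),
    "path contains /.www.irs.gov":
        re.compile(r"/\.www\.irs\.gov", re.I),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample message; hosts use reserved example/documentation names.
SAMPLE_MESSAGE = """\
Subject: You are eligible for a tax refund

To claim your refund, verify your information here:
http://refund-portal.example.net/IRS/claim-refund/caseid/000123/
Mirror: http://203.0.113.7/%2Ewww.irs.gov/portal/index.html
Official information: https://www.irs.gov/refunds
"""


def is_official_host(host):
    """True only for irs.gov itself or a genuine subdomain of it."""
    host = host.rstrip(".").lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify_url(url):
    """Return the reasons a URL looks like an IRS spoof; [] means no hit."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if is_official_host(host):
        return []
    # Decode %-escapes first so "/%2Ewww.irs.gov" cannot slip past the check.
    path = unquote(parts.path)
    reasons = [label for label, rx in PATH_TRAITS.items() if rx.search(path)]
    # Added generalisation (assumption): the brand appears in the host name,
    # but the registered domain is somebody else's.
    if LEGIT_DOMAIN in host:
        reasons.append("host embeds irs.gov but is not under irs.gov")
    return reasons


def scan_message(text):
    """Map each suspicious URL found in a message body to its reasons."""
    hits = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,);")
        reasons = classify_url(url)
        if reasons:
            hits[url] = reasons
    return hits


if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE_MESSAGE).items():
        print(url, "->", "; ".join(reasons))
```

A hit is a reason to quarantine or block the link for review; a miss says nothing about a URL that uses a different path layout.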
Furthermore, through its own research, Websense Security Labs found that many of the sites have similar characteristics in their URL paths and include /IRS/claim-refund/caseid or /.www.irs.gov in the path.

Web filers can avoid tax attacks and other Internet security threats by taking a few simple measures. For example, the IRS recommends not to click on any links in suspicious e-mails; instead go directly to the IRS Web site: www.irs.gov.

In addition, companies seeking to protect their employees from phishing scams can employ Web filtering and Web security software to prevent users from accessing sites associated with fraudulent online activities such as phishing.

— Websense Inc.

DHS ISSUES PROPOSAL FOR STATES TO ENHANCE DRIVER’S LICENSES
The Department of Homeland Security (DHS) has announced its proposal to establish minimum standards for state-issued driver’s licenses and identification cards in compliance with the REAL ID Act of 2005. The REAL ID requirements are a result of recommendations made by the 9/11 Commission, which Congress passed into law, and will enhance the security and integrity of driver’s licenses.

“Raising the security standards on driver’s licenses establishes another layer of protection to prevent terrorists from obtaining and using fake documents to plan or carry out an attack. These standards correct glaring vulnerabilities exploited by some of the 9/11 hijackers who used fraudulently obtained driver’s licenses to board the airplanes in their attack against America,” says Homeland Security Secretary Michael Chertoff. “We will work closely with states to implement these standards and protect Americans’ privacy against identity theft and the use of fraudulent documents. We are also pleased to have been able to work with Senator Susan Collins, R-Maine, and I believe that the proposed regulations reflect her approach.”

The department’s proposed regulations set standards for states to meet the requirements of the REAL ID Act, including: security features that must be incorporated into each card; verification of information provided by applicants to establish their identity and lawful status in the United States; and physical security standards for locations where licenses and identification cards are issued.

As proposed, a REAL ID driver’s license will be required in order to access a federal facility, board federally-regulated commercial aircraft and enter nuclear power plants. Because states may have difficulty complying before the May 11, 2008, deadline, DHS will grant an extension of the compliance deadline until Dec. 31, 2009. States that have received extensions will, over the course of the waiver period, submit proposed timetables for compliance.

DHS has also announced that up to 20 percent of a state’s Homeland Security Grant Program funds can be used to help implement REAL ID. This additional flexibility will be made available during the current 2007 grant cycle.

In May 2005, President Bush signed the “Emergency Supplemental Appropriations Act for Defense, the Global War on Terror and Tsunami Relief Act” into law. Among the provisions contained in the law was the REAL ID Act.

The proposed regulations have been submitted to the Federal Register for a 60-day public comment period.
— DHS

STATE, LOCAL TRIBAL OFFICIALS TO GET NEW COORDINATED INTELLIGENCE SERVICES
A new federal intelligence coordinating group has been established to provide state, local and tribal government officials and emergency management operations with information related to terrorism threats, disasters and other related topics, which will be specifically targeted based on individual needs, reports Federal Computer Week.

According to Lora Becker, the incoming director of the interagency federal state and local threat reporting and assessments coordination group, there is a need “for a unified voice,” in federal communications and that the new analysis “is tailored to the needs of [state, local and tribal intelligence users] and advocating for those same customers.”

The intelligence provided will not “generate alerts, warnings or updates on homeland security threats. Its analysts will provide strategic assessments of threats and disseminate them through established routes, such as the FBI’s Joint Terrorism Task Forces and the dozens of technology-rich state information fusion centers.”

Additionally, there will be a cross-pollination of federal intelligence agents working with state and local officials at the state fusion centers to provide a more balanced intelligence dissemination and analysis process.

According to Michael Mines, the FBI deputy assistant director for the intelligence directorate, “the FBI sees these centers as a natural bridge to the joint terrorist taskforces. We have over 100 analysts assigned to the 42 fusion centers.”

— National Council on Readiness and Preparedness

CONFLICTING SIGNALS CAN CONFUSE RESCUE ROBOTS
Sensor-laden robots capable of vital search and rescue missions at disaster sites are no figment of a science fiction writer’s imagination. Prototypes and commercial models of urban search and rescue (US&R) robots will soon begin to work rubble piles across the country.
Too many of these lifesaving robots, however, could be too much of a good thing, according to researchers at the National Institute of Standards and Technology (NIST), who report that the radio transmissions of multiple robots can interfere with each other and degrade search and rescue performance.

A NIST analysis of wireless radio field trials for US&R robots found that 10 out of the 14 robots tested experienced communication problems due to radio interference from other systems. Engineers carried out tests on the robots last August at a US&R robot standards development gathering in Gaithersburg, Md., sponsored by the Department of Homeland Security. The researchers found that neither use of “industrial, scientific and medical” (ISM) frequency bands nor adherence to protocols designed to minimize interference between systems in the bands could guarantee flawless communication between a robot and its human operator. Radio interference could happen whenever the ISM frequency bands became crowded or when one user had a much higher output power than the others. An example of the latter problem occurred during the tests when transmitters in the 1760 MHz band knocked out video links in the 2.4 GHz frequency band. In another case, a robot using an 802.11b signal in the 2.4 GHz band overwhelmed and cut off a robot that had been transmitting an analog video link at 2.414 GHz.

The NIST paper lists a number of ways to improve urban search and rescue wireless communications. Options, some of which are currently being investigated by robot manufacturers, include changes in frequency coordination, transmission protocols, power output, access priority and using relay transformers to increase the range of wireless transmissions (a technique known as multi-hop communications). The paper also suggests establishing new access schemes or software-defined radios that allow interoperable communications.
The work is funded by DHS’s Science and Technology Directorate through NIST’s Office of Law Enforcement Standards.

— NIST

SURVEY SHOWS AMERICANS FEEL GOVERNMENT UNPREPARED FOR AVIAN FLU PANDEMIC
Recently, the International Association of Medicinal Compliance (IAMC) was in attendance at the Business Planning for Pandemic Summit, a national summit with a participation of more than 250 attendees representing 195 organizations and 40 states. Hosted by the Center for Infectious Disease Research and Planning (CIDRAP) at the University of Minnesota, the summit provided an opportunity for companies from industries in all sectors to come together and discuss the threat of an avian flu pandemic.

Attendees heard presentations that addressed legal, healthcare, infrastructure, human resource, transportation and government support issues that affect companies in all industries. Across the two-day meeting, participants were given the chance to discuss specific industry needs and begin plans for continuity during an influenza pandemic.

Alarmingly, 53 percent of participants feel the government is not well-prepared. As such, 76 percent say that social unrest and disruption will occur if a pandemic does occur. In the event of a pandemic, it will be imperative to public health and order to develop effective and timely influenza plans. As the nation learned in the cases of 9/11 and Hurricane Katrina, the government, on both state and federal levels, needs to be prepared for a worst-case scenario situation, or else it will inevitably be unprepared.

The summit was designed to enable business leaders, government officials, business-related organization officials and media to identify their roles and responsibilities in defining and executing a preparedness plan. In doing so, these leaders focused on critical risk assessment and mitigation, public policy, legal, supply chain and human resource planning for business continuity during a pandemic.

Featured speakers included Michael Leavitt, the U.S. Secretary of Health and Human Services, Michael Osterholm, the Director of CIDRAP, Ted Koppel, former anchor and managing editor of Nightline and ABC News, and Tommy Thompson, the former U.S. Secretary of Health and Human Services.
Surprisingly, most of these participants, who are heavily associated with government functions, seemed disheartened by and weary of the government’s avian flu preparedness.

According to Arne Carlson, the former governor of Minnesota, “We have not seen an acceptable government response. We only have the ability to handle tragedies with good leadership. The leadership needs to get out in front and say, ‘Here’s what affects us. Here’s how much it costs.’”

Similarly, Osterholm says, “SARS happened in the speed of hours/days and that was a smaller scale than this. This could happen overnight.”

Seventy-three percent of participants felt that government intervention would have a major impact on their business. Accordingly, 67 percent felt that developing relationships with state and local officials at this time would be essential to offsetting the detriment that a pandemic could cause; however, only 15 percent of respondents and their organizations had actually contacted the government on the issue surrounding a national pandemic. This signals that not only the government, but also organizations and citizens need to actively engage in defining and executing a pandemic preparedness plan.

As Carlson says, “It’d be wonderful if everyone could go home after this conference and write a letter to both the President and then the governor of their state, asking them for these answers.”

The IAMC (www.takeyourmedicine.org) is currently partnering with FLAVORx Inc. to provide actionable and feasible solutions to encourage and ensure that Americans take their medicine properly. By offering a scientifically tested and specifically developed medicinal flavoring to combat the bitter taste of antiviral drugs such as Tamiflu®, children and adults alike will be able to swallow liquid medications without struggle. Studies show that children are highly susceptible to infection, with about 45 percent of school-age children catching influenza during an epidemic. Children, then, play a significant role in viral transmission and spread of infection. For an extremely minimal cost, government officials will be able to stockpile flavorings to guarantee near 100 percent medicinal compliance, thereby preventing the emergence of resistant flu strains, persistent symptoms, harmful side effects, and even mortality as a result of taking medication improperly.

— IAMC

SURVEY REVEALS MORE THAN HALF OF SECURITY PROFESSIONALS MANUALLY UPDATE SECURITY SETTINGS
IT security professionals are spending unnecessarily large amounts of time to manually update security setting configurations, according to a recent survey conducted by San Diego, Calif.-based St. Bernard Software, a provider of security solutions. The result is increased vulnerability to known avoidable exploits.

In a recent survey of 233 IT security professionals, 52 percent of respondents said they still manually update security settings. The poll also found that 25 percent of respondents don’t have a way to manage security settings, leaving companies vulnerable to serious network threats and liabilities. Other findings from the survey revealed that 48 percent of companies do not have a policy in place for managing security settings.

According to the System Administration, Network and Security Institute (SANS), because of the many complex settings required to administer Windows, it is highly susceptible to security breaches. Yet the task of successfully performing settings management typically requires hours of tedious, proactive research, through hundreds of pages of documentation issued by Microsoft, NIST, NSA and other security experts.

With this in mind and the results from its recent survey, St. Bernard Software reminds organizations that unless security settings are updated regularly and configured properly, they are leaving their networks and machines in jeopardy.
“Knowing that 25 percent of IT security experts have not specifically addressed security settings management is a great concern. Hackers and virus writers are becoming more sophisticated by the day, and companies must stay on top of security settings, or they are leaving their network wide open for attack,” says Steve Yin, vice president of sales and marketing at St. Bernard Software. “Although half of the respondents are, in fact, performing this critical function, they're doing so manually, which may not be the most efficient or effective process.”

— St. Bernard Software
INTERNATIONAL NEWS

SHOW ME THE STORAGE ROI: COST AND MANAGEMENT ISSUES CONTINUE TO CONCERN CIOS
Hitachi Data Systems Corporation has unveiled the results of a survey conducted amongst CIOs from the Asia Pacific region. IT costs are escalating due to increasing demands for data and information. CIOs are under greater pressure to justify IT investments based on business value rather than cost avoidance. The survey, which polled 100 respondents from China, Hong Kong, Korea, Taiwan, Singapore, Malaysia, Thailand, India, Korea and Indonesia, reveals that 64 percent of respondents said that the best thing vendors could do to support them was to build ROI assessments for their storage investments.

“Applications and the storage environments that companies depend upon have become critical drivers of business processes and decisions that impact organizational growth and profitability,” says Michael Cremen, senior vice president and general manager, APAC, Hitachi Data Systems. “At the same time, CIOs are challenged with the task of justifying their IT investments.”

Cost and management issues continue to be a concern amongst IT leaders within organizations in the region. Going into 2007, 45 percent of respondents indicated reducing storage management costs as a key challenge they would like to address, while 38 percent of respondents believe that ensuring their IT infrastructure will meet business needs will continue to be an important focus for the coming year.

The following are some of the business issues which will be of focus, and CIOs will be trying to balance these requirements while managing costs:

Business continuity: Every CIO fears the potential loss of company data, and, as a result, revenue in the event of an emergency. Ensuring all files are backed up and kept safe in a separate location is of paramount importance, and this will be borne out in 2007 as more and more organizations put business continuity plans into place.

Security: Regardless of industry, a company’s employee base will continue to use a multitude of applications. It is the CIO’s responsibility to ensure the data supporting these applications is secure but still easily accessible when needed. With increasingly strict rules governing data security and penalties for improper management, achieving the balance between security and usability is going to have a place near the top of the priority list.

Increase in regulation: The number of regulations companies must comply with is multiplying, creating exponential growth in the amount of data that needs to be stored. This is an opportunity for companies to mine and manage their most important assets.

As companies continue to leverage technology to meet business needs, gearing up the company IT environment will continue to be of importance. According to the survey, 38 percent of respondents believe that the convergence of technologies will have the biggest influence over storage growth in the next three years. In addition, 39 percent of the respondents believe that in the next three years, the biggest concern of CIOs will be to manage increasingly complex IT environments with minimal resources. This is especially true with the increased use of various technologies from different vendors, as well as shrinking IT resources.

Within this context, 42 percent of respondents believe that an important factor influencing business success is the interoperability of technologies from different vendors, while 23 percent think that adopting a centralized approach to management as well as a future-proof IT infrastructure are equally important factors.

This is especially crucial as the trend for mergers and acquisitions among companies across a range of industries is likely to continue in 2007. This adds complexity as CIOs integrate the different IT infrastructures. Using a vendor which offers common management across heterogeneous storage devices will help in this instance. It will also alleviate the problem of different IT skills in the IT department which can be an inhibitor to an efficient and easy integration.

— Hitachi Data Systems Corporation

PREPARING FOR THE PANDEMIC: CME RELEASES BUSINESS PLANNING GUIDE
Canadian Manufacturers & Exporters (CME) has unveiled a planning guide for Canadian business that will help mitigate the estimated $60 billion economic impact from a pandemic outbreak.

“Canada’s business community is at risk,” says CME President and CEO Perrin Beatty. “It’s not a matter of if, but a question of when the next pandemic will strike. Many Canadian companies are not prepared and this lack of readiness may threaten their economic viability and the delivery of critical goods that depend on complex supply chain systems.”

The World Bank estimates that the cost to the global economy of a flu pandemic would be upwards of $800 billion. According to the U.S. Congressional Budget Office, the impact of a pandemic would cost up to 5 percent of the gross domestic product. Assuming Canada would be similarly affected and considering the reliance on trade, Canada’s economy could suffer by as much as $60 billion due to a pandemic outbreak – even more if the Canada-U.S. border were to experience serious difficulties.

“As a nation, we can’t afford to be unprepared,” says Beatty. “CME’s guide equips all Canadian business with tools and information to minimize the risk that influenza pandemic poses to the health and safety of employees, the continuity of business operations and the bottom line.”

The 87-page guide highlights key considerations when coping with a pandemic, including the critical elements of a continuity plan plus a summary checklist; a how-to guide to develop a continuity plan; medical precautions; and human resource considerations.

“A business continuity plan should be an essential element of any business strategy or operating procedures, as we have learned from SARS, 9/11 and even the ice storm,” says Beatty. “I cannot think of any reason not to be prepared, but 60 billion reasons why we should.”

CME’s Continuity Planning Guide for Canadian Business can be downloaded, free of charge at www.manufacturingourfuture.ca.

— CME

CAN YOU TRUST YOUR EMPLOYEES WHEN IT COMES TO SECURING YOUR BUSINESS?
Research compiled on behalf of Trend Micro, an IT security company, has found that UK computer users are more reckless in their computer behavior at work than other countries. This especially comes as a worry for the smaller sized business, as they’re often the ones that don’t have the constant presence of an IT department.

This international study has shown that UK users are more careless in their behavior when using an employer’s machine. More than half of the respondents (53 percent) rely on IT departments to rescue them should something bad happen. When asked why they were more risky and carefree with their online behavior at work than at home, 45 percent stated that they are not as worried because it’s not their computer equipment.

Pat Dunne of Trend Micro says, “Despite all the warnings, people still make avoidable mistakes and needlessly expose their PCs to computer ‘nasties’ that ultimately cause critical computers to fail. The solution is rethinking how companies warn employees about IT threats and adopting more automated defense systems that entirely bypass employees who may be the weak link.”

Illustrating how careless people can be, Trend Micro has compiled their top five of the most avoidable support calls:

1. Naked Anna: Hundreds of callers were re-infecting themselves over and over again with a virus trying to view the picture of tennis star Anna Kournikova they’d received on an e-mail. They just kept on opening the e-mail to try and get a glimpse of a saucy picture of Anna. They just wouldn’t accept that it was all a hoax.

2. IT for beginners: A customer called saying that the floppy drive was not working. When asked for the exact problem, “Is it that it does not read them? Does the drive accept them at all?” After several questions the caller replied that the problem was that the floppy disc just would not fit in the drive. He was again asked if he could check if there was another disc inside, he just replied that it wouldn’t fit in. It was then described to him the place where he had to put the floppy. And his amazing reply? “The strange thing is that the floppy is square but the tray has a round shape.”

3. E-mail a worldwide form of communication? A man who owned his own business had called to request an engineer to come out. When asked why he needed the help of an engineer, he stated that he was trying to send an international e-mail. It was explained to him that he could send e-mails to an international e-mail address just as easily as he could to people in the UK. But he just wouldn’t believe it and insisted that the engineer was there to help him within the hour.

4. What’s a computer? A woman who couldn’t access anything on her PC was asked to restart it. She said it went black. When asked to turn it back on again, she said it has come back exactly how she left it. After a few minutes of scratching heads it was determined that she was just turning the screen on and off. She didn’t know that there was another part to her computer sitting on the ground under her desk.

5. Flirty fools: When the infamous “ILOVEYOU” e-mail virus hit, the flattery approach made people do the strangest things. Even the most tech-savvy people were opening this virus again and again thinking that someone had sent a flirty message to them.

— Trend Micro Inc.
  • 14. 14 | CPM-GA March 2007 If the key to a successful exercise starts with organization, then the design must strive for expected results. The Exercise Requirements Matrix, built and described in Part I of this series (February CPM-Global Assurance) outlined what types of exercis- es to perform, a suggested schedule for completing the exercises throughout the year, each of the design teams that need to be involved in designing an effective exercise and how to use a doc- ument template to store all the pertinent exercise information. This article, Design for Results, will explain how to: (1) work with a design team; (2) plan to meet exercise goals and objec- tives; and (3) create a realistic scenario. STEP 1: UNDERSTAND THE EXERCISE TEAM The exercise team is made up of several sub-teams and individ- uals to ensure the exercise’s success. Each exercise you conduct may have all or some of the following roles and responsibilities: Exercise Facilitator: Someone from the business continuity pro- gram office should facilitate the exercise and should meet with the design team to formulate the details of the exercise, as well as invite Taking the Fear Out of BC Exercises: A Blueprint for Success Part II: Design for results By Telva Chase and interact with all participants prior to the exercise, if necessary. The facilitator is responsible for the pre-exercise briefing where the rules of engagement are outlined and all participants are given an opportunity to ask questions and feel comfortable with the proceedings. The facilitator will observe the exercise and will not stop the exercise unless there is a major issue with how the exer- cise is going. The facilitator runs the show, answers questions, pro- gresses “time” and keeps things moving. Exercise Assistant: The exercise assistant is critical to a smooth exercise. The best person for this position is usually an administra- tive assistant residing in the facility where you are conducting the exercise. 
They are responsible for reserving the room(s), ensuring appropriate audio-visuals are available, making copies of exercise documentation and ordering lunch, snacks and drinks. The assistant is also responsible for running messages between the simulation team and the recovery team rooms. Use your assistant in any way that makes sense: scribing during the debriefing, passing out cue cards or messages, etc.

Recovery Team: The recovery team consists of the local incident response team or emergency response team members who have responsibility for critical corporate areas (human resources, editorial, product management, IT, sales and marketing, legal, etc.) and have been trained in incident management, occupant emergency preparedness and have a business continuity or disaster recovery plan. The recovery team can be as large (groups of 40 or more are difficult) or as small as necessary (five to six employees). Even for a drill, you may want to exercise the entire building, or just a division or department.

Always invite executive and senior management teams to participate. After an exercise, they often become the greatest supporters of the business continuity program. During the exercise they may or may not take an active role in the response/recovery, but it really depends on the corporate culture and natural leaders who are present. The design team can always “write someone out” of the exercise, but it’s nice to have them observe, even if they aren’t participating. You have to determine where to draw the line for participation. In some companies, it is at the director level (directors and above participate and only in abnormal circumstances do they have someone below the director-level participating).

Design Team: The design team is comprised of one staff member from each of the critical corporate areas (with a maximum of five to six participating) and will have the responsibility of designing the exercise in its entirety. They will also delegate and recruit evaluators and other members for the simulation team. The design team meets on average once a week for the four weeks leading up to the exercise and documents all meetings in the design document.

Simulation Team: The simulation team consists of the design team plus any other team members they delegate and recruit during the planning of the exercise.
The simulation team role-plays or simulates any internal or external person that the recovery team might contact during the exercise. Because some businesses span across geographical locations, it is necessary to identify internal corporate resources that will participate in the exercise. In many cases you may want to exercise many locations at the same time that make up the same strategic business unit. This team “drives” the scenario and releases information as planned, to ensure that the recovery team responds to situations appropriately. The simulation team releases information to the recovery team by delivering messages, visiting recovery team members, phoning in messages or playing pre-recorded TV and radio announcements.

Observation Team: The observation team is made up of two or three observers or evaluators who can objectively observe and take notes during the exercise. They should be very familiar with the incident management, occupant emergency, business continuity and disaster recovery plans for that specific location. They are also briefed prior to the exercise during an orientation where expected results are discussed. The observation team is given a clipboard with prepared scenario simulation times, events, expected responses and room for making notes. If the exercise spans more than one location, a team in each location will need to be defined. The observation team provides feedback immediately following the exercise during the exercise debriefing.

STEP 2: MEET WITH THE DESIGN TEAM

Different types of exercises require different amounts of planning time. Part I of this series explained suggested planning times. For example purposes only, the following shows how to design an exercise that will require one month (or four weekly meetings). It is suggested that each meeting only last one hour.
Meeting 1: Identify Goals, Objectives and Participants

Start the planning process with a stated goal followed by specific objectives that support that goal. In order to exercise for desired results, you must first determine what it is you are trying to achieve. Begin filling in your exercise document template with the information discussed with the design team.

Examples of Goals:
• This exercise is to measure how personnel effectively evacuate the building following an alarm.
• The goal of this exercise is to perform a walk-through of the “plan” and discuss possibilities for response and recovery.
• The goal of this exercise is to ensure senior management know and understand all procedures for emergency management.
• The goal of this exercise is to ensure all organizations can communicate effectively during a time of crisis.
• The goal of this exercise is to test coordinated efforts between organizations during a response and recovery effort.

Ask the design team for viable candidates for the following positions: exercise assistant; recovery team; and observation team.

Meeting 2: Begin Developing the Scenario

In developing the scenario, think about threats, vulnerabilities and risks that are known as a result of performing the business impact analysis. Review written plans and identify areas for improvement. Ensure that the scenario is realistic for the location, building and its occupants. Do not plan an exercise scenario that would waste the team’s time.

Be sure to include things like date, time, weather and necessary background information. Do not leave anything for the recovery team to assume. The scenario and its messages that twist and turn the exercise must provide the recovery team with enough information to proceed with decision-making and response/recovery activities.

Start with how the recovery team finds out about the incident. Give them the sequence of events or an initial damage report or assessment. Let them know where they are at all times.
Don’t forget to “erase” people from the exercise: Who is missing? Who is still there? Are there injuries or fatalities? Has anything been communicated prior to the scenario beginning? Create a list of assumptions and artificialities and document them in the exercise document.

It is suggested to create a table for the scenario and a timeline that will “drive” when and how the different segments of the scenario will be fed to the recovery team. Suggested column headings include:
• Segment #: This could be a letter or number
• Real Date and Time: Date of exercise and time (to progress the clock)
• Simulated Date and Time: This is announced before each message
• Message: The next “piece” of the scenario
• Delivered How: Announced, phone call, radio, TV, in person
• Delivered By: Simulation team member name

Ensure at this point in time that facilities are available to use, and they have been reserved.

Meeting 3: Finalize Scenario and Initial Simulation Walk-Through

This will be the second session to discuss with the design team all the details of the scenario. All participants should be identified by now. The exercise goal, objectives, assumptions, artificialities and details about the scenario should be completed by the end of this meeting.

Go through the scenario with the design team and identify all external parties that the recovery team will most likely contact during the exercise. Create a “communications directory” and document it in the exercise document. Assign “roles” for everyone on the communications directory and include only the cell phone numbers of those role-playing on the simulation team (no need to include their real names).

Meeting 4: Finalize Scenario, Logistics and Communications Directory

Ensure that rooms are reserved, lunch and/or beverages are ordered and that any audio-visual materials are reserved and available.

As time nears the exercise date, some participants may notify you they won’t be able to attend for various reasons. If you’ve written segments that affect them individually or you are expecting a certain response from them, you may need to “adjust” the scenario slightly to make things work out.
Re-read the scenario and ensure that the activities meet or exceed the objectives and that the goal will be obtained. Ensure that the design/simulation teams are comfortable with their roles and responsibilities, and ensure that cell phone numbers listed in the communications directory are correct. Nail down last-minute issues that have arisen, if any. Walk through the scenario one last time with the simulation team to ensure that everything is in place and the scenario is well understood.

STEP 3: PREPARE EXERCISE DOCUMENTATION

Several handouts will be needed during the exercise. The Exercise Document that has captured all of the exercise details will be used to create most of these handouts. You cannot distribute the Exercise Document as is, as it contains the entire scenario.

Simulation Team Handout (including full scenario and timings/messages)

The simulation team will need a handout to follow the scenario closely with a clock. They will be responsible for handing out messages, making “guest” appearances in the recovery room and making phone calls to add additional information for the recovery team. This document needs to have full details of the scenario.

Observation Team Form (including full scenario and expected responses)

The observation team form can be identical to the simulation team handout with one exception – it also needs to outline expected responses. If the observers are not entirely familiar with a plan that is being exercised, you can help them by giving them a cue so they know what to look for.

Recovery Team Guidelines

Create a recovery team guidelines handout that is derived from the following sections in the exercise document:
• Location to be exercised
• Date and time
• Scope of exercise
• Artificialities
• Assumptions
• Scenario (only up to the point where you wish the exercise to begin)
• Instructions to participants (rules of engagement, if you will – set expectations!)
• Communications directory

Other handouts (as necessary) include:
• Name tents or name tags if the exercise is large. Also use name tags for simulation team members role-playing someone other than themselves.
• Cue cards – if you need to advise a recovery team member of something and you don’t want everyone receiving the information, use 3x5 cards to print messages for them and hand them out at the appropriate times in the scenario.
• Messages – if you are handing messages out, or if you are having them read out loud, it would be easier if they were printed, one message to a page that can be shared as a reference with the recovery team.

STEP 4: HOLD PRE-EXERCISE ORIENTATION

Schedule a pre-exercise orientation meeting with the simulation team (if needed), the observation team and the exercise assistant. It’s best to schedule these meetings just prior to the exercise, or the day before, for a couple of reasons. If you hand out the complete scenario to the observation team prior to the exercise, they may be tempted to “share” it with their co-workers involved in the exercise. You also want the review to take place just prior so that the information is fresh in their minds.

Simulation Team Orientation
• Provide the team with hard copies of the scenario and expected actions and scripts for each “role” they are playing.
• Walk through the exercise and messages one last time with everyone.
• Ensure that the room reserved for the simulation team during the exercise is adequate. Walk through the room with the simulation team and answer any questions.
• Ensure that any extra materials or equipment are scheduled to arrive in time for the exercise (flip charts, projectors, etc.).

Observation Team Orientation
• Provide the team with hard copies of the scenario, timing and expected responses by the recovery team.
• Explain logistics and roles and responsibilities.
• They will need a checklist that provides them with expected results for each piece of information driving the scenario. Providing them with the same document as for the simulation team will work, as long as you explain to the observation team what they are to be observing and measuring.

Exercise Assistant Orientation

You may or may not want to provide the exercise assistant with a detailed scenario. Explain their role and responsibilities and provide enough information for them to perform their job without having to interrupt the exercise. If the recovery team needs to eat a meal during the exercise, for example, ensure that the assistant knows when the food should arrive, by whom, and where it is to be set up.
If you want the assistant to deliver messages to the recovery team throughout the exercise, they will need to have a copy of the timings and scenario components, the messages typed up and ready for distribution, etc.

Having done all the advance design work for the exercise, you are finally ready to conduct the exercise. Don’t miss Taking the Fear Out of BC Exercises: A Blueprint for Success, Part III: Exercise with Confidence, in next month’s issue of CPM-Global Assurance, which will outline how to set the tone, develop guidelines, conduct and evaluate the exercise.

About the Author

Telva Chase has more than 27 years of software engineering and seven years of full-time BC/DR experience. In 2002 she created and currently is the director of the business continuity program office for Thomson Scientific & Healthcare (www.thomson.com). Questions and comments may be directed to editorial@contingencyplanning.com.

GlobalAssurance EVENTS CALENDAR 2007

March

14-16: Do-It-Yourself Business Continuity Management Course
Singapore
www.bcpasia.com

23: Business Continuity Management Seminar
Hong Kong, China
www.bcpasia.com

25-27: Continuous Availability Summit 2007
Loew’s Royal Pacific Resort at Universal Orlando; Orlando, FL
www.stratus.com/summit

25-27: European Security Conference
Berlin, Germany
www.asisonline.org

26-28: Do-It-Yourself Business Continuity Management Course
Beijing, China
www.bcpasia.com

April

22-25: Strohl Systems User Group Conference
JW Marriott Desert Ridge Resort & Spa; Phoenix, AZ
www.strohlsystems.com

24-25: Freedom of Information Conference
Jurys Great Russell Street Hotel; London, UK
www.foiconference.co.uk

25-27: Do-It-Yourself Business Continuity Management Course
Manila, Philippines
www.bcpasia.com

May

22-24: CPM 2007 WEST
The Mirage; Las Vegas, NV
www.contingencyplanningexpo.com

July

8-11: World Conference on Disaster Management
Toronto Metro Convention Centre; Toronto, Canada
www.wcdm.com

September

12-13: Dealing with Disasters Conference
School of Applied Sciences, Northumbria University; Newcastle upon Tyne, England
Graham Thompson: graham.thompson@tees.ac.uk
Are We Fully Prepared?
Identifying pitfalls of business continuity planning
By Mark Chussil

On Sunday, Aug. 28, 2005, the day before Hurricane Katrina hit New Orleans, President George W. Bush was briefed by Max Mayfield, director of the National Hurricane Center, and Michael Brown, then director of the Federal Emergency Management Agency (FEMA). They warned him about what could happen in the future. A subsequent videotape shows the president assuring local officials that “we are fully prepared.”

As events demonstrated, we were not fully prepared. Yet the President was willing to go on record saying that we were. Politics, perhaps. Being misunderstood or misinformed? Maybe. But at least some of the people involved genuinely believed that we were fully prepared.

We often ask – especially after a disaster – how we can hold people more accountable or get rid of those incompetents who failed to implement the plan. But maybe, to quote former Intel CEO Andy Grove, “That is not the right question.” Maybe the right question, therefore, is why did people believe we were prepared when we were not?

In business and government, we build plans and then we trust them. “We are fully prepared” generally means “we have a plan, we have the resources required by the plan and we have trained our people to execute the plan.” Talented, dedicated people work hard to make great plans. Those plans always work … on paper. After all, if we thought the plans wouldn’t work, we wouldn’t call them our plans.

So what goes wrong? Why do strategists write growth plans with wondrous forecasts and spreadsheets only to have their businesses shrivel? They fail to anticipate or respond effectively to competitors’ moves, as in the slow, painful decline of the American automobile industry. Why do government agencies, following their plans, buy hardware and drill emergency responders, only to see citizens suffer and die in a disaster? The agencies fail to communicate and coordinate, as was the case with Hurricane Katrina.

CONFIRMING PROBLEMS IN PLANNING

What goes wrong, in part, is the process of planning itself. The process of planning unintentionally leads to failures to anticipate, respond, communicate and coordinate because the process of planning unconsciously makes us overconfident in the plans. It’s not that the process of planning is bad, and it’s emphatically not that the planners are bad, it’s that the process often doesn’t go far enough.

In planning, we develop a sequence of steps to follow in a given situation. We refine and communicate the sequence by writing it down – in detail – and we test and teach it by rehearsing it in drills. When we’re done, we believe we have validated the plan. We believe the plan, and we believe that we are prepared.

What we do in that process is implicitly focused on so-called “confirming evidence.” Each time we write down tasks and procedures that will make the plan work – and each time the rehearsal works – we feel more confident that the plan will work. When we believe the plan will work, we stop questioning it.

As humans, we tend to seek, retain and apply facts consistent with our beliefs.
We tend to discredit or avoid information that conflicts with our beliefs. Sometimes, we even stop listening. (When’s the last time you read a book by an author with whose views you expected to disagree?) Unfortunately, like the belief that we were fully prepared for Katrina, some sincere beliefs are simply not true.

CALIBRATION AND FEEDBACK

Social psychologists use a concept called calibration, which refers to the match between confidence and accuracy. How it’s measured is beyond the scope of this article. But suffice it to say that weather forecasters are well-calibrated because, for example, when they say there’s a 70 percent chance of rain, 70 percent of the time, it rains.

We stop seeking information, studies, ideas or tests when we’re confident we’ve got enough. When we’re accurate and we do have enough, that means we don’t need more and it’s appropriate to stop. The problem occurs when we are inaccurate. High confidence with low accuracy means we stop too soon. That’s what happens with the plans we believe will work because they worked on paper and in rehearsals. That probably contributed to officials proclaiming, confidently and accurately, that we were prepared for Hurricane Katrina.

According to Professor Scott Plous of Wesleyan University, Middletown, Conn., “The most effective way to improve calibration seems to be very simple: Stop to consider reasons why your judgment might be wrong.” In other words, look for disconfirming evidence.

Professors Jay Russo of Cornell University, Ithaca, N.Y., and Paul Schoemaker of the University of Pennsylvania, Philadelphia, say we can improve calibration by providing timely, accurate feedback. Learning from timely, accurate feedback gives weather forecasters an “enviable record of reliability.”

How can we provide timely, accurate feedback for those we have entrusted with safeguarding our communities and industries? How can we encourage them to search for disconfirming evidence?
How can we help them work around the shortcomings of the planning process?

FAIL SAFETY

In an introductory psychology course in college, we joked about a concept called “one-trial learning.” In one-trial learning, you imagine a rat being placed at the base of a T-shaped maze. If the rat runs one way when it gets to a T intersection, it gets a piece of delicious cheese. If it turns the other way, it gets a fatal electric shock. The rats that make the right choice learn in just one try.

Of course, there’s no real learning. It’s luck, jazzed up with imaginary academic sadism. But in concept, it’s not so different from on-the-job training.

In real life, we don’t want to risk one-trial learning. Taking the wrong turn in a real-life T-shaped maze means real people get hurt. What we want is the opportunity to fail – and learn – where it’s safe. In effect, we want many-trial learning in which we replace the cheese and the fatal electric shock with timely, accurate feedback. The feedback, especially from failures, provides disconfirming evidence and the opportunity to discover and repair flaws in plans before they do us any real harm.

Make it safe to disagree. People sometimes feel reluctant to contribute disconfirming evidence or dissenting opinions, particularly in politically charged decisions. It’s critical, though, to draw them out. So, do things differently. Close the doors. Allow anonymous feedback. Reward the contributions, even if they’re uncomfortable. Let people role-play.

Change how ideas are presented to decision makers. A.G. Lafley, CEO of Procter & Gamble, “always asks managers to give him two different approaches and present the pros and cons of each” before he makes a decision. Ask for reasons why it will work and reasons why it won’t.

Look outside your agency or industry. Think differently by putting on someone else’s hat. Imagine, for instance, what Rudy Giuliani, Steve Jobs, Sir Winston Churchill, General George Patton or Steven Spielberg would do with the challenges you face. Look for insight to industries, such as software and microprocessor engineering: They do rigorous code reviews and succeed at making the most complex stuff in history work.

Ask strange questions. What would it take to improve performance not 10 percent but tenfold? What could we do that would make customers or citizens happy even if it costs more money? What has to happen for our plan to work (e.g., the electricity stays on, we have police protection, there’s enough gasoline), and what would we do if one or more didn’t happen?

Keep asking “what if?” Asking “what if?” reveals the chaos, surprises and uncertainty you’ll face in a real crisis. What if critical people aren’t on the scene? What if you have to carry out the plan in the middle of the night or during a snowstorm with the power out? What if senior leaders aren’t able to communicate?

Conduct simulations. By their very nature, simulations provide timely feedback and disconfirming evidence. They make it very difficult to succeed simply because you want to succeed or because you believe your plan will work. You’ve got to take action, coordinated with others on your team and within the bounds of available resources. Good simulations stimulate high-impact, out-of-the-box, we’ve-got-to-do-something thinking while there’s still time. Moreover, you can repeat the simulations with different people or with different settings to get many-trial learning.
This is the path to before-the-job training.

You wouldn’t certify an aircraft as airworthy just because it flies smoothly in a wind-tunnel rehearsal or in a clear-skies drill. You also want to demonstrate that it will fly safely in a bad storm or when an engine fails. Stress-testing your plans helps you make them crisis-worthy. Then you can say confidently, and accurately, that you are prepared.

About the Author

Mark Chussil is a founder and senior director of Crisis Simulations International (CSI) LLC and is a founder and CEO of Advanced Competitive Strategies Inc. (ACS). He designed CSI’s DXMA™ crisis simulator (patent pending) and ACS’ award-winning ValueWar® business simulator. Questions and comments may be directed to editorial@contingencyplanning.com.

References
1. The Wall Street Journal, March 3, 2006.
2. “The Education of Andy Grove,” Richard S. Tedlow, historian at the Harvard Business School, Fortune, Dec. 12, 2005.
3. The Psychology of Judgment and Decision Making, Scott Plous, McGraw Hill, 1993, page 228.
4. See Decision Traps, J. Edward Russo and Paul J.H. Schoemaker, Simon & Schuster, 1989, pages 98-102.
5. National Public Radio, Jan. 6, 2006.
6. “Rewarding Competitors Over Collaborators No Longer Makes Sense,” Carol Hymowitz, The Wall Street Journal, Feb. 13, 2006, page B1.
GlobalAssurance PRODUCTS

INFORMATION SECURITY E-MAIL SOFTWARE

Los Angeles-based SearchInform Technologies Inc.’s newly released MailSniffer provides information security and prevents the leakage of confidential information. SearchInform MailSniffer RC intercepts all e-mail traffic on the network protocol level, indexes the intercepted messages and enables the user to search through them, with access to all sent and/or received messages on a given computer. Users can conduct quick, quality full-text searches with due consideration to stemming, thesaurus and word location in a phrase. The search is conducted through all incoming and outgoing correspondence, not only in the body of the letter but also in its attributes and even in the contents of attached files. All intercepted information gets indexed and stored in the database, so that even if a message is deleted from the mail client, its contents will still be available for search. When viewing the history of correspondence between two people, MailSniffer displays it in chronological order for the user’s convenience. Features include previewing correspondence history with one recipient; full-text search in messages and attached files with due consideration to stemming; control over employees’ correspondence; and user access rights differentiation.
www.searchinform.com

INTELLIGENT STORAGE ROUTER FOR BC, DR APPLICATIONS

QLogic Corp., Aliso Viejo, Calif., a provider of fibre channel host bus adapters, stackable switches and blade server switches, has announced that information management and storage provider EMC Corporation, Hopkinton, Mass., will expand its resale of QLogic® Network Platform products to include the new QLogic SANbox® 6142 intelligent storage router, now available through the EMC® Select Program. In addition, selected QLogic host bus adapters and switches are also offered through the program.
The SANbox 6142, qualified as EMC E-Lab™ Tested with EMC CLARiiON® networked storage systems, features SmartWrite wide area network optimization technology for business continuity and disaster recovery solutions requiring remote mirroring of data. The 6142 features SmartWrite, the QLogic patent-pending technology for accelerating and bridging SANs over WANs, and provides SAN-over-WAN connection infrastructure for EMC MirrorView and EMC SANCopy to support disaster recovery, replication and volume copy services over WANs. Using SmartWrite’s Layer III (SCSI layer) routing, the SANbox 6142 is able to perform SAN bridging over WANs without having to merge SAN fabrics. SmartWrite eliminates double addressing of SAN devices required by iFCP; eliminates the need to have unique names on each SAN; and leverages the WAN resources for resiliency and encryption.
www.qlogic.com

DISASTER RECOVERY SERVICES FOR GOVERNMENT AGENCIES

Basking Ridge, N.J.-based Verizon Business’ Voice Continuity disaster recovery service is now available to federal customers under the U.S. General Services Administration’s Washington Interagency Telecommunications System (WITS) 2001 contract for federal agencies within the Washington, D.C., metropolitan area. The services have been available since 2005 to other federal government users to purchase from the GSA’s Federal Telecommunications Service (FTS) 2001 contract and are available to state government customers. These services, offered in conjunction with TeleContinuity Inc., Rockville, Md., help federal and state government agencies meet continuity of operations planning requirements. In the event of an equipment failure, natural disaster or building evacuation, the voice continuity option provides the capability to reroute calls to maintain telephone service to virtually any location and device, including wired or wireless phones, desktop or mobile computers and personal digital assistants.
Verizon Business identifies potential risks and exposures, including router or hardware failures, cable cuts, power and network outages, natural disasters and acts of terrorism; provides an analysis of costs and benefits of potential mitigation measures; and tests the solution. The technology links the public switched telephone network with the Internet to create a seamless system for voice disaster recovery. Users activate the voice continuity service when they anticipate or are experiencing an outage. Upon activation, users can choose the device and location where calls will be rerouted.
www.verizonbusiness.com

DISASTER RECOVERY, FAULT-TOLERANT SOLUTION FOR SMALL FACILITIES

Dataprobe, Allendale, N.J., a manufacturer of technology solutions for networking systems management, has released the K-3 Series, a new line of redundancy switches that provides up to three A/B switches in a 1U rack-mount chassis. It is optimized for remote sites and distributed systems that want to construct high-availability, fault-tolerant communications. K-3 provides physical layer switchover of communications circuits for line protection and equipment redundancy applications. Small remote sites provide mission-critical operations and have the same availability requirements as data centers. The new K-3 is a redundant switching system designed to address these challenges by ensuring maximum uptime for critical communication circuits. It includes automatic and remote control capabilities. Users can control up to three A/B switches in either independent or gang switch arrangement. The K-3 can be controlled via Web, Telnet, SNMP, etc., making the system accessible from any network location, while the chassis provides for one internal A/C or D/C power supply, with the option for dual redundant power in an external supply.
www.dataprobe.com