Posts in The ‘Business Continuity’ Category

It’s a Dog’s Life When it Comes to Business Continuity Development

Thursday, November 17th, 2011

Dogs teach us many lessons in life (cats do too … however this article favors my canine companions). They teach us patience during their puppyhood, tolerance during their adolescence, leadership during their adulthood, and appreciation during their senior years. Each lesson plays a vital role in building a successful business continuity (BC) program. Let’s take a closer look…

Business Continuity is not an activity that typically produces immediate results or payback in terms of investment (unless a disaster strikes immediately after you have developed your program). It takes time to build relationships and reap the rewards that are possible as one becomes a trusted business continuity advisor. Some organizations don’t develop business continuity programs because they perceive this time as not well spent since they can’t see the immediate results. Big mistake, if you ask me.

Alternately, some give up on building a BC program too soon because they lack the patience to develop solid relationships. I believe patience is critical when developing a BC program. If I had not had patience with my puppy 15 years ago (and trust me, I needed a lot), imagine what I would have lost. Now imagine what you could lose if you don’t practice patience as you build your business continuity plan.

Tolerance is the recognition of and respect for the opinions, beliefs, and actions of others. The business arena is filled with a variety of different people, personalities, and perspectives. Yet it’s natural to surround yourself with people most like yourself. However, adding diversity to your internal sponsors and client base could open up amazing opportunities. Stretching outside your comfort zone to meet people different than you could expose you to people and organizations you might not have otherwise met. Diversity is a major key to your networking and program management success and it requires tolerance to allow the opportunities to unfold. It was tolerance that allowed me to fully respect the natural tendencies of the German Shepherd I had selected to be a part of my family.

To some degree, I believe there tends to be a leader and a follower in every relationship. In the human/dog relationship, all you have to do is watch an episode of The Dog Whisperer to see the results when the dog claims the leadership role.

Business relationships are no different. Leaders model the behavior they wish to see in others and guide behavior in a positive manner. Leaders take ownership and accept responsibility and they know how to delegate and hold themselves and others accountable. Accountability for your own success in developing a business continuity program is the first step to achieving success.

I’ve heard it said that we appreciate things more after they’re gone. Surely, I appreciated Buddy while he was alive; however, after he was gone, I truly began to appreciate all the little things much more, especially the amount of joy he brought into my life.

How often do you stop and truly appreciate the people in your company or network that work on your behalf to help you reach your business continuity goals? How do you show that appreciation? I believe that one of our basic human needs is to feel appreciated. When you take the time to appreciate those that help you, you’re making an investment in that relationship. The more investments you make, the stronger the relationship becomes and the closer you get to becoming a trusted advisor; the stronger the relationship, the stronger the inclination for the customer to help you and vice versa.

There’s one thing that makes a dog truly special — unconditional love. A canine companion loves you unconditionally, without hidden agendas. We owe it to our organization and/or clients to be the kind of person our dog thinks we are. We owe our internal and external network sincere gratitude and appreciation on a consistent basis.

In the end, Buddy taught me a great lesson in focus.  Focus was the only thing that got me through the passing of a wonderful pet.  Focused, strategic consulting is what gets you the results you want. It takes you to the right places and introduces you to the right people. 

Business continuity program development is all about these lessons mentioned here: patience, tolerance, leadership, appreciation and focus.  Take a look at what you are doing in the area of business continuity development and don’t be surprised if you are truly leading a dog’s life.

Patrick R. Dunn, CBCP, CISSP
Practice Manager – Disaster Recovery & Business Continuity

Is your data center ready for a disaster?

Tuesday, September 20th, 2011

If you are like most employees at a medium-large sized business, you assume that your company’s data center is always going to be there and supplying your necessary applications, data and reports on a daily basis.  But what if you decided to peel the layers of the onion back and peek beneath the surface?  What you find might surprise you.  

Recent disasters such as Hurricane Irene, Texas wildfires, Mid-Atlantic earthquakes, tsunamis, and tornadoes all highlight the need for a comprehensive and tested disaster recovery plan, but most plans are an “all or nothing” scenario, meaning the entire data center must be unavailable before declaring a disaster. This scenario does not look at individual component failures — the most common problems that escalate into a full blown disaster declaration.

Has your company looked at its data center infrastructure and vulnerabilities to address issues that may prevent a disaster declaration and enhance day-to-day or operational recovery? In some cases there is nothing you can do to prevent a declaration: a direct hit from a tornado, major flooding, earthquakes, etc. But in many cases a vulnerability analysis of your data center will uncover specific actions that can be taken to prevent a localized outage from becoming a full blown disaster.

So how do you prepare a data center for a disaster incident?

First – Conduct a Vulnerability Assessment of the data center. Five basic questions to ask are:

  1. Are you storing paper and boxes in the data center?
  2. Are your networking cables labeled?
  3. Have you looked at your data center from a power and capacity standpoint?
  4. Is physical access to the data center limited?
  5. Does the data center have heat, smoke, water sensors?
  6. Are there data security policies and procedures in place?
  7. Is the location of your data center conducive to continued operations or is the data center in a major hazard area?

You definitely need a comprehensive set of procedures for the infrastructure and for the applications. Each component, or group of components, usually has support infrastructure, and generally speaking, there’s a person or group responsible for that. So the servers are going to be under the server group, or the virtualization group, or both. All of these are generally working under an infrastructure group or an operations group, but come a major disruption, there’s a dotted-line relationship for disaster recovery management. And that kind of governance clearly needs to be spelled out, who is in charge, who makes the decision, what you do, and what sequence you do it in.

Of course there is much more to ensuring your data center survives a disaster,  but this should give you a jump start in reviewing your data center vulnerabilities.

Patrick R. Dunn, CBCP, CISSP
Practice Manager – Disaster Recovery & Business Continuity

Five Strategies For Business Survival

Sunday, September 18th, 2011

Business owners invest a tremendous amount of time, money and resources to make their ventures successful, yet emergency planning may get placed on the back burner in the face of more immediate business concerns.

At some point, your business will be disrupted by either a man-made or natural disaster; it’s not a matter of if, but when. Disaster recovery planning is vital to the longevity of the business.

Natural disasters like hurricanes, tornadoes and floods are particularly tricky to plan for because they can strike randomly and sometimes repeatedly in the same geographic location.

So how would a business survive such extreme threats?  Here are a few leading practices and strategies to help:

  1. Awareness:  A critical activity of Business Continuity actually occurs before the crisis. Informing and educating employees about programs, threats, expectations, accepted behaviors and actions will increase the likelihood that the intended response to an emergency will be achieved by making these situations at least a bit more familiar by way of repetition.
  2. Compliance:  Compliance with building code safety and frequent building code inspection checks are imperative to ensuring that your building is as safe as possible. The same method should be applied to information technology. Extreme caution should be taken when it comes to protecting your most valuable business resources.
  3. Redundancy: A variety of sources for accessing information should be available. Emails, website postings, “800” numbers to recorded messages, face-to-face information sessions, newsletters, and texting are viable methods.
  4. Frequency: During crises information changes quickly. Therefore, it is important to update messages frequently. Having a pre-established update schedule will benefit your organization during the business interruption.
  5. Communications: Oftentimes at the beginning of a crisis there is a flurry of information, which then drops off. Crises can last for a while and people need different types of information from stage to stage. Maintaining communications continuity during all stages of a crisis is critical.

Patrick R. Dunn, CBCP, CISSP
Practice Manager – Disaster Recovery & Business Continuity

Business Wake-Up Call: Are You Prepared?

Tuesday, September 6th, 2011

Businesses in the Northeast are still feeling the devastating effects of Tropical Storm Irene.   Just a few weeks prior, a mild earthquake struck the Mid-Atlantic region and caused structural damage; people are still rebuilding.  And then there were the tornados striking the South and Midwest. This is your wake-up call folks! 

Were You Prepared?
How did you fare after the tragic floods resulting from Irene? Were you prepared for questions from your executives when the news came in regarding Hurricane Irene and subsequent 100 year floods?

  • Did you think to reach out to suppliers and employees in the region to begin the situation assessment? Or to stock up on needed resources before the flooding? Were you able to deliver products after the event or were there disruptions in your supply chain?
  • Did you think about engaging procurement and human resources as partners to determine the impact of the disaster and potential exposure?
  • Did you prepare to field questions from customers, business partners, and concerned family members?

Based on my experience watching organizations react to crises and other disruptive events, it’s common to see executives and those assigned Disaster Recovery and Business Continuity activities do the following:

  1. Get caught up as witnesses, watching the drama play out in the news just like everyone else, without always connecting the dots as to how the event may impact the organization’s interests. (This is where having a Disaster Recovery Plan would be of vital importance or having a person on staff whose sole responsibility is Disaster Recovery or Business Continuity Planning.)
  2. Focus (almost exclusively) on the day-to-day planning process, rather than taking an active role in participating in the response, including the situation assessment process.
  3. Fail to reference business impact analysis and risk assessment-related information in a potential crisis in order to judge possible exposure — what may be affected. (OK, so you may not have this in place, but perhaps enough of a wake-up call has been issued and now your company realizes the time is right to conduct a business impact analysis and risk assessment.)

September is National Preparedness Month.  Now is the time to either create your Disaster Recovery Plan or update your plan if you have not done so recently. Another hurricane and even more tornadoes are currently on the weather radar…don’t wait!

Patrick R. Dunn, CBCP, CISSP
Consonus Practice Manager – Disaster Recovery & Business Continuity

How to Ensure Business Continuity in the Cloud

Tuesday, June 7th, 2011

Interesting article on ensuring business continuity in the cloud. It looks at planning for failure and best practices.

After years of hype, the IT industry finally had a rude awakening this spring that reminded us that cloud computing infrastructures are vulnerable to the same genetic IT flaw that plagues traditional data center operations: Everything fails sooner or later. Here’s how to build around that.


Is your business prepared for hurricane season?

Thursday, May 26th, 2011

With all the recent focus on tornado activity, it’s been all too easy to forget about the other types of natural disasters – specifically hurricanes.

In a presidential proclamation made on May 20, 2011, President Obama declared May 22-28 National Hurricane Preparedness Week. The goal is to highlight the importance of planning ahead to protect families and secure communities and homes prior to the upcoming hurricane season that begins June 1st and spans six months.

The Federal Emergency Management Agency (FEMA) along with the National Oceanic and Atmospheric Administration (NOAA), are working in conjunction with the White House to raise awareness. According to a notice recently issued by NOAA’s Climate Prediction Center, the Atlantic basin is expected to see an above-normal hurricane season this year. NOAA is predicting the following ranges:

  • 12 to 18 named storms (winds of 39 mph or higher), of which:
  • 6 to 10 could become hurricanes (winds of 74 mph or higher), including:
  • 3 to 6 major hurricanes (Category 3, 4 or 5; winds of 111 mph or higher)

Each of these ranges has a seventy percent likelihood, and forecasts activity that will exceed the seasonal average of 11 named storms, six hurricanes and two major hurricanes.

Knowing that this year’s hurricane season is expected to be damaging, having a disaster recovery plan in place is the best approach to ensuring the longevity of your business.  Any size business can benefit from having a plan, and having one can mean the difference between continuing business and closing up shop forever. 

Take a proactive stance and start building your business continuity strategy now – Mother Nature is one woman you don’t want to mess with.

Patrick Dunn

The Difference Between Business Continuity and Disaster Recovery

Thursday, March 24th, 2011

Oftentimes, the terms business continuity and disaster recovery are used interchangeably. However, there is a definitive difference between the two and one cannot exist without the other.

Business Continuity (BC) – Think Proactive
Business Continuity is a proactive strategy to recoverability and has evolved to focus on the people side of a disaster.  Many organizations account for technical recovery but neglect the impact on the people involved. Having your systems available does no good if your people have no place to work, or no manual processes in place to get their job done.  Thus Business Continuity looks at the financial impacts of downtime (Business Impact Analysis), managing the event (Crisis Management) and Business Resumption Plans.

Disaster Recovery (DR) – Think Reactive
Disaster recovery planning, on the other hand, is a more reactive approach to recovery and has evolved to focus on the data center/information technology aspects of an organization. In essence it is the technical recovery side of a “disaster” — the recovery of systems and applications that enable the business to continue to operate. DR is the factor that makes the critical difference between the organizations that can successfully manage crises with minimal cost, effort and maximum speed versus those that are left picking up the pieces for untold lengths of time at whatever cost providers decide to charge (i.e., organizations forced to make decisions out of desperation).

Detailed disaster recovery plans can prevent many of the headaches experienced by an organization in times of disaster. By having practiced plans, not only for equipment and network recovery, but plans that precisely outline what steps each person involved in recovery efforts should undertake, an organization can improve recovery time and minimize disruptive downtime.

Today’s best practices dictate that companies establish a Business Continuity Program that encompasses both technical and business recovery programs.  The technical aspect is handled by IT and is called Disaster Recovery.  The business side carries the moniker Business Continuity.  Both are required components of a comprehensive recoverability strategy.

Patrick R. Dunn, CBCP, CISSP
Practice Director – Disaster Recovery & Business Continuity

Don’t Forget Snow and Ice Plans in Your BC/DR Strategy

Thursday, January 13th, 2011

It’s only January and areas of the Northeast have experienced Snowmageddon I and II. And in the Atlanta region, my neck of the woods, we’re currently in the midst of Icemageddon. These events, while not considered disasters on the level of major hurricanes or other significant natural disasters, should still be accounted for when developing not only your organization’s business continuity plan, but personal disaster plans for employees.

From a business perspective does your  BC/DR plan have the following?

  • A dial-in number that employees can call to check on company closures and conditions.
  • An accurate call tree to alert critical team members of their roles and responsibilities during an outage.
  • An updated crisis management plan that deals with unexpected weather conditions. 
  • Plans to deal with business processes when employees are unable to make it to work for extended periods of time due to road conditions.
  • In the South – having appropriate snow and ice removal tools and strategies in place to ensure safety of employees and guests.
  • A travel and expense policy for extended stays at hotels while employees are out of town on company business, unable to return home due to conditions or for employees at work, unable to get home due to road conditions.

From a personal perspective does your personal disaster recovery plan have the following?

  • Shovels, sand, salt to remove snow and ice from walkways and driveways.  Even in the South you need these things as I have discovered this week.  Many homes have steep driveways and unless you have the tools necessary to remove ice and snow, you are at the mercy of Mother Nature.
  • Food and water at home to allow you to stay put for a week.  My family has been ice-bound for five days so far and although we have enough food to make it through the week, we know others who do not.
  • Flashlights and candles to provide light in the event of a power outage. 
  • A maintenance schedule for your fireplace (if you have a wood burning one) to ensure safety.  An out of control chimney fire can destroy a home in a very short period of time. 
  • Cash on hand to pay for food delivery or unexpected expenses when credit cards are not an option.

Take the time now to update your personal and corporate business continuity plans. After all, it’s only January. Who knows what the rest of the winter will bring.

Patrick R. Dunn, CISSP, CBCP
Practice Manager – Disaster Recovery & Business Continuity
President – Association of Contingency Planners – Atlanta Chapter (2011- )
Vice Chairman – Contingency Planning Association of the Carolinas (2010 – )

Aligning IT with Business Goals

Monday, December 20th, 2010

In many organizations, information technology (IT) departments are struggling to align their capabilities to meet business objectives. Meanwhile, in the face of increased market and regulatory pressures and a history of project failures, CFOs, CEOs and other non-IT leaders are questioning both performance and costs associated with IT.

The stakes are high.

IT failures have led to reputation damage, customer and market valuation loss, and an increase in privacy concerns and high-profile lawsuits. In many cases, these have negatively impacted company growth.

Not surprisingly, demands on the CIO are greater and more complex than ever. The role of IT is now to help companies respond to market pressures by focusing on cost savings, return on investment, and growth objectives, and must help the organization operate within acceptable limits of risk while ensuring information and data integrity.

The key to facilitating this alignment is the Business Impact Analysis (BIA). The BIA identifies the critical needs of the organization and properly aligns those needs from an IT standpoint. Because there is almost always some discrepancy between the business requirements and the capabilities of IT, the BIA can be used to help identify conflicts and differences. By assigning a solid dollar value to the loss of that business function or process, the applications identified become the highest priority for IT to recover and allow the business to view resources in the proper perspective. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are clearly identified as well, further quantifying the critical IT infrastructure.

Understanding business objectives and leveraging enabling technologies can help ensure that your IT solutions meet the current and future needs of your organization. The ideal place to start is with a BIA.

Patrick R. Dunn, CISSP, CBCP
Principal Consultant – Disaster Recovery & Business Continuity
Vice Chairman – Contingency Planning Association of the Carolinas (CPAC)
President – Atlanta Chapter of the Association of Contingency Planners (ACP)

How Archiving Complements Backup

Tuesday, November 16th, 2010

The terms archiving and backup are sometimes used interchangeably; however, the two are very different, and both are important components of a comprehensive data protection strategy that can improve operational and cost efficiencies.

Basically, backups are used to recover systems and data due to corruption or loss. It is essentially a second copy of data where the original is left in place. Information is stored in the context of systems with retention control at the image level.

Archiving, on the other hand, is used for long term preservation of information. The actual archive is a copy of the data but the original is deleted, freeing up more room for storage.  Retention control is at the object level which facilitates eDiscovery.  Archiving also ensures the business is able to meet compliance regulations while addressing business productivity needs in the process.

While archiving AND backup can have a lasting impact on resource administration, retention management, litigation, and application storage efficiencies, archiving provides an ideal operational framework — a process that can aid your backup environment.

For example, take a look at these two scenarios: 

Scenario One

  • Archiving Platform: No
  • Backup Amount: 200 GB of data
  • Backup Time: ~4 hours
  • Recovery Time: ~7 hours

Scenario Two

  • Archiving Platform: Yes
  • Backup Amount: 100 GB of data
  • Backup Time: ~2 hours
  • Recovery Time: ~3.5 hours

The difference: Archiving can reduce backup time by an average of 50% and provide recovery twice as fast.

If you apply an average internal cost per GB of $15 to the above scenario, you’ve just realized a storage cost avoidance savings of $1500 per 100 GB. By implementing an archiving strategy before you migrate to Exchange 2010, you are not only simplifying and speeding up your Exchange migration, but you are also able to realize actual savings for your storage procurement and/or allocation for the Exchange environment.

So as you move to advance your data protection strategy, consider the functionality inherent in archiving and backup and how the two can work together to more efficiently meet your business needs. Using both solutions will facilitate a strong, holistic plan for protecting your most critical business asset – information.