continuity planning

2017 is done - what do we do differently in 2018?

With 2017 behind us and a new year just begun, we consider which business practices we want to continue and perhaps which need to be done differently. As ghoulish as it may seem, part of my planning includes learning more about how many disasters happened during the past year, problem trends, and how well businesses are prepared for recovery.
 
In a report from FEMA, I found the number of major disasters declared over the past five years:
 

Year    # of declared disasters    % change from previous year
2017    135                        +32%
2016    102                        +29%
2015    79                         -5%
2014    84                         -12%
2013    95
 
These numbers account for such things as weather disasters, floods, terrorist attacks, and those caused by human actions. Digging a little deeper, I wondered how many cyber/data breaches happened during 2017, or at least those deemed big enough to be reported. Here’s the list I found:
 
E-Sports Entertainment Association, Xbox 360 ISO and PSP ISO, InterContinental Hotels Group, Arby’s, River City Media, Verifone, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care, America’s JobLink, FAFSA: IRS Data Retrieval Tool, Chipotle, Sabre Hospitality Solutions, Gmail, Bronx Lebanon Hospital Center, Brooks Brothers, DocuSign, OneLogin, Kmart, University of Oklahoma, Washington State University, Deep Root Analytics, Blue Cross Blue Shield/Anthem, California Association of Realtors, Verizon, Online Spambot, TalentPen and TigerSwan, Equifax, US Securities and Exchange Commission, SVR Tracking, Deloitte, Sonic, Whole Foods Market, Disqus, Hyatt Hotels, Forever 21, Maine Foster Care, Uber, Imgur, TIO Networks, eBay, Alteryx
 
That’s more than 40 companies - not a good trend. It also leads to the questions, "Is my business vulnerable?" and "What can I do about this?"
 
Here are some quick tips that I gleaned from a recent article from Everbridge:
 
Question your approach
Justifying the effort to define a recovery strategy for what is arguably a rare occurrence is difficult. Instead, look at the need from a value-based perspective: being able to recover delivers value such as:
1. Regulatory compliance
2. Competitive advantage
3. Brand and reputation recognition
4. Knowledge capture
5. Increased robustness
 
Benchmark
Find out what others in your industry are doing and from there address the question, “What is right for us?” Not all companies need sub-second recovery. Some companies really can convert their entire work force to remote workers. Your solution needs to be tailored to your needs.
 
Work Out
Simply put, plans are worthless if you don’t exercise them on a regular basis. Leading standards on continuity planning call for regular exercises that increase in scope and complexity over time. Of course, “How often?” is a key question. Two exercises a year is considered a good benchmark, with one being a tabletop exercise and the other a more in-depth simulation.
 
Some food for thought: As you continue through your planning process, include your business recoverability and resilience as part of the discussion. Being prepared for “what if” scenarios is critical for long-term success.
 
Huber Advisors is here to help with that planning. We can advise on how to start the process yourself, as well as engage with your organization to facilitate the creation of strategy and recovery plans. Call us at 651-429-9991 or e-mail us, and we can help you Be Ready for Anything!

Some things simply stay the same.

I came across a report that highlighted four key areas on which to focus your recovery strategies:
  • Virtualization
  • Cloud Computing
  • Mobile Devices in the Workforce
  • Social Networks
Looking at today’s business climate, these are certainly four areas that can still impact your environment. 

What’s interesting is that the list is from a CIO poll from April 2012. A lot of the basic elements of your recovery strategy really haven’t changed in the last five years (if not longer). Nonetheless, these remain important areas for your planning.

As you work on your recovery strategies, here are some key points for you to consider:

Size does not matter.
Smaller companies are actually easier targets and need to be equally wary of an attack.

The inexperienced are the most complacent.
As soon as business leaders and companies deal with an incident that impacts their business, they are more likely to galvanize the troops to prevent one from making a direct hit. But the planning needs to be done before the incident, not after.

Educate employees on their roles.
People, whether employees or customers, are often the weakest link in a recovery chain. Training is critical to an organization’s success and resiliency.

Clear communication is critical.
Communicate what you know, when you know it, while recovering from an incident that impacts your organization.

Plan for the worst.
When preparing your strategy, definitely discard the rose-colored glasses and plan for the worst-case scenario.

As the title says, some things really do stay the same: the key areas to address, the need for recovery, and the goal of ensuring your business continues to provide product and service. The biggest thing is to not let complacency be the thing that stays the same.

Starting small works. Call us now at 651-429-9991 and start with a day’s worth of focus on your recovery strategy. Remember, our goal is Helping Businesses Stay in Business!

But does your plan work?

“The purpose of disaster recovery testing is to reduce the level of information that a company does not know it does not know.”

- Dan Muecke, VP Technology Planning, Advanta Corporation

If you’ve made the investment in business continuity and disaster recovery planning, it is imperative that you continue to hold exercises to validate the plan, and to ensure that your strategy is up to date. If you haven’t had a comprehensive review of your plan, or held an in-depth simulation exercise, within the last 4 to 6 months, you're overdue.

If a company completes its recovery planning without testing, it is very likely to encounter major problems during an actual recovery and then resort to “winging it”. Clearly, that is not the way you want to approach preserving the livelihood of your business.

By conducting tests and exercises, you will uncover gaps in your planning and assumptions. This identifies areas in which more knowledge is needed in order to ensure recovery. Finding these gaps in a controlled environment (while testing, during a simulation) allows for reasoned resolution and closing of the gaps. Attempting to do so while under the pressure of a real disaster will certainly be less effective. So, dust off those plans, define the scenario, and hold those exercises. That truly is the way to ensure you are Ready For Anything.

Recovery plans aren't just nice. In certain cases, they're required.

About 50% of businesses that suffer from a major disaster without a disaster recovery plan in place never re-open for business.

- American Management Association


That statistic by itself is enough to get one’s attention, but then factor in all the regulations, laws, and mandates that require recovery planning:

- Sarbanes-Oxley Act
- IRS Procedure 86-19
- Consumer Credit Protection Act Section 2001 Title 1X
- Foreign Corrupt Practices Act
- Expedited Funds Availability Act
- Gramm-Leach-Bliley Act
- Federal Financial Institutions Examination Council
- Basel II, Basel Committee on Banking Supervision
- HIPAA
- FDA Code of Federal Regulation
- FEMA FRPG 01-94
- FISMA Act
- NIST SP800-34
- NERC P6T3
- NERC Urgent Action Standard 1216
- Rural Utilities Standard 7
- Presidential Decision Directive 63
- Presidential Decision Directive 13010
- ISO Standards 9000, 22301, 27001, 31000
- GAO/IMTEC-91-56 Financial Markets
- FFIEC Inter-Agency Policy

Failing to comply with these standards and regulations for your industry/organization can directly impact your ability to compete in the marketplace, obtain funding, and even bid on certain projects.

As Ben Franklin put it, "An ounce of prevention is worth a pound of cure." Having a comprehensive recovery strategy helps prevent catastrophic events and is well worth the time and effort compared with rebuilding your business from a total loss.

Side note - Franklin's quote is the result of him trying to convince the colonial Philadelphians that creating a group committed to firefighting was a good idea. His argument was that prevention of a catastrophic city-wide fire was preferable to rebuilding the city from scratch.