The GAP in DR/BCP/EM Technologies

The GAP in DR/BCP/EM Technology

Recently I attended a concert at my grandchildren’s school
in a small, rural community in Upstate New York.  A small child in the row behind me was using
what appeared to me to be a tablet computer. Amazed by the use of technology, even
by very young children, I had thoughts of how widespread the use of
sophisticated technology had become, even in remote areas.  There have been times when I felt government
agencies and some businesses assumed the presence and use of technologies to be
far greater than actual.  I challenged a
DHS employee on the use of GIS and various mapping capabilities, stating that
rural communities lacked such capabilities. He replied that his information was
just the opposite, that the use of GIS and other mapping functions was very
popular and widespread.

From my experience in rural counties, computing capacity is
not as great as reported by the DHS. 
This raises the question of capabilities of small and medium-sized
businesses to use sophisticated systems often displayed in the DRJ exhibit hall
and in articles about systems including rapid notification, GIS, and
applications for emergency and business continuity planning and response.  Is preparedness as well equipped as we often

I suspect small businesses are underprepared with business
continuity technologies.  Some larger
businesses may have the means to acquire such applications, but are not supporting
their use and maintenance.  Larger
government agencies seem to have the technology, but local governments,
especially rural municipalities, have less. Awareness is lacking in some
cases.  I met with an IT systems person
at a rural county who had ESRI and the tools to do mapping and global
positioning of such items as fire hydrants, but had no awareness of HAZUS-MH,
the free natural hazard tool from FEMA for mitigation planning.

What I am suggesting is that there is a gap between those
who are knowledgeable about new technologies for disaster recovery,
preparedness, and business continuity and those who are less aware or unable to
afford such technologies.  The danger is
for the “haves” to assume that the “have nots” can keep up with preparedness,
response and recovery efforts when disaster strikes.  The greatest gap is in public
information.  We assume the public can
receive a critical message, but many cannot. As we progress with technology,
and we should, we cannot forget those who don’t have it.

And, by the way, the child sitting in the row behind me at
the concert was playing with an Etch-a-Sketch.

5 Crisis Management Truths from the Tylenol Murders

0cc6d in tylenol murders capsules

The 1980’s Tylenol poisoning murders spurred panic, wide-spread fear, and perhaps the best-ever corporate response to a major public relations crisis. James E. Burke, then CEO of Tylenol-maker Johnson & Johnson, died on September 28 at the age of 87. He will be best known for his strong, decisive leadership and what has widely been recognized as a model of exceptional corporate crisis management. Fortune magazine named him one of history’s 10 greatest CEOs.

There are 5 truths we can learn from Mr. Burke’s handling of the poisoning disaster—lessons in the right way to handle a public relations nightmare.

1. Be forthcoming and honest

0a968 in tylenol murders james burkeIn 1982, seven people died after taking capsules of Extra-Strength Tylenol that had been laced with cyanide. The sabotage spurred a national panic about the safety of over-the-counter medications, and threatened the very survival of Johnson & Johnson. Tylenol products represented one-fifth of J&J’s revenue at the time.

J&J was careful to point out that, based on the evidence, the tampering must have occurred at the retail stores. However, they did not attempt to shift blame. They were extremely candid.

Image: James E. Burke with an oversize model of the Tylenol that replaced capsules. Credit: William E. Sauro, The NY Times

Burke “spoke the truth and that was astonishingly liberating for everyone who heard it because we have all become so accustomed to public figures telling less than the truth or lying,” wrote Harvard business professor Richard Tedlow.

2. Act quickly and decisively

According to Tedlow, on the afternoon of the first deaths, the company:

  • set up toll-free numbers manned by company employees
  • sent 450,000 telex messages to doctors’ offices, hospitals and trade groups
  • stopped all Tylenol advertising

On the first day.

3. Take responsibility, even if you don’t have to

Less than one week after the deaths, J&J spent more than $ 100 million recalling 32 million bottles of Tylenol capsules from store shelves. According to a Harvard Business School case study of the incident, the heads of the FDA and FBI felt that a recall would be an overreaction. J&J’s management put customer safety ahead of their financial concerns.

The company also established relations with the Chicago Police Department, FDA and FBI to maintain a role in searching for the person responsible for the deaths, and became the first company to adopt new triple-seal tamper-resistant packaging rules.

4. Treat people with respect

Within months, J&J re-introduced Tylenol capsules to consumers. It distributed over 40 million $ 2.50 coupons (enough to purchase a good-size bottle) to compensate customers who threw away Tylenol during the scare. They also created a new pricing program that saved consumers up to 25%.

In a 1986 news conference, Mr. Burke announced that Johnson & Johnson would stop selling over-the-counter products in capsules, which could be tampered with, and switch to solid caplets. When asked by a reporter if he was sorry the company had not acted sooner. Mr. Burke replied “Yes, indeed I am.”

5. Good behavior pays dividends

As the tough decisions were being made by Mr. Burke and his executive team, many were skeptical. They warned that the company’s reputation would never recover. Time has proved them wrong.

Less than a year after re-launching Tylenol, J&J regained a 30% share of the market and once again became the top-selling pain reliever. Today, Tylenol enjoys the highest ratings for consumer confidence, and is the most prescribed over-the-counter pain reliever.

Ultimately, the decisions were part of a shrewd plan to salvage the reputation and revenue of J&J, and return Tylenol to commanding market share. Even so, Mr. Burke proved that putting the customer first can reap greater rewards than a short-sighted drive to deflect blame and protect share price.

Maintaining a “reservoir of trust” among customers helped see J&J through this defining crisis, and in a 2003 Harvard Business School profile, Mr. Burke noted that “Nothing good happens without trust. With it, you can overcome all sorts of obstacles.”

By Wayne Blankenbeckler, MissionMode Solutions | Crisis Insights blog

Sources: “The Tylenol Crisis: How Effective Public Relations Saved Johnson & Johnson”, Pennsylvania State University | New York Times | Chicago Tribune | Washington Post | BloombergBusinessweek

Image credit, Tylenol capsules: Leif Skoogfors, CORBIS

Utilizing Cloud Hosting as Your Business’ Disaster Recovery Remedy

It is clear to see why businesses put so much emphasis on backing up their data – they need their data to be secure so that their customers can rely on them.  Therefore, an effective disaster recovery plan is essential for every business that relies on stored data.  Furthermore, a successful disaster recovery solution requires additional resources identical to those used during daily operations.  

While there is a wide selection of disaster recovery solutions, cloud hosting provides the most flexibility and ease of use, while remaining cost-effective.  As opposed to purchasing two physical servers (one as your day-to-day server and the other as your backup), cloud servers provide the benefit of being able to easily create multiple servers in the cloud without needing to lease/own physical servers. 

In the same way that server redundancy provides failover protection for business continuity and disaster preparedness, cloud hosting provides increased stability and security, as well as improved scalability.  The redundancy delivers a backup for anything that may occur, such as a natural disaster or a security hack that comprises data.

Due to its cost effectiveness, cloud computing provides disaster recovery methods for small businesses that were previously possible only in large enterprises.  Cloud hosting enables significantly faster recovery times in the event of a disaster, as servers can be spun up in minutes on a cloud host platform.

With cloud hosting from a premier hosting provider like Atlantic.Net, principal IT infrastructure is also essentially a dynamic backup system, as your data and applications reside in an offsite, secure data center facility with a backup, uninterrupted power supply, and dedicated support staff, just in case.

How to Establish Danger Appetite in the Context of Organization Continuity

By Brian Zawada &amp Jacque Rupert, Avalution Consulting
Write-up originally posted on Avalution Consulting&rsquos Blog

The introduction of ISO 22301 (Societal security &ndash Requirements &ndash Enterprise continuity management system) far more closely aligns company continuity to the broader danger management discipline. A main contributor to this alignment is the common&rsquos requirement to realize the organization&rsquos &ldquorisk appetite&rdquo (a term not used in BS 25999).&nbsp

ISO 22301&rsquos definition of threat appetite (Section 3.49) is the &ldquoamount and variety of risk that an organization is willing to pursue or retain&rdquo. The regular makes reference to risk appetite in two sections:

ISO 22301 and Danger Appetite

In addition, the authors of the guidance document supporting ISO 22301, titled ISO DIS 22313, make one particular further reference to threat appetite in the section focused on establishing the context for the business continuity management technique:

ISO 22301 and Danger Appetite

For these searching for alignment with or certification to ISO 22301, organization continuity professionals (or those charged with enterprise continuity planning) should realize the idea of risk appetite and address the needs outlined above.&nbsp

Please note: the goal of this post is not to provide a comprehensive, theoretical understanding of risk appetite, as other whitepapers and info sources already do this, but rather to introduce the idea to company continuity professionals and offer you insight on leveraging and &ldquoimplementing&rdquo this idea in our profession.

The Relationship Amongst Danger Appetite and Business Continuity
We think the contributors to ISO 22301 integrated the notion of threat appetite (&ldquoamount and type of risk that an organization is willing to pursue or retain&rdquo) into a enterprise continuity management program standard for two important factors:

  1. Organizations ought to view danger appetite as all-encompassing, incorporating all places of threat, including the company continuity-associated risks linked with disruptive incidents and&nbsp
  2. Utilizing danger appetite to adequately scope and support a business continuity management system aids align business continuity to organizational strategy and other risk management efforts, enabling organization continuity to better integrate into broader threat management.&nbsp

Further, when carried out effectively, risk appetite becomes a key input to (and it could overlap considerably with) a company continuity management system&rsquos scope and objectives.&nbsp

Keys to Determining Threat Appetite
As noted above, many sources of information are obtainable that describe the concept of danger appetite and the greatest method for determining an organization&rsquos danger appetite. Avalution analyzed these sources to aid further understand how to most properly help our clientele in determining and documenting their danger appetites as it pertains to organization continuity preparing, as properly as integrate the notion into our own company continuity system (since we are actively transitioning from BS 25999-two to ISO 22301 within our organization). One particular of the most valuable sources we identified is a white paper published by the Institute for Danger Management (IRM), which introduced a quantity of &ldquodesign&rdquo aspects the authors considered as important to figuring out danger appetite. 3 of these design aspects, or considerations, are paraphrased below, which we located aids to better realize and decide danger appetite:&nbsp

  1. An organization&rsquos danger appetite is &ndash or should be &ndash measurable&nbsp
  2. The acceptability of threat must have a time (temporal) consideration, to ensure periodic assessment (given organizational and environmental alter)&nbsp
  3. Threat acceptance ought to not have anything to do with relaxing controls (risk treatment options)&nbsp

With this stated, and in our opinion, some of the sources of data &ndash other than executive management &ndash that organizations really should evaluate when figuring out danger appetite incorporate:

  • Annual reports and monetary statements&nbsp
  • Consumer contracts&nbsp
  • Regulatory requirements&nbsp
  • Business strategic plans&nbsp
  • Marketing and advertising materials&nbsp
  • Board meeting minutes&nbsp

Although we will not go into additional detail on determining threat appetite, these looking for extra data should contemplate reviewing the following:

  • COSO &ndash Understanding and Communicating Danger Appetite&nbsp
  • ERM Symposium &ndash Cremonino&nbsp
  • Towers Perrin &ndash ERM Threat Appetite&nbsp
  • COSO &ndash ERM Executive Summary&nbsp

Instance &ndash Risk Appetite at Avalution
In transitioning from BS 25999-2 to ISO 22301, we had to understand how risk appetite pertains to our business continuity management method, provided that this is a new formalized requirement essential for certification. Using the guidance and method described in the previous section of this article, we documented our risk appetite summary as follows:

In 2012, we are willing to tolerate a finite amount of downtime as long as it does not outcome in the following:

  1. Damaged reputation among our clients that leads to broader, unfavorable market place perception
  2. Missed service level agreements particular to The Preparing Portal and BC Catalyst&nbsp
  3. Financial loss in excess of $ 50,000
  4. Project delays of much more than three days due to resource disruption and lost information

In order to align our existing organization continuity system with this statement relating to danger appetite, Avalution management intends to staff and appropriately resource our enterprise continuity management program to minimize downtime in the most effective, pragmatic manner feasible.&nbsp

As noted earlier in this short article, this statement aligns with the IRM style considerations, specifically:

  • It aligns to our merchandise and services, as well as our organization&rsquos strategic priorities, and hence the scope of our company continuity management program&nbsp
  • It delivers quantifiable techniques to measure risk&nbsp
  • It notes a time element (2012)&nbsp
  • It notes where our management team accepts a level of risk, which frees resources to boost our company, services and technology, as effectively as invest in our men and women&nbsp

Danger appetite is an critical idea that involves strategic, operational and tactical elements &ndash all of which influence the productive implementation and continual improvement of a business continuity management program. Taking into consideration threat appetite as element of organization continuity organizing allows business continuity to far more closely align with threat management efforts, enabling enterprise continuity efforts to focus mostly on the risks management is unwilling to accept regarding critical items, services, business processes and resources (all of which an organization should obviously document within its danger appetite). Understanding the boundaries &ndash based on an acceptable level of threat &ndash introduces focus and clarity in arranging, which outcomes in greater levels of effectiveness and efficiency in safeguarding an organization&rsquos most time-sensitive or vital activities.&nbsp

Further, considering danger appetite in the context of organization continuity planning really should support management frame organization continuity in relation to how they currently think about the broader subject of dangers to the organization, with the danger of disruptive incidents becoming only one particular factor to consider. Aligning the organization continuity work to how management already thinks (on a strategic level) really should contribute to a stronger, clearer value proposition for the preparedness effort, which ought to allow long-term support and management involvement.&nbsp

Due to the benefits outlined throughout this short article, Avalution believes that the idea of threat appetite is a welcome addition to ISO 22301, and one particular that organization continuity specialists must find out far more about in order to be an active participant in a broader threat management effort.


Brian Zawada, Director of Consulting &amp Jacque Rupert, Managing Consultant
Avalution Consulting: Company Continuity Consulting

Our consulting group frequently publishes perspectives (shorter, independent articles) that touch on the trends currently affecting our profession and the strategic troubles facing our clientele. This is one particular of our most current posts, but the complete catalog of our perspectives &ndash over 100 published because 2005 &ndash can be accessed by means of our weblog.

Apply to Increase Neighborhood Resiliency: Community Resilience Innovation Challenge Funding Available

A lesson we can take away from the recent severe weather and fires across the country is disasters can happen anytime, anywhere. No one can control where or when emergencies may happen but we can take steps in advance to prepare. Today, I am excited to announce a step towards better preparing local communities before disaster strikes – the 2012 Community Resilience Innovation Challenge.

This new opportunity is designed to assist local areas in building and revitalizing community-based partnerships through innovative initiatives and programs designed to advance the nation’s resilience to disasters. Funding levels range with a maximum of $ 35,000 and applications are open to all local, state, and tribal agencies and governments, business entities, associations, organizations and groups.

The Challenge program is supported by the Rockefeller Foundation and FEMA and will be administered by the Los Angeles Emergency Preparedness Foundation to encourage local communities to engage in creative activities that enhance disaster resilience. FEMA’s goal through the Community Resilience Innovation Challenge program is to emphasize the importance of planning and engaging the whole community, across all social sectors, to effectively respond to disasters.

The application period for the Community Resilience Innovation Challenge is open now through October 26, 2012. Information on the Challenge criteria and application process can be found at

Join me in spreading the word to those in your community who are passionate about disaster resilience!

BCM World Conference and Exhibition 2012 – just an additional event?

Life as a BCM practitioner in any organisation can sometimes feel like you have been sentenced to solitary confinement. Often working in isolation and surrounded by your ‘adversaries’, it can be a lonely role as you struggle to embed BCM into your organisation and to win over some of your strongest critics. Coupled with the need to be a ‘jack of all trades’ that requires you to be knowledgeable, persuasive, inspirational, and highly-organised as well as a skilled facilitator, being a BCM practitioner can be a really tough job.

Just when you feel your energy levels dwindling and see your enthusiasm ebbing into the distance, along comes the BCM World Conference and Exhibition – the one that reaches the parts other conferences cannot reach, filling you with renewed energy and rekindling your passion for the discipline that is the love of your life.

The BCM World Conference reunites you with your allies, puts you alongside the ‘already convinced’ and ‘converted’ and offers you temporary release from your ivory towers, allowing you to dip into the cool pool of BCM and immerse yourself in a world where you feel safe and understood.

Here you can find out what’s new on the BCM horizon; meet with other practitioners from a wide range of organisations from across the globe; share, exchange and learn from your peers; and develop new-found knowledge and practical insights that you can apply to your own organisation.

This year, Richard Reed, Vice President for Preparedness and Resilience Strategy at the American Red Cross will be delivering the Conference keynote, which promises to shed some interesting insights into the US approach to preparedness and societal resilience. Reed, who was the former Special Assistant to President Obama and Senior Director for Resilience at The White House, will be looking at how major events including terrorism, health emergencies, major accidents and catastrophic natural disasters have shaped and modified the approach of successive administrations.

The Conference is supported by a FREE to attend exhibition that showcases the latest BCM products and services from leading suppliers around the globe and exposes you to the latest BCM tools that will make your job and your life a lot easier. See, compare and experience first-hand the latest trends and developments in BCM products and services and be among some of the first to witness some exciting launches. With around 50 exhibitors under one roof, the Exhibition provides the perfect platform for some targeted investigation and market research and ample opportunity to talk directly to the vendors and ask the questions that are really important to you and your business.

The Exhibition also plays host to a FREE Seminar Programme that runs throughout the two day exhibition. Benefit from some insightful vendor showcasing seminars on BCM products and services as well as some thought-provoking BCM case studies delivered by an interesting line-up of international experts and established BCM practitioners. So if you don’t have the budget to attend the Conference, at least make a point of attending the Exhibition!
Is BCM World Conference and Exhibition just another event? I will leave you to decide. I don’t think it is.

Disaster Recovery for HIPAA Data & Applications

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted to help address concerns regarding health care data security and privacy.  As part of the administrative safeguards of this act, health care facilities are responsible for backing up their data and having a disaster recovery plan in place for responding to emergencies. 

In general, health care facilities are responsible for maintaining the availability, integrity, and confidentiality of their patients’ Protected Health Information (PHI).  If a patient arrives in the Emergency Room in the middle of the night, the physician needs to be able to access the patient’s electronic health records quickly so that they can address their needs effectively. 

Therefore, data backups are imperative and a disaster recovery plan is essential to ensure that Protected Health Information can be recovered and restored in a reasonable amount of time if an unexpected event occurs.  The health care facility’s disaster recovery plan should outline data priority and failure analysis, testing activities, and change control procedures. 

With cloud computing, disaster recovery has become very cost-effective.  Health care data can be backed up off-site or hosted in a highly-available environment that maintains data integrity in the event of a disaster.  Also, redundancy can also be delivered in the cloud server platform to provide failover protection.

Atlantic.Net offers HIPAA Compliant Hosting and is a trusted partner to medical and health care facilities throughout the country.  Atlantic.Net has been recognized by disaster recovery hosting professionals and has been chosen by the Disaster Recovery Journal as their official data center!

DRJ’s and Market Conferences’ Most Beneath-Valued Advantage

After every conference I undoubtedly get a variation of the same question, “How was the show? How was the attendance?” And every year I give the same response…… “Show was great. Wish the attendance was a bit higher.” I think we all know that BCP and DR are some of the first casualties of budget cuts. Well, conference privileges get cut before BCP and DR. As we go into budget season for most organizations I suggest you fight a bit harder to attend local and national conferences. Sure we all benefit from the content and keeping up with the latest technology but one of the most under-valued benefits of attending conferences is the networking that just happens. Networking doesn’t just happen in the sessions or at the vendor exhibits. It can certainly also happen at the bar, or at the Gym, or while checking out the local surroundings. This networking is very hard to report back on, but I believe in this virtual world we live in now that one hand shake at a conference can create an everlasting relationship….. For the record this blog is purely the opinion of Fairchild Consulting and the Arnold’s had nothing to do with influencing this blog ;o)

The Value of a Disaster Recovery Plan

It is extremely important for businesses to have a Disaster Recovery (DR) plan in place for situations where downtime or data loss may affect the business’ ability to continue operating smoothly and effectively.  To protect your data, it is essential that you know what you’ve got, understand what’s at risk, and then create a Disaster Recovery plan to keep risk at a minimum.

Disaster Recovery ties directly into business continuity because with so many businesses relying on their websites and/or the Internet in general, the loss of data could greatly affect their revenue.  The reality is that if your information system is taken down due to a flood, malware, hack attack, etc., you have both a business continuity and disaster recovery issue on your hands.

When putting together a Disaster Recovery plan, there are several key factors that will need to be considered so that the plan is as effective as possible.  Take the following factors into consideration when creating a DR plan for your business:

  • Recovery Time Objective (RTO) – What is your business’ objective time in which you should be able to restore systems to a point where you can carry out the impacted operations, even perhaps with limited functionality?
  • Maximum Tolerable Downtime (MTD) – How much downtime can your business handle before the impact of this downtime becomes long term and results in substantial loss?
  • Recovery Point Objective (RPO) – At what point can your business cope with data loss?  This will determine whether your business should implement data backup routines consisting of constant synchronization, daily backups, weekly backups, etc.

Having a Disaster Recovery plan in place will allow your business to recover from disaster in a relatively short amount of time because of the protocols in place to restore lost data, as well as to restore hardware resources that have been affected.

Atlantic.Net has been recognized by top disaster recovery hosting professionals throughout the world and has been chosen by the Disaster Recovery Journal as their official data center

Returning From San Diego a Tiny Bit Wiser

I was 1st offered responsibility for disaster recovery planning in 1985 even though operating at, what was then identified as, Bank of Virginia in Richmond, VA. We had been a UNISYS shop and had a mainframe recovery subscription with a business whose name I no longer remember that had a UNISYS recovery facility in Warminster, PA. I have been working in the fields of disaster recovery, company continuity, emergency response and crisis management, in a corporate management or consulting capacity ever given that. You do the math to decide how many years&rsquo encounter that equates to &ndash I am not certain I want to!

But, even right after all those years, I am nonetheless studying new issues, new tactics, greater options, greater methodologies, and so forth., each and every and each day. And, via conferences such as the just completed 2012 DRJ Fall Globe, I accelerate that studying method and I meet much more and a lot more men and women that assist me grow and find out along the way.

Way back in 1985, I started attending sector conferences, user groups and professional instruction seminars. All through the years, I have attended numerous DRJ conferences &ndash first as a practitioner then, after gaining expertise and self-confidence, as a presenter and then, right after becoming employed by DR and BCP services organizations, as a vendor. This year, though I am back in the consulting sector with a new company &ndash I attended the conference after again in a practitioner capacity &ndash and had a wonderful encounter.

From the extremely 1st General Session on Monday morning exactly where I learned that I am ignorant &ndash but that is not a bad factor &ndash to the really final Common Session on Wednesday exactly where I learned how to recall, in order of ratification, the original thirteen colonies of the United States, I was enthralled, entertained and learning new things.

I adore the reality that when I attend these conferences, after all these years, it is like obtaining an annual reunion with the so a lot of old friends I have been privileged to make all through the years and yet, I still meet loads and loads of new people &ndash some new to the field and other individuals just new to me. I was so content to see, at this conference, so numerous new and young faces helping to instill fresh new concepts into our field.

I personally wish to thank the tremendous presenters who so freely shared their knowledge with those in attendance at their sessions in a thought-provoking and often entertaining way. I want to thank the vendors who took time to talk to me about their goods and services and who were prepared to share their experiences and thoughts with me. And, I want to thank all of the other participants who swapped organization cards with me, exchanged challenges and solutions with every other over breakfast, lunch and following session get-togethers. And, of course, thanks goes out to the DRJ Group, management and staff that did a terrific job, after again, in organizing and orchestrating the conference.

I don&rsquot know how 4 days can go by so fast and however seem to cram in so much stuff that I feel physically and mentally exhausted but but energized and eager to put to practice some of the new ideas and expertise I gained. As my plane is descending into Seattle and I am getting told I have to energy down my electronic device, I am each glad to be home and however, currently looking forward to the subsequent conference.

Oh, by the way, these colonies would be: Dollar Ware (Delaware) two pens (Pennsylvania) Jersey Cow (New Jersey) King George (Georgia) connect his cut (Connecticut) massive block of ice (Massachusetts) Marilyn Monroe (Maryland) pointing south (South Carolina) a new ham (New Hampshire) a Virginia peanut (Virginia) the Empire State Developing (New York) point north (North Carolina) and, a Rhode Island Rooster (Rhode Island).