Disaster Recovery Journal Fall 2025

REGISTER TODAY! www.drj.com/fall2025

Fall 2025 u Volume 38, Number 3

INSIDE ... Hidden AI Risks BCM Leaders Must Prepare for Now Why Continuity Leadership Matters More Than Ever Why CISOs Are Redefining Resilience DR Services Directory

Don’t Miss An Issue u Subscribe Today! u www.drj.com/#sign-up

Small-Medium Business Integrated Toolkit BIA Surveys, Dashbaords BC/DR Plan Templates 350+ Reports Low Cost

Global Enterprises Unlimited User Access Asset Geo-tagging Flexible, Customazible Integrated Workflow Voice, SMS Notification

www.eZPlan

(888) 480-3277

Platform for Building a Resilient Enterprise

• Cloud hosted • Secure Solution • Scalable • Product support • FREE upgrades

BIA, Plan Templates Gap Analysis Reports Exercise Management Role-Based Access Management Dashboards Management Consultants

powered by

nner.net

Info@eZPlanner.net

Make confident decisions when it matters most Visit us at Booth 403

Scan to book a meeting with us

Disaster Recovery Journal 1862 Old Lemay Ferry, Arnold, MO 63010 (636) 282-5800; Fax: (636) 282-5802

Internet: www.drj.com E-mail: drj@drj.com EXECUTIVE PUBLISHER Bob Arnold bob@drj.com EDITOR IN CHIEF Jon Seals jon@drj.com PRESIDENT Bob Arnold bob@drj.com DIRECTOR OF EVENTS Lesley Vinyard lesley@drj.com REGISTRATION MANAGER Rose Chotrow rose@drj.com SENIOR WEB DESIGNER

TABLE OF CONTENTS

COVER The Resilience Disconnect: A C-suite Opportunity By MARGARET J. MILLETT 8

Amy Faulkner amy@drj.com EVENT MARKETING Sonal Patel sonal@drj.com

EXECUTIVE COUNCIL Dan Bailey, Jeff Dato, John Jackson, Peter Laz, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson EDITORIAL ADVISORY BOARD Erick Anez, Robbie Atabaigi, Rich Cocchiara, Renuka Darbha, Sherri Flynn, Corey Hahn, Colleen Huber, Lisa Jones, Melanie Lucht, Melissa Muñiz, Melissa Owings, Bogdana Sardak, Nicole Scott, Paul Striedl, Joy Weddington + (51) 1 436 6456 fijo Perú + 1 (786) 600 1864 USA ruth.rocha@drjenespanol.com www.drjenespanol.com ASIA Business Continuity Planning Asia Pte Ltd (BCP Asia) Henry Ee 1 Commonwealth Lane #08-27 One Commonwealth Singapore 149544 Phone: (65) 6325 2080 Fax: (65) 6223 5363 General: enquiry@bcpasia.com Events: conference@bcpasia.com Direct: henry@bcpasia.com www.bcpasia.com UNITED ARAB EMIRATES Continuity and Resilience A Division of CORE MANAGEMENT CONSULTING Dhiraj Lal , Executive Director P. O. Box 127557, Abu Dhabi, United Arab Emirates ( +971 2 8152831 | 7 +971 2 8152888 dhiraj@continuityandresilience.com www.continuityandresilience.com SOUTH AMERICA DRJ en Espanol Ruth Rocha , Directora Comercial

12

36 The Hidden Gap: How Internal Audit Uncovers Weaknesses in Risk

5 Steps to Build Strong, Resilient Teams That Deliver Results By BOB KLEMME

Management and Disaster Preparedness By NADA AL-SHAHRI

20 Hidden AI Risks BCM Leaders Must Prepare for Now By YULY GROSMAN 24 Recency Effect’s Role in Disaster Planning and Preparedness By SARA BENDER 28 Why Continuity Leadership Matters More Than Ever By THOMAS MAGEE

39 Data Mobility Emerging as a Must-Have Backup Software Feature By JEROME WENDT

42 Career Spotlight: Maya Calabrese By MELANIE LUCHT

44 Why CISOs Are Redefining Resilience By JOE SILVA

46 From Burden to Advantage: How SMEs Can Turn Compliance into a Growth Advantage By CHARLOTTE WEBB

33 8 Common Business Continuity

Planning Mistakes (And How to Avoid Them) By CARLO KELEJIAN

53 DR Services Directory

DISASTER RECOVERY JOURNAL is copyrighted 1987-2025, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.

DISASTER RECOVERY JOURNAL | FALL 2025 5

FROM THE PRESIDENT’S DESK

Why Trust Is the Core of Crisis Leadership W hen a real crisis hits, people don’t follow job titles, they follow the people they trust. That’s something Maj. Gen. Alfred Flowers has said many times, and it rings true in our field. During a crisis, your title doesn’t matter much. What matters is whether your team knows they can count on you.

BOB ARNOLD, MBCI Hon.

AI Can Help, But It Can’t Lead Another article, “Hidden AI Risks BCM Leaders Must Prepare for Now,” by Yuly Grosman, raises a question we’re all hearing: Is AI going to replace us? Here’s the truth: AI might take over some tasks, like writing reports or sending remind ers. But it won’t replace real leadership. It won’t calm a room or help a team focus during a high-pressure moment. Technology can only go so far. As Jason Hoss puts it, “Think of AI not as a replacement, but as a force multiplier.” Use it to take work off your plate so you can focus on guiding people and making decisions. It’s All About the Team There’s another great article from Bob Klemme in this issue called “5 Steps to Build Strong, Resilient Teams That Deliver Results.” It’s a good reminder that no matter how solid your plan is, it’s the people who make things happen. If your team isn’t ready, or if they don’t feel supported, the plan won’t matter. That’s why we need to train, communi cate, and lead in a way that builds confidence and trust—before anything goes wrong. Let’s Talk About It in Dallas We’ll dig into all of this and more at DRJ Fall 2025 in Dallas. We’ve packed the agenda with sessions on leadership, crisis planning, cyber risk, and team building. It’s our 73rd conference and it’s shaping up to be one of the most important yet. Hope to see you there.

In today’s world, where we’re dealing with cyber threats, AI, natural disasters, and all kinds of uncertainty, trust and leadership matter more than ever. It’s Not Just About the Plan In this issue of Disaster Recovery Journal , there’s a great article called, “The Resilience Disconnect: A C-suite Opportunity” by Margeret Millett. It talks about how busi ness leaders don’t always connect the dots between resilience and the bigger picture. And that’s on us. Sometimes, we get caught up in the details, plans, frameworks, tests, and forget to show the real impact of what we do. If leadership doesn’t understand how our work helps the business stay open, protect customers, or avoid costly downtime, it’s hard for them to back us. Building that trust means talking about what matters to them. And it means showing that we’re not just there to follow a checklist, we’re there to help the business stay strong when it counts.

PRESIDENT bob@drj.com

6 DISASTER RECOVERY JOURNAL | FALL 2025

OPERATE WITH CONFIDENCE, ANYWHERE ON EARTH

CRITICAL EVENT MANAGEMENT TRAVEL RISK MANAGEMENT RISK INTELLIGENCE & ANALYSIS

GLOBAL SECURITY ASSISTANCE MASS NOTIFICATION SYSTEM MEDICAL EVACUATION & ASSISTANCE

HEAR FROM OUR INDUSTRY EXPERTS AT DRJ FALL 2025

The Role of Emerging Technologies in Building Operational Resilience Panel Monday, September 8 | 10:30 AM - 11:30 AM CT Decisions Under Fire: Crisis Response Lessons Tuesday, September 9 | 8:00 AM - 9:00 AM CT The One‑Person Resilience Team, Supercharged by GenAI: LA Fires, Tariff Shocks & the 2025 Disaster Season Tuesday, September 9 | 2:30 PM - 5:00 PM CT

VISIT BOOTH #404

www.crisis24.com

The Resilience Disconnect: A C-suite Opportunity

By MARGARET J. MILLETT

8 DISASTER RECOVERY JOURNAL | FALL 2025

I n today’s volatile global environment, resilience is no longer a siloed function or compliance exercise. It is a strategic imperative. This article explores six persistent disconnects held by boards and C-suite lead ers who undermine true enterprise resilience. It calls for a shift from reactive, checklist-based thinking to a proactive, integrated approach embedded in cor porate strategy, culture, gov ernance, and technology. With evolving regulatory demands across regions and rising stakeholder expectations, now is the time for senior leadership to take direct ownership of building agile, future-ready organizations. Disconnect No. 1: Resilience is an IT or Risk Function One of the most pervasive misunder standings is that resilience falls solely within the domain of IT, risk, or compli ance teams. While these functions play essential roles, they are only pieces of the puzzle. True organizational resilience spans every function from finance and human resources to operations and com munications. When resilience is siloed in a specific department, it becomes reactive and tac tical, rather than strategic and enterprise wide. Resilient organizations are those where the C-suite leads from the front, integrating resilience into business strat egy, culture, investment decisions, and governance frameworks. Instead of treating resilience as a purely operational concern, organizations should elevate it to the boardroom agenda, making it a core focus of executive over sight and long-term planning. Resilience should be positioned as a key pillar of cor porate strategy. It is integral to sustaining growth, protecting reputation, and meet ing stakeholder expectations. To ensure meaningful impact, cross-functional lead ership must be assigned to drive resilience initiatives, fostering collaboration across

risk, operations, technology, compliance, and strategy teams. Disconnect No. 2: Resilience Equals Business Continuity Planning Executives often equate resilience with having a business continuity plan (BCP) sitting on a shelf. While BCPs are vital, it is just one component of a broader resil ience strategy. Resilience encompasses crisis management, operational risk, third party dependencies, workforce agility, data integrity, cyber readiness, and the ability to innovate under pressure. A BCP is static by nature, typically based on assumptions which may quickly become outdated. Resilience, by contrast, is dynamic. It requires real-time decision making, continuous learning, and the capacity to pivot in the face of the unex pected. Instead of relying on static plans, orga nizations should develop a living, evolv ing resilience framework that adapts to changing risks, business priorities, and global conditions. This includes invest ing in scenario planning and stress test ing to anticipate potential disruptions and strengthen response capabilities. Most importantly, resilience should be viewed as an ongoing organizational capability. It needs to be embedded in the culture and decision-making, rather than a one-time exercise or a document that sits on a shelf. Disconnect No. 3: Compliance Equals Resilience Regulatory compliance is necessary, but it is not sufficient. Too often, orga nizations check the boxes for audits and assume they are resilient. Resilience is not about meeting the minimum requirements; it is about being prepared for the worst case scenario while being agile enough to seize opportunities. Regulators worldwide are shifting their focus from compliance to outcomes. They want to see evidence organizations can continue to deliver important business ser vices during disruption. To build meaningful resilience, orga nizations should move beyond checklist based compliance and focus on achieving true maturity in their practices. This means

linking resilience investments directly to measurable business outcomes such as operational continuity, customer trust, and financial performance. Additionally, com panies should engage proactively with regulators to understand and help shape evolving resilience expectations, ensur ing alignment between strategic goals and external requirements. Disconnect No. 4: Insurance and Redundancy Are Enough Some executives believe having cyber insurance or a secondary data center makes their organization resilient. While such measures are important, they address only parts of the resilience equation. Insurance does not prevent a breach; redundancy does not guarantee continuity if decision making is slow or communication fails. Resilience requires understanding interdependencies and preparing for cas cading failures across ecosystems. It involves not only technical and financial safeguards but also leadership readiness, stakeholder trust, and cultural adaptability. Effective resilience requires more than just technical solutions. It must be paired with strong leadership capabilities. Organizations should combine tools and technologies with leadership training to ensure confident, informed decision-mak ing during disruptions. Conducting simu lations that test real-time responses under pressure help prepare teams for complex crises. At the same time, building strong relationships across supply chains, part ners, and regulators fosters collaboration and trust, which are critical for coordi nated response and recovery. Disconnect No. 5: Resilience Is a Cost Center Budget conversations often relegate resilience to a cost that delivers unclear return on investment (ROI). As a result, programs are understaffed, underfunded and treated as a low priority. Resilience is a value driver. It protects reputation, maintains revenue, supports investor con fidence, and enhances competitive advan tage. Organizations that invested in resil ience before the COVID-19 pandemic out performed their peers in terms of speed to

DISASTER RECOVERY JOURNAL | FALL 2025 9

adapt, employee retention, and customer trust. Resilience is not a sunk cost. It is a strategic asset. To gain executive and board-level support, resilience should be framed in terms of risk-adjusted value preserva tion. It should highlight how it protects and sustains enterprise value in the face of disruption. Aligning resilience key perfor mance indicators (KPIs) with core busi ness performance metrics demonstrates its direct contribution to strategic objectives. Sharing case studies where resilience initiatives have delivered tangible finan cial benefits further reinforces its role as a value driver, not just a risk mitigation exercise. Disconnect No. 6: One-Size-Fits-All Resilience Models Work Executives may adopt frameworks or templates that are not tailored to their organization’s unique risk profile, cul ture, or regulatory environment. While industry standards (like ISO 22301 – the international standard for business conti nuity management systems (BCMS)) offer useful guidance, resilience must be cus tomized. Each organization has distinct criti cal services, supply chain vulnerabilities, and stakeholder expectations. A templated approach may overlook specific weak points or create a false sense of security. To ensure resilience efforts are relevant and effective, organizations should begin with an enterprise-wide risk and impact analysis that captures both strategic and operational vulnerabilities. Resilience programs must be customized to reflect the unique needs of each geography, sector, and business model, recognizing a one-size-fits-all approach falls short in a complex global environment. Integrating employee feedback and frontline intel ligence into planning ensures practical insights are captured, increasing the rel evance, agility, and effectiveness of resil ience strategies. The Board and Regulator Perspective Boards of directors and international regulators are increasingly holding the C-suite accountable for organizational

resilience. This is not just about fiduciary duty; it is about safeguarding societal sta bility and economic continuity. From the European Union’s Digital Operational Resilience Act (DORA) to U. Securities and Exchange Commission (SEC) cyber security rules, resilience is now a gover nance imperative. Depending on where organizations operate in the world, they may need to consider a few additional key regulatory bodies such as APRA (Australia), BaFin (Germany), and FSRA (UAE). Executives must be prepared to dem onstrate their organizations can consis tently deliver critical services, even under adverse conditions. This includes the abil ity to withstand and recover from systemic shocks while maintaining operational integrity. Protecting data, people, and physical assets is essential, as is the capac ity to make timely, transparent decisions during crises. These capabilities are not only vital for maintaining stakeholder trust but also for meeting regulatory expecta tions and sustaining long-term business performance. Boards must also evolve. They should include members with expertise in risk, crisis leadership, and digital resilience. Oversight should shift from reactive reviews to active scenario discussions and resilience investment planning. Regardless of region or sector, resilient leadership is emerging as the cornerstone of global competitiveness. The time to act is now.

Path Forward: Building Strategic Resilience To correct these misconceptions, C-suite leaders must shift from a defensive to a strategic mindset. Resilience should not be an afterthought but embedded in: 1. Corporate strategy: Link resilience with environmental, social, and governance (ESG), digital transformation, and innovation. 2. Culture: Encourage a growth mindset, psychological safety, and accountability. 3. Governance: Assign clear ownership, reporting lines, and performance metrics. 4. Technology: Leverage real-time data, automation, and AI to anticipate disruption. Resilient organizations are not simply those that bounce back. They are the ones that bounce forward emerging stronger, more agile, and better positioned for long term success. In today’s environment, resilience is not optional. It is a boardroom priority, regulatory expectation, and a business dif ferentiator. The sooner the C-suite recog nizes this, the better prepared they will be for whatever comes next. v

Margaret J. Millett, MsBC, FBCI (Hon), MBCP, is the CEO and founder of Seamless Horizon, Inc. She has driven business resil ience across Fortune 300 IT and financial services companies in the US and Ireland.

She is the 2023 Business Continuity Institute (BCI) Lifetime Achievement Award recipient and a sought-after global speaker and author.

10 DISASTER RECOVERY JOURNAL | FALL 2025

DRJ Fall 2025 Meet us at booth #219

5 Steps to Build Strong, Resilient Teams That Deliver Results

By BOB KLEMME

L et’s get straight to the point: the value of a strong team cannot be understated. Bad teams are destruc tive. Good teams create success. When assessing the strategic resilience of organizations, we find strong teams are often an indicator of positive results and long-term success, even in the face of adversity. When venture capital firms decide whether to invest millions to help a small company grow, the strength of the team is of primary importance.

Imagine someone is observing one of your team meetings. Perhaps they are an expert in organizational behavior, or a professional poker player, or your mother. This person could probably identify whether you have a successful team or if it’s headed for disaster. In this article I propose five steps to improve the results and resilience of a team. It’s not science, just years of obser vation and experience from many different teams. Some successful and some not.

1. Align on the Mission During a crisis the mission is clear: return the operation to normal ASAP. Before the crisis, I have found the mis sion may not be as clear. We will not explore how to define your team’s mission, that’s up to you. In brief, Simon Sinek might call it the “why” – simply defining why the team is here in the first place. When teams understand and align on their mission, it keeps everyone’s eyes

12 DISASTER RECOVERY JOURNAL | FALL 2025

Innovative, AI-assisted Business Continuity solution – for when it matters most

See 4C Strategies’ Resilience Platform in action at DRJ STAND 419 4cstrategies.com

Brisbane | London | Malmö | Orlando | Stockholm | Warminster | Washington,D.C.

focused up, instead of down on the details where decisions may cause grumbling. Even an unhappy decision can be under stood when team members recognize the mission remains intact. They know some thing’s got to give, and trying to make everyone happy doesn’t work on a high functioning team. Good leaders and good team members regularly demonstrate their mission focus. Team members observe how decisions get made: whether negative influences like expedience, politics, favoritism, or self interest take priority over the team’s big mission. Employees are wise to this, and follow suit for better or worse. When a team is aligned, their energy is focused on the objective. If not, energy is focused on everything but the objective. The US military is credited with a cul tural mantra: mission first, people always. This speaks to the challenge of focusing on

other metrics were more “activity com pletion” metrics, which is less desirable, but we found it was still the best way to track our progress without getting stuck in the details. For example, the effective ness of the plans and tests was expected and entrusted to the professionalism of the team. A benefit of clear metrics is that it com municates how leaders will measure the team’s success, so there are no surprises. Identifying meaningful metrics takes effort, but becomes a powerful mechanism that provides incentives for teams to align with the big mission. Doerr describes the value of short-term measurable results and using OKRs to accomplish this goal. With the big long term goal, leaders identify the key results needed as progress points along the way. Start measuring those results with dates, owners, and clarity. It’s common sense, yet somehow still a challenge. Resilient teams

2. Measure What Matters In his best-selling book “Measure What Matters,” John Doerr describes the bene fits of OKRs (objectives and key results) which he introduced to Google during its early days. It’s a valuable read, as it describes how teams can build their cul ture and ability to stretch for big goals as they measure the right incremental results. When I managed a BC/DR program, we reported progress toward our primary metrics each quarter, listed here: u Crisis events managed successfully, and exercises completed. u BC/DR plans activated and whether they met objectives. u BC/DR plans updated and tested successfully. u BIA project completed within timeframes. u Outreach activities completed and value to business.

Resilient teams know when to say “no” to distractions and know when to adjust to achieve the results that matter. Resilience is built when every member of the team knows the mission, knows how their actions affect results, is measured, and provided with the right incentives to deliver those results. “

the mission, while understanding the people involved. Good leaders dem onstrate high emo tional intelligence about the people ‘left behind’ when a decision goes the other way. Resilient teams don’t need baby sitting. Team members are encouraged to exercise judge ment, to improvise

adapt as chal lenges arise, recalibrate, or real locate resources to double-down or divert, or to adjust the time frames. If these big goals are really that important, the whole organization should be aware,

and be able to sup port that key proj ect. OKRs enable transparency, alignment across departments, and coordination as a team. Resilient teams know when to say “no” to distractions and know when to adjust to achieve the results that matter. Resilience is built when every member of the team knows the mission, knows how their actions affect results, is measured, and provided with the right incentives to deliver those results. 3. Provide Role Clarity Let’s begin with a quote: “Lead, follow, or get out of the way.” “

Each of our team members knew which metrics they were responsible for. We measured it and reported it, so every one knew how the team was progressing. This reinforced our focus since we were measuring activities and results aligned with our mission. There was agreement, friendly competition, and support for one another for the benefit of the team. A quick comment on our BC/DR met rics. Only the first two metrics captured our customer experience: how well the leadership teams responded to actual crisis events, and whether the BC/DR plan activation met its objectives. The

and adapt, to work their area of expertise when they are aligned on the mission. Even in the absence of communication or clear direction from leaders, a team member is empowered to take steps needed to achieve the mission. Incentives clarify and align teams on the mission. The structure of organizations allow people to hold one another account able, to reward positive results, and punish negative behavior. This requires atten tion and ongoing review to ensure well intended incentives don’t undermine the big mission.

14 DISASTER RECOVERY JOURNAL | FALL 2025

Protecting Performance

Visit us at booth #302/304!

Leveraging decades of expertise in data recovery and business resiliency, Recovery Point offers a proactive approach to identifying and safeguarding your most critical data, combined with a secure and tested means of recovery for end-to-end coverage for cyber events.

I CAN SLEEP AT NIGHT. - MANUFACTURING CLIENT

5.0 OVERALL USER RATING

DIRECTOR OF OPERATIONS & INFRASTRUCTURE

877.445.4333

RECOVERYPOINT.COM

I was talking with a business executive who served in the military. He said before learning how to give orders, he learned to take orders. The point here is role clarity. I have been fortunate to work with many people who served in the military and as emergency responders. I have observed those who work in emergency rooms and hospitals. What I see is role clarity. Each person doing their job, knowing when to step in or when to stand back in support of the big mission. In these cases, savings the lives of a patient, a child in a burning building, or a teammate in battle is often the ultimate mission. The thoughts are sobering. Here are two ways to define organiza tional roles that build resilience. n The first is to develop an organi zational structure that is fractal . This means defining teams as modular and scal able. This resolves single-point-of-failure problems. Our crisis management teams were responsible for leading the company’s response in a specific geographic area, for example in Florida, Mid-Atlantic states, or Pacific Northwest. These were a frac tal design that followed the company’s organizational structure. It made sense. Each team had the same structure, the same roles. They were already subject matter experts on their primary role, and since the teams were modular, they were able to provide support across teams when needed. For example, the leader of a network team in Florida could step into the same role on a different team in Texas. Not everything was identical, but they were smart, capable professionals, willing to adapt and support the big mission: ensur ing the reliability of our wireless network, for customers, and first responders. Often these teams would work together. Leaders from one region would travel to support their peers, who might literally be under water after a flood. Indeed, team member’s homes, cars and family are not immune during a crisis. The fractal design of the crisis man agement teams eliminated single points of failure in our crisis response capability.

The teams were more resilient as a result, and customers benefited. Go team! They even made a Super Bowl com mercial about it. For real. n The second point is role flexibility . This means team members are trained for their primary role, but have incentive to step outside this role to support the bigger mission. This resolves the “not-my-job” syndrome. Our BC/DR team was responsible for managing the company-wide program, crisis management, plans, tests, etc. We were a small team with big impact. We needed clarity in our roles, but also needed to step in for each other on weekends or if there were simultaneous crisis events to manage. Our team was measured based on indi vidual and team performance. We publicly shared our status in open forums within the broader department. Peer pressure toward a common goal is a powerful motivator. No one wants to be the person holding the team back from achieving its goals. The team and its mission remains resil ient, intolerant of poor performance. This makes a leader’s life easier, when the team helps enforce good behavior, and helps support one another during the inevitable surprises and challenges. When we help others, they are more likely to help us during a time of need. It too is common sense – and a beauti ful thing to see in action – to know and trust that someone else has your back. Not because they have to, but because they want to. Strong teams are inspiring and resilient. 4. Demonstrate Discipline Discipline is a unique word in the busi ness world, likely associated with pun ishment for poor performance or conduct violations. It may typically relate to nega tive behavior or things to avoid, but there are many positive disciplines. For example, team members appreciate it when others arrive on time for meetings, or when people follow through on com mitments, stay within budget, and act with integrity. These also seem like common sense, yet remain a challenge for many

teams. This is reality. Vince Lombardi, the famous football coach, was renowned for starting meetings early. When he first took over as coach of the Green Bay Packers, the team struggled due to the lack of discipline expected by their prior coach. Coach Lombardi made his point by prompting them to get back to basics. Living and breathing the basics makes a difference in the business world as well. Strong team members act with discipline, even when their leaders do not. These actions from within the team may be as important to the success of the team, help ing to set acceptable standards of perfor mance. Teams can self-regulate, when they know the mission, and rise to the occasion with their own discipline. There is a source of pride within a team. When a team wins. When a team has a reputation for delivering results when others fail. When a team works together through a significant challenge ... these things are good. They feel good and they breed more success. It becomes part of the team discipline. Sun Tzu, the ancient strategist, reminds military leaders of the seven ways to deter mine which side will win during a battle. Three of these pertain to discipline: u On which side is discipline most rigorously enforced? u On which side are officers and men more highly trained? u In which army is there the greater constancy both in reward and in punishment?” If you were to pick a team to help you win a competition, would you pick a team that has more discipline or less? Easy answer. Discipline is an asset that builds successful teams. 5. Add a Margin of Humanity “Boss, I screwed up.” It’s not the best way to start the day. OK, so now what? One option: “You’re fired.” Another option: “Let’s fix it.” There isn’t one magic answer. Leading teams through failure goes to the heart of management, building trust, and deliver ing winning results the next time.

16 DISASTER RECOVERY JOURNAL | FALL 2025

Take Control When Every Second Counts

With Incident Response From AlertMedia

Keep your teams aligned, informed, and equipped to handle whatever comes next.

Analyze & Improve With Built-In Reporting

Communicate With Impacted Teams

Monitor Progress in Real Time

Launch Pre-Built Plans in Seconds

Assign Clear Roles & Responsibilities

Discover Everything You Can Accomplish With Incident Response Here:

$500

VISIT ALERTMEDIA AT BOOTH #411 TO ENTER TO WIN A $500 AIRBNB GIFT CARD! (800) 826-0777 // alertmedia.com // ©2025 AlertMedia

Let’s picture the positive: your strong team is on a mission. They’re working hard, sacrificing, getting stronger, build ing confidence and capability. This looks good, but maybe there’s another competi tor, who is also strong, or scores a lucky shot, or by some fortune wins the day. Even your strongest team can lose. It’s not

really anyone’s fault. The team performed well, prepared well, but was just beaten. Someone had to lose, even in the Super Bowl. A painful reality after all that prepa ration. Even worse, maybe someone on the team screws up and says the wrong thing to a customer. Maybe they show up late

for an important meeting and it’s too late to recover. This is a different way to lose. Is someone at fault? Sure. Discipline, coaching, long talks? All of that. The point here is that teams need to deal with and work through losses, screw ups, and failure. Sports and business are filled with examples of individuals and teams who don’t give up, who come back next year, who persevere, figure it out, and win next time. I believe teams can build this as a skill. I call it “adding margin.” This means taking action to increase the resilience of the team. To add margin, interact with the team in a way that: u Increases the likelihood of success. u Reduces the likelihood of failure. u Recognizes we can’t control everything. u Understands mistakes happen and things break. This often means taking a breath, offering to help a teammate, or giving a teammate some latitude when they need it. These actions are investments into the team’s future success. In business school they taught us the best businesses are those with high gross margins. The reason is that with a high gross margin, the leadership team has plenty of room to screw up and still make a profit. It’s the same concept when building a resilient team. It’s a golden rule for teams: treat others the way you want to be treated. Treat teammates with common sense. Encourage leaders and teammates to give each other latitude, to add margin, so when the unexpected happens, or when some one screws up, the team is motivated to respond quickly and together. Let’s build high performing, resilient teams. v

Bob Klemme is managing director and founder of Trailmark Co., a consulting firm focused on increasing the strategic resilience of organizations. He managed the BC/DR program at Verizon Wireless

and subsequently developed an approach for managing strategic innovation risks for Verizon’s strategy depart ment. Prior to Verizon, Klemme was a consultant with PricewaterhouseCoopers.

18 DISASTER RECOVERY JOURNAL | FALL 2025

Do you have a fail-safe way to communicate the prevention plan during a crisis?

Visit Booth 518 to secure your organization BlackBerry.com/athoc

1. The Efficiency Trap: Automation and Its Blind Spots AI enhances productivity. It can reduce delays and perform repetitive tasks faster than humans. However, blind reliance on AI also introduces continuity vulnerabili ties: n Emotional signals get missed: AI tools aren’t yet able to detect emotional nuance. A stressed customer using non-standard phrasing may not get appropriate escalation, especially with chatbots or voice assistants. n Escalation pathways are obscured: Automated systems often bury the path to human help. This breeds frustration and delays resolution of problems that might escalate into major crises. n Critical thinking degrades: Employees trained to trust system outputs may lose confidence in their own judgment. When systems fail – or give misleading outputs – staff are less likely to intervene effectively. Automation isn’t inherently risky. But when systems are designed without human-centered resilience in mind, small issues can snowball into large-scale dis ruptions. 2. The Human Factor in the Post CoTech Era The Post-CoTech (Post-COVID + Technology) era has altered how humans engage with one another and with machines. While AI provides efficiencies, it also deconditions us from critical think ing and human connection. Generational Blind Spots Different age groups interact with tech nology differently. Generation X leaders, who grew up in analog environments, are often more skeptical of automation—but they may not fully understand today’s sys tems. Gen Z professionals, digital natives by birth, may trust system outputs too readily. This creates a leadership gap: decision makers may either under-trust or over trust AI, leading to mismanaged risks. Organizations must be attuned to these generational differences when training staff and designing response systems.

Hidden AI Risks BCM Leaders Must Prepare for Now Risks That Don’t Blink on a Dashboard

By YULY GROSMAN

I

n boardrooms and crisis manage ment meetings, conversations about artificial intelligence (AI) often revolve around efficiency, automa tion, and optimization. AI promises to streamline logistics, elevate customer experiences, and improve operational throughput. However, in the pursuit of technologi cal excellence, organizations may be walk ing past a growing hazard – human-tech friction and emerging threats that remain

invisible until it’s too late. Business con tinuity management (BCM) professionals are increasingly responsible not just for systems recovery, but for detecting early warning signs of disruption that blend human behavior with technological fail ures. In this article, we explore the under reported, often misunderstood risks at the intersection of AI, automation, and human vulnerability – and why BCM profession als must evolve their strategies now.

20 DISASTER RECOVERY JOURNAL | FALL 2025

2. Integrate remote threats: Update BCM plans to account for remote disruptions like drones or cyber-physical incidents. Run scenario-based drills. 3. Collaborate across functions: Ensure HR, security, and operations are aligned on incident protocols, including internal violence, emotional support, and tech related failures. 4. Maintain human backups: Automation isn’t a catch-all. Keep trained staff ready to step in for fraud, legal, or safety incidents requiring discretion. 5. Invest in leadership agility: Train decision-makers and first responders in flexible thinking, not just protocols. Focus on empathy, quick judgment, and scenario planning. Conclusion: Resilience Is Human Work AI is here to stay. So are drones, auto mation, and machine-assisted decision making. But the hidden risks they create are human: missed cues, overlooked frus trations, and decision fatigue. Leadership in this new era must go beyond recovery playbooks and dash boards. The most dangerous threats are often the ones you never see … because you weren’t looking. Business continuity begins with human continuity. Let’s not wait for a crisis to remind us. v transforms how teams lead, communicate, and operate under pressure. His philosophy, look-listen-respond, distils decades of experience in international business, special forces, and elite bodyguard instruction into three tactical behaviors. These enable leaders to build trust, respond with clarity, and deliver results when it matters most. Grosman doesn’t just share theory; his immersive, story driven keynotes are built on real-world consequences. He has trained thousands globally, from first responders and venture-backed startups to C-suite executives, provid ing hands-on leadership insights. His talks and seminars are ideal for CEOs, HR departments, law enforcement, and healthcare teams, equipping participants with proven methods to de-escalate conflicts, navigate aggression, and enhance emotional intelligence for critical situational awareness. Grosman is also loving father and husband. For fun, he travels and hikes, reads books, attends plays, and spends time with his family. Yuly Grosman’s rare duality – half a life building successful international busi nesses, the other half leading in danger ous environments – shapes his approach as a high-impact corporate speaker. He

As attack vectors shift from in-person to remote, BCM teams must evolve their models: n What constitutes an “active shooter” when the operator is remote? n Are existing policies and insurance frameworks prepared for drone-enabled disruptions? n Do crisis communication and evacuation plans account for aerial threats? These emerging risks demand not just new protocols, but new thinking. 6. Tactical Framework: Look. Listen. Respond. A resilient organization is not just tech-enabled – it’s tactically aware. The look-listen-respond framework adapts real-world situational intelligence training for BCM environments: LOOK: Situational Awareness n Recognize signals of distress early. n Monitor changes in employee behavior. n Stay alert to anomalies, including drone sightings or emotional client escalations. LISTEN: Human Intelligence n Build real escalation channels. Don’t hide humans behind 15 clicks. n Empower front-line employees to report concerns without fear. n Track micro-incidents before they become macro failures. RESPOND: Decisive, Human-Centered Action n Train teams to adapt—not freeze—when automation fails. n Review crisis plans to include remote threats like drones. n Equip teams to de-escalate with empathy, not just procedure. 7. Strengthening Organizational Resilience: Five Actions BCM Leaders Must Take To prepare for a future where human and machine interactions dominate conti nuity risk, leaders must act now: 1. Audit escalation systems: Make sure humans can be reached quickly when needed. Track time-to-human metrics and enforce maximum thresholds.

3. Case Snapshot: Delayed Response, Compromised Continuity A logistics customer suspects fraud on their account. The AI chatbot doesn’t recognize the query. After multiple esca lations, voice recognition fails due to a strong accent. After 30 minutes and three attempts, the customer gives up. What began as a service request cas cades into a BCM event: n Fraud potentially continues unchecked. n The customer suffers preventable stress. n Trust is damaged, leading to potential account loss. n A vulnerable client (e.g., elderly or stressed) could experience a health crisis or respond with aggression toward staff. This isn’t a one-off. These micro-fail ures – unnoticed, untracked – are becom ing macro-risks for BCM professionals. 4. Cascading Risk: When Frustration Escalates Unresolved tension between people and systems doesn’t stay digital. It can manifest physically: n Stress injuries: For customers or employees with health vulnerabilities, prolonged stress can lead to heart attacks, panic attacks, or strokes. n Aggressive behavior: Unresolved friction may lead to verbal abuse or threats toward staff. n Workplace violence: In extreme cases, it could escalate to workplace aggression, even acts of violence. Ignoring these pathways until they explode into formal incidents leaves organizations scrambling and ill-pre pared. 5. Drone Threats and Remote Active Attacks Remote, AI-enabled attacks aren’t just science fiction anymore. Drones— once used for recreation—can now be weaponized with improvised payloads. Commercial-grade drones can bypass perimeter controls and deliver attacks without a human ever stepping foot onsite.

22 DISASTER RECOVERY JOURNAL | FALL 2025

The Recency Effect and Its Impact on Disaster Planning The recency effect isn’t often discussed in emergency management, but it plays a role, especially in states that don’t fre quently experience large-scale disasters. Since 2005, FEMA has declared 2,770 (as of June 22, 2025) disasters across the US, with states like California, Florida, and Texas facing high disaster risk due to wild fires, severe storms, and tropical systems, as identified in the FEMA National Risk Index (NRI). What about states that don’t experi ence disasters frequently? Speaking as a Marylander, our state has experienced 15 declarations as a result of natural disasters (removed COVID and evacuation support for Hurricane Katrina). It has been since Tropical Storm Isaias in 2020 damage sus tained from a weather event has reached the level of a major disaster, and only in three counties. While we experience local ized impacts like tornado outbreaks in central Maryland and the National Capital Region, and tornadoes and flooding that affected Anne Arundel County, a disas ter declaration request was submitted for western Maryland, but a response from FEMA had not been received when this article was submitted. What does this mean for the systems responsible for planning, response, and recovery? Research shows we tend to under prepare for disasters when it is not fresh in our collective memory. Weber (2006), Kunreuther and Michel-Kerjan (2009) highlight that risk perception is often shaped by recent events, leading to reactive rather than proactive disaster planning. With tight budgets and a steady stream of day-to-day priorities, it’s easy to see why disaster planning takes a back seat, especially when a community hasn’t faced a major disaster in years. Conceptually, its importance is recognized. In practice, the key question often becomes: What level of resources can and should be set aside to ensure an effective recovery when the next disaster hits? Without the collaboration of legisla tors, budget managers, governmental

Ellicott City, Maryland 2018 by Sara Bender

Recency Effect’s Role in Disaster Planning and Preparedness By SARA BENDER T he writing is on the wall. Budget struggles at all levels of govern ment, and the likelihood fed eral support for disasters will be reduced or even go away com pletely. It brings to mind the recency effect; a mental shortcut where people tend to remember recent events or info In the context of emergency manage ment, it plays both a subtle and powerful role, explaining why disaster planning is stronger after a significant incident occurs and then loses momentum as our memory of the disaster fades. better than things they’ve not experienced for a long time (or ever).

24 DISASTER RECOVERY JOURNAL | FALL 2025

Stay Ready, Be Resilient.

BUSINESS-ALIGNED CYBER & OPERATIONAL RESILIENCE STRATEGY, IMPLEMENTATION, & MANAGED SERVICES

As a leading professional services firm, MorganFranklin Consulting specializes in comprehensive solutions for cybersecurity and adjacent services. Our dedicated approach allows us to protect clients' critical assets and enhance their resilience by addressing specific needs, ensuring cost-effective and results driven delivery.

Crisis Management Cyber Resilience Business Continuity & Disaster Recovery

Emergency Preparedness Training & Exercise

Learn more at mfcyber.com

departments, nonprofits, businesses, and communities, we just aren’t prepared. The success of disaster planning hinges on building these partnerships during blue skies. Coordination cannot begin after an incident; it requires ongoing commu nication, planning, and trust developed through meaningful collaboration. Each stakeholder brings unique experiences and resources, and only by working together in advance can we ensure an effective, timely, and equitable response when disas ters happen. Expanding the Circle: Partnerships To strengthen this shift, states should also consider building formal multi state mutual aid agreements outside of the Emergency Management Assistance Compact (EMAC). While EMAC is a critical tool for sharing resources during large-scale emergencies, its framework isn’t always flexible enough for regional or hazard-specific partnerships. Bilateral or regional agreements could allow states to more effectively coordinate responses for shared risks, streamline resource deployment, and support recovery mis sions where EMAC may not apply, as well as formalize the non-emergency functions such as training to develop standardized procedures, planning support and coordi nated regional mitigation. Equally important is bringing the pri vate sector into all phases of emergency management. Businesses, especially those in logistics, energy, communications, construction, and housing hold resources and capabilities that can fill vital gaps during a disaster the public sector cannot. Establishing partnerships with key indus tries in advance, through memorandum of understanding (MOUs), shared train ing, or integration into planning exer cises, ensures better coordination and faster recovery when it matters most. The National Business Emergency Operations Center (NBEOC) is a good place to start – or your state’s BEOC – but the collabo ration should not begin and end during emergencies. These partnerships are not a replace ment for public or private prepared ness; they’re a force multiplier. In times

Washington County, Maryland 2018 by Sara Bender

of crisis, no single entity can carry the full weight of response coordination and recovery. Together, with coordinated plan ning and shared responsibility, we can build systems that are more resilient and more responsive; regardless of how much federal support is available. Ultimately, disaster recovery can’t be the responsibility of the government alone, but government emergency man agers can and should be acting as the bridge for strong coordination. A whole community approach is essential, one that draws on the strengths of local leaders, businesses, nonprofits, faith-based orga nizations, and residents. This approach ensures planning is inclusive, recovery is equitable, and support reaches those who need it most. To build a future where communities can bounce back faster and stronger, we need to act before the next disaster …

not after. The time for rethinking emer gency management and disaster planning is now. v

Sara Bender currently serves as the direc tor of disaster risk reduction at the Maryland Department of Emergency Management (MDEM), providing oversight to the risk & recovery, communications & outreach,

public assistance, hazard mitigation, and whole commu nity integration branches. Previously, she was the public assistance officer and branch manager. During her time at MDEM, she has also served as the state coordinating officer, leading damage assessment and infrastructure recovery for three declared natural disasters, as well as the COVID-19 event. She has also served as the executive liaison for the FSK Bridge and the 2025 western Maryland flooding incidents. Prior to joining the staff of MDEM, she served in the US Air Force and continued to serve as a federal employee, also with the Air Force, until September 2016, when she transitioned to service with the State of Maryland. Bender holds an M.S. in management and public relations, and graduate certificate in human resources. She has also attended the FEMA Executive Academy and the Executive Leaders Program at the Center for Homeland Defense and Security at the Naval Postgraduate School.

26 DISASTER RECOVERY JOURNAL | FALL 2025