Disaster Recovery Journal Spring 2024
Spring 2024 • Volume 37, Number 1
The State of Disaster Recovery Preparedness 2024
INSIDE: Strategic Resilience in 2024 • Disaster Recovery Investments Grow Revenue, Not Just Cut Costs • Data Stored in Cloud-based Applications • Emergency Notification Directory
Disaster Recovery Journal
1862 Old Lemay Ferry, Arnold, MO 63010
(636) 282-5800; Fax: (636) 282-5802
Internet: www.drj.com
E-mail: drj@drj.com

EXECUTIVE PUBLISHER: Bob Arnold, bob@drj.com
EDITOR IN CHIEF: Jon Seals, jon@drj.com
ASSOCIATE EDITOR: Pam Clifton
PRESIDENT: Bob Arnold, bob@drj.com
DIRECTOR OF EVENTS: Lesley Vinyard, lesley@drj.com
REGISTRATION MANAGER: Rose Chotrow, rose@drj.com
SENIOR WEB DESIGNER: Amy Faulkner, amy@drj.com
EVENT MARKETING: Sonal Patel, sonal@drj.com

EXECUTIVE COUNCIL
Dan Bailey, Jeff Dato, John Jackson, Peter Laz, Margaret Millett, Frank Perlmutter, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson

EDITORIAL ADVISORY BOARD
Erick Anez, Rich Cocchiara, Ashley Goosman, James Green, David Halford, John Hill, Ray Holloman, Colleen Huber, Cary Jasgur, Lisa Jones, Joan Landry, Melanie Lucht, Melissa Muñiz, Nicole Scott

ASIA
Business Continuity Planning Asia Pte Ltd (BCP Asia)
Henry Ee
1 Commonwealth Lane #08-27, One Commonwealth, Singapore 149544
Phone: (65) 6325 2080; Fax: (65) 6223 5363
General: enquiry@bcpasia.com
Events: conference@bcpasia.com
Direct: henry@bcpasia.com
www.bcpasia.com

UNITED ARAB EMIRATES
Continuity and Resilience, A Division of CORE MANAGEMENT CONSULTING
Dhiraj Lal, Executive Director
P. O. Box 127557, Abu Dhabi, United Arab Emirates
+971 2 8152831 | +971 2 8152888
dhiraj@continuityandresilience.com
www.continuityandresilience.com

SOUTH AMERICA
DRJ en Espanol
Ruth Rocha, Commercial Director
+ (51) 1 436 6456 (landline, Peru)
+ 1 (786) 600 1864 (USA)
ruth.rocha@drjenespanol.com
www.drjenespanol.com

TABLE OF CONTENTS

COVER: The State of Disaster Recovery Preparedness 2024, By BRENT ELLIS
Strategic Resilience in 2024, By KEITH FREDERICK
Disaster Recovery Investments Grow Revenue, Not Just Cut Costs, By PATRICK DOHERTY
Diversity, Equity, and Inclusion for Continuity and Resilience, By RAY HOLLOMAN
Data Stored in Cloud-based Applications: The Next Frontier in Data Protection, By JEROME M WENDT
The Path to Continuity and Resilience Program Success in 2024, By STEVE RICHARDSON
Adapting to Change: Strategies to Mitigate the Impact of Rising Flood Risks, By STACI SAINT-PREUX
Assessing the Risks of AI Dependence in Organizational Resilience, By NATHAN SHOPTAW & JOHN HILL
When a Data Disaster Strikes, What’s Next?, By ERIC HERZOG
Career Spotlight: Priscila Nascimento, By SELMA COUTINHO
Emergency Notification Directory
DISASTER RECOVERY JOURNAL is copyrighted 1987-2024, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.
FROM THE PRESIDENT’S DESK

Networking, Information Sharing Bolster Business Resilience

The recent surge in major disasters underscores the vulnerability of businesses. While some have struggled or even shuttered, others have thrived amidst the chaos, largely due to effective networking and information sharing practices.

Networking involves forging connections with professionals within and beyond one’s industry, through events, conferences, and social media platforms like LinkedIn. Information sharing, meanwhile, entails exchanging expertise and resources through various channels such as brainstorming sessions, mentorship programs, and collaborative ventures.

Together, networking and information sharing bolster business resilience in several ways:

Access to Expertise and Resources: Networking opens doors to a plethora of knowledge and resources otherwise inaccessible. Businesses can learn from others’ experiences, collaborate on projects, and even pool resources for mutual benefit.

Increased Visibility and Credibility: Building networks helps businesses enhance their brand visibility and credibility within their industry. Participation in events and interactions with thought leaders can attract potential customers and partners, fostering trust and credibility.

Opportunities for Innovation: Information sharing catalyzes innovation by facilitating the exchange of ideas and perspectives. Collaborative efforts enable businesses to identify emerging trends and technologies, driving operational improvements and product/service development.

Enhanced Resilience: Crucially, networking and information sharing create a safety net for businesses during crises. Strong relationships provide access to support networks, enabling swift responses to challenges such as natural disasters or pandemics.

While these practices demand effort and commitment, their benefits are substantial. To leverage networking and information sharing effectively, businesses can:

Attend Events and Conferences: Actively participate in industry gatherings like DRJ spring and fall conferences to network and stay abreast of developments.

Join Industry Groups and Associations: Engage with professional associations like ACP and other local networking groups to connect with peers and access relevant resources.

Utilize Social Media: Leverage platforms like LinkedIn to expand professional networks and participate in relevant discussions. DRJ has a LinkedIn page and group with lots of industry information and thousands of members with whom to connect.

Seek Mentorship: Cultivate relationships with experienced professionals who can offer guidance and share insights. The DRJ Mentor Program is a 10-month, structured, accelerated learning program, which connects seasoned professionals with those newer to their industry who wish to develop their skills and career. It’s also completely free!

In conclusion, networking and information sharing are indispensable for businesses navigating today’s dynamic landscape. By fostering relationships, exchanging knowledge, and collaborating on innovative initiatives, businesses can fortify their resilience and position themselves for sustained success amidst uncertainty. Whether embarking on a new venture or scaling up operations, integrating these practices into business strategies is paramount.

BOB ARNOLD, MBCI Hon.
PRESIDENT
bob@drj.com
The State of Disaster Recovery Preparedness 2024
By BRENT ELLIS
Disaster Recovery Preparedness Is Evolving
Many businesses understand the need for disaster recovery capabilities, but adoption and implementation of various practices and capabilities are mixed. Forrester Research and the Disaster Recovery Journal (DRJ) have partnered to field a number of market studies in business continuity and DR to gather data for benchmarking and to guide research and publication of best practices for the industry. This study, which focuses on DR preparedness, was first fielded in the fall of 2008 and then again in 2011, 2013, 2016, 2020, and 2022. We designed the 2023 study to determine organizational confidence in DR preparations and preparedness; the drivers fueling continued improvement in DR preparedness; organizational practices regarding DR program governance, planning, plan maintenance, and testing; how organizations provision and architect their data center recovery sites; current recovery objectives and technology adoption; and the integration of cloud-native and software-as-a-service (SaaS) workloads into DR planning.
Nearly All Businesses Do Some Form of Disaster Recovery Planning

Our 2023 survey revealed businesses recognize the need for a DR strategy and capabilities, with more than 90% having some sort of DR program. Only about half of respondents plan for disaster recovery at the enterprise level in a centralized program, and just under 11% of respondents plan for DR in localized silos (see Figure 1). The survey also found more than 70% of respondents allocate between 0% and 10% of their total IT budget to DR. Almost 30% spend more. Previous surveys have found businesses overwhelmingly see DR as a critical priority, with 24/7 business activities as a top driver, but integration of those priorities into overall business strategy is still lagging.

DR Primarily Belongs To I&O, But Risk Professionals Are Increasingly Involved

DR planning and strategy still falls primarily to IT, with about 45% of respondents saying their head of DR is part of infrastructure and operations (I&O) (see Figure 2). Silos still exist though, and they’re difficult to overcome. For large enterprises which consist of different business units, the loosely coupled silo approach remains pragmatic. However, we’re seeing movement toward a more practical federated model where overall governance, strategy, policy, processes, and standards are set by a strong corporate group, especially risk management pros. Local planners then customize specific plans for their region or business unit. But these changes aren’t happening quickly enough. Our study revealed:
• DR visibility normally doesn’t reach the C-suite. DR programs have limited C-suite visibility, with only 41% of DR program heads reporting to a C-level executive (see Figure 3). Though in this year’s survey we saw an equal number of respondents report the head of DR reports two levels down from the C-suite, a big jump from the 26% reported in our last survey. Moving the role up in the organization strengthens alignment with overall business needs and increases access to resources for ensuring technology resilience for critical business functions.

• DR is increasingly a risk management concern. Firms are clearly aligning DR programs with risk management. Close to two-thirds of respondents reported their enterprise risk management (ERM) and DR programs are related, even if they’re not part of the same functional organization (see Figure 4). Furthermore, 23% of DR programs are directed by a risk management function. As technology strategy becomes more synonymous with business strategy, technology outages form a more direct threat to business revenue, reputation, and regulatory posture. Risk professionals bring a more holistic perspective to mitigating risk and balancing investment properly to address the needs of the business.

DR Planning and Practices Leave Many Unprepared

About 17% of survey respondents reported having a significant disaster, outage, or business disruption in the last two years. Additionally, less than 40% of respondents felt very or extremely prepared to deal with a site failure or disaster (see Figure 5). Forrester has found:

• Business impact analyses (BIAs), risk assessments, and DR plans need attention. Roughly 69% of respondents update DR plans annually, with another 20% updating more frequently (see Figure 6). Risk assessments and BIAs follow similar update patterns. Fewer than 20% of respondents update these three aspects of risk and recovery planning twice a year or more frequently. In a business climate which demands constant technology change, having a long update cycle means
businesses are left unprepared for disasters related to new technologies and services or emerging cyber threats.

• DR readiness dashboards remain poorly adopted. Only 31% of respondents reported having a dashboard to indicate recovery readiness for their organization (see Figure 7). Without effective reporting, addressing gaps or problems in the DR program is impossible. Businesses seeking enhanced DR capability need tooling which will help them assess how recoverable their infrastructure is. Backup and DR vendors are working to make this process easier with the inclusion of synthetic and automatic test routines as well as tracking recovery time objective (RTO) and recovery point objective (RPO) thresholds to help identify applications and services which are violating stated policies.

DR Site Preparedness and Failover Testing Lack Scope and Frequency

A key component of DR preparedness is having an alternate site to launch workloads in the case of a failure. Those DR sites are usually prepopulated with replicated data, virtual machine (VM) or container images, and the relevant automation to orchestrate failover in the case of crisis. Public and private cloud technologies have reduced the need for dedicated disaster recovery sites with many businesses implementing disaster-recovery-as-a-service (DRaaS) strategies which use pre-cached data, infrastructure-as-code automation, and pilot light infrastructure to minimize resource utilization until the point of failover.

• Current DR sites don’t protect the full spectrum of critical services firms rely on. Ninety-three percent of enterprises have at least one DR site; 34% have more than one (see Figure 8). Given only around 50% of organizations have an enterprise-wide DR program, much of the DR or DRaaS infrastructure businesses maintain only address a subset of DR needs. Additionally, discussions with DR professionals have indicated many traditional DR sites aren’t properly sized to accommodate a full-site failover.
• Failover isn’t tested enough. More than half of enterprises do a partial or full failover to their DR site (see Figure 9). Many organizations only test component-by-component DR failover, which has limited usefulness. Partial failover doesn’t simulate true data center outages and the complications those types of outages bring. Ideally, an organization will be able to fail fully to a DR test location and fail back seamlessly. However, practices show the current state of DR infrastructure is less than ideal.

Disaster Recovery for Cloud Workloads Is Slowly Maturing

Cloud is hardly new, but in the area of disaster planning, it’s still immature. In 2023, we saw several outages from major hyperscalers and many small outages from smaller cloud and hosting providers. Just under one-half of respondents reported they were able to failover workloads to alternate availability zones or regions in the same cloud provider. Surprisingly, about 8% of respondents do DR in alternate cloud providers, and many respondents (16%) failover public cloud-based workloads to an on-premises data center (see Figure 10). One difficulty for cloud-based workloads is determining the risks a workload is exposed to and understanding the default resiliency of the cloud services being used. Even things like hyperscaled automation can introduce risks which are unfamiliar to seasoned DR professionals. Strategies for ensuring cloud resiliency are maturing even as enterprises continue to evolve application architecture to include more third-party services, often shifting risk mitigation from technical remedies to contractual and legal methods.

Enterprise SaaS Adoption Is High, Making It a Priority for DR Planning

More than 86% of respondents indicated they are using Microsoft 365, Google Workspace, Salesforce, or other enterprise SaaS tools (see Figure 11). Furthermore, 96% of respondents, from a base of 36 total respondents, consider all or some SaaS platforms in their DR planning. While major platforms like the three identified in this survey have a robust ecosystem of backup options, not all SaaS are created equally, and backup of SaaS applications can be tricky. Additionally, as enumerated in Forrester’s How To Create A SaaS Application Resilience Strategy, providing resilience for vendor-provided services is more than just backing up the data; it can mean considering alternative platforms, custom SLAs and shared risk, or even legal protections as part of one’s resilience strategy.

Resilience-Related Practices Are Gaining Traction for Production Workloads

Businesses are overwhelmingly transitioning how they address DR planning with the adoption of resilience and reliability practices (see Figure 12). Specifically, many respondents said they have already adopted or plan to adopt practices which improve the ability to respond to emergent errors and failures as they happen, like site reliability engineering (SRE), infrastructure as code (IaC) automation, and chaos engineering (see Figure 13). Underlying many of these technology practices is the infrastructure shift to cloud-native computing using containers; just under half of 34 respondents reported operation of production workloads in Kubernetes environments. Forrester has found in other studies, nearly two-thirds of enterprises are adopting Kubernetes in private and public cloud. This discrepancy highlights a disconnect between what DR professionals expect to protect versus what is actually being adopted.

Supplemental Material

Research Methodologies

For the Forrester/Disaster Recovery Journal November 2023 Disaster Recovery Practices and Preparedness Survey, Forrester and the Disaster Recovery Journal (DRJ) conducted a joint survey. The survey was fielded globally to IT, disaster recovery (DR), and risk professionals with affiliations to both Forrester Research and the DRJ as well as to a randomized list of IT, DR, and risk professionals. Additionally, on LinkedIn
and Twitter, we solicited responses from technology professionals with responsibility for DR planning. This process generated a total of 90 responses, 46 indicating they have a disaster recovery program and were able to complete the survey. In this survey:

• Thirty-three percent of respondents were from companies which had 0 to 999 employees (defined by Forrester as small and medium-size businesses); 18% had 1,000 to 4,999 employees; 26% had 5,000 to 19,999 employees; and 23% had 20,000 or more employees.

• All respondents were decision-makers or influencers in regard to planning and purchasing technology and services related to disaster recovery.

• Respondents were from a variety of industries.

One part of the response set for this study was solicited from a select group of respondents (predominantly DRJ members and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in business continuity/DR. A second set of respondents was solicited based on their professional title in IT, DR, or risk management. This list was randomly generated. Additional responses were solicited via social media on LinkedIn and Twitter for a semi-random response set. With a combination of random and nonrandom responses, the survey serves as a valuable tool in understanding where both advanced and average users are today as well as where the industry is headed.

Special thanks to Lauren Nelson, Amy DeMartine, Lauren Alexander, and Jen Barton of Forrester Research for their contributions.

Brent Ellis is a senior analyst of technology architecture and delivery with Forrester Research. He serves technology leaders by providing holistic thinking related to technology resilience and the alignment of tech investments with business needs. His goal is to help clients find the right mix of technologies, processes, and people to maximize their goals and provide the unique value they have to the world. Ellis is particularly focused on reliable and resilient IT services, storage, cloud infrastructure adoption, mainframe modernization, and business technology alignment.
Strategic Resilience in 2024
Five Key Business Continuity Resolutions
By KEITH FREDERICK

As we embark on 2024, business continuity leaders and practitioners across various sectors must prioritize strategic resilience in a world increasingly characterized by risks and disruptors. This era demands a keen awareness of present challenges and a forward-looking approach, anticipating and preparing for future uncertainties. Reflecting on past experiences and strategically planning for the future are key steps in formulating resolutions which are timely, deeply considered, and aligned with both immediate and long-term organizational goals.

In this dynamic landscape, the role of business continuity professionals is more crucial than ever. Their responsibilities extend beyond merely building business continuity plans and responding to immediate business disruptions or crises. They also involve developing a resilient framework capable of withstanding and adapting to evolving threats.

Drawing from a broad spectrum of industry experience and a collective understanding of best practices, the following five resolutions are offered for consideration. Designed to enhance operational integrity, foster adaptability, and strengthen overall resilience, these resolutions are pivotal for any forward-thinking organization.

Organizations are encouraged to consider integrating these resolutions, or others more closely aligned with their unique business needs, into their strategic approach to business continuity. By adopting such tailored strategies, organizations can cultivate a proactive stance, ensuring they are well-prepared for current challenges and strategically positioned to handle future uncertainties. This approach transcends mere goal achievement; it’s about instilling a culture of resilience throughout every aspect of organizational operations. In doing so, resilience becomes not just an objective but a core element of the organizational ethos, deeply embedded in every decision and action.

1. Exercising Proactive Vigilance

The first resolution, exercising proactive vigilance, underpins all others. This approach is about more than just avoiding threats; it involves a comprehensive and active scanning of the environment in multiple dimensions – upstream, downstream, horizontally, and vertically – to identify potential risks and disruptors to products and services. Leveraging the strategic expertise of business continuity practitioners and leaders, along with employing cutting-edge technologies, tools, and resources, is crucial.

These elements are vital for effectively identifying and responding to risks, thereby ensuring the safety of employees, the stability of finances, the integrity of brands, shareholder confidence, and, critically, the trust and satisfaction of customers. By utilizing the insights and skills of
internal experts and advanced solutions, organizations can better anticipate and meet the evolving needs of their customers, maintaining and enhancing loyalty and support while adding true value to operational processes.

This proactive stance involves regular risk assessments and staying abreast of emerging trends in areas such as cyber security, market dynamics, and operational and technological advancements. By doing so, organizations can respond to immediate threats and prepare for future challenges, ensuring continual readiness and adaptability in an ever-changing business landscape.

2. Navigating Geopolitical Risks

Geopolitical shifts, such as the ongoing Russia-Ukraine conflict and the Israeli-Gaza tensions, significantly influence business risks and impacts. The second resolution for 2024 calls for organizations to deepen their understanding of these dynamics and integrate this awareness into their risk management frameworks. These conflicts underscore the need for vigilance and preparedness in the face of international events.

The ripple effects of geopolitical conflicts on global businesses are extensive and varied. They can lead to disruptions in supply chains, fluctuations in global markets, and uncertainties in international trade regulations. For example, the Russia-Ukraine conflict has notably raised concern about energy supplies and prices, affecting industries worldwide. Similarly, tensions in the Middle East can affect oil prices, leading to broader economic consequences.

To navigate these challenges, organizations must monitor these situations closely and understand the uncertainties they bring. This proactive approach enables them to better anticipate the potential effects on their business operations. It involves staying informed about current events, engaging in comprehensive scenario planning, and developing adaptable strategies to manage outcomes. By doing so, organizations can mitigate risks and maintain operational resilience amidst a complex landscape of geopolitical complexities, ensuring they are prepared for immediate and long-term impacts.

3. Strengthening Climate Defenses

The wildfires in Hawaii and the severe storms in Guam and New Zealand in 2023 are just some examples highlighting the critical need for organizations to enhance their climate preparedness and defense. In addressing these challenges, it is essential to consider a range of tools and methods which cater to different resource and funding levels.

Traditional meteorological data and models remain fundamental in predicting weather patterns and climate events. Additionally, internet-based weather services, news and weather channels, and community-based observations provide real-time data and forecasts which are widely accessible. Weather alert systems are crucial, offering timely warnings about severe weather events and enabling organizations to take necessary precautions to protect infrastructure, supply chains, and personnel.

An essential component of an organization’s climate defense strategy is the creation of severe weather playbooks and related training for response and recovery teams. These playbooks provide structured response plans for various weather-related scenarios, outlining specific actions to be taken before, during, and after such events. They guide quick decision-making and ensure all team members know their roles and responsibilities in the face of severe weather.

While artificial intelligence offers advanced capabilities in climate monitoring such as processing vast datasets and providing nuanced predictive analytics, it is important to acknowledge the costs associated with AI technologies might be prohibitive for some organizations. This is particularly true for smaller entities or those operating with limited budgets. Factors like the initial investment, ongoing maintenance, and the need for specialized expertise can present significant barriers to AI adoption.

For organizations with the capacity to invest in AI, these technologies can significantly enhance forecasting reliability and provide more precise warnings. However, for those facing budget constraints, combining traditional methods, simpler technological solutions, and well-developed severe weather playbooks can still create an effective climate monitoring and defense system. This multi-faceted approach ensures organizations of all sizes and resources can effectively understand and respond to weather-related risks.

4. Fortifying Supply Chains

Recent tensions in the Red Sea have once again brought to light the fragility of international supply chains, disrupting the flow of essential goods, and underscoring the urgent need for more resilient supply chain strategies. This resolution advocates for a multifaceted approach, which includes diversifying suppliers to reduce reliance on any single source or region, leveraging technology to gain enhanced visibility into supply chain operations, and developing robust contingency plans.

Equally crucial to this strategy is maintaining and strengthening cybersecurity measures. As global cyber threats continue to evolve, digital supply chains remain at heightened risk. This requires not only upholding secure data transmission protocols and conducting regular cybersecurity audits but also investing in or enhancing advanced cybersecurity and threat monitoring systems. These systems are critical for continuously scanning and identifying
This approach transcends mere goal achievement; it’s about instilling a culture of resilience throughout
every aspect of organizational operations.
“
20 DISASTER RECOVERY JOURNAL | SPRING 2024
The Global Leader in Organizational Resilience
BusineSs Continuity/Continuity of Operations information security Critical Environments
Incident Response Crisis Management & Communications
Legal, Audit, & Compliance Organizational Behavior Risk Management Supply Chain Resilience
Financial Health & Visibility Human Resources Management ICT Continuity
we educate. we credential. we lead.
Building Resilient Communities, One Organization at a Time
www.build-resilience.org | info@theICOR.org | 1-866-765-8321
potential cyber threats, enabling proac tive responses to emerging vulnerabilities. Ongoing comprehensive data protection training for employees is vital to safeguard supply chain operations against cyber vul nerabilities and ensure uninterrupted busi ness continuity. In addition to cybersecurity, physical security measures are also essential. This includes securing warehouses, transpor tation modes, and supply chain nodes against theft, tampering, and physical damage. Implementing surveillance sys tems, access controls, and security proto cols are keys to protecting physical assets throughout the supply chain. Another essential component is the creation of supply chain continuity play books. These playbooks should outline specific actions for various disruption sce narios, including identifying alternative suppliers, transportation routes, and meth ods for rapid adjustments. Stockpiling critical components or raw materials may also be considered as a buffer against dis ruptions. Effective collaboration across indus tries is crucial, balanced with the need to protect proprietary and sensitive business information. This collaborative approach can help businesses collectively navigate supply chain challenges more effectively. By proactively addressing these chal lenges and having detailed playbooks in place, organizations can enhance their preparedness and response to supply chain disruptions, ensuring a more robust and reliable supply chain. In today’s inter connected and rapidly evolving business environment, such resilience is key to maintaining competitive advantage and operational stability. 5. Dynamic Training & Exercise The final resolution for 2024 empha sizes moving beyond theoretical plans to actualize business continuity strategies in the face of significant emergencies, major incidents, or crises. This involves a shift toward dynamic training and practical exercises which foster higher engagement levels and real-world preparedness. 
For businesses in the technology sector or those focusing on testing their support technologies, virtual and hybrid exercises are particularly effective. These exercises can simulate a wide range of scenarios, including cyber-attack simulations, data breach scenarios, and coordinated disaster response, all within a virtual or partially virtual environment. This approach is invaluable for rigorously testing IT infrastructures and response protocols, providing a safe and controlled setting to identify and address potential vulnerabilities, thereby ensuring technological resilience against various digital threats and challenges.

In contrast, industries where physical operations play a crucial role benefit more from in-person exercises. These include tabletop exercises for team discussions and role-playing specific scenarios, as well as full-scale drills which simulate real-life emergency situations, including business recovery and restoration strategies.

The “crawl, walk, run” methodology is particularly effective in structuring these exercises. It begins with basic, fundamental exercises (crawl) to build foundational understanding and skills. This progresses to more complex scenarios (walk), where teams can apply their skills in more challenging situations, and ultimately culminates in full-scale, realistic simulations (run) which test the organization’s full range of response capabilities.

Involving various levels of the organization in these exercises is crucial, from front-line response teams to top management. Tailoring exercises to specific roles and responsibilities and conducting them at different levels, such as corporate, regional, or local, ensures comprehensive coverage and relevance. This approach ensures everyone understands their role during an event and how to execute the crisis management and business continuity plans effectively. Regularly updating these training programs to reflect the latest threats and best practices is also vital in maintaining organizational preparedness and resilience.
Conclusion

As we navigate through 2024, business continuity practitioners and leaders are encouraged to consider integrating resolutions such as exercising proactive vigilance, navigating geopolitical risks, strengthening climate defenses, fortifying supply chains, and investing in dynamic training and competency development into their strategic approach to business continuity. These resolutions, or others more closely aligned with specific business needs, are pivotal in cultivating a proactive stance, ensuring preparedness for current challenges, and strategic positioning for future uncertainties.

Adopting such tailored strategies transcends mere goal achievement; it’s about instilling a commitment from top management and a culture of resilience throughout every aspect of organizational operations. This approach embeds resilience not just as an objective but as a core element of the organizational ethos, influencing every decision and action. In doing so, organizations can transform potential challenges into opportunities for growth and innovation, leading to a more robust and resilient organization.

Reflecting on these considerations, what resolutions could you or your organization adopt to enhance strategic resilience? Tailoring these resolutions to address specific challenges and opportunities reinforces the commitment to resilience, making it a fundamental principle driving innovation and sustained success in your organization.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of West Pharmaceutical Services.

Keith Frederick, FBCI, CBCP, is the director of global business continuity and resilience at West Pharmaceutical Services, a leading manufacturer specializing in packaging components and delivery systems for injectable medications and healthcare products. In this role, he is instrumental in ensuring the continuity and resilience of West’s operations worldwide, a critical aspect of the company’s commitment to delivering high-quality healthcare solutions. With more than 20 years of experience, he has adeptly led complex preparedness, continuity, and recovery initiatives across various regulated sectors, including finance, healthcare, manufacturing, research, and U.S. government operations. Recognized as a key opinion leader in organizational resilience, he holds the esteemed title of Fellow of the Business Continuity Institute.
Disaster Recovery Investments Grow Revenue, Not Just Cut Costs By PATRICK DOHERTY
Today’s organizations are navigating unique business challenges amidst the increased cost and frequency of data breaches. Security incidents are overwhelmingly detrimental to an organization and significantly impact organizational health when not properly addressed. Yet alarmingly, 57% of businesses are more likely to pass incident costs onto consumers than to increase their own security investments.

The number of cybersecurity incidents isn’t likely to drop anytime soon, which means organizations must be prepared to navigate an attack and quickly get back up and running in its aftermath. To sustain business continuity, enterprises must heighten their focus on disaster recovery (DR) to ensure their data remains protected and they’re able to quickly get their systems back online.

It’s a longstanding responsibility of IT to articulate the value of a data protection plan. However, as data protection has become a critical business issue, it involves a wider variety of stakeholders. Take the chief revenue officer (CRO), for example. The CRO role has evolved to oversee full revenue cycles comprised of critical customer and prospect data. This means CROs not only have a front row seat into other organizations’ “crown jewels,” but they own the responsibility of protecting this sensitive information.

Historically, discussions around downtime often center around lost money, as lost productivity costs equate to thousands of dollars per minute. As the CRO role has shifted, the primary responsibility remains: to oversee the enterprise revenue cycle. When it comes to IT, advocating for data protection investments must include a clear understanding of both cost and revenue. More specifically, downtime isn’t just about reducing cost, it’s also about driving long-term impacts on revenue. It is critical for IT and security teams to advocate for a comprehensive DR plan to the CRO and contemplate how to enlist this person as an advocate in prioritizing investment in DR solutions.

Enlisting the CRO in Disaster Recovery

Business leaders often fail to recognize DR is an integral component in building a strong data protection plan to keep an organization operating in the event of disruption. Developing a long-term approach to data protection should look at the bigger picture and align with business needs.

Customer Continuity

There are a variety of organizational advantages for establishing a personalized plan built around processes, solutions, and people who incorporate customer impacts of a security incident. Customers want a partner they can trust, and lost customers equate to lost revenue. Businesses fail to adequately test these processes far too often. The water always finds the crack; it only takes one process vulnerability to allow an incident to occur. At the end of the day, customers don’t have a ton of patience when it comes to losing mission-critical infrastructure. If a customer feels the organization is putting them at risk, what will stop them from moving their business elsewhere?

Improved Efficiency

Not having a thorough understanding of the systems in place and lacking routine testing processes is often what puts businesses in the eye of the proverbial hurricane. Communications around disaster recovery testing must shift away from reducing costs to focus more on building and maintaining discipline. Discipline creates efficiency, and efficiency equates to revenue. Laying out the benefits of a catered plan to pinpoint the detrimental impact of an incident helps educate CROs on why long-term data protection investments are necessary.

Clarity around the role of DR within a data protection plan also provides an opportunity to highlight how equipping your teams with the proper tools will help to further continuity. This will allow CROs to collaborate with their C-suite counterparts to reframe the conversation toward the longer-term benefits of being smart and efficient.

Reputation Protection

When approaching these conversations, think of DR as an insurance policy. For many, disaster recovery isn’t a top priority until a disaster happens, but this reactive approach can be disastrous to an organization’s reputation. Similar to downtime, there have been efforts to quantify the negative costs associated with a “bad” reputation, often centering around the increased cost to attract and retain top talent. Losing out on talent ultimately equates to fewer revenue-generating opportunities.

Reframing the Benefits of a Preventative Approach

It’s time IT and business leaders transparently align on their recovery and protection strategies as a part of holistic security measures. Oftentimes, this involves reframing the conversation around an increased likelihood of negative impacts if preventative action is overlooked:

• Increased likelihood of cyber incidents. Navigating cyber-attack attempts has become the norm within the business landscape, but those who fall victim to these attempts face increased scrutiny and potential data loss. Focusing on DR and protection strategies provides the business with an insurance policy. If a bad actor gets in through your initial security defenses, assets will be protected. Without these plans in place, businesses lack a critical line of defense.

• Lack of clear cyber response plans. A key component of developing a data protection plan to encompass DR is an incident response plan. This plan helps align internal teams on the actions that should and shouldn’t be taken amid an incident, like not paying ransom as it can exponentially increase the risk of a second attack. Lacking a clear course of action for all internal teams and stakeholders can further exacerbate risk.

• Internal burnout. IT and security teams are on the front line during cyber incidents. These internal teams are already facing an immense amount of pressure as they operate and secure the backbone of an organization’s infrastructure. Adding an attack to the mix further overwhelms the IT and security workforce as they’re left to mitigate the impact. A strong DR plan in place means IT and security teams have the necessary tools to keep critical assets protected, alleviating the burden of an attack.

Now is the Time to Revisit Recovery and Protection Strategies

As we kick off a new year, now is the time for IT and security teams to start thinking about DR in terms of costs and revenue. This will allow them to advocate in front of CROs and be transparent about the importance of business continuity and disaster recovery plans. Ultimately, this transparency will allow the level of IT-business collaboration necessary to move investments forward. It is imperative leaders understand the value that results from placing a stronger emphasis on developing a robust disaster recovery plan equipped for the modern threat landscape.

As chief revenue officer for Flexential, Patrick Doherty leads sales, sales operations, solutions engineering, channel, commercial management, and marketing. He has his finger on the true pulse of Flexential’s revenue growth investments. Doherty is responsible for results across the entire revenue process. As a 20-year-plus veteran of the technology industry, Doherty has a long record of success across a variety of fields, including sales, marketing, strategy, and product development.
Diversity, Equity, and Inclusion for Continuity and Resilience By RAY HOLLOMAN

Over the last few years, there has been an increased focus on diversity, equity, and inclusion (DEI) in the media, but what does that mean for our industry? First and foremost, the top priority for many professionals is that our business continuity plans are enacted to ensure everyone can make it home safely.

While there is much focus on race and gender when we talk about DEI, there are other categories we should be taking into consideration, especially with some of the shifts in the workplace since the beginning of the pandemic. There has been an increase in the awareness around neurodiversity, generations in the workplace, disability, and gender identity and expression, among other topics. If we are tasked with ensuring people are safe in our workplace, especially during a crisis or incident, these plans should be accessible to everyone in our organization.

Neurodiversity has risen in visibility in the past few years as there has been more access to people who are no longer masking and asking for accommodation in the workplace to be more productive employees. Having more neurodivergent people in the workforce may mean we must shift around how plans are created or how exercises are done to be more equitable to the people responding to events. We may need to provide information differently than how it has always been done, which is fine. Updating and changing our practices is a good thing, and there should always be a review to ensure the plans still meet any company or certification standards while also ensuring plans are practicable for the people and teams working on the plan.

Reducing long passages of text, when a checklist would suffice, is a change that allows for the information to be consumed by more groups. It has been said many times, no one is reading the plan. Is the text overwhelming when one is given information and asked questions from all directions? People can consume information in various ways. How can we, as professionals, ensure people get information in the easiest ways to consume?

One of the most significant changes is that we now have five generations in the workplace, ranging in age from 16 to 75. Those five generations all have different experiences and differ in how they want to interact and be treated in the workplace. Generation Z, which is the youngest in the workplace, is much more digitally native than the Baby Boomers and those in the Silent Generation who are still working. How all those people want to receive information is different; some may still want paper plans, while others expect it to be in an app, if the action that needs to take place isn’t automated.

Navigating these differences in generations while ensuring safety is highly important because if there is a misunderstanding, that could mean a difference in how quickly operations can return to normal.

Among continuity professionals, the average age tends to skew older, so how do we continue to bring new people to the fold to ensure they feel like they can learn and be respected in the industry? Students