Disaster Recovery Journal Summer 2023


Summer 2023 • Volume 36, Number 2

Uncertain Times: Being Ready for What Happens Next

INSIDE: Convincing Management to Do a BIA; Anticipating the Ransomware Attack; When They Ask Why We Do What We Do; Consultant Directory


Disaster Recovery Journal 1862 Old Lemay Ferry, Arnold, MO 63010 (636) 282-5800; Fax: (636) 282-5802

Internet: www.drj.com
E-mail: drj@drj.com

EXECUTIVE PUBLISHER: Bob Arnold, bob@drj.com
EDITOR IN CHIEF: Jon Seals, jon@drj.com
ASSOCIATE EDITOR: Pam Clifton
PRESIDENT: Bob Arnold, bob@drj.com
DIRECTOR OF EVENTS: Lesley Vinyard, lesley@drj.com
REGISTRATION MANAGER: Rose Chotrow, rose@drj.com
SENIOR WEB DESIGNER: Amy Faulkner, amy@drj.com
PROGRAMS MANAGER: Traci ONeal, traci@drj.com
EVENT MARKETING: Sonal Patel, sonal@drj.com

TABLE OF CONTENTS

COVER: Uncertain Times: Being Ready for What Happens Next, by REGINA PHELPS
3 Ways to Future-Proof Your Organization with Operational Resilience, by KATE NEEDHAM-BENNETT & STEVE RICHARDSON
Convincing Management to Do a BIA, by RICHARD LONG
The Changing Dynamics of Cloud Object Storage, by JEROME WENDT
Operational Resilience Requirements: What You Need to Know Now, by MICHAEL BRATTON
Anticipating the Ransomware Attack, by GERMAN VARGAS
Weathering the Storm: A Guide to Business Resilience After Natural Disasters, by LAURA SHAFER
When They Ask Why We Do What We Do, by JULIUS “JULES” EDWARDS
Five Ways Businesses Can Mitigate Cyber Threats, by AMIT CHAUDHARY
Career Spotlight: Madison Littin, by BOGDANA SARDAK
How to Take Your Risk Management Skills to the Next Level, by MOSTAFA SAYYADI & MICHAEL J. PROVITERA
In-Person is Back, by LISA JONES
Consultant Directory

EXECUTIVE COUNCIL
Dan Bailey, Jeff Dato, Peter Laz, Frank Perlmutter, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson

EDITORIAL ADVISORY BOARD
Erick Anez, Ashley Goosman, James Green, David Halford, John Hill, Ray Holloman, Colleen Huber, Cary Jasgur, Lisa Jones, Joan Landry, Joe Layman, Melanie Lucht, Katherine Whitaker

ASIA
Business Continuity Planning Asia Pte Ltd (BCP Asia)
Henry Ee
1 Commonwealth Lane #08-27 One Commonwealth Singapore 149544
Phone: (65) 6325 2080 Fax: (65) 6223 5363
General: enquiry@bcpasia.com Events: conference@bcpasia.com Direct: henry@bcpasia.com
www.bcpasia.com

UNITED ARAB EMIRATES
Continuity and Resilience, A Division of CORE MANAGEMENT CONSULTING
Dhiraj Lal, Executive Director
P. O. Box 127557, Abu Dhabi, United Arab Emirates
+971 2 8152831 | +971 2 8152888
dhiraj@continuityandresilience.com
www.continuityandresilience.com

SOUTH AMERICA
DRJ en Espanol
Ruth Rocha, Commercial Director
+ (51) 1 436 6456 (landline, Peru)
+ 1 (786) 600 1864 (USA)
ruth.rocha@drjenespanol.com
www.drjenespanol.com

DISASTER RECOVERY JOURNAL (ISSN 1079-736X; USPS 013-076; Publication Agreement No. 40679000) is published quarterly by Systems Support, Inc., 1862 Old Lemay Ferry, Arnold, MO 63010. Subscriptions are free to all qualified personnel in the U.S. and Canada involved in managing, preparing, or supervising business continuity planning. Rate for all others in the U.S. is $10, Canada and Mexico $24, all other countries $47. For renewals or change of address, please include current mailing label. Periodical Postage Paid at Arnold, MO and additional offices at St. Louis, MO. POSTMASTER: Send address changes to DISASTER RECOVERY JOURNAL, 1862 Old Lemay Ferry, Arnold, MO 63010. Canada Post Publication Agreement No. 40686534. Return undeliverable Canadian addresses to: DISASTER RECOVERY JOURNAL, PO Box 456, Niagara Falls, ON L2E 6V2. DISASTER RECOVERY JOURNAL is copyrighted 1987-2023, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.


FROM THE PRESIDENT’S DESK

Diversity and Resilience: What the Research Says

BOB ARNOLD, MBCI Hon.
PRESIDENT
bob@drj.com

As you might know, DRJ recently began working on a new initiative to promote greater diversity and inclusion at the publication and our conferences. Our larger hope is that we might be able to contribute toward increasing diversity in business continuity overall.

As I explained in announcing the initiative, there are three main reasons why we think improving diversity, equity, and inclusion (DEI) in BC is important: it’s the right thing to do, it’s the prudent thing to do, and it leads to higher performance.

The first two reasons are almost self-evident. Members of certain groups have traditionally been underrepresented in the wonderful field of BC, and it’s time they were included on a full and equal basis. In the current environment organizations that hold outdated attitudes on race, gender, and related issues run a high risk of creating serious problems for themselves.

However, the third reason isn’t necessarily as obvious. The phrase “diversity makes companies stronger” has been repeated so often by DEI advocates it’s become a mantra. I have used it myself, in one form or another.

However, just insisting something is true, even something you wish to be true, does not make it true. Simply declaring diversity is beneficial to the organization is not likely to win over DEI skeptics. It’s not even likely to convince open-minded people if, as sometimes happens, their first-hand experience of DEI has involved embarrassment, social friction, or the need to attend time-consuming training sessions.

Fortunately, we have more to go on than the assertions of believers like me that diversity in an organization is an advantage. A number of studies have found organizations with a more heterogeneous work force tend to be more profitable and resilient than their less diverse peers.

One such study was carried out by McKinsey & Company and described in their report “Diversity Wins: How Inclusion Matters,” published in 2020. That study looked at data covering more than 1,000 companies in 15 different countries. McKinsey’s survey found “companies in the top quartile of gender diversity on executive teams were 25% more likely to experience above-average profitability than peer companies in the fourth quartile.”

Positive benefits were also found in the case of ethnic and cultural diversity. Companies in the top fourth in that type of diversity outperformed those in the bottom fourth by 36% in terms of profitability in 2019.

The study concludes by saying, “greater diversity, in terms of both gender and ethnicity, is correlated with significantly greater likelihood of outperformance.” The report, which highlights the diversity success stories of Citigroup, Target, and Lockheed Martin, describes diversity and inclusion as “an essential enabler of recovery, resilience, and reimagination.” For anyone working in the field of business continuity, the presence of the word “resilience” in a list should have special resonance.

Another study which came to a similar conclusion as McKinsey’s report was done by Cloverpop in 2017. That study is described in an article in Forbes called, “New Research: Diversity + Inclusion = Better Decision Making At Work,” by Erik Larson, Cloverpop’s CEO. Cloverpop looked at some 600 business decisions made by 200 different business teams at a variety of companies over two years. It found “a direct link between inclusive decision making and better business performance.” Specifically, the study found diverse teams make better decisions up to 87% of the time and “decisions made and executed by diverse teams delivered 60% better results.”

“Cloverpop’s research bolsters the case that employers who build diverse and inclusive teams see the best outcomes,” concludes Laura Sherbin, CFO and Director of Research at the Center for Talent Innovation, according to Forbes.

Obviously, these studies won’t resolve anything. I don’t mention them with the intention of ending the discussion, only of contributing to it. At any rate, they put some meat on the bones of the claim “diversity makes organizations better.” I encourage anyone interested to click on the links and explore the studies for themselves.

One last thing (and here we swing from the big picture back toward bread and butter): Many of the surveys mentioned above note the importance of diversity in the broadest sense, including diversity of thought and experience. I share the belief this type of diversity is important. For that reason, I’m proud DRJ’s spring and fall conferences regularly feature more certified professionals, more 10-plus-year attendees, and more BC newcomers than any other BC event. If you want to attend a BC conference with that type of diversity, you won’t want to miss our 69th conference Sept. 10-13 in Phoenix.


Uncertain Times: Being Ready for What Happens Next

By REGINA PHELPS


The impact of the COVID-19 pandemic continues to be felt around the world. It turns out this is not unusual. In fact, that is what pandemics do to the societies they touch! Going back to 430-426 BCE, the Plague of Athens, global pandemics have created major societal disruptions. While the impacts to the economy and the death toll are easier to quantify, the effects of the COVID-19 pandemic on society are significant but deceptive. Historian William Rosen sums up the societal impacts of a global pandemic well in the following quote from “Justinian’s Flea: Plague, Empire, and the Birth of Europe”:

“The effects of epidemics (pandemics) are not measured only in mortality. Their secondary consequences have been much more far-reaching and disorganizing than anything that could have resulted from the mere reduction of the population.”

When disease transmission has long stopped, the effects of the pandemic live on for years. In our case, this long tail of COVID will impact individuals, families, communities, organizations, and nations long after the illness is endemic and part of our “usual” disease profile.

Historical Pandemic Societal Disruptions

So, what are social disruptions? It refers to the serious disruptions to the regular functioning of a society – in other words, how we live our “regular” and “routine” lives. The concept of societal disruptions is used to describe the alteration, dysfunction, or breakdown of social life, often in community settings. It also implies a radical transformation in which the old certainties of modern society fall away and something quite new emerges.

It was described well by Dutch historian Johan Huizinga in the book “The Autumn of the Middle Ages” in 1919: “European society after the 14th century plague was highly strung, on edge and quick to violence. So fierce and clamorous was life that it could endure the mingled odor of blood and roses.”

Hopefully, we won’t have the same experience with the COVID-19 pandemic.

Historically Observed Societal Disruptions

It turns out all pandemics create societal disruptions. There are five reoccurring themes, and many will sound very familiar to you.

1. Distrust of government and public health measures. A lack of trust in our institutions may have its origins in previous epidemics.
   • Suspicion of government. For any actions related to the outbreak and the fear of creating a “totalitarian state.”
   • Resistance to any mandates and defiance of measures to slow spread (closures, distancing).
   • Resistance to mask-wearing dates to the 16th century when masks were often required and usually controversial.
   • Vaccine resistance. Vaccine resistance goes back more than 200 years to the 1770s and the introduction of a primitive smallpox vaccine.
2. Blaming others.
   • Pandemics don’t create prejudices but exacerbate them. Society begins to blame “others” for the outbreak.
   • Throughout history, Jewish people have also been victims of anti-Semitic discrimination and hatred.
3. Fraying of society and social cohesion. Psychologists note an increase in antisocial behavior which leads to anxiety, irritability, aggression, and diminished impulse control.
   • Widespread crime. Increases in crime and violent crimes.
   • Political losses. Election losses attributed to the handling of the outbreak are common.
   • Movement toward populism and autocratic states and leaders. Democracies tend to struggle in a pandemic compared to autocratic states. It is not that autocrats do a better job in managing it, they just control the message.
4. Conspiracy theories and apocalyptic thinking.
   • Pandemics are plagued by conspiratorial thinking and theories.
   • Historically, some Christians have viewed global calamities as proof we are in the end times as foretold by the Bible and that Judgment Day is nigh.
5. Rise of the worker and organizing.
   • Going back to the Black Death in Europe, workers have taken advantage of a worker shortage to demand improved pay, benefits, and working conditions. That continues to this day.

Looking at the list of the historical societal disruptions above, you would think it was describing our current situation. I found myself feeling both relieved this happens all of the time AND depressed this happens all of the time. The other historical context to keep in mind is that the impacts go on for years. The average historical pandemic societal hangover is an average of 50 years.

COVID-19 Pandemic Societal Disruptions

Many of us had been expecting a global health pandemic for years and yet when it happened, everyone seemed to be caught a bit flat-footed. Information was slow to get out of China, countries fumbled in their response and many hoped it would just go away. Organizations who had old pandemic plans dusted them off and by mid-March 2020, everyone seriously started to figure out how to respond.

COVID-19 Pandemic: Five Individual Shifts

Just as we explored the overall historical impacts caused by pandemics, what are we specifically seeing as a result of the COVID-19 pandemic? Here are the top five individual shifts to date:

1. Major decline in trust of expertise (knowledge, education, experience). Suddenly everyone became a medical or disease expert, no experience or education required. This may complicate our work as the value of our knowledge, expertise, or experience may be challenged.
2. Major decline in trust of people. You fear something you can’t see, and you don’t know who might be sick or not and this led to a distrust of all. Of course, trust is essential in any working relationship, and as we know, especially in a crisis.
3. Inequalities exacerbated (race/ethnicity, income, religion). The ethnic breakdown of who was dying early in the pandemic showed it was disproportionally affecting Black and brown communities. Interestingly enough, once vaccines became widely available, it changed to killing more white Americans. Low-income Americans of all races were more impacted than those with higher incomes.
4. An increase in political divide and division, increasingly using politics as a form of personal identification. In America, some political parties and leaders expressed beliefs that vaccines or masks were good or detrimental. This made work environments more complicated, especially during vaccine and masking mandates.
5. Tremendous rise in misinformation and disinformation via social media and our self-selected echo-chambers.

Misinformation is information that is spread, regardless of intent to mislead, while disinformation is developed to be deliberately misleading or biased propaganda.

COVID-19 Pandemic: Five Global Shifts

The impacts around the globe at the country level have been even further complicated by the Russian invasion of Ukraine. The war has further exacerbated all five of the issues noted below.

1. Financial hardships. Inflation, recession (in some countries), decrease in foreign aid.
   • This could affect money and staffing to manage our programs, as well as procurement of products and services to help us in managing the risk.
2. Global instability began with the pandemic and was further fueled by the Russian war in Ukraine.
   • This will impact our ability to safely manage crises in other country locations, further destabilizing countries and governments, and potentially impacting our businesses.
3. Food insecurity, threats of famine.
   • Food insecurity and famine means the movement of people seeking food. This can further disrupt and destabilize countries and regions where your organization may have offices or procure materials.
4. Supply chain disruptions (may cause some deglobalization).
   • We experienced major global supply chain disruptions starting in March 2020 and some continue to this day.
5. Crime. Increase in global criminals, gangs, nefarious parties.
   • Ransomware and the deployment of other forms of malware are done very commonly by global gangs and nation states as a very effective form of revenue generation. International gangs have grown in power and influence, which can impact crops, manufacturing, labor, and more worldwide.

Polycrisis

All of this got me interested, and I began wondering if anyone else was talking about these things besides me? Well, it turns out this year at the World Economic Forum 2023 in Davos, the world was abuzz with the latest new word, “polycrisis.” The world was asking, “Are we on the brink of a polycrisis?”

You are likely thinking, “What is a polycrisis?” This term was first coined by the French philosopher Edgar Morin, who introduced it in the 1990s. However, it got new life at Davos 2023 by economic historian and Davos attendee Adam Tooze, who started to speak and write about it. A polycrisis is when present and future risks interact with each other to form a “polycrisis.” It is a cluster of related global risks with compounding effects such that the overall impact exceeds the sum of each part.

Today, the simultaneous and overlapping crises facing the world include a mounting climate crisis, a war in Europe, an inflation shock, democratic dysfunction, a health crisis, banking instabilities, and much more.

The World Economic Forum Global Risks Report (GRPS) 2023 sheds light onto the concerns and thoughts of many global leaders. There was a marked pessimism among the respondents looking 10 years out:

• 20% believed the world was at progressive tipping points and persistent crises leading to catastrophic outcomes.
• 34% expect consistent volatility across economies and industries with multiple shocks accentuating divergent trajectories.

The report describes four potential futures centered around food, water, and metals and mineral shortages, all of which could spark a humanitarian as well as an ecological crisis (from water wars and famines to continued overexploitation of ecological resources and a slowdown in climate mitigation and adaption). In the years to come, concurrent crises will embed structural changes to the economic and geopolitical landscape and accelerate the other risks we face. More than four in five GRPS respondents anticipate consistent volatility over the next two years at a


minimum, with multiple shocks accentuating divergent trajectories. In other words, uncertain times.

Global risks have shifted, and there is a major focus on three issues: economic, geopolitical, and societal. All three create more destabilization and unpredictable risks.

Take for example, the economic outlook. Inflation in many countries remains stubbornly high, and some countries have slipped into a recession. The global banking community shuddered at the collapses of Silicon Valley and Signature Banks in the U.S., triggering concerns which led to the demise of Credit Suisse in Europe. As of this writing, everyone appears on edge, waiting for the next shoe to drop.

The geopolitical situation is tenuous at best. The Russian invasion of Ukraine has wide-ranging impacts far beyond either of those borders, including the destabilization of the region, famine in Africa, fear of greater war in Europe, nuclear threats, and the migration of millions of refugees. The China-Taiwan conflict is raising tensions, and there is a growing fear of the potential for escalation and possible war between the two and what it could mean for the U.S. and other western nations. Numerous countries in Africa and South America are experiencing major uprisings, including the turmoil in Peru, Colombia, and Brazil, as well as the instability in Western Africa. Things are very unstable, and it doesn’t matter whether your organization has locations or does work abroad – these are very challenging times.

The third big wild card is the impact societally worldwide. As noted at the start of this article, the societal fissures run deep, wide, and remain to this day. The erosion of social cohesion and societal polarization is felt globally. There is a widening gap and polarization in values and equality such as immigration, gender, reproductive rights, ethnicity, religion, and climate. The economic and geopolitical issues have created a cost-of-living crisis, a serious impact to healthcare providers and systems, a severe mental health deterioration in all ages, lost education, and earning potential in our youth, all fueled by misinformation and disinformation campaigns on social media and other information venues.

What is a Business Continuity/Crisis Management Professional to Do?

We need to focus on three critical crisis management skills to manage through the issues raised above: situational awareness, effective crisis management programs, and crisis communication.

Situational awareness

How can we plan for what is ahead if we are not getting the appropriate intelligence to do so? Situational awareness is the ability to identify, process, and comprehend the critical elements of information regarding an emerging situation or incident. It’s simply knowing what is going on around you! As crisis managers, we all know that situational awareness is essential for our survival. It requires we conduct two distinct activities:

• Collect: observe, acquire, and compile the information.
• Process: assess and validate the information and orient yourself to the possible impacts.

Sometimes this can leave us feeling like we are drinking out of a firehose! How do you manage all the information? This requires carefully planning with hopefully a plan and tools that have been thought out and practiced in advance. You will need to consider these questions when doing this yourself or working with potential vendors to assist you:

• What are your information sources, where do you find them, and whom do you trust?
• How do you assess the information?
• How can you validate the information?
• How do you display it in a meaningful way so that decisionmakers can take in the information, make decisions, and then act?

Effective crisis management program

An effective crisis management team starts by having an overall program that includes a team, plan, and process in place for every location in your organization. (Any place you have a shingle out could be where “the bad thing” could happen.) The plans and teams of course must fit the size and mission of that location but at minimum, every location needs a team to respond to a crisis. Consider a structure which might look like this:

• Tier One: a strategic (executive) and tactical (level below) at the headquarters.
• Tier Two: larger offices need an appropriately sized team.
• Tier Three: maybe one or two people tasked to assess and notify HQ.
• All locations need a team and process to report up.

Of course, plans, training, and exercises are essential for every location. Consider this when looking at an overall crisis program:

• There must be a plan for all these levels with clearly defined roles, responsibilities, and authorities.
• Every location needs a designated incident assessment team to evaluate all potential threats and make the decision as to whether to activate the team and plans; they must be given the authority to act as well as the responsibility.
• They must be trained in their roles.
• At minimum, conduct an annual exercise – ideally a couple of smaller exercises (short, ripped-from-the-news types) and one robust simulation.

Crisis Communication

Finally, crisis communications are essential. Effective crisis communications require an established team and process that brings all company communicators together to ensure coordinated and accurate communications to all the identified key stakeholders in a timely manner. This cannot be made up “on the fly!” Ideally you bring all your company communicators together under one roof to ensure consistent and timely communications. In the public sector, this type of team is called a Joint Information Center, or JIC.

Simply stated, the communication goal during any crisis or incident is to get the right information to the right people at the right time so they can make the right decisions and issue right communications. Right communications are not rocket science, but they require planning and discipline. It also requires the communications team to work closely with crisis management and continuity planners not only at the time of crisis but in planning and running exercises so there is a solid understanding of who is doing what.

Going Forward

What should you be thinking about as you put this article down? I strongly encourage you to take this on as a “homework assignment.” Begin by doing an evaluation of your program and your organization’s potential internal and external risks, given the post-COVID societal disruptions and potential polycrises we now face. To do that, look at your risk profile and potential risk exposures, given all we have covered in this article, and take a serious look at your organizations. Ask yourself three basic questions:

• Situational awareness: Is our process for obtaining, validating, and displaying information sufficient given the new and potential risks?
• Crisis management program: Is our crisis management program, teams, plans, processes, and exercises training us to be ready?
• Crisis communications: Are we able to get out timely communications to all identified key stakeholders using all the important and required platforms?

Finally, work to continue to educate yourself and those around you about these world changes and critical issues. Many are just hoping or praying we will bounce back to 2019, but I can tell you it’s not going to happen! Work to be flexible and nimble as these threats emerge and shift. We need to stay on our toes. And lastly, take care of yourself! This is a long haul, and we need you here in great shape as we navigate the challenges ahead.

Regina Phelps is an internationally recognized thought leader and expert in the field of crisis management, exercise design, continuity, and pandemic planning. She is the founder of EMS Solutions Inc, (EMSS). Since 1982, EMSS has provided consultation and speaking services to clients on five continents.


3 Ways to Future-Proof Your Organization with Operational Resilience

By KATE NEEDHAM-BENNETT & STEVE RICHARDSON

Operating in a state of “business as usual” is no longer synonymous with an absence of disruption or crises occurring. The challenges institutions face have become predictably unpredictable. From geopolitical events to natural disasters to mismanagement of risks, there are global business disruptions which are being dealt with daily. The “new normal” is a state of near constant management and mitigation of disruption to services.

The chance of compounding crises occurring is a major concern for risk, resilience, security, and operations teams. There is mounting pressure (from regulators as well as consumers) for organizations to take a proactive approach to ensure their future resilience, assuming regular controls might fail and scenarios will be more severe than anticipated. With that being said, there are three key considerations to remember when implementing a more resilient state.

Break Down Silos

At the simplest level, a firm’s leadership needs to know where their organization might have vulnerabilities, what must be done to prevent impacts being felt, and how to implement resilience measures in order to be better prepared for future disruptions. In some organizations, their operational risk, cybersecurity, IT disaster recovery, supply chain, compliance, and business continuity programs operate in isolation from one another. They work off of different data sets and have differing priorities which leads to different processes and tools. This results in departmental silos producing inconsistent reporting and decision-making.

To solve this, organizations are establishing cross-functional steering committees, bringing together leaders from operational resilience, business continuity and disaster recovery, cybersecurity, and third-party risk management to align complementary programs, teams, data, and metrics. In addition to ensuring consistency and streamlining processes, breaking down these silos also increases transparency, knowledge, and alignment across the firm.

Of course, these collaboration programs require strong leadership (with some bringing in a chief resilience officer) as well as a significant change in the company’s culture and approach to risk and resilience. These leaders are best situated to provide key insights and analysis for executive teams to consider when making critical company decisions around matters which involve digital transformation, geographic expansion, or third-party initiatives.

Increase Focus on Third-Party Risk Management

Organizations must also sharpen their focus on their third-party risk exposures as they pertain to important or critical business services. Resilience teams are working with third-party management teams to better assess potential supply chain vulnerabilities and understand the risk profiles of their critical third parties.

There has been a recent plethora of regulation around critical third-party providers to the financial services sector, such as the EU’s Digital Operational Resilience Act (DORA), the UK’s “PS7/21 outsourcing and third-party risk management” as well as “DP3/22 Operational resilience: Critical third parties to the UK financial sector,” and Australia’s “CPS 230 Operational Risk Management” (including third-party risk management). This is setting in motion a change to best practice methodologies around supply chain resilience, with even those unaffected by the regulations looking to align with requirements.

Supply chain disruptions and consequent impacts are particularly hard to manage due to the amount of time that it can take to onboard and offboard firms and then rebuild the resources to satisfy the requirements of all process and service owners. This is exacerbated when battling vendor-based cybersecurity breaches, which are only on the rise as attackers recognize the value that they bring in access points to a wide range of firms. To combat this effectively,

Most of these regulations have a common requirement: firms must be able to map their critical business services and interrogate all processes, assets, and resources that support those services, both within the company and throughout its supply chain. This holistic approach demands a comprehensive, integrated platform that allows organizations to view their data and analyses through a single lens.

The Time is Now for Operational Resilience

Updating or overhauling a company’s operational resilience program can seem daunting – but it’s been proven time and again that a well-functioning resilience program is the best insurance against financial and reputational loss. Events, like the recent Silicon Valley Bank collapse, may suggest many risks are unpredictable, but the root causes and lack of adequate risk management are there if we look. Firms can be proactive and must focus on what they are empowered to do now. By streamlining teams and processes, reprioritizing investments based on vulnerabilities, and finding properly tailored technology, firms will be better prepared to weather the disruptions of the future.

Kate Needham-Bennett is a resilience specialist based in the UK, working with organizations worldwide and exploring how they might develop their risk and resilience programs with Fusion Risk Management.

it has never been more necessary for cyber, resilience, and third-party teams to work in conjunction. Think Globally, Act Locally With the rise in regulatory scrutiny, firms are being challenged with a new obstacle: the increasing complexity of run ning one holistic program that complies with all global regulations. The stakes can be high in terms of fines; the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) issued their first fine (of £48 million/$58 million) against the lack of operational resilience measures to TSB Bank in December 2022. The operational, legal, and reputational stakes can be even higher to remediate, costing millions to even billions. “

To date, she has been working as a practitioner in finan cial services firms setting up programs for M&A resilience onboarding, crisis management, and operational resilience to meet the evolving regulations. Needham-Bennett is now focusing on how technology can help make resilience easier, quicker, and more affordable for others, leaving them room to focus on innovations.

As chief resilience innovation officer, Steve Richardson has more than 15 years of experience in the risk and resilience indus try and is an original architect of the Fusion Framework® System™. Through leadership

roles in sales, services, and product management as well as his focus on customer success, Richardson brings a diverse set of skills and experience to Fusion’s customer community. He also leads strategic engagements for cus tomers across industries with specific expertise in financial services and banking. Richardson is a regular presenter at customer and industry events and works closely with industry analysts and strategic partners to establish Fusion as a market leader.


Convincing Management to Do a BIA

By RICHARD LONG

Those of us who are on the front lines of protecting organizations from disruptions understand the value of the business impact analysis (BIA) when it comes to strategy development and prioritization. We know a BIA is essential to the health of any solid BCM program. However, financial decisionmakers and project stakeholders often do not share this understanding. As a result, they often resist giving approval to conduct a BIA.

When this happens, the business continuity management (BCM) team has two choices. The team can acquiesce to the dropping of the BIA or actively work to help management understand why the BIA is so important. The best way to convince management of the need for a BIA is to show them the benefits up front. In this article, let’s look at some of the core benefits of a BIA with an eye toward helping your organization’s decisionmakers to understand why conducting a BIA would be beneficial to the entire enterprise.

Common Objections to Conducting a BIA

Usually when management balks at providing resources for the BIA, they express their resistance in ways like these:

• “We just did one recently.” Often when they say this, recently was several years ago.
• “Our business has not changed enough to warrant an updated BIA.”
• “Can’t we just ask the leaders of each department for the information?”
• “This is not business critical. We know what the priorities are.”
• “You want two to three hours of how many people’s time? From every department?”

These are the kinds of objections and questions you should be prepared to respond to when trying to win support for doing a BIA.

Making the Case for the BIA

Start talking up the need for a BIA well before your proposal is in process. Often management does not see BCM concepts as strategic but instead as “regulatory” or “audit” necessities. At every opportunity, explain to management the reasons for BIAs. As with most new needs or projects, it’s necessary to have an education process before approval occurs.


Benefits of the BIA

The heart of your case to management should be an explanation of the benefits that doing the BIA will bring to the organization. To help in providing this explanation, here is a list of the primary benefits of doing a BIA. The list is divided into three categories: improved functionality, reduced costs, and increased compliance.

Improved Functionality

Doing a BIA can lead to improved functionality at the enterprise across many areas. Specifically, the BIA can do the following:

• Identify and document interdependencies between processes.
• Identify and update the applications and systems used, as well as their importance. It can also lead to better understanding by IT of the functional importance of the various applications.
• Identify shadow IT functions on which the business is critically dependent. There is a common assumption that backup and recovery are not needed for these SaaS/cloud-based applications because the vendor will “handle” it. This assumption is often found to be false.
• Lead to a better understanding of the nature and complexity of the IT and recovery processes.
• Help you identify and understand new processes or changes to existing processes.
• Lead to improvements in the interface between departments and groups.
• Lead to increased understanding by departments of their role within the organization.
• Lead to a better understanding of actual impact of a loss of one or more processes.
• Promote the elimination of gaps in IT recovery and business availability and recovery requirements.

Reduced Costs

Doing a BIA commonly leads to reductions in costs across the enterprise. Specifically, the BIA can accomplish the following:

• Help eliminate or avoid fines related to regulatory requirements.
• Lead to the removal of potential redundancies and unnecessary services or software.
• Lead to reductions in costs relating to insurance, maintenance, and licensing.
• Lead to reductions or elimination of costs because of a more accurate understanding of the company’s needs.

Increased Compliance

Conducting a BIA generally results in increased compliance with various types of requirements. Specifically, the BIA:

• Often leads to the identification and subsequent closing of potential issues or gaps in regulatory compliance.

Helping Management to See

The best way to convince management that a BIA is necessary is to show them how performing one will benefit the company.

Your management team is dedicated to looking at the overall needs and risks of your organization. Make sure they have a clear understanding of the risks, costs, and benefits of conducting a BIA.

There is a good chance that once they have a clear understanding of what the BIA can contribute to the organization in terms of improving functionality, reducing costs, and increasing compliance, they will approve your request to conduct one.

Takeaways

• Financial decisionmakers often lack understanding of the value of BIAs and resist giving approval for conducting them.
• The BCM team might need to engage in a long-term process of educating management about the value of the BIA.
• The heart of the BCM team’s case to management should be the ways the BIA will benefit the organization.
• The benefits of the BIA fall into three categories: improving functionality, reducing costs, and increasing compliance.
• When management has a clear understanding of the value of the BIA, they are more likely to agree to conduct one.

Richard Long is a senior advisory consultant and practice team leader for MHA Consulting, where he successfully leads international and domestic disaster recovery, technology assessment, crisis management, and risk mitigation engagements.


EDITOR’S NOTE: DCIG empowers the IT industry with actionable analysis that equips individuals within organizations to do supplier and product evaluations. DCIG delivers informed, insightful, third-party analysis, and commentary on IT technology. As industry experts, DCIG provides comprehensive, in-depth analysis, and recommendations of various enterprise data storage and data protection technologies. The views, thoughts, and opinions expressed in all Disaster Recovery Journal articles belong solely to the author. The information, product recommendations, and opinions in this article are based upon public information and from sources DCIG, LLC. believes to be accurate and reliable.

The Changing Dynamics of Cloud Object Storage

By JEROME WENDT

Most organizations of all sizes currently utilize cloud services in some way. However, of the multiple cloud services available to them, cloud object storage represents the one they primarily use. In most cases, they use it to store their archival and backup data.

Storing this data in the cloud sets the stage for them to perform disaster recoveries and/or satisfy regulatory requirements. Others use cloud object storage’s data immutability feature to secure their data from the growing threat of ransomware. Still others view cloud object storage’s durability, resilience, and scale as their best option for long-term data retention.

These reasons help explain why 84% of organizations plan to increase their use of cloud object storage. They need a simple, secure, cost effective way to store their growing amounts of archival and backup data. They also want to offload the complexities and overhead of managing the underlying storage infrastructure. Cloud object storage aligns well with this combination of needs and wants.

However, deciding to store data in the cloud creates a potential challenge for organizations. Having decided to use cloud object storage, they may choose from more than 50 available providers. Further, more cloud providers offer multiple tiers of cloud object storage with each tier possessing differing availability, price, and performance characteristics. All these options influence each organization’s choice of a cloud provider to host its archival and backup data.


‘Easy’ and ‘Safe’ Come at a Premium

Organizations often first consider cloud object storage from the three largest general-purpose cloud providers. Amazon Simple Storage Service (S3), Google Cloud Storage, and Microsoft Blob each provide the core technical features that organizations seek. Equally important, these general-purpose cloud providers have a global presence and a high level of awareness within organizations. These factors contribute to any of these providers’ cloud storage offerings being an easy, safe choice for organizations to make.

However, these three options come at an elevated cost. Unless organizations choose otherwise, these general-purpose cloud providers assign their standard cloud object storage tier by default. The costs for this tier range from $15-23/TB per month or $180-276/TB per year, depending on the provider.

Organizations that store up to a few dozen terabytes of data on their default object storage tier may find these costs acceptable. Though organizations pay a premium, they obtain the availability, data security, performance, reliability, and peace of mind they seek. Further, many storage appliances and archival, backup, and data management software providers support these cloud object storage offerings.

Counting Cloud Storage’s Cost

Paying $180 per year for 1TB of cloud storage or even up to $2,760 per year for 10TB may not sound like a lot. However, any organization that takes the time to count cloud object storage’s cost quickly sees how these costs add up. Further, the cloud storage capacity costs only represent a portion of what organizations may pay.

Once organizations store data on cloud object storage, they need to consider how frequently they will access and move it. If organizations end up performing these tasks frequently, they may incur other fees that include:

• Data retrieval. Once organizations store data in the cloud, they may need to access and manage it in multiple ways through a web interface. These activities may include copying it, getting a listing of it, or retrieving it, among other possible tasks. Executing any of these commands incurs a fee above and beyond the organization’s monthly storage costs. The data retrieval fees charged by providers are nominal (no more than 5 cents per 1,000 requests). However, they can add up for organizations that expect to frequently take actions on their data.
• Data transfer or egress outside the provider’s cloud. No cloud provider currently charges organizations to transfer data into their respective storage clouds over the Internet. However, organizations that transfer data out of the provider’s cloud may incur egress fees depending on the data transfer amount. While some providers allow organizations to transfer some data out (up to 100GB) monthly, egress fees start after that. These network usage fees range from .02 to .16 cents/GB.
• Data transfer or egress to another data center within the provider’s cloud. Organizations must also ensure they store their data in the right location within the provider’s cloud. Each provider has cloud data center locations all over the globe. If an organization stores its data in the wrong location and needs to move it, it gets charged a fee.

These three represent only a snapshot of the additional cloud object storage fees that organizations may incur. If they plan to encrypt, monitor, or replicate their data, these activities may also incur further cloud object storage fees.

These fees have less of an impact on organizations that only store TBs or even tens of TBs in the cloud. However, organizations that expect to store more than tens of TBs in the cloud should explore new cloud object storage options. These options may help lower storage costs, simplify management, and even eliminate unexpected data retrieval and transfer fees.

Pros and Cons of Cloud Object Storage Tiering

Organizations that primarily store archival and backup data with the largest cloud providers may only infrequently incur data retrieval fees. They will more likely feel their wallet impacted by the costs associated with storing more archival and backup data. The other cloud object storage tiers available from these providers may help control and even lower recurring monthly storage costs.

Enabling cloud object storage tiering represents both an easy and a complicated decision. These providers make it relatively easy to move data to other cloud object storage tiers. To do so, a cloud administrator for the organization logs into the organization’s cloud account. Once logged in, the individual can choose one of two options.

1. The administrator can simply move the storage to another tier.
2. Alternatively, they may use the provider’s lifecycle management feature. This feature places data on different storage tiers as the data ages. It can even delete data once it reaches a certain age.

Moving data to other cloud storage tiers will likely result in organizations lowering their recurring monthly storage costs. However, this is not a guarantee. Organizations can optionally choose to move data to more expensive storage tiers.
