Disaster Recovery Journal Summer 2024

REGISTER TODAY! www.drj.com/fall2024

Summer 2024 u Volume 37, Number 2

Separating AI Noise from Reality

INSIDE ... Mastering the Aftermath: Strategic Responses to the Baltimore Bridge Collapse Maximizing Business Risk Management How a Book on Piracy Inspired My Life in Resilience Consultant Directory

Don’t Miss An Issue u Subscribe Today! u www.drj.com/#sign-up

Small-Medium Business Integrated Toolkit BIA Surveys, Dashbaords BC/DR Plan Templates 350+ Reports Low Cost

Global Enterprises Unlimited User Access Asset Geo-tagging Flexible, Customazible Integrated Workflow Voice, SMS Notification

www.eZPlan

(888) 480-3277

Platform for Building a Resilient Enterprise

• Cloud hosted • Secure Solution • Scalable • Product support • FREE upgrades

BIA, Plan Templates Gap Analysis Reports Exercise Management Role-Based Access Management Dashboards Management Consultants

powered by

nner.net

Info@eZPlanner.net

Get started on your resilience journey today, visit fusionrm.com Fusion provides easy, visual, and interactive ways to analyze every aspect of your business so you can identify single points of failure, key risks, and the exact actions you need to take next to mitigate impact. Create Clarity Out of Chaos

“Hands down the best business continuity management tool for programmatic growth and scalability.”

“Our team is able to visualise complex relationships and dependencies between lines of business in our organisation. This alone is worth its weight in gold!” Fusion User in the Financial Services Industry

Disaster Recovery Journal 1862 Old Lemay Ferry, Arnold, MO 63010 (636) 282-5800; Fax: (636) 282-5802

Internet: www.drj.com E-mail: drj@drj.com EXECUTIVE PUBLISHER Bob Arnold bob@drj.com EDITOR IN CHIEF Jon Seals jon@drj.com PRESIDENT Bob Arnold bob@drj.com DIRECTOR OF EVENTS Lesley Vinyard lesley@drj.com REGISTRATION MANAGER Rose Chotrow rose@drj.com SENIOR WEB DESIGNER

TABLE OF CONTENTS

COVER Separating AI Noise from Reality By JEROME M. WENDT

Amy Faulkner amy@drj.com EVENT MARKETING Sonal Patel sonal@drj.com

EXECUTIVE COUNCIL Dan Bailey, Jeff Dato, John Jackson, Peter Laz, Margaret Millett, Frank Perlmutter, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson EDITORIAL ADVISORY BOARD Erick Anez, Robbie Atabaigi, Rich Cocchiara, Ashley Goosman, David Halford, John Hill, Ray Holloman, Colleen Huber, Cary Jasgur, Lisa Jones, Melanie Lucht, Melissa Muñiz, Melissa Owings, Nicole Scott, Paul Striedl + (51) 1 436 6456 fijo Perú + 1 (786) 600 1864 USA ruth.rocha@drjenespanol.com www.drjenespanol.com ASIA Business Continuity Planning Asia Pte Ltd (BCP Asia) Henry Ee 1 Commonwealth Lane #08-27 One Commonwealth Singapore 149544 Phone: (65) 6325 2080 Fax: (65) 6223 5363 General: enquiry@bcpasia.com Events: conference@bcpasia.com Direct: henry@bcpasia.com www.bcpasia.com UNITED ARAB EMIRATES Continuity and Resilience A Division of CORE MANAGEMENT CONSULTING Dhiraj Lal , Executive Director P. O. Box 127557, Abu Dhabi, United Arab Emirates ( +971 2 8152831 | 7 +971 2 8152888 dhiraj@continuityandresilience.com www.continuityandresilience.com SOUTH AMERICA DRJ en Espanol Ruth Rocha , Directora Comercial

8

14

25 Maximizing Business Risk Management: Integrating Process Improvement and

Mastering the Aftermath: Strategic Responses to the Baltimore Bridge Collapse By SEAN MCLAUGHLIN

Financial Compliance By KATIE BRENNEMAN

18

27

Rehearsing Plan B: The Importance of Mastering Your Workarounds By RICHARD LONG

4 Steps to Get Organizational Buy-In for Resilience Technology By STEVE PILOTTI

21

29 How a Book on Piracy Inspired My Life in Resilience By MARK HOFFMAN

Spring Showers and Climate Shifts: Strategies for Mitigating Severe Weather Impacts By STACI SAINT-PREUX

31

What Is the Meaning of Community Resilience? By KATHERINE THOMAS

23 Career Spotlight: Melissa Muñiz of Zion Resiliency By RAY HOLLOMAN

37

Consultant Directory

DISASTER RECOVERY JOURNAL is copyrighted 1987-2024, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.

DISASTER RECOVERY JOURNAL | SUMMER 2024 5

FROM THE PRESIDENT’S DESK

Navigating Storms: How Risk Intelligence Safeguards Organizations I n today’s unpredictable world, organizations face a myriad of risks ranging from natural disasters to cyber threats and geopolitical ten sions. As these risks continue to evolve and amplify, the need for comprehensive risk intel ligence becomes paramount. In this article, we delve into the importance of risk intelligence in safeguard Supply Chain Resilience in the Face of Disruption The COVID-19 pandemic exposed vulner abilities in global supply chains, highlighting the critical importance of supply chain resilience. From logistics disruptions to raw material shortages, orga nizations must navigate a myriad of supply chain risks. By harnessing risk intelligence, organizations can gain visibility into their supply chain networks, identify potential bottlenecks or vulnerabilities, and implement contingency plans to ensure continuity of

BOB ARNOLD, MBCI Hon.

ing organizations amidst increasing volatility in weather patterns, geopolitical issues, cybersecurity threats, supply chain disruptions, and other emerg ing risks. Rising Storms: Weather Volatility and the Forecast One of the most pressing concerns for organiza tions is the escalating severity of weather phenom ena. The frequency and intensity of natural disasters, particularly hurricanes, have been on the rise. This year’s hurricane season forecast predicts heightened activity, posing significant threats to coastal regions and businesses operating in these areas. To mitigate the impact of such events, organizations must lever age risk intelligence to anticipate, prepare for, and respond to these disasters effectively. Navigating Geo-Political Turbulence Geo-political issues, including university protests and upcoming U.S. elections, add another layer of complexity to organizational risk management. Political unrest can disrupt operations, compromise employee safety, and damage brand reputation. By staying abreast of geopolitical developments through robust risk intelligence frameworks, orga nizations can proactively assess the potential impact on their operations and implement mitigation strate gies to safeguard their interests. Fortifying Cybersecurity Defenses In an increasingly digitized world, cybersecurity threats loom large. The proliferation of cyberattacks targeting businesses underscores the urgent need for robust cybersecurity measures. Threat intel ligence enables organizations to identify, analyze, and mitigate cyber threats before they manifest into damaging breaches. By leveraging advanced analyt ics and threat intelligence platforms, organizations can bolster their cybersecurity defenses and protect sensitive data from malicious actors.

operations in the face of disruption. Embracing Emerging Risks

In addition to traditional risks, organizations must contend with a host of emerging threats, including technological disruptions, regulatory changes, and environmental sustainability concerns. By fostering a culture of risk awareness and adapt ability, organizations can stay ahead of the curve and proactively address emerging risks before they escalate into crises. Harnessing Threat and Risk Intelligence So, how do organizations leverage threat and risk intelligence to safeguard their interests, employees, and customers? It starts with cultivating a proac tive risk management mindset embedded within the organizational culture. By investing in sophisti cated risk intelligence platforms, organizations can gather, analyze, and disseminate actionable insights to key stakeholders across the enterprise. These insights enable informed decision-making, facilitate timely response to emerging threats, and ultimately enhance organizational resilience in the face of uncertainty. In conclusion, the volatile landscape of modern business demands a proactive approach to risk management. By harnessing the power of risk intelligence, organizations can navigate storms, both literal and metaphorical, with confidence and resilience. From weather volatility to geopolitical tensions, cybersecurity threats, and supply chain disruptions, effective risk intelligence serves as a beacon of clarity amidst uncertainty, safeguarding organizations and ensuring their long-term viability in an ever-changing world.

PRESIDENT bob@drj.com

6 DISASTER RECOVERY JOURNAL | SUMMER 2024

infinite blue

Infinitely ready. Infinite Blue's integrated enterprise resilience solutions give organizations the power to foresee risks, predict impacts, collaborate, communicate, and emerge stronger than ever before.

Separating AI Noise from Reality By JEROME M. WENDT

8 DISASTER RECOVERY JOURNAL | SUMMER 2024

EDITOR’S NOTE : DCIG empowers the IT industry with actionable analysis that equips individuals within organizations to do supplier and product evaluations. DCIG delivers informed, insightful, third-party analysis, and commentary on IT technology. As industry experts, DCIG provides comprehensive, in-depth analysis, and recommendations of various enterprise data storage and data protection technologies. The views, thoughts, and opinions expressed in all Disaster Recovery Journal articles belong solely to the author. The information, product recommendations, and opinions in this article are based upon public information and from sources DCIG, LLC. believes to be accurate and reliable.

“

O rganizations face a growing chal lenge when it comes to effec tively utilizing artificial intel ligence (AI) in today’s data protection solutions. As more solutions offer AI, organiza tions must determine what AI features they deliver and if organizations can use the AI they offer. This puts the onus on organizations to separate the noise from reality when evaluating AI in these solu tions. The AI Noise More news articles and technology provider press releases than ever in some way reference AI. Both do it for similar reasons. In the case of news articles, AI has seemingly captivated readers with its endless possibilities to address unsolvable problems. In response, news outlets pro duce articles to feed the reader desire for this content. In contrast, the use of AI in press releases stems from, in part, each provider’s desire to make its solution appear cut ting edge. Failing to mention AI may result in these solu

backup and/or production data and may even accelerate data restores. Organizations should not necessarily use this imple mentation of AI to replace their existing cyber security defenses. However, AI can complement these defenses in notable ways. For instance: n Uses AI to scan for anomalies in backups . Backup anomalies can result from ransomware having taken hold undetected in the production environment. In these cases, the ransomware may take administrative control of servers or PCs and disable the cyber security on them. The ransomware may then start to slowly but methodically delete, encrypt, or infect production data. Using AI to scan the backups, it can compare current backups with prior ones. These anomalies may become evident as the AI tool may identify changes to files that should rarely or never change. This technique provides organizations with a new means to detect the possible presence of ransomware.

tions being viewed as irrel evant or antiquated. Unfortunately, all these AI mentions, legitimate or oth erwise, have resulted in AI becoming just another buzz word. In some cases, features labeled as “AI” may repre sent nothing more than them a simple rebranding of existing features. Granted, these pre-existing features may fall under AI’s broader umbrella. However, they may not necessarily rep resent new or innovative func tions. Rather, they only serve to create more noise which has led to increasing AI fatigue on the part of organizations. Where AI Has Found a Home Despite the noise around AI, organizations that choose to ignore AI do so at their own peril. AI already provides some tangible, measurable benefits in today’s data pro tection solutions. The key for organizations becomes identi fying in which data protection solutions AI has found a home. Backup software currently represents the best place to look for meaningful implemen tations of AI in data protection solutions. It primarily uses AI to help detect ransomware in

In contrast, the use of AI in press releases stems from, in part, each provider’s desire to make its solution appear cutting edge. Failing to mention AI may result in these solutions being viewed as irrelevant or antiquated.

“

9 DISASTER RECOVERY JOURNAL | SUMMER 2024

n Proactively restores

alert about the ransomware presence and the remediation activities that occurred. n Attempts to slow or stop the attack by quarantining the compromised data, user account, or both . Some backup software even takes additional steps. All enterprise backup software now integrates with Microsoft’s Active Directory (AD) directory services. This integration positions the backup software to act more aggressively. Upon detecting ransomware, the backup software may attempt to quarantine the production data, the user account, or both. It will instruct Microsoft AD to limit

or stop access to the data or prohibit the user account from taking any further actions. Access to the data, user account, or both only

generation of AI. Used in this capacity, providers gather machine data from as many of their backup targets in the field as possible. This includes gath ering information about non sensitive customer data such as backup target firmware, disks, network ports, and perfor mance metrics. It then collects and aggre gates this data from all its deployed backup targets to analyze and identify poten tial issues. For instance, the machine data collected may indicate an HDD or network port is about to experience a failure. The provider may then notify its customer and perhaps even proactively fix the issue before the hardware failure occurs.

compromised data . Some backup software goes one step further than merely alerting to the possible presence of ransomware in backups. It may also monitor production data in real time and any changes to it. Should it detect suspicious activity on production data and definitively identify this activity as ransomware, it acts. Some backup software deletes the compromised production data and then performs a restore from a “good” backup. This activity can occur without administrative or user intervention. Instead, organizations receive an

then gets reinstated after an organization’s security professionals review and approve the access. Backup Targets Still ML Oriented Data protection solutions do not necessarily have to use AI for detecting ransomware. Disk-based storage devices that serve as backup targets still largely avoid employing AI capabilities in any capac ity. If they do offer AI in any form, it typically shows up as machine learning (ML). ML represents what most generally consider the first

10 DISASTER RECOVERY JOURNAL | SUMMER 2024

Protecting Performance

75% of organizations have recovery plans. Most prove inadequate. Siloed recovery and resiliency capabilities are now obsolete.

Protect business continuity and performance across your IT ecosystem with technology and experts you can rely on. Trust the predictive and proactive model led by automated insights into potential attacks continuously analyzed, tested, and executed by recovery specialists.

Vendor Agnostic

Expert Recovery

Holistic Strategy

Gartner Leader

877.445.4333

RECOVERYPOINT.COM

amount and quality of data used to train the AI tool. This explains why diagnosing hardware failures and ransomware detection represent AI’s first use cases. Providers often have access to large amounts of quality data in those two areas to train their AI tool. Validate how the provider gathers data to train its AI tool and how it sources that data. Also determine if the provider will gather data from your site, what data it will gather, and how it will use it. If a provider cannot clearly answer these questions, again view the quality of the AI tool with suspicion. represents the next major wave of IT innovation. Once organizations get a taste of it, they will like it, perhaps a lot. This will in turn lead to organizations wanting to consume as much AI as possible. However, providers of AI tools often use a consumption model to charge for their AI services. The more questions organizations ask of AI, the more the provider charges for the answers AI provides. This should prompt every organization to minimally assess how to monitor and control AI’s costs. Organizations may even want to ask the AI tool how much it charges for the answers it provides.

A few providers have also started to leverage this machine data to identify potential ran somware attacks or unauthor ized data access. In this case, analyzing the machine data may indicate unusual or high levels of activity on specific network ports. Flagging this activity may indicate a hacker attempting to change backups or copy them offsite. Chatting with Your Backups The larger the organiza tion, the more backups it typically stores and retains. Organizations often store these backups long term for compli ance reasons, disaster recov ery purposes, or both. While backups satisfy one or both use cases, the backups themselves typically provide nominal near-term value. One provider seeks to change that by mining the data in these archived backups. Its AI technology positions orga nizations to query and chat with their backup stores to obtain needed or desired information. This AI tool gets trained by first getting access to the archived organizational back ups. These backups serve as the large language models (LLM) the AI tool needs to understand the data. The AI tool then reads the backup data and indexes it to document the information contained in it. Once it completes this training, organizations may then “chat” with the AI inter face and ask it questions. The AI tool then formulates its answers based upon the data contained in the backups.

Validating the Promise of AI These existing implementa tions of AI hold great promise for organizations to help them better manage and optimize data protection. However, any AI tool deployed will minimally require significant amounts of computing and storage resources to operate well. Further, organizations may still need to dedicate resources to optimize the AI tool for its purposes. To ensure AI delivers on its promised functionality, orga nizations should minimally verify it possesses the follow ing features: n Cloud architecture . Any AI tool requires large amounts of computing and storage resources to store and process the data it needs to function. These AI demands likely outstrip the resources available on a single server or storage system. Meeting them typically requires a cloud-like architecture that both cloud hyperscalers or hyperconverged infrastructures (HCI) offer. Both architectures position organizations to quickly, and independently, add more computing, storage, or both and then utilize them. If an AI tool does not support one or both architectures, approach the AI tool with caution. n A large pool of quality data used to train the AI tool . Every organization wants an AI tool to provide it with valuable, actionable insights. However, the quality of those AI insights correlates to the

AI’s Promise Coming Closer to Reality The various implementa tions of AI in today’s data pro tection solutions hold a great deal of promise for organiza tions. It can help them in the near term proactively identify and resolve hardware issues in their backup targets. It can con tribute to identifying instances of ransomware and unauthor ized user access before these issues escalate. In some cases, it can even help organizations get better insights from the archived backups they possess. However, organizations should keep firmly in mind that AI remains in its early stages. The specific use cases mentioned here represent the few areas where organizations may confidently use AI in a turnkey fashion. Even then, it will come at a cost compared to competitive solutions. If hoping to use AI to address any other needs, organizations must proceed thoughtfully. They should prepare to make significant investments in money, time, and personnel if they want AI to deliver on any other internal objectives. While off-the-shelf AI solutions may soon solve other data protection issues organizations face, it cannot do so yet today. v

n A way to monitor and control costs . AI likely

Jerome Wendt, an AWS Certified Solutions Architect, is the president and founder of DCIG, LLC., a technology analyst firm. DCIG, LLC.,

focuses on providing competitive intel ligence for the enterprise data protection, data storage, disaster recovery, and cloud technology markets.

12 DISASTER RECOVERY JOURNAL | SUMMER 2024

A Leader in Business Continuity for Now 25 Years

3 solutions

has been helping worldwide organizations manage the unpredictable for 25 years. Whether you need to implement your business continuity program, strengthen it or automate it, you can count on us. Work with a well-rounded BC partner, with a collaborative and holistic approach that supports your teams at every step of your BCM program. Premier Continuum

Automation software

Certified training

World-class consulting

LET'S BUILD SMART RESILIENCE

6 fields of expertise We've been in the business for 25 years. Talk about resilience.

BUSINESS CONTINUITY

OPERATIONAL RESILIENCE

IT/DR

CRISIS MANAGEMENT

RISK MANAGEMENT

EMERGENCY RESPONSE

By NTSBgov - This file has been extracted from another file, Public Domain

14 DISASTER RECOVERY JOURNAL | SUMMER 2024 Mastering the Aftermath: Strategic Responses to the Baltimore Bridge Collapse By SEAN MCLAUGHLIN T he recent collapse of the Francis Scott Key Bridge in Baltimore, MD, a criti cal artery for transport and logistics along the East Coast, presents a formida ble supply chain challenge. The bridge is renowned for its heavy daily traffic and role in freight movement between major industrial and commercial hubs. However, the cascading impacts resulting from its collapse underscore just how critical it is for organizations to have an effective and strong resilience posture. That includes third-party risk management and business continuity at its core, which will ultimately allow them to manage any disruption. As

organizations navigate the aftermath, they must be able to understand the compre hensive impacts of this disruption, explore potential alternative shipping routes, and identify strategic measures in order to mitigate these effects and safeguard their logistics operations against future uncer tainties. Understanding the Impact The bridge collapse not only impacted the immediate vicinity but also sent shock waves through supply chains that could disrupt business operations across a broad spectrum. This particular bridge’s signifi cant role in regional commerce means its outage can ripple out, affecting various sectors – including manufacturing, retail, and distribution – far and wide. Although current feedback from our clients indi cates no immediate impacts, the poten tial for significant disruptions looms as a pressing concern. This situation high

RESILIENCY eLearning

Business Continuity

Disaster Recovery

Crisis Management

Physical Security

Life Safety

IT Security

For Employees & Recovery Teams

TRAINING THAT WORKS FOR YOU Customized content: reflect your program, methodology, culture, and brand. Track your learners: courses are compatible with your Learning Management System. Subject matter experts: we create the content and you validate the outcome. 3 - 6 week development time: a quick launch builds momentum for your message.

POPULAR COURSES

Active Shooter

Cyber Security Awareness

Awareness Campaign

DR: All Employee Intro

BC: All Employee Intro

Home Prep (no charge)

Business Impact Analysis

End-User Software Training

CM: Introduction

Physical Security

CM: Roles & Responsibilities

Table-Top Exercise

www.ripcordsolutions.com

The tragedy at the Francis Scott Key Bridge is a stark reminder of the vulnerabilities that are inherent in critical infrastructure and supply chains, and it has brought a new focus on business continuity and operational resilience strategies. “

lights the necessity for organizations to have vigilant and proactive risk manage ment strategies in place to handle severe yet plausible events. The effects of this outage also emphasize the interconnected nature of modern supply chains and the widespread consequences that can arise from a single point of failure. Exploring Alternatives: Rerouting Around the Problem Immediately after the collapse, orga nizations were forced to identify viable alternative shipping routes in order to try and maintain uninterrupted supply chains. Several factors – including the type of cargo, the available infrastruc ture, and the distance from the original route – influence the selection of an alter native port. Notable alternatives include the Ports of Virginia, New York, and New Jersey, which, despite their distance, are well-equipped to handle large volumes of diverted cargo. Proximate options like the Ports of Wilmington and Philadelphia offer robust container and breakbulk facil ities. For organizations with international connections, the Ports of Charleston, Savannah, and Halifax in Canada provide extensive facilities and superior connec tivity, ensuring global trade flows remain unimpeded. Proactive Measures: Fortifying Your Supply Chain To mitigate risks that can arise from this type of unforeseen disasters, organizations should refine their third-party risk man agement strategies by assessing the con tinuity frameworks of essential partners and integrating redundancies into critical service areas. Conducting thorough risk assessments and developing contingency plans is crucial to identify vulnerabilities and prepare detailed response strategies for potential disruptions such as bridge collapses. Diversifying your supplier network and logistics options reduces dependence on any single point of failure. Proactively establishing agreements with various transportation providers ensures flexibil ity and responsiveness when adjustments are needed. In addition, maintaining open lines of communication with all stakehold

ers and actively participating in industry forums is vital for staying informed and prepared. Advanced monitoring and analytics tools are also instrumental in maintaining a real-time pulse on operations and effec tively managing risks. Regular prepared ness drills to test and refine contingency strategies are essential to ensure your team’s readiness in real scenarios. Keeping continuity strategies updated and vali dated helps outline operational procedures which minimize disruptions and keep your business operational. Additionally, veri fying your insurance policies adequately cover potential losses from supply chain disruptions is prudent. The Cost of Unpreparedness The consequences of failing to pre pare for such disruptions can be severe, leading to increased operational costs, prolonged delivery times, and significant revenue losses. Closing key logistics hubs like the Port of Baltimore could also halt shipments, causing delays and inven tory shortages. This disruption has a cas cading effect, impacting direct business operations and third- and fourth-party dependencies, which could escalate issues across your supply network. Financial repercussions may include elevated oper ational costs and potential contractual penalties, which could significantly strain financial resources. In addition, failure to meet customer expectations can tar nish your brand’s reputation and diminish

trust. Adapting to new routes and sched ules may require additional resources, and non-compliance with regulatory mandates could incur legal penalties, so being pre pared and proactive is a necessity. Securing Stability: Strategic Insights for True Resilience The tragedy at the Francis Scott Key Bridge is a stark reminder of the vulner abilities that are inherent in critical infra structure and supply chains, and it has brought a new focus on business conti nuity and operational resilience strate gies. Now is the time for organizations to protect their operations from unforeseen disruptions by fully understanding their third-party landscape and the potential impacts of any outage, actively explor ing alternative options, and implement ing robust mitigation strategies. This proactive approach ensures the resilience and stability of your supply chain in an ever-changing global landscape, thereby allowing you to maintain critical business operations while safeguarding against unexpected adversities. v

“

Sean McLaughlin is a highly experienced principal product manager at Fusion Risk Management with a deep understanding of the challenges faced by organizations. He has dedicated his career to developing inno

vative solutions that help businesses proactively plan for, respond to, and mitigate disruptions. McLaughlin brings a wealth of practical knowledge and expertise to his role. He has successfully implemented numerous strategies and technologies to ensure organizations can effectively navi gate through various disruptions.

16 DISASTER RECOVERY JOURNAL | SUMMER 2024

The Global Leader in Organizational Resilience

BusineSs Continuity/Continuity of Operations information security Critical Environments

Incident Response Crisis Management & Communications

Legal, Audit, & Compliance Organizational Behavior Risk Management Supply Chain Resilience

Financial Health & Visibility Human Resources Management ICT Continuity

we educate. we credential. we lead.

Building Resilient Communities, One Organization at a Time

www.build-resilience.org | info@theICOR.org | 1-866-765-8321

18 DISASTER RECOVERY JOURNAL | SUMMER 2024 Rehearsing Plan B: The Importance of Mastering Your Workarounds By RICHARD LONG I n terms of bang for the buck, not all business continuity activities are created equal. One of the most valuable ways BC practitioners can spend their time is making sure their organizations can truly execute on their manual workarounds. Rehearsing Your Plan B Due to the complexity of BC method ology, many aspects of the field have the potential to become time sinks. It’s not hard to spend hundreds of hours a year doing BIAs, gap analyses, risk assess ments, developing recovery strategies, and writing recovery plans.

Pursued purposefully, these are all worthwhile activities. However, there is one activity most BC offices tend to neglect – and pound for pound it is one of the most worthwhile ways a BC professional can spend his or her time. This activity is as practical as making sure you have the tools, equipment, and skill needed to change a flat tire. Not only making sure you have these things but val idating your capability by doing the task. The activity could be described as rehearsing your Plan B, or, alternately, mastering your workarounds. Closing the Circle Most of the people who read this pub lication work for organizations that have developed recovery plans, that incorporate manual workarounds for their mission critical business processes. This is to be commended.

green IT

consolidation portfolio computing vmware itil security GRC forrester wave service desk portal outsourcing vtl business continuity opsware asset management host disaster recovery email in the cloud change management virtualization web 2.0 metrics storage risk IT service community cloud computing

Research – Resources – Solutions Forrester delivers independent action-oriented insight to solve your biggest challenges. Visit us at www.forrester.com/drjournal to learn how our research, consulting, and executive programs will help you succeed.

Making Leaders Successful Every Day

for doing a particular task will never go down. Unprecedented outages occur all the time. You might need to put on your teacher hat to help your colleagues understand why practicing manual workarounds is important. Whichever way you slice it, it is impor tant for BC professionals to help their organizations master their manual work arounds. You have to rehearse your Plan B. Ensuring Your Workarounds Truly Work Business continuity has no shortage of complicated methodologies. However, one of the simplest things a BC practitio ner can do is also one of the most benefi cial: ensuring the company’s workarounds are truly functional. Just as theater people rehearse and prepare to enable them to mount polished stage productions, companies should rehearse their manual workarounds to make sure they can execute on them if and when the need arises. By rehearsing their “Plan B’s,” BC professionals can help their organizations ensure their manual workarounds actually work. v

In my experience, however, relatively few organizations have closed the circle by putting their workarounds to the test, to make sure the staff can perform them when the need arises. It’s not enough to have plans to man ually take orders, ship products, track inventory, and run payroll. The company has to make sure those plans have been carefully thought through and everything needed to execute on them – whether it’s special equipment, advance preparations, or training for staff – is in place. Like Putting on a Play The use of the term “rehearsal” is fitting because being able to successfully per form a workaround has a lot in common with putting on a play. In theater, a long distance separates having a script from being able to mount an entertaining production for a paying audience. Even with a brilliant director and great cast, putting on a polished pro duction requires rehearsal by the perform ers and preparation of the sets, costumes, and so on. Similarly, in business continuity, there’s a big difference between having a planned manual workaround and being able to execute on the workaround under pressure. No matter how talented your people are, rehearsal and preparation are required to close the gap. The BC Practitioner’s Role Let’s look more specifically at the BC

practitioner’s role in relation to this issue. For many people, working indepen dently on a BIA or recovery plan comes more naturally than persuading a team from another department to participate in an exercise. Nevertheless, the effort has to be made because the ultimate goal of the position requires it. The BC practitio ner’s role is primarily one of coordinating preparations and training, working with the departments to help them master their workarounds fits squarely in that basket. Here are some additional consider ations: n The kind of rehearsal we’re talking about doesn’t necessarily mean everyone has to perform the workaround for a full day (for example). Having a portion of the team work manually for two hours can go a long way toward ensuring a workaround is viable and executable. n In choosing which workarounds to practice, start with the ones for processes whose interruption would cause the greatest impact to the organization (as identified in the risk assessment). n It’s worth remembering these workarounds are not separate from the recovery plan; they are the plan. In working with the departments to practice their manual workarounds, you are helping your organization get better at executing on its recovery plans. n Be prepared for pushback by people who say there’s no point in rehearsing a workaround because the primary method

Richard Long is a senior advisory con sultant and practice team leader for MHA Consulting, where he successfully leads international and domestic disaster recov ery, technology assessment, crisis manage

ment, and risk mitigation engagements.

20 DISASTER RECOVERY JOURNAL | SUMMER 2024

Spring Showers and Climate Shifts Strategies for Mitigating Severe Weather Impacts By STACI SAINT-PREUX A s the vernal equinox ushers in the season of renewal, the specter of severe spring weather looms large. Spring has proven to have increasingly unpredictable pat terns, marked by violent storms, torren tial rains, and more unseasonable events. These meteorological upheavals are not isolated incidents but rather indicators of a changing climate. The impacts are far reaching, affecting ecosystems, econo mies, and communities worldwide. A Changing Climate A changing climate has profound impacts on severe spring weather. As our

atmosphere warms, it holds more water, leading to heavier rainfall during storms. This increase in precipitation can result in more frequent and severe flooding events. A warming climate escalates the frequency and intensity of severe weather phenomena, such as storms along fronts or the amount of rainfall from storms. Warmer than normal temperatures provide more energy for storms, allowing them to intensify and persist. Even seemingly innocuous pop-up showers can rapidly escalate, leading to flash flooding. These changes underscore the urgent need for comprehensive climate change mitigation and adaptation strategies. El Nino to La Nina Transition The transition from El Niño to La Niña significantly impacts severe weather pat terns. During the spring months of April, May, and June, we often witness the peak neutral phase in this transition. This period

DISASTER RECOVERY JOURNAL | SUMMER 2024 21

is characterized by a balance between the warmer El Niño and the cooler La Niña conditions. As we move into summer, La Niña begins to take hold, typically peak ing around August to October. This shift has a substantial influence on the Atlantic Hurricane season. The cooler sea surface temperatures in the Pacific Ocean associ ated with La Niña tend to enhance hurri cane activity in the Atlantic Ocean Basin, leading to more frequent and potentially more intense storms. Understanding these patterns is crucial for predicting severe weather events and implementing effec tive disaster management strategies. Preparing Your Business with Less Lead Time Spring’s unpredictability brings storms such as tornadoes and flash floods that are notorious for their sudden onset. To prepare for these short-lived yet high impact events, it is crucial to maintain up to-date emergency response plans and to create drills that simulate these scenarios. Regular practice of these drills can help communities respond swiftly and effec tively when real events occur. Updating emergency response plans every season is key to successful risk miti gation. Ensure all steps and communica tion is clear and reviewed by a team before each season starts. Each plan should be detailed and contain contingency plans for

each type of weather event, as every event can include different risks. Businesses can implement a variety of drills tailored to different weather scenar ios. Tornado drills, for instance, involve practicing taking shelter in a pre-desig nated location within the building, away from windows and exterior walls. Fire drills are essential for preparing employ ees for wildfires or lightning-induced fires, teaching them the quickest and safest evacuation routes. Earthquake drills, or “drop, cover, and hold on” drills, prepare employees for seismic events. Flood drills focus on evacuation procedures to higher ground. Businesses in hurricane-prone areas should conduct hurricane drills, which include securing the premises and evacuation. Site-Specific Alerts Ensuring the safety of employees during severe weather events is paramount. This involves implementing granular, site specific alerts for different locations and general alerts for employees, consider ing factors such as their distance from the office and whether they work from home. Site-specific alerts allow businesses to maintain safety and business operations at the most efficient levels. Understanding how weather will impact your exact loca tion can guide business decisions more effectively. These site-specific forecasts

can also include custom warnings and alerts for each location. Aftercare is Key to Future Mitigation The aftermath of severe weather events can be just as challenging as the events themselves. Designating the office or a temporary headquarters for employees to gather supplies if they were impacted is a vital part of the recovery process. If employees are caught at the office during severe weather, it’s important to ensure the office is well-stocked and prepared to pro vide shelter and resources. Lessons from the aftermath of weather events can shape future business emer gency response plans. The process of after care reveals the strengths and weaknesses of the existing plan, highlighting areas that require improvement. For instance, if communication channels were ineffective during the event, businesses might con sider implementing more robust systems or backup options. If certain resources were insufficient or quickly depleted, future plans could include stockpiling more sup plies or identifying alternative sources. By analyzing these experiences and incor porating the lessons learned, businesses can continually refine their emergency response plans, enhancing their resilience to future severe weather events. As businesses navigate the challenges of severe spring weather in a changing climate, preparedness, adaptability, and resilience are key. From understanding the impacts of El Niño to La Niña transi tions, to implementing site-specific alerts and drills, businesses can take proactive steps to mitigate risks. The lessons learned from each weather event serve as step pingstones towards creating more robust emergency response plans. Bracing for the unpredictability of spring weather, it is good to remember that every challenge presents an opportunity for growth and innovation. v

Staci Saint-Preux is a senior industry man ager and meteorologist for StormGeo. As part of the sales team, she has a crucial role in serving current and prospective clients in many different industries. Prior to her time

at StormGeo, Saint-Preux worked as a flight planner and meteorologist for a private aviation company in Houston.

22 DISASTER RECOVERY JOURNAL | SUMMER 2024

CAREER SPOTLIGHT

Career Spotlight: Melissa Muñiz of Zion Resiliency By RAY HOLLOMAN

Specializing in DR, I’ve encountered the challenges of being a female in a predominantly male environment. It often requires continuously proving one’s knowledge and abilities. While I’ve seen positive changes with more women and minorities enter ing the field, I hope this trend continues so future generations of women won’t face the same uphill battle. Have you had any mentors? Describe the effect they have had on your career. I’ve been fortunate to have numerous mentors throughout my career. Early on, a mentor in marketing and design taught me the importance of consistently doing my best in every interaction. Another mentor emphasized that effective management is about meeting your team’s needs, not just your own. These experiences taught me to always put my best foot forward and prioritize lis tening over talking. What are some lessons learned you still leverage today? While I rely on my “proven” methods for achieving results, I’ve learned to adapt them to a company’s culture and resilience climate. Understanding how new processes are received, adjust ing terminology where needed, and considering recent “disasters” are crucial. Listening and learning before proposing solutions is often the best approach. What aspects of working in this industry would you like to see change or evolve? I hope to witness a greater emphasis on integration and col laboration within companies. Instead of operating in isolation, we should seek opportunities to integrate our resilience processes with existing applications/processes and be willing to adapt our approaches as necessary. To often, I’ve observed overly rigid and structed plans simply because “that’s the way we’ve always done it.” Embracing collaboration, even when it doesn’t achieve per fection, can result in more agile and transparent plans that better suit the ever-changing landscape of resilience. These evolving relationships will be the key to our industry’s continued growth and success. What types of formal training and certifications have you pursued, and what kinds of learning and networking opportunities are you seeking to continue your professional development? I’m passionate about learning from others and network ing. Conferences and local continuity groups provide insights into industry responses to challenges and upcom ing trends. Sharing experiences, including what worked and what didn’t, is invaluable. Networking helps me build a community of peers for learning, brainstorming, and sup port. What gets you excited about your career? I’ve always said this career gives me the opportunity to learn a little about a lot of different areas within a company. With each impact assessment, every documented recovery plan, every test ing endeavor, I gain insights into a myriad of critical areas within a company. This diversity keeps me engaged and constantly

Tell us about yourself – your name, company, title, and responsibilities? I am currently working as a resilience consultant with Zion Resiliency. With more than 15 years of experience across various companies, I’ve specialized in building and enhancing programs. I find contract and consulting work engaging and rewarding, as it allows me to apply my expertise in impact assessments, test ing, risk management, and documentation to different industries and clients. This diversity challenges my “proven” methods and provides a unique opportunity for growth. How did you get into the business resilience industry? My journey into the business continuity industry began more than 15 years ago when I managed a data center that was going through consolidation. The company needed new resources for its growing disaster recovery (DR) group. I enjoyed the new challenged but within a few years I faced a decision: specialize in this industry or explore other avenues within the company. I chose to specialize, immersing myself in the world of resilience, which has since led to lifelong friendships, valuable colleagues, mentors, and even meeting my husband. Tell us about some of the challenges you have encountered in your career?

DISASTER RECOVERY JOURNAL | SUMMER 2024 23

CAREER SPOTLIGHT

learning and drives the enthusiasm I have in this industry. What advice would you give to those embarking on a career in this industry? I strongly encourage newcomers to attend conferences, connect with profes

sionals on LinkedIn, join local continuity chapters, and actively engage in network ing. Building a professional network can lead to invaluable insights and opportu nities. Never underestimate the power of interaction and collaboration in this field. v

Ray Holloman, M.B.A., M.S., CBCP, CCRP, MBCI, is a senior program man ager for enterprise disaster recovery for F5 Networks and the founder/CEO of Holloman Solutions. He works with teams and organi

zations to help them understand, implement and enhance their disaster recovery programs. Holloman is helping organizations become more resilient in the ever-changing threat landscape by educating them.

24 DISASTER RECOVERY JOURNAL | SUMMER 2024

Maximizing Business Risk Management Integrating Process Improvement and Financial Compliance By KATIE BRENNEMAN R isk is inherent, in some form or another, to every industry sector. Factors like financial crises, acci dental mismanagement, strategic pitfalls, natural disaster events, and technological failures can all nega tively impact a business’s bottom line. The failure to mitigate risk can have a wide range of consequences, from small errors stacking up to undermine projects’ financial viability to larger errors that can stymie (or even outright halt) businesses’ plans to scale. The failure to mitigate risk properly can lead to reputational damage,

financial losses, and businesses falling way behind the competitive curve. In an economy where the most efficient busi nesses are likely to rise above their com petitors, even small inefficiencies can set you behind if they are not dealt with. Good risk management practice hinges on you being prepared, shifting the bal ance from reactive to proactive as much as possible. I’ll walk you through some of the most common forms of risk, showing you how to mitigate them and remain in com pliance with federal and state regulations. Bookkeeping: The Risks and Rewards Bookkeeping is an essential back-office function no organization should neglect. A single source of truth where financials are mapped out, leaders leverage their organi zations’ books to make investments, plan for scaling, and adjust for losses. Making sure your books are accurate and up to date prevents you from acting on false information, keeping your budget stable and preventing cost snowballing.

DISASTER RECOVERY JOURNAL | SUMMER 2024 25

plan for a safely scalable future. You can also respond more agilely to crisis-level events, and develop an enterprise recovery infrastructure to help you rebound quickly. The Importance of Streamlining Processes As mentioned above, efficiency is key in the modern economy. Quite a bit of risk businesses face is caused, either directly or indirectly, by inefficiencies within their processes. So how can you identify these ineffi ciencies, and plan to resolve them? By set ting a process which allows for continuous improvement, removing inefficiencies and encouraging innovation. Here’s a rough sketch of what that process may look like for you: n Identify areas of risk : You can’t resolve problems you don’t know are there. Perform an audit of your finances and flag areas where you’re seeing bleeding. Identify the causes of the damage, where processes broke down, and make a short list of easy wins. Additionally, ask yourself if your organization has any level of disaster preparedness: do you have plans in place you can customize to different situations? level, 360-degree perspective. ... You can also respond more agilely to crisis-level events, and develop an enterprise recovery infrastructure to help you rebound quickly. “ With accurate records, you can see everything going on within your company from a high

n Embed compliance/risk mitigation best practices into processes : When you’ve narrowed down the sources of risk within your organization, it’s time to ideate on how you can quickly and effectively resolve them. Many of these will be direct process changes: scheduling deliveries earlier than needed, requiring frequent reporting, and regular backing up of data are examples of these changes. You can also invest in redundant systems such as backup internet connectivity, create a disaster recovery plan, and implement new cybersecurity systems at this stage. n Leverage technology to increase efficiency : Process breakdowns can be caused by unnecessary or redundant manual input. Fortunately, several tools on the market can automate these manual tasks, removing bottlenecks and driving efficiency across departments. These tools limit the possibility of manual error and also free your teams up to pursue profitable avenues of growth instead of doing manual labor. n Encourage communication across teams : Educate your teams on the risks inherent to their business, and encourage them to raise their voices if they see any instances of risk. While the exact structure of this pro cess will vary from organization to orga nization, these are the four essential steps you’ll use to mitigate most forms of risk. Some residual risk will likely remain; though, being aware of it, you can take steps to integrate protections into your processes. I hope this article gave you the tools you needed to identify and mitigate risk. Keep monitoring your attempts at risk mitigation and ensure your compliance with regulations, and you’ll be well above water when the flood comes. v Katie Brenneman is a passionate writer specializing in lifestyle, mental health, edu cation, and fitness-related content. When she isn’t writing, you can find her with her nose buried in a book or hiking with her dog, Charlie. To connect with Brenneman, you can follow her on Twitter at @KatieBWrites93. “

However, should organizations fail to upkeep their books properly, they may encounter an existential threat in the form of regulatory compliance issues. The IRS requires organizations to follow strict reporting guidelines for their finan cials, and if your information is misrep resented (whether intentionally or not), the hammer of the government will come down. Failure to upkeep books in compli ance with the law can result in these three consequences: n Tax fraud charges : The IRS takes underreported income very seriously and will issue both penalties and fines to businesses who do not have their finances logged accurately. n Incorrect form submissions : If payments issued to contractors and vendors haven’t been reported correctly, employees may accidentally submit 1099 and W-2 forms to these contractors with the wrong amount on them. Best case, the company is embarrassed and has to resubmit those forms; worst case, the company causes the contractor to miss the filing deadline and is scrutinized by the IRS. n Reputational damage : If forms and invoices are misplaced or not recorded, your company may issue the wrong payments to said contractors. Needless to say, this can cause a lot of strain in your working relationship, and possibly impact your organization’s ability to work with others in the future. Good bookkeeping practice, on the other hand, allows you to protect your organization and its assets, remain in good standing with the federal government, and avoid any unnecessary fines or penalties. Additionally, it provides leaders with a solid foundation from which to base any investment and strategic decisions they may make. With accurate records, you can see everything going on within your company from a high-level, 360-degree perspec tive. As a result, you can adjust budgets as needed to maintain project profitability, you can identify and resolve inefficiencies that have become money pits, and you can

26 DISASTER RECOVERY JOURNAL | SUMMER 2024