Disaster Recovery Journal Winter 2022

Animated publication

REGISTER TODAY! www.drj.com/spring2023

Winter 2022 u Volume 35, Number 4

INSIDE ... Tips to Selecting the Right BaaS Solution Identifying The Right Impact Categories for Your BIA Ways Winter Weather Can Disrupt Business BC Software Directory

Don’t Miss An Issue u Subscribe Today! u www.drj.com/#sign-up

Small-Medium Business Integrated Toolkit BIA Surveys, Dashbaords BC/DR Plan Templates 350+ Reports Low Cost

Global Enterprises Unlimited User Access Asset Geo-tagging Flexible, Customazible Integrated Workflow Voice, SMS Notification


(888) 480-3277

Platform for Building a Resilient Enterprise

• Cloud hosted • Secure Solution • Scalable • Product support • FREE upgrades

BIA, Plan Templates Gap Analysis Reports Exercise Management Role-Based Access Management Dashboards Management Consultants

powered by



Disaster Recovery Journal 1862 Old Lemay Ferry, Arnold, MO 63010 (636) 282-5800; Fax: (636) 282-5802

Internet: www.drj.com E-mail: drj@drj.com EXECUTIVE PUBLISHER Bob Arnold bob@drj.com EDITOR IN CHIEF Jon Seals jon@drj.com ASSOCIATE EDITOR Pam Clifton PRESIDENT Bob Arnold bob@drj.com DIRECTOR OF EVENTS Lesley Vinyard lesley@drj.com REGISTRATION MANAGER Rose Chotrow rose@drj.com SENIOR WEB DESIGNER Amy Faulkner amy@drj.com PROGRAMS MANAGER Emily Rice emily@drj.com EVENT MARKETING Sonal Patel sonal@drj.com


COVER Shifting Baselines: Strategies to Build Your Program and Gain Support By REGINA PHELPS


14 Tips to Selecting the Right BaaS Solution to Protect Your IT Environment By JEROME WENDT 20 Identifying The Right Impact Categories for Your BIA and How to Rate Them By MICHAEL HERRERA & RICHARD LONG 28 Ways Winter Weather Can Disrupt Business – and What to Do About It By SHANNON COPELAND 32 Career Spotlight: Gabrielle Sandy By PETER LAZ 34 Updating Your Business Continuity Plan for a Distributed Workforce By KATE FULKERT 36 Hurricanes and Climate Change – What We Know Now By THOMAS VARNEY

38 Unified Management Is Key to Securing Your Data and Building Business Success By AHSAN SIDDIQUI 40 IT Insights: How Disaster Has Propelled the Shift to Cloud By JESSE STOCKALL 42 Your Disaster Recovery Strategy Needs These Three Key Components Now By DON BOXLEY 44 What Resilience Means To Me By SARAH GARRINGTON 48 BC Software Directory

EXECUTIVE COUNCIL Dan Bailey, Jeff Dato, Peter Laz, Frank Perlmutter, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson EDITORIAL ADVISORY BOARD Selma Coutinho, James Green, David Halford, John Hill, Kim Hirsch, Ray Holloman, Colleen Huber, Vaishali Jain, Cary Jasgur, Lisa Jones, Joan Landry, Joe Layman, Melanie Lucht, Katherine Whitaker, Matt Ziska + (51) 1 436 6456 fijo Perú + 1 (786) 600 1864 USA ruth.rocha@drjenespanol.com www.drjenespanol.com ASIA Business Continuity Planning Asia Pte Ltd (BCP Asia) Henry Ee 1 Commonwealth Lane #08-27 One Commonwealth Singapore 149544 Phone: (65) 6325 2080 Fax: (65) 6223 5363 General: enquiry@bcpasia.com Events: conference@bcpasia.com Direct: henry@bcpasia.com www.bcpasia.com UNITED ARAB EMIRATES Continuity and Resilience ADivisionofCOREMANAGEMENTCONSULTING Dhiraj Lal , Executive Director P.O. Box127557, AbuDhabi, UnitedArabEmirates ( +971 2 8152831 | 7 +971 2 8152888 dhiraj@continuityandresilience.com www.continuityandresilience.com SOUTH AMERICA DRJ en Espanol Ruth Rocha , Directora Comercial

DISASTER RECOVERY JOURNAL (ISSN 1079-736X; USPS 013-076; Publication Agreement No. 40679000) is published quarterly by Systems Support, Inc., 1862 Old Lemay Ferry, Arnold, MO 63010. Subscriptions are free to all qualified personnel in the U.S. and Canada involved in managing, preparing, or supervising business continuity planning. Rate for all others in the U.S. is $10, Canada and Mexico $24, all other countries $47. For renewals or change of address, please include current mailing label. Periodical Postage Paid at Arnold, MO and additional offices at St. Louis, MO. POSTMASTER: Send address changes to DISASTER RECOVERY JOURNAL, 1862 Old Lemay Ferry, Arnold, MO 63010. Canada Post Publication Agreement No. 40686534. Return undeliverable Canadian addresses to: DISASTER RECOVERY JOURNAL, PO Box 456, Niagra Falls, ON L2E 6V2. DISASTER RECOVERY JOURNAL is copyrighted 1987-2022, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.



Doing BC in Troubled Times I ’ve been trying to come up with a good word to describe what the world feels like right now. “Eerie,” is one I thought of. Others are “vola tile,” “scary,” and “on edge.” How else do you describe a world in which a year’s worth of bad news is happening every week? You know the kinds of things I’m talking


jobs well has become greater than ever. In a multi hazard environment, the margin for error in our resiliency planning shrinks toward zero. At a time like this, we should be ready to give our very best. The third notable thing about doing BC now is that the current turmoil amounts to a significant opportunity. Because organizations today are so worried about risks, they are more open than usual to making changes. What is the biggest change most of us would like to see at our organizations in terms of business continuity? It’s for them to make resiliency thinking and practices part of the com pany culture. (As you know, too many companies look at BC as an obligation imposed on them by functional outsiders.) If the current situation can help us move closer to the goal of making BC part of every organization’s culture, that would be a significant silver lining. Finally, we come to the aspect of doing BC in troubled times I think is the most important of all. It’s the demeanor we bring to our jobs and our interactions with our coworkers. As BC profes sionals, we sometimes tend to emphasize the ter rible things that might happen to try to get people to take continuity seriously. In the current environ ment, everyone who’s paying attention knows bad things can happen. In this world, I think the BC professional can make a real contribution by being a calming voice. In times like these, a good motto for us is, “Keep Calm and Carry On.” To expand on the point, BC practitioners, in addition to ensuring their organizations are prepared, should let their colleagues know about the steps the organization has taken to protect itself. Provided those preparations are meaningful, their coworkers will be glad to hear about them. Knowing the company is resilient will take a load off their minds regarding the stability of their jobs and livelihood. This will make life better for them and their families and communities. In this overly stressful time, BC practitioners who can legiti mately bring down their coworkers’ anxieties will be performing a tremendous service. Doing BC in troubled times means facing an unprecedented challenge. It also represents an unprecedented opportunity to serve.

about: the war in Europe, the billion-dollar storms, the 400-point Dow swings, pandemic, inflation, civil discord, terrible school shootings and other violence. We’ve had more of that in the last few years than we’ve ever had. We also, as the result of all the turmoil, have more collective anxiety. That’s the bad news. The good news, those of us who do business continuity for a living are in the fortunate position of being able to do more than worry. Our knowl edge and skills are uniquely suited to this moment. Over the past few weeks, I’ve been think ing about what it means to work in BC during in troubled times. Here are four things that strike me as being particularly interesting about being a BC professional when the world seems to be going haywire. First, people return your phone calls. I’m speaking figuratively but you know what I mean. Suddenly business continuity has become top of mind for people who don’t usually think that much about it. We saw this during the beginning of the pandemic, and it surged again with the outbreak of the war in Ukraine and the resulting disrup tions. When bad things seem to be happening all the time, even many executives who are not big on preparedness start coming around to the idea that maybe they should get serious about resiliency. If I can speak on behalf of the profession, I have to admit this is a pleasant change. Second, the core job we have always done—of identifying likely risks and putting resiliency plans in place to mitigate them—has become more chal lenging than ever. The degree of difficulty in our profession is going up. The possible threats are multiplying, and many of the things we have to plan for today would have been unimaginable a few years ago. Meanwhile, the need for us to do our

PRESIDENT bob@drj.com


Your North Star for Resilience

Move From a Reactive to Proactive Approach

Fusion provides easy, visual, and interactive ways to analyze every aspect of your business so you can identify single points of failure, key risks, and the exact actions you need to take next to mitigate impact.

Get started on your resilience journey today! Visit fusionrm.com

“Fusion Framework System offers a fantastic tool to consolidate key elements to manage Continuity and Crisis Management programs from infancy to maturity.” - Manager, Technical Services Continuity

Shifting Baselines: Strategies to Build Your Program and Gain Support By REGINA PHELPS S ince March 2020, individuals, families, organizations, societ ies, and nations have been under tremendous stress. If it isn’t one thing, it seems like a hundred more: n Natural disasters – wildfires, hurricanes, flooding, tornadoes. n War – Ukraine and threats in the region, increased tension between China, Russia, and the world. n Diseases galore: new COVID variants, going on around the world and think, “Any program that does emergency response, business continuity, crisis management, crisis communications, and technology recovery (aka business continuity man agement) must be flying high!” My response to that: not so fast. The goal of this article is to dig deep and peel back some “faulty logic,” explore return on investment (ROI), and then dig into value on investment (VOI) as a likely better metric. The Dreaded Question

or three years ago. Or worse yet … never! Even with all the crises going on in the world, many BCM plans have not put into action. Most of our clients didn’t activate business continuity plans during the pandemic. It was a slow boil at first. Then when it exploded, there was nothing in their plans to really help such a cata strophic incident. So, the question is, when was the last time you had a plan activation? For most professionals, the answer will not be help ful. For many of our clients, the answer is not at all or once in the past X years. Return on Investment (ROI) ROI means – very literally – “return on investment.” This is a metric many of our colleagues use. What that means is you literally must prove your organiza tion received the same amount of money back, or more, as it was invested in your program. For some time now, I have been asking if this is the right metric. How do you demonstrate ROI in a BCM program? Two ways:

monkeypox, return of polio, avian influenza spreading worldwide. n Cyberattacks – ransomware, denial-of service. n Civil unrest – political violence, threat of a civil war, mass shootings. n Economic pressures – inflation, supply chain disruptions, economic uncertainty, market instability. You might be thinking, “This is a great time for our profession.” Anyone could simply look at the news and see what is

When an executive asks you, “What does your program do for our organiza tion?” What do you say? I call this the dreaded question. Most BCM profession als will turn to their business impact anal ysis (BIA) and point to forecasted losses “after the bad thing has happened” and deduce how a BCM program will mitigate those losses. Great! Then their next ques tion is, “When was the last time we used the program and plans to mitigate those losses?” For many the answer could be two



1. You can always point to your BIA, point to your planning efforts, correlate the two – and pray for the best. 2. If a serious outage occurred and your plans were used, how much did you save the organization? However, it‘s hard to do if you have had no major plan activations. Worse yet, you had an activation that wasn‘t that bad, or you never used your plans. As time passes from your last plan activation (or perceived major threat or risk) some thing begins to happen: the executive risk appetite grows and grows. This concept is called shifting baselines. Shifting Baselines This is what is called a shifting baseline – what is it, you say? A basic definition of the phrase is “failure to notice change over time.” It was coined by Daniel Pauly in 1995 as part of the environmental move ment to describe the subtle changes which occur over time and how we personally measure biodiversity loss. For example, 100 years ago, fishing stocks around the world were abundant. As time passed, the stocks decreased more and more. And yet, each next generation looked at what was in front of them and felt the number was “normal.” This happens even today with the loss of biodiversity, weather condi tions, climate change, and more. We grow used to what is in front of us and fail to notice those changes over time.

There is no doubt you’ve heard the fable on how to boil a frog. You can’t just plunk it into a pot of boiling water like you would a lobster, because (supposedly) a frog will simply jump out to safety. As the fable goes, you put a frog in a pot of lukewarm water and he will settle into this little frog Jacuzzi. You slowly increase the heat and he becomes so relaxed it doesn’t notice the water boils him to death. This legend has been refuted many times, but that doesn’t stop the story from being retold. However, it does demon strate the idea of shifting baselines. Over time, as things change, we become accus tomed to the “new normal” and then don’t remember any other way. This is what is happening right this moment with an expanding risk tolerance. So how does that apply to our work? As we get used to more and more crises, this is what we know and how we have adapted. When I first started my practice in 1982, BCM as we know it did not exist. There was only technology recovery. The first big international crisis which turned heads was the great Mexico City earthquake in 1985, followed quickly by another in Whitter, Calif., in 1987, Loma Prieta in 1989, and Northridge in 1991. With each earthquake, awareness increased and BCM was born and thrived. Since 1991, there have been hundreds of crises, all building one on top of the

other. To name just a few: Hurricane Andrew, 1992; World Trade Center bomb ing, 1993; Oklahoma City bombing, 1995; Kobe, Japan, earthquake, 1995; Y2K prep arations 1999-2000; 9/11 terrorist attacks, 2001; Hurricane Katrina, 2005; Sichuan earthquake of 2008; Haiti earthquake, 2010; Icelandic volcano Eyjafjallajökull eruption, 2010; Christchurch earthquake, 2010; Superstorm Sandy, 2012; California firestorms, 2015-2021; Hurricane Harvey (and associated floods), 2017; Hurricane Maria, 2017; Not-Petya, 2017; locust inva sions in Africa and Asia, 2020; COVID pandemic, 2020; daily mass shootings in the U.S.; school shootings; ransomware attacks; and much, much more. When we are repeatedly exposed to so many “bad things,” we become numb and this becomes the “new normal.” When things are unsettled, the economy is strug gling and money is tight. Our BCM pro grams, regardless of how many bad things are happening out there, are at risk. I first started to write about this issue in 2005, and it is even more applicable today. Value on Investment (VOI) What if you stopped and thought about things differently? In other words, is there another, perhaps more meaningful, way to show value of your program and your work? I have three questions for you to ponder: 1. What is the value-add of a BCM program? 2. Is the value-add only good in a crisis/ disaster? 3. Is there a way to show value to your organization every single day? Shouldn’t we as continuity profession als be asking if a better alternative exists to ROI? Is it possible to tie dollars invested to desired and realistic organizational out comes such as: n Increased resiliency. n Competitive advantage. n Effective staff training. n More thoughtful business processes. The answer is yes! Stop and consider the concept of “value on investment” for your work. What is VOI? This concept


1. What is the BMC program doing now that provides value? 2. What should the BCM program begin doing that provides value? 3. What am I/we doing to provide value to the organization, every single day? What you should be striving for is dem onstrating that VOI = increased overall organizational resilience! Start with that first question: what is the BMC program doing now to pro vide value? For me, this is what I call a whiteboard activity. Pull together your team – and if you are a solo department, others who you work with – to brainstorm ideas about the program, deliverables, and value. Here are some suggestions: n Establish goals for the whiteboard session. n Set a timeline for the session. n Give everyone on your team a homework assignment. – Bring to the session at least 10 ways the program provides value. n Create the environment for success. – Be prepared at the start of the n Write down and/or sketch out every idea. Value on Investment (VOI) Suggestions to Explore I strongly encourage you to really dig into the concept of VOI. To help get started on your brainstorming, let me offer at least eight ways you and your program deliver VOI every day: 1. Regulatory/contractual compliance. 2. Competitive advantage. 3. Brand and reputation protection. 4. Risk identification. 5. Operational improvement. meeting with sketchpads, sticky notes, colored markers, or a large amount of whiteboard space for everyone involved.

was developed by the Gartner Group and is defined as the “intangible assets which contribute heavily to an organization’s performance.” These intangible assets include knowledge, processes, organi zational structure, and ability to collabo rate. VOI is the measure of the intangible benefits of a project or an activity and can include aspects of ROI. Shifting to a VOI approach instead of an ROI approach provides the necessary forward-thinking framework for scoping, prioritizing, and initiating continuity proj ects. For example, VOI seeks to measure the idea of creating organizational resil ience and: n Ties planning outcomes to increased employee skills. n Creates value through collaborative planning and learning at every level of the organization. VOI measures the total value of “soft,” or intangible benefits derived from con tinuity initiatives, in addition to those “hard” benefits measured by ROI. Key things to keep in mind are: n VOI is subjective and difficult to measure with the same precision as ROI. n A VOI approach is critical to encourage funding for continuity activities and the success of these efforts. We aren’t the only professionals who struggle to demonstrate value. There are many other businesses and sectors work ing to reframe the discussion:

points and deepen the discussion. This is critically important not only for your program’s success but to help enrich your career and capabilities. It can move you from being a planner to a leader in the organization. Think Like an Octopus Stop and think about this: Because of who we are, the work we do, we know so much about an organization and can con nect with groups and departments which are struggling and have needs for infor mation and understanding. We know a lot about other departments (think BIA, BCP, CM, DR, etc.). We also can break down silos between groups, departments, and individuals. Because of the widespread engagement of BCM, we can help others (executives, managers, employees) con nect all the dots. What are you waiting for? Start brain storming, build your list of VOI qualities, and start to think octopus! Closing I encourage all of us in the BCM pro fession to start talking about this in real time. Work together with colleagues to develop a new approach to how we talk about our work and collaborate with each other. We can build a phenomenal list of qualities and values which BCM deliv ers every day. Together, we can create a brand-new story. v Since 1982, EMSS has provided consultation and speak ing services to clients on five continents. Phelps is a fre quent speaker at international continuity conferences and is consistently one of the top-rated speakers in her field. She is known for her approachable and entertaining speak ing style and ability to take complex topics and break them into easily digestible and understandable nuggets. She is the author of four books, all available on Amazon: • “Crisis Management: How to Develop a Powerful Program.” • “Cyberbreach: What If Your Defenses Fail? Designing an Exercise to Map a Ready Strategy.” • “Emergency Management Exercises: From Response to Recovery.” • “Emergency Management Exercises: From Response to Recovery Instructors Guide.” Regina Phelps is an internationally recog nized thought leader and expert in the field of crisis management, pandemic and conti nuity planning, and exercise design. She is the founder of EMS Solutions Inc, (EMSS).

n Associations. n Conferences.

n Health services. n Higher education. n NGOs.

n Technology. n Think tanks. n Wellness programs (health, nutrition, exercise). n Any organization that doesn’t have “tangible” results to note. Change the Conversation Your job is to change the conversation. Start with answering three questions:

6. Knowledge capture. 7. Increased robustness. 8. Deeper knowledge.

I first encourage you to do your own brainstorming and build your own list. Then, take my ideas and add yours to explore them and build out the bullet



•Information System •Claims Administration

•Third-party Risk Management •Enterprise Risk Management •Internal Audit •Policy Management •Compliance •Project Risk Management •Business Continuity & Resilience •Environmental, Social & Governance •Health & Safety


Together, we’ll give you integrated risk management with end-to-end visibility and true enterprise resilience.


EDITOR’S NOTE : DCIG empowers the IT industry with actionable analysis that equips individuals within organizations to do supplier and product evaluations. DCIG delivers informed, insightful, third-party analysis, and commentary on IT technology. As industry experts, DCIG provides comprehensive, in-depth analysis, and recommendations of various enterprise data storage and data protection technologies. The views, thoughts, and opinions expressed in all Disaster Recovery Journal articles belong solely to the author. The information, product recommendations, and opinions in this article are based upon public information and from sources DCIG, LLC. believes to be accurate and reliable.

Commonalities Across BaaS Solutions Any organization that assumes BaaS solutions pos sess ubiquitous traits across them will find almost the exact opposite to hold true. Organizations cannot simply deploy any BaaS solution into any IT environment. Rather, each BaaS solution tends to protect certain types of IT envi ronments better than others. However, all BaaS solu tions to share some common traits. Three features that all BaaS solutions include are: n Backup software and hardware . The BaaS includes the backup software and underlying hardware needed to host the software. However, the BaaS solution typically does not include the storage needed to store the backups. typically configure and setup its backup software and hardware for use. A BaaS provider may even deliver its software as a subscription based service that it hosts in a general-purpose cloud. An organization’s first interaction with the BaaS n No hassle deployment . The BaaS provider will

Tips to Selecting the Right BaaS Solution to Protect Your IT Environment By JEROME WENDT B ackup-as-a-service (BaaS) solutions address a common, recurring problem in organizations: backup deploy ment and ongoing maintenance. They minimize the need for organizations to deploy backup software and hardware and then fix, patch, and upgrade them. In adopting BaaS, organizations outsource a task many prefer not to do

and may not currently manage well. However, BaaS solutions do not represent a one size fits all. Each BaaS’s underlying architecture results in certain offerings being better suited to performing backup and recov ery in different IT environ ments. Hence, organizations that host their IT environment in physical, general-purpose clouds, private clouds, or hybrid IT environments will find BaaS solutions better suited for each one.


A great day at work, whatever happens

Give your company the space to recover and make sure you and your team have a great day at work, whatever happens. Through our global network of thousands of locations, IWG can support your business in every major city, town, or transport hub in the world.



may entail subscribing to it, configuring backup admins, and scheduling backup jobs.

more difficult or may not be an option. Or, if it is, production data may reside a storage array where the snapshots need to occur. BaaS solutions tuned for physical IT infrastructures offer agents to install on the OS that coordinate these backups. Some also interface with storage arrays to perform array-based snapshots. n Back up to local storage targets . Organizations may maintain a physical IT infrastructure due to the amount of production data they back up and store. BaaS solutions optimized for physical IT environments recognize, manage, and utilize different types of storage targets. These targets may include cloud storage, deduplicating backup appliances, disk storage arrays, and/or tape drives and libraries. n Offer on-site technical support . This may represent perhaps the biggest differentiator that separates BaaS offerings tuned for physical environments from others. Protecting a physical IT environment may require support staff to show up onsite to deploy the solution or perform repairs. These BaaS providers either have staff to perform these support services or they contract with third parties to perform them. BaaS solutions that protect physical IT environments can and do protect general-pur

few BaaS offerings that can effectively protect them. In a physical IT environment, each application server has its own dedicated hardware and operating system (OS). This requires a BaaS solution that can minimally interface with the server. The BaaS solution may also need to interface with the application hosted on the server and the server’s sup porting hardware. These very specific data protection requirements inher ently restrict the number of BaaS solutions available to protect physical IT infrastruc tures. Those that do protect physical IT environments ide ally offer the following fea tures: n On-premises deployment option for BaaS solution . Physical IT environments may have limited or no Internet connectivity which some BaaS solutions may require to perform backup. BaaS solutions tuned for physical IT environments offer physical and/or virtual appliances that get deployed when implemented.

pose cloud IT environments. However, these BaaS solutions may not work as well as those specifically tuned for general purpose cloud environments. If organizations run their workloads in general-purpose clouds, they should consider BaaS solutions specifically architected for them. Purpose-built for General purpose Clouds Organizations that already host their workloads in gen eral-purpose clouds should prioritize using BaaS solu tions purpose-built to pro tect them. General-purpose clouds include offerings such as Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and others. These platforms include technologies, such as auto scaling, identity, and access management (IAM), serverless compute, and object storage, among others. Purpose-built BaaS solutions capitalize on these technologies found in general-purpose clouds. Using these features, BaaS solu tions may dynamically scale to handle increased workloads with minimal intervention or planning. BaaS solutions purpose built for general-purposes clouds ideally include the fol lowing features to deliver a better backup experience: n Subscribe to it . When organizations use public clouds, they typically

n Ongoing maintenance . The vendor provides the ongoing maintenance of its BaaS hardware and software. This includes monitoring the BaaS for

faulty hardware, performing break/fix activities, and performing software fixes, patches, and updates as needed. However, its support does not extend to performing any activities that interact with and involve any of the organization’s data. For instance, the BaaS provider would not schedule organizational backups or perform recoveries except in a support role. Simply performing these three activities may free up the equivalent of a full-time employee, especially in enter prise organizations. BaaS solu tions also minimize many of the backup sizing activities that organizations go through when deploying a backup solu tion. Despite these similarities between available BaaS solu tions, their underlying archi tectural differences define which ones best meet specific organizational needs. These differences influence how well, or even if, a BaaS offer ing can perform backups and recoveries in certain IT envi ronments. Tuned for the Physical Organizations that run a physical IT infrastructure in any capacity will find only a

n Offers backup agents . Many BaaS solutions

capitalize on hypervisor and cloud OSes that offer snapshot APIs for the virtual machines (VMs) they host. BaaS solutions use these APIs to first create a VM snapshot and then back it up. This minimizes interaction with the VM’s guest OS. In physical environments, performing snapshots becomes

subscribe to services that cloud providers offer such as compute, storage,


Simple, Flexible Business Continuity Solutions.

With an end-to-end solution, such as Agility Recovery, business can recover 4 times faster than with no BCM solution.

The only integrated business continuity solution in the market that helps you plan , train , test , alert , and recover — all in one.

866-364-9696 contactus@agilityrecovery.com www.agilityrecovery.com

Copyright 2021 - Agility Recovery All Rights Reserved

networking, etc. They then pay for these services as they use them. BaaS offerings purpose-built for the public cloud function in the same way. Organizations simply select the BaaS offering and start using it to perform backup. They pay for the service based on one or more variables with cloud backup storage consumption being a common cost metric. protect VMs hosted in them. BaaS solutions use these APIs to discover VMs, assign backup policies to them, and then back them up using snapshots. This minimizes the need to deploy agents on each VM and facilitates ease of backup management. n Hosted in the cloud in which the BaaS solution offers protection . Organizations need to examine exactly where providers host their BaaS solution. For example, a provider that offers AWS protection may not host its BaaS solution there. It may host its software in a different general-purpose cloud or its own private cloud. Either of these approaches may require the organization to deploy a VM in that public cloud. The VM then acts as a gateway between that public cloud and the cloud where the provider hosts its BaaS. n Moves backups to object storage . Using snapshots n Tuned to protect VMs . Cloud operating systems offer their own APIs to

to take backups of VMs sounds great until one gets their next bill from Amazon (or Google or Microsoft.) Each VM snapshot consumes more of the provider’s more expensive cloud block storage. BaaS solutions typically cannot avoid using block storage to create and store snapshots. However, they can move aging snapshots to lower cost object storage to better control cloud storage costs. Look for BaaS solutions that offer this option.

hosted in general-purpose and private clouds. However, these BaaS solutions typically utilize physical or virtual appliances to protect applications and data hosted in general-purpose clouds. More organizations will find it makes the most sense to prioritize using BaaS solutions to protect their on-premises, private cloud IT environment. They have more BaaS solu tions from which to choose plus they typically protect applications and data hosted on Microsoft Azure Stack and VMware vSphere. In these environments, BaaS solutions deploy a virtual appliance on each hypervisor which the BaaS solutions uses to manage backups. These private cloud-ori ented BaaS solutions may not protect physical IT infrastruc ture very well, if at all. They may limit physical infrastruc ture support to a few operat ing systems and some physical storage devices. Organizations should generally shy away from BaaS solutions oriented toward private clouds if they need to protect their physical infrastructure. Conversely, private cloud oriented BaaS solutions tend to possess stronger support for applications and data hosted in general-purpose clouds. In some cases, they may offer cloud-native deployments of their BaaS solution in one or more of the general-purpose clouds. Organizations with hybrid environments that include on-premises private and general-purpose clouds

should prioritize evaluating these BaaS solutions. A Best Choice in a BaaS Solution Remains Elusive BaaS solutions have matured to become a viable option to protect all or much of an organization’s IT infra structure. They free orga nizations to outsource their hosting and management of the backup infrastructure and focus solely on backup and recovery. However, distinct differences between BaaS solutions persist and will likely remain. Organizations that host their entire IT envi ronment in a physical or general-purpose cloud will have fewer but better choices. BaaS solutions that target these IT environments deeply integrate with them to provide advanced levels of backup and recovery. In contrast, organizations that possess hybrid environ ments will find more choices in BaaS solutions. Unfortunately, they will also discover they will be hard-pressed to find one that works well across physical, private cloud, and general-purpose cloud IT envi ronments. Rather, they should expect to make trade-offs and must prioritize which of these IT environments they want the BaaS solution to protect. v

The Hybrid Trade-off

Organizations hosting their applications and data in all physical or all general-pur pose cloud environments have clear choices. However, most organizations find themselves somewhere in the middle. They manage hybrid IT envi ronments that span physical, general-purpose, and private cloud deployments. In these circumstances, organizations do not have a clear-cut choice. Rather, orga nizations must identify a BaaS solution for their hybrid IT environment based on which trade-offs they can accept. To make the best decision, organizations should first pri oritize which type of envi ronment they want the BaaS solution to protect. If they want to prioritize protection of their physical IT infrastructure, they should identify BaaS solutions with strengths in that area. These BaaS solutions also extend to protect applications and data

Jerome Wendt, an AWS Certified Solutions Architect, is the president and founder of DCIG, LLC., a technology analyst firm. DCIG, LLC.,

focuses on providing competitive intel ligence for the enterprise data protection, data storage, disaster recovery, and cloud technology markets.


The Global Leader in Organizational Resilience

BusineSs Continuity/Continuity of Operations information security Critical Environments

Incident Response Crisis Management & Communications

Legal, Audit, & Compliance Organizational Behavior Risk Management Supply Chain Resilience

Financial Health & Visibility Human Resources Management ICT Continuity

we educate. we credential. we lead.

Building Resilient Communities, One Organization at a Time

www.build-resilience.org | info@theICOR.org | 1-866-765-8321

dollars. Qualitative impacts cannot be so measured. Using categories of each type provides for a rounded view of the damage which would be caused by disruptions of various lengths. 2. Limit your total number of categories to three quantitative and three qualitative . Having more than six total categories tends to make the BIA interview go on too long and can confuse the participants. 3. Make sure the categories are consistent across departments . This allows you to measure apples to apples when gauging the impacts of potential disruptions. 4. Choose categories which respect the core mission of the business . Your impact categories should be in line with your mission, strategy, and operations. There are some categories which almost all organizations conducting a BIA will utilize such as loss of revenue; increased operating expenses; and damage to brand, image, and reputation. However, many categories will be derived from what is uniquely important to each organization or field. For example, hospitals commonly include as a qualitative area impact on patient care and safety while universities typically measure the impact to student experience and safety. Manufacturing firms typically have as a qualitative category something like impact to supply chain. Banks, being highly regulated, will usually have as one of their quantitative impact areas Impact on penalties, fines, and sanctions. Think carefully about the core mission of your organization and then select impact categories that reflect this mission. 5. Share your list with key colleagues . Once you choose the impact categories you think are best, circulate your list to such departments and individuals as enterprise risk management, the CFO, and the COO for their review. Ideally, you want everyone to align on the impact categories which are the most relevant for your organization and best reflect its mission and strategy.

20 DISASTER RECOVERY JOURNAL | WINTER 2022 Identifying The Right Impact Categories for Your BIA and How to Rate Them By MICHAEL HERRERA & RICHARD LONG I dentifying the right impact categories is a famously confusing aspect of the busi ness impact analysis (BIA). It is also critically important since the choice influences the order in which the vari ous business processes and units will be restored in the event of a disruption. Impact categories are the aspects of your business you look at in assessing the nega tive effects of disruptions of varying lengths. There is no universal list of impact categories that works in all industries. Every organization chooses a few such categories based on its unique situation. What impact categories should your organization be focusing on? The ones that are most important to its business or mission. Five Tips to Help You Choose Here are five tips to help you identify the right impact categories for your BIA: 1. Divide the categories between quantitative impacts and qualitative impacts . Quantitative impacts are those which can be measured in

A Leader in Business Continuity for Now 25 Years

3 solutions

has been helping worldwide organizations manage the unpredictable for 25 years. Whether you need to implement your business continuity program, strengthen it or automate it, you can count on us. Work with a well-rounded BC partner, with a collaborative and holistic approach that supports your teams at every step of your BCM program. Premier Continuum

Automation software

Certified training

World-class consulting


6 fields of expertise We've been in the business for 25 years. Talk about resilience.







How To Weight Your BIA Impact Categories N ow you have selected the impact cat egories, you’re ready to determine how to weight each one. What It Means To ‘Weight the BIA Impact Categories’ Weighting your categories is not simply a ranking of how important the processes are to the business. Many things are vital to the business but not especially time sen sitive. What we’re interested in is the vari ous quantitative and qualitative impacts of a disruption over time to the business functions and enterprise. Weighting impact categories is about evaluating the negative impact to the business of having the different functions interrupted. Although we used the word “rank ing” above, the process is actually more involved. What you want to do is assign a percentage value to each of your six cat egories, with the sum totaling 100%. The percentage value you give each category is your team’s estimate of the negative impact on your organization’s key mission and operations of having that function interrupted. Why It’s Important to Weight Your Impact Categories The reason it’s important to weight your impact categories is because you cannot restore everything first. You can only restore one or two things first; the rest will have to wait until you can get to them. The functions you restore first should be those whose interruption is causing you the most damage. Weighting the BIA impact categories is your way of figuring out which these are. Another reason it is important to weight your impact categories has to do with human nature – in this case, the tendency of humans to rate what they do as being

Identifying the impact categories to be addressed in your BIAs is a matter of applying good judgment to wide knowl edge. It comes down to figuring out which are the business units, pro cesses, and applications which support the mission of your organization, day in and day out. Takeaways n Every organization should choose a handful of impact categories which make sense for its industry and mission. n Impact categories are the aspects of your business you consider in assessing the negative effects of disruptions. n To find the best impact categories for your company, figure out which processes, units, and applications support its core mission, day in and day out. n Impact categories are divided between two types, quantitative and qualitative. n Make the impact categories consistent across departments so you can measure apples to apples. n Avoid the mistakes of having too many categories, mixing up quantitative and qualitative, and choosing the wrong categories for your company type.

The Most Common Mistakes People Make in Identifying Impact Categories The three most common mistakes people make in identifying impact areas are n Having too many BIA impact categories. n Mistaking quantitative impact categories for qualitative ones and vice versa. n Choosing the wrong categories for their company type. Examples From Four Major Industries The table below shows the

impact categories commonly used in BIAs in four major industries: finance, health care/hospitals, insurance, and real estate. Naturally, organizations in each

industry choose catego ries which are pertinent to their sector and mis sion. Seeing the cate gories they use might help you in thinking

about what cat egories make the most sense for your organiza tion, whatever industry it is in.


Quantitative Impacts n Loss of revenue n Increased operating expenses n Penalties, fines, and sanctions n Loss of revenue n Increased operating expenses n Penalties, fines, and sanctions n Increased or additional expenses n Fines, penalties, and sanctions n Loss of revenue n Increased operating expenses n Penalties, fines, and sanctions n Loss of current revenue n Impact to liquidity

Qualitative Impacts


n Impact to customer service n Legal/regulatory requirements n Impact on public goodwill, brand, image, and reputation

Healthcare/ hospitals

n Impact to patient safety and security n Impact to brand, image, and reputation n Delay in services n Impact on customer service n Impact to brand, image, and reputation


Real estate

n Internal and/or external customer impact n Legal and regulatory requirements n Delay in billings and payments n Impact to public goodwill, brand, image, and reputation










more important than what everyone else is doing. More often than not, when the differ ent business units are asked how important they are to the organization’s mission, the majority state they are of critical impor tance. But if management was required to create recovery plans which treated every department as critical, the cost would be prohibitive. Everyone wants to feel what they do is important, and the company could not operate without them. In most cases, they are correct: the company would be impacted if they were not operational. For some departments the impact would not be felt

for days or weeks while for others it would be felt right away. In weighting impact categories, we are attempting to identify the business func tions whose interruption would have an immediate impact on the organization. By weighting BIA impact categories, we are reducing the likelihood the pride of the business units will distort the recovery effort in a manner which detracts from the interests of the organization overall. How To Weight the Impact Categories So how do you go about assigning a weight to each of the impact categories? You do three things: First, consult with the management team supporting your BIA. Gather their

input as to which areas they think are most important. Second, again in collaboration with your management team, look at the impact categories selected and rate them by their relative importance to your company. Consider the mission of your company and how important each impact category is to the organization. For example, a bank might prioritize its impact categories as follows:

1. Loss of revenue. 2. Customer service.

3. Brand, image, and reputation. 4. Penalties, fines, and sanctions. 5. Legal/regulatory requirements. 6. Increase to operating expenses.


Introducing the new Virtual Corporation.


A nonprofit organization, however, would likely have a completely different list. Third, assign a percentage to each impact category based on its relative importance. Typically, the top categories make up the majority of the weighting per centage. Here are the same BIA categories we used above with sample weighting per centages added: 3. Brand, image, and reputation (20%). 4. Penalties, fines, and sanctions (15%). 5. Legal/regulatory requirements (10%). 6. Increase to operating expenses (5%). In the example, the areas most impor tant to the bank are not losing revenue; minimizing impact to customer service; maintaining brand and image; and mini mizing penalties, fines, and sanctions. Based on the above weighting, the busi ness processes which have the most signif icant impacts in these top four categories are the most critically time sensitive and need to be recovered the soonest. As with the example, the total of your weightings should add up to 100%. The Most Common Mistake Made in Weighting Impact Categories The most common mistake people make in weighting their organization’s 1. Loss of revenue (25%). 2. Customer service (25%).

impact categories is not taking the process seriously enough. How you weight the different areas is your judgment of what is critically time sensitive and what is not. Your weightings might determine what is restored first after a disruption and what is left to be recov ered at a later time. The consequences for your organization are potentially huge; therefore, you want the right processes to be designated as critical. After You Weight the BIA Impact Categories What happens after you weight your BIA impact categories? You integrate the results into your BIA process. The impact categories and their weight ings are used to evaluate the dollar and non-dollar impacts of a disruption to each business process over various periods of time (12 hours, 24 hours, etc.). This allows you to determine the recov ery time objective (RTO) for the different business processes. The following tables below illus trate how this is done where impacts are involved. In this example, the impacts to customer service and brand, image, and reputation (both of which have high weightings of importance) are significant within the first 12 to 24 hours. Based on the scoring (impact score multiplied by the weighting of each category and aggre gated), those processes experience a sig

nificant impact in 12 hours and would need to be recovered in 12 hours or less. Weighting your impact categories is a small task which can make a big differ ence to the effectiveness of your BIA and recovery plans. Takeaways n Weighting your categories is not simply a ranking of how important the processes are to the business. n It is important to get input from management in weighting impact categories. n The most common mistake in weighting impact categories is not taking the process seriously. n Incorporate the results of your weightings in your BIA process. n Weighting impact categories is a small task that can make a big difference. v Michael Herrera is the CEO of MHA Consulting, a leading business continu ity planning and information technology consulting firm. Herrera is the founder of BCMMetrics, which specializes in business continuity software designed to aid organizations in devel oping and executing business continuity programs.

Richard Long is a senior advisory con sultant and practice team leader for MHA Consulting, where he has successfully leads international and domestic disaster recovery, technology assessment, crisis

management, and risk mitigation engagements.

1=none to negligible, 2=minimal, 3=moderate, 4=critical, and 5=catastrophic.








Loss of revenue

1 1 1

1 1 1

1 1 1

1 1 1

1 1 1

1 2 2

Increase in operating expense Penalties, fines, and sanctions








Customer impact

3 1 3

4 1 4

4 1 4

4 1 4

4 2 4

5 2 5

Legal/regulatory requirements Brand, image, and reputation


Made with FlippingBook - Share PDF online