AmalfiCORE Blog

Less Lone Champions, More Defiant Heroes

There is a hero in every disaster. I’m actually OK with the existence of these heroes.

I think there are probably three types of heroes- those individuals who:

1. Act as lone champions, despite the existence of a viable planned process; who go around the system and do things their way (in emergency rescue we call it freelancing);
2. Methodically ‘play their position’ and do so impeccably, with the confidence, and competence which exudes leadership (not rank); with just enough of the right demeanor and who accomplish the work professionally, (whether it’s formal or not, I think is irrelevant).
3. Just happened by and started to help.

I’m focusing on number 1. and number 3. In the case of the lone champion, we might see interpersonal issues arise which interfere with a smooth operations during a time of heighten stress. We might see confusion caused by the lone champion doing other people’s jobs for them (albeit sometimes better than those assigned). Also, there are the ramifications of a loosely followed process that misses vital steps which would have supported a more successful recovery and restoration outcome.

A few ways to help retain the talents of the lone champion while reigning in the freelancing would be early awareness interventions. Business continuity planners can be quite valuable as observers during their own process of plan building. It’s sometimes at these early stages of working together as a continuity team that lone champions begin to emerge. It’s then that coaching and guidance can be of the most benefit.

Additionally, our emergency response plan can make good use of the Incident Command System Process. We can provide basic education to those who might become involved. The advantage of ICS is that it is designed to avoid freelancing, and focus on a chain of command and control with plan-full and systematic assignments based on position. This can go a long way to stave off the urge for a lone champion to emerge unexpectedly and can be significant in a hospital setting. [1]

In the absence of a plan with assigned tasks, an untrained staff will do what they think is best. A trained staff who each understands their specific roles, can be a great benefit to ensure better outcomes. Subsequent to Hurricane Katrina, a review of various lessons learned produced a number of recommendations. One of those focused on the care of the older generation of individual, especially those in health care settings, as outline in a 2009 text (Allen and Nelson). They indicate that recommendations exist that “…mandate that the social work profession boost its capacity and capability to provide competent emergency services to ease the suffering of older individuals before, during, and after a crisis.” [2]

I do recognize that great coaching and planning cannot always account for the emergence of a lone champion which doesn’t occur until the actual disaster is upon us/them. Once again, early detection is important, to the extent possible given the crisis, to immediately bring some reasoning to the individual and the process.

We must also consider that some heroes who have emerged did so unrelated to our organization, it’s plan, or our response. They are the first responders, the citizen bystander, the journalist, and others. None of these heroes are part of our plan. They probably don’t understand our business continuity discipline or goals – they were just driving by our building and started to help. It’s difficult to find any fault in this group of folks. The International News Safety Institute-INSI performs studies to determine the incidence of journalists getting injured or killed covering natural (and other) disasters. “…when journalists are first responders, they face difficult decisions, the potential of physical danger and emotional risk to others and themselves in addition to ethical issues, the question of whether to provide aid to injured victims or help in the evacuation before emergency responders arrive.” [3]

During some of the larger more impactful incidents I’ve responded to (i.e. train derailments, riots, and partial city evacuations), I’ve observed a natural tendency of some well-trained professionals to think and act as if they have the only right answer for the situation. I think we need to listen to that input while at the same time considering our planned response. In this way, we can better understand the impact this new information has on a more positive outcome.

Summary

Lone champions will always exist. We should detect them early and bring awareness and education through coaching and guidance. We should also be alert to the emergence of freelancing and determine quickly whether this unexpected, lone approach, serves the best interests of an improved outcome to the crisis. If so, accept and include, if not, head it off early for fear steps are missed in our very needed recovery and restoration of normal business.

References:

[1] “Disaster Nursing and Emergency Preparedness: for chemical, biological, and radiological terrorism and other hazards”.Veenema, Tener G. 2007.  2nd edition. Retrieved 10-27-09 from an ebook website from http://books.google.com/books?id=EwmhaCmZzMsC&pg=PT170&lpg=PT170&dq=freelancing+during+disaster&source=bl&ots=zKUAkou5kv&sig=FTgWz1oRfqfp_5_N-eYUphPQxM0&hl=en&ei=uZrnSvKDMIqOMaKq9KcI&sa=X&oi=book_result&ct=result&resnum=10&ved=0CCgQ6AEwCQ#v=onepage&q=freelancing%20during%20disaster&f=false

[2] Allen, Priscilla D. and Nelson, H. Wayne. Chapter 8. “Disaster Services With Frail Old Persons: From Preparation to Recovery” taken from the book “Lifespan Perspectives on Natural Disasters: Coping with Katrina, Rita, and Other Storms”, Springer Publishing, 2009. Retrieved 10-27-09 from http://www.springerlink.com/content/w5163r8138051j13/

[3]  ”Media and Save Disaster Coverage “. 2-MAY09. Retrieved 10-27-09 form http://www.newssafety.org/index.php?view=article&id=12493%3Ahealth-information-for-news-professionals-covering-the-asian-tsunami-disaster&option=com_content&Itemid=100124

More Benefits Than Meet the Eye

Organizations can reap benefits from Business Continuity programs that go beyond the program itself. However, I believe that the actual BC program is, in and of itself, an extremely valuable service to any organization.

Now for the blasphemy. Business Continuity, like any discipline, has its share of  ‘full of itself’.  I mean that in an OK way.

Regardless of which line of work we engage each day, there are those that do the work for the work’s sake, to check all the plan boxes and complete the program. Some may -

• Spend a great deal of time and money focused on being unduly thorough, (in my reliability engineering days, I’ve done this, for sure)
• Obtaining certifications (yes, it does prove we at least possess a cognitive knowledge of the subject with some applied experience)
• Adhere fastidiously to rules and regulations (helps to be on the correct side of this).
• Write books, blogs, twitters, white papers (many of which I read in awe)
• Speak at conferences and share their wealth of knowledge and experience (who doesn’t like a good conference now and then)

For this group of BC professionals, it may be somewhat of a challenge to find further benefit beyond the tireless work on readiness and continuity produced by their great efforts. [1]

Then, there are those that do a thorough job while, at the same time, balance business goals, customer requirements, and professionalism together into a blended solution. Now, there’s the extra benefit!

In the field of Business Continuity, we have the opportunity to make a real difference for our company or client. We can build not only a repeatable program which protects the organization’s resilience, but also supports the long-term stability of the enterprise.  It’s that stability which I consider a prime benefit.

Consultants, and there are dozens of them/us, offer many examples of BC benefits. Most of those benefits are quite valid and are couched to describe a justification for engaging in the BC activity. ETP Consulting out of the UK, offers some excellent justification/benefit examples which portend to broader company benefits:

• “…Protection of shareholder value…improved understanding of the business
• …Improved operational resilience
• …Reduced downtime bringing more value to customers
• …Improved compliance, vital records, operational effectiveness
• …Protection of intellectual property and improved security
• …Avoidance of liability…” [2]

An article by Honour in Continuity Central points to the advantage. It can be a competitive advantage [3] to companies to advertise to their client base that their business is robust, and they have a BC plan in place that works, has been tested and is ready to go. This can be an attractive draw, especially when customers are considering long-term supplier relationships.

I share the growing awareness that the enterprise can benefit in a huge and meaningful way from the ‘side’ benefits of a proper BC plan. Operational effectiveness can improve simply from the new level of process understanding shared across the organization. The education comes from having to go through the plan in detail, consider alternatives, find issues, and resolve them before they occur. Meeting regulatory requirements and reassuring customers can play a significant role in your IT service being chosen over other vendors. [4]

As a result, I see that these advantages may produce revenue growth, improved profits, and long-term goodwill.

References:

[1] Schulze, Steve. In commented response to Honour, David.  “The Business Benefits of Business Continuity”. Continuity Central. Retrieved 10-26-09 from http://www.continuitycentral.com/feature0427.htm

[2] “Business Continuity Management – The Business Benefits“. Retrieved 10-26-09 from

http://www.etpconsulting.co.uk/Learn-Business-Continuity/business_benefits.htm

[3] Honour, David.  “The Business Benefits of Business Continuity”. Continuity Central. Retrieved 10-26-09 from http://www.continuitycentral.com/feature0427.htm

[4] “Business Continuity Planning in IT”. Retrieved 10-27-09 from ttp://www.businesslink.gov.uk/bdotg/action/detail?type=RESOURCES&itemId=1076147045

The Merits of Using Software Tools for Business Continuity Planning

There are a number of business continuity-BC planning tools available to planners. Some are automated software created and sold by vendors. Others are for free. There is available a whole collection of downloadable online forms and templates, toolkits, and the like. Some are  even authorized and used by FEMA [1] and government agencies.

Many companies are using software tools. A recent reader survey conducted by Continuity Insights found that “…56 percent of respondents use business continuity planning software, down slightly from 59 percent in 2006. Seven percent of respondents to both the 2006 and 2009 surveys said they were currently considering or evaluating the purchase of a software product. An additional seven percent of respondents to this year’s survey said they are considering changing software tools.” [2]

My thoughts on the use of tools is that they serve a purpose, but are not the solution.  People are the solution. However, I sure do like the use of automation, especially to reduce data entry, repetitive tasks, and help ensure more accuracy.

We do need to consider the investment. These costs must be weighed with a full lifecycle perspective, not unlike other software tools.

Features

Business Continuity planning tools offer many very useful features, some more crucial than others. Here are the main staple features of most software-based BC tools:

• Automate routine, repetitive tasks which would otherwise be done manually. This feature reduces time and thus avoids some time-related costs, like labor.

• Offer an electronic means of inputting vital records, personnel information, terminology, other plans and data inputs, equipment and vehicle inventory lists, facilities descriptions, and other data which are required to complete a thorough plan.

• Provide off-site data backup and access, so that the plan and its contents are accessible in the event of loss of site or technology access.

• Provide ease of use, web-based, anywhere access to the plans, which can be a great benefit during and subsequent to a major disruption.

• The ability to port much of the data and information across platforms vis-a-vis import export functions. The porting capability can be useful to populate other continuity plans that use identical data inputs.
• Help make initial setup easier, often streamline updates, maintenance, and can help make preparation for training, exercises, and drills, a simpler organizing activity.

• Reduce paper use, although most of the tools available have ‘print-out’ reporting features. This helps with ease of creation of hardcopy, bound documents and plans and may also ease distribution costs.

Costs

The costs of BC software tools cover the entire gambit from free-template driven, to expensive fully functional, interactive plan applications. These applications are very robust and provide many, if not all, of the features to design, develop, exercise, and implement all facets of the business continuity regime.

An organization should give due consideration to the entire lifecycle costs including:

• Initial license/purchase
• Implementation of software including training to use
• On-going maintenance
• Annual license fees.

There is no replacement for the people in the equation of business continuity. During the gathering of data and information, an enormous amount of education must go on to raise a level of awareness about the subject area. So, don’t forget the cost trade-offs of people’s time to develop and use these plans [3]:

• doing all the work manually with forms, plan templates etc
• thinking and collaborating
• data gathering and verification
• meeting, discussing, and agreeing
• training, exercises and drills
• maintain, update

Fortunately, most software is license-based, sometimes with unlimited user access. Also, as a web-based offering, there is no software to buy or maintain. Further, initial training is sometimes included, while train-the-trainer education is available for a fee.

The other costs involved with using a software tool may be the use of an outside vendor or consultant. This is a choice of each organization that often depends largely on skill level and time available of staff and/or the any budget constraints [4].

My Experience

I have experience with the complete installation, design, and implementation of one BC software tool, and that was with a COOP plan for the public sector. Since I am in the business of representing companies and practice BC consulting, I’ll refrain from mentioning this brand in particular. (You may contact me directly for information).

I’ve also attended online webinars to learn about a variety of BC software tools from various vendors. Many are impressive and quite robust.

Summary

There is a place for software tools and templates to streamline how we handle the multitude of forms and plans in business continuity. Costs must be reviewed and considered in order to optimize tool use.

I find the software tools very useful and believe for most organizations, automation pays dividends through the lifecycle of the business continuity planning and implementation.

References:

[1]  “FEMA Continuity of Operations Plan“. Retrieved 10-19-09 from http://74.125.95.132/search?q=cache:xjr1MLGx7OkJ:www.fema.gov/doc/government/coop/coop_plan_blank_template.doc+%22coop+plan%22&cd=2&hl=en&ct=clnk&gl=us

[2]  “Special Report on Software Tools“. March/April 2009. Retrieved 10-19-09 from http://www.continuityinsights.com/Magazine/Issue_Archives/2009/03-04/software_tools_supplement.html

[3] Burtles, Jim. 2007.  “Principles and Practice of Business Continuity: Tools and Techniques“, Rothstein Associates. Chapter 7 pg 86; Chapters 15, 16.

[4 ] “Business Continuity Planning Software Toolbox“. 2008. Retrieved 10-19-09 fromhttp://whitepapers.zdnet.com/thankyou.aspx?&docid=84366&view=84366&load=1

What Value to Combine Continuity Plans?

There are a number of important plans that ensure business continuity is successful. Is there any point in combing all of the plans within the business continuity discipline? I think not.

The full breadth of business continuity plans are considered to typically [1] include:

• Crisis Management Plan
• Emergency Response Plan
• Business Continuity Plans
• Functional Restoration Plan
• Disaster Recovery Plan

(For a full list of Plans see FEMA Training website.)

There are other ancillary plans which support these plans, i.e. Contingency Plan, Business Resumption Plan [2] etc. I think it makes more sense to keep all continuity plans separate so that the benefits of individual plans can be fully realized.

Some experts believe that depending on the size of an organization, it can make sense to consider plan elements from all plans simultaneously. This is particularly true when one individual is responsible for more than one plan. For that, I agree. However, that does not mean the actual plans need to be combined.

Collaboration across plans can be a step incorporated in the review process in order to ensure compatibility where it’s needed. But, consider this: Keeping plans separate allows for more efficient alerts, invocations, training, and plan maintenance. The individuals concerned with one plan may not need to be concerned with all plans. So, simply from a resource efficiency point of view, let’s not burden the system any more than we already do with such a large number of plans.

Here are some detailed reasons for not combining all Continuity Plans

• Organization and Documentation:
  • People like simplicity. Keeping plans separate provides better organization. [3] It can help divide the work and provide clarity and ease of understanding because one plan will be less cumbersome than several plans rolled together.

• Impact on resources [1]:
  • Not all plans need to be invoked in every situation. Since raising an alert and invoking plans takes many resources, we can gain efficiency and optimize a proper degree of response by selecting the right plan for the right scenario. Of course, there will be events which trigger all plans, but those I believe will be more rare.
  • A time when multiple plans may be invoked more regularly may be for exercises, training, and drills. In addition, multiple plans may be brought together for consideration during initial creation, review, and maintenance. The purpose then would be to ensure there are no conflicts across the plans and that there is plan accord.

• Impact on people:
  • The people who may need to be alerted for one plan invocation, may not be the same for other plans. So, it may not make sense to interrupt multiple groups of people with an alert until they are needed.
  • Each plan is the responsibility of a particular role in the organization. Although, in smaller organizations, we might expect that individuals have more than one responsibility. However, for any company of a size which needs all of these plans, more likely, the people responsible for each plan will be different.

• The plans are tools:
  • There is a notion that the plans themselves are not the solution. Rather, they are useful tools. The dialog which results from preparing, inspecting, deliberating, and agreeing [Burtles, pg 167 ]  has great merit. It helps us all understand what we can and should do during an emergency. It can be extremely helpful to have gone through the planning process. In addition, the plans can each stand on their own for exercises, training, and drills.

• Plan vulnerability:
  • Having the plans in one document causes a vulnerability to misuse or attack. In the wrong hands, the entire set of plans could be used against the company or to do harm.
  • E.g. contingency plans are particularly susceptible since the plan outlines very specific (non-public knowledge) exposures which may render an organization useless. This plan should be particularly protected.

Summary

There is value in continuity plans being developed and documented separately. This approach allows for better organization, less impact on people and resources, more efficient use of the plans as tools, and helps reduce vulnerability to misuse

Plans should not, however, be completed in a vacuum. Collaboration and review, cross-training, and exercise, will help ensure a non-conflicting  more cohesive set of plans which work together when necessary to handle the disruptions for which they were designed.

References:

[1] Burtles, Jim. 2007.  “Principles and Practice of Business Continuity: Tools and Techniques“, Rothstein Associates. pg 167; Chapters 10, 14.

[2] Noakes-Fry, Kristen, Diamond, Trude. “Business Continuity and Disaster Recovery Planning and Management: Perspective“. Oct 2001. Gartner Research. Retrieved 10-19-09 from  http://www.availability.com/resource/pdfs/DPRO-100862.pdf

[3] Cobb, Steven. 2008. “Rice Pudding and Plan Writing”, Norwich University MSBC

Emergency Response Teams: Duty and Family Concerns

Emergency Response Teams-ERTs [1][2] are a very necessary part of any business continuity program. While there is concern that people may be more interested in self-preservation and family security during the crisis, that fact should not stop us from creating a qualified and responsible team of responders who are ready and able to help at a moment’s notice.

We create an Emergency Response Team-ERT to handle crisis and serious incidents in a business environment [1]. The emergency management function is not only about containing and controlling the actual operations of the disaster and its recovery, but first and foremost is very much about the appropriate management of and support for the people.  Besides including the entire organization of employees, visitors, and external connections, like family, preparations for a mature and robust ERT must also account for the toll a disaster takes on the emergency team.

The psychology of the human reaction to emergencies is complex and well beyond my expertise. A cursory review of the literature provides a number of viewpoints. Many positions acknowledge the unknown and myriad reactions of humans when we are personally impacted by and directly facing uncertainty or danger. For some, just the act of talking about, preparing and training for disasters can be enough to cause upset. So, selecting individuals to be on an ERT comes with a great responsibility of using well-tried criteria as a means of building a robust response team.

In my experience operating in a high-tech business environment on an ERT, as well as helping to form the team in its early days, the selection process can be easily managed by adopting membership criteria [2]:

• Background check – if not already done by the business
• Dedication – demonstration of willingness to commit time to training through written acknowledgment of the described commitment
• Ability – as demonstrated by documented experience or learning capability
• Skills – as evidenced by tests, evaluations, or references
• Knowledge – as evidenced by credentials, experience, or willingness to learn from our established ERT program curriculum

Like any other team, personnel considerations are always an important ingredient to success. The business continuity planner can work with the human resources department, external crisis managers, employee assistance psychologists, and emergency response experts to develop support mechanisms for the ERT members. These considerations would include physical, welfare, organizational, motivational and mental aspects [2].

Companies wishing to start an ERT have numerous government [CERT-3][Australia-4] and private sector [Cisco-5][Learn about disasters-6] tools, templates, and examples by which to learn and mirror. Along with all of the responsibilities of the business continuity planner (or in some cases, it may be the Safety Officer or Emergency Operations Manager) should be a strategy and action plan to prepare the team members. I already mentioned the selection criteria. In addition, the ERT leader can provide:

• learning material and opportunities to train together as a team
• access to counselors – particularly those with Critical Incident Stress experience [7][8],
• rewards and acknowledgment – both for achieving training status and post-incidents
• proper tools and resources to get the job done – lest we demoralize the team
• an incident exercise program which tests not only the general employee population and resources, but also brings confidence and trust to the ERT, as individuals and as a team.

There are many good examples of business Emergency Response Teams , their preparedness and successful deployment. For example, at Cisco in San Jose, the team was awarded “Best Emergency Response Team in the Santa Clara Valley” by the San Jose Fire Department [5] following an ISO audit of the team, it’s readiness and response posture. Sometimes these teams are not formal, have little resources, or time to train. Yet, the very fact that a team exists can go a long way toward a business being prepared for most incidents. This is especially true if the team feels appreciated, has practiced a time or two,  has a response plan shared with the business, and has built some level of confidence and trust in each other.

Summary

The establishment of an Emergency Response Team is very achievable in many business and public sector environments. The notion that team members may falter during a crisis due to personal concerns about self and family, while a real possibility, does not diminish the need to build and maintain the team. The ERT continues to be a critical first line of defense during the opening moments of any crisis, incident, or significantly disruptive event. Therefore, I believe these teams should be supported in all environments where it’s deemed practical for the general safety, welfare and continuity of the organization.

References

[1] Cobb, Steven.2008. “Keeping Your Head: Emergency Incident Response Team Planning”, Norwich University MSBC, Northfield, VT

[2] Burtles, Jim. 2007.  “Principles and Practice of Business Continuity: Tools and Techniques“, Rothstein Associates. Chapter 7 pg 86; Chapters 15, 16.

[3 ] “Community Emergency Response Team” Citizen Corps Department of Homeland Security. Retrieved 10-11-09 from http://www.citizencorps.gov/cert/

[4 ] “Corporate Emergency Response Team Member Tasks“. Government of South Australia. Retrieved 10-11–09 from http://www.crisis.sa.edu.au/files/links/Corporate_Emergency_Respo_1.pdf {date unknown}

[5 ]  “Emergency Response Team“, 2007. Cisco Systems Inc. Retrieved 10-11-09 from   http://www.cisco.com/web/about/ac227/ac333/our-employees/welfare-and-safety/emergency-response-team.html

[6 ] Gregory, Peter H., Rothstein, Philip J. “IT Disaster Recovery Planning for Dummies “, 2008 Wiley Publishing.  Retrieved 10-11-09 from http://books.google.com/books?id=YC49DXW-_60C&pg=PA37&lpg=PA37&dq=define+++%22emergency+response+team+%22+-computer&source=bl&ots=vrpqp4BqHc&sig=HP4WFKV7yFYLcnfAGyYl_vy1KxA&hl=en&ei=6i3SSrPvLpCeMauZlZQD&sa=X&oi=book_result&ct=result&resnum=2&ved=0CBMQ6AEwAQ#v=onepage&q=define%20%20%20%22emergency%20response%20team%20%22%20-computer&f=false

[7] Walter, Andrea A., Rutledge, Marty L., Edgar, Christopher N. “First Responder Handbook: Fire Service Edition“. 2003 Thompson-Delmar Learning. Retrieved 10-11-09 from http://books.google.com/books?id=354SNFOWyMEC&pg=PA33&lpg=PA33&dq=emergency+responders+%22critical+incident+stress%22+counselors&source=bl&ots=aBOoHWNIcl&sig=LcEZHq9sj9BrwyFzEUVuak5uzbk&hl=en&ei=8y7SSqnEPJGOMemb1JQD&sa=X&oi=book_result&ct=result&resnum=4&ved=0CBoQ6AEwAw#v=onepage&q=emergency%20responders%20%22critical%20incident%20stress%22%20counselors&f=false

[8] “Certificate of Specialized Training Program-in Critical Incident Stress Management“. International Critical Incident Stress Foundation, Inc. Retrieved 10-11-09 from http://www.icisf.org/

Communication Challenges During Disasters

Communication during and after a disaster is a vitally important element of business continuity planning. Helping employees be aware of a company’s standard operating procedure-SOP[1] for communications is a good first step. In my experience, practicing disaster drills and offering annual reminders of what and how two-way communication will occur during major disruptions will help prepare employees for the actual event. It will be important for each organization to appoint a representative to ensure good communications take place. This individual should work closely with risk managers, safety officers, or emergency managers to prepare employees for what to do during a disaster.

Preparations should include what to communicate and how to do it. Employees are expected to know and are encouraged to do the following (after safe evacuation):

• Contact their family and friends and let them know their status and that they are OK, but do so from off-premises
• Not expect to use a cell phone, which historically will be a sporadic means of communicating at best. {During major disasters of the last decade, the number of people trying to use cell phones overtaxes the cell systems and often the cell systems are down for extended periods. [2]}
• Listen to pre-established news media, radio, TV, internet, and in some cases, social media outlets [3] for official updates
• Contact a pre-established phone number or internet site for updates during and after the event.
• Refrain from representing the company to any outside person or entity.
• Not count on hearsay as the definitive information from the company

It is likely that the local, state, or federal government will implement and emergency override use of the cellular signals within a certain range of the incident. Regular phones systems may also be down, as well. [4] In any case, another means besides cell phones may be necessary. Managing your communications will certainly be a challenge.

Employees will want to know how to communicate with the company in the aftermath of the incident. Often times a Public Information Officer-PIO [5] will establish and publish a pre-plan. The pre-plan includes a means of informing employees of such things as whether or not to come back to work, where to report, and the length of time it might be before the situation is recovered from and business is restored. These actions can help set expectations so that during the crisis, procedures are more likely to be followed.

The liaison with external entities, beyond the news media and emergency services agencies may also be required of the PIO or public relations manager.  Suppliers, vendors, customers, and others all will have a vested interest in the status of the company, it’s people, products, and servicers.   It will continue to be important for a company representative to keep good communications open throughout the event and its aftermath. A person filling his role should have skills and experience that include knowing how to speak, choose words, set tones, and be honest and transparent to all audiences. [6]

Summary

A crisis communication plan can be written and employees can be made aware of such a plan well before major disruptions or disasters. The plan should outline expectations, logistics,  alarm response, evacuation routes, and what to do after the event.

A Public Information Officer or other organization representative will play a vital role to ensure that appropriate communications continue throughout the disruption or disaster, during recovery, and subsequent to the event.

Pre-planning goes a long way toward calming the fears of employees and can be of great help bring some smoothness to a hectic situation.

References:
[1] “A Standard Operating Procedure (SOP) is a set of written instructions that document a routine or repetitive activity followed by an organization. “

“Guidance for Preparing Standard Operating Procedures (SOS). EPA QA/G-6“.APR07. Office of Environmental Information. Retrieved 10-11-09 from http://www.epa.gov/quality/qs-docs/g6-final.pdf

[2] Hamblen, Matt. 7-JUL05. “Don’t Count on Using Your Cell Phone for Disaster Rescue”. Computerworld.  Retrieved 10-11-09 from http://www.pcworld.com/article/121744/dont_count_on_using_your_cell_phone_for_disaster_rescue.html

[3] Collins, Hilton. 27-JUL09.”Emergency Managers and First Responders Use Twitter and Facebook to Update Communities“.  Retrieved 10-11-09 from http://www.emergencymgmt.com/disaster/Emergency-Managers-and-First.html

[4] Salwati, Yusuf. 30-SEPT09. “Managing During Disasters Part I”. IT Knowledge Exchange. Retrieved 10-11-09 from http://itknowledgeexchange.techtarget.com/itproject/managing-during-disasters-part-1/

[5] “National Incident Management System- National Standard Curriculum Training Development Guidance“.  http://www.fema.gov/pdf/nims/nims_training_development.pdf

[6] Burtles, Jim. 2007.  “Principles and Practice of Business Continuity: Tools and Techniques“, Rothstein Associates. Chapter 7 pg 86; Chapters 15, 16.

Protecting Corporate IP

The options to protect data, formulas, products, and documented ideas or concepts come in many forms. Government and big business seem to spend the most time and money focused on this protection as well as educating others about the risks and mitigation.

Government Actions:

The government creates entire departments focused on protecting intellectual property. Presidential directives are issued, methods are developed, and collaboration ensues in an effort to protect both public and private sector from disaster. Governments encourage businesses to take steps to protect IP, brand, and innovations. Internal threats to data center security have been a known exposure for decades.

As early as 1998, the United States government formally recognized the increasing risk of cyber threats when the President issued “…Presidential Decision Directive 63 (PDD-63), which called for the creation of a national plan to protect the services on which we depend daily.” [1] Our everyday essential services, i.e. energy, banking, finance transportation, vital human services, and telecommunications are all interdependent. Preservation of vital intellectual property would be impacted due to the ever-increasing interdependency of electronics on our way of life. With the unchecked growth of the internet-web, advanced electronics, and miniaturized telecommunications, our intellectual property would be vulnerable to a whole host of new threats.

The economy itself when in a down turn, can be considered a disruption requiring considerations be given to protecting Intellectual Property-IP. In the Philippines,  “…micro, small, and medium enterprises (MSMEs) account for 99.6 percent of the country’s economy” and are told to protect assets [2]. These type organizations are being encouraged to register the innovations, inventions, and brands in order to preserve their intellectual property rights.

Business:

I’m sure there are hundreds of examples of methods employed by businesses to protect IP, here are a few:

• Hardware, software and services vendors develop products to protect data and systems for all size of organization from the home pc to multi-national corporations- anti-spam, anti-virus, anti-phishing, etc.
• At Intellistore Design Consulting one of the many IT service vendors on the web, they encourage clients to develop and implement IT Best practices. Their ‘Six Tips’ [3] could be used by any business/data center:
  • Take ownership of your IP
  • Ensure access to source code
  • Prepare and IT disaster recovery plan
  • Incorporate the ability to upgrade or migrate to new technologies
  • Implement data compliance standards
  • Take control of your companies online accounts
• At Google, the data center boasts several backup options with an emphasis on redundancy as a primary tactic to protect and restore data and systems, with a solution called Perforce Disaster Recovery. [4]
• ATT focused some of their advertising, marketing, and educational material for citizens around Katrina events by providing advice on protecting value records. Among many things to do, ATT recommended protecting all resources, records, and data through both traditional off-site backups, as well as, using generators for backup power supply. The generators are focused on the most critical business functions. [5]

Burtles suggests that more than one backup method needs to be employed to ensure successful recovery, and for data centers, he places great emphasis on hot-sites, cold-sites, and redundancy. [6]

The concept of trust seems to be an important element of protective disaster recovery plan for intellectual property. At some point, a decision must be made to place a copy and the original innovation (IP) in a two different safe places. Determining a ‘safe place’ is an entire project in itself and would involve statistical theory along with a healthy dose of trust.

Summary

Redundancy of data systems, data centers, access methods, and protective software are all offer solidly proven methods to protect data and information. Governments clearly see the need and have taken steps across the globe to secure their data as well as educate business on best practices. Entire businesses exist in the data storage world, which provide hardware, software, and services to protect information.

In the end, I believe it comes down to taking a calculated risk, based on solid data, and implementing a proven method of intellectual property protection.

References:

[1] “Critical Infrastructure Protection”. Department of Justice, Computer Crime and Intellectual Property Section-CCIPS, USA.gov. Retrieved 10-04-09 from http://www.usdoj.gov/criminal/cybercrime/critinfr.htm

[2]  GMA NewsTV.com, Retrieved 10-04-09 from http://www.gmanews.tv/story/167997/Firms-told-to-protect-intellectual-property-assets

[3] Herrmann, Kathy. “6 Tips to Protect Your Intellectual Property“. 6-MAY09Retrieved 10-04-09 from http://community.intellicore-design.com/blog/2009/5/6/6-tips-to-protect-your-intellectual-property.html

[4] Wright, Rick. 2008.“Perforce Disaster Recovery at Google”. Retrieved 10-04-09 from http://www.perforce.com/perforce/conferences/us/2009/Presentations/Wright-Disaster_Recovery-paper.pdf

[5] “ATT Disaster Preparedness – 2008 Hurricane Season”. 2008. Retrieved 10-04-09 from http://www.att.com/Common/merger/files/pdf/att_emer_prepare_tips.pdf

[6] Burtles, Jim. 2007.  “Principles and Practice of Business Continuity: Tools and Techniques“, Rothstein Associates.

Reciprocal Agreements

Reciprocal agreements can be defined by as “An agreement by two parties, each allowing the other to use their site, resources, or facilities during a disaster”[Burtles 1]. There are many similar definitions [2] which all focus on ‘sharing’ during times of disruption.

There seems to be quite a bit of disagreement about the merits of using reciprocal agreements as viable alternatives during disasters. Some of the experts [4] caution about a number of difficulties that may occur including incompatibility of systems, software and methods, time delay on actually implementing the transfer, and the unavoidable concern of the receiving entity being impacted by work overload.

An article by Davis [3] in the Disaster Recovery Journal cautions that “Reciprocal agreements are economical but beware of systems incompatibility”. This can be particularly helpful when the equipment needing backup is very expensive or of a special or rare type. In such cases, it may be completely necessary to partner with the only other company or entity which has this resource capability. [5]

In my personal experience, reciprocal agreements can be beneficial. Some examples:
• Tornado interrupts power to fire station, neighboring fire station one town away has previously agreed to house trucks and personnel in makeshift building at their headquarters. This happens until power is restored in under one week.
• City prepares COOP plan and includes several mutual agreements to make use of neighboring cities services, i.e. utility billing, power, data center transfer. It has not been tested yet.
• Fire and police departments have mutual aid agreements, which have been used several times during the past decades and it works quite well.

In the emergency services world, reciprocal agreements are commonplace and are known as ‘mutual aid’ agreements according to FEMA. [6] In such cases, one agency agrees to share resources with another agency during times when:
• the size of the incident calls for more help than can be mustered by the one agency,
• when a resource is out of service for maintenance or due to damage
• when personnel are unavailable due to training, inability to continue performing their duties (overworked, exhaustion, sickness, other peril)

Another concept describes using internal resources as redundancy or as backup during times when one function experiences a disruption. The success of this transfer would depend on some of the same criteria as when agreeing with other entities, that is, does the receiving facility have the expertise, resources, and capability to actually take on the workload of the disrupted entity. I think the same cautions and concerns would apply, despite the fact that there would be more familiarity and consistency when creating an internal agreement,

Summary

There are mixes opinions regarding the merits of using a reciprocal agreement to provide secure backup during a disaster or major disruption. While there are a number of situations, which may prove difficult, and be an imposition to the receiving entity, it makes sense in my judgment that the establishment of a reciprocal agreement has merit.

References:

[1] Burtles, Jim. 2007. “Principles and Practice of Business Continuity: Tools and Techniques”, Rothstein Associates.

[2] “Online Business Dictionary”. Retrieved 10-04-09 from http://www.businessdictionary.com/definition/reciprocal-agreement.html
“Definition 1
General: Quid pro quo arrangement in which two or more parties agree to share their resources in an emergency or to achieve a common objective.
Definition 2
Data backup: Whereby two departments or organizations agree to store one another’s backup data on their computers.
Definition 3
Disaster planning: Whereby each party agrees to allow another to use its site, facilities, resources, etc., after a disaster.

[3] Davis, J.R. 2003. “Regulatory Scrutiny of Item Processing Increases Disaster Recovery Planning”. Disaster Recovery Journal. Retrieved 10-04-09 from http://www.drj.com/articles/spr03/1602-09p.html. Vol. 16 Issue 2.

[4] Snyder, Richard. “Reciprocal Agreements: Do the Work?”. Disaster Recovery Journal. Retrieve 10-04-09 from http://www.drj.com/drworld/content/w1_095.htm. Vol. 3 No. 4, p. 54

[5] Contesti, Diane-Lynn., Andre, Douglas., Waxvik, Eric., Henry, Paul A., Goins, Bonnie, A.“Official (ISC) 2 Guide to the SSCP CBK, Volumes 978-2272” 2008. Pg 228. Retrieved 10-04-09 from http://books.google.com/books?id=Jt1meI49yTwC&pg=PA229&lpg=PA229&dq=%22reciprocal+agreements%22+during+disasters&source=bl&ots=AyaIAFYkUF&sig=WodAfpgE13GExjh-eVA9RFwOsfg&hl=en&ei=vkLJSoKSFpWEMeXPnfMH&sa=X&oi=book_result&ct=result&resnum=8#v=onepage&q=%22reciprocal%20agreements%22%20during%20disasters&f=false

[6] “Mutual Aid Agreement for Public Assistance and Fire Management“ 13-AUG07. FEMA Disaster Assistance Policy 9523.6. Retrieved 10-04-09 from http://www.fema.gov/government/grant/pa/9523_6.shtm

The Merits of Reciprocal Agreements

Reciprocal agreements are defined by Burtles as “An agreement by two parties, each allowing the other to use their site, resources, or facilities during a disaster”. [1]  There are many similar definitions [2] which all focus on ‘sharing’ during times of disruption.

Burtles is not supportive of the concept as a viable alternative and he is not alone [1]. There seems to be quite a bit of disagreement about the merits of using reciprocal agreements as viable alternatives during disasters. Some of the experts [3] caution about a number of difficulties that may occur including incompatibility of systems, software and methods, time delay on actually implementing the transfer, and the unavoidable concern of the receiving entity being impacted by work overload.

An article by Davis [4] in the Disaster Recovery Journal cautions that “Reciprocal agreements are economical but beware of systems incompatibility”.  This can be particularly helpful when the equipment needing backup is very expensive or of a special or rare type. In such cases, it may be completely necessary to partner with the only other company or entity which has this resource capability. [5]

In my personal experience, reciprocal agreements can be beneficial. Some examples:

• Tornado interrupts power to fire station, neighboring fire station one town away has previously agreed to house trucks and personnel in makeshift building at their headquarters. This happens until power is restored in under one week.
• City prepares COOP plan and includes several mutual agreements to make use of neighboring cities services, i.e. utility billing, power, data center transfer. It has not been tested yet.
• Fire and police departments have mutual aid agreements, which have been used several times during the past decades and it works quite well.

In the emergency services world, reciprocal agreements are commonplace and are known as ‘mutual aid’ agreements. [6] In such cases, one agency agrees to share resources with another agency during times when:

• the size of the incident calls for more help than can be mustered by the one agency,
• when a resource is out of service for maintenance or due to damage
• when personnel are unavailable due to training, inability to continue performing their duties (overworked, exhaustion, sickness, other peril)

Another concept describes using internal resources as redundancy or as backup during times when one function experiences a disruption. The success of this transfer would depend on some of the same criteria as when agreeing with other entities, that is, does the receiving facility have the expertise, resources, and capability to actually take on the workload of the disrupted entity. I think the same cautions and concerns would apply, despite the fact that there would be more familiarity and consistency when creating an internal agreement,

Summary

There are mixes opinions regarding the merits of using a reciprocal agreement to provide secure backup during a disaster or major disruption. While there are a number of situations, which may prove difficult, and be an imposition to the receiving entity, it makes sense in my judgment that the establishment of a reciprocal agreement has merit.

References:

[1] Burtles, Jim. 2007.  “Principles and Practice of Business Continuity: Tools and Techniques“, Rothstein Associates.

[2] “Online Business Dictionary”. Retrieved 10-04-09 from http://www.businessdictionary.com/definition/reciprocal-agreement.html

“Definition 1

General: Quid pro quo arrangement in which two or more parties agree to share their resources in an emergency or to achieve a common objective.

Definition 2

Data backup: Whereby two departments or organizations agree to store one another’s backup data on their computers.

Definition 3

Disaster planning: Whereby each party agrees to allow another to use its site, facilities, resources, etc., after a disaster.

[3] Davis, J.R. 2003. “Regulatory Scrutiny of Item Processing Increases Disaster Recovery Planning”. Disaster Recovery Journal. Retrieved 10-04-09 from http://www.drj.com/articles/spr03/1602-09p.htmlVol. 16 Issue 2.

[4] Snyder, Richard. “Reciprocal Agreements: Do the Work?”. Disaster Recovery Journal. Retrieve 10-04-09 from http://www.drj.com/drworld/content/w1_095.htm. Vol. 3 No. 4, p. 54

[5] Contesti, Diane-Lynn., Andre, Douglas., Waxvik, Eric., Henry, Paul A., Goins, Bonnie, A.“Official (ISC) 2 Guide to the SSCP CBK, Volumes 978-2272” 2008. Pg 228. Retrieved 10-04-09 from http://books.google.com/books?id=Jt1meI49yTwC&pg=PA229&lpg=PA229&dq=%22reciprocal+agreements%22+during+disasters&source=bl&ots=AyaIAFYkUF&sig=WodAfpgE13GExjh-eVA9RFwOsfg&hl=en&ei=vkLJSoKSFpWEMeXPnfMH&sa=X&oi=book_result&ct=result&resnum=8#v=onepage&q=%22reciprocal%20agreements%22%20during%20disasters&f=false

[6] “Mutual Aid Agreement for Public Assistance and Fire Management“ 13-AUG07. FEMA Disaster Assistance Policy 9523.6.  Retrieved 10-04-09 from http://www.fema.gov/government/grant/pa/9523_6.shtm

Redundancy: How Do You Protect IP?

The options to protect data, formulas, products, and documented ideas or concepts come in many forms. Government and big business seem to spend the most time and money focused on this protection as well as educating others about the risks and mitigation.

Government Actions:

The government creates entire departments focused on protecting intellectual property. Presidential directives are issued, methods are developed, and collaboration ensues in an effort to protect both public and private sector from disaster. Governments encourage businesses to take steps to protect IP, brand, and innovations. Internal threats to data center security have been a known exposure for decades.

As early as 1998, the United States government formally recognized the increasing risk of cyber threats when the President issued “…Presidential Decision Directive 63 (PDD-63), which called for the creation of a national plan to protect the services on which we depend daily.” [1] Our everyday essential services, i.e. energy, banking, finance transportation, vital human services, and telecommunications are all interdependent. Preservation of vital intellectual property would be impacted due to the ever-increasing interdependency of electronics on our way of life. With the unchecked growth of the internet-web, advanced electronics, and miniaturized telecommunications, our intellectual property would be vulnerable to a whole host of new threats.

The economy itself when in a down turn, can be considered a disruption requiring considerations be given to protecting Intellectual Property-IP. In the Philippines,  “…micro, small, and medium enterprises (MSMEs) account for 99.6 percent of the country’s economy.” [2] These type organizations are being encouraged to register the innovations, inventions, and brands in order to preserve their intellectual property rights.

Business:

I’m sure there are hundreds of examples of methods employed by businesses to protect IP, here are a few:

• Hardware, software and services vendors develop products to protect data and systems for all size of organization from the home pc to multi-national corporations- anti-spam, anti-virus, anti-phishing, etc.
• At Intellistore Design Consulting one of the many IT service vendors on the web, they encourage clients to develop and implement IT Best practices. Their ‘Six Tips’ [3] could be used by any business/data center:
  • Take ownership of your IP
  • Ensure access to source code
  • Prepare and IT disaster recovery plan
  • Incorporate the ability to upgrade or migrate to new technologies
  • Implement data compliance standards
  • Take control of your companies online accounts
• At Google, the data center boasts several backup options with an emphasis on redundancy as a primary tactic to protect and restore data and systems. [4]
• ATT focused some of their advertising, marketing, and educational material for citizens around Katrina events by providing advice on protecting value records. Among many things to do, ATT recommended “…protect hardware/software/data records/employee records, etc by routinely backing up files to an off-site location. Use a generator for supplying backup power to vital hardware and mission-critical equipment. Prearrange the replacement of damaged hardware with vendors to ensure quick business recovery.” [5]

Burtles suggests that more than one backup method needs to be employed to ensure successful recovery, and for data centers, he places great emphasis on hot-sites, cold-sites, and redundancy. [6]

The concept of trust seems to be an important element of protective disaster recovery plan for intellectual property. At some point, a decision must be made to place a copy and the original innovation (IP) in a two different safe places. Determining a ‘safe place’ is an entire project in itself and would involve statistical theory along with a healthy dose of trust.

Summary

Redundancy of data systems, data centers, access methods, and protective software are all offer solidly proven methods to protect data and information. Governments clearly see the need and have taken steps across the globe to secure their data as well as educate business on best practices. Entire businesses exist in the data storage world, which provide hardware, software, and services to protect information.

In the end, I believe it comes down to taking a calculated risk, based on solid data, and implementing a proven method of intellectual property protection.

References:

[1] “Critical Infrastructure Protection”. Department of Justice, Computer Crime and Intellectual Property Section-CCIPS, USA.gov. Retrieved 10-04-09 from http://www.usdoj.gov/criminal/cybercrime/critinfr.htm

[2]  GMA NewsTV.com, Retrieved 10-04-09 from http://www.gmanews.tv/story/167997/Firms-told-to-protect-intellectual-property-assets

[3] Herrmann, Kathy. “6 Tips to Protect Your Intellectual Property“. 6-MAY09Retrieved 10-04-09 from http://community.intellicore-design.com/blog/2009/5/6/6-tips-to-protect-your-intellectual-property.html

[4] Wright, Rick. 2008.“Perforce Disaster Recovery at Google”. Retrieved 10-04-09 from http://www.perforce.com/perforce/conferences/us/2009/Presentations/Wright-Disaster_Recovery-paper.pdf

[5] “ATT Disaster Preparedness – 2008 Hurricane Season”. 2008. Retrieved 10-04-09 from http://www.att.com/Common/merger/files/pdf/att_emer_prepare_tips.pdf

[6] Burtles, Jim. 2007.  “Principles and Practice of Business Continuity: Tools and Techniques“, Rothstein Associates.