Disaster Due Diligence March 26, 2010

Business continuity

HEADLINE: Study: disaster recovery plans shift away from IT and data security

SUMMARY: A study by a business continuity communications provider showed a shift in corporate planning toward communicable illness and natural disasters preparedness. Among the findings: respondents ranked pandemic as the top threat to organizations in 2009 (55 percent); and natural disaster threat jumped from 39 percent in 2008 to 52 percent. For the first time, IT and data threats were not highest ranked.

STORY LINK: http://eon.businesswire.com/portal/site/eon/permalink/?ndmViewId=news_view&newsId=20100316005466&newsLang=en

ANALYSIS: Y2K drove disaster recovery planning in the 1990s and through the first decade of this century. Businesses need timely access to secure, accurate information to operate. CIOs and CTOs drove the identification of critical information, off-site backup, remote access, and 24/7 availability. These are essential. As a result, disaster recovery and business continuity became linked.  Control was an IT function by default.

As understanding of risk grew along with quantification of impacts, board members and senior management analyzed their governance and fiduciary requirements. Shifts to people, processes and procedures took over with an emphasis on revenue generation and protection. Supply chain failure emerged as the greatest failure point. Focus moved away from solely data to “business recovery.”

In 2005, Firestorm began an analysis of the causes and solutions. Firestorm’s Predict. Plan. Perform. ™process directs critical decisions to prioritize actions. How do you know if your company is prepared? If you cannot instantly answer this question, then you are not prepared.  A first step can be completing Firestorm’s Business Continuity Self-Assessment. Know the Preaction Index™ for your company and in each of the 11 dimensions required under Public Law 110, which mandates DHS develop certification of all private-sector business continuity plans. These Preaction Index ratings will prioritize your efforts and focus your budget on the greatest risk and highest return on investment. What is your Preaction Index? Where do you start?

--Jim Satterfield, Firestorm President/COO

HEADLINE: NFPA releases new edition of disaster/emergency management standard

SUMMARY: The National Fire Protection Association (NFPA) released its 2010 standard on Disaster/Emergency Management and Business Continuity Programs. NFPA 1600 is a completely revised and reorganized version that establishes a common, high-level set of criteria for management, planning, prevention, mitigation, implementation, response, recovery, testing and improvement.

STORY LINK: http://ehstoday.com/fire_emergencyresponse/news/nfpa-new-edition-disaster-emergency-0457/

ANALYSIS: Public Law 110-53, Tile IX (Private Sector Preparedness – PS Prep) mandates DHS to develop a certification plan for private-sector business continuity plans. There are three standards: ASIS, BSI-25999 and NFPA 1600.  The NFPA 1600 standards provide a framework to develop a business continuity plan. It is a good standard, as are the others.

Having an actionable business continuity plan is a necessity for every business. It should not wait until later. It is not a clerical task. It is a strategic business asset and requires understanding of business functions and requirements. Reading NFPA 1600 will provide an initial insight into requirements. NFPA 1600 is not a step-by-step guide on how to create business continuity plan. NFPA 1600 is a “what’’ not a “how’’ standard.

You know your business. You do not know what you don’t know. If you have business continuity questions, Firestorm would be glad to answer them at no cost. Better to ask questions today before a disaster, than try to explain failures after a crisis. If you are explaining, you are losing. An actionable business continuity plan is the difference in a disruption becoming a disaster. Are you ready? How do you know?

--Jim Satterfield, Firestorm President/COO

Campus safety

HEADLINE: Academic Impressions Research: over one-third of colleges and universities report low confidence or no confidence in their ability to effectively respond to a campus crisis

SUMMARY: Afour-week survey of higher education employees conducted in January revealed that many administrators lacked confidence that their institutions would fare well in a crisis. About half of those responding reported having experienced a crisis on their campus in the last two years, and a third said they had either low confidence or no confidence in their institution's ability to effectively execute their crisis response plan. Only about half reported testing their crisis response plan in the last year; while 23 percent said they had never tested their plans.

STORY LINK: http://www.earthtimes.org/articles/show/academic-impressions-research-over-one-third,1211593.shtml

ANALYSIS: No one can question the fact that colleges and universities have seen more than “occasional or rare’’ incidents that require emergency procedures. Most incidents are minor and require a simple communication to students and facility. Weather and safety alerts, and “perpetrator on the loose’’ messages are common. Unfortunately, recent events have involved the loss of life, at times on a large scale.

While the communications aspect of emergency preparedness and written policies has improved greatly since the tragedy at Virginia Tech, arguably the most important parts have not been addressed. Training and drills have largely been ignored and undervalued. Most universities, like most businesses, have an emergency plan in place. But the fact is, more than 80 percent have never READ it, never mind conducted proper training.

The Clery Act has new amendments that take effect in July and need to be adhered to by October. These amendments specially address new standards in training and drills. With government revenues down, there is a good chance revenue “hunting’’ parties will be more commonplace, looking to assess fines for noncompliance. You do not want to bear this expense and the negative publicity that will come with it; parents are more concerned than ever about safety.

While most universities installed great communications systems since Virginia Tech, many people still do not know what they are supposed to do with them. Students have access to the emergency plans, but how many have actually read them? Does your university train new students at orientation about disasters? What about new faculty? Are they trained? The fines that have been levied for Clery Act violations in the past can cost more than conducting training.

If you are not conducting proper training on a regular and frequent basis, how are the people you are responsible for going to have confidence in your preparedness? Without a well-documented training program, a jury can write a blank check for potential negligence. 

If you are not sure what constitutes acceptable training and drills under the new Clery Act amendments, contact Firestorm. We test the cohesion of all the existing policies so they work as a single plan, not as isolated ideas. 

--Scott Watkowski, Firestorm franchise principal

Financial services

HEADLINE: Alternative asset firms lagging in compliance

SUMMARY: An analysis by an IT outsourcing firm showed that some alternative investment firms are lagging in internal IT, compliance, policy enforcement, business continuity planning and IT security. The assessment looked at asset firms’ capabilities from an institutional investor’s perspective, and despite increased scrutiny from investors and regulatory agencies, found deficiencies in disaster planning; code of conduct enforcement; protecting client information; and lack of redundancy inside their networks.
 
STORY LINK: http://www.hedgeweek.com/2010/03/22/39852/alternative-asset-firms-lagging-compliance

ANALYSIS: One can’t help but chuckle to read that, in an article in hedgeweek -- ostensibly about firms whose purpose is to provide more sophisticated vehicles to hedge risk -- these same firms are themselves at risk because of poor business continuity planning, poor IT security, lack of compliance, etc.  Part of this can be explained based on the way these firms are created.  Usually a group of sharp traders and investment managers get together to form a new organization and, quite likely, they initially hire one individual to run operations (and all the other parts of the business they don’t like), who promptly approaches a known and favored third-party service provider to turn on the equipment on Day One.  At a later date, alas, those sticky additional details rear their ugly head.

There are important lessons here.  Significant large majorities of companies outsource some, or all, of their investment management, especially for their pensions, their 401Ks, and other alternative investments for their employees.  They are part of your supply chain – that part that provides investments and income to those in your company planning for their long-term finances.  You need to exercise your due diligence, not only with their investment philosophy but also with their ability to recover from disaster.   

As this report suggests, and as the painful experience of Bernie Madoff proves, reliance on our regulatory framework is not sufficient.   And even if you use a large “Wall Street Name” to manage your investments, understand they may be investing part of your money with these alternative investment firms.  That is not necessarily bad, of course, as these firms often have the geniuses on staff that provide exceptional returns.  Just be sure when the power goes out, you don’t lose your trades, your information and your money.  In fact, asking the right questions of your investment managers about their business continuity planning, disaster recovery, compliance, etc., will tell you in minutes if they are prepared, and if you aren’t sure exactly what to ask, call us.  That’s what we do.

--Ted Hansen, Director, Firestorm Expert Council

Communicable illness

HEADLINE: Bird flu remains a threat: WHO

SUMMARY: Bird flu (H5N1) outbreaks have killed seven people across several countries so far this year, the World Health Organization said. Current human cases have been identified in Egypt, Vietnam and Indonesia and outbreaks of the virus have been found in poultry and wild flocks in other parts of Southeast Asia. The fatality rate for humans infected with bird flu remains high at 59 percent, WHO said.

STORY LINK: http://www.google.com/hostednews/afp/article/ALeqM5geiFWivuPAl6cCiw3GvsQIVxGMzg

HEADLINE: Research team finds structure of 'swine flu' virus

SUMMARY: Scientists from The Scripps Research Institute have discovered the structure of a key protein from the virus that caused the swine flu (H1N1) pandemic that shares many features with influenza viruses common in the early 20th century, helping to explain why older individuals have been less severely affected by the recent outbreak. Strikingly, the scientists also found that one area of the protein was highly similar between H1N1 and the virus that caused the 1918-19 Spanish Flu pandemic.

STORY LINK: http://www.physorg.com/news188657864.html

ANALYSIS: These two news items offer a subtle, but significant, reminder of the resiliency and adaptability of nature and the timeless threat of communicable disease.  While the world has focused on H1N1 for much of the past year, H5N1 has continued in its presence and lethality.  Current cases are among individuals who have direct contact with the host animal – birds.  H5N1 has yet to adapt to human-to-human transmission.  The specter of H5N1 virulence with transmissibility of H1N1 is chilling, to say the least.  Influenza’s ability to reassort proteins – in effect to change how it impacts humans – is cause for continuing monitoring by public health authorities. 

Curiously though, a large portion of the population is willing to accept a significant risk.  The reported deaths of 37 individuals attributed to mechanical malfunctions in Toyotas resulted in Congressional hearings, public uproar, and modified purchasing habits.  Conversely, the annual passing of 36,000 people from influenza-related conditions is accepted as routine.  An expanded sense of awareness is indicated.  As the U.S. Public Health Service chief medical officer told healthcare administrators at a meeting in Chicago this week:  “flu is a very dangerous disease.”

Ultimately, individuals, families, and organizations would be well served to overcome what has been jocularly termed “short attention span.”  The fact that flu season appears to have passed with an abnormally low toll is not reason to forget the lessons of H1N1.  That virus emerged in the spring, a rarity for influenza.  Other threats, such as SARS, have no precedent.  Maintaining an appropriate level of awareness may be the differentiating factor at the next outbreak.  Do plans and policies support effective preventive and countermeasures?  Are hand washing and social distancing techniques enduring?  Are you prepared?

In the days following 9/11, American flags flew everywhere, particularly in and around Washington, D.C. and New York City.  As weeks and months passed, those flags slowly disappeared.  As the H1N1 pandemic grew, healthful and risk avoidance habits grew as organizations planned to deal with the unexpected.  Will we similarly forget as time passes?  The lack of memory could have deadly consequences. 

--Don Donahue, Director, Firestorm Healthcare Response Team

Preparedness groups

Join Firestorm’s LinkedIn groups and help build a Culture of Preparedness for your family and organization:

DISASTER READY PEOPLE: http://www.linkedin.com/groups?gid=1914314&trk=myg_ugrp_ovr

WORKPLACE VIOLENCE: http://www.linkedin.com/groups?gid=1898572&trk=myg_ugrp_ovr

COMMUNICABLE ILLNESS: http://www.linkedin.com/groups?gid=1899278&trk=myg_ugrp_ovr

SWINE FLU: http://www.linkedin.com/groups?gid=1921222&trk=myg_ugrp_ovr