The recent flooding in Uttarakhand, India reminded me of last November 2012, when I was in Boston during hurricane Sandy, which ravaged the US East Coast. There’s a lot of similarity I can draw between New York and Mumbai - both have a large number of key data centers in close proximity to business centers, both are quite vulnerable to floods, and both have a history of terrorist attacks.
Regardless of continent and country, the number of natural disasters is increasing. As stated by the United Nations Office for Disaster Risk Reduction (UNISDR) Head for Asia Pacific, extreme weather events are likely to become both more frequent and severe in the future. Asia Pacific (AP) in particular is the world's most disaster prone area. Apart from Uttarakhand there have been a number of natural disasters in the last decade, including the Tsunami and Earthquakes in Japan, Floods in Thailand, and the Mumbai Floods in 2005. Floods are the most common natural disaster, followed by extreme storms and earthquakes. In the case of hurricane Sandy, dozens of data centers in the New York City metropolitan area were impacted.
The picture is slowly coming into focus, and it’s a good one. This time last year I scolded Orange Business Services for not presenting a comprehensive smart cities strategy – particularly after having announced smart cities as one of its strategic pillars for the year. The announcement at their 2012 analyst event was not about a strategy; it was an announcement that they were going to create a strategy, and that they had appointed someone to do that. Well, Nathalie Leboucher has been in her role for 18 months now and progress has been made. Orange has developed a portfolio of solutions – mostly based on pilots across France and in the Middle East – and has announced several key partnerships. Yet there is more to do to develop a comprehensive message demonstrating that Orange “gets it” with regard to cities and can leverage all its assets to help cities (and capitalize on the opportunity).
The world may or may not be ending on December 21, 2012. I'm not an expert on the ancient Maya (although I've climbed many Mayan pyramids and have long been fascinated by their history, see proof below), but I've heard a rumor that this week marks the end of the Long Count calendar, meaning a new era begins on Friday, December 21, 2012, bringing a new civilization. Also, potentially a planet called Nibiru might crash into the earth (although NASA has confirmed they have seen no evidence of this).
So, what's your plan? Will it be a space ark? A time machine (i.e., a TARDIS)? Wormhole (a la Fringe)? Should you consider sending your data to Mars? How do you even prepare for the unknown, the black swan events that are highly improbable, but highly disruptive?
A little more than a week after Hurricane Sandy barreled through the Eastern seaboard, I wanted to take a moment and share some of my thoughts on business technology resiliency* and how we fared during this significant weather event. While there are still over a million people without electricity and significant recovery efforts underway, I'm overall impressed with the level of resiliency and preparedness many organizations exhibited during (and since) Sandy. I stress resiliency over recovery here because I believe that is the future of disaster recovery and business continuity. Our official definition is: “The ability for business technology to absorb
On Monday, Hurricane Sandy slammed into the East Coast of the United States, flooding entire towns in New York and New Jersey, triggering large-scale power outages and killing at least 17 people. The health and safety of individuals is the first and foremost priority, followed by the recovery of critical infrastructure services (power, water, hospital services, transportation etc.). As these services begin to recover, many business and IT leaders are wondering how they will resume normal operations to ensure the long-term financial viability of the company and the livelihoods of their employees and how they will serve their loyal customers.
Most likely, if you have offices that lie in the path of Hurricane Sandy, you are experiencing some sort of business disruption, large or small. The largest enterprises, especially those in financial services, spend an enormous amount of money on business, workforce and IT resiliency strategies. Many of them shifted both business and IT workloads to other corporate locations in advance of the storm, proactively closed offices and directed employees to work from home or a designated alternate site.
If you are a small or medium enterprise and, like many of your peers, you didn’t have an alternate workforce site, robust work-from-home employee capabilities, an automated notification system or a recovery data center, what do you do now? While it’s too late to implement many measures to improve resiliency, there are several things you can do now to help your organization return to normal operations ASAP. Here are Forrester’s top recommendations for senior business technology leaders:
At the recent Disaster Recovery Journal Fall World conference, I gave a presentation on the state of BC readiness. I had some great discussions with the audience (especially about where BC should report), but one of the statistics that really stood out for me, and that I made a point of emphasizing with the audience, is the state of partner BC readiness.
According to the joint Forrester/Disaster Recovery Journal survey on BC readiness, 51% of BC influencers and decision-makers report that they do not assess the readiness of their partners. If this doesn’t shock you, it should. Forrester estimates that the typical large enterprise has hundreds of third-party relationships – everyone from supply chain partners to business process outsourcers, IT service providers and of course cloud providers. As our reliance on these partners increases so does our risk – if they’re down, it greatly affects your organization’s business performance. And with the increasing availability of cloud services, the number of third parties your organization works with only increases, because now, business owners can quickly adopt a cloud service to meet a business need without the approval of the CIO or CISO and sometimes without the approval of any kind of central procurement organization.
Even among those organizations that do assess partner BC readiness, their efforts are superficial. Only 17% include partners in their own tests and only 10% conduct tests specifically of their critical partners.
During the past three years, you may have noticed that security and risk professionals have added a new term to their lexicon – business resiliency. Is this just an attempt by vendors to rebrand business continuity (BC) and IT disaster recovery (DR) in much the same way that vendors rebranded information security as cybersecurity to make it seem sexier and to sell more of their existing products? Some of it certainly is rebranding. However, like the shift in the threat landscape from lone hackers to well-funded crime syndicates and state sponsored agents that precipitated the use of the term cybersecurity, a real shift has also taken place in BC/DR.
If you look up the term “resiliency” in the dictionary, it’s defined as “an occurrence of rebounding or springing back”. Thus, business resiliency refers to the ability of a business to spring back from a disruption to its operations. Historically, BC/DR focused on the ability of the business to recover from a disruption. Recovery implies that there was in fact a disruption, that for some period of time, business operations were unavailable, there was downtime as the business strove to recover. Resiliency, on the other hand, implies that an event may have affected the business’ operations, perhaps the business operated in a diminished state for some period of time, but operations were never completely unavailable, the business was never down.
The current state of business continuity management (BCM) standards? Abysmal. According to a joint Forrester/DRJ study, 69% of respondents said that British Standard (BS) 25999 did not influence or only somewhat influenced BCM at their company. It’s not much better for NFPA 1600: 70% of respondents said that it did not influence, or only somewhat influenced, BCM at their company. I find this shocking. BS 25999 is one of the most widely recognized standards for BCM worldwide and NFPA 1600 has been popular in the US for years. In addition, the U.S. Department of Homeland Security’s Private Sector Preparedness Program (PS‑Prep) recognizes both of these standards for assessing preparedness. If you’re wondering what standards respondents named in the “Other” category, it was mostly the Federal Financial Institutions Examination Council (FFIEC) and NIST. Not surprising but also a little disheartening: it’s clear that unless compelled to do so, most BC professionals would not adopt or follow a BCM standard.
Even if you don’t intend to certify to these standards, they should strongly influence your BCM program. Why? It’s because:
They provide a foundation and a common vocabulary for BCM best practices and processes. This is important if you need to implement BCM across a geographically dispersed enterprise or you have to work with a multitude of global partners on joint preparedness.
In a recent Forrester/DRJ joint survey on BC preparedness, of organizations that have invoked a BC plan in the last five years, 37% said that their BC plans had not adequately addressed communication. In my experience, I’ve found that many organizations:
Don’t appreciate the importance of effective communication. Many organizations focus the content of their BC plans and the goals of their BC exercises on the details of recovery procedures but don’t focus on how they will contact and coordinate response teams, employees, partners, first responders and customers. If you can’t communicate, you can’t respond to anything.
Rely on manual procedures like call lists or email alone. By themselves, manual procedures are unreliable, they don’t scale for organizations with thousands of employees (or citizens) and they don’t provide any kind of reporting.
Underestimate the difficulty of communicating effectively under stress. During the incident is not the time to attempt to craft effective communication messages or look for a secondary mode of communication because your first mode of communication (land lines and email) is no longer available.
Business continuity is a top concern of global business and IT decision-makers. Headline news has made these concerns all the more acute – from the political unrest that characterized the “Arab Spring” and continues to plague certain countries in the Middle East to earthquakes, flooding, and other natural disasters across the globe. Those concerns become more acute as multinationals expand into new geographies such as Africa – a trend evidenced by recent announcements by HP and IBM.
Forrester’s Forrsights Budgets and Priorities Tracker Survey and Forrsights Business Decision-Makers Survey confirm that both IT and business decision-makers prioritize business continuity to ensure ongoing operations of their businesses. “Significantly upgrading disaster recovery and business continuity” was the third-highest IT priority of both IT and business decision-makers with 68% of each reporting it as a critical or high priority, behind only consolidation and greater use of analytics. That is to say, although cost controls through consolidation and better business intelligence came out ahead, keeping the lights on keeps corporate leaders up at night.