Forgot your password? Call in-house IT support. They’ll ask you a couple of questions to verify your identity (maybe your date of birth, your favourite colour). Then they’ll reset your password and tell you what it is so that you can go and do that work that’s been piling up. Or so that you can break into that user’s account and from there into more databases and servers – because you weren’t a panicked user at all, but a hacker successfully masquerading as one. What’s the answer to this IT security risk? Harder questions? Passwords that are easier to remember? Or simply taking something out of the equation that shouldn’t have been in there in the first place?
Picture this. A main water pipe bursts and water begins to flood the warehouse, which is also where you happen to be, smartphone in pocket. To avert serious damage and downtime, you need to find the cut-off valve – quickly. At this point, two scenarios are possible. First scenario: you try to find out who can help by calling reception and trying to note the names they suggest and the phone numbers. Second scenario: you access a directory of resources directly from your smartphone, call the person concerned and turn the call into a video call from that person’s desktop so that you can be remotely guided to where the cut-off valve is and how to shut it. How do you get from scenario one to scenario two?
No, there is no typo in the title. In today’s C-level world, CRO can stand for Chief Risk Officer, but can also mean Chief Reputation Officer. By definition, the Chief Risk Officer looks after the governance of significant risks (both menaces and opportunities). The Chief Reputation Officer supervises the management of an organisation’s reputation, brand and communications. Looking after risks and reputation are both vital functions for organisations. The question is whether specific job functions are to be created for one or both of them. The definitive answer will depend on different factors.
Computers are typically robust and reliable. When it comes to doing the same thing over and over again at scheduled times, they leave human beings far behind. That makes IT automation an attractive proposition for many business continuity routines or processes. Where people might forget or botch a data entry because of the monotony of a task, computers remain unaffected. They will check the status of all your branch servers every hour on the hour without fail. They will monitor manufacturing stocks and supply chains and send alerts when any out of bounds situation occurs. What could ever go wrong? Two things at least that human beings still have to help computers sort out.
As seasoned IT professionals and business continuity managers, you’ve probably already done a good few projects. Typically, you start by thinking about what you need to get done and then map out the activities to see how long it will take. Here’s a slight different take on the subject. We start with a fixed time period (12 months) and look at project or process-oriented activities that can help you make the most of it. By planning ahead for the right milestones and routines, you can also contribute to a higher-performance, more robust IT department with less (or no) service outages.
“You’ll be sorry if it happens!” The problem is that until it does happen, it’s often hypothetical and even unimaginable. And yet it happens. Hurricane Sandy in 2012 caught a large part of the United States unawares. And who would have thought that Sony Pictures Entertainment would have been hacked and exposed to the extent of the November 2014 attack? Real disasters (other people’s disasters) can however provide leverage for business continuity managers to get their own senior management to take BC more seriously. Here’s a quick list of things to check before you state your case to the boss(es).
Agriculture and animal farming in particular have as much a need for business continuity as any other sector. Animal farmers deal with larger volumes of cattle, sheep or other livestock, whereas factories or other non-agricultural businesses are usually more concerned with teams or departments staffed by people. Yet when it comes to preparing for and dealing with natural disasters, these different types of enterprise may have more in common than you thought. The following quote from the film ‘Men in Black’ gives a hint about what’s going on.
The answer to this question depends on how fast you want your data back and how much time and effort you are prepared to spend. If your data is both mission and time critical, then full, frequent backups possibly with mirrored systems for immediate restore or failover may be the only solution. Financial trading organisations, large volume e-commerce sites and hospital emergency wards are examples. Other users who do not want to or cannot go down this route will be faced with more basic options.
Some enterprises are attracted by the potential advantages of the cloud for disaster recovery and business continuity. However, they fear the possibility of information being spied on, stolen or hacked after it leaves their own physical premises. A little lateral thinking suggests another possible solution. Instead of moving outside a company firewall to use cloud possibilities, how about implementing cloud functionality inside the firewall? A number of vendors now offer private cloud solutions and they have some customers whose identity may surprise you.
As cloud computing develops and providers multiply their data centres, physical location of data has become an important issue for many organisations. Their goal has often been to prevent storage of confidential data outside their national boundaries. The risk of a data breach is considered to be too great, especially in the wake of the Snowden revelations and CSA snooping saga. In some industries such as medical or financial, regulations may simply prohibit the use of data storage facilities abroad. Yet one national government is taking the opposite approach and making foreign facilities a part of its disaster recovery plan.
All business in a competitive market is risk-based, whether or not enterprises admit it. Positive risk indicates opportunities. Negative risk points to the need to take measures to avoid, transfer or mitigate that risk. Banks are a case in point, with risk analysis at the heart of their daily activities as they continually calculate the probabilities of profitability in investments and loans. For enterprises in other sectors, risk may be less in the spotlight, but no less important. All companies need good disaster recovery and business continuity management for instance. Both depend on properly assessing risks and their impact. So how can you tell if senior management is taking risk management seriously?
There are times when you wish you could undo what you just did. Sometimes, you can’t. Financial investments, office reorganisations and even that too-hasty email you sent often cannot simply be reversed. With IT on the other hand, it’s a different story. From individual PCs to corporate data centres, the ‘Undo’ function has become a standard feature of many computing systems for making errors and problems disappear. As little as one mouse click may be enough to turn back the hands of time and begin again as though a mistake had never been made. But is this disaster recovery capability the magical solution it is often made out to be?
People who manage a functional department or a business process may find it tough to set recovery objectives for what they manage so devotedly, day in and day out. That does not necessarily mean that they are not objective. Instead, they may not know how critical their part of the business is to the rest of the organisation. Without a measuring stick, they cannot confidently make recommendations or requests about suitable recovery times. So when the next business continuity planning moment comes along, BC managers may find that they have some handholding and educating to do to bring different organisational units up to speed.